This document describes the Symmetrix Service Credential, Secured by RSA release 1.0, and is intended for use by EMC customers who are using this security system with their EMC Symmetrix products. Topics include:
◆ About Service Credential (page 2)
◆ Emergency access to Symmetrix service processor (page 5)
◆ Service Credential and the Symmetrix Audit Log (page 9)
◆ Symmetrix Audit Log Service Credential entry examples (page 18)
◆ Adoption of UTC time (page 24)
◆ Service processor Local Host Administration account (page 24)
◆ Determining which tokens are installed (page 26)
EMC® Symmetrix® Service Credential, Secured by RSA
Version 1.0
Reference Guide
P/N 300-004-562
Rev A01
March 29, 2007
About Service Credential
Overview
EMC® Symmetrix® Service Credential, Secured by RSA (Service Credential) is introduced with Enginuity™ 5772 for Symmetrix DMX-3.
Service Credential is designed to protect against unauthorized Symmetrix service by authenticating valid identities on the service processor. The technology applies exclusively to service processor activities and not to host-initiated actions on Symmetrix devices. It covers both onsite and remote login access to a Symmetrix service processor.
Service Credential uses RSA technology to enable strong role-based authentication access. A credential is definable via role and activity (not just via the host level), includes an encrypted credential, and requires confirmation by a service professional’s password (see Figure 1 on page 2). For each access attempt, the Service Credential system tracks and records which service professional is logging in, the role and tasks that individual is authorized to perform, and the validity of the credential time frame. If these credentials are not validated by the Symmetrix, the service professional attempting to access will neither be able to access service tools on the service processor nor perform other internal Customer Engineer (CE) functions.
Figure 1 Credential creation
EMC Symmetrix Service Credential, Secured by RSA 1.0 Reference Guide
It is important to note that the Symmetrix does not have to be connected to the EMC network in order for this solution to operate. Once the components on the service processor have been installed and the installation has been confirmed by the end user as successful, the service processor acts independently of the EMC infrastructure.
Security elements
Three elements of computer security are addressed:
Authentication — Assures the user’s identity via multifactor checks. In other words, EMC verifies that you are who you claim to be.
Authorization — The user, once authenticated, is granted privileges on the system based upon his or her job role. For example, an Associate CE is not able to log in as a Senior Product Support Engineer (PSE) unless he or she has been granted permission to do so.
Auditing — The user’s actions, access level (CE, PSE, or other) and connection methods are all captured in a customer viewable log.
Credential characteristics
Credentials are obtained from a secured website and are each:
◆ Specific to the user
◆ Specific to the activity
◆ Valid for a (user specified) duration of 1 to 240 hours
A credential may also be serial number or site specific depending on the customer’s security requirements or preferences.
Additional security features
Most Service Credential security processes are transparent to the customer, including those for security access authentication and authorization. However, all Symmetrix user ID information is encrypted within a credential for secure storage on the service processor, and is captured to the audit log. The Service Credential method is a requirement for EMC Global Services access to EMC’s restricted and proprietary service tools on the Symmetrix service processor.
Token types
The Service Credential solution requires installation of one or more authentication token records (tokens) as part of the initial setup of the locking mechanism. Different types of tokens handle different situations ranging from initial default settings to granular protection by serial number. Table 1 on page 4 describes Service Credential token types.
Table 1 Service Credential token types

Token type: EMC Default
GUI label: EMCDefault
Definition: This token type is used on any EMC maintained Symmetrix Serial Number. When this token is installed it allows use of EMC Global Services credentials, which allows broad access to all Symmetrix systems.
Note: The EMC Default credential, like all default settings, is useful at initial setup and should be removed when practical. For a higher security option, see instead the Serial Number type token below.
Recommended installation: Initially installed on every Service Credential enabled Symmetrix unless customer requirements specify otherwise. Should be removed when full security is required.

Token type: Secure Emergency
GUI label: SecureEMR
Definition: A token type that is used in the event of an emergency (defined below). It uses the customer’s external RSA SecurID Software Authenticator desktop application to generate an alternate type of credential that allows service personnel access to the Symmetrix. Generation of the credential requires input from both EMC and the customer.
Recommended installation: Installed on every Service Credential enabled Symmetrix unless customer requirements specify otherwise.

Token type: Serial Number
GUI label: Serial
Definition: A token type that requires EMC service personnel to obtain a credential specifically for access to this Symmetrix. The credential generated is unique to both the Symmetrix and the user requesting access.
Note: This is the most secure of the Service Credential options.
Recommended installation: Required on EMC maintained systems for remote support.

Token type: Site
GUI label: Site
Definition: A token type that requires EMC service personnel to obtain a new credential each time they intend to access a Symmetrix at a particular customer site. The credential may be used on several different Symmetrix systems within the same customer site provided that a Site token is installed. However, each credential is unique to the user requesting it.
Recommended installation: Can be installed on every Service Credential enabled Symmetrix at a given site (as determined).
Emergency access to Symmetrix service processor
An emergency is defined as a customer experiencing a Severity 1 (storage device down) problem, inquiry or request related to the applicable EMC equipment or software, and EMC or an authorized EMC support partner being unable to use, obtain or generate the access code required for EMC or the partner to perform its applicable warranty or maintenance support obligations to the customer.
In this case, the service professional cannot access the Symmetrix Maintenance Aids normally. While rarely required, the emergency solution allows access. The RSA SecurID Software Authenticator desktop application is prescribed for emergency solution use by EMC direct service professionals to customers entitled to EMC service.
This alternative to the standard process of providing access to the Symmetrix Maintenance Aids (using credentials generated by service professionals at EMC) uses an RSA Software Authenticator. This solution does not capture user-specific information to the audit log. However, this alternative is useful in emergencies, when access to EMC is not practical.
Emergency solution
Customers entitled to EMC service can avoid service interruption by providing for “break-the-glass” emergency access to Symmetrix arrays that use Service Credential. To implement this emergency solution, you should:
◆ Install and keep secure the RSA SecurID Software Authenticator application. See “RSA SecurID Software Authenticator desktop application” on page 6.
◆ Monitor the Symmetrix Audit Log for any emergency access activity. See “Service Credential and the Symmetrix Audit Log” on page 9.
Note: When a user logs into a Symmetrix using this method, username auditing is not operational: The token serial number (value: 40816356) is logged in place of the username.
◆ Never allow this solution to be used for primary access to the Symmetrix service processor.
RSA SecurID Software Authenticator desktop application
Usage overview
Before you need to use it, install the Software Authenticator desktop application as described in “Installation procedure” on page 6.
Note: Software Authenticator should be installed on specified Windows systems only. With the introduction of Enginuity release 5772, this included Windows 2000 Professional (SP2 and higher) and Windows XP Professional.
To prepare for a service event requiring access to a Symmetrix service processor, an onsite EMC service professional must authenticate his or her identity to the customer’s satisfaction, and identify the serial number of the Symmetrix service processor in need of service.
The customer gives the service professional access to the PC where the Software Authenticator desktop application is installed and secured by the customer, as well as the passphrase controlling access to one or more Symmetrix records loaded into the Authenticator.
The onsite service professional then enters his or her PIN in the Authenticator desktop application GUI to generate a passcode. The service professional applies this passcode and corresponding PIN to gain access to the relevant service processor. This individual will then service the Symmetrix, using the CE role that is linked to that token record.
Installation procedure
1. On the computer where you will install the RSA SecurID Software Authenticator application, navigate to the EMC RSA website:
http://www.rsasecurity.com/node.asp?id=1162
2. Click Download RSA SecurID Token for Windows Desktops near the bottom of the web page.
Note: RSA identifies the Software Authenticator application as a Token. Do not confuse this with the EMC token types and tokens (data files) described in Table 1, “Service Credential token types,” on page 4.
An email entry window appears.
3. Enter your email address, and click Submit.
A new submission form (not shown here) will appear.
4. Fill out this form, making sure to include all required fields, which are highlighted in red. Click Submit.
The RSA SecurID Token for Windows Desktops installation page appears, as shown in Figure 2 on page 7.
Figure 2 RSA SecurID Token download page
5. Follow instructions on this page to download and unzip the package to your installation location. If you are not already at the installation location, go there now.
6. Double click setup.exe, and follow the prompts provided by this installation setup application. Click Finish.
7. Navigate to the folder below, and open file SecurID.exe:
C:\Program Files\RSA Security\RSA SecurID Software Token\
Or, select Start > Programs > RSA SecurID Software Token > RSA SecurID Software Token.
The SecurID software token GUI appears. See Figure 3 on page 7.
Figure 3 RSA SecurID Token interface
8. From the token interface, select File > Import Tokens.
This menu item allows you to import multiple SDTID files into the RSA SecurID Software Token application.
9. Navigate to the SDTID file created during token provisioning.
Note: This file is located on transportable media.
10. Click Open to read in the file.
A prompt appears for the SDTID password. See Figure 4, “Software Token API,” on page 8.
Figure 4 Software Token API
11. Enter the password and click OK.
Setting a token passphrase
The procedure below, although optional, is a recommended best practice with an emergency solution token.
About the passphrase
A passphrase is similar to a password except that a passphrase can contain spaces. For example, “my secret phrase” is a valid passphrase. A passphrase can contain up to 32 characters.
Note: Do not confuse the token passphrase, which protects access to one or more of the entries of Symmetrix records loaded into the SecurID Software Authenticator desktop application, with the service professional’s PIN or the generated password that protects the transport of the SDTID file that was created initially during setup.
Setting a token passphrase provides extra security for your token. Once a token passphrase is used, you will be prompted to enter it whenever:
◆ The last token used was passphrase protected and you start the software token application
◆ You select a passphrase-protected token and use it for authentication
Passphrase setting procedure
1. Select Tools > Set Token Passphrase.
The Set Token Passphrase window appears as shown in Figure 5, “Set Token Passphrase window,” on page 9.
Figure 5 Set Token Passphrase window
2. Enter your New Passphrase, re-enter it in the Confirm field, and click OK.
Note: You can remove a passphrase by entering your current passphrase, but leaving the New Passphrase and Confirm boxes blank.
An Operation Successful confirmation message will appear upon completion.
Service Credential and the Symmetrix Audit Log
Diagnostic log
This log corresponds to the traditional Symmetrix Audit Log provided before the release of Enginuity 5772. It is continued with release 5772, but only the security audit log captures Service Credential activity.
Security audit log
Symmetrix security-related system events are logged into the security audit log—also known as the Symmetrix Audit Log, as it is referred to from here on. The Symmetrix Audit Log provides a comprehensive, tamper-proof view of management and support actions on the applicable Symmetrix system. It records major activities on the Symmetrix, including host-initiated actions, physical component changes, actions on the service processor, and any attempts blocked by security controls such as Symmetrix Access Control. Recorded events include CE login, Symmetrix CLI activities, and data erasure status. Log contents cannot be altered, and read access is authorized with the specified Auditor role in Solutions Enabler 6.4 (released in conjunction with Enginuity 5772).
With the addition of the RSA enVision enterprise product in your infrastructure, you can consolidate Symmetrix audit logs with other enterprise logs for long-term analysis and storage for management and compliance purposes.
Log format
Figure 6, “Symmetrix Audit Log entry example,” on page 10 provides an example Symmetrix security audit log entry as displayed by the symaudit CLI. Fields important to Service Credential are in bold.
Table 2, “Symmetrix Audit Log symaudit format,” on page 11 provides examples and descriptions for the fields in Symmetrix Security Audit Log entries.
Figure 6 Symmetrix Audit Log entry example
Record Number : 36
Records in Seq : 1
Offset in Seq : 1
Time : 03/02/07 22:25:38
Vendor ID : EMC Corp
Application ID : SWIN.swls
Application Version : UNA.UNA.0.0
API Library : SYMMWIN
API Version : 1.0.2616.210
Host Name : ENGBOX
OS Name : WinNT-SP
OS Revision : 5.0.2195.0
Client Host :
Process ID : 00000000
Task ID : 00000000
Function Class : Security
Action Code : Connect
Text : Connect Success: Remote user 55 connected. Role - PSE. Activity - Maintenance/BreakFix.
Username : 55
Activity ID :
Table 2 Symmetrix Audit Log symaudit format

Variable: Record Number
Example: 36
Description: This integer starts at 1, and is incremented by 1 with the creation of each new audit log record.

...

Variable: Time
Example: 03/02/07 22:25:38
Description: MM/DD/YY HH:MM:SS. Time on the host: Symmetrix time, HH range: 00–23.

Variable: Vendor ID
Example: EMC Corp
Description: Almost always “EMC Corp”.

Variable: Application ID
Example: SWIN.swls
Description: Which application triggered the log entry:
  GINA = swls.GINA
  EMCRemote = SWIN.swls
  SSCKeyClient = SWIN.swls
  SymmWin = SWIN.swls

...

Variable: Host Name
Example: ENGBOX
Description: The network name of the host generating the record. This name is unique for each host and thus allows host identification.
  Internally generated records: Symmetrix Serial Number
  Service Processor: EMC SP 1
  Mainframe: System Serial Number

Variable: Client Host
Example:
Description: If the hostname is a server acting on behalf of a client system, then the name of the client system is placed in this field. Values for this field are generated as are the hostname values.

...

Variable: Function Class
Example: Security
Description: Class, or major functional area, of action being performed. For SymmWin scripts, these classes include: CfgChg, Maint, RDF, Recover.

Variable: Action Code
Example: Connect
Description: Subordinate action in a Function Class being performed. The kinds of actions include: successful connection, failed connection, loss of connection, reboot, file transfer, configuration change, installation, uninstallation of tokens.
For SymmWin scripts and their Function Classes, these action codes include:
  CfgChg: Create, CodeLoad, Convert, Expand, Map, Migrate, Set, Swap, VTOC
  Maint: Add, CodeLoad, NotRdy, Ready, Remove, Replace, Sparing
  RDF: Sync
  Recover: Scan

Variable: Text
Example: Connect Success: Remote user 55 connected. Role - PSE. Activity - Maintenance/BreakFix.
Description: Free-form text description of action being performed. Also provides additional information about transactions from SSCKeyClient.

Variable: Username
Example: User3
Description: The name of the logged-in user responsible for issuing the command that triggered the record.

...
Log reading with symaudit command
You can extract log entries from the Symmetrix Audit Log by using its symaudit CLI command. You can access the log for Service Credential information by using the following symaudit features:
NAME symaudit
Allows the user to extract records from a Symmetrix audit log file to determine what application on what host initiated actions that caused Symmetrix behavior.
Provides a monitor option for displaying the records as they are written to the log file. Provides the ability to determine the date and time of the current log file data and its size.
SYNOPSIS
symaudit list -sid <SymmID> [-text | -v] [-h]
    [-function_class [-exclude] <ClassName>[, <ClassName>, ...]]
    [-action_code [-exclude] <ActionName>[, <ActionName>, ...]]
    [-host <HostName>] [-vendor_id <VendorId>]
    [-application_id <ApplId>[, <ApplId>, ...]]
    [-activity_id <ActivityId>]
    [-symdev_range <StartDevname>:<EndDevname>]
    [-start_date <date_time>] [-end_date <date_time>]
    [-record_num <RecordNumber>] [-n <RecordCount>] [-last_n <RecordCount>]
    [-user <UserName>]
symaudit monitor -sid <SymmID> [-text | -v] [-h] [-i Interval] [-c Count]
symaudit show -sid <SymmID> [-h]
ARGUMENTS
list Lists the extracted audit log records.
monitor Monitors the Symmetrix array for new audit log data in real time.
show Shows the time period and quantity of data in the audit log file.
DESCRIPTION Use the symaudit command to retrieve information from the Symmetrix Audit Log file. Data is written to this audit file during control operations initiated by host applications. The audit file merges activity from all hosts into one file.
The symaudit command can filter the extracted data by using options that specify match criteria. The options include hostname, application name, function class, and action code. A combination of filters can be used.
The monitor action causes the command to run in the foreground polling the Symmetrix for new audit log records at the interval in seconds that you specified, either until the iteration count is satisfied or the program is stopped. Verbose mode (-v) provides a more detailed output.
OPTIONS applicable to Service Credential
-action_code Filters the audit log records so that only the records containing the specified action code return.
-application_id Filters the audit log records so that only the records generated by the specified application(s) return.
-c Specifies the number (count) of times to poll for data. If this option is not specified, the audit log is polled continuously.
-end_date Indicates the date and time of the last audit log record to display. The format is [mm/dd[/yy]]:[hh:mm[:ss]]. If only the hh:mm is provided, the current day is assumed. If only mm/dd is provided, the current year is assumed. A four-digit year can also be specified. If no time is specified, it will default to 0:0:0, the very beginning of the day. If the end_date and the -n options are omitted, the output continues until the end of file.
-function_class Filters the audit log records so that only the records belonging to the specified function_class return.
-h Provides brief, online help information.
-host Filters the audit log records so that only the records generated from the specified host return.
-i Specifies the repeat interval in seconds. The default interval is 30 seconds. The minimum interval is 5 seconds.
-last_n Specifies the number of most recent records to display.
-n Specifies the number of records to display.
-record_num Indicates at which record number in the audit log to start processing.
-sid Specifies the Symmetrix ID of the Symmetrix audit log file to process.
-start_date Indicates the date and time of the first audit log record to display. Format is [mm/dd[/yy]]:[hh:mm[:ss]]. If only the hh:mm is provided, the current day is assumed. If only mm/dd is provided, the current year is assumed. A four-digit year can also be specified. If no time is specified, it will default to 0:0:0, the very beginning of the day.
-text Indicates that the text associated with the audit log record should be displayed.
-user Filters the audit log records so that only the records containing the specified username return.
-v Provides a more detailed, verbose listing.
-vendor_id Filters the audit log records so that only the records containing the specified vendor_id are returned.
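The [mm/dd[/yy]]:[hh:mm[:ss]] rules above are easy to misapply: an -end_date given without a time resolves to 0:0:0 of that day, so a list that ends at 7/11 stops before the first record of July 11. The following Python is an added example, not code from the guide or from Solutions Enabler; it applies exactly the defaults the OPTIONS text states, with "now" pinned to 07/11/2006 13:40:37 so the results are reproducible. The function names are the example's own, and treating a two-digit year as 20yy is an assumption the guide does not state.

```python
"""Resolve symaudit -start_date / -end_date values to absolute timestamps.

Added example; not code from the guide or from Solutions Enabler. It applies
the defaulting rules the OPTIONS text gives for [mm/dd[/yy]]:[hh:mm[:ss]].
"""
import re
from datetime import datetime

# [mm/dd[/yy]], an optional ':' separator, then [hh:mm[:ss]]; either half may be absent.
# The 4-digit year alternative is tried first so 7/11/2006:9:42 is not read as year 20.
_SPEC_RE = re.compile(
    r"^(?:(?P<mm>\d{1,2})/(?P<dd>\d{1,2})(?:/(?P<yy>\d{4}|\d{2}))?)?"
    r":?(?:(?P<hh>\d{1,2}):(?P<mi>\d{1,2})(?::(?P<ss>\d{1,2}))?)?$"
)

# 'Now' pinned to the Ending date of the symaudit show output in the guide's
# example 1, so the results below are reproducible.
EXAMPLE_NOW = datetime(2006, 7, 11, 13, 40, 37)


def resolve_symaudit_time(spec: str, now: datetime = EXAMPLE_NOW) -> datetime:
    """Documented defaults: no date -> current day, no year -> current year,
    no time -> 0:0:0 (the very beginning of the day).
    Assumption not stated in the guide: a two-digit year means 20yy."""
    m = _SPEC_RE.match(spec.strip())
    if not m or not (m.group("mm") or m.group("hh")):
        raise ValueError(f"not a [mm/dd[/yy]]:[hh:mm[:ss]] value: {spec!r}")
    year = now.year
    if m.group("yy"):
        yy = int(m.group("yy"))
        year = yy if yy >= 100 else 2000 + yy
    return datetime(
        year,
        int(m.group("mm") or now.month),
        int(m.group("dd") or now.day),
        int(m.group("hh") or 0),
        int(m.group("mi") or 0),
        int(m.group("ss") or 0),
    )


def resolve_iso(spec: str, now: datetime = EXAMPLE_NOW) -> str:
    """Same as resolve_symaudit_time, rendered as 'YYYY-MM-DD HH:MM:SS'."""
    return resolve_symaudit_time(spec, now).isoformat(sep=" ")


def audit_window(start_spec: str, end_spec: str, now: datetime = EXAMPLE_NOW):
    """Resolve both ends of a -start_date/-end_date pair and reject an
    inverted window before it is handed to symaudit."""
    start = resolve_symaudit_time(start_spec, now)
    end = resolve_symaudit_time(end_spec, now)
    if end < start:
        raise ValueError(f"end {end} precedes start {start}")
    return start, end


if __name__ == "__main__":
    for spec in ("7/11:9:40", "9:40", "7/11", "05/26/06:12:55:39", "5/26/2006"):
        print(f"{spec:>18} -> {resolve_iso(spec)}")
    print("window:", *audit_window("7/11:9:40", "7/11:9:45"))
```

Running it prints the resolved timestamp for each date form the OPTIONS text allows; note that "7/11" on its own resolves to 00:00:00, which is the case to watch when it is used as the -end_date.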
PARAMETERS applicable to Service Credential
ActionName The name of a control action associated with an audit log entry. These are not case sensitive. Example action names include but are not limited to:
Commit, Connect, Disconnect, FileTrf, Login, Logout, TokenMgt
ApplId The name of an application whose activity generated audit log entries.
ClassName The name of a functional class area. These are not case sensitive. Possible class names include but are not limited to:
CfgChg, Maint, Security
HostName The name of the host system whose application generated the audit log entry.
RecordCount A count of the number of audit log records that should be returned.
RecordNumber A record sequence number that is within the audit log file's current range.
SymmID The 12-digit ID of the Symmetrix array.
VendorId The name of the vendor that produced the application whose activity generated audit log entries.
RETURN CODES
Code Number  Code Symbol
0   CLI_C_SUCCESS
1   CLI_C_FAIL
19  CLI_C_GK_IS_LOCKED (All GateKeepers to the Symmetrix array are currently locked.)
EXAMPLES
1. To show the time period and information for a specific array's audit log, enter:
symaudit -sid 04 show
The following output is returned:
A U D I T L O G D A T A
Symmetrix ID : 000000006204
Starting date : 05/26/2006 12:55:39
Ending date : 07/11/2006 13:40:37
Starting record number : 175500
Ending record number : 237198
Total record count : 61699
2. To list all audit log entries matching several functional classes, enter:
symaudit -sid 04 list -function_class CfgChg, Security
3. To list all audit log entries which are not of several action code types, enter:
symaudit -sid 04 list -action_code -exclude Init, Add
4. To list audit log entries made by a certain user from a certain host, within a given record range, enter:
symaudit -sid 04 list -user root -host myHost -record 200 -n 100
5. To list detailed audit log entries for a specific array within a certain time period, enter:
symaudit -sid 04 list -v -start_time 7/11:9:40 -end_time 7/11:9:45
The following output is returned:
A U D I T L O G D A T A
Symmetrix ID : 000000006204
Record Number : 237178
Records in Seq : 1
Offset in Seq : 1
Time : 07/11/06 09:42:37
Vendor ID : EMC Corp
Application ID : SYMAUTH
Application Version : 6.4.0.10
API Library : SDK
API Version : X6.4.0.10 (Edit Level: 810)
Host Name : api196
OS Name : SunOS
OS Revision : 5.8Generic
Client Host :
Process ID : 00001235
Task ID : 00000001
Function Class : ACCESS
Action Code : Set
Text : Starting a User Authorization operation to modify settings: Enforcement Policy [enforce]
Username : H:api199\ruggip
Activity ID : SE57a9e3d8d8

Record Number : 237179
Records in Seq : 1
Offset in Seq : 1
Time : 07/11/06 09:42:37
Vendor ID : EMC Corp
Application ID : SYMAUTH
Application Version : 6.4.0.10
API Library : SDK
API Version : X6.4.0.10 (Edit Level: 810)
Host Name : api196
OS Name : SunOS
OS Revision : 5.8Generic
Client Host :
Process ID : 00001235
Task ID : 00000001
Function Class : ACCESS
Action Code : Set
Text : The User Authorization modify settings operation SUCCEEDED
Username : H:api196\ruggip
Activity ID : SE57a9e3d8d8
Symmetrix Audit Log Service Credential entry examples
EMCRemote log entries
Table 3 Symmetrix Audit Log entries – EMCRemote

Access (Function Class : Security)

Connect (success):
Record Number : 120
Records in Seq : 1
Offset in Seq : 1
Time : 03/08/07 14:06:01
Vendor ID : EMC Corp
Application ID : SWIN.swls
Application Version : UNA.UNA.0.0
API Library : SYMMWIN
API Version : 1.0.2616.210
Host Name : ENGBOX
OS Name : WinNT-SP
OS Revision : 5.0.2195.0
Client Host :
Process ID : 00000000
Task ID : 00000000
Function Class : Security
Action Code : Connect
Text : Connect Success: Remote user 55 connected. Role - PSE.
Username : 55
Activity ID :

Connect (failure):
Action Code : Connect
Text : Connect Failed: Invalid credential.
Username : Unknown

Connection lost:
Action Code : Disconnect
Text : Connect Lost: Remote user 55 lost connection.
Username : Unknown

Disconnection:
Action Code : Disconnect
Text : Disconnect: Remote user 55 disconnected.
Username : 55

Login (attempt):
Action Code : Login
Text : Login Attempt: Remote user 55 attempted to autologin to Windows.

Reboot:
Action Code : Disconnect
Text : Reboot: Remote user 55 rebooted SP

File transfer (Function Class : Maint)

Rename:
Action Code : FileTrf
Text : Remote user 55 renamed C:\New Folder to new temp

Delete File:
Action Code : FileTrf
Text : Remote user 55 deleted file C:\new temp\logall_date051207_time020202.log

Create New File:
Action Code : FileTrf
Text : Remote user 55 created new file C:\new temp\logall_date051207_time020202.log

Retrieve File:
Action Code : FileTrf
Text : Remote user 55 retrieved file C:\EMC\SLC\SLCKeyClient\ssckc.log

Delete Directory:
Action Code : FileTrf
Text : Remote user 55 deleted directory C:\new temp

Overwrite existing file:
Action Code : FileTrf
Text : Remote user 55 overwrote existing file C:\EMC\SLC\SLCKeyClient\ssckc.log

File Transfer:
Action Code : FileTrf
Text : 1048624 bytes copied successfully. Elapsed time: 00:00:08

Configuration (Function Class : Cfgchg)

Caller List Settings are Saved:
Action Code : Commit
Text : Caller List settings are saved

Caller Settings are saved:
Action Code : Commit
Text : Caller Settings are saved

General Options are changed:
Action Code : Commit
Text : General Options are changed

Performance Options are changed:
Action Code : Commit
Text : Performance Options are changed

Security Options are changed:
Action Code : Commit
Text : Security Options are changed

Login Options are changed:
Action Code : Commit
Text : Login Options are changed

Device Settings are changed:
Action Code : Commit
Text : Device Settings are changed

Configuration Wizard settings are saved:
Action Code : Commit
Text : Configuration Wizard settings are saved

GINA log entries
Table 4 Symmetrix Audit Log entries – GINA

Access Messages

Login (success):
Record Number : 1703
Records in Seq : 1
Offset in Seq : 1
Time : 01/22/07 11:32:54
Vendor ID : EMC Corp
Application ID : swls.GINA
Application Version : 0001.0000..
API Library : Unknown
API Version :
Host Name :
OS Name : N/A
OS Revision :
Client Host :
Process ID : 00000000
Task ID : 00000000
Function Class : Security
Action Code : Login
Text : Login Success: admin logged into application GINA with role of 11
Username : admin
Activity ID :

Login (failure):
Action Code : Login
Text : Login Failed: user123 request to log into application GINA failed authentication check
Username : user123

Logout:
Action Code : Logout
Text : Logout: 55 logged out of application GINA
SSCKeyClient log entries
Table 5 Symmetrix Audit Log entries – SSCKeyClient

Startup:
Record Number : 48
Records in Seq : 1
Offset in Seq : 1
Time : 03/02/07 22:37:41
Vendor ID : EMC Corp
Application ID : SWIN.swls
Application Version : UNA.UNA.0.0
API Library : SYMMWIN
API Version : 1.0.2616.210
Host Name : ENGBOX
OS Name : WinNT-SP
OS Revision : 5.0.2195.0
Client Host :
Process ID : 00000000
Task ID : 00000000
Function Class : Security
Action Code : TokenMgt
Text : EMC Corporation Secure Service Credential Token Management SSCKeyClient 1.0.0.10 started by local username 55(84fc64c3e5644a529aec0449147ecef4)
Username : 55
Activity ID :

Add Token (success):
Action Code : TokenMgt
Text : Success to add SSC token Site for userid 55(228c5ed9457a4e5c9c7ebd91a98a855c)

Add Token (failure):
Action Code : TokenMgt
Text : Failed to add SSC token Site. Username 55 canceled add SSC token.(fccd5da6bddb4644b7993c1cb9161117)

Delete Token (success):
Action Code : TokenMgt
Text : Success to delete token type Site token serial number 40816354(84fc64c3e5644a529aec0449147ecef4)

Add Software Token (success):
Action Code : TokenMgt
Text : Success to add software token SecureEMR by username Admin(de8cfe65851c4f0f80fb1137b1f5032f)

Set PIN for Software Token (success):
Action Code : TokenMgt
Text : Success to set PIN using SSC credential for software token type SecureEMR 40816356(0877da5eec644d49a9c8ecdf9e823785)

Set New PIN (success):
Action Code : TokenMgt
Text : Validate SSC for set PIN success for user: 55(0877da5eec644d49a9c8ecdf9e823785)

Set New PIN (failure):
Action Code : TokenMgt
Text : Valdiate SSC for set PIN failed. Your role does NOT authorize you to set new PIN(60952e61041b4365be4e6838ab690074)
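The entries in Tables 3 to 5, together with the note under "Emergency solution" that the emergency path logs the token serial number in place of the username, are what a reviewer actually has to search for in symaudit output. The following Python is an added example, not code from the guide or from EMC: it parses the field-per-line record layout (including a Text value wrapped onto a second line, as in Figure 6) and then selects emergency logins, failed credential checks and token add/delete events. The sample records are constructed from the guide's own example entries; record 50, a login recorded under the SecureEMR serial, is made up for illustration, and the function names are the example's own rather than anything in Solutions Enabler.

```python
"""Parse symaudit output and pull out the Service Credential events to review.
Added example, not code from the guide or from EMC: it reads the field-per-line
record layout of Figure 6 and Tables 3-6 and applies review points the guide makes."""
import re

# Field names exactly as symaudit prints them (Table 2 order).
FIELDS = ("Record Number", "Records in Seq", "Offset in Seq", "Time", "Vendor ID",
          "Application ID", "Application Version", "API Library", "API Version",
          "Host Name", "OS Name", "OS Revision", "Client Host", "Process ID",
          "Task ID", "Function Class", "Action Code", "Text", "Username", "Activity ID")
_FIELD_RE = re.compile(r"^(%s)\s*:\s?(.*)$" % "|".join(map(re.escape, FIELDS)))
_SECURE_EMR_RE = re.compile(r"SecureEMR\s+(\d+)")


def parse_records(text):
    """One dict per blank-line-separated record. A line not starting with a known
    field continues the previous field (reassembling a wrapped Text line, as in
    Figure 6); lines before the first field (banner, Symmetrix ID) are skipped."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        m = _FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key is not None:
            current[last_key] = f"{current[last_key]} {line}".strip()
    if current:
        records.append(current)
    return records


def secure_emr_serials(records):
    """Serials of SecureEMR software tokens, from the TokenMgt entries that name one."""
    serials = set()
    for r in records:
        if r.get("Action Code") == "TokenMgt":
            serials.update(_SECURE_EMR_RE.findall(r.get("Text", "")))
    return serials


def emergency_access(records, known_serials=()):
    """Break-the-glass logins. The guide states that with the emergency solution the
    token serial number is logged in place of the username, so a Security-class
    Connect or Login whose Username is a SecureEMR serial is one."""
    serials = secure_emr_serials(records) | set(known_serials)
    return [r for r in records if r.get("Function Class") == "Security"
            and r.get("Action Code") in ("Connect", "Login") and r.get("Username") in serials]


def failed_access(records):
    """Connections or logins that failed the credential check (Tables 3, 4 and 6)."""
    return [r for r in records if r.get("Function Class") == "Security" and
            r.get("Text", "").startswith(("Connect Failed", "Login Failed", "Login Failure"))]


def token_changes(records):
    """TokenMgt entries that added or deleted a token, i.e. changed which credentials
    the service processor accepts from then on."""
    return [r for r in records if r.get("Action Code") == "TokenMgt"
            and re.search(r"Success to (add|delete)", r.get("Text", ""))]


# Constructed sample, trimmed to the fields used here. Records 36 and 48 follow the
# guide's examples, 37 and 49 reuse its Text strings, and record 50 is a made-up
# emergency login through the SecureEMR token.
SAMPLE = """\
A U D I T L O G D A T A

Record Number : 36
Time : 03/02/07 22:25:38
Function Class : Security
Action Code : Connect
Text : Connect Success: Remote user 55 connected. Role - PSE. Activity -
Maintenance/BreakFix.
Username : 55
Activity ID :

Record Number : 37
Function Class : Security
Action Code : Connect
Text : Connect Failed: Invalid credential.
Username : Unknown

Record Number : 48
Function Class : Security
Action Code : TokenMgt
Text : Success to set PIN using SSC credential for software token type SecureEMR 40816356(0877da5eec644d49a9c8ecdf9e823785)

Record Number : 49
Function Class : Security
Action Code : TokenMgt
Text : Success to delete token type Site token serial number 40816354(84fc64c3e5644a529aec0449147ecef4)

Record Number : 50
Application ID : swls.GINA
Function Class : Security
Action Code : Login
Text : Login Success: 40816356 logged into application GINA with role of 11
Username : 40816356
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for label, hits in (("emergency", emergency_access(recs)), ("failed", failed_access(recs)),
                        ("token changes", token_changes(recs))):
        print(f"{label:>13}: {', '.join(r.get('Record Number', '?') for r in hits) or '-'}")
```

Feed it the output of symaudit list -v (or -text) and it reports record numbers per category; the known_serials argument lets a site supply SecureEMR serials that were provisioned before the audit window being reviewed, since those will not appear in a TokenMgt entry within it.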
SymmWin log entries
Table 6 Symmetrix Audit Log entries – SymmWin

Access

Event type: Login (success)
Example:
  Record Number : 39
  Records in Seq : 1
  Offset in Seq : 1
  Time : 03/02/07 22:31:45
  Vendor ID : EMC Corp
  Application ID : SWIN.swls
  Application Version : UNA.UNA.0.0
  API Library : SYMMWIN
  API Version : 1.0.2616.210
  Host Name : ENGBOX
  OS Name : WinNT-SP
  OS Revision : 5.0.2195.0
  Client Host :
  Process ID : 00000000
  Task ID : 00000000
  Function Class : Security
  Action Code : Login
  Text : Login Success: User 55 logged into application Symmwin with role of ENG_ENG.
  Username : 55
  Activity ID :

Event type: Login (failure)
Example:
  Action Code : Login
  Text : Login Failure: User request to log into application Symmwin failed authentication check.
  Username :

Event type: Logout (normal)
Example:
  Action Code : Logout
  Text : Logout: User 55 logged out of application Symmwin.
  Username : 55

Event type: Logout (timeout)
Example:
  Action Code : Disconnect
  Text : Disconnect: Remote user 55 disconnected.
  Username : 55

Scripts logging to the message queue

Function Class : Maint

Event type: Replace Disk
Example:
  Action Code : Sparing
  Text : Replacing disk in location: 004

Event type: Replace Adapter
Example:
  Action Code : Replace
  Text : director/adapter/febe/lcc/xcm

Event type: Remove Memory
Example:
  Action Code : Remove
  Text : director/memory

Event type: Add Memory
Example:
  Action Code : Add
  Text : memory

Event type: Code Load
Example:
  Action Code :
  Text : CodeLoad

Event type: Sparing
Example:
  Action Code :
  Text : Sparing

Event type: Not Ready
Example:
  Action Code :
  Text : NotRdy

Event type: Ready
Example:
  Action Code :
  Text : Ready

Function Class : CfgChg

Event type: Online VTOC
Example:
  Action Code : VTOC
  Text : online VTOC

Event type: Add/Remove Migration Mode
Example:
  Action Code : Migrate
  Text : remove/add migration mode

Event type: Dynamic RDF
Example:
  Action Code : Set
  Text : devices dynamic RDF

Event type: Convert Devices
Example:
  Action Code : Convert
  Text : convert devices BCV/DRV/static RDF

Event type: Meta Expansion
Example:
  Action Code : Expand
  Text : meta expansion

Event type: Create Symm Devices
Example:
  Action Code : Create
  Text : craete symm devices

Event type: Code Load
Example:
  Action Code :
  Text : CodeLoad

Event type: Swap Optimizer
Example:
  Action Code : Swap
  Text : Optimizer swap

Function Class : RDF

Event type: Recover Scan
Example:
  Action Code : Sync
  Text : Recover Scan
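The SSCKeyClient and SymmWin entries above share one "Field : value" layout, and the only thing that separates a successful token operation from a failed one is the wording of the Text field, since both carry Action Code TokenMgt. The following parser and review rules are an added example, not code from this guide or from EMC. It assumes an export with one field per line and a blank line between records (the guide does not describe an export format), the sample records are constructed from the table rows, and the severity labels are the example's own.

```python
import re
from datetime import datetime

# Constructed sample export.  Record 48 reuses fields of the Table 5 Startup
# entry; records 49-51 reuse the Action Code / Text wording of other rows.
SAMPLE_EXPORT = """\
Record Number : 48
Time : 03/02/07 22:37:41
Application ID : SWIN.swls
Host Name : ENGBOX
OS Name : WinNT-SP
OS Revision : 5.0.2195.0
Client Host :
Function Class : Security
Action Code : TokenMgt
Text : EMC Corporation Secure Service Credential Token Management SSCKeyClient 1.0.0.10 started by local username 55(84fc64c3e5644a529aec0449147ecef4)
Username : 55
Activity ID :

Record Number : 49
Time : 03/02/07 22:38:02
Action Code : Login
Text : Login Failure: User request to log into application Symmwin failed authentication check.
Username :

Record Number : 50
Time : 03/02/07 22:39:10
Action Code : TokenMgt
Text : Success to delete token type Site token serial number 40816354(84fc64c3e5644a529aec0449147ecef4)
Username : 55

Record Number : 51
Time : 03/02/07 22:40:00
Action Code : TokenMgt
Text : Valdiate SSC for set PIN failed. Your role does NOT authorize you to set new PIN(60952e61041b4365be4e6838ab690074)
Username : 55
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s?(.*)$")   # "Field : value"
TRAILING_ID_RE = re.compile(r"\(([0-9a-f]{32})\)\s*$")  # id SSCKeyClient appends to Text


def parse_records(export_text):
    """Split the export into records; each record maps field name -> value."""
    records, current = [], {}
    for line in export_text.splitlines():
        if not line.strip():          # a blank line ends the current record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:                         # lines that are not "Field : value" are skipped
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def parse_time(record):  # Time is MM/DD/YY HH:MM:SS in the examples (UTC on the SP)
    t = record.get("Time")
    return datetime.strptime(t, "%m/%d/%y %H:%M:%S") if t else None


def classify(record):
    """Return (severity, reason) for records worth a second look, else None.
    The matched wording comes from the tables; the severities are assumed."""
    action, text = record.get("Action Code", ""), record.get("Text", "")
    if action == "Login" and "Login Fail" in text:   # GINA and SymmWin variants
        return ("medium", "failed authentication")
    if action == "TokenMgt":
        if text.startswith("Success to delete token"):
            return ("high", "authentication token removed")
        if "does NOT authorize" in text:
            return ("medium", "role check rejected a PIN change")
        if text.startswith("Failed to"):
            return ("low", "token operation did not complete")
    return None


def review(export_text):
    """Parse an export and return the flagged records in log order."""
    flagged = []
    for rec in parse_records(export_text):
        verdict = classify(rec)
        if verdict:
            m = TRAILING_ID_RE.search(rec.get("Text", ""))
            flagged.append({"record": rec.get("Record Number"),
                            "time": parse_time(rec),
                            "user": rec.get("Username") or "<none>",
                            "severity": verdict[0], "reason": verdict[1],
                            "id": m.group(1) if m else None})
    return flagged


if __name__ == "__main__":
    for f in review(SAMPLE_EXPORT):
        print(f"{f['time']} rec {f['record']} [{f['severity']}] {f['reason']} "
              f"user={f['user']} id={f['id']}")
```

The 32-hex-digit identifier that SSCKeyClient appends to its Text field is carried through because the tables show it repeating across related entries (the Startup and Delete Token examples share 84fc64c3e5644a529aec0449147ecef4, and the two Set PIN entries share 0877da5eec644d49a9c8ecdf9e823785), which makes it the natural key for grouping one SSCKeyClient session when reviewing a long log. Empty fields such as Client Host and Username on a failed login are kept as empty strings rather than dropped, so a missing username shows up as "<none>" in the review list instead of silently disappearing.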
Adoption of UTC time
Note: UTC, or Coordinated Universal Time, is the same as GMT (Greenwich Mean Time) except that it does not use daylight savings time (DST).
Service processors (1U servers) now use UTC. These are the major reasons for this change:
Daylight Savings Time

Changeovers between standard and daylight savings time (DST) will not interfere with the coordination between servers and clients because UTC does not observe DST.

Log entry timestamp consistency

With this code release, the Symmetrix Audit Log will show a consolidated view of the traditional Symmetrix actions that you are accustomed to seeing along with the service security logs from the service processor.
The timestamp of the Symmetrix Audit Log entries comes from the Symmetrix director time, not from that of the service processor. This enables users to see the service security actions in the context of the storage actions in the same Symmetrix Audit log. The service processor UTC-based events will then be translated to director time on the array for consistency.
Service processor Local Host Administration account

On the service processor there are three authentication domains a user can select to gain access:
SLC — Requires a valid Service Credential and password.
FOB — Requires a valid Software Authenticator passcode and PIN.
Local Host — Uses default, editable login username and password.
The purpose of the Local Host domain is to allow customer security personnel access. It cannot be used for remote access—only users who are onsite can authenticate using this domain login.
The default Local Host login username and password can be changed as described in “Changing Local Host default login” on page 25.
Figure 7 GINA for Secure Credential
IMPORTANT! EMC does not maintain Windows usernames or passwords. If you lose or forget either of these login items, EMC cannot reset it; your only option in that case is to re-image the service processor. Please engage your security team, and make sure this login information is in a safe place to prevent a possible disruption.
Changing Local Host default login

1. Log in to the domain.
2. Press Ctrl-Alt-Delete and click Change Password to display the screen shown in Figure 8, “Windows 2000 Change Password dialog box,” on page 25.
Figure 8 Windows 2000 Change Password dialog box
3. Change the User name or Old Password or both.
4. Test the new login values.
Determining which tokens are installed

This procedure allows you to review and confirm, using SSCKeyClient, which tokens have been installed on your service processor. Each installed token indicates its particular authentication method.
1. Log in to the service processor in the Local Account domain using your appropriate username and password.
2. Double-click the icon labeled SLCKeyClient.
3. On the opening screen, click Next to see the Token Management screen in Figure 9, “SSCKeyClient wizard: Token Management screen,” on page 26.
Figure 9 SSCKeyClient wizard: Token Management screen
4. Select the option List installed tokens to see the List Current Installed Tokens screen as shown in Figure 10, “SSCKeyClient wizard: List Currently Installed Tokens screen,” on page 27.
Figure 10 SSCKeyClient wizard: List Currently Installed Tokens screen
See “Token types” on page 4 for a description of the various tokens that may be installed.
Copyright © 2007 EMC Corporation. All rights reserved.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.All other trademarks used herein are the property of their respective owners.