I have a strong dislike for auditing. It’s a time-consuming process. But if you use the right systems management tools, it doesn’t need to be. Microsoft’s Infrastructure Optimization model and Dynamic Systems Initiative preach automation and expertise built into the network, and the latest generation of System Center allows for this. Microsoft released a short white paper that looks at data centre auditing. It’s not something I’d really considered until the last few months.
Network and some *NIX administrators have long used SYSLOG tools. The idea is that all events are forwarded to a central store. It gives a synchronised view of what is happening across a multitude of devices, which helps with diagnostics. But from an auditor’s point of view, it gives an audit trail of who did what and when. You can get this sort of functionality going with Windows as well. I’m not a network or *NIX admin, but I’m guessing their security logs are not that different from those on a Windows box, i.e. lots of noise, and they require significant time to filter through to figure out what was really going on.
System Center Operations Manager (SCOM or OpsMgr) 2007 includes Audit Collection Services (ACS). I first heard of ACS at TechEd Europe in Amsterdam in 2004. It was going to be a standalone tool, but after a lengthy delay it finally saw the light as a part of OpsMgr. You can turn on ACS on your OpsMgr agents to enable centralised security logging for Windows platforms. What makes it different from SYSLOG is that Microsoft’s developers have identified the important events that illustrate what is going on, and only those events are forwarded to the ACS database. The ACS database is separate from the rest of the OpsMgr databases, so you can permission it differently, i.e. only your auditors or security staff would have access to it if required.
I don’t know if the new Cross Platform Extensions for OpsMgr will allow for ACS on Linux platforms. I suspect that they won’t. Either way, you’re still going to need SYSLOG for your network devices. From what I’m seeing recently, network monitoring tools (which are often freeware) seem to run and be supported best on Linux. Yes, you read that on my blog … something running best on Linux. I am open to non-MS products!
That’s great for monitoring your security activities, but that’s only half of the story. You also need to build a secure and regulatory-compliant infrastructure and maintain that integrity. I knew a security consultant in Germany who spent a huge amount of time building an automated auditing toolset that dumped data into a central store and allowed for reporting. It covered all sorts of platforms. It was a really great idea. But this guy was an alpha geek. Owning and running that toolset required his level of abilities, I’m guessing.
System Center Configuration Manager (SCCM or ConfigMgr) 2007 features Desired Configuration Management (DCM). DCM allows you to use either a set of pre-built or custom-made templates to audit your Microsoft network on a recurring, automated basis. That means there’s no more logging into each box to check its configuration. Everything is automated, and by using templates you’re also building that expertise into the network. Heck, Microsoft even gives away a set of DCM packs for its products to cover regulations like SOX, FISMA, EUDPD, HIPAA and more! Now you can just tell your auditors to run a report to see the configuration health of your network. No more wasted admin or auditor time, and no more complexity, e.g. delegated admin rights on servers and applications. The DCM tool is easy enough to get your head around in order to build your own templates for auditing third-party or internal applications.
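As an added illustration of the kind of check a DCM configuration item performs (this is not one of Microsoft’s DCM packs and not code from this post), here is a small PowerShell baseline evaluated the same way: each rule states an expected registry value or service state, and the script reports compliance per rule for a central store to pick up. The rule values and the audit share path are constructed assumptions.

```powershell
# Constructed baseline: each rule is a "desired configuration" to verify on this host.
# These settings are illustrative assumptions, not a Microsoft-supplied DCM pack.
$Baseline = @(
    @{ Name = 'SMBv1 server disabled'; Type = 'Registry'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'SMB1'; Expected = 0 },
    @{ Name = 'Remote Registry service stopped'; Type = 'Service'
       Service = 'RemoteRegistry'; Expected = 'Stopped' },
    @{ Name = 'Windows Firewall service running'; Type = 'Service'
       Service = 'MpsSvc'; Expected = 'Running' }
)

function Test-ConfigurationBaseline {
    param([array]$Rules, [string]$ComputerName = $env:COMPUTERNAME)
    foreach ($rule in $Rules) {
        # Read the actual state; a missing key, value or service is reported
        # explicitly rather than silently counted as compliant.
        $actual = switch ($rule.Type) {
            'Registry' {
                $item = Get-ItemProperty -Path $rule.Path -Name $rule.Value -ErrorAction SilentlyContinue
                if ($null -eq $item) { '<missing>' } else { $item.($rule.Value) }
            }
            'Service' {
                $svc = Get-Service -Name $rule.Service -ErrorAction SilentlyContinue
                if ($null -eq $svc) { '<missing>' } else { $svc.Status.ToString() }
            }
        }
        [pscustomobject]@{
            Computer  = $ComputerName
            Rule      = $rule.Name
            Expected  = $rule.Expected
            Actual    = $actual
            Compliant = ("$actual" -eq "$($rule.Expected)")
            CheckedAt = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
}

$report = Test-ConfigurationBaseline -Rules $Baseline
$report | Format-Table -AutoSize

# Append the rows to a central store so auditors report from one place.
# The share path below is an assumption; replace it with your own.
# $report | Export-Csv -Path '\\auditserver\dcm$\compliance.csv' -Append -NoTypeInformation
```

Run it as an administrator so the registry and service queries succeed, and schedule it if you want the recurring behaviour DCM gives you out of the box.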
If you’re in a regulated market, e.g. finance, health, pharmaceuticals, etc., then you’re probably required to have these sorts of controls. If you’re using System Center, it makes sense to look into and enable these functions to make your job easier. Sure, you may require another server and some storage, but when you compare time savings versus capital costs, there’s really only one logical way forward: build that expertise into the network and leverage the available automation.