Objective 8.4 – Perform Auditing and Compliance

Knowledge

  • Identify applicable logs for auditing
    • NSX Manager – Syslog, System Event Report, Virtual Appliance Events, Audit Log
    • NSX Edge – Syslog
    • Firewall – Syslog
  • Identify permissions for auditing
    • Security Administrator – NSX security only: for example, define data security policies, create port groups, create reports for NSX modules, create and publish policies and view violation reports. Cannot start or stop a data security scan.
    • NSX Administrator – Start and stop data security scans
    • Auditor – View configured policies and violation reports.
  • Identify common data security regulations supported by NSX Data Security
    • A regulation is a data privacy law for protecting PCI (Payment Card Industry), PHI (Protected Health Information) and PII (Personally Identifiable Information) information.
  • Identify common file formats supported by NSX Data Security
    • Archive, CAD, Database, PDF, Mail, Multimedia, Presentation, Spreadsheet, Text/Markup, Word Processing.
  • Describe and differentiate information available in audit logs
    • Audit logs include audit records for situations like admin login, configuration change, etc. Audit records provide granular details of all changes.
    • NSX Manager retains up to 1,000,000 audit logs.
  • Use flow monitoring to audit firewall rules
    • Log in to the vSphere Web Client.
    • Select Networking & Security from the left navigation pane and then select Flow Monitoring.
    • Ensure that you are in the Dashboard tab.
    • Click Flow Monitoring.
      The page might take several seconds to load. The top of the page displays the percentage of allowed traffic, traffic blocked by firewall rules, and traffic blocked by SpoofGuard. The multiple line graph displays data flow for each service in your environment. When you point to a service in the legend area, the plot for that service is highlighted.
    • Traffic statistics are displayed in three tabs:
      • Top Flows displays the total incoming and outgoing traffic per service over the specified time period based on the total bytes value (not based on sessions/packets). The top five services are displayed. Blocked flows are not considered when calculating top flows.
      • Top Destinations displays incoming traffic per destination over the specified time period. The top five destinations are displayed.
      • Top Sources displays outgoing traffic per source over the specified time period. The top five sources are displayed.
    • Click the Details by Service tab.
      Details about all traffic for the selected service are displayed. Click Load More Records to display additional flows. The Allowed Flows tab displays the allowed traffic sessions and the Blocked Flows tab displays the blocked traffic.
      You can search on service names.
    • Click an item in the table to display the rules that allowed or blocked that traffic flow.
    • Click the Rule Id for a rule to display the rule details
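    The three dashboard tabs above rank traffic by total bytes. The following Python is an added example (not code from the page or from VMware) that reproduces those computations over constructed flow records, so the exclusion of blocked flows and the top-five cut-off are visible. The record layout, the verdict values and the per-session percentages are assumptions; NSX's own export format is not shown on this page.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    service: str
    nbytes: int
    verdict: str   # "allow", "fw-block" (firewall rule) or "sg-block" (SpoofGuard)

# Constructed sample records (assumed layout; not a real NSX export).
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "HTTPS", 500_000, "allow"),
    Flow("10.0.1.11", "10.0.2.20", "HTTPS", 300_000, "allow"),
    Flow("10.0.1.10", "10.0.2.21", "SSH", 20_000, "allow"),
    Flow("10.0.1.12", "10.0.2.22", "DNS", 5_000, "allow"),
    Flow("10.0.1.14", "10.0.2.24", "RDP", 50_000, "allow"),
    Flow("10.0.1.15", "10.0.2.25", "NTP", 1_000, "allow"),
    Flow("10.0.1.16", "10.0.2.26", "LDAP", 2_000, "allow"),
    Flow("10.0.1.13", "10.0.2.23", "SMB", 900_000, "fw-block"),  # largest flow, but blocked
    Flow("10.0.1.99", "10.0.2.20", "HTTPS", 10_000, "sg-block"),  # spoofed source, blocked
]

def traffic_breakdown(flows):
    """The three percentages at the top of the dashboard: allowed, blocked by
    firewall rules, blocked by SpoofGuard. Computed per session here; the page
    does not say whether the dashboard counts sessions or bytes (assumption)."""
    counts = defaultdict(int)
    for f in flows:
        counts[f.verdict] += 1
    return {k: round(100 * counts[k] / len(flows), 1)
            for k in ("allow", "fw-block", "sg-block")}

def _top(flows, key, n):
    """Sum bytes per key over allowed flows only and keep the n largest."""
    totals = defaultdict(int)
    for f in flows:
        if f.verdict != "allow":
            continue   # blocked flows are not considered for the top lists
        totals[key(f)] += f.nbytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def top_flows(flows, n=5):
    return _top(flows, lambda f: f.service, n)   # per service, by total bytes

def top_destinations(flows, n=5):
    return _top(flows, lambda f: f.dst, n)       # incoming traffic per destination

def top_sources(flows, n=5):
    return _top(flows, lambda f: f.src, n)       # outgoing traffic per source

def details_by_service(flows, service):
    """Split one service's flows the way the Allowed Flows / Blocked Flows tabs do."""
    allowed = [f for f in flows if f.service == service and f.verdict == "allow"]
    blocked = [f for f in flows if f.service == service and f.verdict != "allow"]
    return allowed, blocked

if __name__ == "__main__":
    print(traffic_breakdown(SAMPLE_FLOWS))
    print(top_flows(SAMPLE_FLOWS))
    print(details_by_service(SAMPLE_FLOWS, "HTTPS"))
```

Note that the 900,000-byte SMB flow never appears in Top Flows because it was blocked, and NTP drops off the list as the sixth service: when auditing a rule through this view you are looking only at what the rule set allowed.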
  • Audit deleted users
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers. Click an NSX Manager (listed as a vCNS server) in the Name column and then click the Monitor tab.
    • Click the Audit Logs tab
    • Enter “Delete” into the filter box and press Enter.
  • Audit infrastructure changes
    The NSX Ticket Logger allows you to track the infrastructure changes that you make. All operations are tagged with the specified ticket ID, and audit logs for these operations include the ticket ID. Log files for these operations are tagged with the same ticket ID.

    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click the Manage tab.
    • Click Edit next to NSX Ticket Logger Settings.
    • Type a ticket ID and click Turn On.
    • The NSX Ticket Logging pane is displayed at the right side of the vSphere Web Client window. Audit logs for the operations that you perform in the current UI session include the ticket ID in the Operation Tags column.
      [Figure: 8.4 Ticket Logger]
      If multiple vCenter Servers are being managed by the vSphere Web Client, the ticket ID is used for logging on all applicable NSX Managers.
      Ticket logging is session based. If ticket logging is on and you log out or if the session is lost, ticket logging will be turned off by default when you re-login to the UI. When you complete the operations for a ticket, you turn logging off by repeating steps 2 and 3 and clicking Turn Off.
  • View NSX Manager audit logs and change data
    • Log in to the vSphere Web Client.
    • Click Networking & Security and then click NSX Managers.
    • Click an NSX Manager (listed as a vCNS server) in the Name column and then click the Monitor tab.
    • Click the Audit Logs tab.
    • To view details of an audit log, click the text in the Operation column. When details are available for an audit log, the text in the Operation column for that log is clickable.
    • In the Audit Log Change Details, select Changed Rows to display only those properties whose values have changed for this audit log operation.
  • Configure NSX Data Security
    To configure NSX Data Security, you need to perform the following configurations

    • Ensure the Data Security and Endpoint services are installed
    • Create a Data Security policy
    • Create a Security Policy
    • Map the Security Policy to a Security Group
  • Create a Data Security policy
    To detect sensitive data in your environment, you must create a data security policy. You must be a Security Administrator to create policies.
    To define a policy, you must specify the following:

    • Regulations
      A regulation is a data privacy law for protecting PCI (Payment Card Industry), PHI (Protected Health Information) and PII (Personally Identifiable Information) information. You can select the regulations that your company needs to comply with. When you run a scan, Data Security identifies data that violates the regulations in your policy and is sensitive for your organization.

      • Log in to the vSphere Web Client.
      • Click Networking and Security and then click Data Security.
      • Click the Manage tab.
      • Click Edit and click All to display all available regulations.
      • Select the regulations for which you want to detect compliance.
      • Click Next.
      • Certain regulations require additional information for NSX Data Security to recognize sensitive data. If you selected a regulation that monitors Group Insurance Numbers, Patient Identification Numbers, Medical Record Numbers, Health Plan Beneficiary Numbers, US Bank Account Numbers, Custom Accounts, or Student identification numbers, specify a regular expression pattern for identifying that data.
        NOTE Check the accuracy of the regular expression before publishing it: test it against sample values it should match and values it should not. An incorrect pattern slows down the discovery process, and a pattern with nested repetition (for example (a+)+) can make the regex engine backtrack excessively on long inputs.
      • Click Finish.
      • Click Publish Changes to apply the policy.
    • File filters
      You can create filters to limit the data being scanned and exclude file types unlikely to contain sensitive data from the scan.

      • In the Manage tab of the Data Security panel, click Edit next to Files to scan.
      • You can either monitor all files on the virtual machines in your inventory, or select the restrictions you want to apply.
        • Monitor all files on the guest virtual machines
          NSX Data Security scans all files.
        • Monitor only the files that match the following conditions
          Select the following options as appropriate.

          • Size indicates that NSX Data Security should only scan files less than the specified size.
          • Last Modified Date indicates that NSX Data Security should scan only files modified between the specified dates.
          • Types: Select Only files with the following extensions to enter the file types to scan. Select All files, except those with extensions to enter the file types to exclude from the scan.
        • Click Save.
        • Click Publish Changes to apply the policy.
  • View and download compliance reports
    • Log in to the vSphere Web Client.
    • Click Networking and Security and then click Data Security.
    • Click the Reports tab.
    • Specify whether you want to view a Violation counts or Violating files report.
  • Create a regular expression
    A regular expression is a pattern that describes a certain sequence of text characters, otherwise known as strings. You use regular expressions to search for, or match, specific strings or classes of strings in a body of text.

    Using a regular expression is like performing a wildcard search, but regular expressions are far more powerful. Regular expressions can be very simple, or very complex. An example of a simple regular expression is cat.

    This finds the first instance of the letter sequence cat in any body of text that you apply it to. If you want to make sure it only finds the word cat, and not other strings like cats or hepcat, you could use this slightly more complex one: \bcat\b.

    This expression includes special characters that make sure a match occurs only if there are word breaks on both sides of the cat sequence. As another example, to perform a near equivalent to the typical wildcard search string c+t, you could use this regular expression: \bc\w+t\b.

    This means find a word boundary (\b) followed by a c, followed by one or more word characters, that is letters, digits or underscore (\w+), followed by a t, followed by a word boundary (\b). This expression finds cot, cat, croat, but not crate.
    Expressions can get very complex. The following expression matches most common email addresses. It is not a complete validator: for example, it does not match a top-level domain longer than four characters. \b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b
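    The custom-pattern step and accuracy note under Regulations, the file filters, the two report types and the regex examples above all come together in the following added Python example (not code from the page or from VMware). It checks a candidate pattern against strings it should and should not match before the pattern is published, applies the Size / Last Modified Date / Types filters, and produces violation counts and violating files from constructed guest files. The MRN- record format, the file records and the filter values are assumptions.

```python
import re
from datetime import date
from typing import List, NamedTuple, Optional, Tuple

# --- Check a candidate pattern before publishing it into a policy ---

def validate_pattern(pattern: str, should_match: List[str], should_not_match: List[str]):
    """Return (false_negatives, false_positives) for a regex tried on samples.
    Two empty lists mean the pattern behaves as intended on those samples."""
    rx = re.compile(pattern)
    false_negatives = [s for s in should_match if not rx.search(s)]
    false_positives = [s for s in should_not_match if rx.search(s)]
    return false_negatives, false_positives

# The page's e-mail expression, plus an assumed Medical Record Number format
# ("MRN-" followed by seven digits) standing in for a regulation that needs a
# custom pattern. Both are illustrative, not NSX's built-in definitions.
EMAIL_RX = r"\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b"
MRN_RX = r"\bMRN-\d{7}\b"
REGULATIONS = {"PII-Email": re.compile(EMAIL_RX), "PHI-MRN": re.compile(MRN_RX)}

# --- File filters: Size, Last Modified Date, Types ---

class GuestFile(NamedTuple):
    path: str
    size: int          # bytes
    modified: date
    content: str       # text the scanner would read from the guest

class FileFilter(NamedTuple):
    max_size: Optional[int] = None                   # scan only files smaller than this
    modified_between: Optional[Tuple[date, date]] = None
    only_extensions: frozenset = frozenset()         # "Only files with the following extensions"
    except_extensions: frozenset = frozenset()       # "All files, except those with extensions"

def _extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def select_files(files, flt: FileFilter):
    """Apply the filter the way the Files to scan dialog describes it."""
    chosen = []
    for f in files:
        ext = _extension(f.path)
        if flt.max_size is not None and f.size >= flt.max_size:
            continue
        if flt.modified_between is not None:
            start, end = flt.modified_between
            if not (start <= f.modified <= end):
                continue
        if flt.only_extensions and ext not in flt.only_extensions:
            continue
        if ext in flt.except_extensions:
            continue
        chosen.append(f)
    return chosen

# --- Scan and produce the two report types ---

def scan(files, flt: FileFilter, regulations=REGULATIONS):
    """Return (violation counts per regulation, violating files with the
    regulations each breaks): the Violation counts and Violating files reports."""
    counts = {name: 0 for name in regulations}
    violating = []
    for f in select_files(files, flt):
        hits = [name for name, rx in regulations.items() if rx.search(f.content)]
        for name in hits:
            counts[name] += 1
        if hits:
            violating.append((f.path, hits))
    return counts, violating

# Constructed guest files (not real data), one per filter branch.
SAMPLE_FILES = [
    GuestFile("/data/patients.txt", 2_048, date(2015, 3, 1), "MRN-0012345 J. Doe <jdoe@example.org>"),
    GuestFile("/data/archive.log", 50_000_000, date(2015, 3, 2), "MRN-0099999"),   # too large
    GuestFile("/tmp/cache.bin", 512, date(2015, 3, 3), "MRN-0055555"),             # excluded type
    GuestFile("/home/notes.txt", 100, date(2014, 1, 1), "MRN-0077777"),            # outside date range
    GuestFile("/home/readme.txt", 300, date(2015, 3, 4), "the cat sat; hepcat; cats"),
    GuestFile("/home/contacts.csv", 400, date(2015, 3, 5), "alice@example.com, bob@example.co.uk"),
]
SAMPLE_FILTER = FileFilter(max_size=10_000_000,
                           modified_between=(date(2015, 1, 1), date(2015, 12, 31)),
                           except_extensions=frozenset({"bin"}))

if __name__ == "__main__":
    print(validate_pattern(r"\bcat\b", ["the cat sat"], ["cats", "hepcat"]))
    print(validate_pattern(r"\bc\w+t\b", ["cot", "cat", "croat"], ["crate"]))
    print(validate_pattern(EMAIL_RX, ["user@example.museum"], []))   # reveals the TLD limit
    print(scan(SAMPLE_FILES, SAMPLE_FILTER))
```

Running validate_pattern on the page's e-mail expression with user@example.museum returns it as a false negative, which is exactly the kind of gap the accuracy note asks you to find before a policy goes live. Note also that three of the six MRN-bearing files are never scanned because of the size, type and date filters: a narrow filter keeps scans fast, but every exclusion is also a place where sensitive data can sit unreported.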

Tools

  • NSX Administration Guide
    • NSX Ticket Logger
    • vSphere Web Client