Managing Profiles

A profile contains the CipherTrust Manager logging criteria for CTE clients, Syslog server configuration, default logging level, LDT Quality of Service (QoS) settings, and other settings that can be used for several CTE clients.

A default profile, DefaultClientProfile, is created automatically when either of the following happens:

• On successful registration of the first client if no profile is specified during registration.

• On creation of the first client group. A new client group is automatically linked to DefaultClientProfile.

When registering a CTE client, the installer prompts to specify a profile for the client. If not specified, DefaultClientProfile is automatically linked to the client on successful registration. The linked profile can be modified later. It is recommended to not delete or modify DefaultClientProfile.

Creating a Profile

To create a profile:

1. Open the Transparent Encryption application.

2. In the left pane, click Settings > Profiles.

3. Click Create Profile.

4. Specify a unique Name for the profile. This is a mandatory field.

5. Provide a Description for the profile.

6. Click Create.

The newly created profile appears in the profiles list.

After you have created a profile, you can define client logging criteria, Syslog configurations, and QoS configurations. These configurations apply to the clients linked to this profile. Refer to the subsequent sections for details.

Setting Client Log Configuration

Client log configuration includes basic information such as the level of logs to capture, whether to enable the Syslog server, settings to upload logs to the CipherTrust Manager, and settings to store logs on clients.

To define client log configurations for a profile:

1. Open the Transparent Encryption application.

2. In the left pane, click Settings > Profiles.

3. Under Name, click the desired profile. The edit view of the profile is displayed. Profile settings are divided into three categories, as shown below:

   

4. Click CLIENT LOGGING CONFIGURATION to expand it. The client log configuration settings are categorized into basic, log upload to key manager, and log to the file on the clients.

   

   Basic Settings

5. Specify the basic settings:

   Field	Description
   Log Level	Level of logs to generate. It defines the detail and extent of information to be logged by the linked agents. In sequence, the options are: • DEBUG: Fine-grained informational events that are targeted towards support engineers and developers. • INFO: Informational messages that highlight the progress of the application at coarse- grained level. • WARN: Potentially harmful situations. • ERROR: Error events that might still allow the application to continue running. This is the default log level. • FATAL: Severe error events that will presumably lead the application to abort. Log levels are cumulative. The level that you select not only generates log entries for events that occur at that level, but all the levels below. For example, the WARN level also includes events that occur on the ERROR and FATAL levels.
   Duplicates	Treatment for duplicate logs. The options are: • SUPPRESS: Messages follow the configured Threshold as to how many times duplicate messages are sent to the CipherTrust Manager during the given Interval. • ALLOW: All duplicate messages are captured and displayed in the log.
   Threshold (1-100)	(Used when the Duplicates field is set to SUPPRESS.) Maximum number of duplicate messages the CTE Agent can send to the CipherTrust Manager within the time specified by Suppress Interval (see below). The default value is 5 messages.
   Suppress Interval (sec) 1-1000	(Used when the Duplicates field is set to SUPPRESS.) Time in which the number of duplicate messages, specified by Threshold, can be uploaded to the CipherTrust Manager. When Suppress Interval exceeds, the count specified by Threshold starts again. The default interval is 600 seconds (10 minutes).
   Enable Concise Logging	Whether to enable Concise Logging for the linked clients. Select to enable, clear to disable. By default, Concise Logging is disabled. When enabled, a reduced number of audit log messages are captured. Refer to Concise Logging for details.
   Syslog Enabled	Whether the Syslog server is enabled. Select to enable, clear to disable. When you select Syslog Enabled, make sure that client Syslog configurations are defined. Refer to Setting Client Syslog Configuration for details. When the Syslog server is disabled, the logs are sent to the client messages file such as /var/adm/messages. On a Windows client, the messages are sent to the Event Viewer (Application events).

   Log Upload Settings

6. Configure settings to upload logs to the CipherTrust Manager:

   Field	Description
   Log Upload to Key Manager	Whether to enable log upload to the CipherTrust Manager. Select to enable, clear to disable. When this option is selected, you can configure the settings listed below. The logs are displayed under the Client Records page of the CipherTrust Manager GUI.
   Upload Log Level	Level of logs to upload. In sequence, the options are: • DEBUG: Fine-grained informational events that are targeted towards support engineers and developers. • INFO: Informational messages that highlight the progress of the application at coarse- grained level. • WARN: Potentially harmful situations. • ERROR: Error events that might still allow the application to continue running. This is the default log level. • FATAL: Severe error events that will presumably lead the application to abort. Log levels are cumulative. The level that you select not only generates log entries for events that occur at that level, but all the levels below. For example, the WARN level also includes events that occur on the ERROR and FATAL levels.
   Connection Timeout (sec) 1-60	Interval after which the connection attempt to the key manager expires. The default value is 59 seconds.
   Drop if Busy	Whether to slow log generation and drop log files during periods of extreme logging (that is, when the server is busy). Select to drop, clear to keep trying. This setting is clear by default.
   Upload Timeout (sec) 1-900	Interval after which the log upload attempt expires. The default period is 600 seconds (10 minutes).
   Max Interval (sec) 1-1000	Maximum interval to wait before the CTE Agent can upload messages to the CipherTrust Manager. Use this option to update the log viewer even when the Message Upload Range has not been reached. Lower the interval if there is little CTE Agent activity. The default maximum interval is 20 seconds.
   Min Interval (sec) 1-30	Minimum interval to wait before the CTE Agent can upload messages to the CipherTrust Manager. Increase the interval if there is considerable CTE Agent activity, so the agents do not flood the network with log messages. The minimum interval is 10 seconds.
   Message Upload Range (100-1000)	Maximum number of logs to upload at one time. When the specified number of logs is reached, they are uploaded to the CipherTrust Manager. The default number is 1000.
   Cache Settings	Settings to cache logs. The options are: • Max Files: Maximum number of log files to cache. The default number is 200. • Max Space (MB): Maximum log size to cache. The default value is 100 MB.

   Log to File Settings

7. Configure settings to gather logs in files on clients:

   Field	Description
   Log to File	Whether to write logs to files on clients. This option is selected by default. This means that, by default, the logs are written to files on clients. The logs are sent to the /var/log/vormetric/vorvmd_root.log file of a UNIX client, or a Windows equivalent, such as \Documents and Settings\All Users or WINDOWS\Application\ Data\Vormetric\DataSecurityExpert\agent\log\vorvmd.log. When the Log to File option is selected, you can configure the settings listed below.
   File Log Level	Level of logs to capture in the log file. In sequence, the options are: • DEBUG: Fine-grained informational events that are targeted towards support engineers and developers. • INFO: Informational messages that highlight the progress of the application at coarse- grained level. • WARN: Potentially harmful situations. • ERROR: Error events that might still allow the application to continue running. This is the default log level. • FATAL: Severe error events that will presumably lead the application to abort. Log levels are cumulative. The level that you select not only generates log entries for events that occur at that level, but all the levels below. For example, the WARN level also includes events that occur on the ERROR and FATAL levels.
   Max File Size (1-1000 MB)	Maximum size of a log file. The CTE Agent starts a new, empty log file when the specified limit is exceeded. The default maximum file size is 1000 MB.
   Max Old Files (1-100)	The maximum number of old log files to keep. The default number is 100.
   Allow Purge	Whether to allow purging the old log files. Select to allow purge, clear to disallow. This option works in conjunction with the Max Old Files option (see above). For example, set Max Old Files to 3 and select the Allow Purge check box. After 3 log files are generated, the first log file, log1, is deleted and a new log file, log4, is created.If the Allow Purge check box is clear, log files continue to accumulate in the server database and you have to remove them manually.

8. Click Apply.

The changes are effective immediately and apply to the clients linked with the profile.

The CTE client logs can be seen on the Records > Client Records page of the CipherTrust Manager GUI. Filter the records by Client Type and look for the CTE records, as shown below.

Refer to Records for details.

Setting Client Syslog Configuration

When you have Syslog servers up and running in your environment, you can redirect your client logs to them. A CipherTrust Manager administrator can configure profiles to redirect client logs to Syslog servers.

To configure Syslog settings in a profile:

1. Open the Transparent Encryption application.

2. In the left pane, click Settings > Profiles.

3. Under Name, click the desired profile.

4. Expand CLIENT SYSLOG CONFIGURATION.

   

5. Specify the following details:

   Note

   • You can configure up to four servers, labeled as Server 1, Server 2, Server 3, and Server 4. By default, Server 1 and Server 2 are visible. To view Server 3 and Server 4, click Show Additional Servers.
   • This document describes steps to configure one server, Server 1. Extend the steps to suit your setup requirements.

   Field	Description
   Log Level	Level of logs to redirect. In sequence, the options are: • DEBUG: Fine-grained informational events that are targeted towards support engineers and developers. • INFO: Informational messages that highlight the progress of the application at coarse- grained level. • WARN: Potentially harmful situations. • ERROR: Error events that might still allow the application to continue running. This is the default log level. • FATAL: Severe error events that will presumably lead the application to abort. Log levels are cumulative. The level that you select not only generates log entries for events that occur at that level, but all the levels below. For example, the WARN level also includes events that occur on the ERROR and FATAL levels.
   Local	Whether logs are sent to the client. If selected, the logs are saved on the client at /var/log/messages. By default, the option is clear.
   Server 1
   Hostname or IP	Hostname or IP address of the Syslog server.
   Port	Port of the Syslog server.
   Message Format	Format in which the log messages are transferred to the Syslog server. The options are: • Plain Message • CEF • RFC5424 • LEEF The default log format is RFC5424. This format adheres to the Syslog Protocol RFC 5424 guidelines.
   Protocol	Transport protocol for the Syslog connection. The options are UDP, TCP, and TLS. The default protocol is TCP. When you select TLS, the following fields appear: • CA Certificate: Click Browse to select the CA certificate. • Certificate: Click Browse to select the certificate. • Private Key: Click Browse to select the private key.

6. Click Apply.

The Syslog server settings are configured.

Setting Quality of Service Configuration

The QoS configuration settings apply to clients that have the LDT feature enabled on them. Administrators use these settings to maintain operational efficiencies in their systems in conjunction with LDT operations. They can specify percentage of CPU usage or a rekey rate and schedules for LDT operations. Refer to the CTE-Live Data Transformation with CipherTrust Manager for best practices about using LDT and QoS.

A CipherTrust Manager administrator can configure LDT QoS on the CipherTrust Manager.

To configure LDT QoS settings in a profile:

1. Open the Transparent Encryption application.

2. In the left pane, click Settings > Profiles.

3. Under Name, click the desired profile.

4. Expand QUALITY OF SERVICE CONFIGURATION.

   

5. Specify the rekey option. The options are:

   • Rekey by Rate: Select to rekey by rate (in MB/s). This is the default setting. Specify the LDT QoS Rekey Rate. The default value is 0.

   • Rekey by CPU: Select to rekey by CPU usage. By default, LDT operations use all of the available CPU memory.

     Optionally, you can reserve percentage of the clients' CPU for LDT rekey operations. To do so:

     1. Select Cap CPU Allocation. The CPU Percentage field becomes editable.

     2. Enter the CPU Percentage. The value must be greater than 0.

6. Specify a QoS schedule to run LDT. Under QoS Schedules, select an LDT QoS Schedule. The options are:

   Name	Time Ranges	Description
   ANYTIME	Sunday 12:00 AM - Saturday 11:59 PM	LDT runs any day at any time of the week
   WEEKNIGHTS	Monday 12:00 AM - Monday 07:00 AM Monday 09:00 PM - Tuesday 07:00 AM Tuesday 09:00 PM - Wednesday 07:00 AM Wednesday 09:00 PM - Thursday 07:00 AM Thursday 09:00 PM - Friday 07:00 AM Friday 09:00 PM - Friday 11:59 PM	LDT runs between midnight to 7:00 AM from Monday to Friday
   WEEKENDS	Sunday 12:00 AM - Monday 07:00 AM Friday 09:00 PM - Saturday 11:59 PM	LDT runs between 9:00 PM Friday to 7:00 AM on Monday
   CUSTOM	< Custom Range >	LDT runs at a custom schedule (described below)

   Creating a Custom LDT Schedule

   To create a custom LDT schedule:

   1. Select CUSTOM from the LDT QoS Schedule drop-down list. Now, the Create New QoS Schedule button is available.

      

   2. Click Create New QoS Schedule. The Create QoS Schedule dialog box is displayed.

      

      1. Select the Starting Day. The LDT process will start on this day of the week. The default starting day is Monday.

      2. Specify the Starting Time in the HH:MM AM/PM format. Use the arrows to select time in hours (1 to 11) and minutes (00 to 59). Select AM or PM from the drop-down list. The default starting time is 1:00 AM.

      3. Select the Ending Day. The LDT process will end on this day of the week. The default ending day is Monday.

      4. Specify the Ending Time in the HH:MM AM/PM format. The default ending time is 2:00 AM.

   3. Click Create. The custom LDT QoS schedule is displayed on the screen. The specified Time Ranges are also displayed.

      

7. Click Apply. The configuration is saved successfully.

Concise Logging

CTE's standard operational logging sends audit messages for every file system operation. An audit message is sent every time a file is opened, read, updated, or written. Standard logging can generate high volumes of log data. Security administrators might not need most of these logs to monitor file system activities on the protected clients.

A CipherTrust Manager administrator can enable or disable Concise Logging for a profile. After Concise Logging is enabled or disabled, CTE Agent generates a log message to record that event:

"[CGA] [INFO] [CGA3201I] [08/07/2020 10:57:18] Concise logging enabled"
"[CGA] [INFO] [CGA3202I] [08/07/2020 10:57:27] Concise logging disabled"

Advantages

Concise Logging:

• Helps security administrators to focus on relevant audit messages and important actionable messages such as errors and warnings.

• Can eliminate repetitive and unimportant audit messages generated by read and write activities on a file, read and write directory attributes, and other file system activities.

• Eliminates audit messages:

  • For each block read by a user or an application. Only one audit message is sent for every read/write activity.

  • That read the attributes, basic information of file set attributes, and other event-based messages.

  • For directory open, read directory attributes, and directory close.

Considerations

Concise Logging:

• Changes the set of messages that are sent to Security Information and Event Management (SIEM) software systems. If this results in loss of data required for customer reports, then disable Concise Logging.

• Applies to all GuardPoints and for all users of the clients linked with a profile. There is no fine-grained control such as per GuardPoint, user, or message type.

• Applies to the existing clients and the new clients to be linked with the profile subsequently.

• Is supported by CTE secfs only.

• Should not be used with Learn Mode.

Modifying Profiles

To modify a profile:

1. Open the Transparent Encryption application.

2. In the left pane, click Settings > Profiles.

3. Under Name, click the desired profile.

   Alternatively, click the overflow icon () corresponding to the desired profile and click Edit.

4. Expand CLIENT LOGGING CONFIGURATION.

   1. Modify the settings, as appropriate. Refer to Setting Client Log Configuration for details.

   2. Click Apply.

5. Expand CLIENT SYSLOG CONFIGURATION.

   1. Modify the settings, as appropriate. Refer to Setting Client Syslog Configuration for details.

   2. Click Apply.

6. Expand QUALITY OF SERVICE CONFIGURATION.

   1. Modify the settings, as appropriate. Refer to Setting Quality of Service Configuration for details.

   2. Click Apply.

The profile settings are updated.

You can also modify or delete a CUSTOM QoS.

Modifying a CUSTOM LDT QoS Schedule

To modify a CUSTOM schedule:

1. Click the overflow icon () corresponding to the desired custom QoS schedule.

2. Click Edit. The Create QoS Schedule dialog box is displayed.

3. Modify the schedule, as appropriate. Refer to Creating a Custom LDT Schedule for details.

4. Click Apply.

The CUSTOM LDT QoS schedule is modified.

Deleting a CUSTOM LDT QoS Schedule

To delete a CUSTOM schedule:

1. Click the overflow icon () corresponding to the desired custom QoS schedule.

2. Click Delete.

3. Click Yes to confirm the deletion.

The CUSTOM LDT QoS schedule is deleted.

Deleting Profiles

Single or multiple profiles can be deleted from the CipherTrust Manager GUI in one go. Before deleting a profile make sure that no clients or client groups are linked to it.

Deleting Individual Profiles

To delete a profile:

1. Open the Transparent Encryption application.

2. In the left pane, click Settings > Profiles.

3. Click the overflow icon () corresponding to the desired profile.

   Alternatively, select the desired profile and click the delete icon ().

4.Click Delete.

The selected profile is removed from the profiles list.

Deleting Multiple Profiles

To delete multiple profiles:

1. Open the Transparent Encryption application.

2. In the left pane, click Settings > Profiles.

3. Select the check boxes corresponding the desired profiles.

   To select all profiles visible on the page for deletion, select the top check box to the left of the Name heading.

4. Click the delete icon (). A dialog box appears prompting to confirm the action.

5. Click Delete.