Managing Profiles
A profile contains the CipherTrust Data Security Platform Service logging criteria for CTE clients, Syslog server configuration, default logging level, LDT Quality of Service (QoS) settings, Multifactor Authentication (MFA) settings, Ransomware protection settings, and additional settings that can be used for several CTE clients.
A default profile, DefaultClientProfile
, is created automatically when either of the following happens:
-
On successful registration of the first client if no profile is specified during registration.
-
On creation of the first client group. A new client group is automatically linked to
DefaultClientProfile
.
When registering a CTE client, the installer prompts to specify a profile for the client. If not specified, DefaultClientProfile
is automatically linked to the client on successful registration. The linked profile can be modified later. It is recommended to not delete or modify DefaultClientProfile
.
Creating a Profile
To create a profile:
-
Open the Transparent Encryption application.
-
In the left pane, click Settings > Profiles.
-
Click Create Profile.
-
Specify a unique Name for the profile. This is a mandatory field.
-
Provide a Description for the profile.
-
Click Create.
The newly created profile appears in the profiles list.
After you have created a profile, you can define client logging criteria, Syslog configurations, QoS configurations, MFA configurations, and Ransomware protection settings. These configurations apply to the clients and client groups linked to this profile. Refer to the subsequent sections for details.
Setting Client Log Configuration
Client log configuration includes basic information such as the level of logs to capture, whether to enable the Syslog server, settings to upload logs to the CipherTrust Data Security Platform Service, and settings to store logs on clients.
To define client log configurations for a profile:
-
Open the Transparent Encryption application.
-
In the left pane, click Settings > Profiles.
-
Under Name, click the desired profile. The edit view of the profile is displayed. Profile settings are divided into the following categories:
-
CLIENT LOGGING CONFIGURATION
-
CLIENT SYSLOG CONFIGURATION
-
QUALITY OF SERVICE CONFIGURATION
-
RANSOMWARE PROTECTION CONFIGURATION
-
MULTIFACTOR AUTHENTICATION
-
-
Click CLIENT LOGGING CONFIGURATION to expand it. The client log configuration settings are categorized into basic and log to the file on the clients.
Basic Settings
-
Specify the basic settings:
Field Description Log Level Level of logs to generate. It defines the detail and extent of information to be logged by the linked agents. In sequence, the options are:
• DEBUG: Fine-grained informational events that are targeted towards support engineers and developers.
• INFO: Informational messages that highlight the progress of the application at coarse- grained level.
• WARN: Potentially harmful situations.
• ERROR: Error events that might still allow the application to continue running. This is the default log level.
• FATAL: Severe error events that will presumably lead the application to abort.
Log levels are cumulative. The level that you select not only generates log entries for events that occur at that level, but all the levels below. For example, theWARN
level also includes events that occur on theERROR
andFATAL
levels.Duplicates Treatment for duplicate logs. The options are:
• SUPPRESS: Messages follow the configured Threshold as to how many times duplicate messages are sent to the CipherTrust Data Security Platform Service during the given Interval.
• ALLOW: All duplicate messages are captured and displayed in the log.Threshold (1-100) (Used when the Duplicates field is set to SUPPRESS
.) Maximum number of duplicate messages the CTE Agent can send to the CipherTrust Data Security Platform Service within the time specified bySuppress Interval
(see below). The default value is5
messages.Suppress Interval (sec) 1-1000 (Used when the Duplicates field is set to SUPPRESS
.) Time in which the number of duplicate messages, specified by Threshold, can be uploaded to the CipherTrust Data Security Platform Service. When Suppress Interval exceeds, the count specified by Threshold starts again. The default interval is600
seconds (10 minutes).Enable Concise Logging Whether to enable Concise Logging for the linked clients. Select to enable, clear to disable. By default, Concise Logging is disabled.
When enabled, a reduced number of audit log messages are captured. Refer to Concise Logging for details.Syslog Enabled Whether the Syslog server is enabled. Select to enable, clear to disable. When you select Syslog Enabled, make sure that client Syslog configurations are defined. Refer to Setting Client Syslog Configuration for details.
When the Syslog server is disabled, the logs are sent to the client messages file such as/var/adm/messages
. On a Windows client, the messages are sent to the Event Viewer (Application events).Log to File Settings
-
Configure settings to gather logs in files on clients:
Field Description Log to File Whether to write logs to files on clients. This option is selected by default. This means that, by default, the logs are written to files on clients.
The logs are sent to the/var/log/vormetric/vorvmd_root.log
file of a UNIX client, or a Windows equivalent, such as\Documents and Settings\All Users or WINDOWS\Application\ Data\Vormetric\DataSecurityExpert\agent\log\vorvmd.log
.
When the Log to File option is selected, you can configure the settings listed below.File Log Level Level of logs to capture in the log file. In sequence, the options are:
• DEBUG: Fine-grained informational events that are targeted towards support engineers and developers.
• INFO: Informational messages that highlight the progress of the application at coarse- grained level.
• WARN: Potentially harmful situations.
• ERROR: Error events that might still allow the application to continue running. This is the default log level.
• FATAL: Severe error events that will presumably lead the application to abort.
Log levels are cumulative. The level that you select not only generates log entries for events that occur at that level, but all the levels below. For example, theWARN
level also includes events that occur on theERROR
andFATAL
levels.Max File Size (1-1000 MB) Maximum size of a log file. The CTE Agent starts a new, empty log file when the specified limit is exceeded. The default maximum file size is 1000
MB.Max Old Files (1-100) The maximum number of old log files to keep. The default number is 100
.Allow Purge Whether to allow purging the old log files. Select to allow purge, clear to disallow. This option works in conjunction with the Max Old Files option (see above).
For example, set Max Old Files to3
and select the Allow Purge check box. After 3 log files are generated, the first log file,log1
, is deleted and a new log file,log4
, is created.If the Allow Purge check box is clear, log files continue to accumulate in the server database and you have to remove them manually. -
Click Update.
The changes are effective immediately and apply to the clients linked with the profile.
The DPoD audit query records will now include CTE client information.
Setting Client Syslog Configuration
When you have Syslog servers up and running in your environment, you can redirect your client logs to them. A CipherTrust Data Security Platform Service administrator can configure profiles to redirect client logs to Syslog servers.
To configure Syslog settings in a profile:
-
Open the Transparent Encryption application.
-
In the left pane, click Settings > Profiles.
-
Under Name, click the desired profile.
-
Expand CLIENT SYSLOG CONFIGURATION.
-
Specify the following details:
Note
-
You can configure up to four servers, labeled as Server 1, Server 2, Server 3, and Server 4. By default, Server 1 and Server 2 are visible. To view Server 3 and Server 4, click Show Additional Servers.
-
This document describes steps to configure one server, Server 1. Extend the steps to suit your setup requirements.
Field Description Log Level Level of logs to redirect. In sequence, the options are:
• DEBUG: Fine-grained informational events that are targeted towards support engineers and developers.
• INFO: Informational messages that highlight the progress of the application at coarse- grained level.
• WARN: Potentially harmful situations.
• ERROR: Error events that might still allow the application to continue running. This is the default log level.
• FATAL: Severe error events that will presumably lead the application to abort.
Log levels are cumulative. The level that you select not only generates log entries for events that occur at that level, but all the levels below. For example, theWARN
level also includes events that occur on theERROR
andFATAL
levels.Local Whether logs are sent to the client. If selected, the logs are saved on the client at /var/log/messages
. By default, the option is clear.Server 1 Hostname or IP Hostname or IP address of the Syslog server. Port Port of the Syslog server. Message Format Format in which the log messages are transferred to the Syslog server. The options are:
• Plain Message
• CEF
• RFC5424
• LEEF
The default log format isRFC5424
. This format adheres to the Syslog Protocol RFC 5424 guidelines.Protocol Transport protocol for the Syslog connection. The options are UDP
,TCP
, andTLS
. The default protocol isTCP
.
When you selectTLS
, the following fields appear:
• CA Certificate: Click Browse to select the CA certificate.
• Certificate: Click Browse to select the certificate.
• Private Key: Click Browse to select the private key. -
-
Click Update.
The Syslog server settings are configured.
Setting Quality of Service Configuration
The QoS configuration settings apply to clients that have the LDT feature enabled on them. Administrators use these settings to maintain operational efficiencies in their systems in conjunction with LDT operations. They can specify percentage of CPU usage or a rekey rate and schedules for LDT operations. Refer to the CTE-Live Data Transformation with CipherTrust Data Security Platform Service for best practices about using LDT and QoS.
A CipherTrust Data Security Platform Service administrator can configure LDT QoS on the CipherTrust Data Security Platform Service.
To configure LDT QoS settings in a profile:
-
Open the Transparent Encryption application.
-
In the left pane, click Settings > Profiles.
-
Under Name, click the desired profile.
-
Expand QUALITY OF SERVICE CONFIGURATION.
-
Specify the rekey option. The options are:
-
Rekey by Rate: Select to rekey by rate (in MB/s). This is the default setting. Specify the LDT QoS Rekey Rate. The default value is 0.
-
Rekey by CPU: Select to rekey by CPU usage. By default, LDT operations use all of the available CPU memory.
Optionally, you can reserve percentage of the clients' CPU for LDT rekey operations. To do so:
-
Select Cap CPU Allocation. The CPU Percentage field becomes editable.
-
Enter the CPU Percentage. The value must be greater than 0.
-
-
LDT Status Check Rate: Select the frequency to check and update the LDT status on the CipherTrust Data Security Platform Service. The valid value ranges from 10 to 1440 minutes. The default value is 60 minutes.
-
-
Specify a QoS schedule to run LDT. Under QoS Schedules, select an LDT QoS Schedule. The options are:
Name Time Ranges Description ANYTIME Sunday 12:00 AM - Saturday 11:59 PM LDT runs any day at any time of the week WEEKNIGHTS Monday 12:00 AM - Monday 07:00 AM
Monday 09:00 PM - Tuesday 07:00 AM
Tuesday 09:00 PM - Wednesday 07:00 AM
Wednesday 09:00 PM - Thursday 07:00 AM
Thursday 09:00 PM - Friday 07:00 AM
Friday 09:00 PM - Friday 11:59 PMLDT runs between midnight to 7:00 AM from Monday to Friday WEEKENDS Sunday 12:00 AM - Monday 07:00 AM
Friday 09:00 PM - Saturday 11:59 PMLDT runs between 9:00 PM Friday to 7:00 AM on Monday CUSTOM < Custom Range > LDT runs at a custom schedule (described below) Creating a Custom LDT Schedule
To create a custom LDT schedule:
-
Select CUSTOM from the LDT QoS Schedule drop-down list. Now, the Create New QoS Schedule button is available.
-
Click Create New QoS Schedule. The Create QoS Schedule dialog box is displayed.
-
Select the Starting Day. The LDT process will start on this day of the week. The default starting day is Monday.
-
Specify the Starting Time in the
HH:MM AM/PM
format. Use the arrows to select time in hours (1 to 11) and minutes (00 to 59). Select AM or PM from the drop-down list. The default starting time is1:00 AM
. -
Select the Ending Day. The LDT process will end on this day of the week. The default ending day is
Monday
. -
Specify the Ending Time in the
HH:MM AM/PM
format. The default ending time is2:00 AM
.
-
-
Click Create. The custom LDT QoS schedule is displayed on the screen. The specified Time Ranges are also displayed.
-
-
Click Update. The configuration is saved successfully.
Note
-
To create a new custom schedule, click Create New QoS Schedule.
-
To delete a custom schedule, click Delete corresponding to the schedule you want to delete.
Setting Ransomware Protection Configuration
Common Ransomware Protection settings for clients and client groups is configured in profiles. In the profile, specify the process set to be excluded from monitoring and the action to be taken on all other processes that attempt to access the sensitive data. You can also disable the Ransomware Protection for all GuardPoints on the linked clients from a profile.
To configure Ransomware Protection settings in a profile:
-
Open the Transparent Encryption application.
-
In the left pane, click Settings > Profiles.
-
Under Name, click the desired profile.
-
Expand RANSOMWARE PROTECTION CONFIGURATION.
-
Specify the Ransomware Protection configuration.
-
Next to Trusted Process Set, click Select. The Select Process Set dialog box shows the list of available process sets.
-
Select the process set to be excluded from monitoring.
-
Click Select. The CTE Agent will ignore the processes in the selected process set. All other process sets will be monitored for suspicious behavior.
-
-
Select the Operation to be performed on the monitored processes. The available operations are:
-
Block: Logs an audit message that a suspicious activity has been detected, and blocks its access to the sensitive data. This is the default setting.
-
Monitor: Logs an audit message that a suspicious activity has been detected, and allows the activity on the sensitive data.
-
Disable: Disables Ransomware Protection for all GuardPoints on the clients linked with this profile.
Note
-
When you change the operation to Disable in a profile, Ransomware Protection for all GuardPoints on the linked clients is disabled.
-
When you change the profile of a client to another profile with the operation set to Disable, Ransomware Protection for all GuardPoints on the client is disabled.
-
-
-
Click Update.
-
Setting MFA Configuration
Common MFA configuration for clients and client groups is configured in profiles. When the security configuration for a client is built, the MFA configuration is fetched from the associated profile.
To set up MFA configuration, specify an OIDC connection and the set of exempted users. MFA will not be enforced for users in the exempted user set. By default, MFA is enforced for all users of the associated clients.
To configure MFA settings in a profile:
-
Open the Transparent Encryption application.
-
In the left pane, click Settings > Profiles.
-
Under Name, click the desired profile.
-
Expand MULTIFACTOR AUTHENTICATION.
-
Specify the MFA configuration.
-
Select OIDC Connection from the drop-down list. This is the OIDC connection over which MFA configurations will be enforced. OIDC connections are created on the CipherTrust Data Security Platform Service. Refer to Connection Manager for details.
-
Select MFA Exempted User Set from the drop-down list. This user set will be exempted from MFA. MFA will not be enforced on the users of this set.
Note
-
A CipherTrust Data Security Platform Service administrator with sufficient privileges can delete an OIDC connection being used by a profile. When an in-use OIDC connection is deleted, the security configuration for the associated clients cannot be built and pushed to the clients. The errors are logged in audit records. The CTE Agent continues working with the current configuration until the connection is restored.
-
You can delete the existing OIDC connection and MFA Exempted User set by clicking Delete (X).
-
-
-
Click Update.
Concise Logging
CTE's standard operational logging sends audit messages for every file system operation. An audit message is sent every time a file is opened, read, updated, or written. Standard logging can generate high volumes of log data. Security administrators might not need most of these logs to monitor file system activities on the protected clients.
A CipherTrust Data Security Platform Service administrator can enable or disable Concise Logging for a profile. After Concise Logging is enabled or disabled, CTE Agent generates a log message to record that event:
"[CGA] [INFO] [CGA3201I] [08/07/2020 10:57:18] Concise logging enabled"
"[CGA] [INFO] [CGA3202I] [08/07/2020 10:57:27] Concise logging disabled"
Advantages
Concise Logging:
-
Helps security administrators to focus on relevant audit messages and important actionable messages such as errors and warnings.
-
Can eliminate repetitive and unimportant audit messages generated by read and write activities on a file, read and write directory attributes, and other file system activities.
-
Eliminates audit messages:
-
For each block read by a user or an application. Only one audit message is sent for every read/write activity.
-
That read the attributes, basic information of file set attributes, and other event-based messages.
-
For directory open, read directory attributes, and directory close.
-
Considerations
Concise Logging:
-
Changes the set of messages that are sent to Security Information and Event Management (SIEM) software systems. If this results in loss of data required for customer reports, then disable Concise Logging.
-
Applies to all GuardPoints and for all users of the clients linked with a profile. There is no fine-grained control such as per GuardPoint, user, or message type.
-
Applies to the existing clients and the new clients to be linked with the profile subsequently.
-
Is supported by CTE
secfs
only. -
Should not be used with Learn Mode.
Modifying Profiles
To modify a profile:
-
Open the Transparent Encryption application.
-
In the left pane, click Settings > Profiles.
-
Under Name, click the desired profile.
Alternatively, click the overflow icon () corresponding to the desired profile and click Edit.
-
Expand CLIENT LOGGING CONFIGURATION.
-
Modify the settings, as appropriate. Refer to Setting Client Log Configuration for details.
-
Click Update.
-
-
Expand CLIENT SYSLOG CONFIGURATION.
-
Modify the settings, as appropriate. Refer to Setting Client Syslog Configuration for details.
-
Click Update.
-
-
Expand QUALITY OF SERVICE CONFIGURATION.
-
Modify the settings, as appropriate. Refer to Setting Quality of Service Configuration for details.
-
Click Update.
-
-
Expand RANSOMWARE PROTECTION CONFIGURATION.
-
Modify the settings, as appropriate. Refer to Setting Ransomware Protection Configuration for details.
-
Click Update.
-
-
Expand MULTIFACTOR AUTHENTICATION.
-
Modify the settings, as appropriate. Refer to Setting MFA Configuration for details.
-
Click Update.
-
The profile settings are updated.
You can also modify or delete a CUSTOM QoS.
Modifying a CUSTOM LDT QoS Schedule
To modify a CUSTOM schedule:
-
Click the overflow icon () corresponding to the desired custom QoS schedule.
-
Click Edit. The Create QoS Schedule dialog box is displayed.
-
Modify the schedule, as appropriate. Refer to Creating a Custom LDT Schedule for details.
-
Click Update.
The CUSTOM LDT QoS schedule is modified.
Deleting a CUSTOM LDT QoS Schedule
To delete a CUSTOM schedule:
-
Click the overflow icon () corresponding to the desired custom QoS schedule.
-
Click Delete.
-
Click Yes to confirm the deletion.
The CUSTOM LDT QoS schedule is deleted.
Deleting Profiles
Single or multiple profiles can be deleted from the CipherTrust Data Security Platform Service GUI in one go. Before deleting a profile make sure that no clients or client groups are linked to it.
Deleting Individual Profiles
To delete a profile:
-
Open the Transparent Encryption application.
-
In the left pane, click Settings > Profiles.
-
Click the overflow icon () corresponding to the desired profile.
Alternatively, select the desired profile and click the delete icon ().
-
Click Delete.
The selected profile is removed from the profiles list.
Deleting Multiple Profiles
To delete multiple profiles:
-
Open the Transparent Encryption application.
-
In the left pane, click Settings > Profiles.
-
Select the check boxes corresponding the desired profiles.
To select all profiles visible on the page for deletion, select the top check box to the left of the Name heading.
-
Click the delete icon (). A dialog box appears prompting to confirm the action.
-
Click Delete.