Welcome to the extraxi blog...

If you found this page accidentally and don't know what extraxi is about... we specialise in reporting solutions for the Cisco Secure ACS and Funk SBR access control servers (aka AAA servers).

The servers are predominantly used to secure network services such as dial-up, wireless LAN, VPN, firewall and network device management.

Typically these servers just chuck out MBs of raw CSV log data about network activity. What we do is help collect this data, then import it and turn it into usable information.

Thursday, 23 September 2010

aaa-reports! enterprise v1.2 released

The next release of aaa-reports! enterprise has just been made - mainly concentrating on new reports and datasets including:
  • Single TACACS+ command authorisations. Shows both permitted and denied commands by combining log entries from Failed Attempts and T+ Device Administration logs
  • RADIUS and TACACS session reports. These provide a single row per session with all relevant data.
  • RADIUS identity networking reports. The dataset used by the RADIUS session report is key for auditing identity networking environments, allowing a username to be tied to a client-side MAC address/IP address or telephone number, assigned IP address etc.
  • Stability and bug fixes
  • Updated installers
aaa-reports! v1.2 is a free upgrade for customers with a current support contract.

Thursday, 13 May 2010

Windows Server 2008 UAC Issues

When aaa-reports! is installed on a Windows Server 2008 system, you may get a message displayed when attempting to launch aaa-reports:

"An unidentified program is attempting to access your computer"
This is caused by User Account Control (UAC) kicking in: even though you may be logged in as an administrator, by default the applications you run will not be elevated. You can either elevate on a use-by-use basis, or right-click the aaa-reports! shortcut, open Properties and set it to always "run as administrator".
However, because RunAAARe.exe is merely a bootstrap, you will need to locate the RunAccess.exe application as well and elevate that too.
Alternatively, you can find instructions at Microsoft TechNet to either disable UAC completely, or just disable UAC prompting for members of the local Administrators group.

Friday, 23 April 2010

Using aaa-reports! enterprise database snapshots

One of the great features added to enterprise v1.1 was the ability to create snapshots of the back-end databases. With automation it's possible to create a copy of the aaa-reports! database, say quarterly or bi-annually, for future use.
At some later point in time, perhaps even two years later during an audit, it's easy to locate the snapshot and re-connect aaa-reports! to it, giving you all the data that was present on the day the snapshot was created.
To script the creation of a snapshot, simply add this command to a .bat or .cmd file executed by the Windows task manager:
RunAAARE /CreateSnapshot(MY_SNAPSHOT)
To connect to a specific snapshot, start aaa-reports! and enable the "multi-db" feature under Options. Restart and you will be presented with the database manager, which allows you to choose which back-end database you want to connect to, for example a snapshot or the DEFAULT live database.
Enjoy.

Thursday, 22 April 2010

How to survive an ACS audit with aaa-reports!

For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.

It's no surprise, therefore, that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack of awareness of best practice for running ACS in a secure way. We'd like to help in our small way, and below is a list of tips we've picked up over the years of providing reporting services for ACS.
  1. Buy aaa-reports! Without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled.... you'll have a hard time getting the evidence that an auditor might ask for.
  2. Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
  3. Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
  4. Create a Change Control system for config changes on the ACS. Since it's ACS that decides who gets access and what commands they run on your network, it's vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
  5. Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you don't need this amount, but during an audit you may be required to show what happened on a specific historic date. The aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively, use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
  6. Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time: using a more recent ACS database might yield unexpected results because the configuration is likely to have changed in the meantime. Use csvsync to regularly grab the ACS database and keep the copies alongside the retained CSV logs for future reference.
  7. Review the quality of ACS log data. From time to time it's worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to fill with many MBs of "junk data", essentially one failed attempt for each line of the script. If left to continue for months, the real data starts to become more difficult to find.
In terms of the specific questions that an audit will concentrate on, typically it will revolve around demonstrating not only that there is a specific and adequate policy to control access to those parts of the network that require it, but also seeking evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices and, once connected, what can they do?" and finally report on what actually happened.
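As an added illustration of tip 7 (this is example code, not extraxi's own), the script below scans an ACS Failed Attempts CSV export for bursts of failures from one user on one device, the pattern a rogue script leaves behind when every line it sends fails authorisation. The column names and the sample rows are constructed here to match the ACS 4.x CSV layout and are assumptions, as is the five-failures-per-minute threshold.

```python
"""Flag script-driven "junk" in an ACS Failed Attempts CSV export (added example,
not extraxi code). Column names are assumed to follow the ACS 4.x CSV header:
Date, Time, Message-Type, User-Name, Group-Name, NAS-IP-Address, Author-Data.
A burst of failures from one user on one device marks an automated script."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one genuine typo by jsmith, then a six-line scripted burst.
SAMPLE_CSV = """\
Date,Time,Message-Type,User-Name,Group-Name,NAS-IP-Address,Author-Data
04/21/2010,09:12:03,Authen failed,jsmith,NetAdmins,10.1.1.1,
04/21/2010,09:40:10,Author failed,backupbot,Default Group,10.1.1.7,show running-config
04/21/2010,09:40:10,Author failed,backupbot,Default Group,10.1.1.7,show ip interface brief
04/21/2010,09:40:11,Author failed,backupbot,Default Group,10.1.1.7,show version
04/21/2010,09:40:11,Author failed,backupbot,Default Group,10.1.1.7,show inventory
04/21/2010,09:40:12,Author failed,backupbot,Default Group,10.1.1.7,show cdp neighbors
04/21/2010,09:40:12,Author failed,backupbot,Default Group,10.1.1.7,show logging
"""

def parse_failed_attempts(text):
    """Yield (timestamp, user, nas_ip, author_data) tuples from CSV text."""
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        yield ts, row["User-Name"], row["NAS-IP-Address"], row["Author-Data"]

def find_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, nas_ip): total failures} for every pair that logs at
    least `threshold` failures inside some sliding window of length `window`."""
    events = defaultdict(list)
    for ts, user, nas_ip, _ in parse_failed_attempts(text):
        events[(user, nas_ip)].append(ts)
    bursts = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = len(stamps)  # report the pair once, with its total
                break
    return bursts

if __name__ == "__main__":
    for (user, nas_ip), n in find_bursts(SAMPLE_CSV).items():
        print(f"{user}@{nas_ip}: {n} failed authorisations in a scripted burst")
```

Point `parse_failed_attempts` at a real Failed Attempts export and the flagged (user, device) pairs tell you which script to fix before it buries the genuine failures.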

Below are some additional TDA specific tips:
  1. Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detail report can be used to inspect the policy in detail.
  2. Check for user-level overrides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report lists users with group-overridden configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
  3. Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation; this potentially lets anyone who can authenticate access the device. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD, then try to answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
  4. Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified, and the auditor should understand the intent of the policy from its name. aaa-reports! can document both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
  5. Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
  6. Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) it's also possible to use a rich array of formatting and other VB6 functions to create additional fields.
Undergoing an audit is never easy, but at least with the right tools it doesn't have to be awful!

Tuesday, 8 September 2009

Csvsync v3.0.3 Released

For csvsync users who are:
  1. Running on Server 2008, and
  2. Using SSL/HTTPS with their ACS server
v3.0.3 will fix an issue introduced by a feature (read: bug) in the latest winhttp.dll (v6). During the CSV file download ACS will reject further requests from csvsync, and csvsync will report the error:
File Sync Error (2)

On the ACS side, CSAdmin will log the following error in its Admin.log:
ADMN 08/28/2009 13:32:27 E 1261 1896 0x0 Possible attack on session 33542 from 192.168.254.30


Wednesday, 17 June 2009

RBAC Style Device Management using Cisco Secure ACS and TACACS+

A few years back, when we all worked on ACS at Cisco, a good friend wrote a really clear guide to using ACS (with TACACS+) to implement an RBAC-style system for managing administrative authentication and authorization of IOS devices.

The Cisco web site isn't always very easy to find stuff on and I'm sure one day it'll get deleted, so here is a link to a local copy:

Missing user names in the ACS package.cab

aaa-reports! can import the ACS cab file to get an up-to-date list of usernames, group assignments and even much of the policy. However, it's possible that dynamic users (e.g. externally authenticated via Windows, RSA, LDAP etc.) may not be included in the cab file.

This is because ACS now has an extra setting to disable dynamic users. If enabled, the external users will not be included in the package.cab file. The setting is in the Configure Caching Unknown Users section on the External Authenticators ACS Admin page.
Also worth a mention: on the User Setup page there is the Remove Dynamic Users button, which will do exactly that!
TIP: If you wish to purge stale records, export the cab into aaa-reports! and run the inactivity reports to see which user records can go. Only then should you remove the dynamic users.
SHAMELESS PLUG: csvsync v3.0 can initiate the creation of the package.cab and download it ready for automated import into aaa-reports! enterprise v1.1

Tuesday, 26 May 2009

aaa-reports! v2.3

In final testing now... this release addresses some issues with Windows Server 2008 and Cisco Secure ACS v4.2

As usual free of charge to customers with support & maintenance contracts.

Wednesday, 25 February 2009

Why we do CSV

We still get the occasional comment about why aaa-reports! uses CSVs to import data from ACS, as opposed to syslog and ODBC (both of which will be supported in future), and this week a good reminder surfaced.

While looking at some release notes for ACS v4.2 we stumbled across CSCsg62239. This bug blandly says "Binary text appears [randomly] in syslog output". Nice one.
In our experience CSV logging tends (with a few minor issues) to just work. ODBC logging slows the ACS to a crawl, and syslog packets could go into a black hole and you'd never know.
If you have a legal or audit requirement to retain logs for any period of time, you need to use CSV-based logs and collect/archive them regularly. This is where our csvsync client can help :)

Thursday, 5 February 2009

csvsync runtime errors - missing dll

A customer recently got a missing DLL error when running csvsync, MSVCO60D.dll to be exact. This is part of the C/C++ runtime and should normally be present already.

Anyhow, there is a Microsoft KB article on how to download the latest Visual C++ 6.0 run-time at this URL:

http://support.microsoft.com/kb/259403