Working with CAS templates
This section describes how to maintain CAS templates and template sets.
Define a Template/Template Set
- Create a New Template Set
- Modify a Template Set
- Clone a Template Set
- Delete a Template Set
Create a New Template Set
- Open the CAS Configuration Navigator panel (see Opening the CAS Configuration Navigator).
- Click New to open the Monitored Item Template Definitions panel.
- Select OS Type.
- Select DB Type. If the template set does not require a specific DB type, select N_A as the DB Type.
- Enter a unique name for Template Set Name. Note: Template Set Names longer than 128 characters are truncated.
- Click Apply to save the CAS Template Set Definition.
- To add items to the new template set, click Add to Set and see Define a Template Set Item.
Finding the Guardium CAS Panel
Access to CAS Configuration Functions, by default, is restricted to the admin user and to users who have been assigned the CAS role.
Click Harden. The CAS functions are listed under the Configuration Change Control (CAS Application) header.
Opening the CAS Configuration Navigator
The CAS Configuration Navigator panel is the starting point for creating or modifying CAS Template Sets.
Open the CAS Configuration Navigator panel from the list of CAS functions (see Finding the Guardium CAS Panel).
The list can be filtered by OS type and DB type.
Modify a Template Set
- Open the CAS Configuration Navigator panel.
- Filter the template set list by OS Type or DB Type.
- Select the Template Set that you want to modify and click Modify to open the CAS Template Set Definition panel.
- Make your changes and click Apply to save them.
Clone a Template Set
- Open the CAS Configuration Navigator panel.
- Filter the template set list by OS Type or DB Type.
- Select the Template Set that you want to clone and click Clone to open the CAS Template Set Definition panel.
- Once cloned, modify the clone to suit your needs.
Delete a Template Set
- Open the CAS Configuration Navigator panel.
- Filter the template set list by OS Type or DB Type.
- Select the Template Set that you want to delete and click Delete.
Define a Template Set Item
- Create a New Template Set Item
- Modify a Template Set Item
- Delete a Template Set Item
Create a New Template Set Item
- Open the CAS Configuration Navigator panel (see Opening the CAS Configuration Navigator).
- Click New to open the Monitored Item Template Definitions panel.
- Enter a Template Set Name, select an OS Type and DB Type, and click Apply.
- Click Add To Set to create a new item. The item fields are described in CAS Item Template Definition Pane.
Modify a Template Set Item
- Open the CAS Configuration Navigator panel.
- Filter the template set list by OS Type or DB Type.
- Select the Template Set that you want to modify and click Modify to open the CAS Template Set Definition panel.
- Select the items you want to modify and click Edit Selected.... Make your changes and click Apply to save them.
Delete a Template Set Item
- Open the CAS Configuration Navigator panel.
- Filter the template set list by OS Type or DB Type.
- Select the Template Set that contains the items and click Modify to open the CAS Template Set Definition panel.
- Select the items you want to delete and click Delete Selected.
CAS Item Template Definition Pane
Component | Description |
---|---|
OS Type | The operating system type: Windows or UNIX. You can change this selection when the template set is empty, but you cannot change it if the template set contains one or more items. |
DB Type | The database type (Oracle, MS-Sql, DB2®, Sybase, Informix®, etc.) or N/A for an operating system template set. You can change this selection when the template set is empty but you cannot change it if the template set contains one or more items. |
Description | An optional name for the item used in reports and to identify the item in other CAS panels (the CAS Template Set Definition for example). If omitted, the item name defaults to the file name or pattern, variable name, or script (as appropriate for the type). |
Type | One of the following: SQL Query, OS Script, Environment Variable, Registry Variable, Registry Variable Pattern, File, or File Pattern. See Template and Audit Types for further information. Note: An item used with CAS-based assessment tests must be of type OS Script. |
Content | Type-dependent text defining the specific item to monitor, or how to generate it. See Template and Audit Types for further information. Note: For an OS Script item, CAS waits for the script to complete. To limit the time a script is allowed to run, and to let CAS terminate a script that exceeds it, set the cas_command_wait parameter in guard_tap.ini. The default wait time is 300 seconds (5 minutes). Changing this parameter does not require a CAS restart. |
Permission Limit | For File and File Pattern types only, and on UNIX only: the permissions that the file should not exceed. |
File Owner | For File and File Pattern Type only. The owner of the file(s). |
File Group | For File and File Pattern Type only. The group owner of the file(s). |
Period | The maximum interval between tests, specified as a number of minutes (m), hours (h), or days (d). Data becomes available once the initial period has elapsed and before the next period begins. |
Keep Data | If selected, a copy of the actual data is saved with each change. For example: for a file item, a copy of the file is saved. If selected, but the size of the raw data for the item is greater than the Raw Data Limit configured for this CAS host, no data will be saved. |
Use MD5 | Indicates whether an additional comparison is done by calculating a checksum of the raw data using the MD5 algorithm. Computing the MD5 checksum is time consuming for large objects, but it is a better indicator of change than the size alone: content can change without the size changing. The default is not to use MD5. If MD5 is used but the size of the raw data exceeds the MD5 Size Limit configured for the CAS host, the MD5 calculation and comparison are skipped. Note that MD5 is not collision resistant: it reliably detects ordinary edits and corruption, but an attacker who can choose the replacement content can craft one with the same MD5, so treat a matching checksum as an absence of detected change rather than as proof of integrity. |
Enabled | Selected by default; indicates whether or not the item will be checked for changes. |
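As an added example (not Guardium's own code), the following Python models how the File-type settings in the table above interact: Permission Limit, File Owner and File Group are checked against the file as it is now, the MD5 is computed only when Use MD5 is set and the size is within the host's MD5 Size Limit, and a content change that leaves the size unchanged is visible only through the checksum. The class and function names, the limit value, the sample file and the permission-limit reading (any mode bit set that the limit does not allow is a violation) are assumptions for illustration; the CAS agent's own comparison logic is not shown on this page.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

try:
    import grp
    import pwd                  # UNIX only; elsewhere owner/group fall back to numeric ids
except ImportError:             # pragma: no cover
    grp = pwd = None

@dataclass
class FileItem:
    """File-type item settings from the panel above (field names are assumed)."""
    path: str
    permission_limit: Optional[int] = None   # Permission Limit: mode bits the file must not exceed
    file_owner: Optional[str] = None         # File Owner
    file_group: Optional[str] = None         # File Group
    use_md5: bool = False                    # Use MD5

@dataclass
class HostLimits:
    md5_size_limit: int = 1_000_000          # assumed value for the host's MD5 Size Limit

@dataclass
class Observation:
    size: int
    mode: int                   # permission bits only (stat.S_IMODE)
    owner: str
    group: str
    md5: Optional[str] = None   # None when Use MD5 is off or the MD5 Size Limit was exceeded

def _lookup(fn, ident) -> str:
    try:
        return fn(ident)
    except (KeyError, AttributeError):       # unknown id, or pwd/grp not available
        return str(ident)

def observe(item: FileItem, limits: HostLimits) -> Observation:
    """Record the characteristics that are compared between two runs of the item."""
    st = os.stat(item.path)
    owner = _lookup(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
    group = _lookup(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    md5 = None
    if item.use_md5 and st.st_size <= limits.md5_size_limit:
        with open(item.path, "rb") as f:
            md5 = hashlib.md5(f.read()).hexdigest()
    return Observation(st.st_size, stat.S_IMODE(st.st_mode), owner, group, md5)

def policy_violations(item: FileItem, obs: Observation) -> List[str]:
    """Checks against the item's own settings; these do not depend on history."""
    problems = []
    if item.permission_limit is not None and obs.mode & ~item.permission_limit:
        problems.append(f"mode {obs.mode:04o} exceeds limit {item.permission_limit:04o}")
    if item.file_owner is not None and obs.owner != item.file_owner:
        problems.append(f"owner {obs.owner!r} is not {item.file_owner!r}")
    if item.file_group is not None and obs.group != item.file_group:
        problems.append(f"group {obs.group!r} is not {item.file_group!r}")
    return problems

def changes(prev: Observation, cur: Observation) -> List[str]:
    """Characteristics that differ from the previous observation of the same path."""
    diffs = [k for k in ("size", "mode", "owner", "group")
             if getattr(prev, k) != getattr(cur, k)]
    # Equal size does not mean equal content; only the checksum catches that,
    # and only when both observations actually computed one.
    if prev.md5 is not None and cur.md5 is not None and prev.md5 != cur.md5:
        diffs.append("md5")
    return diffs

def run_demo() -> dict:
    """Constructed scenario: a 0600 file overwritten with different content of the same size."""
    path = os.path.join(tempfile.mkdtemp(), "listener.ora")
    with open(path, "wb") as f:
        f.write(b"a")
    os.chmod(path, 0o600)
    item = FileItem(path, permission_limit=0o600, use_md5=True)
    first = observe(item, HostLimits())
    with open(path, "wb") as f:
        f.write(b"b")                                  # same size, new content
    second = observe(item, HostLimits())
    no_md5 = observe(item, HostLimits(md5_size_limit=0))   # 1 byte exceeds the limit
    return {
        "mode": first.mode,
        "md5": first.md5,                              # md5 of b"a"
        "ok": policy_violations(item, first),
        "too_open": policy_violations(FileItem(path, permission_limit=0o400), first),
        "changes": changes(first, second),
        "md5_skipped": no_md5.md5 is None,
    }

if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the demo dictionary: the overwrite shows up only as a "md5" change because size, mode, owner and group are unchanged, and with the MD5 Size Limit set below the file size the checksum is simply not computed, which is the case the table warns about.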
Template and Audit Types
Type | Description |
---|---|
SQL Query | The content should be a valid SQL statement. The result returned by the statement will be compared to the result returned the last time the query was run. The query will be run with the parameters specified in the datasource that is being used: username, password, DB port, and so forth. Care should be taken when filling out these parameters in the datasource or the query will fail to return a result. |
OS Script | The content can be a valid command line entry, or the name of a file containing an OS executable script. The script is executed in the environment of the OS user specified in the Database Instance Account field of the datasource definition. |
Environment Variable | The content should name an environment variable that is defined in the context of the OS user specified in the Database Instance Account field of the datasource definition. |
Registry Variable | The content is interpreted as the path to a variable in the Windows Registry of the host. The value found on that path is compared to the value found the last time the path was traced. |
Registry Variable Pattern | The content is a sequence of regular expressions that is used to match the components of paths in the Windows Registry. The pattern is used to generate Registry Variable type monitored items, which are then treated as described above. The regular expressions are joined by / so that the pattern resembles a registry path. The more familiar \ character cannot be used as the separator, since it is a special character in the syntax of Java™ regular expressions. If a / is needed inside one of the regular expressions, it must be escaped with a backslash; for example, U\/235 matches U/235. The pattern .. can be used to match zero or more components within a path. For example, HKLM/Software/../buzz matches HKLM\Software\buzz and HKLM\Software\one\two\three\buzz. This kind of pattern can lead to a computationally expensive registry search, so use it carefully. Apart from these exceptions, the regular expressions follow the syntax of Java regular expressions. |
File | The content is interpreted as an absolute file path on the host. The characteristics of the file found on the path are compared to the characteristics found the last time the path was traced. The path may include environment variables, which are expanded in the context of the OS user specified in the datasource. The path may also begin with a substitution variable, like $SYBASE_HOME, which is replaced by the value entered in the Database Instance Directory field of the datasource definition. |
File Pattern | The content is a sequence of regular expressions that is used to match the components of file paths and to generate File type monitored items. The regular expressions are joined by / so that the pattern resembles an actual file path. As with registry patterns, \ cannot be used as the separator for Windows files because of the regular expression syntax. If the pattern begins with ?: on a Windows machine, the pattern match is started on each drive of a multi-drive machine. The .. construction described for registry patterns can also be used in a file pattern, with the same caution about cost. Environment variables from the context of the OS user can be used in a file pattern and are expanded before the regular expressions are evaluated. |
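To make the pattern rules for Registry Variable Pattern and File Pattern items concrete, here is an added Python matcher (not Guardium code) that implements the semantics the two rows above describe: components joined by /, \/ as an escaped literal slash, .. matching zero or more components, every other component a regular expression applied to one path component, and a leading ?: standing in for "every drive" on Windows. Python's re module is used as a stand-in for the Java regex engine, so engine-specific syntax can differ; the function names, the drive-letter handling and the sample registry and file paths are constructed for illustration.

```python
import re
from typing import List

WILD = ".."   # matches zero or more path components, as the tables describe

def split_pattern(pattern: str) -> List[str]:
    """Split on '/' separators; a backslash-slash is an escaped literal '/' in a component."""
    parts, cur, i = [], [], 0
    while i < len(pattern):
        if pattern.startswith("\\/", i):
            cur.append("/")
            i += 2
        elif pattern[i] == "/":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(pattern[i])
            i += 1
    parts.append("".join(cur))
    return parts

def _match(pats: List[str], comps: List[str]) -> bool:
    if not pats:
        return not comps
    head, rest = pats[0], pats[1:]
    if head == WILD:
        # Try absorbing 0..len(comps) components. This branching is why the
        # page warns that '..' makes a registry or file search expensive.
        return any(_match(rest, comps[k:]) for k in range(len(comps) + 1))
    return bool(comps) and re.fullmatch(head, comps[0]) is not None and _match(rest, comps[1:])

def matches(pattern: str, path: str, sep: str) -> bool:
    """Does `path` (split on the host separator) match the component pattern?"""
    pats = split_pattern(pattern)
    if pats and pats[0] == "?:":
        # Windows: '?:' starts the match on every drive. Accepting any drive
        # letter here is an assumed equivalent of iterating over the drives.
        pats[0] = r"[A-Za-z]:"
    return _match(pats, path.split(sep))

def select(pattern: str, paths: List[str], sep: str) -> List[str]:
    """The concrete monitored items a pattern would generate from a set of paths."""
    return [p for p in paths if matches(pattern, p, sep)]

# Constructed sample registry paths and Windows/UNIX file paths (not from any real host).
SAMPLE_REGISTRY = [
    r"HKLM\Software\buzz",
    r"HKLM\Software\one\two\three\buzz",
    r"HKLM\Software\buzzer",
    r"HKLM\Software\U/235\Key",
]
SAMPLE_FILES_WIN = [r"C:\oracle\tnsnames.ora", r"D:\oracle\net\listener.ora", r"D:\oracle\readme.txt"]
SAMPLE_FILES_UNIX = ["/etc/security/limits.conf", "/etc/ssh/sshd_config", "/etc/hosts"]

if __name__ == "__main__":
    print(select("HKLM/Software/../buzz", SAMPLE_REGISTRY, "\\"))
    print(select(r"HKLM/Software/U\/235/Key", SAMPLE_REGISTRY, "\\"))
    print(select(r"?:/oracle/../.*\.ora", SAMPLE_FILES_WIN, "\\"))
    print(select(r"/etc/../.*\.conf", SAMPLE_FILES_UNIX, "/"))
```

Note that because components are matched with fullmatch, HKLM/Software/../buzz matches the two buzz keys from the table's example but not buzzer, and the absolute UNIX pattern /etc/../.*\.conf works because both the pattern and the path split into a leading empty component.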
Configuration Auditing System APIs
CAS includes a robust set of GuardAPIs and REST APIs that you can use to manage hosts, template items, and template sets outside of the Guardium UI. For more information about the APIs, see Configuration Auditing System APIs.