Welcome back Hex!!!

Years ago I posted about missing Hexonyx and how much I missed that mud.  Over the years the post has generated a number of comments and posts.

One of those comments led me to this Facebook group, and the best part is the mud is back.  So fire up ZMUD or whatever client you were using so many years ago and join back up.

Bad news is the player file is a bit out of date and you probably don’t have that awesome weapon or awesome piece of quest gear you had last time, but come back: the memory is still there, and just like riding a bike you will quickly be running zones and joining up with friends.

Also, for a great story of how Hex landed someone a job, read here.

Configuring User Risk Reporting in Symantec DLP

The User Risk Summary report breaks down incidents by user and covers email and endpoint incidents.  From the help file: “The user risk summary gives you insight into the behavior of specific individuals in your organization by associating users with email and endpoint incidents. This information helps you focus your data loss prevention efforts on those users posing the highest risk to the security of your data.”

There are three steps to take before the User Risk Summary report is populated:

  1. Create custom user attributes
  2. Import user data
  3. View the reports

Create Custom User Attributes

One item to keep clear: the attributes defined here are different from the custom incident attributes that are populated from Active Directory as part of an incident.  These user attributes have to be created separately.  This has led to a lot of confusion on my part, but it needs to be set up.

To set up the custom attributes for User Risk Reporting, navigate to System -> Users -> Attributes.  By default there are no attributes in the system.

To add a new attribute, select “Add” and then type in the Attribute Name (example: First Name or Department).  These attributes will be populated from the data source (either Active Directory or a CSV file).

The screenshot shows the attributes that are populated in my demo system.

Image

Import User Data

Once again, this is different from populating the data for incidents and needs to be configured separately.  We can leverage the existing directory connection that is already being used, or create a new data source.

This is found under System -> Users -> Data Sources

Selecting “Add” presents you with the following screen:

Image

As you can see, I’m using the existing Directory Connection already created; after I provide a name, the data source is ready.

Check the box next to the data source and select “Import” to run the import.  After the import is complete, the information will be presented on the User Risk Summary report (if you have incidents).

View the reports

User risk reports group the Network incidents and the Endpoint Discover incidents together.  These reports break the incidents down by severity.

Image

If a user is selected, further detail about the types of incidents generated is presented.

Image

Symantec Endpoint Encryption is now supported on Ubuntu LTS

Symantec Endpoint Encryption (powered by PGP) has been updated to version 3.3.  For more information check out the release notes found on Symwise: http://www.symantec.com/docs/TECH201458

Several changes have been made in this release including:

  • Support for Windows 8, both the 32-bit and 64-bit versions

  • Support for Outlook 2013 on the client

  • Support for Red Hat Linux and CentOS 6.3 and 6.4, both 32-bit and 64-bit.

  • Support for Ubuntu 12.04 LTS, both the 32-bit and 64-bit versions.

This provides one of the missing parts of what I need to be able to run Ubuntu in my enterprise, as we have a requirement to have our drives encrypted by the supported encryption product and our keys managed centrally.

I hope things like this will see Ubuntu grow into the enterprise from a desktop point of view. Now all we need is integration into an endpoint management tool.

RFC: Ubuntu and Symantec IT Management Suite

Do you use Ubuntu?  Do you use Symantec IT Management Suite?  A recent post on Symantec Connect asked for people who are running Ubuntu to post comments to see if there is interest in adding support for Ubuntu to the product.

For those who do not know what Symantec IT Management Suite is, I will provide a quick overview and then end with a couple of reasons why I believe this would be a great fit for Ubuntu.

Symantec IT Management Suite (or the product formerly known as Altiris) helps with complete management of the endpoints (laptops, desktops and servers), from deployment of the endpoint (imaging), deployment of software and patches, to tracking the device from an Asset Management point of view.  Some basic portions of IT Management Suite include:

  • Bare metal deployment of servers

  • Image deployment of desktops, laptops and servers

  • Software delivery in an unattended way

  • Patch Management (including on the Windows side several 3rd party (non-Microsoft) patches)

  • Full inventory of the device (both hardware and software)

  • Comprehensive reporting on the status of the device

  • And many other things

My company has been working with Symantec IT Management Suite for almost 10 years and has done a bunch of videos explaining and showing how this product works.

I’ve also written several blog posts about why I believe Ubuntu needs to have more of a focus around the Enterprise and Enterprise tools.  Canonical has developed Landscape, their own product to help with the management of Ubuntu but it is time to leverage an existing management tool to help move further into the enterprise as well.

Here is how ITMS and Ubuntu could work together (in my view):

  • Imaging and deployment of Ubuntu machines across the environment in a standard format

  • Full software and hardware inventory of the device across the entire enterprise

  • Structured deployment of patches across the entire enterprise including reporting on the status of those patches

This would allow for deployment and management across the board in an enterprise and could help

Installing the Symantec Critical Systems Protection agent on a CentOS system

Summary:

This document will cover installation of the Symantec Critical Systems Protection Agent on CentOS (Community Enterprise Operating System, a Red Hat clone).

Preparing the CentOS system:

In order for the CSP Agent to be installed on any Linux system, SELinux needs to be disabled.  Security-Enhanced Linux (SELinux) is a Linux feature that provides a way to enforce access control security policies in the Linux kernel.  This duplicates what CSP provides, which is why it must be disabled.  Keep in mind that between the reboot with SELinux off and the moment the CSP agent is installed and has its policy, the host has no mandatory access control at all, so schedule the two steps back to back.  Outside of that, there are no additional dependencies that need to be installed before the CSP agent can be installed.

Disabling SELinux:

In order to fully disable SELinux you will need to reboot your system, along with knowing the root password to edit a configuration file.  Please route through your standard change control process before doing so.

The first step (outside of becoming root) is to edit your /etc/selinux/config file (vi /etc/selinux/config).  Out of the box it will look like:

Image

Find the line that reads “SELINUX=enforcing” (the stock value on a fresh CentOS install; it may read “permissive” if someone has already relaxed it) and change it to “SELINUX=disabled” so it looks like:

Image

Once you write the file you will need to reboot your system.  After the reboot, running “getenforce” should print “Disabled”; if it still prints “Enforcing” or “Permissive”, the edit did not take and the agent install will fail.

Copying the needed files to the CentOS box:

Two files need to be copied over to the CentOS box before installation: agent-cert.ssl and the agent installer (in this case agent64-linux-rhel6.bin).

The installer is not executable so you will need to run the command “chmod a+x agent64-linux-rhel6.bin” before executing.
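The two preparation steps above (the SELinux edit and the chmod), scripted as an added example that is not part of the original post or of the CSP product. The config file path and installer path are parameters so the functions can be tried against scratch copies before touching the real /etc/selinux/config; the function names, the script name prep-csp.sh and the --apply flag are this example’s own inventions.

```shell
#!/bin/sh
# Added example (not from the original post or Symantec): scripts the CentOS
# preparation steps for the CSP agent. Function names and the --apply flag
# are assumptions made here; the file paths are the ones the post uses.

# Print the value of the SELINUX= line (enforcing, permissive or disabled).
# The pattern requires '=' directly after SELINUX, so SELINUXTYPE= is not matched.
selinux_mode() {
    sed -n 's/^SELINUX=\(.*\)$/\1/p' "$1"
}

# Rewrite the SELINUX= line to disabled and leave every other line untouched.
# Writes to a temp file and renames, so a failed sed never leaves a truncated config.
set_selinux_disabled() {
    cfg="$1"
    sed 's/^SELINUX=.*/SELINUX=disabled/' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# The CSP installer ships without the execute bit; this is the post's chmod a+x step.
make_installer_executable() {
    chmod a+x "$1" && [ -x "$1" ]
}

# Print yes while the file says disabled but the running kernel does not:
# the change only takes effect after the reboot the post calls for.
# getenforce only exists on SELinux-enabled hosts; if it is absent there is nothing to reboot for.
reboot_needed() {
    if command -v getenforce >/dev/null 2>&1 \
        && [ "$(selinux_mode "$1")" = "disabled" ] \
        && [ "$(getenforce)" != "Disabled" ]; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone use as root on the CentOS box:
#   sh prep-csp.sh --apply /path/to/agent64-linux-rhel6.bin
if [ "${1:-}" = "--apply" ]; then
    [ -n "${2:-}" ] || { echo "usage: $0 --apply <agent installer>" >&2; exit 1; }
    set_selinux_disabled /etc/selinux/config
    make_installer_executable "$2"
    echo "SELinux config: $(selinux_mode /etc/selinux/config), reboot needed: $(reboot_needed /etc/selinux/config)"
fi
```

Run it with --apply as root, then reboot when it reports “reboot needed: yes”; the installer itself is still run interactively as described in the next section.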

Installing the CSP Agent:

Once the files are copied and ready, as root execute the command “pathtobinfile/agent64-linux-rhel6.bin” and hit the space bar to scroll through the license agreement.

The installer may warn that the running kernel version and the suggested driver version do not match, but it works without any problems, so accept this and continue.

When prompted provide the fully qualified name of the CSP Management Server:

Image

You will then be prompted to provide the path to the agent-cert.ssl file you copied over to the server you are installing the agent on.

Once everything is filled out you will have one last time to confirm everything is all set:

Image

Once you hit enter the CSP agent will be installed and configured and will communicate to your CSP Manag

My First KDE Contribution and looking for more

I have contributed in various ways to the Ubuntu Project, starting way back in the day with the first release of Kubuntu and its need for documentation.  That first release was my introduction to the world of being an open source contributor, and for many releases of Kubuntu I wrote the documentation, worked on the documentation, or led the team that did the documentation.  Anyways, I always struggled to find a way to contribute back to the main KDE project.  I finally found a way by fixing some typos and some grammar problems.

Recently a contributor to the kwalletd project posted an entry on his blog about adding GPG support for storing the password.  There were some minor changes that needed to be made, and I was able to download the code and apply the needed changes.

So if you look at the commit, there’s my name on the list for making some changes.

Anyways long story short I’ve made some changes to KDE specifically around grammar and spelling and am looking for more work to do.

Are there junior jobs floating around that need some minor grammar changes or did you just implement some awesome new feature but English might not be your primary language?  I would love to help.  Drop me a note.

Symantec Connect Posts Round Up #5

So it’s been a couple of weeks since my last round up and there are a ton of links/posts from Symantec Connect that I thought were very interesting.  I hope you find these interesting; if you do, please drop me a note in the comments section so I know someone is reading them :)
So the first one is not a Connect Post but comes from the Symantec Knowledge Base…
  • Symantec Encryption Management Server and DLP Integration Guide:  I haven’t had a chance to walk through this in my test lab yet, but I’m waiting for some time off from engagements to implement this.  Once that’s done I’ll try to provide some feedback.  Symantec has laid out a pretty aggressive roadmap for integration between the 2 products and I’m hoping they can deliver on it.  Talk to your Symantec Rep for more information on what’s being talked about.
And back to the Connect Posts
  • What to consider for a DLP 11.6 and SEP 12.1 upgrade:  This person is looking for help on upgrading to the current versions of the SEP and DLP products.  The best recommendation is to read the user guides for both products before upgrading.  Also reach out to your Symantec Partner (you do have one don’t you?) as they would love to help out with the upgrade to the new products.
  • Extending DLP Agent for Google Drive monitoring:  The reason for linking to this post is that there are frequent conversations around how to extend DLP monitoring to various cloud based storage systems (Dropbox, Box.net, etc) and prevent data from leaving through those vectors.
  • SEP and vShield integration: I’m pretty excited about what SEP 12.1.2 brings to the virtualized infrastructure one might use.  This post has a bunch of links in it for setting up the vShield integration that VMware uses.  vShield integration reduces scanning overhead in your virtual environment.
  • SEP support for Ubuntu: So this is a long and somewhat confusing thread to follow.  The original poster is asking what support there is for SEP on Ubuntu.  The confusion comes down to the naming of the product.  SAV (Symantec Antivirus) is the product supported for Linux devices.  As of this post SAV for Linux runs in an unmanaged state but can be installed on Ubuntu 12.04 LTS.
  • Sending CSP information to Splunk: Good article on sending information to Splunk from Symantec Critical Systems Protection.  The answer is that if you have access to the database you can get the information that you would like out and send that information to Splunk.
  • Is PGP supported for Windows 8?:  A lot of posts around whether or not Symantec supports Windows 8.  On the PGP side this is not the case, and at least on a touch device the pre-boot authentication is not supported.  See http://www.symantec.com/docs/TECH199095 for more information, or subscribe to it to be notified when this support is added.  On a side note, are you seeing Windows 8 in the Enterprise?
  • Can DLP inspect an email header?:  Short answer Yes… Long answer read the linked articles in the answers.
  • Creating a rule for tracking registry key modification:  The poster is looking for help in writing a rule to help him track changing of registry keys.  If you know the answer to this question, it would be greatly appreciated.
Thanks for reading these (if you are?) and post me a message or a comment if you actually are.
Jonathan

Symantec Connect Posts Round Up #4

This is week #4 of clearing out the various Symantec Connect posts that I’ve found interesting (Week #3, Week #2, and Week #1).  If you have found these interesting or like reading them, please let me know.  Hope you are learning something, maybe even answering some of these questions/posts yourself.

So without further ado, here’s this week’s (actually last week’s, but I got a little behind):

  • Register for Vision 2013 and get a discount and Connect points:  Are you going, or interested in going, to Symantec Vision?  If you sign up using the Connect code you get a discount and some Connect points.  I’ve enjoyed the couple of times I’ve been to Vision and have learned a lot.  Hope to see you there.
  • ITA ports for SEP 11 SQL Database:  IT Analytics seems to be a pretty popular discussion point around Symantec Connect and this person is looking for specific ports and configuration information.  Drop me a note if you are interested in learning more about IT Analytics and how it can help you with reporting around Symantec Security products
  • An Illustrated Guide to Installing Symantec Mobile Security 7.2: So I haven’t wrapped my brain around Symantec Mobile Security and need to.  This article covers installing/configuring the product.  Great article, give this dude lots of votes on this post
  • 2 Tier Install of DLP 11.6 needs more than 2 servers?: This is an interesting article about how to setup a 2 Tier install of Symantec DLP and what type of servers are needed.  I’ve been doing a lot of work (consulting and architecture) around Symantec DLP so drop me a note if you need any help.
  • DLP false positive incident: This is a common question when it comes to Symantec DLP: how can I reduce the number of false positives that I’m getting within the system?  You will spend your entire DLP life working on incident count and how many you have.  A lot of the time it comes down to just changing the breadth of an incident or adding additional keyword requirements.  This might become a separate blog post in and of itself.
  • PGP Desktop and DLP Scanning: Yet something else I haven’t quite figured out… The person would like to scan encrypted SMTP traffic when the keys are stored at the Universal Server.  I have heard there is further integration coming along between DLP and Universal Server that might help the person out.  Also there is a KB article that might help out as well.  Will have to spend some time figuring this out.
  • Do I have to use the Enterprise version of SQL for CSP?: No you don’t have to use SQL Enterprise for Critical Systems Protection.  There is an embedded Database that can be used but then you will not have access to IT Analytics for reporting.  SQL Standard edition is a supported database version as well.
  • Migrating SCSP and DB:  This link is more of a place holder for me in case I ever have to deal with this.  The associated KB’s and links within the answers are the best place to get started.
  • SEPM alerts if GUP is unreachable:  This Connect question is looking for a report or notification when GUPs are unreachable, and it is a pretty interesting question.  The good part is the tool created by the SEP product team and linked from the comment (I will be looking into it as well), found at this article.  Also one of the answers has a report that might be useful for doing what the poster is asking for.
  • Embedded to SQL: A lot of people, when they install SEP and the SEP Manager, use the default install of the embedded database and then want to move to full SQL.  We at ITS always recommend using a full SQL database when doing an install.  This allows for better performance and also for use of IT Analytics for reporting.  There are a lot of links within this forum question on the best way to transition from the embedded database to a full SQL db.  Also this is something that we can help out with as a services engagement.  Drop me a note if you need help or are interested.