3.4 Installing Change Guardian Components

To work with Change Guardian, you require a combination of the following components.

Policy Editor: Allows you to configure policies and assign policies to assets you want to monitor.

Change Guardian Agent for Windows: Collects event data for the supported assets, such as Windows, Windows Active Directory, and Azure Active Directory.

Security Agent for UNIX: Collects event data for Linux, UNIX, and NetApp.

Change Guardian Event Collector Addon for Windows Agent: Collects event data in Common Event Format (CEF) from assets, such as Dell EMC, Microsoft Exchange, and Office 365.

For information about requirements and recommendations, see the System Requirements page.

3.4.1 Installing Policy Editor

To install Policy Editor:

  1. In Agent Manager, click Manage Installation > Download Package.

  2. Download the available version of Policy Editor.

  3. Copy the ChangeGuardianPolicyEditor.zip file to the computer where you want to install Policy Editor and extract the files.

    The package includes NetIQCGPolicyEditorInstaller.exe and NetIQCGPolicyEditorInstaller.config. Both files must be in the same directory.

  4. Install Policy Editor as an administrator.

Accessing Policy Editor

When Policy Editor starts, it connects to the Policy Repository with an account that is a member of the administrator or Change Guardian administrator role. The Policy Repository runs on the Change Guardian server.

NOTE: Always open Policy Editor with an account in the local administrators group.

3.4.2 Installing Change Guardian Agent for Windows

You can install Change Guardian Agent for Windows in the following ways:

  • Install agents remotely by using Agent Manager

  • Install agents manually on a local computer

NOTE: Agent Manager and the Change Guardian Agent for Windows are in FIPS mode by default.

The following sections guide you through the Change Guardian Agent for Windows installation and configuration:

Remote Installation

Remote installation using Agent Manager provides a convenient and uniform method for installing one or more Change Guardian Agent for Windows. When you use Agent Manager to install, Agent Manager communicates with the agent through the Agent Management service.

Prerequisite: Using Agent Manager, you must first add the assets where you want to install agents. You can either import assets from Active Directory or from a text file, or add assets manually. For more information, see Adding Assets.

To install Change Guardian Agent for Windows using Agent Manager:

  1. In Agent Manager, select the asset where you want to deploy the agent. If you select multiple assets, they must use the same credentials.

  2. Click Manage Installation > Install Agents.

  3. For newly added assets, specify the root credentials and click Next.

    NOTE: Log in to the newly added asset as an administrator to deploy the agent. The account must be a local administrator or a domain account in the Local Administrators group.

  4. Select the available version of the agent.

  5. For agent configuration, select any one option: default agent configuration, customize the configuration, or add new.

  6. Click Start Installation.

Manual Installation

Manual installation includes installing the agent certificates and artifacts, along with the agent.

Downloading the Agent Certificates and Artifacts

Use Agent Manager to download and install agent artifacts and certificates on one or more hosts.

NOTE: You must install agent artifacts and certificates for each host separately.

To download:

  1. In Agent Manager, click All Assets > Manage Installation > Download.

  2. Select the Agent certificates and artifacts package.

  3. Specify the hostname and the IP address, and then click Start Download.

  4. Before installing the agents, copy the ChangeGuardianAgentCertificates_<hostname>.zip file to the agent artifact directory and extract it there.

Installing the Agent

To install:

  1. From Agent Manager, download the available version of Change Guardian Agent for Windows.

  2. Copy ChangeGuardianAgentforWindows.zip to the computer where you want to install the Change Guardian Agent for Windows and extract the files.

    Agent artifacts include: NetIQCGAgentSilentInstaller.exe and NetIQCGAgentSilentInstaller.config. The configuration file contains the configuration you chose when you downloaded agent artifacts.

    NOTE: The agent artifacts and certificates must be in the same directory for the installation to complete successfully.

  3. Run the NetIQCGAgentSilentInstaller.exe file as an administrator.

Reconfiguring the Agent

When you have to change an agent’s configuration, for example, to enable or disable the Event Collector Plugin, you must reconfigure the agent.

To reconfigure:

  1. In Agent Manager, do one of the following:

    • (Conditional) If you have not added assets previously, in Agent Manager, under Asset Groups, click All Assets and then click Add Assets.

    • (Conditional) If you have added assets previously, in Agent Manager, click All Assets, then Manage Assets, and then Add.

  2. From the assets list, select the computers where you want to deploy the agent. If you select multiple computers, you must use the same credentials on all computers.

  3. Log in as root to the computer that you want to connect to, and click Next.

  4. Click Manage Installation, and then select Reconfigure.

  5. Select the version, and then select the default configuration, edit it, or add a new configuration.

3.4.3 Installing Security Agent for UNIX

You can install Security Agent for UNIX in the following ways:

  • Install agents remotely by using Agent Manager

  • Install agents manually on a local computer

The following sections guide you through the Security Agent for UNIX installation and configuration:

Interactive Installation

This section provides the following information:

Remote Installation

To install:

  1. In Agent Manager click Asset Groups > All Assets > Manage Assets > Add.

  2. From the assets list, select the machines where you want to deploy the agent.

    If you select multiple machines, use the same credentials.

  3. Click Manage Installation > Install Agents.

  4. Provide the user name and password of the agent, click Next, and start the installation.

    NOTE: When you are installing Security Agent for UNIX for Change Guardian, the IP address of the Change Guardian server is automatically populated in the configuration window. If you replace the Change Guardian server in the future, the new Change Guardian server must use the same IP address to maintain the connection with all deployed agents.

Manual Installation

To install:

  1. Download the agent artifacts and certificates. For more information, see Downloading the Agent Certificates and Artifacts.

  2. Log in to a machine running the agent using an account with superuser privileges.

  3. Click All Assets > Manage Installation > Download, and download the required package.

    Agent Manager downloads SecurityAgentForUnix.zip to your computer.

  4. Extract SecurityAgentForUnix.zip to the computer where you want to install the Security Agent for UNIX.

  5. Provide file execute permission to the install.sh file and execute the install.sh script.

  6. Follow the prompts to complete the installation.

  7. Continue with the installation steps. After installation, it might take a few minutes for all services to start.

    NOTE: Manual installation of Security Agent for UNIX downloaded from Change Guardian Agent Manager accepts the agent certificate configuration even if the agent hostname and IP address do not match. You must ensure that you use the correct configuration before installing Security Agent for UNIX.

Silent Installation

The silent or unattended installation is useful if you need to install more than one agent. Silent installation allows you to install the agent without interactively running the installation script.

IMPORTANT: To perform silent installation, ensure that you have recorded the installation parameters during the interactive installation and then run the recorded file on other endpoints. Silent installation uses an installation file that records the information required for completing the installation. Each line in the file is a name=value pair that provides the required information, for example, HOME=/usr/netiq.

The installation script extracts information from the installation file and installs the agent according to the values you specify.

If you use the deployment wizard to perform local installation on one computer, you can create a silent installation file based on your requirement. A sample installation file, SampleSilentInstallation.cfg, is located in your agent download package.

To install:

  1. Download the installation files from the Downloads website.

  2. Download the package in the root folder and specify the following command to extract the install files from the tar file:

    tar -zxvf <install_filename>

    Replace <install_filename> with the actual name of the install file.

  3. After you create the installation file, run silent installation on the endpoints from the command line using the following command:

    ./install.sh <Target_Directory> -s <SilentConfigurationFile>.cfg

    Where Target_Directory is the directory where you want to install the agent and SilentConfigurationFile is the file name used to specify the installation options. You can also use the default configuration file, SampleSilentInstallation.cfg. The installation file name must be specified as an absolute path. By default, SampleSilentInstallation.cfg is located in the agent install directory.

Following is the list of parameters that you can use during silent installation:

FRESH_INSTALL: Specifies whether you want to install or upgrade the agent. Valid entries are 1 (install) and 0 (upgrade). The default value is 1.

CREATE_TARGET_DIR: Specifies whether you want the install program to create the target installation directory if it does not already exist. Valid entries are y and n. The default value is y.

CONTINUE_WITHOUT_PATCHES: Specifies whether the install program stops or continues when the operating system is not a supported version. Valid entries are y and n. The default value is n.

IQCONNECT_PORT: Specifies the port that the agent uses to listen for communications from UNIX Agent Manager. The default value is 2620.

IQ_STARTUP: Specifies the restart method for the agent process. For information about the options, see Services of the Security Agent for UNIX. Valid entries are rclink and inittab. The default option is rclink.

CGU_STARTUP: Specifies the restart method for the detected process. For information about the options, see Services of the Security Agent for UNIX. Valid entries are rclink and inittab. The default value is rclink.

MANAGE_AUDIT_LOGS: Specifies whether the agent reduces the size and removes old audit logs. Valid entries are y and n.

AUDIT_LOG_SIZE: Specifies the maximum size, in bytes, that the agent allows an audit log to reach before starting a new log.

AUDIT_LOG_RETENTION: Specifies the number of audit logs that the agent keeps. Once this number of audit logs exists, the agent deletes old logs when making new ones.

KEEP_OLD_AGENT_DIR: Specifies whether to keep the previous installation directory when you are upgrading the agent. Valid entries are y and n.

OLD_INSTALL_DIR_MOVED: Specifies the directory where you want the installation program to move the previous installation directory.
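
Because one silent installation file is replayed on many endpoints, it is worth checking it against the valid entries listed above before rollout. The following check is an added example, not code from the product or its documentation; the names lint_silent_cfg, RULES and SAMPLE are hypothetical, and treating # as a comment marker and rejecting whitespace around = are assumptions about the file format.

```python
import re

def _choice(*allowed):
    return (lambda v: v in allowed), "one of: " + ", ".join(allowed)

def _integer(lo=0, hi=None):
    def ok(v):
        return v.isascii() and v.isdigit() and lo <= int(v) and (hi is None or int(v) <= hi)
    return ok, f"an integer >= {lo}" + ("" if hi is None else f" and <= {hi}")

# Valid entries transcribed from the parameter list above.
RULES = {"FRESH_INSTALL": _choice("1", "0"), "IQCONNECT_PORT": _integer(1, 65535)}
RULES["OLD_INSTALL_DIR_MOVED"] = (bool, "a non-empty directory path")
RULES.update({k: _choice("y", "n") for k in (
    "CREATE_TARGET_DIR", "CONTINUE_WITHOUT_PATCHES", "MANAGE_AUDIT_LOGS", "KEEP_OLD_AGENT_DIR")})
RULES.update({k: _choice("rclink", "inittab") for k in ("IQ_STARTUP", "CGU_STARTUP")})
RULES.update({k: _integer() for k in ("AUDIT_LOG_SIZE", "AUDIT_LOG_RETENTION")})
LINE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=(.*)")

def lint_silent_cfg(text):
    """Return (line_number, level, message) findings for a silent installation file."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):  # assumption: '#' comments
            continue
        m = LINE.fullmatch(raw)
        if m is None:
            findings.append((n, "error", "not a name=value pair"))
            continue
        name, value = m.groups()
        if name in seen:
            findings.append((n, "error", f"{name} already set on line {seen[name]}"))
        seen[name] = n
        if name not in RULES:  # e.g. HOME: allowed, but not in the list above
            findings.append((n, "note", f"{name} is not in the documented list"))
            continue
        ok, expected = RULES[name]
        if not ok(value):
            findings.append((n, "error", f"{name}={value!r}: expected {expected}"))
        elif (name, value) == ("CONTINUE_WITHOUT_PATCHES", "y"):
            findings.append((n, "warn", "installs even on an unsupported OS version"))
    return findings

# Constructed sample input, not the shipped SampleSilentInstallation.cfg.
SAMPLE = "\n".join(["HOME=/usr/netiq", "CREATE_TARGET_DIR=yes", "CONTINUE_WITHOUT_PATCHES=y",
                    "IQCONNECT_PORT=2620", "IQ_STARTUP=systemd", "IQCONNECT_PORT=70000",
                    "AUDIT_LOG_SIZE"])
if __name__ == "__main__":
    print(*lint_silent_cfg(SAMPLE), sep="\n")
```

Findings at the note level mark parameters that are outside the list above and need a manual look; errors should be fixed before the file is passed to install.sh with -s.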

Reconfiguring the Agent

Reconfigure the agents if you have deployed the agents using Agent Manager.

To reconfigure:

  1. In Agent Manager, do one of the following:

    • (Conditional) If you have not added assets previously, in Agent Manager, under Asset Groups, click All Assets and then click Add Assets.

    • (Conditional) If you have added assets previously, in Agent Manager, click All Assets, then Manage Assets, and then Add.

  2. From the assets list, select the computers where you want to deploy the agent. If you select multiple computers, you must use the same credentials on all computers.

  3. Log in as root to the computer that you want to connect to, and click Next.

  4. Click Manage Installation, and then select Reconfigure.

  5. Select the version, and then select the default configuration, edit it, or add a new configuration.

3.4.4 Installing Change Guardian Event Collector Addon for Windows Agent

Change Guardian Event Collector Addon for Windows Agent collects events in the common event format (CEF). Change Guardian supports events only in CEF.

Before installing the Change Guardian Event Collector Addon for Windows Agent, set up the required connectors.

To install Change Guardian Event Collector Addon for Windows Agent:

  1. In Agent Manager, click Manage Installation > Download Package.

  2. Download Change Guardian Event Collector Addon for Windows Agent.

  3. In the installer window, specify the local path in which you want to install Change Guardian Event Collector Addon for Windows Agent.

  4. Select the connectors to configure.

  5. Specify the location to store events in CEF.

    NOTE: Specify the same path in CEF Data Output Path in Agent Manager.

  6. Specify the values for File Rotation Interval and File Size.

    File Rotation Interval is the interval, in seconds, at which a new file is created. A new file is created when either the File Rotation Interval or the file size exceeds the set value. If the EPS is low in AWS IAM, set the file rotation and file size values lower than the default.

  7. Specify the parameters for the selected connectors.

    If your connector is Dell EMC, specify the following:

    • Domain name, hostname, user name, and password

    • Enable SID Translation

    If your connector is Microsoft Exchange, specify the following:

    • Server FQDN

    • Frequency

      Set any value between 1 and 600

    If your connector is AWS IAM, specify the following:

    • (Optional) Proxy details such as host, port, username, and password

    • AWS Access Key

    • AWS Secret Key

    • AWS SQS URL

    • AWS SQS Region

    • AWS SQS Visibility Timeout

    • AWS SQS Max Received Count

    • AWS S3 Region

    If your connector is Office 365, specify the following:

    • Azure Tenant Domain

    • Client ID

    • Client Secret

    • (Optional) Proxy server, port, username, and password

  8. (Optional) Open Windows services, and restart the following services:

    • ArcSight Dell EMC Unity and VNXe Storage

    • ArcSight Microsoft Exchange PowerShell

    NOTE: After the installation, restart the services once to receive the events.

To modify the settings of any connector, launch Change Guardian Event Collector Addon for Windows Agent and click Modify against the desired collector name.