16.3 Managing Solution Packs

16.3.1 Importing Solution Packs

Solution Packs are available from several sources. They can be downloaded from the Sentinel product page (an additional license might be needed). Solution Packs can also be provided by one of Novell’s partners, or they can be created from content in your own Sentinel system.

The first step in using a Solution Pack is to import the .zip file into the system by using the Import Plugin Wizard. When a Solution Pack is imported, the .zip file is copied to the server where the DAS (Data Access Service) components are installed. The actual contents of the Solution Pack are not available in the target Sentinel system until the controls are installed through the Solution Manager.

If you import an updated version of a Solution Pack, you are prompted to replace the existing plug-in.

To import a Solution Pack

  1. Click the Tool menu and select Solution Packs. The Solution Packs window displays.

  2. Click the Import icon in the Solution Packs window. The Import Plugin Type window is displayed.

  3. Select Import Solution package plug-in file (.zip), then click Next. The Choose Plugin Package File window displays.

  4. Use the Browse button to locate the Solution Pack to import to the plug-in repository. Select a ZIP file and click Open.

    If you have selected a Solution Pack that already exists, the Replace Existing Plugin window displays.

  5. Click Next if you want to replace the existing plug-ins.

  6. Click Next. The Plugin Detail window displays, including the details of the plug-in to be imported.

  7. Select the Launch Solution Manager check box if you want to deploy the plug-in after importing the Solution Pack.

    If you select the Launch Solution Manager check box, the Solution Manager displays.

  8. Click Finish.

16.3.2 Opening Solution Packs

To use the Solution Manager and view the contents of a Solution Pack, a user must be assigned Solution Manager permissions. For more information, see Section 16.1.2, Permissions for Using Solution Packs.

Opening a Solution Pack in the Solution Manager

  1. Click the Tool menu and select Solution Packs. The Solution Package window displays.

  2. Double-click a Solution Pack in the Solution Packs window. The Solution Manager window is displayed.

Content Comparison

When the Solution Pack is opened, the Solution Manager compares the contents of the Solution Pack to other Solution Pack content from different Solution Packs or previous versions of the same Solution Pack.

Table 16-3 Content Status

  • Installed: Indicates that the content is already installed in the target Sentinel system. The version is the same in the opened Solution Pack and the previously installed Solution Pack.

  • Out of Sync: Indicates that a different version of the content is already installed in the target Sentinel system. A difference in name, definition, or description could trigger an Out of Sync status.

Out Of Sync Status

The Out of Sync icon indicates that content in the newly opened Solution Pack differs from a version that was previously installed by another Solution Pack (either a different Solution Pack or a previous version of the same Solution Pack). The name, definition, or description of the content might be different.

NOTE: The Solution Manager only compares content from different Solution Packs (or different versions of the same Solution Pack) for installed content. It does not compare content that has not yet been installed. It also does not compare Solution Pack content to content in the target system; manual changes to content in the Sentinel Control Manager are not reflected in Solution Manager.

When you right-click a Solution Pack, you can select Expand Only Out of Sync Nodes. This option expands all controls that are out of sync and collapses all controls that are either uninstalled or in sync. This makes it easy to find the out of sync content in a large Solution Pack.

To resolve out of sync content:

  1. Select the out of sync content (not the control or category) in the Solution Manager.

  2. Right-click and select Out of sync content details.

    A message displays with information about which Solution Pack is the source of the out of sync content.

  3. Compare the description of the content item in the two Solution Packs to determine which version you want to keep.

  4. Uninstall the out of sync control from all Solution Packs.

    Ideally you should resolve the out of sync issue before installing the new Solution Pack.

  5. Reinstall the control with the content you want to keep.

  6. Implement and test as required.

16.3.3 Installing Content from Solution Packs

To use the content of a Solution Pack in the Sentinel Control Center, you must install the Solution Pack or selected controls in a Sentinel system (also known as the “target” Sentinel system).

When you install either a Solution Pack or an individual control, all of the child nodes are installed.

Installing the Contents of a Solution Pack

  1. Go to Tools > Solution Packs.

  2. Double-click a Solution Pack to open Solution Manager. Alternatively, you can click the Open with Solution Manager icon. The Solution Manager window displays.

  3. Select a Solution Pack or a control you want to install, then click Install.

    Alternatively, right-click a Solution Pack or control and select Install. The Install Control Wizard displays. If you select a Solution Pack, all the controls in that Solution Pack display. If you select an individual control, that control is displayed in the Install Control Wizard window.

  4. Click Next. If correlation rules or reports are included in the Solution Pack, you need to proceed through several additional screens until you reach the Install Content window.

  5. Click Install.

    After installation, the Finish button displays.

  6. Click Finish.

If the installation fails for any content item in the control, the Solution Manager rolls back all the contents in that control to uninstalled.

There are special considerations for installing certain types of content, including correlation rules and reports; these issues are described below.

Correlation Rules and Actions

Correlation rules are deployed to a specific correlation engine. During the control installation, Figure 16-1 shows the correlation engines in the target Sentinel system and the rules that are already running on those engines. Based on the number and complexity of the rules running on the engines, you can decide which correlation engine to deploy the correlation rule to.

Correlation rules deploy in an Enabled or Disabled state, depending on their status in the source Sentinel system when the Solution Pack was created.

If an Execute Script Correlation action (created in Sentinel 6.0) is associated with the correlation rule, the Solution Manager attempts to install the associated JavaScript code on all correlation engines. If any of the correlation engines is unavailable, a message displays.

Figure 16-4 Install Control Wizard: Select Correlation Engine

You can cancel the control’s installation and fix the problem or continue installation on only the available correlation engines.

Figure 16-5 Unavailable Correlation Engines

The Execute Script Correlation action (created in Sentinel 6.0) cannot run on a particular correlation engine if the installation of the JavaScript code fails for that correlation engine. The .js file can be manually copied to the proper directory on the correlation engine. In a default installation, the proper directory is <install_directory>/config/exec.

If an Execute Command correlation action is associated with the correlation rule, the Solution Manager installs the command and its arguments, but the script, batch file, or utility must be manually configured on the correlation engines. This might require installing the utility, configuring permissions, or manually copying a script or batch file to the proper directory on the correlation engines.

In a default installation, the proper directory for the script file is <install_directory>/config/exec.
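
A check an administrator could run on each correlation engine after copying scripts by hand, shown here as an added example that is not part of the Sentinel product or its documentation. It assumes a POSIX shell; the function name, the operator-maintained list of expected script names, and the finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit the script directory on one correlation engine.
# DIR is <install_directory>/config/exec in a default installation.
# EXPECTED_LIST is an operator-maintained file (hypothetical) holding one
# expected script file name per line.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 on bad args.
audit_exec_dir() {
    dir=$1; expected=$2; findings=0
    if [ ! -d "$dir" ] || [ ! -f "$expected" ]; then
        echo "usage: audit_exec_dir DIR EXPECTED_LIST" >&2
        return 2
    fi

    # A directory writable by group or other lets another local account
    # replace a script that a correlation action will later run.
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE_DIR $dir"; findings=$((findings + 1))
    fi

    for f in "$dir"/*; do
        name=${f##*/}
        if [ -L "$f" ]; then
            # A symlink can point at a file outside the audited directory.
            echo "SYMLINK $name"; findings=$((findings + 1)); continue
        fi
        [ -f "$f" ] || continue    # also skips the unmatched glob of an empty dir
        # Not on the list: for example a .js file that stayed behind after
        # its control was uninstalled.
        if ! grep -qxF -- "$name" "$expected"; then
            echo "UNEXPECTED $name"; findings=$((findings + 1))
        fi
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE_FILE $name"; findings=$((findings + 1))
        fi
    done

    # A listed script that is absent means the action cannot run here.
    while IFS= read -r want; do
        [ -n "$want" ] || continue
        if [ ! -f "$dir/$want" ]; then
            echo "MISSING $want"; findings=$((findings + 1))
        fi
    done < "$expected"

    [ "$findings" -eq 0 ]
}

# Run directly: sh audit_exec.sh DIR EXPECTED_LIST
if [ "$#" -eq 2 ]; then
    audit_exec_dir "$1" "$2"
fi
```

Running it again after a control is uninstalled shows any .js files that were left on the engine as UNEXPECTED once they are removed from the list.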

If a JavaScript Action is associated with the correlation rule, the Solution Manager installs the Action configuration, the Action plug-in, and the associated Integrator configuration and Integrator plug-in if needed.

JasperReports

Sentinel Rapid Deployment uses JasperReports for report generation. There are two options to add JasperReports to the Solution Pack. They can either be added from the local machine (.zip or .rpz files) or from the Sentinel server you are connected to.

Sentinel Rapid Deployment does not support Crystal Reports. However, existing Solution Packs containing Crystal Reports can still be opened, edited, and saved in the Solution Designer. When you attempt to install a control that contains a Crystal Report along with other non-Crystal content such as JasperReports, Correlation rules, Action plug-ins, and Integrator plug-ins, all contents except the Crystal Report are installed. If you attempt to open a control that contains only Crystal Reports, it stops you with an error message. In both scenarios, a log message is entered to the Sentinel Control Center log.

Default Reports

Sentinel Rapid Deployment bundles the following reports with the Sentinel Core solution pack.

  • Sentinel Core Event Configuration

  • Sentinel Core Event Source List

  • Sentinel Core Event Source Overview

  • Sentinel Core Incident Management Dashboard

  • Sentinel Core Incident Status Summary

  • Sentinel Core Internal Events

  • Sentinel Core Solution Pack Audit Trail

  • Sentinel Core Solution Pack Status Dashboard

Content Placeholders

Only fully defined controls can be installed. For controls that contain placeholders, the Install option is disabled:

The following warning displays in the Description frame:

Duplicate Content within a Solution Pack

If two separate controls contain identical content and one control is deployed successfully, the status of the duplicate content in the other control is changed to Installed. The remaining child nodes in the second control stay uninstalled.

Each content item is only installed once. If the same content item (for example, a correlation rule) is included in more than one control, it is only installed once. Therefore, if you install one of those controls, the content displays with an installed status in the other control. In this scenario, the Solution Manager might show that the content for the second control is only partially installed. See Control 1.4.2 in the example below:

Figure 16-6 Duplicated Content within a Solution Pack

Content with the Same Name in the Target Sentinel System

If the Solution Manager detects content with the same name but a different unique identifier in the target Sentinel system, the Solution Manager installs the content with a unique ID appended to the name. For example, the rule from the Solution Pack might be named Unauthorized Firewall Change (1). The existing rule in the Sentinel system is unchanged.

NOTE: To prevent confusion for end users, Novell recommends that one of these rules be renamed.

16.3.4 Implementing Controls

After the content installation, additional steps might be necessary to fully implement a control, such as the following examples:

  • Populating a .csv file that is used by the mapping service for event enrichment.

  • Scheduling automatic report execution in the Crystal Reports Server.

  • Enabling auditing on source devices.

  • Copying an attached script for the Execute Command correlation action to the appropriate location on the correlation engines.

These steps should be added when the Solution Pack is created in Solution Designer.

To implement a control:

  1. Open a Solution Pack in the Solution Manager.

  2. Select a control.

  3. Click the Implementation tab in the Documentation frame.

  4. Follow all of the instructions in the Implementation tab.

  5. Add notes to the Notes tab of the Documentation frame as necessary to document progress or necessary deviations from the recommended implementation steps.

  6. When the implementation is complete, select the control and change the status drop-down to Implemented.

An audit event is generated and sent to the Sentinel Control Center.

Because of potential legal and regulatory implications, the status for a control should only be changed after all of the implementation steps have been successfully completed.

NOTE: A control must be installed before it can be implemented.

16.3.5 Testing Controls

After the content implementation, the content should be tested to verify that it is working as expected. Testing might require steps such as the following:

  • Run a report.

  • Generate a failed login on a critical server and verify that a correlated event is created.

These steps should be added when the Solution Pack is created in Solution Designer.

To test a control:

  1. Open a Solution Pack in Solution Manager.

  2. Select a control.

  3. Click the Testing tab in the Documentation frame.

  4. Follow all of the instructions in the Testing tab.

  5. Add notes to the Notes tab of the Documentation frame as necessary to document progress or necessary deviations from the recommended testing steps.

  6. When the testing is complete, select the control and change the status drop-down to Tested.

An audit event is generated and sent to the Sentinel Control Center.

Because of potential legal and regulatory implications, the status for a control should only be changed after all of the testing steps have been successfully completed.

NOTE: A control must be installed and should be implemented before it can be tested.

16.3.6 Uninstalling Controls

Controls are often used to meet legal or regulatory requirements. After they are implemented and tested, controls should be uninstalled only after careful consideration.

When a control is uninstalled, the status for the control reverts to Not Implemented and child content is deleted from the Sentinel system. There are a few exceptions and special cases:

  • Dependencies are checked to ensure that no content that is still in use is deleted. Some examples of this include a dynamic list that is used by a correlation rule created in the target Sentinel system, a report that is used in a control that is still installed, an iTRAC workflow template that is used in a Solution Pack that is still installed, or a folder that still contains other content.

  • Reports copied to a local system cannot be removed if the uninstall is performed from a Sentinel Control Center on a different machine.

  • JavaScript files associated with Execute Script Correlation actions remain on the correlation engines.

  • Maps (.csv files) and the data they contain are not deleted.

  • Roles associated with workflows are not deleted.

To uninstall a Control:

  1. Right-click the control you want to uninstall and select Uninstall. Alternatively, you can click the Uninstall icon. The Controls To Uninstall window displays.

  2. Click Next.

    If the control you are uninstalling includes one or more reports, you are prompted whether to uninstall the reports from the local server or the Crystal Reports Server. Ideally, this information was recorded on the Notes tab when the reports were installed.

  3. Click Next. The Uninstall Content window displays.

  4. Click Uninstall. The selected contents are uninstalled.

    You cannot uninstall local reports from a different Sentinel Control Center machine than the one that they were installed on or if the files were copied to a new location after installation. If the Solution Manager cannot find the .rpt files in the expected location, a message is logged in the Sentinel Control Center log file.

  5. Click Finish.

16.3.7 Viewing Solution Pack Status

There are several sources of information about the status of a Solution Pack.

Viewing Status in the Solution Manager

You can view the status of Solution Pack contents in the Solution Manager:

  • None/Blank: No status indicator for a control indicates that the associated content has not been installed yet.

  • Not Implemented: When none or some of the contents of a control are installed, the control is in the Not Implemented state. If the same content is installed by another control, a control might be Not Implemented even if some of its child content is Installed.

  • Implemented: This status indicates that a user has completed all of the implementation steps and manually set the control status to Implemented.

  • Tested: This status indicates that a user has completed all of the testing steps and manually set the control status to Tested.

  • Out of Sync: This status indicates that a different version of the content in the Solution Pack is deployed in the Sentinel target system by another Solution Pack or a previous version of the same Solution Pack.

Generating Status Documentation

The information about the Solution Pack can be exported in PDF format. The report contains details about every node in the Solution Pack, including category, control, and content group. You can select the following available options:

  • Show status: Select this option to show deployment status for each control (Not Installed, Not Implemented, Implemented, or Tested) and whether it’s Out of Sync.

  • Show individual content: Select this option to include information about the child content for each control in the documentation.

Figure 16-7 Status Document

To generate Solution Pack documentation:

  1. Open the Solution Pack for which you want to generate a status report.

  2. Click Create PDF. The Report Options window displays.

  3. Select Show status and Show individual content if desired.

  4. To view the documentation, click Preview. If this is the first time a PDF has been opened from your Sentinel Control Center, you might need to locate Acrobat Reader.

  5. To save the PDF, click Browse. Navigate to the location where you want to save the PDF and specify a filename. Click Save.

Audit Events in the Sentinel Control Center

All major actions related to Solution Packs and controls are audited by the Sentinel system, with information about which user performed the action. The following events are visible in the Sentinel Control Center and are stored in the Sentinel database:

  • Solution Pack is imported.

  • Control is installed.

  • Control status is changed to Implemented.

  • Control status is changed to Tested.

  • Control status is changed to Not Implemented.

  • Control is uninstalled.

  • Notes are modified for a control.

  • Solution Pack is deleted.

16.3.8 Deleting Solution Packs

Solution Packs are often used to meet legal or regulatory requirements. After they are implemented and tested, Solution Packs should be deleted only after careful consideration.

All deletions are audited by the Sentinel system and sent to both the Sentinel Control Center and the Sentinel database.

  1. Click the Tool menu and select Solution Packs. The Solution Packs window displays.

  2. Select the Solution Pack you want to delete and click the Open icon on the toolbar.

  3. Select the Solution Pack node and click Uninstall. All controls are uninstalled.

  4. Close the Solution Manager.

  5. With the same Solution Pack selected, click Remove plugin. Click Yes when you are prompted to delete the Solution Pack.

NOTE: If you attempt to delete a Solution Pack without uninstalling the content first, you are notified that content is still deployed. You have the option to open the Solution Pack in the Solution Manager and uninstall the content.