Security audits
For security reasons, if is essential to be able to monitor activity, which occurs on the HPOM management server. If you can track use of or changes to the configuration of the HPOM management server and record attempts to gain unauthorized access to data, you have a good chance of being able to determine exactly who was responsible for any security breach and when.
The audit feature allows you to monitor how HPOM for Windows is
used and what, if any, configuration changes are made. HPOM writes
auditable events to its own, internal, custom event log,
%OvDataDir%\log\OvConfigChangeEvents.Evt, which you
can browse using the standard Windows Event Viewer.
In order to run an audit, you have to configure HPOM to monitor the underlying Windows services, which are used to control the various HPOM management areas. You can do this individually for each management area that you want to audit, or collectively if you want to audit all management areas concurrently. Once enabled, the security-audit feature allows you to track events in the following areas:
- Policy Management and Deployment
To audit the management and deployment of policies, you need to monitor the Policy Management and Deployment Server (PMAD). Enabling auditing of the PMAD server logs activity in the following areas:
- The deployment of policies to (and removal from) managed nodes
- Any alteration to (and editing of) policies
NOTE:
The detail which the security audit feature collects is limited. For example, you can determine that version 1.2 of a policy was replaced with version 1.3, but you cannot use the security-audit feature to find out what the changes between the two policies are.
- HP Operations agent: Management and Deployment
To audit the management and deployment of the HP Operations agent, you need to monitor the Policy Management and Deployment server (PMAD). Enabling auditing of the PMAD server logs activity in the following areas:
- The deployment of the HP Operations agent to (and removal from) managed nodes
- HPOM Tools
To audit the use of HPOM tools, you need to monitor the Message-action Server. Enabling auditing of the Message-action Server records activity in the following areas:
- Any access to (and execution of) HPOM tools on the HPOM management server
- Automatic and Operator-initiated Actions
To audit the execution of either automatic or operator-initiated actions, you need to monitor the Message-action Server. Enabling auditing of the Message-action Server logs activity in the following areas:
- Each time an automatic or operator-initiated action is started or stopped on the HPOM management server
- HPOM Users and User Roles
To audit the activity of HPOM users, such as the administrator and the operator, you need to monitor the Security Server. Enabling auditing of the Security Server logs activity in the following areas:
- Any changes to HPOM user roles, rights, and permissions
- Messages
-
To audit changes to messages, you need to enable monitoring of message changes done locally or on forwarded messages. Enabling message auditing logs activity in the following areas:
- Each time the state of a message, the severity, the text, an annotation, or a custom message attribute changes, an audit log is created in the eventlog.
- Audit logs are created each time messages are downloaded or deleted using DB Maintenance.
For each entry in the audit records, HPOM for Windows records the following information:
- The source of the event, for example: the Policy-Management server or the Message-action server
- An Event ID: a unique identifier for each event type, which makes searching the log much easier
- The date and time, at which the event occurred
- A User ID: a unique identifier to link an HPOM operator or administrator to the reported event
Related Topics: