Security audits in a high-availability environment


If you want to enable and make use of the auditing feature on an HPOM management server that is installed in a high-availability cluster, you need to bear in mind the following special considerations.

For example, if you disable auditing for the Policy Management and Deployment component in the cluster by setting the value Turn on policy management and deployment auditing to False, this sets the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\OvConfigChanges\OvPolicyMgmt, and the cluster service sets the same value on the other nodes in the cluster.

NOTE:
Registry changes are only replicated from the active to the backup HPOM management server in the high-availability cluster. If you make manual changes to the key settings in the registry of the backup HPOM management server in the high-availability cluster, these changes will not be replicated to the active cluster node, where the HPOM management server is running. More importantly, the changes made to the registry on the backup cluster node are lost in the event of a fail over, when the cluster service starts the HPOM management server on the backup cluster node and, in the process, creates a replica of the active cluster node's registry on the backup cluster node.

To enable or disable auditing globally in a high-availability cluster

You enable and disable security audits on an HPOM management server that is installed in a high-availability cluster in the same way you enable and disable security audits on a stand-alone HPOM management server, with one exception: the method you use to stop and restart Windows services.

CAUTION:
The steps described in this procedure must be carried out on the active HPOM management server in the high-availability cluster.

  1. In the console tree on the active HPOM management server in the high-availability cluster, right-click Operations Manager, and then click Configure → Server.... The Server Configuration dialog opens.
  2. Click Namespaces, and then click Auditing. A list of values appears.

  3. Set the value of Turn on in general as follows:
    • Enable auditing: True
    • Disable auditing: False
  4. Click Apply.
  5. On the active HPOM management server in the high-availability cluster, restart the services associated with the event sources you want to audit, as follows:
    1. In the Cluster Administrator, locate the cluster group for your HPOM management server installation, for example: HPOM
    2. Take the HPOM management server off line.

      Right-click the cluster group for your HPOM management server installation and select the Take offline option from the menu which pops up. This command stops all the resources and Windows services associated with the HPOM management server, without provoking a fail over.

    3. Stop and restart the Windows-Management service (WinMgmt).

      At the command prompt, type:
      c:\>net stop WinMgmt
      c:\>net start WinMgmt

    4. Bring the HPOM management server back on line.

      Next, right-click the cluster group for your HPOM management server installation once again and select the Bring online option from the menu which pops up. This command restarts all the resources and Windows services associated with the HPOM management server.

      NOTE:
      After you restart the services, you can change the value of Turn on at runtime to enable and disable auditing without having to restart the services again.
  6. Start the Windows Event Viewer and, in the console tree, click the OvConfigChanges item.
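The restart sequence in step 5 and the check in step 6, as an added PowerShell example that is not part of the original HPOM documentation. It assumes the FailoverClusters PowerShell module is available on the node (the page itself uses Cluster Administrator), that the cluster group is named HPOM as in the page's example, and a timeout value chosen here.

```powershell
# Added example: scripted form of step 5 (offline -> restart WinMgmt -> online)
# and step 6. Assumes the FailoverClusters module and a cluster group named 'HPOM'.
param(
    [string]$GroupName = 'HPOM',   # cluster group name, the page's example value
    [int]$TimeoutSec   = 300       # assumed wait limit per cluster operation
)

Import-Module FailoverClusters -ErrorAction Stop

# The procedure must run on the active node, so stop if this host does not
# currently own the HPOM cluster group.
$group = Get-ClusterGroup -Name $GroupName -ErrorAction Stop
if ($group.OwnerNode.Name -ne $env:COMPUTERNAME) {
    throw "Group '$GroupName' is owned by $($group.OwnerNode.Name); run this on that node."
}

# Step 5.2: take the group offline. This stops the HPOM resources and services
# without provoking a fail over.
Stop-ClusterGroup -Name $GroupName -Wait $TimeoutSec | Out-Null
$state = (Get-ClusterGroup -Name $GroupName).State
if ($state -ne 'Offline') { throw "Group state is $state, expected Offline." }

try {
    # Step 5.3: stop and restart the Windows-Management service (WinMgmt).
    # -Force is required because other services depend on WinMgmt.
    Stop-Service  -Name WinMgmt -Force -ErrorAction Stop
    Start-Service -Name WinMgmt -ErrorAction Stop
}
finally {
    # Step 5.4: always bring the group back online, even if the restart failed.
    Start-ClusterGroup -Name $GroupName -Wait $TimeoutSec | Out-Null
}

$state = (Get-ClusterGroup -Name $GroupName).State
if ($state -ne 'Online') { throw "Group state is $state, expected Online." }

# Step 6: show the newest entries in the OvConfigChanges event log.
Get-WinEvent -LogName OvConfigChanges -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message |
    Format-List
```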

To manage auditing for individual event sources

This procedure explains how to enable or disable auditing at runtime for individual or multiple event sources on the active HPOM management server in the high-availability cluster without having to restart any associated Windows services for the change to take effect.

NOTE:
The registry keys that you modify using the Server Configuration dialog do not exist on the backup nodes in the cluster until a fail over occurs and the registries on the cluster nodes are synchronized.

  1. In the console tree on the active HPOM management server in the high-availability cluster, right-click Operations Manager, and then click Configure → Server.... The Server Configuration dialog opens.
  2. Click Namespaces, and then click Auditing. A list of values appears.

  3. Set the value of Turn on at runtime as follows:
    • Enable auditing: True
    • Disable auditing: False
  4. Click Apply.
  5. To enable or disable auditing for individual event sources on the active HPOM management server in the high-availability cluster:
    1. Set the value of Turn on at runtime to True on the active HPOM management server
    2. Set values for the individual event sources that you want to enable or disable, for example:
      • Turn on action execution auditing
      • Turn on agent certificate request handling auditing
      • Turn on config change auditing
      • Turn on forwarded message change auditing
      • Turn on local message change auditing
      • Turn on outage auditing
      • Turn on policy management and deployment auditing
      • Turn on user roles configuration auditing
    3. Set the values to True (enabled) or False (disabled), as required, and then click Apply.
  6. Start the Windows Event Viewer on the active HPOM management server in the high-availability cluster and, in the console tree, click the OvConfigChanges item.
