Security audits in a high-availability environment
If you want to enable and make use of the auditing feature on an
HPOM management server that is installed in a high-availability
cluster, you need to bear in mind the following special
considerations.
- In a high-availability cluster, the custom-event logs which the
audit feature uses to record activity on the HPOM for Windows
management server are located on both cluster nodes in
%OvDataDir%\log in the same way as a stand-alone HPOM
management server: they are not located in %OvShareDir%\log.
The cluster service synchronizes the custom event log at regular
intervals between the active and backup nodes in the cluster, too.
NOTE:
Synchronization between active and backup cluster nodes can only
take place if the custom-event log, OvConfigChangeEvents.evt,
exists and is writable on the individual backup nodes in the
cluster, for example, after a fail over.
- You only have to enable auditing once in the high-availability
environment, on the active HPOM for Windows management
server in the cluster. You change the values in the auditing
namespace in the Server Configuration dialog to change the registry
keys that configure auditing. In the event of a fail over, the
registry keys on the active HPOM management server are
automatically replicated to the backup nodes in the cluster, along
with their sub-keys and settings (on or off).
- The custom logs for audit events are constantly synchronized
between the active cluster node where the HPOM for Windows
management server is running, and the backup cluster node.
- Any changes that are subsequently made either manually or
automatically to these registry keys (or their sub-keys) on the
active cluster node (where the HPOM management server is
running) are automatically replicated by the cluster service to the
other nodes in the cluster in the event of a fail over.
The registry keys are "attached" to a cluster resource called
"OvOW Registry Replication". Whenever this resource is brought
online on a cluster node, the MS Cluster Service overwrites any
existing keys with the keys from the machine where this resource
was previously online.
For example, if you disable auditing for the Policy Management
and Deployment component in the cluster by setting the value
Turn on policy management and deployment auditing to
False, this sets the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\OvConfigChanges\OvPolicyMgmt,
and the cluster service sets the same value on the other nodes in
the cluster.
NOTE:
Registry changes are only replicated from the active to the backup
HPOM in the high-availability cluster. If you make manual changes
to the key settings in the registry of the
backup HPOM management server in the high-availability
cluster, these changes will not be replicated to the
active cluster node, where the HPOM management server is
running. More importantly, the changes made to the registry on the
backup cluster node are lost in the event of a fail over, when the
cluster service starts the HPOM management server on the backup
cluster node and, in the process, creates a replica of the active
cluster node's registry on the backup cluster node.
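The following PowerShell is an added example, not part of the HPOM documentation. It records the audit registry settings and the state of the custom-event log file on the node where it runs, so that the active and backup nodes can be compared before a fail over overwrites the backup node's keys. The function names and the output file name are assumptions; the registry path (the parent of the key named above), the log file name and %OvDataDir% come from the text above.

```powershell
# Added example: function names and output file name are hypothetical.
$AuditKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\OvConfigChanges'

function Get-AuditRegistrySnapshot {
    # Flatten the audit key and all its sub-keys into sorted "key|name=value" lines.
    param([string]$Root = $AuditKey)
    if (-not (Test-Path -Path $Root)) { return }   # key not present on this node
    $keys = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Recurse)
    $lines = foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            '{0}|{1}={2}' -f $key.Name, $name, (@($value) -join ',')
        }
    }
    @($lines | Where-Object { $_ } | Sort-Object)
}

function Test-AuditLogFile {
    # Synchronization needs OvConfigChangeEvents.evt to exist and be writable on the node.
    # This checks existence and the read-only attribute only; it does not evaluate ACLs.
    if (-not $env:OvDataDir) { throw 'OvDataDir is not set in this session.' }
    $path = Join-Path -Path $env:OvDataDir -ChildPath 'log\OvConfigChangeEvents.evt'
    $file = Get-Item -Path $path -ErrorAction SilentlyContinue
    New-Object -TypeName PSObject -Property @{
        Node     = $env:COMPUTERNAME
        Path     = $path
        Exists   = [bool]$file
        ReadOnly = $(if ($file) { $file.IsReadOnly } else { $null })
    }
}

# Run on each cluster node: one snapshot file per node, plus the log-file state.
Get-AuditRegistrySnapshot |
    Set-Content -Path ".\audit-registry-$($env:COMPUTERNAME).txt"
Test-AuditLogFile

# With both files copied to one place (NODE-A and NODE-B are placeholder names):
# Compare-Object (Get-Content .\audit-registry-NODE-A.txt) `
#                (Get-Content .\audit-registry-NODE-B.txt)
```

An empty snapshot file means the audit key is not present on that node; Compare-Object needs both files to be non-empty. Any line that appears only in the backup node's file is a setting that the next fail over will overwrite.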
To enable or disable auditing globally in a high-availability
cluster
You enable and disable security audits on an HPOM management server
that is installed in a high-availability cluster in the same way
you enable and disable security audits on a stand-alone HPOM
management server, with one exception: the method you use to stop
and restart Windows services.
CAUTION:
The steps described in this procedure must be carried out on the
active HPOM management server in the high-availability
cluster.
- In the console tree on the active HPOM management
server in the high-availability cluster, right-click Operations
Manager, and then click Configure > Server.... The Server
Configuration dialog opens.
- Click Namespaces, and then click Auditing. A list
of values appears.
- Set the value of Turn on in general as follows:
- Enable auditing: True
- Disable auditing: False
- Click Apply.
- On the active HPOM management server in the
high-availability cluster, restart the services associated with the
event sources you want to audit, as follows:
- In the Cluster Administrator, locate the cluster group for your
HPOM management server installation, for example: HPOM
- Take the HPOM management server off line
Right-click the cluster group for your HPOM management server
installation and select the Take offline option
from the menu which pops up. This command stops all the
resources and Windows services associated with the HPOM management
server, without provoking a fail over.
- Stop and restart the Windows-Management service (WinMgmt).
At the command prompt, type:
c:\>net stop WinMgmt
c:\>net start WinMgmt
- Bring the HPOM management server back on line
Next, right-click the cluster group for your HPOM management
server installation once again and select the Bring
online option from the menu which pops up. This command
restarts all the resources and Windows services associated
with the HPOM management server.
NOTE:
After you restart the services, you can change the value of
Turn on at runtime to enable and disable auditing without
having to restart the services again.
- Start the Windows Event Viewer and, in the console tree, click
the OvConfigChanges item.
To manage auditing for individual event sources
This procedure explains how to enable or disable auditing at
runtime for individual or multiple event sources on the
active HPOM management server in the high-availability
cluster without having to restart any associated Windows services
for the change to take effect.
NOTE:
The registry keys that you modify using the Server Configuration
dialog do not exist on the backup nodes in the cluster until a fail
over occurs and the registries on the cluster nodes are
synchronized.
- In the console tree on the active HPOM management
server in the high-availability cluster, right-click Operations
Manager, and then click Configure > Server.... The Server
Configuration dialog opens.
- Click Namespaces, and then click Auditing. A list
of values appears.
- Set the value of Turn on at runtime as follows:
- Enable auditing: True
- Disable auditing: False
- Click Apply.
- To enable or disable auditing for individual event sources on
the active HPOM management server in the high-availability
cluster:
- Set the value of Turn on at runtime to True on
the active HPOM management server
- Set values for the individual event sources that you want to
enable or disable, for example:
- Turn on action execution auditing
- Turn on agent certificate request handling auditing
- Turn on config change auditing
- Turn on forwarded message change auditing
- Turn on local message change auditing
- Turn on outage auditing
- Turn on policy management and deployment auditing
- Turn on user roles configuration auditing
- Set the values to True (enabled) or
False (disabled), as required, and then click
Apply.
- Start the Windows Event Viewer on the active HPOM
management server in the high-availability cluster and, in the
console tree, click the OvConfigChanges item.