Solution Packs are available from several sources. They can be downloaded from the Sentinel product page (an additional license might be needed). Solution Packs can also be provided by one of Novell’s partners, or they can be created from content in your own Sentinel system.
The first step in using a Solution Pack is to import the .zip file into the system by using the Import Plugin Wizard. When a Solution Pack is imported, the .zip file is copied to the server where the DAS (Data Access Service) components are installed. The actual contents of the Solution Pack are not available in the target Sentinel system until the controls are installed through the Solution Manager.
If you import an updated version of a Solution Pack, you are prompted to replace the existing plug-in.
To import a Solution Pack
Click the menu and select . The window displays.
Click the icon in the window. The window is displayed.
Select Import Solution package plug-in file (.zip), then click . The window displays.
Use the button to locate the Solution Pack to import to the plug-in repository. Select a ZIP file and click .
If you have selected a Solution Pack that already exists, the Replace Existing Plugin window displays.
Click if you want to replace the existing plug-ins.
Click . window displays, including the details of the plug-in to be imported.
Select the Launch Solution Manager check box if you want to deploy the plug-in after importing the Solution Pack.
If you select the check box, the Solution Manager displays.
Click .
To use the Solution Manager and view the contents of a Solution Pack, a user must be assigned Solution Manager permissions. For more information, see Section 16.1.2, Permissions for Using Solution Packs.
Click the menu and select Solution Packs. The Solution Package window displays.
Double-click a Solution Pack in the Solution Packs window. The Solution Manager window is displayed.
When the Solution Pack is opened, the Solution Manager compares the contents of the Solution Pack to other Solution Pack content from different Solution Packs or previous versions of the same Solution Pack.
Table 16-3 Content Status
The icon indicates that content in the newly opened Solution Pack differs from a version that was previously installed by another Solution Pack (either a different Solution Pack or a previous version of the same Solution Pack). The name, definition, or description of the content might be different.
NOTE: The Solution Manager only compares content from different Solution Packs (or different versions of the same Solution Pack) for installed content. It does not compare content that has not yet been installed. It also does not compare Solution Pack content to content in the target system; manual changes to content in the Sentinel Control Manager are not reflected in Solution Manager.
When you right-click a Solution Pack, you can select . This option expands all controls that are out of sync and collapses all controls that are either uninstalled or in sync. This makes it easy to find the out of sync content in a large Solution Pack.
To resolve out of sync content:
Select the out of sync content (not the control or category) in the Solution Manager.
Right-click and select .
A message displays with information about which Solution Pack is the source of the out of sync content.
Compare the description of the content item in the two Solution Packs to determine which version you want to keep.
Uninstall the out of sync control from all Solution Packs.
Ideally you should resolve the out of sync issue before installing the new Solution Pack.
Reinstall the control with the content you want to keep.
Implement and test as required.
To use the content of a Solution Pack in the Sentinel Control Center, you must install the Solution Pack or selected controls in a Sentinel system (also known as the “target” Sentinel system).
When you install either a Solution Pack or an individual control, all of the child nodes are installed.
Go to > .
Double-click a Solution Pack to open Solution Manager. Alternatively, you can click the icon. The Solution Manager window displays.
Select a Solution Pack or a control you want to install, then click Install.
Alternatively, right-click a Solution Pack or control and select . The Install Control Wizard displays. If you select a Solution Pack, all the controls in that Solution Pack display. If you select an individual control, that control is displayed in the Install Control Wizard window.
Click . If correlation rules or reports are included in the Solution Pack, you need to proceed through several additional screens until you reach the Install Content window.
Click .
After installation the button displays.
Click .
If the installation fails for any content item in the control, the Solution Manager rolls back all the contents in that control to uninstalled.
There are special considerations for installing certain types of content, including correlation rules and reports; these issues are described below.
Correlation rules are deployed to a specific correlation engine. During the control installation, Figure 16-1 shows the correlation engines in the target Sentinel system and the rules that are already running on those engines. Based on the number and complexity of the rules running on the engines, you can decide which correlation engine to deploy the correlation rule to.
Correlation rules deploy in an Enabled or Disabled state, depending on their status in the source Sentinel system when the Solution Pack was created.
If an Execute Script Correlation action (created in Sentinel 6.0) is associated with the correlation rule, the Solution Manager attempts to install the associated JavaScript code on all correlation engines. If any of the correlation engines is unavailable, a message displays.
Figure 16-4 Install Control Wizard: Select Correlation Engine
You can cancel the control’s installation and fix the problem or continue installation on only the available correlation engines.
Figure 16-5 Unavailable Correlation Engines
The Execute Script Correlation action (created in Sentinel 6.0) cannot run on a particular correlation engine if the installation of the JavaScript code fails for that correlation engine. The .js file can be manually copied to the proper directory on the correlation engine. In a default installation, the proper directory is <install_directory>/config/exec.
If an Execute Command correlation action is associated with the correlation rule, the Solution Manager installs the command and its arguments, but the script, batch file, or utility must be manually configured on the correlation engines. This might require installing the utility, configuring permissions, or manually copying a script or batch file to the proper directory on the correlation engines.
In a default installation, the proper directory for the script file is <install_directory>/config/exec.
If a JavaScript Action is associated with the correlation rule, the Solution Manager installs the Action configuration, the Action plug-in, and the associated Integrator configuration and Integrator plug-in if needed.
Sentinel Rapid Deployment uses JasperReports for report generation. There are two options to add JasperReports to the Solution Pack. They can either be added from the local machine (.zip or .rpz files) or from the Sentinel server you are connected to.
Sentinel Rapid Deployment does not support Crystal Reports. However, existing Solution Packs containing Crystal Reports can still be opened/edited/saved in the Solution Designer. When you attempt to install a control that also contains the Crystal Report along with other non-Crystal content such as JasperReports, Correlation rules, Action plug-ins, and Integrator plug-ins, all other contents except the Crystal Report are installed. If you attempt to open a control that contains only Crystal Reports, it stops you with an error message. In both scenarios, a log message is entered to the Sentinel Control Center log.
Sentinel Rapid Deployment bundles the following reports with the Sentinel Core solution pack.
Sentinel Core Event Configuration
Sentinel Core Event Source List
Sentinel Core Event Source Overview
Sentinel Core Incident Management Dashboard
Sentinel Core Incident Status Summary
Sentinel Core Internal Events
Sentinel Core Solution Pack Audit Trail
Sentinel Core Solution Pack Status Dashboard
Only fully defined controls can be installed. For controls that contain placeholders, the option is disabled.
The following warning displays in the Description frame:
If two separate controls contain identical content and one control is deployed successfully, the status of the duplicate content in the other control is changed to Installed. The remaining child nodes in the second control stay uninstalled.
Each content item is only installed once. If the same content item (for example, a correlation rule) is included in more than one control, it is only installed once. Therefore, if you install one of those controls, the content displays with an installed status in the other control. In this scenario, the Solution Manager might show that the content for the second control is only partially installed. See Control 1.4.2 in the example below:
Figure 16-6 Duplicated Content within a Solution Pack
If the Solution Manager detects content with the same name but a different unique identifier in the target Sentinel system, the Solution Manager installs the content with a unique ID appended to the name. For example, the rule from the Solution Pack might be named Unauthorized Firewall Change (1). The existing rule in the Sentinel system is unchanged.
NOTE: To prevent confusion for end users, Novell recommends that one of these rules be renamed.
After the content installation, additional steps might be necessary to fully implement a control, such as the following examples:
Populating a .csv file that is used by the mapping service for event enrichment.
Scheduling automatic report execution in the Crystal Reports Server.
Enabling auditing on source devices.
Copying an attached script for the Execute Command correlation action to the appropriate location on the correlation engines.
These steps should be added when the Solution Pack is created in Solution Designer.
To implement a control:
Open a Solution Pack in the Solution Manager.
Select a control.
Click the tab in the frame.
Follow all of the instructions in the tab.
Add notes to the tab of the Documentation frame as necessary to document progress or necessary deviations from the recommended implementation steps.
When the implementation is complete, select the control and change the status drop-down to Implemented.
An audit event is generated and sent to the Sentinel Control Center.
Because of potential legal and regulatory implications, the status for a control should only be changed after all of the implementation steps have been successfully completed.
NOTE: A control must be installed before it can be implemented.
After the content implementation, the content should be tested to verify that it is working as expected. Testing might require steps such as the following:
Run a report.
Generate a failed login on a critical server and verify that a correlated event is created.
These steps should be added when the Solution Pack is created in Solution Designer.
To test a control:
Open a Solution Pack in Solution Manager.
Select a control.
Click the tab in the frame.
Follow all of the instructions in the tab.
Add notes to the tab of the Documentation frame as necessary to document progress or necessary deviations from the recommended testing steps.
When the testing is complete, select the control and change the status drop-down to Tested.
An audit event is generated and sent to the Sentinel Control Center.
Because of potential legal and regulatory implications, the status for a control should only be changed after all of the testing steps have been successfully completed.
NOTE: A control must be installed and should be implemented before it can be tested.
Controls are often used to meet legal or regulatory requirements. After they are implemented and tested, controls should be uninstalled only after careful consideration.
When a control is uninstalled, the status for the control reverts to Not Implemented and child content is deleted from the Sentinel system. There are a few exceptions and special cases:
Dependencies are checked to ensure that no content that is still in use is deleted. Some examples of this include a dynamic list that is used by a correlation rule created in the target Sentinel system, a report that is used in a control that is still installed, an iTRAC workflow template that is used in a Solution Pack that is still installed, or a folder that still contains other content.
Reports copied to a local system cannot be removed if the uninstall is performed from a Sentinel Control Center on a different machine.
JavaScript files associated with Execute Script Correlation actions remain on the correlation engines.
Maps (.csv files) and the data they contain are not deleted.
Roles associated with workflows are not deleted.
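The following check is an added example, not part of the Novell documentation or product. It audits the script directory named above (<install_directory>/config/exec) for two conditions this chapter describes: JavaScript files that remain on a correlation engine after a control is uninstalled, and manually copied scripts whose permissions were left too open. The allowlist file and all file names in the sample are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Novell's code. Audits the directory that holds scripts
# for Execute Script / Execute Command correlation actions
# (<install_directory>/config/exec in a default installation).
# The allowlist file (one file name per line) is an assumption: a list you
# maintain of scripts that belong to currently installed controls.

# audit_exec_dir <exec_dir> <allowlist_file>
# Prints one finding per line:
#   UNEXPECTED <name>  file present but not on the allowlist (for example,
#                      a .js file left behind after a control was uninstalled)
#   WRITABLE <name>    file writable by group or others
#   MISSING <name>     allowlisted script absent, so its action cannot run
audit_exec_dir() {
    dir=$1
    allow=$2
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        grep -Fxq -- "$name" "$allow" || echo "UNEXPECTED $name"
        if [ -n "$(find "$path" \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $name"
        fi
    done
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        [ -f "$dir/$name" ] || echo "MISSING $name"
    done < "$allow"
}

# Constructed sample: a throwaway tree that mimics config/exec.
# All file names below are invented for the demonstration.
demo_audit() {
    tmp=$(mktemp -d)
    exec_dir="$tmp/config/exec"
    mkdir -p "$exec_dir"
    printf '// constructed sample\n' > "$exec_dir/notify_soc.js"
    printf '// constructed sample\n' > "$exec_dir/old_rule_action.js"
    printf '#!/bin/sh\n' > "$exec_dir/block_ip.sh"
    chmod 644 "$exec_dir/notify_soc.js"
    chmod 640 "$exec_dir/old_rule_action.js"
    chmod 775 "$exec_dir/block_ip.sh"
    printf '%s\n' notify_soc.js block_ip.sh lookup_asset.sh > "$tmp/allow.txt"
    audit_exec_dir "$exec_dir" "$tmp/allow.txt"
    rm -rf "$tmp"
}

demo_audit
```

On a real correlation engine, call audit_exec_dir with the actual exec directory and your own allowlist instead of running demo_audit.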
To uninstall a Control:
Right-click the control you want to uninstall and select . Alternatively, you can click the icon. The Controls To Uninstall window displays.
Click .
If the control you are uninstalling includes one or more reports, you are prompted whether to uninstall the reports from the local server or the Crystal Reports Server. Ideally, this information was recorded on the tab when the reports were installed.
Click . The Uninstall Content window displays.
Click . The selected contents are uninstalled.
You cannot uninstall local reports from a different Sentinel Control Center machine than the one that they were installed on or if the files were copied to a new location after installation. If the Solution Manager cannot find the .rpt files in the expected location, a message is logged in the Sentinel Control Center log file.
Click .
There are several sources of information about the status of a Solution Pack.
You can view the status of Solution Pack contents in the Solution Manager:
None/Blank: No status indicator for a control indicates that the associated content has not been installed yet.
Not Implemented: When none or some of the contents of a control are installed, the control is in the Not Implemented state. If the same content is installed by another control, a control might be Not Implemented even if some of its child content is Installed.
Implemented: This status indicates that a user has completed all of the implementation steps and manually set the control status to Implemented.
Tested: This status indicates that a user has completed all of the testing steps and manually set the control status to Tested.
Out of Sync: This status indicates that a different version of the content in the Solution Pack is deployed in the Sentinel target system by another Solution Pack or a previous version of the same Solution Pack.
The information about the Solution Pack can be exported in PDF format. The report contains details about every node in the Solution Pack, including category, control, and content group. You can select the following available options:
Show status: Select this option to show deployment status for each control (Not Installed, Not Implemented, Implemented, or Tested) and whether it’s Out of Sync.
Show individual content: Select this option to include information about the child content for each control in the documentation.
Figure 16-7 Status Document
To generate Solution Pack documentation:
Open the Solution Pack for which you want to generate a status report.
Click . The Report Options window displays.
Select Show status and Show individual content if desired.
To view the documentation, click . If this is the first time a PDF has been opened from your Sentinel Control Center, you might need to locate Acrobat Reader.
To save the PDF, click . Navigate to the location where you want to save the PDF and specify a filename. Click .
All major actions related to Solution Packs and controls are audited by the Sentinel system, with information about which user performed the action. The following events are visible in the Sentinel Control Center and are stored in the Sentinel database:
Solution Pack is imported.
Control is installed.
Control status is changed to Implemented.
Control status is changed to Tested.
Control status is changed to Not Implemented.
Control is uninstalled.
Notes are modified for a control.
Solution Pack is deleted.
Solution Packs are often used to meet legal or regulatory requirements. After they are implemented and tested, Solution Packs should be deleted only after careful consideration.
All deletions are audited by the Sentinel system and sent to both the Sentinel Control Center and the Sentinel database.
Click the menu and select Solution Packs. The Solution Packs window displays.
Select the Solution Pack you want to delete and click the icon on the toolbar.
Select the Solution Pack node and click . All controls are uninstalled.
Close the Solution Manager.
With the same Solution Pack selected, click . Click Yes when you are prompted to delete the Solution Pack.
NOTE: If you attempt to delete a Solution Pack without uninstalling the content first, you are notified that content is still deployed. You have the option to open the Solution Pack in the Solution Manager and uninstall the content.