How Do I Configure My AeroFS Private Cloud Audit Service?

The AeroFS Audit Service is part of the Data Leakage Prevention (DLP) feature in the AeroFS Private Cloud. This service allows an AeroFS appliance administrator to capture and analyze AeroFS usage and sharing data for their organization.

The Audit Service is a central point that collects near-real-time information from AeroFS server and client processes, collates them and delivers these events to a downstream system for indexing and archiving. It does not hold a permanent audit log on the AeroFS appliance - we prefer that your existing SIEM and archiving systems own your audit data.

Configuration

The AeroFS Audit Service can be enabled and configured via the Private Cloud Appliance web administration console. It requires "organization administrator" privilege, similar to other appliance actions - backup, setup, and upgrade.

Appliance management

To reach the appliance management page, first log in to the Private Cloud Appliance as an administrator. At the bottom left, under "My Appliance", click the "Manage" link.

Auditing Configuration

On the appliance management page, on the left-hand side, click the Auditing link. This will show the current auditing configuration (default disabled) and allow you to enable and configure auditing.

Downstream systems

At minimum, configuring a downstream system requires only a host name (or IP address) and a port number. The destination host:port combination must be reachable from the Private Cloud Appliance.

The protocol from the audit server to the downstream system is very simple: JSON documents, one per line. Here are a few sample events as they are delivered from the audit service. In them, a user certifies a desktop client and a mobile client, then receives an invitation to a shared folder.

{"timestamp":"2014-02-21 23:59:52.044","topic":"DEVICE","device_name":"loaf","os_name":"OSX","device_type":"Desktop Client","event":"device.certify","device_id":"af12c4211b3344a3a4fc773c75d316c8","os_family":"OSX","user":"jon@syncfs.com"}

{"timestamp":"2014-02-21 23:58:42.110","topic":"DEVICE","device_type":"Mobile App","event":"device.certify","device_id":"Jon's iPad","user":"jon@syncfs.com"}

{"folder":"55fc6c17e1fa0c6e81770a4585a064d1","timestamp":"2014-02-22 00:00:18.844","topic":"SHARING","event":"folder.invite","sharer":"doris@syncfs.com","target":"jon@syncfs.com","role":["MANAGE","WRITE"]}

Any TCP listener can work as a downstream system. If you are using Splunk, for example, it includes a "TCP" input type which is supported for this use. Splunk is able to automatically index the JSON stream.

SSL connections to downstream systems

In general, the SSL connection is preferred as it prevents eavesdropping on the communication between the AeroFS Private Cloud Appliance and the downstream system. The downstream system must have an SSL-enabled TCP listener. Again, using Splunk as an example, the "tcp-ssl" input type presents this interface; and it is simple to build any line-based listener that supports this.
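The line-based listener described above, written out as an added example (this is not AeroFS code and not a Splunk input): it reassembles newline-delimited JSON from whatever chunk boundaries TCP delivers, rejects lines that are not JSON objects or lack the timestamp/topic/event fields, tallies events by topic, and optionally wraps the socket in TLS so it can serve as the SSL-enabled listener the appliance expects. The three records embedded in SAMPLE_STREAM are the page's sample events; the non-JSON line, the REQUIRED_FIELDS set and the certfile/keyfile parameters of serve() are assumptions made for the example.

```python
import json
import socketserver
import ssl
from collections import Counter

# Constructed stream: the page's three sample events, newline-delimited,
# plus one non-JSON line to show how a malformed record is handled.
SAMPLE_STREAM = (
    b'{"timestamp":"2014-02-21 23:59:52.044","topic":"DEVICE","device_name":"loaf",'
    b'"os_name":"OSX","device_type":"Desktop Client","event":"device.certify",'
    b'"device_id":"af12c4211b3344a3a4fc773c75d316c8","os_family":"OSX","user":"jon@syncfs.com"}\n'
    b'{"timestamp":"2014-02-21 23:58:42.110","topic":"DEVICE","device_type":"Mobile App",'
    b'"event":"device.certify","device_id":"Jon\'s iPad","user":"jon@syncfs.com"}\n'
    b'this is not json\n'
    b'{"folder":"55fc6c17e1fa0c6e81770a4585a064d1","timestamp":"2014-02-22 00:00:18.844",'
    b'"topic":"SHARING","event":"folder.invite","sharer":"doris@syncfs.com",'
    b'"target":"jon@syncfs.com","role":["MANAGE","WRITE"]}\n'
)

# Assumed minimum set of fields every usable event must carry.
REQUIRED_FIELDS = ("timestamp", "topic", "event")


class AuditEventReceiver:
    """Reassembles newline-delimited JSON events from arbitrary TCP read chunks."""

    def __init__(self):
        self._buf = b""
        self.events = []        # parsed, well-formed events
        self.rejected = []      # raw lines that were not usable
        self.by_topic = Counter()

    def feed(self, chunk: bytes) -> int:
        """Consume one chunk of socket data; return the number of events accepted."""
        self._buf += chunk
        accepted = 0
        while b"\n" in self._buf:
            line, self._buf = self._buf.split(b"\n", 1)
            if self._handle_line(line):
                accepted += 1
        return accepted

    def _handle_line(self, line: bytes) -> bool:
        try:
            event = json.loads(line)
        except ValueError:
            self.rejected.append(line)
            return False
        if not isinstance(event, dict) or not all(k in event for k in REQUIRED_FIELDS):
            self.rejected.append(line)
            return False
        self.events.append(event)
        self.by_topic[event["topic"]] += 1
        return True

    def sharing_events(self, user: str) -> list:
        """Events on the SHARING topic in which `user` is the invitee."""
        return [e for e in self.events
                if e["topic"] == "SHARING" and e.get("target") == user]


class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        receiver = AuditEventReceiver()
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                break
            receiver.feed(chunk)
        # In a real deployment, hand receiver.events to the SIEM or archive here.


def serve(host: str, port: int, certfile: str = None, keyfile: str = None):
    """Run the listener; with certfile/keyfile (hypothetical paths to the
    listener's own certificate and private key) it speaks TLS, which is the
    certificate the appliance administrator then configures as trusted."""
    ctx = None
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)

    class Server(socketserver.ThreadingTCPServer):
        allow_reuse_address = True

        def get_request(self):
            conn, addr = super().get_request()
            if ctx is not None:
                conn = ctx.wrap_socket(conn, server_side=True)
            return conn, addr

    with Server((host, port), _Handler) as server:
        server.serve_forever()
```

The receiver buffers across recv() calls because a single JSON document may arrive split over two reads; rejected lines are kept rather than dropped so that a broken sender shows up in the listener's own records instead of silently losing events.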

AeroFS requires certificate authentication when talking to a destination server. We must validate that the certificate is valid and represents the destination host. The destination server may present a certificate that is signed by a known, trusted CA (one of those in the Java default keystore). In most cases, however, the destination audit server will simply present a self-signed certificate, or one that is signed by an internal CA.

In this case, we allow the AeroFS administrator to explicitly set a trusted certificate for the downstream server. The certificate should be in PEM format; it will look something like this:

-----BEGIN CERTIFICATE-----
MIIB5zCCAVCgAwIBAgIEUszeGDANBgkqhkiG9w0BAQUFADA4MScwJQYDVQQKEx5P
cGVuRFMgU2VsZi1TaWduZWQgQ2VydGlmaWNhdGUxDTALBgNVBAMTBGxvYWYwHhcN
MdAZPfZRmHOqlX1Zj0vgLcjWKhU5B4tcKqScHX56DlyoiNd7Hgga/1StFWtQT2or
-----END CERTIFICATE-----

In some cases, the entire certificate chain may be required.

Don't know the self-signed certificate?

Some unfortunate tools automatically generate a self-signed certificate and don't make that very clear. To find out what certificate a particular service is using, we can use the openssl command-line tool:

openssl s_client -connect {downstream.server.address}:{PORT}

The certificate information will be displayed, including the certificate in PEM form, which is what the administration interface expects.

Please verify that this certificate is coming from the expected system and not from a man-in-the-middle.
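An added example, not part of the original article, covering the two steps above: pulling the PEM block out of captured openssl s_client output, and checking that what the appliance was shown is the certificate the administrator actually trusts. It compares the decoded DER bytes, so line-wrapping differences between the pasted and captured copies do not matter, and it prints the SHA-256 fingerprint in the colon-separated form most tools display, so the value can be compared with what the downstream system's own administrator reports out of band. The s_client transcript is constructed for the example; its PEM body is the page's truncated sample, so it is not a complete X.509 certificate (nothing here parses X.509, only base64).

```python
import base64
import hashlib
import re

# Constructed sample of what `openssl s_client -connect host:port` prints.
# The PEM body is the page's own truncated sample certificate, not a full one.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 O = OpenDS Self-Signed Certificate, CN = loaf
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/O=OpenDS Self-Signed Certificate/CN=loaf
   i:/O=OpenDS Self-Signed Certificate/CN=loaf
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB5zCCAVCgAwIBAgIEUszeGDANBgkqhkiG9w0BAQUFADA4MScwJQYDVQQKEx5P
cGVuRFMgU2VsZi1TaWduZWQgQ2VydGlmaWNhdGUxDTALBgNVBAMTBGxvYWYwHhcN
MdAZPfZRmHOqlX1Zj0vgLcjWKhU5B4tcKqScHX56DlyoiNd7Hgga/1StFWtQT2or
-----END CERTIFICATE-----
subject=/O=OpenDS Self-Signed Certificate/CN=loaf
issuer=/O=OpenDS Self-Signed Certificate/CN=loaf
---
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def extract_pem_certs(s_client_output: str) -> list:
    """Return every PEM certificate block found in captured s_client output.

    Without -showcerts only the server certificate is printed; with it the
    whole chain appears and is returned in the order sent (leaf first),
    which is what you paste when the entire chain is required.
    """
    certs = []
    for body in _PEM_RE.findall(s_client_output):
        lines = body.split()
        certs.append("-----BEGIN CERTIFICATE-----\n"
                     + "\n".join(lines) + "\n-----END CERTIFICATE-----\n")
    return certs


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM certificate to its DER bytes (base64 only, no X.509 parsing)."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_trusted(presented_pem: str, trusted_pem: str) -> bool:
    """True when the presented and configured certificates are byte-identical
    DER, regardless of line wrapping or surrounding whitespace in the PEM."""
    return pem_to_der(presented_pem) == pem_to_der(trusted_pem)


if __name__ == "__main__":
    for cert in extract_pem_certs(SAMPLE_S_CLIENT_OUTPUT):
        print(cert)
        print("SHA-256 fingerprint:", sha256_fingerprint(cert))
```

Comparing fingerprints obtained through a second channel (for example, read off the downstream host itself) is the practical way to satisfy the "not a man-in-the-middle" check, since the appliance cannot tell a self-signed certificate from an interposed one on its own.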

Finalizing your configuration

When you click the "Save" button on the auditing page, the AeroFS appliance will restart the identity management service and the audit collection point. This will not interrupt file synchronization.

After you enable the audit service, clients will start sending audit events on their next startup.
