This application gives users a usable view of the activity taking place on their RSA SecurID appliances, using the SNMP traps the appliance sends and a small set of SNMP counters polled from it. It works with both the RSA SecurID Appliance 130 and 230 models.
Pre-deployment Assumptions:
- The RSA appliances are configured to send SNMP traps and to allow SNMP read access using SNMPv2c. The scripted input below authenticates with a community string, which SNMPv2c sends in cleartext with every request, so treat it as a password: use a read-only community and, where the appliance allows it, restrict the source addresses permitted to query it to the Splunk server.
- The Splunk server is accepting SNMP traps and logging them to /var/log/snmptraps.log, or the traps are being ingested by Splunk in some other manner and given the sourcetype 'snmptrap'.
- The Splunk server has SNMP (UDP port 161) access to the RSA appliance.
- The snmpget command (part of net-snmp) is installed and in your $PATH.
Application Configuration:
Scripted Inputs: For the 'Network Activity' view to work, a scripted input must be configured. This scripted input uses the snmpget command to retrieve specific counter values from the device. If you have multiple devices, you need one scripted input per device. Follow these steps:
RSA SecurID two-factor authentication is based on something you have (a software token installed in the Token app) and something you know (an RSA SecurID PIN), providing a more reliable level of user authentication than reusable passwords. After you install the Token app, you separately import a software token. Your IT administrator will provide instructions for importing tokens to the app. The RSA SecurID Software Token 2.3 for Android includes the following:
- Supports up to 10 tokens.
- Supports phones and tablets.
1. Copy the sample inputs.conf from $SPLUNK_HOME/etc/apps/RSASecurID/default/inputs.conf to $SPLUNK_HOME/etc/apps/RSASecurID/local/inputs.conf and edit only the copy in local, so your changes are not overwritten when the application is updated.
2. Edit the inputs.conf file and change the script stanza to reflect your device configuration:
[script://$SPLUNK_HOME/etc/apps/RSASecurID/bin/getSnmpData.sh public 1.1.1.1]
disabled = 1
Change 'public' to the read-only community name configured on your appliance and '1.1.1.1' to the IP address of your appliance, then change 'disabled = 1' to 'disabled = 0' to enable the scripted input. Splunk passes these two values to the script as command-line arguments, so the community string is visible to anyone who can list processes on the Splunk host; keep the community read-only and make the local inputs.conf readable only by the user Splunk runs as.
3. If you have multiple appliances, just copy/paste the [script://] stanza for as many appliances as you have and configure the appropriate values as mentioned above.
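The following is an added example of the kind of poller the [script://] stanza above invokes; it is not the app's own getSnmpData.sh, whose contents this page does not show. It assumes net-snmp's snmpget with its standard MIB files loaded (so output lines read like "IF-MIB::ifInOctets.1 = Counter32: 123456"), a read-only SNMPv2c community, and interface index 1. The OIDs are the standard IF-MIB, TCP-MIB, UDP-MIB and IP-MIB counters that the Network Activity reports are built on; the script prints one key=value event line per poll so Splunk can field-extract it.

```sh
#!/bin/sh
# Added example (not the RSASecurID app's own getSnmpData.sh): poll standard
# MIB-II counters from an appliance with snmpget and print them as a single
# key=value event line that Splunk can index and field-extract.
# Usage: ./poll_rsa_snmp.sh <community> <appliance-ip>
# Assumption: net-snmp's snmpget is installed with its standard MIBs, so its
# output lines look like "IF-MIB::ifInOctets.1 = Counter32: 123456".

# Counters behind the Network Activity reports. The interface index ".1" is
# an assumption; list the real indexes with: snmpwalk -v2c -c <community> <ip> ifDescr
OIDS="IF-MIB::ifInOctets.1 IF-MIB::ifOutOctets.1
IF-MIB::ifInUcastPkts.1 IF-MIB::ifOutUcastPkts.1
TCP-MIB::tcpInSegs.0 TCP-MIB::tcpOutSegs.0
TCP-MIB::tcpActiveOpens.0 TCP-MIB::tcpPassiveOpens.0 TCP-MIB::tcpInErrs.0
UDP-MIB::udpInDatagrams.0 UDP-MIB::udpOutDatagrams.0 UDP-MIB::udpInErrors.0
IP-MIB::icmpInMsgs.0 IP-MIB::icmpOutMsgs.0 IP-MIB::icmpInEchos.0
IP-MIB::icmpInDestUnreachs.0 IP-MIB::icmpOutDestUnreachs.0"

# Turn one snmpget output line into a Splunk field, e.g.
#   "IF-MIB::ifInOctets.1 = Counter32: 123456"  ->  "ifInOctets_1=123456"
# Returns 1 and prints nothing for lines without a typed value, such as
#   "... = No Such Object available on this agent at this OID"
snmp_line_to_kv() {
    name=${1%% = *}             # "IF-MIB::ifInOctets.1"
    name=${name##*::}           # "ifInOctets.1"
    rest=${1#* = }              # "Counter32: 123456"
    case $rest in
        *": "*) ;;
        *) return 1 ;;
    esac
    value=${rest#*: }           # "123456"
    printf '%s=%s\n' "$(printf '%s' "$name" | tr '.' '_')" "$value"
}

# Read snmpget output on stdin and print one event line carrying a UTC
# timestamp and the device address, so every poll becomes one Splunk event.
format_event() {
    device=$1
    event="timestamp=$(date -u +%Y-%m-%dT%H:%M:%SZ) device=$device"
    while IFS= read -r line; do
        kv=$(snmp_line_to_kv "$line") && event="$event $kv"
    done
    printf '%s\n' "$event"
}

# Splunk passes the [script://] stanza arguments on the command line, which
# makes the community string visible in `ps`; keep it read-only and keep the
# inputs.conf that holds it readable only by the Splunk user.
poll_appliance() {
    community=$1
    device=$2
    # shellcheck disable=SC2086  # OIDS is intentionally word-split
    snmpget -v2c -c "$community" -t 5 -r 1 "$device" $OIDS | format_event "$device"
}

if [ "$#" -eq 2 ]; then
    poll_appliance "$1" "$2"
fi
```

Lines for OIDs the appliance does not implement ("No Such Object") are dropped rather than indexed as garbage, and a timeout from snmpget yields an event with only the timestamp and device fields, which is itself a useful signal that polling failed.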
Monitored Inputs: There is an example [monitor://] stanza in the inputs.conf file. Point it at the file your SNMP traps are logged to. If the SNMP traps are already being indexed by Splunk with the 'snmptrap' sourcetype, this stanza can be ignored.
Reports in this Application:
Summary View:
- All Users Accessing the Device(s)
- Count of Events (5min spans)
- Total Failed/Successful Logins (5min spans)
- Top Ten Connecting Hosts
- Top Ten Actions
User Activity View:
- Successful Actions
- Failed Actions
- Successful Action Reasons
- Failed Action Reasons
- Login Failures by User
- After Hours (<9am and >5pm) Admin Events
- System Level Actions
- Runtime Level Actions
- Admin Level Actions
Network Activity View:
- Received KBytes by Interface
- Transferred KBytes by Interface
- Total Inbound Packets by Interface
- Total Outbound Packets by Interface
- Total TCP In/Out Segments
- Total UDP In/Out Segments
- Total TCP Active/Passive Connections Opened
- Total TCP and UDP Error Counts
- ICMP In/Out Messages
- ICMP Inbound Echos
- ICMP In/Out Destination Unreachables
TODO:
- Making the Event Search form prettier
- Add a correlation view to detect abnormalities in the events
Hardware or software key fobs are available for people who need to log into servers in the Extra Tier and for some high-security applications.
Note: This page explains how to use a software token. If you're using a hardware key fob, see the Hardware Key Fob instructions.
- If your smartphone is stolen or lost, notify Systems Support immediately to have your soft token disabled.
- Review Security Precautions for Mobile Handheld Devices.
For Non-Cornell Employees Only
If you are not a Cornell employee, follow these steps before setting up your software token.
- Activate your Cornell NetID.
- Install and connect to CU VPN. Use the following credentials:
- Group: CornellVPN
- Username: netid@cit.roc
- Password: your Cornell NetID password
- Confirm that your IP address is 10.17.29.x
Using the Cornell VPN and your cit.roc credentials ensures that you connect to a server farm network that is protected by Cornell's firewalls.
Download the App and Receive a Setup Password
Complete this procedure only once during initial setup.
Your unit or area manager will request a soft token from Systems Support for you. You will receive an email from Systems Support that includes both a soft token and a Cornell Secure File Transfer link to your RSA SecurID phone app password.
- Download the RSA SecurID app from the app store for your device.
- Retrieve the password via Cornell Secure File Transfer. You'll need to retrieve this password on your device during the setup of your RSA SecurID app. It is used only once during the initial setup.
Create Your PIN
Complete this procedure only once during initial setup. You must be on a campus network or connected to CU VPN.
- Open the RSA SecurID app on your device and tap Import Token.
- Enter the soft token you received in an email from Systems Support. It looks like a URL and starts with http://127.0.0.1/securid. Depending on the type of device you're using, you may be able to click the link in the email or copy and paste the soft token.
- When prompted to enter a password, enter the password that was sent to you through Cornell Secure File Transfer.
- When prompted to enter a PIN, enter 0000. The app generates a code. You'll need this code in step 8.
- Use Remote Desktop to connect to this server: hopperrdp.cit.cornell.edu.
- Enter your NetID and password when prompted.
Note: If you don't see the Cornell domain, enter your username as cornell\netid. The password is your Cornell NetID password.
- Click the RSA SecurID logo.
- In Username, enter your NetID. In Passcode, enter the code that was generated when you entered 0000 in the RSA SecurID app.
Note: This is a temporary passcode used only when you're creating your PIN.
- Set a PIN when prompted. Enter a numeric PIN from 4-8 digits, and then click Finish. This is the PIN you will enter in the RSA SecurID app on your phone in the future.
- In the RSA SecurID app on your device, press Back until you are prompted for the PIN, and then enter the PIN you just created. The app will display a passcode.
- On your computer, you should see the login prompt again. In User name, enter your NetID. In Passcode, enter the passcode from the RSA SecurID app.
Note: Each passcode the SecurID app displays can be used only once.
- The first time you log in, you will be prompted to enter your Windows password. Click OK.
- In Password, enter your password from the Cornell domain. (For most people, this is your NetID password.)
Note: You should only see this prompt the first time you log into a SecurID system.
It may take a minute or two for the system to create your new profile. When it finishes, you'll be logged in and ready to RDP to your servers. To RDP to a server, click Start, then Accessories, then Remote Desktop Connection. You can drag and drop to make this a shortcut on your remote desktop.
Important! If you downloaded the file containing your password from Cornell Secure File Transfer, be sure to securely delete the file.
Use Two-Factor Authentication to Log In to Your Servers
- Open the RSA SecurID app on your device, and when prompted enter your PIN. The app generates a code. You'll need this code in step 5.
- Connect to this server: hopperrdp.cit.cornell.edu. You must be on a campus network or connected to CU VPN.
- Enter your NetID and password when prompted.
Note: If you don't see the Cornell domain, enter your username as cornell\netid. The password is your Cornell NetID password.
- Click the RSA SecurID logo.
- In User name, enter your NetID. In Passcode, enter the code that was generated in the RSA SecurID app.
- If prompted, enter your Windows password, and then click OK.
- You're now logged in and can RDP to your servers. To RDP to a server, click Start, then Accessories, then Remote Desktop Connection. You can drag and drop to make this a shortcut on your remote desktop.