Deployment considerations for Security Analysis Solution 7.1

RAM Usage

No special considerations need to be taken with regard to memory utilisation on the SMP or SQL Server. SAS does not have any memory-intensive components on either the server or the client.

CPU Usage

Both the security analysis and the remediation functions that make up SAS are designed to have the least possible impact on CPU resources.

Initial Scap profile imports are CPU and Disk IO intensive as they create thousands of Notification Server items.

The initial run of a hierarchy job to replicate Scap content will be CPU and Disk IO intensive, as many thousands of Scap entities need to be replicated. Schedule it for a quiet time on both the NS and the SQL Server.

Bandwidth

The ACS Agent package is 6 MB for x86 and 9 MB for x64. Consider staggering any mass deployment of the ACS Agent (as you would with the SMP Agent) if network capacity is an issue.

Analysis results are reported using the standard SMP Agent event posting infrastructure. A typical results NSE is about 40 KB after compression is applied.

Notification Server disk usage

SAS fetches Scap content from various providers over the internet using plain HTTP. The NS therefore needs outbound access (directly or via a proxy) to those providers; since HTTP gives no transport-level integrity, limit that outbound access to the expected provider hosts rather than opening the NS to the internet at large.

Scap content downloads are stored on the NS under %ProgramData%\Arellia

Depending on how many profiles are active, this location can contain up to 500 MB of data.

On the agent side, the Scap content is downloaded as Client Items and stored locally in the Client Item Cache; the default location is %ProgramData%\Symantec\AltirisAgent\ClientItems

SQL Server disk usage

Allocate 2 MB of SQL storage space per managed endpoint for storing events and results. If you wish to keep a large amount of historical data, the necessary space will increase depending on the purging settings (see below).

Scap profiles will require anywhere from 40 MB to 300 MB of SQL storage.

Purging Maintenance

Oval Analysis events sent back to the Notification Server can range in size from 100 KB to several megabytes once uncompressed. These events are generated whenever an Analysis task is executed on an endpoint and can quickly add up in a large environment. Analysis events are consumed by the Process Client OVAL Analysis task and converted into Oval Test Result inventory, which is hierarchy-friendly.

Once the events have been processed they can be purged using the standard SMP Purge Maintenance schedule.

  • Navigate to Configuration > Settings > Notification Server > Purging Maintenance
  • Select the "Resource Event Data Purge Settings" tab
  • Ensure that Configured radio button is selected to enable Purging
  • Under the Custom section, click the pencil icon to edit the list of custom data classes
  • Add Oval Analysis located under Data Classes > Security Analysis
  • Click Save Changes

Change the Oval Analysis purge settings to a shorter retention period, such as 1 week.

The "Max rows" setting adds extra load during purging and should be left unchecked unless you wish to cap the SQL storage space used by the Analysis events. To size it, first calculate the average OVAL Analysis event (row) size using the following SQL:

sp_spaceused Evt_Oval_Analysis

The output reports the data, index_size and rows columns for the table (sizes are given in KB). Using figures from a small environment as an example:

  • Add the data and index_size columns to determine the total space used:  31376 KB
  • Divide by the total number of rows:        56
  • Which gives an average row size of roughly:        560 KB

Then take the total space you wish to allocate for Oval Analysis data, 10 GB for example, and divide it by the average row size of 560 KB, which gives ~18,700.

So, to allocate 10 GB of space for the events, set Max rows to 18700.

This formula can be applied to any Event class that you wish to restrict based upon size.
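The same calculation, scripted as an added example (this is not from the original page or the product). It captures the sp_spaceused output into a temp table, strips the KB unit from the size strings, and derives a Max rows value for a storage budget. The table name and the 10 GB budget are assumptions set at the top; change @Table to size any other event class, as the text suggests. The zero-row guard matters because a freshly installed NS has no Analysis events yet and the average would be a division by zero.

```sql
-- Added example (not part of the original page): derive a "Max rows" value
-- for the SMP purge setting from sp_spaceused output.
-- Assumptions: the event table name and the storage budget below.
DECLARE @Table    sysname        = N'Evt_Oval_Analysis';  -- any event class table
DECLARE @BudgetGB decimal(18, 2) = 10;                    -- space to allocate to this class

-- sp_spaceused returns its figures as strings such as '31376 KB',
-- so collect the result set first and convert afterwards.
CREATE TABLE #SpaceUsed (
    [name]       nvarchar(128),
    [rows]       char(20),
    reserved     varchar(18),
    data         varchar(18),
    index_size   varchar(18),
    unused       varchar(18)
);

INSERT INTO #SpaceUsed
EXEC sp_spaceused @objname = @Table;

DECLARE @DataKB bigint, @IndexKB bigint, @Rows bigint;
SELECT @DataKB  = CAST(REPLACE(data,       ' KB', '') AS bigint),
       @IndexKB = CAST(REPLACE(index_size, ' KB', '') AS bigint),
       @Rows    = CAST([rows] AS bigint)
FROM   #SpaceUsed;

-- An empty table has no average row size; do not divide by zero.
IF @Rows = 0
BEGIN
    RAISERROR('No rows in %s; run an Analysis task first, then recalculate.', 16, 1, @Table);
    DROP TABLE #SpaceUsed;
    RETURN;
END

-- Average row size in KB (data plus index), then rows that fit in the budget.
-- 1 GB = 1024 * 1024 KB, matching the binary units sp_spaceused reports.
DECLARE @AvgRowKB decimal(18, 2) = (@DataKB + @IndexKB) * 1.0 / @Rows;
DECLARE @MaxRows  bigint         = FLOOR(@BudgetGB * 1024 * 1024 / @AvgRowKB);

SELECT @Table             AS EventTable,
       @Rows              AS CurrentRows,
       @DataKB + @IndexKB AS UsedKB,
       @AvgRowKB          AS AvgRowKB,
       @BudgetGB          AS BudgetGB,
       @MaxRows           AS SuggestedMaxRows;

DROP TABLE #SpaceUsed;
```

Run it in SQL Server Management Studio against the Symantec_CMDB database and copy SuggestedMaxRows into the Max rows field for the data class. With the figures quoted in the text (31376 KB over 56 rows) it lands in the same ~18,700 range the manual calculation gives; rerun it after the environment has been reporting for a few weeks, since the average event size depends on the profiles in use.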

Finally ensure that you enable the SAS resource purging schedule to clean up unwanted resources from the database. This is located under Configuration > Settings > Arellia > Security Analysis > Resource Purging.


Replication

Scap profiles contain a large number of items which take time to replicate across a hierarchy. Care must be taken to schedule the initial replication run of the SAS 'Replicate Down' rules at a time when both parent and child are not hampered by a busy database.

Scap Content - Replicate Down rule

  • replicates all Scap Content resources, a small number of items

Scap Data Sources - Replicate Down rule

  • replicates all Scap Data Source resources, a small number of items

Scap Entities - Replicate Down rule

  • replicates all Scap Entity resources, a large number of items

The following data classes are sent up from child SMP servers. This data is generally small in size and represents a small number of items per computer resource:

  • Oval Definition Result
  • Oval Test Result
  • Remediation Approval
  • Xccdf Profile Score

Running SAS remediation in a hierarchy-enabled environment will add some hierarchy load due to ad hoc replication of SAS client tasks. Ensure that replication is running optimally before attempting to replicate remediation tasks.