1. Overview

The IT Administrator's view of Secunia is via the "Secunia CSI" Console.   There are two subcomponents available.  

• Deploying Secunia CSI Agents (Scan systems for software vulnerabilities)
• Deploying Secunia PSI Agents (Scan systems for software vulnerabilities, provide some automatic patching and give reporting to end user).

1.1 Notes

• UAB has a site license (currently through Fall 2013) for this software though there are license counts associated with the software and administrator accounts.
• Secunia PSI can only have 1 linkID per reporting subaccount!
• Secunia PSI can be configured to report to a CSI instance or be standalone. Personally owned devices should generally use the non-reporting PSI.

• UAB IT's initial deployment does not include pushing patches via WSUS. How to accomplish this on top of our existing WSUS processes and coming Forefront-based processes is being examined.

2. PSI Usage

If you are only worried about one or two systems (like a workstation), use the end user install of secunia PSI.

3. CSI Usage

Full documentation is available at http://secunia.com/vulnerability_scanning/corporate

• Establishing Subaccounts. Each subaccount is a unique set of reporting views and licensing counts. Accounts can either be subordinate or they can be a "shadow" of an existing account.
• Reporting (AdHOc or Scheduled Email); Several are available including static URLs that you can include in existing webpages as a dashboard for system status.
• Integration with Secunia PSI;
• Patch deployment Integration with WSUS or SCCM; This requires your own WSUS infrastructure. UAB IT is currently examining how to offer third party patches beyond Microsoft.

3.1 Getting Started with CSI

1. Contact This e-mail address is being protected from spambots. You need JavaScript enabled to view it and request an account. Please indicate an approximate number of systems and other administrators you will need.
2. You will receive an email with your account username and password from Secunia This e-mail address is being protected from spambots. You need JavaScript enabled to view it .'; document.write( '' ); document.write( addy_text74154 ); document.write( '<\/a>' ); //--> This e-mail address is being protected from spambots. You need JavaScript enabled to view it
3. Download and install the CSI Management console from http://secunia.com/vulnerability_scanning/corporate
4. Login to the CSI Console with your assigned username and password. You can change your password at anytime.

3.2 Downloading CSI Agent

Please note that a csia.exe download is bound to an account.  If you end up with multiple accounts, please make sure to keep your csia.exe unique.

1. Go to Scan > Scheduled Scanning > Download Agent; There is also a manual available on this screen.
2. Choose an installation methodology. At the end of this document is an example script that will run csia.exe using the -NAME of the hostname as the "group" .

3.3 Downloading a Linked PSI Agent

PSI agents are nice for situations where end users take some responsibility for the software they install and keep up to date.   Please refer to end-user documentation for dealing with some of the caveats associated with PSI, especially with Java.

1. Go to Scan > PSI Integration > Download Custom PSI
2. Create a unique LinkID for your area. This cannot be changed.
3. Save the custom installer as PSISetup!.exe; The name of the installer should not be changed.

3.4 Creating a shadow account

This is an account with the same reporting scope as an existing account.

1. Navigate to User Management > Shadow Accounts
2. Click New Shadow Account
   • Name: Real Name
   • UserName: This e-mail address is being protected from spambots. You need JavaScript enabled to view it
   • Email: This e-mail address is being protected from spambots. You need JavaScript enabled to view it
   • Click "Generate Password"
   • Select the level of access they need to have to your main account
     • Read/Write (Can make changes/delete hosts/regroup systems)
     • Read (Can view reports/system status)

3.5 Creating a subaccount

This is an account with a new reporting scope.  This will not roll up into your main set of reports.  This is useful for delegated responsibility situations such as labs.  If you want someone else to have the same rights as you, create a shadow account!

1. Navigate to User Management > Accounts
2. Click New Account
   • Name: Real Name
   • UserName: This e-mail address is being protected from spambots. You need JavaScript enabled to view it
   • Email: This e-mail address is being protected from spambots. You need JavaScript enabled to view it

   • Click "Generate Password"

4. Secunia CSI Login Scripts

This script is suitable for being used as a login script or as a scheduled task.   Please share any suggested changes to this script.

'==========================================================================
'
' NAME: runsecunia.vbs
'
' AUTHOR: Chris Green This e-mail address is being protected from spambots. You need JavaScript enabled to view it
' AUTHOR: Aaron Blum    This e-mail address is being protected from spambots. You need JavaScript enabled to view it
' DATE  : 2/2/2011
' DATE  : 5/1/2012 (updated)
'
' COMMENT:
'
'  Runs the Secunia csia agent (different visibility scopes per user) and
'    sets the site to the active OU|
'  
' CHANGES:
'     5/1/2012 - Updated Script to work with Secunia 5.0 Agent
'     2/2/2011 - Made csia execute in background.
'
' This default configuration assumes that the csia.exe file is
'   in the "C:\Secunia\" folder and that logs are to be placed
'   in the "C:\Secunia\logs" folder.
'
' It also configures the agent to check-in every two days
'  This can be modify by adjusting the flag after the -i in SecuniaCmd
'
' Change these values where needed.
'
'==========================================================================
' SEC (AKA Chris Green) Login Script

 'On Error Resume Next

'' full path to CSI Program
''const CsiaPath = "%ProgramFiles%\Secunia\csia.exe"
const CsiaPath = "C:\Secunia\csia.exe"
'' Output log directory, Log will be username.sec
''const LogPath = "%ProgramFiles%\Secunia\logs\"
const LogPath = "C:\Secunia\logs\"
'' Run in foreground?
const bInteractive = False

Set objNetwork = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Overwrite the last instance of the logs
Dim objLogPath, ouGuess, idxDash, secuniaCmd
objLogPath = LogPath & objNetwork.UserName & ".sec"
Set objLog = objFSO.OpenTextFile(objLogPath,2,true)

TimeStamp = Year(now) & "-" & Month(now) & "-" & Day(now) & "-" & Hour(now) & Minute(now)
ouGuess = "ADLogonScript"
idxDash = InStr(1,objNetwork.computername, "-", 1) - 1

If idxDash > 0 Then
   ouGuess =  Mid(objNetwork.computername, 1, idxDash)
End If  

objLog.WriteLine("[*] Secunia " & objNetwork.UserName & "@" & objNetwork.computername & " on " & Now)

secuniaCmd = CsiaPath & " -i 2D -L -g " & ouGuess & " -v --skipwait -d " & LogPath & TimeStamp & "_csia.log"
objLog.WriteLine("[*] Secunia Executing with " & secuniaCmd)

If bInteractive Then
                set oExec = objShell.Exec(secuniaCmd)

                ' Wait for the scan to complete
                Do While Not oExec.StdOut.AtEndofStream
                                strText = oExec.StdOut.ReadLine()
                                objLog.WriteLine(strText)
                Loop

                objLog.WriteLine("[*] Secunia Exited with " & oExec.Status & " on " & objNetwork.UserName & "@" & objNetwork.computername & " on " & Now)

Else
    '' Close the output file, hide csia in the background
                objLog.Close
                objShell.Run "cmd /c " & secuniaCmd & ">>" & objLogPath, vbHide
End If

For Assistance Using the System:

The Oracle Documentation website was created to provide users of the Oracle Administrative Systems with the information and instruction needed to utilize the system effectively.

Instructor-Led Clinics are held each Thursday in AB B60 from 2:00 to 3:30 to assist users with specific problems or provide individualized training.

Live "Chat" Service is available each Tuesday and Thursday from 2:00 to 3:30 or Friday 9:30 - 11:30 for time sensitive questions that cannot wait until the next clinic. The "Chat" window is monitored by instructors who are available to answer system related questions immediately. (http://main.uab.edu/Sites/it/internal/faculty-staff/adminsystems/58439/).

For time sensitive questions that cannot wait until the above stated times, email This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

To Get a Blazer ID or Reset Your Password

Go to http://www.uab.edu/blazerid or call AskIT at 205-996-5555 or email AskIT at This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

For Access to a Computer

For employees that do not have access to a computer on the job site, the Payroll Services Office in the Administration Building has three computers available for employees to use. Also, the Payroll staff is available to provide assistance with Self Service responsibilities each weekday from 9:00 a.m. until 3:00 p.m. in Room 280 of the Administration Building.

Campus libraries also have computers available for employees to access their Self Service information in the Administrative Systems. However, no one is available at these locations to assist with using the Administrative Systems.

Mervyn H. Sterne Library Lister Hill Library

917 13^th Street South 1700 University Boulevard

Hours: http://www.uab.edu/lister/hours.htm#HOURS

For Technical Assistance  

Contact AskIT at 205-996-5555 or email This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

Know the Basics (PDF)

Access

Users of the Administrative Systems have access to sets of web pages, forms, functions, data and reports that are defined by specific "responsibilities" within the system.  Some Responsibilities are automatically set up in the Administrative Systems for individuals when they are added to the Oracle HR system as a New Hire, Rehire or Trainee.  Other responsibilities must be set up with the Access Control Form (ACF).

Select Oracle Administrative Systems Access for an introduction to Oracle security. For a quick look at specific topics, select one of the links below.

• Responsibilities
• Types of Access - Restricted or Open
• Obtaining Access: Default Responsibilities
• Obtaining Access: Approved Responsibilities
• End User Responsibility Summary Table
• Terminating (End Dating) Responsibilities
• Access Control Form
• ACF Workflow

Roles

In addition to access responsibilities, employees may be assigned certain "roles" within Oracle so that they may view and/or update data, and receive notifications and reports.

Click Oracle Administrative Systems Roles Summary Table for a description of the roles in Oracle.

As an individual logs onto the system, they will come to a screen to input their logon and password followed by a "Sign-on Agreement". After entering the logon and password, the user must accept the agreement to gain access to the system. By accessing the system, the user is agreeing to the following agreement(s):

Employee and Trainee Information Confidentiality and Proper Use Agreement

Transaction File Information Confidentiality and Proper Use Agreement for Independent Contractors/Third Party Entities

As the title indicates, The Employee and Trainee Information Confidentiality and Proper User Agreement applies to all employees and trainees. No signatures are required for this document; but by accessing the system, the user is explicitly agreeing to the policy.

The Transaction File Information Confidentiality and Proper Use Agreement for Independent Contractors/Third Party Entities is for accessing files of Oracle transaction data, requiring the signature of the individual accessing the flat file as well as a company official, if applicable. The approvals for this agreement are routed using the University Contract/Agreement Review routing form. After the contract is properly executed, the sponsoring School/VP/Hospital Fiscal Officer will be contacted with instructions for accessing the transaction file.

ADMINISTRATIVE SYSTEMS: Oracle HR and Finance Applications

Documentation: Navigation

The Navigation section includes the basic features of accessing and navigating the HR and Finance Administrative Systems. It is intended for users of the system with the following responsibilities: UAB HR Officer, UAB Timekeeper, UAB Salary Reclass, UAB GL End User, UAB GA End User, UAB FN Document Entry/Approval, and UAB Requisition Input.

• Navigator Window
• Expand and Collapse
• Top Ten List
• Switching Responsibilities
• Menu Bar
• Toolbar
• Forms
• Keyboard Shortcuts
• List of Values (LOVs)
• Calendar Feature

Workflow is the routing of electronic documents within the HR and Finance Administrative Systems. Some workflow routing is programmatically controlled, such as self service banking changes, effort reports, and invoices. Other workflow routing is defined by the user organizations.

Oracle workflow provides a great deal of flexibility so that documents can be routed differently based on the organization and the type of document. Some workflow routing is programmatically controlled, such as self service changes, effort reports, and invoices. Other workflow routing is defined by the user organizations.

Approval Process

Workflow for approving documents consists of three general stages.

• Creation of online documents
• Approval of online documents
• Updating Oracle base tables

Any user with the appropriate Oracle responsibility may create documents. At submit, the system may validate specific fields related to a particular document type. If the document does not pass the validation, a message window will inform the user. Once the document is submitted, it enters a workflow path.

Every document has a specific departmental routing (end user approval path) before it moves on to review by one or more Central Offices for further approval. The document routing from the requestor to Central is referred to as the end user routing or end user approval path. The end user approval path is controlled at the organization level by the Workflow Officer via the Workflow Approval Maintenance (WAM) form.

Oracle base tables are updated after all approvals are complete.

Approval Paths Created with the WAM Form

Each organizational unit, such as a school, department, or AED, has a Workflow Officer assigned to manage the routing of documents for review and approval. The Workflow Officer is approved at the AED, school or vice president level and set up in Oracle by a workflow administrator.

Each organizational unit, such as school, department or AED, has a Workflow Officer assigned to manage the routing of documents for review and approval via the Workflow Approval Maintenance (WAM) form.  The Workflow Officer is approved at the AED, school or vice president level, and set up in Oracle by a workflow administrator.

The Workflow Officer is responsible for setting up, changing and/or updating the end user approval paths via the WAM form.  The Workflow Officer may use the same approval path for all document types, or the approval paths may vary by document type, based on the needs of the organization.  The WAM form must be updated by the Workflow Officer when a person on a document approval path terminates their employment with UAB, transfers to another organization and/or is no longer responsible for approving documents for the department.  Please refer any changes to the WAM form immediately to the Workflow Officer.

The Oracle HR Administrative System includes the following HR applications:

• Core Human Resources Management
• Advanced Benefits
• Payroll  
• Labor Distribution (LD) and Effort Reporting
• Self Service Applications

Users of the system have access to a limited set of web pages, forms, functions, data and reports that are defined by specific HR "responsibilities".

Listed below are the HR "responsibilities" along with an example of how the responsibility displays on the individuals' personal homepage. Included is a brief overview of the responsibility and which transactional form/s available. Instructional documentation has been developed to assist individuals having access to a specific HR responsibility; simply click on the responsibility name or a specific transactional form.

The UAB HR Officer responsibility gives end users the ability to view and update personnel data, view and update timesheets hours and cost distributions, view and retroactively redistribute previously posted salary/benefit dollars, view faculty data, and run ad hoc reports.

The UAB HR Officer responsibility will appear on the end users Personal Home Page as a nine-digit org number plus the organization name. 

When the UAB HR Officer responsibility is selected, the menu options will display.

Written instructions for each menu option and additional resources are available for viewing or printing by clicking on the green menu option below.

The UAB Self Service Applications responsibility gives active employees, trainees and volunteers the ability to view and update his/her own personal information, such as name and home address, direct deposit banking instructions, and view his/her own pay slips (deposit notice). It also gives individuals with active assignments, the ability to view their assignment and salary history, access their annual W2 information, generate an employment verification form, and certify their educational assistance benefit.

Instructional documentation is available and can be accessed by clicking on the link provided for each task or menu option.