Version 8.5
User Guide
SC23-6581-00
Note: Before using this information and the product it supports, read the information in Appendix B, Notices, on page 243.
This edition applies to version 8, release 5, modification 0 of IBM Tivoli Compliance Insight Manager (product number 5724-S67) and to all subsequent releases and modifications until otherwise indicated in new editions. Copyright International Business Machines Corporation 1998, 2008. All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Figures  vii
Tables  ix
About this publication  xi
  Intended audience  xi
  Publications  xi
    Tivoli Compliance Insight Manager library  xi
    Accessing terminology online  xii
    Accessing publications online  xiii
    Ordering publications  xiii
  Accessibility  xiii
  Tivoli technical training  xiii
  Support information  xiii
  Conventions used in this publication  xiv
    Typeface conventions  xiv
    Operating system-dependent variables and paths  xiv

Part 1. Introduction  1

Chapter 1. Tivoli Compliance Insight Manager Overview  3
  Monitoring compliance  3

Chapter 6. Reporting  25
  Standard reports  25
  Event detail reports  25
  Custom reports  26
  Graphic reports  26
    Enterprise Overview  26
    Database Overview  26
    Trend graphic  27
  Log management reports  27
  Compliance module reports  27

  Starting and stopping the Management Console  43
  Switching the Management Console users  44
  Opening and closing the Management Console windows  45
  Changing the appearance of the Management Console windows  47
  Customizing the Management Console toolbars  48
    Creating your own toolbar  48
  Refreshing contents of the Management Console window  49
    Changing the automatic refresh interval  49
  Changing the login timeout  50
  Working with the Management Console commands  50
  Setting up iView from the Management Console  51
    Displaying audit data in iView  51
    Defining an iView URL  52
    Accessing iView from the Management Console  52
  Using the Management Console tools  52
    Setting a data export schedule  52
    Importing audit data  53

Chapter 12. Working with system groups, individual systems, and event sources  55
  Working with groups of systems  55
    Creating system groups  55
    Renaming system groups  55
    Deleting system groups  56
  Working with individual systems  57
    Adding new systems  57
    Moving systems to other system groups  58
    Deleting systems  59
    Reattaching a system  60
    Identifying systems for troubleshooting  61
  Working with event sources and user information sources  61
    Adding event sources to systems  61
    Renaming event sources  63
    Deleting event sources  63
    Adding user information sources to systems  65
    Renaming user information sources  67
    Deleting user information sources  68

  Working with database properties  77
  Working with system properties  78
  Working with event source properties  78

  Deleting policy rules  107
  Hiding and showing rules  107
  Importing policy rules  107
  Defining and managing attention rules  108
    Defining attention rules  108
    Creating attention rules  108
    Editing attention rules  109
    Deleting attention rules  110
    Setting severity levels for attention rules  110
  Test and commit policies for auditing  110
    Testing policies  110
    Committing policies for auditing  111
  Viewing automatic policies  111

  Removing Administrator privileges for a member of a scoping group
  Moving the assets of a scoping group
  Operations done outside Scoping
    Creating and managing users
    Tivoli Compliance Insight Manager dimension groups

Chapter 25. Analyzing trends with iView  165

Chapter 26. Monitoring with iView  167
  Monitoring activity of a specific person  167
  Monitoring all activity on a specific object  168
  Monitoring all activity within a specific time period  168
  Monitoring all activity initiated from a specific location  169
  Monitoring specific activities on specific objects  169

  Changing detailed investigation report parameters
  Using available detailed investigation reports
  Configuration tools
  Firewall reports

  Compliance dashboard
  Report center
  Policy template
  Classification template
  Resource center
  Using Management Modules

Chapter 28. Understanding field descriptions in iView reports  179

Chapter 29. Creating and managing custom reports in iView  183
  Opening Custom Report wizard
  Custom Report wizard overview
    Types of custom reports
    Column entries
  Examples of using the Custom Report wizard
    Creating a custom report using Custom Report wizard
    Adding a custom report to a compliance module using Custom Report wizard
    Modifying a custom report

Chapter 34. Cross-platform collecting and storage of audit logs and log data  211
  Using the interface of the Log Manager  211
  Using the Log Manager  211
    Summary statistics on audit logs  212
  Inquiring about collection events  213
    Paged list view of the Log Manager  215
  Inquiring about the completeness of log collections  216
    Continuity graph  216
    Continuity list  217
  Inquiring about activity for some log event types  218
  Investigating the log depot with the Log Manager  219
    Depot investigation tool  220
    Working with the Depot investigation tool interface  220
    Searching with the Depot Investigation Tool  225
    Example queries  227
  Retrieving audit logs with the Log Manager  228
    Using the replay tool  230
  Getting information about the Log Manager release  232
  Using common procedures  232
    Filtering reports  232
    Sorting data  232
    Handling of time in reports  233
  Using the settings  234

Index  247

Figures

1. Tivoli Compliance Insight Manager system components  5
2. Data flow  7
3. Point of presence collect  12
4. Remote collect  13
5. SSH collect  14
6. SNMP collect  15
7. Syslog NG collect  16
8. Collect using an external API  17
9. FTP collect  18
10. Mapping and loading steps  21
11. Exiting the Management Console  44
12. Logging on as a different user  45
13. View menu for toolbars  48
14. Context menu of the Management Console toolbars  49
15. Context menu of GEM database  51
16. Setting the Export schedule  53
17. Importing log data  54
18. Creating a Machine Group dialog  55
19. Renaming a Machine Group dialog  56
20. Selecting an option to rename a system group  56
21. Changing the group for a system  58
22. List of available Machine Groups  59
23. Removing a system that has audit data collected  59
24. Properties of a deleted system  60
25. Reattaching a previously deleted system  61
26. Starting the Add Event Source command  62
27. Changing the properties of an event source  62
28. Choosing an audit policy profile  63
29. Choosing an event source  64
30. Choosing the type of removal  65
31. Choosing a recurrence pattern for a user information source  66
32. Renaming a user information source  67
33. Adding a new GEM database  70
34. Adding an event source to a database  71
35. Moving an event source to another database  72
36. Setting a sliding load schedule  75
37. A sliding load schedule reflected in the Set Schedules dialog  76
38. Duplicating a policy when creating a new policy  91
39. The Edit Rule window  114
40. The What dimension of the attention rule before the drag-and-drop  115
41. The What dimension of the attention rule after the drag-and-drop  116
42. The Alert Maintenance window in the Management Console  117
43. Editing the alert recipient  118
44. General protocol settings dialog for the Email protocol  122
45. Protocol Settings dialog for the SNMP protocol  123
46. Protocol Settings dialog for the Custom protocol  124
47. Protocol Settings dialog with the active Delay tab  128
48. Entry window of the Policy Generator  130
49. Determining the number of unassigned assets (outlined in red)  135
50. Confirming the status change page for scoping  136
51. Viewing scoping information for the Who dimension  137
52. Adding a user to a scoping group  139
53. Current security status of the information environment  150
54. The iView navigation bar icons  151
55. The GEM list  159
56. Connecting to the database GEM  160
57. Verifying the selected database  160
58. Location of iView filtering icons  162
59. iView Filter Settings dialog  162
60. Sorting event lists  163
61. List of user activities  167
62. Report of user activities  168
63. Events list for a time frame  169
64. Description of a listed event  170
65. Setup to display events for a time interval: an example  174
66. Database settings pane  194
67. Appearance pane  195
68. Enterprise Overview Settings options  195
69. Trend Settings options  197
70. Incident Tracking settings value  197
71. The Automated Report Distribution page  201
72. Email Settings  201
73. List of distribution tasks and the Add distribution task button  202
74. Settings for creating a distribution task  203
75. Configuration of report definitions for a distribution task  203
76. Selection of report distribution recipients for the distribution task  204
77. Load schedule prompts for databases  205
78. Schedule options for distribution tasks  206
79. Regulatory Compliance: primary steps  208
80. Color legends key  215
81. Three sections on the Depot Investigation Tool page  220
82. Query builder: Time Period subsection  221
83. Query builder: Event Source subsection  221
84. Query builder: Select fieldnames  222
85. Example of content search criteria  222
86. Example of summary search results  223

Tables

1. Elements of a security policy  33
2. Access rights of the Tivoli Compliance Insight Manager user role  87
3. Fields of the Event File parameter  124
4. Data scoping terminology  134
5. iView navigation controls  151
6. Standard iView reports  161
7. Fields in iView  179
8. Entries and their content displayed in the finished report  184
9. Web pages in the Log Manager  211
10. Optional parameters to identify the location of a log set  230
11. Fixed settings in the Log Manager  235
Intended audience
This publication is intended for administrators and system programmers whose roles include security officer, security manager, EDP auditor, or one who monitors events in the enterprise IT environment. Individuals who manage and handle such security standards as Sarbanes-Oxley, GLBA, HIPAA, Basel II, and ISO 27001 can use this publication to learn the basics of using all pertinent aspects of IBM Tivoli Compliance Insight Manager. You should be familiar with operating systems concepts and site system standards, and know how to perform routine security administration tasks. This publication is also useful for network planners and individuals who must plan, implement, and maintain security policy and a compliance strategy in their IT environments.
Publications
This section lists publications in the Tivoli Compliance Insight Manager library and any related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.
Tivoli Compliance Insight Manager library

- IBM Tivoli Compliance Insight Manager: User Guide, SC23-6581-00
  Provides an overview of the Tivoli Compliance Insight Manager components and processes and describes performing common management, maintenance, and reporting tasks using the Management Console and iView.
- IBM Tivoli Compliance Insight Manager: User Reference Guide, SC23-6582-00
  Provides reference information about the General Scanning Language (GSL) and the GSL Toolkit, which is used to develop and analyze unique event sources using Tivoli Compliance Insight Manager.
- IBM Tivoli Compliance Insight Manager: IBM Tivoli Basel II Management Module Installation Guide, GC23-6583-00
  Provides an overview and installation information for the IBM Tivoli Basel II Management Module.
- IBM Tivoli Compliance Insight Manager: IBM Tivoli GLBA Management Module Installation Guide, GC23-6584-00
  Provides an overview and installation information for the IBM Tivoli GLBA Management Module.
- IBM Tivoli Compliance Insight Manager: IBM Tivoli HIPAA Management Module Installation Guide, GC23-6585-00
  Provides an overview and installation information for the IBM Tivoli HIPAA Management Module, which can help you detect, keep records of, and monitor potential security violations against electronic protected health information (ePHI).
- IBM Tivoli Compliance Insight Manager: IBM Tivoli ISO27001 Management Module Installation Guide, GC23-6588-00
  Provides an overview and installation information for the IBM Tivoli ISO27001 Management Module.
- IBM Tivoli Compliance Insight Manager: IBM Tivoli PCI-DSS Management Module Installation Guide, GC23-6589-00
  Provides an overview and installation information for the IBM Tivoli PCI-DSS Management Module.
- IBM Tivoli Compliance Insight Manager: IBM Tivoli Sarbanes-Oxley Management Module Installation Guide, GC23-6587-00
  Provides an overview and installation information for the IBM Tivoli Sarbanes-Oxley Management Module.
Ordering publications
You can order many Tivoli publications online at: http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:
- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:
1. Select http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.
Accessibility
Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. This product is not accessible; you might not be able to use assistive technologies to hear and navigate the interface. You might not be able to use the keyboard instead of the mouse to operate all features of the graphical user interface.
Support information
If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online
    Navigate to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support Assistant
    The IBM Support Assistant (ISA) is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The ISA provides quick access to support-related information and serviceability tools for problem determination. To install the ISA software, navigate to http://www.ibm.com/software/support/isa.
Typeface conventions
This publication uses the following typeface conventions:

Bold
- Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
- Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip:, and Operating system considerations:)
- Keywords and parameters in text

Italic
- Citations (examples: titles of publications, diskettes, and CDs)
- Words defined in text (example: a nonswitched line is a point-to-point line)
- Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
- New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
- Variables and values you must provide: ... where myname represents....

Monospace
- Examples and code examples
- File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
- Message text and prompts addressed to the user
- Text that the user must type
- Values for arguments or command options
Part 1. Introduction
Monitoring compliance
Monitoring network security and policy compliance can be a complex undertaking. It requires you to track how people (your privileged users, out-sourced departments, trusted users, and consultants) interact with technology (your applications, databases, operating systems, and devices) without impeding their legitimate activities. Devices and systems throughout an organization's network generate logs of user activities, processes, and events every time a person or system interacts with the network. However, performing comprehensive log analysis usually requires specialists to interpret the audit data from particular systems. Using the patent-pending W7 language, which puts cryptic log terms into everyday business terms such as who, what, and where, Tivoli Compliance Insight Manager generates reports on network activity that anyone in your organization can understand. You do not have to be a network security expert to understand what policy violation occurred and who did it. Tivoli Compliance Insight Manager automatically gathers the audit data from the systems and analyzes it, alerting on policy exceptions and special attentions and reporting on trends in security incidents, user behavior, and other activities. These
System components
The Tivoli Compliance Insight Manager environment includes the following components:
- Enterprise Server
- Standard Server
- Actuator(s)
- Web-based Portal
- Management Console

An operational Tivoli Compliance Insight Manager Cluster configuration is comprised of one Enterprise Server and one or more Standard Servers.
Standard Server
The Tivoli Compliance Insight Manager Standard Server consists of the following basic components:

Standard Server
    A Windows-based Tivoli Compliance Insight Manager server that collects, archives, normalizes, and reports on log data from audited systems and devices. The Standard Server is the heart of the security audit and compliance system.

iView reporting application
    A Web-based user interface providing a trend dashboard, event drill-down, and detailed reports.

Policy Generator
    A Web-based user interface for building security policies.

Management Console
    An administrative interface for configuring policies and for adding, removing, and managing audited systems, Tivoli Compliance Insight Manager Servers, users, and groups.
Enterprise Server
The Tivoli Compliance Insight Manager Enterprise Server consists of the following basic components:

Enterprise Server
    A Windows-based Tivoli Compliance Insight Manager server that provides centralized log management and forensic functions, enabling these features to operate across multiple Tivoli Compliance Insight Manager Standard Servers. From one Enterprise Server you can get a consolidated view of log collections and log continuity, in addition to being able to search and download logs.

iView reporting application
    A Web-based user interface providing a trend dashboard, event drill-down, and detailed reports.

Policy Generator
    A Web-based user interface for building security policies.

Log Manager
    A Web-based user interface for reporting on log collections and continuity and for searching and downloading logs.

Management Console
    An administrative interface for configuring policies and for adding, removing, and managing audited systems, Tivoli Compliance Insight Manager Servers, users, and groups.
Actuator
Tivoli Compliance Insight Manager uses actuator software to maintain a secure connection between the Tivoli Compliance Insight Manager server and the agents running on the audited systems. The actuator scripts enable the agent to collect audit data from supported platforms, which are called event sources.
Data processing
The Tivoli Compliance Insight Manager system runs several processes to collect, analyze, and report on audit data. Figure 2 shows how Tivoli Compliance Insight Manager processes the source logs (the original log or audit data).
Collect process
Tivoli Compliance Insight Manager retrieves audit data from the audited systems using a process called Collect. The collect process can retrieve data from audited systems in several ways, including a batch collect, point of presence, SSH, remote collect, syslog collect, and SNMP collect, which are discussed in more detail in Chapter 3, Collecting audit data, on page 11.
Centralized storage
Once the audit data has been collected, the original log data is stored in the centralized log depot, or depot, on the Tivoli Compliance Insight Manager server. The depot supports the data centralization function of Tivoli Compliance Insight Manager, and data remains there until it is expressly backed up and removed. Audit data in the log depot is indexed, facilitating search queries and log retrieval for forensic analysis. The Tivoli Compliance Insight Manager Log Manager provides centralized log management, reporting on log collection activities, and log search and retrieval functions. Retrieved logs can be analyzed using external tools such as log readers on the source platform.
month, and past year. You can see security events across all databases, or you can drill down into a specific database. You can also drill down to see details about a security event and perform administrative tasks on the event, such as assigning it to staff for investigation and writing notes about the event. For more information, see Chapter 21, Understanding iView, on page 147.

The Policy Generator is a Web-based application used to create a security policy using information in the database. For more information, see Chapter 18, Using the Policy Generator, on page 129.

Scoping is a Web-based application used to configure end-user access to information in iView. For more information, see Chapter 19, Scoping data, on page 131.

The Log Manager is a Web-based application used to provide centralized log management reporting. For more information, see Chapter 34, Cross-platform collecting and storage of audit logs and log data, on page 211.

Management Modules are optional Web-based applications that provide specialized reports for several regulations and standards. For more information, see Chapter 33, Understanding and using Management Modules, on page 207.
1. The collect schedule is triggered.
2. The Server issues a collect log command to the Actuator. This command activates the Actuator on the audited system.
3. The Actuator reads the security log and collects only those records that it has not previously collected.
4. The Actuator formats the collected records into the chunk format and compresses the chunk.
5. The agent reads the chunk log and encrypts it.
6. The agent sends the log from the Actuator system to the Server.
7. The Server archives the chunk in the depot and maintains a directory structure where each event source has its own subdirectory to store chunks.
8. After successfully sending the chunk to the Server, the Actuator deletes its local copy.

1. The collect schedule is triggered.
2. The Server issues a collect log command to the Actuator. This command activates the Actuator on the Actuator system, which can be any Windows point of presence, including the Server itself.
3. The Actuator reads the security log from the audited system through the Windows event management API and collects only those records that it has not previously collected.
4. The Actuator formats the collected records into the chunk format and compresses the chunk.
5. The agent reads the chunk log and encrypts it.
6. The agent sends the log from the Actuator system to the Server.
7. The Server archives the chunk in the Depot and maintains a directory structure where each event source has its own subdirectory to store chunks.
8. After successfully sending the chunk to the Server, the Actuator deletes its local copy.

Note: Windows remote collect requires that the point of presence be run by a user that has access to the Security Event Log on the remote system. During the installation of the point of presence, set the OS account for IBM TCIM field to a user with the Manage auditing and security log permission on the audited machine, or assign the user that permission before installing Windows remote collect. This action ensures that the event management API can be used from the point of presence to access the audited system.
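The collect sequence described in the steps above, as an added example that is not part of this guide or of the product's own code. The `Actuator`, `Depot`, `build_chunk` and `parse_chunk` names, the chunk layout (a JSON header followed by the records, gzip-compressed) and the sample security log are all assumptions constructed for the illustration; the encryption step performed by the agent is not implemented here, and the SHA-256 digest in the header is only an integrity check. The property worth studying is the one the last step relies on: the checkpoint advances and the local copy is deleted only after the server has archived the chunk, so a failed transfer neither loses records nor collects them twice on the retry.

```python
import gzip
import hashlib
import json
from collections import defaultdict

# Constructed sample security log of an audited system (one record per line).
SAMPLE_LOG = [
    "2008-03-01T08:00:01 LOGON user=alice host=srv01 result=success",
    "2008-03-01T08:05:17 FILE_READ user=alice object=/etc/passwd host=srv01",
    "2008-03-01T08:07:42 LOGON user=bob host=srv01 result=failure",
]


def read_new_records(log_lines, checkpoint):
    """Step 3: return only the records that follow the checkpoint (already collected)."""
    return log_lines[checkpoint:]


def build_chunk(event_source, records, start_offset):
    """Step 4: serialize the records into a chunk (JSON header + body) and compress it.
    The header carries a SHA-256 digest so the server can verify the body survived transit."""
    body = "\n".join(records).encode("utf-8")
    header = {
        "event_source": event_source,
        "start_offset": start_offset,
        "end_offset": start_offset + len(records),
        "record_count": len(records),
        "sha256": hashlib.sha256(body).hexdigest(),
    }
    return gzip.compress(json.dumps(header).encode("utf-8") + b"\n" + body)


def parse_chunk(chunk):
    """Decompress a chunk, verify its digest and return (header, records)."""
    raw = gzip.decompress(chunk)
    header_line, _, body = raw.partition(b"\n")
    header = json.loads(header_line)
    if hashlib.sha256(body).hexdigest() != header["sha256"]:
        raise ValueError("chunk body does not match header digest")
    return header, (body.decode("utf-8").split("\n") if body else [])


class Depot:
    """Step 7: the server-side depot, one subdirectory (here: one dict key) per event source."""

    def __init__(self):
        self.chunks = defaultdict(list)  # event_source -> [(chunk_name, header)]
        self.available = True            # set False to simulate an unreachable server

    def archive(self, chunk):
        if not self.available:
            return False
        header, _ = parse_chunk(chunk)   # reject a corrupt chunk rather than store it
        source = header["event_source"]
        name = f"{source}/chunk-{len(self.chunks[source]) + 1:04d}.gz"
        self.chunks[source].append((name, header))
        return True


class Actuator:
    """Steps 3 to 8 for one event source: checkpoint, chunk, send, delete the local copy."""

    def __init__(self, event_source, depot):
        self.event_source = event_source
        self.depot = depot
        self.checkpoint = 0   # number of records already collected
        self.pending = []     # local copies of chunks the server has not yet acknowledged

    def _send(self, chunk):
        if self.depot.archive(chunk):
            header, _ = parse_chunk(chunk)
            self.checkpoint = header["end_offset"]  # advance only after a successful send
            return True
        return False

    def collect(self, log_lines):
        """One collect run. Returns the number of records the server archived in this run."""
        sent = 0
        # Resend chunks left over from failed runs first, so nothing is lost or duplicated.
        while self.pending:
            if not self._send(self.pending[0]):
                return sent
            sent += parse_chunk(self.pending.pop(0))[0]["record_count"]
        records = read_new_records(log_lines, self.checkpoint)
        if not records:
            return sent
        chunk = build_chunk(self.event_source, records, self.checkpoint)
        self.pending.append(chunk)   # the local copy lives until the server confirms receipt
        if self._send(chunk):
            self.pending.pop()       # step 8: delete the local copy
            sent += len(records)
        return sent
```

Running `Actuator("srv01-security", Depot()).collect(SAMPLE_LOG)` archives one chunk of three records; calling it again with the same log sends nothing, and a run made while `depot.available` is `False` leaves the checkpoint and the local copy in place for the next run to retry.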
Chapter 3. Collecting audit data
SSH collecting
SSH collect is another variation of a remote collect. It can be used with event sources that are based on UNIX and Linux. The configuration is similar to Windows remote collect. However, in this case, the data retrieval mechanism utilizes an SSH connection from the point of presence to the audited system. Figure 5 shows an example of SSH collect.
Note: SSH collect requires SSH configuration on the audited systems and SSH access to these systems from the point of presence.
The receiving component listens on the network and stores all received messages in a file, which the rest of the system regards as a regular event log that is collected and processed according to the event source collect schedule. For high-volume syslog processing, however, a Microsoft Windows-based receiver might not deliver the necessary performance. In these situations, you might want to use a Linux-based syslog daemon that provides better performance, such as Syslog NG. Figure 7 on page 16 shows an example of a Syslog NG collect.
The output of the syslog daemon is processed by the rest of the Tivoli Compliance Insight Manager system as data from a regular event source.
Other examples of using external APIs and protocols are logs that are based on the database, collected through ODBC and the Firewall-1 OPSEC protocol. These mechanisms require that the environment is configured correctly so that the interfaces that the Actuator needs are available.
Custom collect
This collect mechanism requires the source platform to run the data preparation script regularly. The actual configuration varies for different event source types, and may use FTP, either by the data preparation script, or by the Actuator, or by both.
Depot indexing
Once audit data is stored in the Standard Server's log depot, the Standard Server indexes the logs by fieldname. This depot indexing facilitates Tivoli Compliance Insight Manager's log investigation and retrieval functions, which allow you to search audit data for specific events or users.

Each server in a Tivoli Compliance Insight Manager cluster can collect audit data from event sources, normalize the data, and load the data into GEM databases for reporting. Each server has its own log depot for data storage. The log depot can be located on a local drive or on a network device. Only the Standard Server can index the data in the log depots for all servers in the cluster. Because this task is processor-intensive, the Standard Server typically is dedicated to indexing and consolidating the audit data from the other servers.

Note: The Indexer service cannot be disabled from the interface of Tivoli Compliance Insight Manager. Indexer disabling is possible through the standard Windows services tool. To disable the Indexer service, perform the following steps:
1. Select Start > Settings > Control Panel.
2. In the control panel, double-click Administrative Tools.
3. Double-click Computer Management and scroll down to the Indexing Service.
Disabling the Indexer service causes all indexes for this service to stop updating, so that the Investigation page always displays the same (latest) results.
Depot investigation
You can use Tivoli Compliance Insight Manager's Depot Investigation Tool on the Standard Server to search all of the audit data stored in the log depots of all of the servers in a cluster. The Depot Investigation Tool enables you to use keyword queries and Boolean search strings to locate logs containing a matching event, user, or other event source fieldname. The search returns a report of all matching events, which are parsed into data fields but not normalized. Because these fieldnames are specific to the event source type, interpreting the report may require knowledge of the source platform and its specific concepts.
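The two preceding sections describe indexing the depot by fieldname and searching it with keyword and Boolean queries over fields that are parsed but not normalized. The following is an added example of that kind of index and query evaluator; it is not code from this guide or from the product, and the `DepotIndex` class, the query grammar (`field:value` terms combined with `AND`, `OR`, `NOT` and parentheses, evaluated left to right) and the sample records are all constructed for the illustration. The records deliberately keep their platform-specific fieldnames (`TargetUserName` on the Windows side, `user` on the UNIX side), which is why the same person has to be searched for under both names.

```python
import re
from collections import defaultdict

# Constructed sample records from two source platforms. The parsed fieldnames are
# platform-specific and are deliberately NOT normalized, as in the depot.
WINDOWS_RECORDS = [
    {"EventID": "529", "TargetUserName": "alice", "Workstation": "WS17", "LogonType": "10"},
    {"EventID": "528", "TargetUserName": "bob", "Workstation": "WS03", "LogonType": "2"},
]
UNIX_RECORDS = [
    {"prog": "sshd", "msg": "Accepted password", "user": "alice", "rhost": "10.0.0.5"},
    {"prog": "sshd", "msg": "Failed password", "user": "root", "rhost": "10.0.0.9"},
]


class DepotIndex:
    """Inverted index keyed by (fieldname, value); lookups are case-insensitive."""

    def __init__(self):
        self.index = defaultdict(set)   # (field, value) -> set of record ids
        self.records = []               # record id -> (event_source, record)

    def add(self, event_source, record):
        rid = len(self.records)
        self.records.append((event_source, record))
        for field, value in record.items():
            self.index[(field.lower(), str(value).lower())].add(rid)
        return rid

    def lookup(self, field, value):
        return set(self.index.get((field.lower(), value.lower()), ()))

    def all_ids(self):
        return set(range(len(self.records)))


# Tokens: parentheses, the three operators, and field:value terms (value may be quoted).
TOKEN = re.compile(r'\(|\)|\bAND\b|\bOR\b|\bNOT\b|[A-Za-z_]\w*:"[^"]*"|[A-Za-z_]\w*:[^\s()]+')


def search(index, query):
    """Evaluate a Boolean query against the index; returns the sorted matching record ids.
    AND and OR bind equally and are applied left to right; use parentheses to group."""
    tokens = TOKEN.findall(query)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_expr():
        result = parse_term()
        while peek() in ("AND", "OR"):
            op = take()
            rhs = parse_term()
            result = result & rhs if op == "AND" else result | rhs
        return result

    def parse_term():
        tok = take()
        if tok == "NOT":
            return index.all_ids() - parse_term()
        if tok == "(":
            inner = parse_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        field, _, value = tok.partition(":")
        return index.lookup(field, value.strip('"'))

    result = parse_expr()
    if pos != len(tokens):
        raise ValueError("unexpected token: " + tokens[pos])
    return sorted(result)


def build_sample_index():
    idx = DepotIndex()
    for record in WINDOWS_RECORDS:
        idx.add("win-dc01", record)
    for record in UNIX_RECORDS:
        idx.add("unix-srv01", record)
    return idx
```

With the sample index, `search(idx, "TargetUserName:alice OR user:alice")` finds alice's events on both platforms, and `search(idx, 'prog:sshd AND NOT msg:"Accepted password"')` narrows the UNIX records to the failed logon.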
Log retrieval
When suspicious or interesting events are identified, the original log files in which they are contained can be obtained from the depot using log retrieval. After you have used the Depot Investigation Tool to query the log depot for events, you can retrieve the log files that contains the events. Using the Log Retrieval Tool, you can select the logs that you would like to see and download them. Log files are returned from the depot in a format that is identical to the original file (for file-based logs) or in a file representation that matches the original format as closely as possible (for log data contained in a RDBMS or obtained through an API). If a log analysis tool is such as the Windows event viewer is available on the source platform, the log files are can be loaded into that tool (for Windows, they are .evt files). For more information about log retrieval, see Retrieving audit logs with the Log Manager on page 228.
Figure 10. Mapping and loading steps (groups, apply rules, load, GEM database)
Understanding W7 attributes
During mapping, event records contained in the audit data stored in the log depot are normalized using the W7 language. Devices and systems throughout an organization's network generate logs of user activities, processes, and events every time a person or system interacts with the network. One of the challenges of analyzing security events and monitoring policy compliance is the task of analyzing log files and putting the events that the logs contain into a business context.
Analyzing audit data in a multi-platform environment can be a slow and onerous task, often requiring expertise in a particular operating system or application to read the logs. In addition, different platforms often use different terms to describe the same type of event or characteristic, making it difficult to search for events using a simple text editor. For example, one operating system may call a task "logon" whereas another system may call the same type of task "login." Similarly, one system may ask an end-user to login as a "user," another may ask for a "username," and a third system may ask for a "userid."

W7 is TCIM's patent-pending normalization process, which "translates" logs from diverse applications, operating systems, and platforms into everyday business terms such as "who," "what," "where," and so on. This makes it easy to see security events in the context of a business or organizational environment. These terms are called W7 attributes because they represent attributes of an event. W7 normalizes an event record into the following W7 attributes:

Who: Which user, application, or process initiated the event?
What: What type of action does the event represent?
When: When did the event happen?
onWhat: What object was affected? An object could be any type of file, database, application, permissions, etc., that was manipulated by the event.
Where: On which machine did the event happen?
WhereFrom: Which system is the source of the event?
WhereTo: Which system is the target of the event?

For example, your security policy may consider system logins to certain systems during non-office hours to be a policy violation. Tivoli Compliance Insight Manager can generate policy exceptions alerting on these violations and can generate reports showing "what" happened (in this case, off-hour logins) "toWhat" systems (in this case, the restricted audited systems). Tivoli Compliance Insight Manager's reports can show "who" violated the policy by normalizing how different systems describe a user.
Understanding W7 groups
The W7 attributes enable Tivoli Compliance Insight Manager to describe security events in a consistent (normalized) manner. In order to monitor your security policy and draw conclusions appropriate for your environment, the W7 attributes are classified into W7 groups. The W7 groups allow you to define how people, technology, and time periods are analyzed in Tivoli Compliance Insight Manager's reports. For example, suppose a login event happens on Sunday morning at 8:30 a.m. The organization's policy forbids system access outside of office hours. If the When group classified the hours between 9 a.m. and 6 p.m. as "office hours," then all other times would be outside of office hours. Similarly, if the When group classified the days between Monday and Friday as "working days," then all other days would be considered outside of the acceptable use time period. Thus, the Sunday morning login event would be considered a policy violation, and Tivoli Compliance Insight Manager would generate a policy exception.

Similarly, classifying users into specific job roles helps identify policy violations by examining whether a user is inappropriately accessing data or making changes to the system. The Who group classifies users and processes, typically according to job function. For example, the programmers may be classified in the Development Department Who group. If someone in the Development Department Who group was accessing financial databases (which would be classified in the onWhat group), this may indicate a policy violation.

All W7 attributes are classified into the following W7 groups:
- Who groups for classification of users and processes
- What groups for classification of event types
- When groups for classification of time periods
- Where groups for classification of systems and devices
- OnWhat groups for classification of objects

The WhereFrom and WhereTo attributes are both classified using the Where groups. How people, technology, and times are classified depends on your environment and policy objectives. You can define and update W7 groups using the Grouping Editor in the Management Console. For more information on the Grouping Editor, see XREF.
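The normalization and grouping described in the two sections above, as an added Python example that is not part of the product or of this guide: the platform vocabularies, field names, group tables and sample events are constructed assumptions, and the two rules applied (off-hours logon, Development Department access to financial databases) are the ones the text uses.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events from three platforms that describe the same
# concepts with different words (illustrative, not real TCIM log formats).
RAW_EVENTS = [
    {"platform": "winos", "action": "logon", "user": "jsmith", "host": "FIN-DB01",
     "time": "2008-03-09T08:30:00", "object": "", "src": "WS-112"},      # Sunday
    {"platform": "unix", "action": "login", "username": "asmith", "host": "dev-build1",
     "time": "2008-03-10T10:05:00", "object": "", "src": "10.0.0.5"},    # Monday
    {"platform": "dbms", "action": "SELECT", "userid": "dev_tom", "host": "FIN-DB01",
     "time": "2008-03-11T14:00:00", "object": "finance.ledger", "src": "dev-build1"},
]

# "What" vocabulary: platform-specific action names become one business term.
WHAT_MAP = {"logon": "Logon", "login": "Logon", "SELECT": "Read data"}
# Each platform names the actor field differently (user / username / userid).
WHO_FIELD = {"winos": "user", "unix": "username", "dbms": "userid"}


@dataclass
class W7Event:
    who: str
    what: str
    when: datetime
    onwhat: str
    where: str
    wherefrom: str
    whereto: str


def normalize(raw):
    """Map one platform-specific record onto the seven W7 attributes."""
    return W7Event(
        who=raw[WHO_FIELD[raw["platform"]]],
        what=WHAT_MAP.get(raw["action"], raw["action"]),
        when=datetime.fromisoformat(raw["time"]),
        onwhat=raw.get("object", ""),
        where=raw["host"],
        wherefrom=raw["src"],
        whereto=raw["host"],
    )


# W7 groups: constructed classification tables for Who, When and onWhat.
WHO_GROUPS = {"jsmith": "Finance Department",
              "asmith": "Development Department",
              "dev_tom": "Development Department"}
ONWHAT_GROUPS = {"finance.ledger": "Financial databases"}
OFFICE_HOURS = range(9, 18)   # 9 a.m. up to, but not including, 6 p.m.
WORKING_DAYS = range(0, 5)    # Monday (0) through Friday (4)


def when_groups(ts):
    """When groups an event timestamp falls into (possibly none)."""
    groups = set()
    if ts.hour in OFFICE_HOURS:
        groups.add("Office hours")
    if ts.weekday() in WORKING_DAYS:
        groups.add("Working days")
    return groups


def classify(ev):
    """Attach the W7 group of each classified attribute to a normalized event."""
    return {
        "Who": WHO_GROUPS.get(ev.who, "Unclassified"),
        "When": when_groups(ev.when),
        "onWhat": ONWHAT_GROUPS.get(ev.onwhat, "Unclassified"),
    }


def policy_exceptions(raw_events):
    """Normalize, classify and evaluate the two rules from the text.

    Returns (who, rule, where) tuples, one per policy exception."""
    exceptions = []
    for raw in raw_events:
        ev = normalize(raw)
        groups = classify(ev)
        # Rule 1: a logon outside office hours or outside working days.
        if ev.what == "Logon" and not {"Office hours", "Working days"} <= groups["When"]:
            exceptions.append((ev.who, "off-hours logon", ev.where))
        # Rule 2: Development Department touching a financial database.
        if groups["Who"] == "Development Department" and groups["onWhat"] == "Financial databases":
            exceptions.append((ev.who, "development access to financial data", ev.where))
    return exceptions


if __name__ == "__main__":
    for who, rule, where in policy_exceptions(RAW_EVENTS):
        print(f"policy exception: {who} / {rule} / {where}")
```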
Chapter 6. Reporting
Once Tivoli Compliance Insight Manager has collected, normalized, and securely stored the audit data, it can run sophisticated analyses on the data and generate numerous reports showing policy compliance status. All reports are accessed through the Portal. Most reports are available through iView, Tivoli Compliance Insight Manager's web-based reporting interface. You can also configure Tivoli Compliance Insight Manager to email reports to you and other recipients. For more information about emailing reports, see Chapter 32, Distributing reports, on page 199.

Tivoli Compliance Insight Manager offers a large number of security compliance reports, including:
- Standard reports
- Event detail reports
- Custom reports
- Graphic reports
- Trend reports
- Log management reports
- Compliance module reports customized for a specific regulation or security standard
Standard reports
Tivoli Compliance Insight Manager comes with numerous standard compliance reports. The standard reports list events using the W7 normalized fieldnames, so they identify events using everyday language that can be easily understood by non-specialists in a business context. From a standard report, you can drill down on specific events to see the event detail report, which shows all fields from the selected event. You can modify the standard reports in order to customize them to your environment. The standard reports include the following reports, and many more:
- Direct Database Access Report
- User Account Management Report
- User Summary Report
- Database System Events
- Stored Procedures Exceptions Report
- Privileged Operations Report
Custom reports
In addition to modifying the standard reports, you can create your own custom reports using the Custom Reports wizard in iView. Custom reports include the following types of reports:
- Event lists
- Summary reports
- Top-N reports, where N is the number of events in a given time period
- Threshold reports
For more information about custom reports, see Creating a custom report using Custom Report wizard on page 187.
Graphic reports
The Compliance Dashboard is the first screen in iView and it displays two graphic reports. Graphic reports provide visual analyses of security policy compliance activity. The Compliance Dashboard contains the Enterprise Overview graph, the Database Overview, and the Trend graphic.
Enterprise Overview
The Enterprise Overview uses data from the aggregation database to show the compliance status for all audited systems. The Enterprise Overview shows the interaction of two W7 groups. For example, the graphic could show the interaction of the What group, showing system events, and the Who group, showing users as classified by job role. A colored bubble at the intersection of those two groups indicates the level of policy exceptions and special attentions and the severity of those infractions. The size of the bubble indicates the number of policy exceptions and special attentions, while the color of the bubble (red, yellow, or blue) indicates the severity. You can quickly identify problem areas and drill down to see what happened.
Database Overview
The Database Overview uses data from a selected GEM database to show the compliance status for audited systems whose audit data is contained in that database. It is similar to the Enterprise Overview; however, it only shows the compliance status for a selected GEM database. GEM databases are usually organized to contain audit data from a subset of systems within the organization. For example, one GEM database may be used to store audit data from the Finance Department's systems, while another GEM database may be used to store audit data from the Human Resource Department's systems, and so on. The Database Overview can therefore show the compliance status for the GEM database associated with a specific department or business unit. The Database Overview shows the interaction of two W7 groups. A colored bubble at the intersection of those two groups indicates the level of policy exceptions and special attentions and the severity of those infractions. The size of the bubble indicates the number of policy exceptions and special attentions, while the color of the bubble (red, yellow, or blue) indicates the severity. You can quickly identify problem areas and drill down to see what happened.
Trend graphic
The Trend graphic is a line graph that shows changes in the percentage of policy exceptions over a given period of time. You can quickly see whether policy exceptions are increasing or decreasing over time.
Compliance module reports
The compliance modules contain reports that are mapped to specific line references within the respective regulations and are associated with security protocols that auditors may wish to review.
- Group definitions
- Policy rules
- Attention rules

To create a security policy, use the following steps:
1. At the Management Console, create a new policy, which should be either a blank one or a duplicate of an existing one.
2. Create group definitions or change them if necessary.
Primary responsibilities
The main responsibilities of a Tivoli Compliance Insight Manager systems administrator are listed below.

Install agents and actuators
- Work with other system administrators to install actuators and agents on target platforms. Provide the other administrators with the appropriate installation instructions and audit settings. Baseline audit settings are available for most supported platforms from IBM.
- Add event sources to Tivoli Compliance Insight Manager in the Management Console. Modify the event source properties, if needed, to customize them to your network environment.
- Set collect schedules for event sources.

Perform daily or weekly maintenance tasks, as outlined in the Tivoli Compliance Insight Manager Security Manager Operational Maintenance document
- Check collects
- Verify that the agents on the target machines are running and check whether any of the machines are collecting empty chunks (that is, whether auditing may have been turned off)
- Check loads in iView
- Check database status, contents and load date in the (iView) Dashboard
- In case of a GEM database failure, investigate the length of time since the last GEM database load (Note: For this, you need some basic knowledge of the mainmapper so that you can read the mainmapper logs.)
- Confirm that authorized users can access iView and the Management Console

Configure Tivoli Compliance Insight Manager
- Manage databases in the Management Console:
  - Add databases
  - Add/remove event sources to a database
  - Remove databases
  - Set load schedules, as needed
  - Perform manual loads, as needed
  - Set mapping to take place at load-time or at collect-time
- Manage users in the Management Console:
  - Create users
  - Assign roles/databases to users
- Configure email alerts
- Configure real-time alerts (RTA):
  - Create the RTA database
  - Create and modify alert rules

Develop policies and generate reports
- Manage policies in the Management Console
- Create and modify W7 groups
- Create and modify policy and special attention rules
- Test policies
- Commit policies, when needed
- Create custom reports in iView
Recommended skills
A Tivoli Compliance Insight Manager systems administrator should have the following information technology skills:
- Strong knowledge of Windows operating systems
- Knowledge of other operating systems, especially the operating systems of audited systems
- Working knowledge of security auditing
The Management Console closes the window. For more information, see the following sections:
- Switching the Management Console users.
- Refreshing contents of the Management Console window on page 49.
- Changing passwords on page 86.
For more information, see the following sections:
- Starting and stopping the Management Console on page 43.
- Changing passwords on page 86.
Event Source View: Lists all event sources, their systems and the GEM databases to which they are attached. This view shows which event sources are defined and which of them are, or are not, assigned to databases. In the Event Source column, icons represent the types of available event sources (icon legend: server system, event source).

Database View: Lists all GEM databases and the systems and event sources linked to them (icon legend: loaded GEM database).

Alert maintenance: Use this child window of the Management Console to create and maintain
User Management: The sixth icon on the Main toolbar opens the User Management window. It displays all Tivoli Compliance Insight Manager users, their assigned roles and all operational Tivoli Compliance Insight Manager databases (GEM and other event-related databases) to which the users have read access. Only one User Management window at a time can be open.
To close any window, use one of the standard Windows controls:
- Press [Ctrl+F4].
- Click X in the top right corner of that window.
- Select the window menu (press [Alt+-]) and select Close.
Note: In the User Management window, you can click Close at the bottom of the window.
For more information, see the following sections:
- Changing the appearance of the Management Console windows.
- Customizing the Management Console toolbars on page 48.
For more information, see Changing the appearance of the Management Console windows on page 47.
For more information, see the following sections:
- Opening and closing the Management Console windows on page 45.
- Changing the appearance of the Management Console windows on page 47.
- Customizing the Management Console toolbars on page 48.
- Refreshing contents of the Management Console window on page 49.
Setting up iView
5. In the Export path box, type the path and file where audit data is to be stored. The path typed is relative to the run folder of the Server folder, and can include up to 76 characters. For example, if the default path \export is used, Server saves audit data in the TCIM_dir\server\export\ directory, using the export date as the name of the folder. TCIM_dir is the folder entered when Server was installed.
6. Click OK when finished.
Tivoli Compliance Insight Manager exports audit data according to the set schedule and stores it in the specified location. The exported data can be reimported if historical data is to be reviewed or a trend checked over a period of time. For more information, see Importing audit data.
4. Click OK when you are ready to begin importing the audit data.
Tivoli Compliance Insight Manager imports the specified audit data folder.
Note: Server audit data resides in a folder called Logs. A path specified in the Path field should point to the location of a \logs folder. For example, enter \\Source\data to import audit data from the folder c:\data\logs located on the source system (the c:\data folder is shared on the network).
Chapter 12. Working with system groups, individual systems, and event sources
This section includes information about the following topics:
- Working with groups of systems
- Working with individual systems on page 57
- Working with event sources and user information sources on page 61
4. In the New group name field, type a name for the group.
5. Click OK to confirm the action.
Note: To open the Create Machine Group window, click Create Machine Group on the System/Audit toolbar of the Machine View window.
For more information, see Renaming system groups.
3. Click OK when all system groups to be changed have been renamed.
The renamed system group is displayed in the list, in its original location, and in subsequent Tivoli Compliance Insight Manager work sessions, in alphabetical order.
Notes:
1. The first group that is created during installation of the Server cannot be renamed.
2. The Rename Machine Group window can be opened from the context menu of the machine group item in the Machine or Event Source View window (see Figure 20).
For more information, see the following sections:
- Creating system groups on page 55.
- Deleting system groups.
- Moving systems to other system groups on page 58.
3. On the General tab, select a new value from Group and click OK.
Alternatively, from the Machine View (see Figure 22 on page 59) or Event Source View windows, do the following steps:
1. For the corresponding system that is to be moved, click the system group cell to select it.
2. Click the system group cell again to open the system group list.
Note: Do not double-click, because this action can start the Add Machine wizard.
3. Select another system group from the group list. The system is displayed in the specified system group (in the Machine View and Event Source View only).
Deleting systems
Before deleting a system, you must do the following steps:
1. Remove the system from any GEM databases to which it is attached.
2. Turn off auditing on the system; for information about turning off auditing, see information about setting up auditing for the system platform in the IBM Tivoli Compliance Insight Manager: Installation Guide. If audit profiles are supported for the system event sources, you can use the Clean audit profile too.
To delete a system, use the following steps:
1. In either the Machine View or the Event Source View windows, ensure that the system cell is selected in the grid and do one of the following steps:
   - Open the Edit menu and select Delete.
   - Click Delete on the EditExtensions toolbar.
   - Press the [Delete] key on the keyboard.
   - Right-click the system to start its context menu and select Delete.
2. If you are deleting a system that has an event source for which data has already been collected, the Remove Machine window is displayed (see Figure 23):
   - Select Keep Active Event Source(s) to keep the data collected from that system in the log depot, and click OK, or
   - Select Remove Machine Completely to delete the data along with removing the system, and click OK.
Reattaching a system
A system that was previously deleted can be reattached if its collected data was kept when the system was deleted. Systems that can be reattached are displayed as unavailable in the Machine View and Event Source View windows. To reattach a previously deleted system, do the following steps:
1. In the Machine View or Event Source View windows, right-click the system to be reattached.
2. Click Properties on the menu that is displayed.
3. Note the system port and IP address and click OK to close the Properties dialog (see Figure 24).
4. Right-click the system again, and click Reattach Machine in the menu that is displayed.
5. In the Reattach Machine dialog, type the port number and IP address of the system (see Figure 25 on page 61).
6. Click OK to reattach the system.
Tivoli Compliance Insight Manager displays the system icon in green to indicate that it is attached to a server and can be used to collect audit data.
3. The Add Event Source wizard starts. Follow the instructions on the pages of the wizard to add an event source for the destination system.
After the wizard completes, Tivoli Compliance Insight Manager adds the event source to the system. The name of the event source, its properties, and its schedule can be changed from the Event Source Properties dialog (Figure 27). Tivoli Compliance Insight Manager can collect events from this event source after auditing is enabled on the audited system. If the selected event source supports audit profiles, the Add Event Source wizard prompts you to indicate which audit profile to use (Figure 28 on page 63).
The audit profile supports proper auditing for this event source. You must specify administrator credentials for that system. For more information about setting up auditing for a specific platform, see the IBM Tivoli Compliance Insight Manager: Installation Guide.
b. On the Choose Type of Removal page, you must decide which type of removal to select. To remove several event sources you can select Make Option Valid for Each Selected Event Source (Figure 30 on page 65); leave it clear to have a separate Choose Type of Removal dialog per selected event source.
c. On the Delete Process Summary page, review the details of the intended operation and click Next to proceed or Back to return to the previous pages of the wizard.
d. On the final page of the wizard, click Finish to start deleting.
Tivoli Compliance Insight Manager deletes the selected event source from the system.
Notes:
1. If a system is removed, both the system and all event sources for that system are removed.
2. If an event source is removed, Tivoli Compliance Insight Manager removes that event source, but leaves the system and any other event sources associated with the system in the database.
3. When the last event source is removed from a GEM database, its load schedule is set to Never.
- Tandem
- z/OS
5. Click OK. The message Creating new GEM database is displayed in the status line.
Note: The database path field cannot be edited. The path is displayed so that you know where the database file is located.

The newly created GEM database is greyed-out in the list of databases (Database View window only). Before you can load audit data into the new GEM database, you must attach an event source to the database. For more information about attaching event sources, see Attaching event sources to databases on page 71.

When a new GEM database is created, the time of its last load schedule is set to the time when the GEM database was created. Only event data that is collected after the time when the GEM database was created can be loaded into the database using a scheduled data load. For more information on scheduled loads, see Creating data loading schedules on page 74. If you want to load historical data (event data that predates the GEM database), you can manually load it. For more information on manual loads, see Manually loading data into GEM databases on page 76.
Note: An event source can be moved to another GEM database at any time. For example, you might want to remove a database, but keep the audit data it contained to reduce the amount of data in a database.
To detach an event source from a database, in the Machine View, Event Source View, or Database View windows, do either one of the following steps:
- Right-click the event source to be detached and select Remove from the context menu.
- For the selected event source, select the Database cell, click it twice (do not double-click) and select None from the list.
3. In the Database list box, provide a new value for the database. Tivoli Compliance Insight Manager displays the event source that was moved in the new database.
Notes:
1. If conflicting collect schedules are created (for example, different schedules are defined for a database and for its event sources), Tivoli Compliance Insight Manager collects data according to the event source schedule.
2. If the database is populated with some event sources, it is also available in the Machine View and the Event Source View windows.
3. If the hourly frequency option is selected when a collect schedule is created, Tivoli Compliance Insight Manager collects data from the database or event source at the interval (1 or more hours) that was set, with the first collection at the hour and minute set in the collect schedule. Collection continues until 11:59 p.m. each day. For example, a schedule that collects data every hour starting at 1:00 a.m. collects 23 times each day. A schedule that collects every hour starting at 1:00 p.m. collects 11 times each day. A schedule that collects every 2 hours starting at 1:00 p.m. collects six times each day. Ensure that the collection interval and start time are set according to your requirements for audit data.
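The hourly-frequency arithmetic from note 3, together with the precedence rule from note 1, as an added Python example that is not part of the product or of this guide; the function names, the tuple representation of a schedule and the modelling of Never as an interval of 0 are assumptions of this example.

```python
# Collection for an hourly-frequency schedule continues until 11:59 p.m.
LAST_COLLECTION_MINUTE = 23 * 60 + 59


def collection_times(start_hour, start_minute, interval_hours):
    """Clock times ("HH:MM") at which one day's collections fire.

    interval_hours <= 0 models the Never option (assumption of this example):
    nothing is collected from the source."""
    if interval_hours <= 0:
        return []
    minute = start_hour * 60 + start_minute
    times = []
    # First collection at the scheduled hour and minute, then every interval,
    # as long as the time still falls on the same day.
    while minute <= LAST_COLLECTION_MINUTE:
        times.append(f"{minute // 60:02d}:{minute % 60:02d}")
        minute += interval_hours * 60
    return times


def collections_per_day(start_hour, start_minute, interval_hours):
    """Number of collections per day for the given schedule."""
    return len(collection_times(start_hour, start_minute, interval_hours))


def effective_schedule(database_schedule, event_source_schedule):
    """Resolve conflicting schedules (note 1): when both a database and one
    of its event sources carry a collect schedule, the event source schedule
    is the one applied. Schedules are (hour, minute, interval) tuples or None."""
    if event_source_schedule is not None:
        return event_source_schedule
    return database_schedule


def daily_collections(database_schedule, event_source_schedule):
    """Times at which data is actually collected for an event source."""
    schedule = effective_schedule(database_schedule, event_source_schedule)
    if schedule is None:
        return []
    return collection_times(*schedule)


if __name__ == "__main__":
    # The three worked cases from note 3 (expected 23, 11 and 6 collections).
    for start, interval in ((1, 1), (13, 1), (13, 2)):
        print(f"every {interval}h from {start:02d}:00 -> "
              f"{collections_per_day(start, 0, interval)} collections per day")
    # A database schedule of hourly from 1:00 a.m. is overridden by the event
    # source's own schedule of every 2 hours from 1:00 p.m.
    print(daily_collections((1, 0, 1), (13, 0, 2)))
```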
Note: If Never is selected, Tivoli Compliance Insight Manager does not collect data from this source.
6. Click or fill in any additional schedule options.
7. Click OK to close the Set Collect Schedule window.
8. Click OK again to apply the schedule.
Tivoli Compliance Insight Manager collects event, remote event, or policy source data using the set schedule.
Note: If Never is selected, Tivoli Compliance Insight Manager does not load, or stops loading, data into the database.
6. Click or fill in any additional schedule options.
7. Click OK to close the Set Load Schedule dialog. The load schedule is displayed in the Set Schedules dialog.
8. Click OK again to apply the schedule.
Tivoli Compliance Insight Manager loads data for all systems and event sources added to the database, using the set schedule.
7. Click OK to close the Set Load Schedule dialog. The load schedule description, with the word Sliding, is displayed in the Set Schedules dialog (Figure 37).
Figure 37. A sliding load schedule reflected in the Set Schedules dialog
8. Click OK to apply the schedule. Tivoli Compliance Insight Manager follows the sliding schedule when loading data for all event sources that were added to the database.
Note: For a GEM database with an actual load schedule (the value of the Load Schedule property differs from Never), the default policy is used for manual loading. In this case, the Choose a Policy dialog is not displayed in the Load Database wizard.
f. On the final page of the wizard, click Finish to close this wizard and start the load request.
Notes:
a. The database status is not updated immediately. The status is updated when the actual load process starts.
b. If a scheduled load triggers during a manual load of a GEM database, the scheduled load is skipped.
- On the Schedule tab, you can change the collect schedule for the event source.
- On the Audit Profile tab, you can change the following properties:
  - Administrator credentials
  - Kind of audit profile
  - Custom properties of the event source
For more information about event source properties, see the installation section for the event source platform in the IBM Tivoli Compliance Insight Manager: Installation Guide.
Note: Audit Profiles are available only for platforms that support remote setting of audit security policies (Windows).
where the consolidation database is installed. By definition, a Consolidation Server is an Enterprise Server.

Standard Server
A Standard Server is any Tivoli Compliance Insight Manager server that is not an Enterprise Server. A Standard Server contains the Tivoli Compliance Insight Manager server and the web applications. A Standard Server typically is a Grouped Server in a Security Group, but it can also be a Security Server if it is the only server in the group.

Tivoli Compliance Insight Manager Cluster
A Tivoli Compliance Insight Manager Cluster is a group of only one Enterprise Server and a maximum of three Standard Servers. The Enterprise Server consolidates data from the Standard Servers and reports on audit data from all of the servers in the cluster. All servers in a cluster must authenticate against the same Security Server; thus, all servers in a cluster must be included as Grouped Servers in the same Security Group. This should be considered during installation of servers in a cluster. During the installation of a Grouped Server, you can specify which Security Server should be used for authentication and authorization.
Managing users, roles, and GEM database access permissions for a Security Group
You can administer users, roles, and GEM database access permissions for all members of a Security Group from any Management Console on any server in the Security Group. Adding, deleting, or modifying a Tivoli Compliance Insight Manager user or changing a password for an existing user is stored centrally on the Security Server. For more information about user administration, see Chapter 15, Managing users and roles, on page 85. For example, if you add a new user, that user's information is stored on the Security Server, and the user becomes available to all servers in the Security Group. Similarly, if you delete a user, then that user is no longer available on any server in the Security Group. If you change a password or change a user's role, then that change is applied to all servers in the Security Group. The user has the same role(s) on each server in the Security Group. Users can have different GEM database access rights for each server in the Security Group. A user can be granted access to the database of any Grouped Server or Security Server in the group from any Management Console on any server in the group. The Management Console's User Management dialog contains the list of databases on each server, and it allows an administrator to select the databases to which a user has access rights.
Synchronizing users, roles, and GEM database access permissions for a Security Group
Although you can manage users, roles, and GEM database access permissions from any Management Console on any server in the Security Group, the changes are not immediately applied to all servers in the group. Each server in the group runs a synchronization process in order to synchronize local server users, roles, and database access permissions with the Security Server. The servers apply the changes after they have finished synchronization. Thus, if a user is assigned a role or granted access to a database using the Management Console on one server in the group, the other servers will apply these changes after they have synchronized with the Security Server.
Adding users
If you have access rights to administer Tivoli Compliance Insight Manager users, you can add them at any time. In general, assign a unique user name and password for each user. To add a user, do the following steps:
1. In the User Management window, click Add below the Users list.
2. In the Username field, type a user name. Start all user names with the letters cif, to avoid name conflicts. User names can include up to 17 additional alphanumeric characters, and cannot include spaces, punctuation, or other symbol characters such as ~ or +.
3. In the Password field, type a password and retype it in the Verification field. Passwords must include between 6 and 20 characters, must start with a letter, and cannot include spaces, punctuation, or other symbol characters such as ~ or +.
4. Click Add.
The new user is displayed at the bottom of the Users list in the User Management window. In the next list, roles are defined for the new user to grant access to Tivoli Compliance Insight Manager components.
Deleting users
With the Administer Tivoli Compliance Insight Manager users role, you can delete any user except the user who is currently logged on. If the logged-on user is to be deleted, switch to another user, and then delete the first user. To delete a user, do the following steps:
1. In the User Management window, select the user to be deleted.
2. Click Remove below the Users list, or right-click the user and select Remove User from the context menu.
3. In the confirmation window that is displayed, click Yes to delete the user.
Tivoli Compliance Insight Manager removes the name from the Users list.
Copyright IBM Corp. 1998, 2008
User/role management
Changing passwords
Your password can be changed from either the Tivoli Compliance Insight Manager Logon dialog or from the User Management window. Depending on your assigned user roles, you might be able to change passwords for other users. Passwords must start with a letter, can include up to 20 alphanumeric characters, but cannot include spaces, punctuation, or other symbol characters, such as ~ or +. You and other users need a password to log on to any Tivoli Compliance Insight Manager component for which you have access rights.
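The user-name and password constraints stated in Adding users and repeated here are easy to get wrong when accounts are provisioned in bulk. The following Python script is an added example, not part of this guide or the product: it checks a proposed user name and password against the documented rules (cif prefix plus at most 17 alphanumerics; 6 to 20 alphanumerics starting with a letter) and reports every rule that is violated. The function names and the sample accounts are this example's own.

```python
import re

# Account constraints as documented for Tivoli Compliance Insight Manager
# users. The checks and helper names are this example's own, not the product's.
ALNUM_RE = re.compile(r"[A-Za-z0-9]*")
CIF_PREFIX = "cif"
MAX_AFTER_PREFIX = 17          # "up to 17 additional alphanumeric characters"
PASSWORD_MIN, PASSWORD_MAX = 6, 20


def check_username(name: str) -> list:
    """Return the documented user-name rules that `name` violates (empty list = acceptable)."""
    problems = []
    if not name.startswith(CIF_PREFIX):
        problems.append("user name must start with the letters cif")
    if len(name) > len(CIF_PREFIX) + MAX_AFTER_PREFIX:
        problems.append("at most 17 characters may follow cif")
    if ALNUM_RE.fullmatch(name) is None:
        problems.append("only letters and digits are allowed (no spaces, punctuation or symbols such as ~ or +)")
    return problems


def check_password(password: str) -> list:
    """Return the documented password rules that `password` violates (empty list = acceptable)."""
    problems = []
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        problems.append("password must be between 6 and 20 characters long")
    first = password[:1]
    if not (first.isascii() and first.isalpha()):
        problems.append("password must start with a letter")
    if ALNUM_RE.fullmatch(password) is None:
        problems.append("only letters and digits are allowed (no spaces, punctuation or symbols such as ~ or +)")
    return problems


def validate_account(name: str, password: str) -> dict:
    """Combine both checks into one report, for example for a provisioning
    script that rejects an account before anyone clicks Add."""
    return {"username": check_username(name), "password": check_password(password)}


if __name__ == "__main__":
    # Constructed sample accounts: one valid, two that break different rules.
    for user, pw in [("cifauditor", "Review2008"), ("auditor", "1short"), ("cif~ops", "pass word")]:
        print(user, validate_account(user, pw))
```

An empty report for both keys means the account satisfies the documented rules; the lists make it easy to show an operator which rule to fix.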
Changing your password from the Tivoli Compliance Insight Manager Logon dialog
To change your password from the Tivoli Compliance Insight Manager Logon dialog, do the following steps:
1. Start the dialog in either one of the following ways:
   - Close the Management Console and start it again.
   - Log off from the Management Console by selecting File > Logoff, then open the File menu again and select Logon.
2. In the logon dialog, type your user name and password in the corresponding text fields and click New Password.
3. In the dialog box that is displayed, type a new password in the New Password field and retype it in the Verification field.
4. Click OK.
Changing your password or other user passwords from the User Management window
To change your password or other user passwords from the User Management window, do the following steps:
1. In the User Management window, click the name of the user whose password is to be changed.
2. Start the Change Password dialog in one of the following ways:
   - Click Change Password.
   - Right-click the user in the Users list and select Change Password from the context menu.
3. In the Change Password dialog, type a new password, and type it again to verify spelling.
4. Click Change to change the password.
5. If you are changing your own password, do the following:
   a. Close the Management Console and start it again, or log off from the Management Console by selecting File > Logoff.
   b. Click File > Logon to log on again using the new password.
Note: After changing your password, or the password of another user, all users currently logged in with the affected user name must log off and log back in with the new password to continue using the Management Console.
Table 2. Access rights of the Tivoli Compliance Insight Manager user role (continued)

Role: (role name not shown on this page)
Access rights granted: Can add systems and event sources into GEM databases, and set up schedules for collecting, loading, and unloading audit data. It also gives rights to manage alerts.
Rights denied: No right to edit, delete, or commit policies.

Role: (role name not shown on this page)
Access rights granted: Can add, change, delete, and move systems and event sources before Tivoli Compliance Insight Manager collects data for the systems or event sources.
Rights denied: No right to delete systems or event sources after the data is collected.

Role: (role name not shown on this page)
Access rights granted: Can delete systems or event sources for which Tivoli Compliance Insight Manager has collected audit and log data.
Rights denied: None

Role: Commit or Delete Security Policy
Access rights granted: Can delete a policy or move a policy to the Committed folder.
Rights denied: None

Role: Edit Security Policy
Access rights granted: Can create and change a security policy.
Rights denied: None

Role: Log on to Portal
Access rights granted: Can open and view iView pages.
Rights denied: None

Role: Use Custom Reports in iView
Access rights granted: Can view custom reports in iView.
Rights denied: None

Role: Create or Edit Custom Reports in iView
Access rights granted: Can create and change custom reports in iView.
Rights denied: None

Role: Administer Tivoli Compliance Insight Manager users
Access rights granted: Can add and delete users, and change passwords for them.
Rights denied: None

Role: Manage Excerpts
Access rights granted: Allows setting access to individual databases.
Rights denied: None

Role: Manage Incidents
Access rights granted: Can access and manage incidents.
Rights denied: None

Role: Use Depot Investigation and Log Retrieval tools
Access rights granted: Allows access to the corresponding tools of the Log Manager.
Rights denied: None

Using the Policy wizard in iView gives rights to use the Policy wizard in iView.
To set user roles, do the following steps:
1. In the User Management window, click the user to whom user roles are to be assigned.
2. Click each role to be assigned to this user.
3. Click Apply when completed.
Tivoli Compliance Insight Manager assigns user roles on the Server according to your selections.
Notes:
1. Roles that are in use while you are in the User Management window cannot be revoked. For example, you cannot revoke your own rights to access the Management Console and administer user roles.
2. User rights apply both on the Server where you created the user and on the Consolidation Server, if you installed it.
Defining a policy
A policy is a collection of rules that determine what audit data Tivoli Compliance Insight Manager loads and displays for analysis. To create a policy, you must specify the following information:
- Attention rules
- Group definitions for each platform
- Platforms to be audited
- Policy rules
You can create rules for any of the operating system or application platforms from which Tivoli Compliance Insight Manager can collect data. Group definition sets are created to organize audit data into standardized groups for efficient analysis. You can create a group definition set for an entire policy or create a set for each platform to be audited.
Storing policies
All policies are stored in the Policies folder, which contains two subfolders:
- The Committed folder contains all policies that you have committed for use. You can view but not change committed policies.
- The Work folder contains policies that you can change. When you finish changing a policy, move it to the Committed folder for use in collecting audit data.
Note: Tivoli Compliance Insight Manager also creates an automatically generated policy that you can view but not change.
Applying policies
When it collects and loads audit data according to a schedule you set, Tivoli Compliance Insight Manager uses the most recent policy in the Committed folder. Another policy can be used to collect data if you load data manually and select another policy at that time. You might specify another policy, for example, if you recently updated a policy and want to compare audit data from the old policy and the new policy.
Editing policies
If an empty policy was created or an existing policy duplicated, you must edit the policy to add or change its contents. Any policy in the Work folder can be edited. To edit a policy, do the following steps:
1. In the Policy Explorer window, open the Work folder.
2. Double-click the policy to be edited. Tivoli Compliance Insight Manager opens a policy window and displays the selected policy. From this window, any of the tasks listed on the Policy Maintenance page can be completed. For example, you can do the following tasks:
   - Create or change platforms for the policy
   - Create or change group definition sets for any platform or for all platforms
   - Create or change groups within a group definition set
3. When the policy change is complete, you can test it within a manual GEM database load and, if it needs additional changes, continue editing.
4. When the policy editing is complete, click Policy > Save in the menu bar to save the changes.
The edited policy is available in the Work folder in the Policy Explorer window.
Deleting policies
Any policy in the Work folder can be deleted. Committed policies cannot be deleted.
Renaming policies
Any policy in the Work folder can be renamed. Tivoli Compliance Insight Manager automatically renames policies in the Committed folder using the date and time that the policy was committed; these policies cannot be renamed. To rename a policy in the Work folder, do the following steps:
1. When necessary, close the opened policy first.
2. In the Policy Explorer window, open the Work folder, and right-click the policy to be renamed.
3. Select Rename in the context menu that is displayed.
4. Enter a different name for the policy.
The renamed policy is displayed in the Work folder.
Creating platforms
After a policy is created, you must define the platforms to be audited. Systems can be audited on any of the platforms that Tivoli Compliance Insight Manager supports. Platforms can be created for any policy in the Work folder. Platforms can be created for a committed policy by duplicating the policy, adding the new platform as described below, and then committing the updated policy. To create a platform, do the following steps:
1. In the Policy Explorer window, open the Work folder.
2. Open the policy where the new platforms are to be created.
3. Right-click the policy folder at the top of the Policy pane of the policy window, and select New Platform from the context menu that is displayed. In this pane, the policy folder is displayed with a shield-like icon containing a capital letter P.
4. In the New Platform dialog, open the list box and select the platform to be added to the policy.
5. Click OK when finished.
The new platform is displayed at the bottom of the platform list in the Policy pane. A group definition set is created for the platform.
Deleting platforms
Any platform can be deleted from a policy in the Work folder. When a platform is deleted from the policy, Tivoli Compliance Insight Manager stops auditing systems or applications of that specific platform type, even if systems or event sources for that platform are still displayed in the Machine View or Event Source View windows. To delete a platform, do the following steps:
1. In the Policy Explorer window, open the policy that includes the platforms to be deleted.
2. In the Policy pane of the policy window, select the platform to be deleted.
3. Delete any group definition sets that were created, copied, or imported into the platform.
4. Right-click the platform to be deleted and select Delete on the context menu that is displayed.
5. Click Yes to confirm.
The platform is deleted.
Attention: This task cannot be undone. If a deleted group definition set and platform must be restored, you must recreate them manually from committed policies or import files.
Defining groups
A group can be a collection of any of the following:
- Event platforms
- Events
- People
- Systems
- Times or dates
You can create a group and behavior rules in Tivoli Compliance Insight Manager. When you create a group, its group type is specified. The following group types correspond to the categories into which each piece of audit data is separated:
- On What - The files or other objects affected by audit events
- What - The events
- When - The times or dates on which events occurred
- Where - The systems on which the events occurred
- Who - The people who triggered audit events
Tivoli Compliance Insight Manager gathers the other two categories of audit data, From Where and Where To, using the groups created for the Where category, so it is not necessary to create three sets of platform groups.
Creating groups
After creating an empty policy, defining the platforms to be audited with the policy, and creating group definition sets for the platforms, you must create groups for any of the group types within the group definition sets. To create a group, do the following steps:
1. In the Policy pane of the policy window, open the platform where you want to create a group.
2. Double-click the group definition set where a group is to be created. The group definition set is displayed in the Grouping pane of the policy window.
3. Right-click the folder of the group type to be created, and select New Group on the context menu that is displayed. Group types are Who, What, When, Where, and On What. Tivoli Compliance Insight Manager uses the Where groups you create as From Where and Where To groups as well, so it is not necessary to define groups for the same platforms three times.
4. Type a name for the group in the Group Name box.
5. Click OK when finished.
The new group is displayed in the group definition folder. Depending on the folder where the group was added, the icon of the new group varies; for example, the Who group icon looks like people and the On What group icon looks like a file. Next, create one or more conditions for group membership.
Creating requirements
A requirement is part of a condition. Creating requirements is one of the steps in the process of creating groups. People, systems, or events are members of a group when they match one or more of the conditions of group membership. People, systems, or events match a condition when they match all of the requirements of that condition. To create a requirement, do the following steps:
1. In the Policy pane of the policy window, double-click the group definition set into which a requirement is to be added. The group definition set is displayed in the Grouping pane.
2. Expand the group where the requirement is to be added. The group members are listed. For example, a Who group might include user, administrator, system maintenance, and manager members; a What group might include a list of events for a given platform.
3. Expand the group member where the requirement is to be added. The group conditions are listed.
4. Right-click the condition for which a new requirement is to be created.
5. Select New Requirement in the context menu that is displayed. A bar with three list boxes is displayed.
6. To construct the requirement, open each list box and select the option required. Depending on the type of group created, the options in each list box can vary. For details about creating requirements for each group type, see the sections for the group types Who, What, When, Where, and On What below.
7. When finished, click elsewhere in the Grouping pane to leave the requirement bar.
The new requirement is displayed in the list of requirements for the edited condition.
Note: The Event class in the What group and the contents of the OnWhat group are not the same. The event class in the What group defines the kind of object affected by an audit event. The OnWhat group defines the actual object affected by an audit event. For example, if you select the What group event class file, the OnWhat group in the same group definition set would define a specific file, for example, Q1Sales.xls.
Copying groups
After a group is created, and conditions and requirements have been added for the group, the group can be copied to the same group type in another group definition set. Groups can be copied within a policy or to other policies in the Work folder. To copy a group to another group definition set, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder that contains the group to be copied.
2. Right-click the group to be copied, and select Copy on the context menu that is displayed.
3. In the Policy pane, open the group definition set into which the group is to be copied.
4. In the Grouping pane, right-click the grouping folder into which the group is to be copied and select Paste on the context menu that is displayed.
The copied group is displayed in the new group definition set.
Note: For copying groups, it is also possible to use the drag-and-drop mechanism. Drag the group from the source policy while holding the [Ctrl] key, and drop it on the destination policy.
Moving groups
A group can be moved to another group definition set in the same policy, as long as it is moved to a group of the same group type. To move a group to another group definition set in the same policy, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder that contains the group to be moved.
2. Right-click the group to be moved and select Cut on the context menu that is displayed.
3. In the Policy pane, open the group definition set into which the group is to be moved.
4. In the Grouping pane, right-click the grouping folder into which the group is to be moved and select Paste on the context menu that is displayed.
The moved group is displayed in the new group definition set.
Note: For moving groups, the drag-and-drop mechanism can also be used. Drag the group from the source policy and drop it on the destination policy.
Renaming groups
A group can be renamed at any time. For example, if a group is copied and the copy is edited, the group can be renamed to describe its new contents better. To rename a group, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder that contains the group to be renamed.
2. Right-click the group to be renamed, and select Rename Group on the menu that is displayed.
3. Type a new group name in the Group name box.
Deleting groups
A group can be deleted from a group definition set of any policy in the Work folder. Groups cannot be deleted from policies stored in the Committed folder. To delete a group, do the following steps:
1. In the Policy pane of the policy window, open the group definition set that contains the group to be deleted.
2. In the Grouping pane, right-click the group to be deleted and select Delete on the context menu that is displayed.
Tivoli Compliance Insight Manager deletes the group and any conditions and requirements defined for the group.
Notes:
1. Deletion of a group can be undone. Select the Edit menu and select Undo.
2. You can also press the [Delete] key on the keyboard to delete groups.
Copying conditions
After a condition has been created, it can be copied to another group in the same group definition set or in another group definition set. You can copy the condition within a policy or to another policy, as long as it is copied to the same group type. To copy a condition, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder of the group whose condition is to be copied.
2. Expand the group whose condition is to be copied.
3. Right-click the condition to be copied and select Copy on the context menu that is displayed.
4. Open the group definition set and the target group for the condition.
5. Right-click the group, and select Paste on the context menu that is displayed.
Note: For copying conditions, you can also use the drag-and-drop mechanism. Drag the condition from the source group while holding the [Ctrl] key and drop it on the destination group.
Moving conditions
You can move a condition from a group to another group of the same type. The condition can be moved within the same group definition set or to another group definition set, either within the policy or in another policy. To move a condition, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder of the group whose condition is to be moved.
Chapter 16. Policy maintenance
Deleting conditions
Group conditions that are no longer needed can be deleted. To delete a condition, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder of the group whose condition is to be deleted.
2. Expand the group whose condition is to be deleted.
3. Right-click the condition to be deleted and select Delete on the context menu that is displayed.
The condition and any requirements defined for it are deleted.
Notes:
1. This action can be undone by closing the policy window without saving the changes.
2. Alternatively, you can delete a condition by pressing the [Delete] key on the keyboard.
Copying requirements
A requirement can be copied to another group definition set in the same or another policy. To copy a requirement, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder with the requirement to be copied. The groups are listed. For example, a Who grouping folder might include User, Administrator, System Maintenance, and Manager groups; a What grouping folder might include a list of auditable events for a given platform.
2. Expand the group whose requirement is to be copied. The conditions for group membership are listed.
3. Expand the condition whose requirement is to be copied. The requirements of the condition are listed.
4. Right-click the requirement to be copied, and select Copy in the context menu that is displayed.
5. Expand the group to which the requirement is to be copied.
6. Right-click the target condition and select Paste on the context menu that is displayed.
Note: For copying requirements, the drag-and-drop mechanism can also be used. Drag the requirement from the source grouping folder while holding the [Ctrl] key and drop it on the destination grouping folder.
Moving requirements
Requirements can be moved from one group to another of the same group type. For example, a requirement might be moved from one of the conditions in a System Admin group to a Manager group. Requirements can be moved both within a group definition set and to a group of the same type in another policy. To move a requirement, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder with the requirement to be moved.
2. Right-click the requirement to be moved, and select Cut in the context menu that is displayed.
3. Expand the group to which the requirement must be moved.
4. Right-click the target condition and select Paste on the context menu that is displayed.
Alternatively, to move a requirement, you can use the drag-and-drop mechanism:
1. In the Grouping pane of the policy window, expand the grouping folder with the requirement to be moved.
2. Expand the target group.
3. Drag the requirement to a condition in another group of the same type.
Deleting requirements
Any requirement of any condition can be deleted, at any time. To delete a requirement, do the following steps:
1. Expand the group to display the group conditions.
2. Expand the condition that contains the requirement to be deleted.
3. Right-click the requirement, and select Delete on the context menu that is displayed.
The requirement is removed.
Note: You can also delete a requirement by pressing the [Delete] key on the keyboard.
Testing policies
Creating and testing a policy is an iterative task. To test a policy, do the following steps:
1. In the Policy window, edit the policy and save the changes.
2. Add an event source to a GEM database.
3. Collect and load audit data using the Load Database wizard.
4. Analyze the data to determine whether it answers your security questions.
5. Repeat these steps if you have too much, too little, or the wrong kind of audit data.
In general, expect to repeat this cycle a few times, each iteration refining the data volume and content. When you are certain that the policy includes the necessary groups and rules, commit the edited policy so that Tivoli Compliance Insight Manager can use it when loading audit data on a regular basis.
Sending an alert requires the following steps:
1. Ensure that the security policy includes the necessary rules. For more information, see Creating a policy for alerts.
2. Create alerts and configure their settings to generate specific alerts for events meeting specific criteria. For more information, see Creating alerts and configuring alert settings on page 117.
3. Configure a sending protocol for alerts. For more information, see Protocol settings on page 121.
Alert management
The criteria are W7 groups. To avoid typing mistakes, type a placeholder and use drag-and-drop to specify these groups later. System Update events are recognized by the What dimension, so type a placeholder for the W7 category What. In this example, the placeholder is tbd.
7. Assign a severity, for example 80. For alerts based on direct positive selection, as in this example, the severity is of no consequence. However, in general, alerts can also be based on event severity, and in that case the severity assigned to special attention rules is relevant. For more information, see Delaying alerts on page 119.
8. Specify an ID for the attention rule so that you can refer to it later in the alert settings. The ID should be a single word consisting of letters (a through z) and numbers (1-9) only. In this example, the ID is sysupsa.
9. Click OK.
10. To fill in any placeholders typed for W7 groups, open the desired grouping (here NT) and drag the group from the Grouping pane to the placeholder in the Attention Rules pane (Figure 40).
Figure 40. The What dimension of the attention rule before the drag-and-drop
In the example, you would open the NT grouping in the Policy pane, select System Updates in the Grouping pane, and drag-and-drop it to the placeholder tbd for the What dimension in the Attention Rules pane. Figure 41 on page 116 shows the results.
Figure 41. The What dimension of the attention rule after the drag-and-drop
11. Save the work policy and commit it. As a result of these actions, any system updates lead to a special attention event with severity 80 and attention rule ID sysupsa.
In that case, the policy needs to be modified so that events for which alerts are required receive severity 95 or higher. Events with severity 10 or higher are always special attention or policy exception events. Policy exception events with severity 95 or higher are events where at least one W belongs to a group with significance 95 or higher. If the security policy already effectively identifies non-standard behavior as exceptions, the only policy change required is to single out the groups for which alerts need to be raised when they are involved in a policy exception. These could be groups representing privileged users or especially sensitive data. The significance of such groups should then be set to 95 or higher, which elevates the severity of any policy exception involving these groups to the level sufficient to trigger an alert. Again, it is advisable to be cautious and conservative, because raising the significance of many groups to high levels only reduces the ability to distinguish severe events from less severe ones.
Note: Do not forget to click OK to save any changes in the Alert Maintenance window. The changes take effect only after the mapper services are restarted from the Windows Services applet.
Chapter 17. Managing alerts
To create an alert and configure its settings, do the following steps:
1. Open the Alert Maintenance window by pressing [Ctrl] + [R].
2. Click New below the list of any currently defined alerts. Tivoli Compliance Insight Manager creates an alert with placeholder entries at the bottom of the list.
3. Edit the entries by double-clicking the new alert in the list or by selecting it and clicking Edit. The Edit Alert Recipient dialog window opens (Figure 43).
4. In the dialog window, specify the following settings:
Protocol
   Select the SMTP, SNMP, or Custom delivery protocol for the alert. Other options may be available depending on the protocol settings.
Recipient
   Type the address to which the alert is sent. The address to be entered depends on the protocol that you select:
   - For email alerts, use a single SMTP email address.
   - For SNMP messages, this field is unavailable.
   - For custom alerts, the recipient should be an address that the custom alert handler expects. For more information, see the section that describes custom alerts.
Severity
   Specify a threshold for alerts based on an event severity level. An alert is sent if an event is encountered with severity equal to or higher than the threshold.
   Notes:
   a. When severity is set to 100, Tivoli Compliance Insight Manager does not send alerts based on event severity. In that case, specify at least one attention rule in the Rule IDs field.
   b. If both the Severity and Rule IDs fields are used, alerts are sent in both cases: for events that meet the severity threshold (alerts based on event severity) as well as for events that match any of the specified attention rules (alerts based on special attention events).
Severity-Delay support
   Select this box to avoid the risk of flooding the alert channel with multiple alerts.
Rule IDs
   Click in this field and use New, Edit, and Delete to manage the attention rule IDs to which this alert applies. Whenever an event matches an attention rule (a special attention event) and an ID listed in this field matches that of the rule, Tivoli Compliance Insight Manager raises a corresponding alert.
Delaying alerts
When sending alerts based on event severity, the alert channel might be flooded with messages. The number of messages can be reduced by combining multiple messages into one: the first alert message is delayed to see whether more alerts are raised, and if more events occur, they are combined with the earlier ones. The following rules apply for each protocol:
- A delay is always possible for email alerts. Emails can carry large amounts of data and are received by people, so sending large numbers of individual messages does not make sense.
- A delay is unavailable for SNMP alerts. An SNMP message can carry only a limited amount of information, which is just sufficient for a single alert message.
- The delay can be switched on or off for custom alerts, depending on the possibilities and nature of the custom alert handler.
When this feature is enabled, the mapper respects a maximum waiting time while processing events. After that time is reached for one event, it sends all alerts it has gathered in a single message. The default maximum waiting time is one minute, so enabling this feature delays the alert by at most one minute. You can specify the maximum delay for each protocol and associate an event severity with it. For more information, see Modifying severity delays on page 127.
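The alert settings described under step 4 above (severity threshold, the special meaning of severity 100, Rule IDs, and the Severity-Delay support box) and the per-protocol delay rules in this section combine into a small decision procedure. The following Python model is an added example, not code from this guide or the product: it decides whether a mapped event triggers a given alert entry, whether the alert's protocol permits delaying, and how triggered events would be batched into messages within the one-minute maximum waiting time. The event records, the severity values, the attention rule ID sysupsa reused from the earlier example, and the recipient address are constructed; the `handler_supports_delay` flag for custom alerts and the window-based batching are simplifying assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class AlertSetting:
    """One entry of the Alert Maintenance list, reduced to the documented fields."""
    protocol: str                          # "SMTP", "SNMP" or "Custom"
    recipient: str
    severity: int = 100                    # threshold; 100 disables severity-based alerting
    rule_ids: Set[str] = field(default_factory=set)
    severity_delay: bool = False           # the "Severity-Delay support" check box
    handler_supports_delay: bool = False   # custom protocol only; assumed flag, not a product setting


@dataclass
class Event:
    """A mapped event: its severity and, if it matched an attention rule, that rule's ID."""
    timestamp: float                       # seconds; constructed sample data
    severity: int
    rule_id: Optional[str] = None


def alert_triggered(setting: AlertSetting, event: Event) -> bool:
    # Severity-based alerting is switched off when the threshold is 100.
    by_severity = setting.severity < 100 and event.severity >= setting.severity
    # Rule-based alerting applies whenever the event's attention rule ID is listed.
    by_rule = event.rule_id is not None and event.rule_id in setting.rule_ids
    return by_severity or by_rule


def delay_allowed(setting: AlertSetting) -> bool:
    # Email can always be delayed, SNMP never, custom only if the handler copes.
    if setting.protocol == "SNMP":
        return False
    if setting.protocol == "SMTP":
        return setting.severity_delay
    return setting.severity_delay and setting.handler_supports_delay


def batch_alerts(setting: AlertSetting, events: List[Event], max_wait: float = 60.0) -> List[List[Event]]:
    """Group triggered events into outgoing messages.

    Without delay, every triggered event becomes its own message. With delay,
    the first triggered event opens a window of max_wait seconds and later
    triggered events inside that window join the same message (a simplified
    model of the mapper's maximum waiting time; an assumption of this example).
    """
    messages: List[List[Event]] = []
    pending: List[Event] = []
    window_start = 0.0
    for ev in sorted(events, key=lambda e: e.timestamp):
        if not alert_triggered(setting, ev):
            continue
        if not delay_allowed(setting):
            messages.append([ev])
            continue
        if pending and ev.timestamp - window_start >= max_wait:
            messages.append(pending)      # waiting time reached: flush the batch
            pending = []
        if not pending:
            window_start = ev.timestamp
        pending.append(ev)
    if pending:
        messages.append(pending)
    return messages


# Constructed sample: one special attention event, two high-severity events, one noise event.
SAMPLE_EVENTS = [
    Event(0.0, 50, "sysupsa"),
    Event(10.0, 96),
    Event(20.0, 30),
    Event(100.0, 97),
]

if __name__ == "__main__":
    mail = AlertSetting("SMTP", "soc-alerts@example.invalid", severity=95,
                        rule_ids={"sysupsa"}, severity_delay=True)
    trap = AlertSetting("SNMP", "", severity=95, rule_ids={"sysupsa"}, severity_delay=True)
    print("email messages:", [[e.timestamp for e in m] for m in batch_alerts(mail, SAMPLE_EVENTS)])
    print("snmp messages:", [[e.timestamp for e in m] for m in batch_alerts(trap, SAMPLE_EVENTS)])
```

With the sample data the email entry produces two messages (the rule-based event and the severity-96 event share one, the later severity-97 event gets its own), while the identical SNMP entry produces three, one per triggered event, because the delay is never available for SNMP.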
events varies, depending on the system load, and takes about 15 minutes if the load is moderate. As a result, alerts, if any, are generated within 30 minutes after the event has occurred. This time can be reduced further by increasing the collect frequency, at the cost of additional overhead. Collect schedules more frequent than every five minutes are advised only in special cases.
where <GEMDB> is the name of the GEM database. For example, to disable alerting for GEM database GEM1, leaving it enabled for all other GEM databases that are loaded on schedule, add the following configuration parameter to gensub.ini:
[Mainmapper.GEM1]
alerting=no
Alerting can also be disabled for all GEM databases at once, making it possible to enable it for specific GEM databases only. To disable alerting for all GEM databases, add the following configuration parameter to gensub.ini:
[Mainmapper]
alerting=no
Alerting can then be enabled for a specific GEM database, as in the following example:
[Mainmapper.<GEMDB>]
alerting=yes
For example, to disable alerting by default and enable it for GEM database GEM2 only, add the following configuration parameter to gensub.ini:
[Mainmapper]
alerting=no
[Mainmapper.GEM2]
alerting=yes
Note that even if gensub.ini explicitly specifies that alerting should be performed for a GEM database, it is still done only if the database is loaded on a schedule.
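The interaction between the global [Mainmapper] section and the per-database [Mainmapper.<GEMDB>] sections is easy to misread when gensub.ini has grown over time, and a silenced database means no alerts at all for it. The following Python script is an added example, not part of this guide or the product: it parses a constructed gensub.ini fragment and resolves, for a named GEM database, whether alerting is enabled, applying the precedence the examples above show (the per-database section overrides the global one) and the documented rule that alerts are only ever produced for databases loaded on schedule. It assumes alerting is on when neither section sets it, as the GEM1 example above implies, and treats any value other than yes as disabled. The database names GEM2 and GEM3 in the sample and the function names are this example's own.

```python
import configparser

# Constructed sample of the two gensub.ini section kinds discussed in the text.
# Section and key names are as documented; the database names are made up.
SAMPLE_GENSUB_INI = """
[Mainmapper]
alerting=no

[Mainmapper.GEM2]
alerting=yes

[Mainmapper.GEM3]
alerting=NO
"""


def parse_gensub(text: str) -> configparser.ConfigParser:
    """Parse gensub.ini content; key case is preserved as written."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read_string(text)
    return cp


def alerting_enabled(cfg: configparser.ConfigParser, gemdb: str, loaded_on_schedule: bool = True) -> bool:
    """Resolve whether the mapper raises alerts for one GEM database.

    Precedence (from the documented examples): [Mainmapper.<GEMDB>] overrides
    [Mainmapper]. When neither sets 'alerting', alerting is assumed to be on.
    Values other than 'yes' (case-insensitive) are treated as disabled; that
    interpretation is this example's assumption. Alerts are only produced for
    databases that are loaded on a schedule, whatever the file says.
    """
    if not loaded_on_schedule:
        return False
    value = None
    if cfg.has_option("Mainmapper", "alerting"):
        value = cfg.get("Mainmapper", "alerting")
    section = f"Mainmapper.{gemdb}"
    if cfg.has_option(section, "alerting"):
        value = cfg.get(section, "alerting")
    if value is None:
        return True
    return value.strip().lower() == "yes"


def explicit_overrides(cfg: configparser.ConfigParser) -> dict:
    """Map every GEM database that has its own [Mainmapper.<GEMDB>] section to
    its resolved alerting state, so silenced databases are easy to spot in a review."""
    result = {}
    for section in cfg.sections():
        if section.startswith("Mainmapper."):
            gemdb = section.split(".", 1)[1]
            result[gemdb] = alerting_enabled(cfg, gemdb)
    return result


if __name__ == "__main__":
    cfg = parse_gensub(SAMPLE_GENSUB_INI)
    for db in ("GEM1", "GEM2", "GEM3"):
        print(db, "alerting" if alerting_enabled(cfg, db) else "silenced")
    print("explicit overrides:", explicit_overrides(cfg))
```

Reviewing the output of explicit_overrides against the list of databases that are loaded on schedule is a quick way to confirm that no database was silenced by accident after the EventMapper services were restarted.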
3. To receive alerts only on the special attention rule severity, change No to Yes and save the file. Note: Restart the EventMapper services in the Windows Services applet to make the change take effect.
Protocol settings
After one or more alerts are specified, you must configure the protocols in use. Protocol settings apply to all alerts that are sent using the same protocol. To configure protocol settings, do the following steps: 1. In the Management Console, open the Alert Maintenance window by pressing [Ctrl] + [R]. 2. In the Alert Maintenance window, select an alert and click Protocol Settings. The Protocol Settings dialog that is displayed depends on the protocol, that is, either the SMTP (email), SNMP, or custom protocol. Each protocol has specifics that must be considered. For details about configuring the protocols, see the following sections.
SMTP
If the SMTP (Email) protocol is used, after performing steps 1 and 2 as in Protocol settings, the Protocol Settings dialog is displayed as follows (Figure 44 on page 122):
Figure 44. General protocol settings dialog for the Email protocol
To configure the settings, do the following steps:
1. Check that the General tab of the dialog is active and fill in the following text fields:
Host
   Type the DNS hostname or IP address of the SMTP email server that forwards the messages.
From
   Type the SMTP email address of the sender. This is generally the email address of the Tivoli Compliance Insight Manager administrator.
Reply to
   Type the SMTP email address where recipients can send a reply, if that address is different from the From address. For example, it might be necessary to route replies to a mailbox that all administrators can access.
2. Click OK to save the change.
Notes:
1. The SMTP server should be properly configured. Most SMTP servers have an IP filter. Ensure that the IP address of the Server is allowed to use the SMTP server.
2. If you must distribute alerts to several recipients, set up a distribution list alias on the SMTP server so that the Server sends only a single alert to the SMTP server, which then distributes it to all recipients.
SNMP
If the SNMP protocol is used, after performing steps 1 and 2, the Protocol Settings dialog is displayed (Figure 45 on page 123):
To configure the settings, complete the text fields, using the following steps:
Address
   Enter the DNS hostname or IP address of the SNMP device or application receiving the alerts.
Port
   Enter the IP port on which the SNMP receiver listens (usually 161).
Notes:
1. SNMP uses the UDP protocol, and thus you cannot be sure that messages actually arrive at the SNMP receiving device. To maximize reliability, the network often needs to be configured for SNMP traffic. Consult your network administrator about network configuration.
2. SNMP receivers are configured using a file defining the SNMP message format. The file for the SNMP alert format sent by Tivoli Compliance Insight Manager can be found at \tcim\Server\mib\alert.mib.
Custom
With the Custom protocol, alerts can be forwarded to virtually any device or application using any protocol. To achieve this forwarding, you must obtain or create a protocol handler, such as an MS-DOS or Windows 32-bit executable. The custom protocol handler is started by the mapper whenever a set of custom alerts must be sent. If the severity delay feature is not used, the custom protocol handler is started separately for every custom alert. If the severity delay feature is used, the handler is started when the maximum wait time has passed, combining multiple custom alerts in a single run. After performing steps 1 and 2 as in Protocol settings on page 121, the Protocol Settings dialog is displayed (Figure 46 on page 124):
To configure the settings, complete the Execute field by typing the command line that invokes the handler. You can use an absolute path to the executable, or a path relative to the \tcim\Server\run folder. Any command line parameters that the handler requires, as well as three different place holders, can be specified. When the alert handler is started, the place holders are replaced with actual values:
v The recipient value includes the recipient from the Recipient field of the alert on the command line. The handler can use this parameter to route the message.
v The eventfile value includes the path to a temporary file with event data on the command line. The event file makes the payload of the message available to the handler. For more information, see Event File parameters.
v The summary value includes a text summary of the events the alert reports on directly on the command line. The summary can include any of the following items:
nn Attentions occurred.
Maximum Severity: ss.
Broken Attention Rules: <rule1>, <rule2>, ..., <rulen>.
Table 3. Fields of the Event File parameter (continued)

| Header | Content | Format / Valid values |
|---|---|---|
| When | The event time stamp. | Non-empty string with format: dow mon dd hh:mm:ss zzz yyyy. |
| WhenGroups | A list of all When groups to which the event belongs. | String format: [groupname1: groupsignificance1, |
| WhatVerb | Event main class: the first part of the What as listed in iView. | Non-empty string. |
| WhatNoun | Event class: the middle part of the What as listed in iView. | Non-empty string. |
| WhatSuccess | Success class: the third part of the What as listed in iView. | Non-empty string. |
| WhatGroups | A list of all What groups to which the event belongs. | The same as WhenGroups. |
| WhereType | The platform type from the event Where. | Non-empty string. |
| WhereName | The platform name from the event Where. | Non-empty string. |
| WhereGroups | A list of all Where groups to which the event belongs. | The same as WhenGroups. |
| WhoRealname | The person name for the event Who. | Non-empty string. |
| WhoLogonname | The logon ID for the event Who. | Non-empty string. |
| WhoGroups | A list of all Who groups to which the event belongs. | The same as WhenGroups. |
| WherefromType | The platform type from the event Wherefrom. | Non-empty string. |
| WherefromName | The platform name from the event Wherefrom. | Non-empty string. |
| WherefromGroups | A list of all WhereFrom groups to which the event belongs. | The same as WhenGroups. |
| OnwhatType | The left part of the OnWhat from the event as listed in iView. | Non-empty string. |
| OnwhatPath | The middle part of the OnWhat from the event as listed in iView. | Non-empty string. |
| OnwhatName | The right part of the OnWhat from the event as listed in iView. | Non-empty string. |
| OnWhatGroups | A list of all OnWhat groups to which the event belongs. | The same as WhenGroups. |
| WheretoType | The platform type from the event Whereto. | Non-empty string. |
| WheretoName | The platform name from the event Wherefrom. | Non-empty string. |
| WheretoGroups | A list of all WhereTo groups to which the event belongs. | The same as WhenGroups. |
| RuleIDs | A list of IDs of all attention rules that match this event. | |
To run the sample, save the code to a batch file called c:\sdalert.bat and use the following command line in the protocol settings window:
c:\sdalert.bat <recipient> <summary> <eventfile>
The sample writes its output to a file called sdalert.log, as in the following example:
The current time is: 15:08:23.91
Enter the new time:
Recipient anyone@example.com
Summary "Attention occurred. Severity: 80. Broken Attention Rule: sysupsa."
Eventfile C:\DOCUME~1\CEAROO~1.CRM\LOCALS~1\Temp\cstalert44756.tmp
Severity WhatNoun WhereName WhoGroups OnwhatType WheretoType EventCount WhatSuccess WhereGroups WherefromType OnwhatPath WheretoName When WhatGroups WhatVerb WhatGroups WhereType WhoRealname WhoLogonname WherefromName WherefromGroups OnwhatName OnwhatGroups WheretoGroups RuleIDs
80 1 Wed May 07 15:04:44 CEST 2003 [Office Hours:10] Use Privilege Failure [System Updates:50] Windows SATURN [Workstations:10] John Emerson SATURN\JOHN [Users:10] [Workstations:10] SATURN [Workstations:10] AUDITPOLICY . Audit Policy [Other Objects:10] Windows SATURN [Other Platforms:10] [sysupsa]
The output shows the current time, the recipient, the event summary, and the event file pathname; the event file is in the temp folder of the OS user account under which Tivoli Compliance Insight Manager runs. The event file is a temporary file that is deleted after the handler exits, so if its contents are needed, the handler must copy them, as the sample handler does by copying and forwarding the data to another location. The sample output shows the contents of the event file starting with the line that begins with Severity. Note: The alert handler is called directly from a Java process. It does not run in a DOS window, and it must not write to the standard devices. If output is sent to any of the standard devices, such as stdout or stderr, the handler process halts, and so does the main mapper, making the database load fail. Therefore, the sample redirects all output, for both stdout (1) and stderr (2), either to an output file or to the null device.
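The handler contract described above (the recipient, summary and eventfile arguments, an event file that is deleted once the handler exits, and no output to the standard devices), worked through as an added Python example; it is not the sample batch file from the original, and the tab-separated event file layout and the sdalert.log file name are assumptions.

```python
"""Custom protocol handler for Tivoli Compliance Insight Manager alerts.

Added example; this is not the product's sample batch handler. Assumptions,
labelled here and in the comments: the event file is a text file with a
header line followed by one tab-separated value line per event, and the
group fields use the "[name1: significance1, name2: significance2]" format
from Table 3. The handler never writes to stdout or stderr, because the
mapper that starts it halts if anything reaches the standard devices, and
it copies what it needs out of the event file before exiting, since the
mapper deletes that file once the handler has finished.
"""
import json
import sys
from datetime import datetime

LOG_PATH = "sdalert.log"   # hypothetical log file, relative to the run folder

# Constructed sample event file (one event), assumed tab-separated.
SAMPLE_EVENTFILE = (
    "Severity\tEventCount\tWhen\tWhenGroups\tWhatVerb\tWhatNoun\tWhatSuccess"
    "\tWhereName\tWhoLogonname\tRuleIDs\n"
    "80\t1\tWed May 07 15:04:44 CEST 2003\t[Office Hours:10]\tUse\tPrivilege"
    "\tFailure\tSATURN\tSATURN\\JOHN\t[sysupsa]\n"
)


def parse_bracket_list(value):
    """Split "[a, b]" into ["a", "b"]; an empty or missing list gives []."""
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return [item.strip() for item in inner.split(",") if item.strip()]


def parse_groups(value):
    """Turn "[Office Hours:10, Users:20]" into [("Office Hours", 10), ...]."""
    groups = []
    for item in parse_bracket_list(value):
        name, sep, significance = item.rpartition(":")
        if sep and significance.strip().isdigit():
            groups.append((name.strip(), int(significance)))
    return groups


def parse_eventfile(text):
    """Parse the header line plus value lines into one dict per event."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    events = []
    for line in lines[1:]:
        fields = line.split("\t")
        fields += [""] * (len(header) - len(fields))   # pad a short row
        record = dict(zip(header, fields))
        for key in list(record):
            if key.endswith("Groups"):        # When/What/.../OnWhat groups
                record[key] = parse_groups(record[key])
        record["RuleIDs"] = parse_bracket_list(record.get("RuleIDs", ""))
        record["Severity"] = int(record.get("Severity") or 0)
        events.append(record)
    return events


def handle_alert(recipient, summary, eventfile_text, log_path=LOG_PATH):
    """Build the record that would be forwarded and append it to the log.

    Returns the record so that a caller (or a test) can inspect it;
    log_path=None skips the write.
    """
    events = parse_eventfile(eventfile_text)
    record = {
        "received": datetime.now().isoformat(timespec="seconds"),
        "recipient": recipient,
        "summary": summary,
        "event_count": len(events),
        "max_severity": max((e["Severity"] for e in events), default=0),
        "rules": sorted({rule for e in events for rule in e["RuleIDs"]}),
        "events": events,
    }
    if log_path:
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
    return record


def main(argv):
    """Entry point: handler.py <recipient> <summary> <eventfile>."""
    try:
        recipient, summary, path = argv[1:4]
        with open(path, encoding="utf-8") as fh:
            text = fh.read()            # copy before the mapper deletes it
        handle_alert(recipient, summary, text)
    except Exception as exc:            # nothing may reach stderr
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write("handler error: %r\n" % (exc,))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```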
Figure 47. Protocol Settings dialog with the active Delay tab
3. Use the range menu to specify a severity range from 1 to 99. Alternatively, select a value in the menu and enter the one that is required.
4. In the Delay list box, select the number of minutes by which to delay alerts in the severity range.
5. Click Add.
6. Repeat steps 3 - 5 for each severity range and delay that needs to be set. Click OK when finished.
Overview
You can use the Policy Generator to create the first working security policy easily. It uses a set of collected data in a database as the starting point for the security policy and guides you through a graphical wizard that is easy to use and understand. You can create working security policies automatically, using event data captured by event sources and knowledge that is built into the tool, based on the known acceptable behavior of the platform families contained in that data. Policy Generator is provided per Tivoli Compliance Insight Manager instance, and is installed by the iView 8.5 installation program.
Entry window
If you open the Policy Generator successfully, the entry window opens (Figure 48 on page 130). In the Policy name field, enter a name of the security policy to be created, and click Next. On the subsequent window of Policy Generator, follow the instructions that are available in the Online Help.
Copyright IBM Corp. 1998, 2008
Policy Generator
To cancel creating a policy, click Cancel.
Purpose
Scoping is a Web-based application that controls access to information in the iView reports.
Overview
Scoping is done per Tivoli Compliance Insight Manager instance. Users within the Scoping application own Who, onWhat and Where groups, and iView shows a user only information about events that are associated with the groups that the user owns. You can use the user interface of the Scoping application, through a Web browser, to configure Scoping on a Server. You can either manage the Scoping configuration information for Scoping items or enable or disable the functionality.
Manager group is an asset in the root scoping group for the hierarchy of the corresponding dimension. A user can be a member of multiple scoping groups in any or all of the hierarchies. Any membership of a user in a scoping group can be marked as an administrator.
Normal users
Normal users can view only scoping configuration information associated with scoping groups they own. For each scoping group, if you are a normal user you can view information about the scoping group and its assets and members if you are a member of that scoping group or a member of a scoping group that is an ancestor (parent, grandparent, and so on.) of that scoping group. Normal users can also be set as administrators for a scoping group of which they are members. When a normal user is an administrator of a scoping group, that user can change scoping configuration for that group and all descending scoping groups.
The Portal is the main entry point to the Tivoli Compliance Insight Manager Web-based applications. For more information about logging into the Portal, see Chapter 20, Using the Portal, on page 145. The other way to access the Scoping interface is to enter the URL http://server_ip_address/scoping into your web browser, where the server_ip_address is the IP address for the Tivoli Compliance Insight Manager Web-based applications. The Scoping login page displays, and you can enter your username and password and click Submit to open the Scoping application. If you cannot successfully log into the Scoping application, you may not have permission to access the Scoping application. See your Tivoli Compliance Insight Manager administrator regarding permissions. Note: If you do not execute any action after a period of 10 minutes or more, you will be automatically logged out of the Scoping application.
Overview page
The Overview page provides access to the scoping group hierarchy for each of the dimensions (Who, onWhat, and Where) that are covered by Scoping. If you are logged in as the Tivoli Compliance Insight Manager administrator, you can also see the number of groups in the Who dimension, onWhat dimension, and Where dimension that are not assigned as scoping group assets. The Overview page also allows the Scoping functionality to be enabled or disabled. Only the Tivoli Compliance Insight Manager administrator can enable or disable Scoping.
Terminology
Table 4 shows data scoping terms and descriptions.
Table 4. Data scoping terminology

| Term | Meaning |
|---|---|
| Scoping groups that you can control | All scoping groups in which a Tivoli Compliance Insight Manager user is a member and all their descendant groups. |
| Tivoli Compliance Insight Manager Administrator | The administrator user created during installation, typically having the username cifowner. |
| Normal user | A Tivoli Compliance Insight Manager user other than the administrator. |
| Dimension | One of the W7 (Who, What, When, Where, onWhat, from What, Where to) properties defined in Tivoli Compliance Insight Manager for events. |
| Asset group | A Tivoli Compliance Insight Manager group on the Who, Where or onWhat dimensions. |
Using Scoping
This section provides you with detailed instructions about using features of the Scoping application.
Note: This functionality is available to the Tivoli Compliance Insight Manager administrator user only.
If you clicked Start, the Changing Scoping Status page is displayed. Wait until the change of the scoping status is complete. To disable scoping, click Disable Scoping and then proceed in the same way as in the preceding step. Note: This functionality is available to the Tivoli Compliance Insight Manager administrator user only.
You can see only those scoping groups in which you are a member, and all their descendants. For each scoping group, this window shows the scoping group name, all scoping group members, all scoping group assets, and all child scoping groups. For each scoping group member, this window shows the username of the user associated with this scoping group member entry. If the user is an administrator of this scoping group, the Admin Rights check box is also selected. For each scoping group asset, this window displays the name of the Tivoli Compliance Insight Manager group in the dimension for this hierarchy that corresponds to this scoping group asset.
v The new name for the scoping group is empty or consists entirely of spaces.
v A scoping group with the same name is in the same dimension.
3. Optionally, select the corresponding check box to make the user an administrator for this Scoping group.
4. Click Submit to add the user to the scoping group or Cancel to end the operation.
Note: If all the users are already members of this Scoping group, the list box is unavailable on the New Member page and your only option is to click Close.
If the operation was not canceled, Scoping information for the dimension is updated to reflect your modifications. This operation fails if you are neither the Tivoli Compliance Insight Manager administrator nor an administrator of the Scoping group to which the new member is added, or of any ancestor scoping group of it.
v You are neither the Tivoli Compliance Insight Manager administrator nor an administrator of the scoping group from which the member is to be removed, and you are not in any ancestor scoping group of it.
v You are removing the Tivoli Compliance Insight Manager administrator from a root scoping group.
This operation can fail if you are not an administrator of the scoping group from which the assets are to be moved, or of the group to which the assets are to be moved, or of any ancestor scoping group of it.
Notes:
1. A warning message is displayed if you click Move and no assets are selected.
2. To move an individual asset, click the arrows widget beside the corresponding asset.
3. On the Move Assets To page, select a destination scoping group from the list box.
4. Click Submit to move the assets to the destination scoping group or Cancel to end the operation.
Portal
To log out of the Portal, click the Log off tab in the upper right corner of the Portal Overview page.
Notes:
1. To get access to the Portal, cookies must be enabled in the browser. Refer to the browser online help for instructions about enabling cookies.
2. Tivoli Compliance Insight Manager components can be protected by roles, so only part of the functionality might be accessible to you. Refer to Chapter 15, Managing users and roles, on page 85 for details about managing roles.
Notes:
1. The Tivoli Compliance Insight Manager setup program automatically installs a copy of iView on the Server system when other Tivoli Compliance Insight Manager components are installed. Additional copies of iView can be installed on other Windows NT or Windows 2000 computers. For installation information, see the IBM Tivoli Compliance Insight Manager: Installation Guide.
2. If the name of the Server system where Tivoli Compliance Insight Manager is installed changes, the administrator must also change this name in the tcim-home\iView\tomcat\conf\catalina.policy file. For example, from
permission java.net.SocketPermission "$OLD_MACHINE_NAME$:1024-", "listen, accept";
to
permission java.net.SocketPermission "$NEW_MACHINE_NAME$:1024-", "listen, accept";
Logging on to iView
Before starting to use iView, you must get a user name and a password from the Tivoli Compliance Insight Manager administrator, who can create the user name through the Management Console. By default, this user has authority to log on to iView. To open iView, perform the following:
1. Log on to the Portal. Refer to Chapter 20 for more details.
2. On the Overview page of the Portal, click iView in the IBM Tivoli Compliance Insight Manager section of the main pane.
Successful logon
When the Tivoli Compliance Insight Manager administrator has configured load schedules on the Server, a window similar to the example in Figure 53 is displayed:
This window shows the current security status of the information environment at a glance. It uses the aggregation database, which is created automatically when a scheduled load occurs. If load schedules were not defined for the Server, an aggregation database and data are not provided for the databases in the Enterprise Overview area.
Table 5 contains a list of the navigation controls and a brief description of each.
Table 5. iView navigation controls

| Navigation control | Description |
|---|---|
| Dashboard | Shows the Compliance Dashboard page of iView. For more information, see Chapter 23, Understanding the iView Dashboard, on page 153. |
| | Shows the All Events page of iView, which presents the aggregated data of all databases for a specific period of time. |
| | Shows the initial iView reports page. |
| | Shows the Policy Settings page of iView, where you can set up and check Tivoli Compliance Insight Manager audit policies. |
| | Gives access to the Group types page of iView, including group types for the selected database, the number of groups they presently contain, and the Grouping wizard. |
| | Shows the User Preferences page of iView. Here iView preferences can be configured. |
| | Shows the Regulations Resource Center page of iView. Here Management Modules can be accessed and monitored. |
| | Opens the Overview page of the Portal. For more information, see Chapter 20, Using the Portal, on page 145. |
Enterprise overview
Audit data is grouped in a node graph, which is a two-dimensional view of event data. Dimensions can be any two of the seven available types of information associated with events tracked by Tivoli Compliance Insight Manager (Who, What, When, Where, on What, from Where, Where to). The title above the node graph displays its context information. The context information consists of the data source name, the time period start and end dates, and the event statistics resolution for the information being displayed. To the left side of the node graph and under the node graph are line labels that display names of the groups for the corresponding lines. The names of the groups on the X and Y axes are arranged alphabetically. The intersections of the lines in the node grid contain nodes. A node is the area in the node graph where a column crosses a line. When the total number of events for that node is a nonzero value, a colored ball is displayed in the node. For representing quantities of events in nodes, a set of four colored balls, each with a predefined, easily distinguishable size, is displayed. The larger the size of the colored ball, the greater the total number of events for the node.
The color of the ball can be blue, amber or red depending on the maximum event severity for that node and the values of threshold parameters that can be configured from the Settings page. The lower threshold is amber and the upper threshold is red:
v If the maximum event severity for the node is less than the amber threshold, the color of the ball is blue.
v If the maximum event severity for the node falls in the range between the amber threshold and the red threshold, including the value of the amber threshold itself, the color of the ball is amber.
v If the maximum event severity for the node is greater than or equal to the red threshold, the color of the ball is red.
When the mouse pointer hovers over a node, a tip is displayed with information about the total number of events, exceptions, attentions, and the maximal severity for that node. If you click on the node, you can select the detailed report on another page.
Settings
The Enterprise Overview Settings page includes many useful options for managing the appearance of your Enterprise Overview, starting with the following options that determine the time period for the displayed summary:
Show last completed
   Selecting this control activates a pair of list boxes that can be set to indicate a round number of recent days, weeks or months for which the enterprise summary is generated.
Last existing data
   Selecting this control sets the latest record (time stamp) of data to be the point from which the enterprise summary is generated.
Date range
   Selecting this control sets the start time and end time for the summary. The appearance of the date range is influenced by the Show last completed option: the date range can be expressed in days, weeks or months.
Display groups based upon
   Select this list box to control the way in which groups are displayed on the summary. The following top options are included:
   v Attentions
   v Events
   v Exceptions
   v Failures
   v Severity
You can use the collapsible Horizontal Axis Settings pane to adjust the following parameters of the X-axis:
Dimension
   Use this list box to select the dimension for the X-axis among the seven Ws: Who, What, When, Where, OnWhat, FromWhere, WhereTo.
Number of groups
   Use this list box to set the number of groups, in the range from 1 to 50, used for generating the summary. If the number of groups for a dimension is more than was set with this option, the rest of the groups constitute a generic group called the composite group.
Show the most important assets
   When selected, this radio button allows only the most important assets to be shown on the summary.
Select assets to show
   When selected, this radio button activates the Available and Selected lists, which can be used to select preferred assets for the summary.
You can use the collapsible Vertical Axis Settings pane to adjust the parameters of the Y-axis. This pane contains the same controls as the Horizontal Axis Settings pane.
Note: You can access iView's Enterprise Overview Settings page from the Dashboard page, and you can access some of the Enterprise Overview Settings from the Database Summary page. On both the Dashboard page and the Database Summary page, your changes can be saved and used the next time you log in to iView. In addition, settings changes made from the User Preferences page can be saved and used the next time you log in to iView. For more information, see Using enterprise overview settings on page 195.
Trend graphic
You can use this component to spot deviations from, and trends in, the company security policy. The Trend graphic component consists of a graphical chart with a heading describing data displayed. Along with the corresponding label, Percentage of Policy Exceptions, the heading also displays the date range indicating the period of time for which data is evaluated. The X-axis presents date/time period labels that depend on the selected settings. Data on the chart is presented by a solid blue line. The value of the percentage of policy exceptions is calculated as the ratio of the number of policy exceptions to the number of all events. On the chart, the amber line is the amber threshold, which is Lower threshold. The red line is the red threshold, which is Upper threshold. Thus, the red and amber lines indicate the severity level. Note: Ideally, the number of policy exceptions should be below the amber line. The amber and red thresholds are configured from the Settings page of iView.
Settings
You can adjust the time period for which the trend graphic graphs are displayed. The following time periods apply:
Show last completed
   Selecting this control activates a pair of list boxes so that you can set a round number of recent days, weeks, or months for which the enterprise summary is generated.
Last existing data
   Selecting this check box sets the latest record (time stamp) of data to be the point from which the enterprise summary is generated.
Date range
   Selecting this control lets you set the start time and end time for the summary. The appearance of the date range is influenced by the Show last completed option: the date range can be expressed in days, weeks, or months.
Note: You can access iView's Trend Settings page from the Dashboard page. Changes made from the Dashboard page can be saved and used the next time you log in to iView. In addition, settings changes made from the User Preferences page can be saved and used the next time you log in to iView. For more information, see Using trend settings on page 196.
Database overview
On the left side of the Database Overview pane, all databases for the current Server are listed as large icons with labels. The first database is usually the aggregation database. If a Consolidation Server is installed, the consolidation database is the first database in the list. On the right side of the Database Overview pane, the following information is displayed for a selected database:
Name
   The name of the database.
Status
   The status of the database. The status can be loaded, loading, not loaded, or cleared.
Loading date
   For a loaded database, the date of the last data loading.
Content
   Event sources that are attached to the chosen database.
Notes:
1. When the mouse pointer is moved to another database icon on the left side of the Database Overview pane, the information on the right side changes synchronously.
2. When you click a database icon, you are directed to the database summary page.
Database summary
The heading immediately below the navigation bar specifies the name of the chosen database and the name of the current Server. On the Database Summary page, data is grouped into three panes:
v Event Information, a summary of events for the chosen database, grouped into the following items:
Total Events
   Total number of events for the database.
Policy Exceptions
   Total number of policy exceptions and their value in percentages.
Special Attentions
   Total number of attention events and their value in percentages.
Failures
   Total number of failures and their value in percentages.
For each of the iView report types mentioned above, you can select between the event detail report and the event summary report by clicking the corresponding icon to the right of the Event Information pane.
v Status of the database, a pane that summarizes information about the current status of the database, grouped into the following categories:
Status of Database
   See Database overview on page 156 for possible values of the database status.
Loading date
   Date when the database was loaded.
Number of days
   Number of days for which events are collected.
v Data in this database, a list of event sources attached to the chosen database. Event sources are displayed with the Where (Platform), Start time, End time, #Chunks, and #Events attributes. Click Timezone on the right side of the Data in this database pane to change the current time zone for the values of the start time and end time attributes of event sources. In the Time Zone Settings dialog that is displayed, select a time zone from the list box and click OK.
Note: Changes made from the Dashboard page and the Database Summary page can be saved and used the next time you log in to iView. You can also configure the time zone using the User Preferences page, and those changes can be saved and used the next time you log in to iView. For more information, see Using database settings on page 193.
To return to the Dashboard page, click Dashboard on the left side of the navigation bar. The database that you previously clicked is selected in the Database Overview pane.
The Database Overview area presents the set of databases to which you have access rights. A successfully loaded database is displayed as an icon, and a database is selected by clicking the corresponding control. Figure 56 on page 160 shows the link that is followed to connect to the database GEM:
In the following sections, a database is selected because one of the icons in the Database Overview area was followed. The selected database can be verified in the upper left corner of the report page (Figure 57):
Thus, the first element in the breadcrumb always links to the Compliance Dashboard page and represents the Server that is being connected. The second element represents the currently selected database and leads to the Summary
Event-based summary reports generated by Management Modules
   A subset of reports obtained from Management Modules, a capability that you can use to monitor and maintain compliance with a selected standard.
Filtering can be provided for any of the W7 elements by clicking the square icons as marked with blue circles as shown in Figure 58 on page 162:
The blank color of the square icon means that no filtering is applied to the corresponding group. The color red means that some filtering is applied. In addition, the title of the report reflects the current parameters of iView filtering. In Figure 59, for example, filtering for Add : Privilege / Success is applied to the What group and filtering for System is applied to the Who group. Clicking a square arrow invokes the Filter Settings dialog (Figure 59):
Here you can enter new filtering parameters or change those that are already set. You can use the question mark ? (for a single character) and the asterisk * (for multiple characters) as wildcards, and the grave accent symbol ` as the escape character (a grave accent before a wildcard character makes it a literal in the filter value).
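The wildcard and escape rules just described, worked through as an added example that is not iView's own filter code; the field names and sample events are constructed.

```python
import re

# Added example of the iView filter syntax described above: "?" matches one
# character, "*" matches any run of characters, and a grave accent escapes
# the character that follows it so it is matched literally. This is not
# iView's own matching code; field names and sample events are constructed.


def filter_to_regex(pattern):
    """Translate an iView filter value into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "`" and i + 1 < len(pattern):   # escape: next char is literal
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matches(pattern, value):
    """True if the whole value matches the filter pattern."""
    return filter_to_regex(pattern).match(value) is not None


def apply_filters(events, filters):
    """Keep the events whose W7 fields all match their filter values.

    `filters` maps a field name (What, Who, ...) to a filter string; a
    field with no filter entry is left unfiltered, as in the report.
    """
    return [event for event in events
            if all(matches(pattern, event.get(field, ""))
                   for field, pattern in filters.items())]


# Constructed sample events in the "Verb : Noun / Success" form iView shows.
SAMPLE_EVENTS = [
    {"What": "Add : Privilege / Success", "Who": "System"},
    {"What": "Add : Privilege / Failure", "Who": "System"},
    {"What": "Use : Privilege / Failure", "Who": "SATURN\\JOHN"},
    {"What": "Read : File*Share / Success", "Who": "John Emerson"},
]
```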
The report shows chronologically what actions a user, in this case the user cifowner, has initiated. The report includes the type of action in the What column while the object involved is listed in the OnWhat column. The user name itself is listed in the Who column.
The result is an event list that shows all events 30 minutes before and 30 minutes after the chosen event. Use the following steps to obtain the information a second way:
1. On the iView navigation bar, click Reports.
2. Pick any report from the list that allows specification of a time frame (see the Action column).
3. View the report with the chosen time frame.
The number of exceptions is found in the last column. Click this number to see a list of the actual events. If more information about a specific event is needed, click the link to the Event Detail page.
The event count link connects to the actual events on the Event Table page. If more information is required about a specific event, click the time indication link to go the Event Detail page.
Viewing failures
The Failures event summary report control on the Database Summary page navigates to the Failures Summary page, which is a summary of all failures that were logged, in order of their severity. The main severity categories are:
Higher than 40
High, and red in color
21-40
Medium, and red in color
0-20
Colored from unavailable to pink
iView lists the number of failures for every kind of failure in this summary. Clicking the number produces the event list of that kind of failure. If detailed information about the event is required, click the time indication link to select the Event Detail page.
1. In the Setup section, click the date and time interval over which data is to be viewed. The default setting shows the full range of times for data in the database.
2. Click Execute to see events that occurred in the set time frame, or click Reset to return to the original interval settings.
Configuration tools
You can use the following report types in the Configuration tools section to see events in summary form, summarized by group type, security policy, or attention rules. This section also provides a link to the Policy wizard.
Events by type report
Lists all event types with a total for each type. The links in this report let you view all events, policy exception events, and attention events sorted by event type.
W7 Summary report
Lists all events in the database, sorted in order of frequency. Clicking a link in the #Event column displays all events of the type clicked.
Events by rule report
Lists all events selected by a rule. This report gives a way to test the effect of a new policy or attention rule. Create the report by clicking a choice in each list box in the Rule section, and then clicking Submit. The resulting report shows events that would no longer create policy exceptions or attention events if this rule were added to the security policy.
Policy Settings report
Lists all events that comply with the security policy rules. The Policy Settings report page includes a link to the Policy wizard; you can access the Policy wizard through this link if you have been assigned the Security Policy role in Tivoli Compliance Insight Manager. For information about managing user roles in Tivoli Compliance Insight Manager, see Chapter 15, Managing users and roles, earlier in this manual. For information about using the Policy wizard, see Chapter 8, Creating a security policy. The report displays the automatic and security policy used to load the data in the GEM database that is being viewed. It then lists the number of events in the database that trigger each policy rule in the security policy.
Policy wizard link
Opens the Policy wizard, if you have the Edit Security Policy role in Tivoli Compliance Insight Manager. For information about using the Policy wizard, see Chapter 8, Creating a security policy.
For convenience, short descriptions of Configuration tools reports are available in the Description column on the iView Reports page.
Firewall reports
The following firewall reports enable tracking of network activity that crosses the company firewalls:
Firewall Activity report
Lists the ten most active IP addresses and the IP addresses that caused the most policy exceptions.
Firewall Overview report
Provides top ten lists of the following entities:
Active Web browsers
Lists Web browsers that connected most frequently to the site.
Access drops
Lists access requests dropped by FireWall-1.
Weird sources report
Lists IP addresses that begin with either 0 or 127; for example, 127.0.0.1 is reserved for use as a loopback address, and 0.0.0.0 is reserved for use as a default route.
Low port users report
Lists users who access ports 0 to 5, which are normally not used.
Firewall Server-Initiated Connections report
Lists the top ten most active servers that can initiate network connections. For example, this report might list a Web server that can also initiate FTP connections.
Firewall Suspects report
Lists the top 20 inside and outside users who performed any of the following suspect events:
v Host scans
v Port scans
v Policy exceptions
If the report information needed is not in a built-in iView report, a custom report can be created, as described in Chapter 29, Creating and managing custom reports in iView, on page 183.
Event type
From Where
From Where (Origin group)
Group type
Impersonated Logonname
Impersonation
Loading date
Location
LogonId
Logonname
Number of Special Attention Events
Total number of events matching at least one of the attention rules.
Object
The different combinations of ObjectType: ObjectPath / ObjectName loaded in the database.
On What
The Object represented by the triple ObjectType: ObjectPath / ObjectName that is related to the action.
The group of objects.
The group of objects.
The Object represented by the triple ObjectType: ObjectPath / ObjectName, that is related to the action.
Owner of the user name who changed to another user name.
Time stamp of the first event in the group of events in the following 15 minutes.
Network ID of actions (where you failed to logon).
The type of the log record as it is displayed in the chunk log.
Relative importance of an event. If the event matches an attention rule, the severity of the event is equal to the severity of the attention rule it matched. If the event is a policy exception, the severity equals the highest significance number of the W7 groups it belongs to. If the event is neither an attention nor a policy exception event, the severity equals the highest significance of the W7 groups it belongs to, divided by 10.
Start time
Time stamp of the first event.
Status
Current status of the database.
Status of Database
Current status of the database.
Title
Name of report.
Total number of Events
Total number of events loaded in the database.
User policy
Tivoli Compliance Insight Manager policy selected for loading the database.
Value
Edited part of the original log record.
What
Combination (triplet) of the Eventmainclass, Eventclass, and Successclass. The value represents the action taken.
What Group
Type of actions.
When
When (Period group)
Where
Where (Platform group)
Where (Platform)
Where Group
Who
Who (Name)
Who (Source group)
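The severity rule in the column descriptions above (attention rule severity, else highest W7 group significance, else that value divided by 10), carried through as an added example that is not part of the manual. The Event fields, the sample events and the grouping of the Failures Summary by What triplet are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example, not from the IBM manual: compute the Severity value that the
# column table describes and place it in the Failures Summary bands
# (higher than 40, 21-40, 0-20). The Event fields and the sample events are
# constructed for illustration; they do not mirror the product's data model.


@dataclass
class Event:
    what: str                                   # verb : noun / success triplet
    group_significance: Dict[str, int] = field(default_factory=dict)  # W7 group -> significance
    attention_rule_severity: Optional[int] = None   # severity of the matched attention rule
    policy_exception: bool = False


def severity(ev: Event) -> float:
    """Severity per the rule in the column table."""
    if ev.attention_rule_severity is not None:
        # Matched an attention rule: severity equals that rule's severity.
        return float(ev.attention_rule_severity)
    highest = max(ev.group_significance.values(), default=0)
    if ev.policy_exception:
        # Policy exception: highest significance of the W7 groups it belongs to.
        return float(highest)
    # Neither attention nor policy exception: highest significance divided by 10.
    return highest / 10


def failure_band(sev: float) -> str:
    """Severity bands used on the Failures Summary page."""
    if sev > 40:
        return "Higher than 40"
    if sev >= 21:
        return "21-40"
    return "0-20"


def failures_summary(events: List[Event]) -> List[Tuple[str, float, str, int]]:
    """Count failures per kind of failure, ordered by descending severity.

    Returns (what, severity, band, count) rows. A kind of failure is taken to
    be the What triplet, its severity the highest severity seen for that
    kind, and only triplets ending in '/ Failure' are counted (constructed
    conventions for this example).
    """
    counts: Dict[str, int] = defaultdict(int)
    sev_by_what: Dict[str, float] = {}
    for ev in events:
        if not ev.what.endswith("/ Failure"):
            continue
        counts[ev.what] += 1
        sev_by_what[ev.what] = max(sev_by_what.get(ev.what, 0.0), severity(ev))
    rows = [(w, sev_by_what[w], failure_band(sev_by_what[w]), counts[w]) for w in counts]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


# Constructed sample events (significance values are illustrative).
SAMPLE_EVENTS = [
    Event("Logon : Account / Failure", {"Who": 30, "What": 25}, attention_rule_severity=55),
    Event("Logon : Account / Failure", {"Who": 30, "What": 25}, policy_exception=True),
    Event("Read : File / Failure", {"Who": 30, "OnWhat": 45}),
    Event("Read : File / Success", {"Who": 30, "OnWhat": 45}),
]

if __name__ == "__main__":
    for row in failures_summary(SAMPLE_EVENTS):
        print(row)
```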
Column entries
Data in the reports is grouped by columns. The number and type of columns that are available for selection in a report through Custom Report wizard depend on the report type. Table 8 describes each column and the content that is displayed in the finished report.
Table 8. Entries and their content displayed in the finished report
Column / Meaning
Where detail
Shows the name and type of the platform on which the event occurred, as follows: name (type). If type equals -, only the name of the platform is shown.
Who detail
Shows the real name of the user who caused the event if available. Otherwise, it shows the logon name.
What detail
Shows the event type triplet (verb : noun / success) of the event.
When detail
Shows the time stamp of the 15 minutes in which the event occurred. To show the time stamp of the event itself, use the event_timestamp column.
From Where detail
Shows the name and type of the originating platform, as follows: name (type). If type equals -, only the name of the platform is shown.
On What detail
Shows the type, path and name of the object associated with the event, as follows: type : path / name
Where To detail
Shows the name and type of the target platform, as follows: name (type). If type equals -, only the name of the platform is shown.
When group
Shows the name of (one of the) When group(s) for the time at which the event occurred.
What group
Shows the name of (one of the) What group(s) to which the event type of the event belongs.
Further columns listed in Table 8:
Where To group
Number of events
Number of policy exceptions
Number of special attentions
Number of failures
Number of successes
Percentage of policy exceptions
Percentage of failures
Percentage of successes
Verb
Noun
Success
Platform name
Logon name
Origin type
Object type
Object path
Object name
Target name
Target type
To add a column to a report, click its name in the list of W7 items. The column is displayed in the box for selected columns. The order of columns in the box determines the order in which they are shown in the report. The top-to-bottom order in the box corresponds to the left-to-right order in the report. To change the order of columns, select a column to be moved and drag it to the desired location.
Note: You can export any report except firewall reports, and you can export custom reports as well as built-in reports.
Introduction
iView settings are grouped in the following categories:
Database Settings
This group of settings allows some database properties to be adjusted. For more information, see Database overview on page 156.
Appearance
You can change the language of iView messages and define lower and upper thresholds for the trend graph displayed on the Dashboard.
Enterprise Overview Settings
These settings include the time span, grid axis, and asset group options for the Enterprise Overview pane on the Dashboard page. For more information, see Enterprise overview on page 153.
Trend Settings
You can adjust the settings that control the Trend graphic pane on the Dashboard page. For more information, see Trend graphic on page 155.
Incident Tracking
In this section of the iView settings, you can specify parameters for connecting an external incident tracking system.
Each group of iView settings is located in a separate collapsible pane. To make the modifications effective, click Apply at the bottom of the User Preferences page. To cancel the modifications, click Reset, which is available in the lower right corner of the page.
Note: You also can access iView's Enterprise Overview Settings group and the Trend Settings group from the Dashboard page, and you can access some of the Enterprise Overview Settings from the Database Summary page. On both the Dashboard page and the Database Summary page, your changes can be saved and used the next time you log in to iView. In addition, settings changes made from the User Preferences page can be saved and used the next time you log in to iView. For more information, see Chapter 23, Understanding the iView Dashboard, on page 153.
Database settings
appropriate to the geographical location.
Notes:
1. After being selected in iView, the selected database becomes the default database.
2. Another approach to choosing a time zone is from the Database Summary page. Changes are saved and can be used the next time that iView is selected. For more information about the Database Summary page, see Database summary on page 156.
Appearance settings
While entering values for the thresholds, observe the following restrictions:
v The value for the Lower threshold field must be less than the value for the Upper threshold field.
v Both values must be valid numbers in the range from 0 to 100.
Show last completed
When selected, this control activates a pair of boxes to set a round number of days, weeks or months for which the enterprise summary is generated.
Chapter 31. Using iView settings
Horizontal Axis Settings
This pane provides options for adjusting the parameters of the X-axis:
Dimension
This list lets you choose the dimension for the X-axis from the seven Ws: Who, What, When, Where, OnWhat, FromWhere, and WhereTo.
Number of groups
This list sets the number of groups used for generating the enterprise overview, from 1 to the total number of asset groups available at the Server.
A control for showing assets
You can select one of the following controls:
Show the most important assets
Shows only the most important assets on the summary.
Select assets to show
Activates the Available and Selected lists, which you can use to select preferred assets for the summary.
Vertical Axis Settings
This pane allows the parameters of the Y-axis to be adjusted, and contains the same controls as the Horizontal Axis Settings pane described above.
Note: You also can access iView's Enterprise Overview Settings group and the Trend Settings group from the Dashboard page, and you can access some of the Enterprise Overview Settings from the Database Summary page. On both the Dashboard page and the Database Summary page, your changes can be saved and used the next time you log in to iView. In addition, settings changes made from the User Preferences page can be saved and used the next time you log in to iView. For more information, see Chapter 23, Understanding the iView Dashboard, on page 153.
Trend Settings
You can specify the following options:
Show last completed
When selected, this control activates a pair of list boxes that you can use to set a round number of last days, weeks or months for which the enterprise summary is generated.
Last existing data
When selected, this check box sets the latest record (time stamp) of data to be the point from which the enterprise summary is generated.
Note: You can access iView's Trend Settings group from the Dashboard page. Your changes can be saved and used the next time you log in to iView. In addition, settings changes made from the User Preferences page can be saved and used the next time you log in to iView. For more information, see Chapter 23, Understanding the iView Dashboard, on page 153.
Notes:
1. The Incident Tracking pane is only visible for users that have the Manage Incidents role defined. Refer to Part 3, Managing the Tivoli Compliance Insight Manager system, on page 39 for more details.
2. The incident tracking functionality is available only when Management Modules for Tivoli Compliance Insight Manager are installed.
Upgrading
Tivoli Compliance Insight Manager 8.5 includes the following new report distribution features:
v Report distribution tasks.
v The schedule for report distributions.
v Two formats for distributing reports as email excerpts: CSV and PDF. If the plug-in that enables PDF output is installed, the default format is set to PDF. Otherwise, the default is CSV.
v Status notification emails for report distributions.
v Options for convenient selection of report recipients.
After upgrading from Consul InSight 7.0 to Tivoli Compliance Insight Manager 8.5, you can distribute reports using iView only. However, the settings used for report distribution in Consul InSight 7.0 are still present on the system in C:\IBM\TCIM\Server\run. These settings are in the iview.ini file and can be transferred manually to the automated report distribution. In the iview.ini file, MailHost, From, and Reply correspond to the Email Settings that are set up for all distribution tasks. To, Experts, and GemDb correspond to the Addressees and Reports sections for creating distribution tasks. The contents of the iview.ini file are shown in the following example:
[Mail]
MailHost=mail host
From=from address
Reply=reply to address
[Excerpt.GEM1]
TEG=1
[ExcerptTEG.GEM1.1]
To="email@yourcompany.com"
Experts="inspect,overview"
GemDb="GEM1"
Note: Ensure that the new value does not exceed the size of the IBM\TCIM\server\run\excerpts directory. If it does exceed the size, reports are generated and stored in the directory until the directory space limit is exceeded. Reports are not generated if the directory has no space to store them.
Functionality overview
The new report distribution functionality in Tivoli Compliance Insight Manager Version 8.5 does nothing by default. To distribute iView reports as email excerpts, configure these settings in the following order on the Automated Report Distribution page (Figure 71 on page 201):
1. Email Settings
2. Manage Users
3. Distribution Tasks
You can click the Distribution icon in iView to open the page (Figure 71 on page 201). For tips and support information, use the right-hand Extra Information pane.
Email Settings
Distribution tasks have common email settings (Figure 72). As originator of the tasks, use these settings to specify your name, the email address from which reports are sent, a reply-to email address, and the mail host used to send the reports. This specification is required to enable report distribution as email excerpts. Status notifications for each report distribution instance are sent to a predefined email address.
Manage Users
The Manage Users section lists Tivoli Compliance Insight Manager users that have been added through the Management Console. In this section, use the Email
Chapter 32. Distributing reports
Distribution Tasks
You can manage report distribution using distribution tasks. The tasks define the timing and type of reports, including format, the GEM databases that are involved, and the Tivoli Compliance Insight Manager users who receive the reports. You can find a list of existing distribution tasks in the corresponding section on the Automated Report Distribution page. To edit a task, click its title in the list. To create a task, click Add distribution task (Figure 73).
Figure 73. List of distribution tasks and the Add distribution task button
For each distribution task you must specify general information, report definitions, and recipients of email excerpts with the defined reports (Figure 74 on page 203).
Distribution tasks contain definitions for selected iView reports (Figure 75). Before being sent, the defined reports must be generated. This action is done automatically whenever the GEM database that is associated with a report is loaded.
To reduce the system load, only one copy of a report is generated even when it is intended for many recipients; each recipient does not get a separate copy of the report (Figure 76 on page 204).
Figure 76. Selection of report distribution recipients for the distribution task
The generated reports are distributed as email excerpts only when the scheduled distribution task to which they are assigned is launched. You can configure this timing with the Schedule options for the task.
If the task runs more often than a related database loads, the same report is distributed to a report recipient only once after the database load. Consequently, until a new database load, all subsequent email excerpts include either empty reports (if the Show empty reports check box is selected) or none at all. For example, if the task runs five times and a related database loads only once during a specific period of time, the reports generated at this database load are distributed by the task only once. New reports cannot be distributed by the task until the database loads again and new reports are generated.
If a database related to the task loads more often than the task is scheduled to run, one email excerpt includes as many generated reports as there were loads.
All generated reports are stored by the system until they have been distributed as email excerpts. After distribution, the reports are deleted.
For better system performance and report distribution results, database load and report distribution task schedules should be matched. For more information about matching, see Matching database load and distribution schedules on page 205. For more information, see Setting up automated report distribution.
are generated only when a database load is complete. Load schedule prompts for databases show only the time when the load starts. Therefore, when setting the schedule for any distribution task, add some time between the database load and distribution task schedules to ensure that the database load is complete (Figure 78 on page 206).
Compliance dashboard
A compliance dashboard displays an easy-to-understand, color-coded matrix that highlights degrees and level of compliance based on user behavior and data access. The dashboard is customized for the specific regulation or standard of interest, depending on the module you choose.
Report center
A Report Center provides dozens of relevant reports linked to the ISO27001 standard or FFIEC handbook (for GLBA), for monitoring compliance to the regulation or standard, and understanding who touched what across the network. Reporting requirements are similar for each of the supported standards, but each has a different focus.
Policy template
A Policy Template recommends a customizable policy to specify which users can access regulated information, and what they can do with it. Leveraging the IBM patent-pending W7 Methodology, the Policy Template provides an easy, enforceable manner in which to establish and monitor file access versus policy. This project delivers a default security policy template that enables customers to build policies that successfully monitor compliance. A policy template for each standard can be loaded from the Management Console. Optionally, IBM delivers a tool (and improves the existing tool) to build the policy for the customer.
Copyright IBM Corp. 1998, 2008
Classification template
A classification template enables quick classification of the enterprise for role-based security event management and auditing of the enterprise against policy. Each classification template speaks the language of a regulation or standard for demonstrating compliance. A classification template for each standard can be used from the Management Console. The template uses the terms and vocabulary that the standard defines. A single classification can satisfy all the standards under consideration here. It is structured as a major category with subcategories specific to the selected standard, as a starting point to use.
Resource center
The regulatory resource center is the key entry point into the regulatory compliance section on Tivoli Compliance Insight Manager. A Resource Center includes information about the Act and guidelines for using Tivoli Compliance Insight Manager for compliance, including specific advice about adjusting the logging and audit settings in the enterprise to enable proper access monitoring. Within the resource center you can select the tools (policy and grouping tools) and the reporting resources for each regulatory standard supported/installed.
Enable auditing & alerting In heterogeneous environments, understanding which logging and alerting to turn on, and how, is a significant challenge. Tivoli Compliance Insight
Chapter 34. Cross-platform collecting and storage of audit logs and log data
This section introduces Tivoli Compliance Insight Manager Log Manager (Log Manager) and outlines its basic features. Like other components of the Portal, the Log Manager is a Web application. Compatible with Microsoft Internet Explorer Version 6.0 or later, the Log Manager is designed for cross-platform collection of audit logs and storing log data in a native format. The Log Manager can show proof that all log data has been collected, and reports on the completeness of the collected data.
Log Retrieval
Every page contains the menu bar of the Log Manager, a means for navigating to the other pages of the Log Manager. Any page can be identified in the following ways:
v By the page title, which is shown at the top of the main pane
v By the third level of the breadcrumb trail, which is placed straight below the menu bar of the Log Manager
v By the text of the respective icon in the menu bar. When compared with the other icons of the menu bar, the icon of the opened page is shaded.
Panes
The main pane is located in the left part of the page and consists of the Collect History Status and Log Continuity Status sections. The Collect History Status section gives information about the latest collect status. The Log Continuity Status section gives information about the completeness of audit logs. The Extra Information pane, located in the right-hand part of the page, consists of the Help section. The Help section gives instructions about using the key features of the Log Manager Dashboard page (the currently opened page of the Log Manager). Every section can be collapsed or expanded by clicking the section title bar. A collapsed section is indicated by the expansion icon pointing to the right; an expanded section is indicated by the expansion icon pointing downward. The Extra Information pane can be collapsed by clicking its left round corner.
Event source
Name of the event source that generated the corresponding log collection event.
Event source type
Type of the above event source.
Audited machines
Name of the system to which the corresponding event source is added.
PoP
Name of the point of presence system that sends the corresponding audit logs to the Server system.
Server
Name of the Server system where audit information from the connected point of presence is collected.
Data in the paged list view can be filtered and sorted. Refer to Using common procedures on page 232 for more details about filtering and sorting the Log Manager data.
Continuity graph
The graph is placed in the Continuity Audit section and is, in essence, a Gantt chart. Every rectangle represents a separate audit log, and every row of rectangles represents an event source. The graph shows time along its X-axis. The unit of time used on the X-axis labels depends on the current time scale, which by default is day. To change the time scale to hour, week, month, or year, click the corresponding tab beneath the graph. To move to an adjacent time period, click an arrow on the time sliding control to the left or right of the time period label above the graph.
To get information about an audit log depicted in the graph, hover the mouse pointer over the corresponding rectangle. A tool tip opens showing the time the audit log started, the time the audit log ended, and the audit log status. Rectangles that represent audit logs are colored according to their status. Refer to the Legend section of the Log Manager Extra Information pane for short descriptions of audit log statuses.
By default, audit logs on the graph are grouped by the names of audited systems. To group audit logs by the type of event sources, click the Type tab to the left of the graph. Event sources in the chart are sorted first on the applied grouping criterion (the names of audited systems or the types of event sources) and then on the names of event sources.
Notes: 1. A maximum of 200 rows can be shown on the graph at one time. If this limit is exceeded, a message stating this and requesting a narrower filter is shown instead of the graph.
Continuity list
In the Log File Detail section, a list represents audit logs according to filtering criteria. To filter data in a column, click the funnel-shaped icon in the header of the column. In the Filter dialog that opens, select the required criteria and click Start Filter. Refer to Using common procedures on page 232 for more details about filtering of the Log Manager reports. The list has log selection check boxes that you can use for downloading the respective audit logs to the local system. Refer to Retrieving audit logs with the Log Manager on page 228 for more details about retrieving audit logs with the Log Manager. The list has the following columns:
Status
Apart from the log selection check box, this column contains the status icon. For interpreting a specific status icon, refer to the Legend section of the Log Manager Extra Information pane.
#
Number of log files in the audit log.
Size
Size of the compressed audit log.
Start date
Start date of the audit log.
Start time
Start time of the audit log.
End date
End date of the audit log.
End time
End time of the audit log.
Machine
Name of the audited system.
Event source
Name of the audited event source.
Event source type
Type of the audited event source.
The Legend section of the Extra Information pane contains short descriptions of the status icons available in the Status column of the list and helps in interpreting the shadings of audit logs in the graph. The status can be one of the following values:
v Archived log sets
v Complete log set
v Corrupted log set
v Delayed collect, possible data loss
The Depot Investigation Tool is protected by the Depot Investigation and Log Retrieval role. If you do not have this role, Investigate is disabled on the menu bar of the Log Manager. The Depot Investigation Tool is also disabled if depot indexing functionality is disabled. See Chapter 15, Managing users and roles, on page 85 for more details about managing Tivoli Compliance Insight Manager roles.
Query builder
Use the Query builder section to select the necessary criteria for the search:
2. In the Event Source subsection, select the event sources to be searched, by a server name, by an Actuator (point of presence) system name, an audited machine name, an event source type and an event source name (Figure 83). Note that the list boxes allow multiple selections.
3. In the Select Fieldnames subsection, select a field for inclusion in the search results list by selecting the check box in front of the field name.
Notes:
a. To get the list of event source types that contain a field, hover the mouse pointer over the field. A tool tip opens to show this list (Figure 84 on page 222).
b. When you modify the event source selection, the field list is not immediately refreshed. A message with this information and a refresh request is shown. Click the refresh link to see all relevant field names.
4. In the Content Search subsection (Figure 85), specify search criteria in the form of a search string. Wildcards (marked by an asterisk *) are acceptable only at the end of a word. Multiple search criteria can be combined through OR and AND relationships. Brackets are also allowed. For more information, see Searching with the Depot Investigation Tool on page 225 and Example queries on page 227.
5. Click Start Search. The result of the search is displayed in the Search summary and the Search results sections of Depot Investigation Tool. Note: If validation of search parameters provided in Query builder fails, an error message is displayed directly below the Content Search section title bar, and the search does not start.
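The Content Search syntax from step 4 (words, a wildcard only at the end of a word, AND, OR, brackets) and the validation failure from step 5, worked through as an added example that is not part of the manual or the product. The log lines are constructed; operator precedence (AND before OR), case-insensitive matching and the rejection of adjacent words without an operator are assumptions of the example.

```python
import re
from typing import List, Optional, Set

# Added example, not from the IBM manual: a small validator and evaluator for
# the Content Search syntax the Query builder accepts (words, a trailing *
# wildcard, AND, OR and brackets), run over constructed log lines. Assumptions
# the manual does not state: AND binds tighter than OR, matching is
# case-insensitive, and adjacent words with no operator are rejected.


class QueryError(ValueError):
    """Validation failure: the tool shows an error and does not start the search."""


def tokenize(query: str) -> List[str]:
    tokens = re.findall(r"\(|\)|[^\s()]+", query)
    for tok in tokens:
        # A wildcard is acceptable only at the end of a word.
        if "*" in tok[:-1]:
            raise QueryError(f"wildcard not at end of word: {tok!r}")
    return tokens


class Parser:
    """Recursive-descent parser producing ('word', w), ('and', l, r), ('or', l, r)."""

    def __init__(self, tokens: List[str]):
        self.toks = tokens
        self.i = 0

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.i += 1
        return tok

    def parse_or(self):
        node = self.parse_and()
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_term()
        while self.peek() is not None and self.peek().upper() == "AND":
            self.take()
            node = ("and", node, self.parse_term())
        return node

    def parse_term(self):
        tok = self.take()
        if tok is None:
            raise QueryError("unexpected end of query")
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise QueryError("missing closing bracket")
            return node
        if tok == ")" or tok.upper() in ("AND", "OR"):
            raise QueryError(f"unexpected token {tok!r}")
        return ("word", tok.lower())


def compile_query(query: str):
    """Validate and parse a query; raises QueryError instead of searching."""
    parser = Parser(tokenize(query))
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise QueryError(f"unexpected token {parser.peek()!r}")
    return tree


def evaluate(node, words: Set[str]) -> bool:
    """Evaluate a parsed query against the set of words in one log record."""
    kind = node[0]
    if kind == "word":
        pat = node[1]
        if pat.endswith("*"):
            prefix = pat[:-1]
            return any(w.startswith(prefix) for w in words)
        return pat in words
    left, right = evaluate(node[1], words), evaluate(node[2], words)
    return (left and right) if kind == "and" else (left or right)


def search(query: str, lines: List[str]) -> List[int]:
    """Return the indexes of the lines that match the query."""
    tree = compile_query(query)
    hits = []
    for idx, line in enumerate(lines):
        # Split a record into words on whitespace and '=' (constructed convention).
        words = set(re.split(r"[\s=]+", line.lower()))
        if evaluate(tree, words):
            hits.append(idx)
    return hits


# Constructed sample log records; they are not output of any real event source.
SAMPLE_LOG = [
    "2008-03-01 09:12:01 logon failure user=jsmith workstation=WS042 reason=bad password",
    "2008-03-01 09:12:44 logon success user=jsmith workstation=WS042",
    "2008-03-01 10:02:13 privilege added user=admin target=jsmith",
    "2008-03-01 11:45:00 file read user=cifowner object=payroll.xls",
]

if __name__ == "__main__":
    print(search("logon AND (failure OR success)", SAMPLE_LOG))
```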
Search summary
The Search summary section shows summary information about the log data that is being searched (Figure 86 on page 223). It is based on the results of the first step of the search process, the step that searches the existing indices and returns blocks of events that match the search criteria. For more information, see Searching with the Depot Investigation Tool on page 225.
Search summary contains a paged list view. See Inquiring about collection events on page 213 for the common characteristics of a paged list view. The data items shown in Search summary are event sources, one for every event source searched. You cannot sort the data items, which are cleared as soon as a new search is started. The following information is listed in the Search summary section after a successful search:
Audited Machine
Name of the audited system.
Event source
Name of the event source.
Event source type
Name of the event source type.
Total records
Estimated number of log records in the selected time period.
Relevance
Indication of the relevance of an event source for the current search.
Difficulty
Indication of the time needed for processing the search for a specific event source.
Search results
The Search results section shows the final results of the search. This section contains a paged list view. See Inquiring about collection events on page 213 for the common characteristics of a paged list view. The data items shown in Search results are log records that matched the search criteria. Data in Search results is displayed as soon as the first log record is found; in the meantime, the search operation continues. To select audit logs for further downloading, select the corresponding check boxes in the leftmost column of Search results. Check boxes here are always enabled, because the audit logs are still in the log depot (you can read them). See Retrieving audit logs with the Log Manager on page 228 for more details about retrieving audit logs with the Log Manager.

Note: Data cannot be sorted in Search results; it is shown in the order in which it comes out of the search.
Extra Information
Apart from the usual Help section, the Extra Information pane on the Depot Investigation Tool page contains the following sections:

Actions
    This section contains the following commands:

    Refresh field list
        Refreshes the list of field names currently shown in the Field list subsection of the Query builder section of the main pane, based on the currently selected event sources.
    Start search
        Starts a search operation. It is equal to clicking Start Search in the Query builder section.
    Stop search
        Stops a search operation that is running.
    Retrieve selected log files
        Assembles the audit logs containing the records selected in the Search results section of the main pane and opens Log Retrieval. See Retrieving audit logs with the Log Manager on page 228 for more details about retrieving audit logs with the Log Manager.
    Restore default settings
        Resets all page settings of the Investigate page to their default values. See Using the settings on page 234 for details about the Log Manager settings.

Information
    This section shows the current state of the search operation, represented as a list of field value entries:

    Progress
        Percentage of the search operation that has completed. One of the following values is displayed:
        0%    No search has started yet.
        The percentage of logs processed (with a minimum of 1%)    Search is in the next step (Step 2).
        100%    Search is complete.
        The progress percentage at the time it was stopped    Search has stopped.
    Creation time
        Duration of the search. It is one of the following values:
        0    Search has not started.
        Wall-clock time spent so far    Search is in progress.
        Wall-clock time it took to search    Search is complete.
        Wall-clock time spent at the time it was stopped    Search was stopped.
    Logfiles
        Number of log files processed. The Logfiles entry can have one of the following values:
        0    No search has started, or the search is in Step 1.
        Number of sublogs searched so far    Search is in Step 2.
        Total number of sublogs searched    Search is complete.
    Log records
        Number of log records that match the search criteria. This entry has one of the following values:
        0    No search has started, or the search is in Step 1.
        Number of matching log records found so far    Search is in Step 2.
        Number of matching log records found    Search is complete.
        Number of matching log records found at the time it was stopped    Search has stopped.
• In certain circumstances, the analyzer does not create separate tokens even if embedded punctuation characters are included. The following syntax describes this situation:

    // floating point, serial, model numbers, ip addresses, etc.
    // every other segment must have at least one digit
    | <NUM: (<ALPHANUM> <P> <HAS_DIGIT>
           | <HAS_DIGIT> <P> <ALPHANUM>
           | <ALPHANUM> (<P> <HAS_DIGIT> <P> <ALPHANUM>)+
           | <HAS_DIGIT> (<P> <ALPHANUM> <P> <HAS_DIGIT>)+
           | <ALPHANUM> <P> <HAS_DIGIT> (<P> <ALPHANUM> <P> <HAS_DIGIT>)+
           | <HAS_DIGIT> <P> <ALPHANUM> (<P> <HAS_DIGIT> <P> <ALPHANUM>)+
            )
      >
    | <#P: ("_"|"-"|"/"|"."|",") >
    | <#HAS_DIGIT:                          // at least one digit
        (<LETTER>|<DIGIT>)* <DIGIT> (<LETTER>|<DIGIT>)*
      >

  Where the sequence can be a number, a model number, an IP address, and so on, the analyzer does not split it into individual tokens. If none of those cases applies, the analyzer splits the sequence at the punctuation characters. The following examples illustrate this:
  - Windows session ID 0x0,0x3E7 creates one token, 0x0,0x3E7.
  - IP address 192.168.0.1 creates one token, 192.168.0.1.
  - User name DOMAIN\userid creates two tokens, DOMAIN and userid.
• You can search an email address on the name, the host, or both, because the analyzer splits the address into three terms (name, host, and name@host).

With an understanding of how an index entry is created and what is displayed in the Depot Investigation Tool, you can construct query strings to find the necessary items much more effectively.
The Query Parser supports the syntax and determines the indices and time range for the search.
Example queries
How do I search for related records for the same server, same userid, and same session_id? Use the following example:
platform_name:Tivoli Compliance Insight Manager03 and session_id:0x0,0x3e7 and (username: cifowner and username:Tivoli Compliance Insight Manager03)
Note the use of the phrase username:cifowner and username:Tivoli Compliance Insight Manager03. The following phrases are not equal: (username:cifowner and username:Tivoli Compliance Insight Manager03) is not the same as (username:cifowner and Tivoli Compliance Insight Manager03). The first phrase finds instances where username has two terms, Tivoli Compliance Insight Manager03\cifowner. The second phrase finds instances where username is equal to cifowner and where any other term in the event is equal to Tivoli Compliance Insight Manager03.

Notes:
1. The search or index server can handle only a certain number of search operations simultaneously. By default, this number is one search request. If the server is busy, a corresponding message is shown. For example, the following message might be displayed:
The server is busy. Please retry your search request at a later time.
2. Currently, the search can find up to 200 000 events before the searching stops automatically and a warning message is displayed.

How do I search for all successful logons for the cifowner user on the Tivoli Compliance Insight Manager03 server? Use the following example:
successclass:success and eventmainclass:logon and (username:cifowner and username:Tivoli Compliance Insight Manager03).
How do I search for all activity with a specific session_id in a report? The session ID is reported as having a value of (0x0,0x3E7) in the report. However, the analyzer interprets this value as a single term, 0x0,0x3e7. Therefore the following search term finds all the relevant records:
session_id:0x0,0x3e7
How do I search for the activity of a specific Windows user? A Windows user name has the form DOMAIN\userid. Faced with such a string, the analyzer stores DOMAIN

So an index entry is created for each named variable, but that index entry can have multiple values, created by all the terms that the analyzer delivers. The implication is that for some queries you must use an AND relationship to get the needed result.

How do I search for event data such as email addresses? Email addresses are handled in a special way. Generically, an email address is name@host, so three index entries are created: name@host, name, and host. You can use such entries to create a search that is based on the name, the host, or the full email address.

How do I search for event data such as IP addresses? An IP address such as 192.168.0.1 is handled just as you would want, as a single string. If you must search for all IP addresses in the subnet of 192.168.0.1, use a search such as the following, which finds them all:
source_ip:192.168.0*
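The tokenization rules and the query forms discussed above, as an added example that is not part of the IBM guide or the product's own code: a small Python analyzer that follows the <NUM> rule (alphanumeric segments joined by "_", "-", "/", "." or "," stay one token when every other segment contains a digit, and are otherwise split at the punctuation), indexes an email address as name@host, name and host, and lower-cases terms (inferred from the guide's own example, where 0x0,0x3E7 is searched as 0x0,0x3e7), together with a query matcher for field:term, AND, OR, parentheses and a trailing wildcard. That AND binds tighter than OR, the sample events, the server name SRV03 and the field names not shown in the guide's queries are assumptions; the user name cifowner and the fields used in the guide's queries are taken from the text.

```python
import re

_RUN = re.compile(r"[A-Za-z0-9]+(?:[_\-/.,][A-Za-z0-9]+)*")   # segments joined by <P> characters
_SEP = re.compile(r"([_\-/.,])")
_EMAIL = re.compile(r"[A-Za-z0-9]+(?:[._-][A-Za-z0-9]+)*@[A-Za-z0-9]+(?:[.-][A-Za-z0-9]+)+")

def _has_digit(seg):
    return any(ch.isdigit() for ch in seg)

def _is_num(segs):
    # <NUM>: two or more segments in which every other segment has at least one digit
    return len(segs) >= 2 and (all(_has_digit(s) for s in segs[0::2])
                               or all(_has_digit(s) for s in segs[1::2]))

def _split_run(run):
    """Split one punctuation-joined run, keeping the longest <NUM> match at each position."""
    parts = _SEP.split(run)
    segs, seps = parts[0::2], parts[1::2]
    tokens, i = [], 0
    while i < len(segs):
        take = next((n for n in range(len(segs) - i, 1, -1) if _is_num(segs[i:i + n])), 1)
        tokens.append(segs[i] + "".join(seps[k] + segs[k + 1] for k in range(i, i + take - 1)))
        i += take
    return tokens

def _plain(text):
    return [tok for run in _RUN.findall(text) for tok in _split_run(run)]

def analyze(text):
    """Terms the index stores for one field value, lower-cased as the guide's examples show."""
    tokens, pos = [], 0
    for m in _EMAIL.finditer(text):                 # email address -> name@host, name, host
        tokens += _plain(text[pos:m.start()])
        tokens += [m.group()] + m.group().split("@")
        pos = m.end()
    tokens += _plain(text[pos:])
    return [t.lower() for t in tokens]

class _Parser:
    """Recursive descent: OR-expression of AND-expressions, so AND binds tighter (an assumption)."""
    def __init__(self, query):
        self.toks, self.i = re.findall(r"\(|\)|[^\s()]+", query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node
    def or_expr(self):
        node = self.and_expr()
        while (self.peek() or "").lower() == "or":
            self.take()
            node = ("or", node, self.and_expr())
        return node
    def and_expr(self):
        node = self.atom()
        while (self.peek() or "").lower() == "and":
            self.take()
            node = ("and", node, self.atom())
        return node
    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        field, term = tok.split(":", 1) if ":" in tok else (None, tok)
        if term == "" and (self.peek() or ")").lower() not in ("and", "or", "(", ")"):
            term = self.take()                      # tolerate "username: cifowner" (space after the colon)
        if "*" in term[:-1]:
            raise ValueError("a wildcard is allowed only at the end of a word")
        return ("term", field, term.lower())

def _match(node, index):
    if node[0] != "term":
        left, right = _match(node[1], index), _match(node[2], index)
        return (left and right) if node[0] == "and" else (left or right)
    _, field, term = node
    pool = index.get(field, set()) if field else set().union(*index.values())   # bare term: any field
    if term.endswith("*"):
        return any(t.startswith(term[:-1]) for t in pool)
    return term in pool

def search(query, events):
    """Indexes of the events (field -> value dicts) whose analyzed terms satisfy the query."""
    tree = _Parser(query).parse()
    return [i for i, ev in enumerate(events)
            if _match(tree, {f: set(analyze(str(v))) for f, v in ev.items()})]

# Constructed sample events (not from the guide); SRV03 stands in for a server name
EVENTS = [
    {"platform_name": "SRV03", "session_id": "(0x0,0x3E7)", "username": "SRV03\\cifowner",
     "source_ip": "192.168.0.17", "eventmainclass": "Logon", "successclass": "Success",
     "mailfrom": "alice@example.org"},
    {"platform_name": "SRV03", "session_id": "(0x0,0x3E7)", "username": "cifowner",
     "source_ip": "10.0.0.5", "eventmainclass": "Logon", "successclass": "Failure",
     "comment": "SRV03 unreachable"},
    {"platform_name": "SRV04", "session_id": "(0x0,0x5A1)", "username": "SRV04\\backupop",
     "source_ip": "192.168.0.200", "eventmainclass": "Logoff", "successclass": "Success"},
]
```

Running search("username:cifowner and username:SRV03", EVENTS) returns only the first event, whose username field was analyzed into the two terms srv03 and cifowner, whereas search("username:cifowner and SRV03", EVENTS) also returns the second event, because the bare term may be satisfied by any field. A query term that still contains the backslash, such as username:SRV03\cifowner, matches nothing, which is why the guide says an AND over the separate terms is needed.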
Start date
    Start date of the audit log, from the audit log header.
Start time
    Start time of the audit log, from the audit log header.
End date
    End date of the audit log, from the audit log header.
End time
    End time of the audit log, from the audit log header.
Machine
    Name of the audited system.
Event source
    Name of the event source.
Event source type
    Name of the event source type.

Data in the list can be sorted by one or more criteria. See Using common procedures on page 232 for more details about sorting data in the Log Manager. To filter data in a column, click the funnel-shaped icon in the header of the column. In the Filter dialog that opens, select the required criteria and click Start Filter. See Using common procedures on page 232 for more details about filtering data with the Log Manager.

Use the following steps to download audit logs:
1. In the list of the Original Log Files section, select the check box next to the audit logs that you want to download.
   Note: The selection check boxes are disabled for audit logs that do not contain any original audit logs or are no longer in the depot.
2. Click Download to start downloading the audit logs. The sublogs from the selected audit logs are packaged together into a single .gz.tar file.
3. In the File download / File open window that opens, provide a path and a name for the downloaded file and click Save to save it on the local system.

In the downloaded file, each sublog has its own folder within the compressed file. The name of this folder is <audited-machine>_<eventsource>_<sublog>, where <audited-machine> is the name of the system from which the audit logs originate, <eventsource> is the name of the event source, and <sublog> is the name of the sublog. The name of the downloaded files within this folder has the following format:

    <begintime>_<endtime><ext>.gz

where <begintime> is the lowest begin-time stamp of the audit logs in the file, <endtime> is the highest end-time stamp of the audit logs in the file, and <ext> is the extension of the sublog.
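As an added example (not code from the guide or from the product), a Python parser for the member names of such a downloaded archive. It validates the <audited-machine>_<eventsource>_<sublog>/<begintime>_<endtime><ext>.gz layout, rejects members whose end time precedes their begin time, and reports, per sublog, the time span covered and any gaps between consecutive files, which is what you would check before relying on a retrieved set of original audit logs as complete. The member names are constructed, the YYYYMMDDThhmmss timestamp layout is an assumption (the guide does not define it), and the parser assumes that machine, event source and sublog names contain no underscore.

```python
import re
from dataclasses import dataclass

# Member names following the layout in the guide; the values are constructed and the
# YYYYMMDDThhmmss timestamp layout is an assumption (the guide does not define it)
SAMPLE_MEMBERS = [
    "fileserver01_WinEventLog_Security/20080114T093000_20080114T235959.evt.gz",
    "fileserver01_WinEventLog_Security/20080114T235959_20080115T120000.evt.gz",
    "fileserver01_WinEventLog_Security/20080116T080000_20080116T170000.evt.gz",
    "dbhost02_Syslog_messages/20080114T000000_20080114T235959.log.gz",
    "dbhost02_Syslog_messages/20080115T120000_20080115T060000.log.gz",  # end before begin
    "README.txt",                                                        # not a sublog member
]

# Assumption: machine, event source and sublog names contain no underscore, so the
# folder name splits unambiguously into its three parts
_FOLDER = re.compile(r"^(?P<machine>[^_/]+)_(?P<eventsource>[^_/]+)_(?P<sublog>[^_/]+)$")
_FILE = re.compile(r"^(?P<begin>\d{8}T\d{6})_(?P<end>\d{8}T\d{6})(?P<ext>\.[^/]+)\.gz$")


@dataclass(frozen=True)
class SublogFile:
    machine: str
    eventsource: str
    sublog: str
    begin: str   # fixed-width timestamps compare correctly as strings
    end: str
    ext: str


def parse_member(path):
    """SublogFile for a member path, or None if the path does not follow the layout
    or its time span is inverted (end before begin)."""
    folder, sep, name = path.partition("/")
    fm, nm = _FOLDER.match(folder), _FILE.match(name)
    if not (sep and fm and nm) or nm["end"] < nm["begin"]:
        return None
    return SublogFile(fm["machine"], fm["eventsource"], fm["sublog"],
                      nm["begin"], nm["end"], nm["ext"])


def coverage(members):
    """Per (machine, eventsource, sublog): file count, overall time span and the gaps
    between consecutive files; plus the list of members that failed validation."""
    groups, rejected = {}, []
    for path in members:
        rec = parse_member(path)
        if rec is None:
            rejected.append(path)
        else:
            groups.setdefault((rec.machine, rec.eventsource, rec.sublog), []).append(rec)
    report = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r.begin)
        # a gap is a file that begins after the previous file ended
        gaps = [(a.end, b.begin) for a, b in zip(recs, recs[1:]) if b.begin > a.end]
        report[key] = {"files": len(recs),
                       "span": (recs[0].begin, max(r.end for r in recs)),
                       "gaps": gaps}
    return report, rejected
```

With a real download, the member list would come from the archive itself (for example tarfile.open(...).getnames()); coverage(SAMPLE_MEMBERS) flags the inverted-span member and README.txt as rejected and reports one gap for the Security sublog of fileserver01.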
Installation
Replay Tool is installed automatically with IBM Tivoli Compliance Insight Manager. No additional installation is required. By default, the executable file replay.exe is placed in the \TCIM\Tools folder.
Note: If you use a single dash (-) as the file name, standard input (stdin) is used.

To prepare data for replay, extract the data from the Log set by using the gzip utility with the -d option, as in the following example:
gzip -d <chunkname>.gz
To identify the location of the Log set, use the iView chunk log details report. As well as the file name, which is the obligatory parameter, you can specify other optional parameters and options. The following command line shows all of the available parameters and options:
replay.exe -|input.hex|input.snmp|syslog <ip/hostname> <port> <sleep>
• To reiterate, the first, and obligatory, parameter is the name of the file (input.hex|input.snmp|syslog) that contains the SNMP or Syslog messages. The SNMP (or Syslog) messages can be sent from text or from hexadecimal format. You determine the type of data from which the SNMP (or Syslog) messages are constructed and sent by using the corresponding -hex|-snmp|-syslog option, or simply by renaming the input file with the appropriate extension, .hex|.snmp.
Command line examples

Here are several more command line examples:

• Example #1:

    >replay.exe dump3.hex -rate 5 -repeat 3

  In this example, none of the parameters were specified (except for the file name, which is obligatory). Therefore, the file dump3.hex was sent to the IP address 127.0.0.1 (the default value), using port 162 (the default port for .hex files), at a rate of five messages per second, and the whole process was repeated three times.

• Example #2:

    >replay.exe WG0YPI1.snmp 10.3.5.10 122 60 -repeatfile 4

  In this example, all four of the parameters were specified (WG0YPI1.snmp is the file name, 10.3.5.10 the IP address, 122 the port number, and 60 the sleep value, meaning that the messages are sent with an interval of 60 milliseconds), and all of the messages within the file are sent four times (-repeatfile 4).

• Example #3:

    >replay.exe dump3.hex -repeat 7 -rate 3 -port 164 -ip 10.3.5.10

  In this example, only the obligatory file name parameter was used. All other parameters were supplied as option values. Note that options can be placed in any order.
Filtering reports
The Log Manager offers the possibility of applying filters to the underlying audit data. Applying a filter limits the amount of information in the Log Manager reports. Filters are usually accessible through the funnel-shaped icons on the corresponding elements of the Log Manager lists. If the data in the column is already filtered, the funnel-shaped icon is shown in orange; otherwise, the icon is unavailable. The Filter dialogs that open have lists with multiple selections, check boxes, and other controls that represent the means for limiting the audit data available on the pages of the Log Manager according to the respective criteria. Every Filter dialog has a Start Filter control to apply the filtering criteria, a Clear Filter control to reset the criteria, and Cancel to stop the filtering action. If a filter is applied to a multi-page list, the Log Manager returns to page 1.
Sorting data
Log data that the Log Manager lists can be sorted. An orange line that is displayed when you hover the mouse pointer over the header of a column indicates that the column can be used for sorting. The sort order of a paged list view can be changed by either of the following methods:
• Clicking the header text of a column.
• Clicking the respective icons at the right-hand side of the Sorting section in the Extra Information pane. These icons control the position of a sorting criterion in the set of currently active sorting criteria.

Repeated clicks on the header text of a column cycle through the following states:
• Data is sorted in this column in ascending order.
• Data is sorted in this column in descending order.
• Data is not sorted in this column.

A paged list view can be sorted on multiple columns (with a maximum of 4 columns at a time). Data is sorted first in the column that was clicked last, then in the previously clicked column, and so on. This order is reflected in the Sorting section of the Extra Information pane. See Inquiring about collection events on page 213 for a description of the paged list view. To move a sorting criterion one position up in the current set of active sorting criteria, click the up arrow to the right of the required criterion in the Sorting section of the Extra Information pane. To move it one position down, click the corresponding down arrow.

Note: Applying sorting always moves the Log Manager to the first page of the paged list view.
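The multi-column sorting behaviour just described, as an added example that is not part of the guide or the product: a Python model of a paged list view's sort state in which a header click cycles a column through ascending, descending and not sorted, the most recently clicked column becomes the primary key, at most four criteria stay active, the up and down arrows move a criterion, and any change returns the view to page 1. The sample rows are constructed; that clicking an already active column also moves it to the front, and that the oldest criterion drops out when a fifth is added, are assumptions the guide does not settle.

```python
MAX_CRITERIA = 4                                    # the guide: at most 4 columns at a time
_NEXT = {None: "asc", "asc": "desc", "desc": None}  # click cycle of a column header


class SortState:
    """Sorting criteria of a paged list view; criteria[0] is the primary key."""

    def __init__(self):
        self.criteria = []   # list of (column, "asc" | "desc"), most recently clicked first
        self.page = 1

    def click(self, column):
        """Header click: cycle the column's state and make it the primary criterion."""
        current = dict(self.criteria).get(column)
        self.criteria = [c for c in self.criteria if c[0] != column]
        if _NEXT[current] is not None:
            self.criteria.insert(0, (column, _NEXT[current]))
            del self.criteria[MAX_CRITERIA:]        # assumption: the oldest criterion drops out
        self.page = 1                               # sorting always returns to page 1
        return list(self.criteria)

    def move(self, column, delta):
        """Up arrow (delta=-1) or down arrow (delta=+1) next to a criterion in the Sorting section."""
        i = [c for c, _ in self.criteria].index(column)
        j = min(max(i + delta, 0), len(self.criteria) - 1)
        self.criteria.insert(j, self.criteria.pop(i))
        self.page = 1
        return list(self.criteria)

    def apply(self, rows):
        """Sort rows by the active criteria. Python's sort is stable, so sorting by the
        least significant key first and the primary key last yields the combined order."""
        ordered = list(rows)
        for column, direction in reversed(self.criteria):
            ordered.sort(key=lambda r: r[column], reverse=(direction == "desc"))
        return ordered


# Constructed collection-event rows (not from the guide)
ROWS = [
    {"machine": "fileserver01", "eventsource": "Security", "records": 1200, "collected": "2008-01-15 08:00"},
    {"machine": "dbhost02", "eventsource": "messages", "records": 300, "collected": "2008-01-15 09:30"},
    {"machine": "fileserver01", "eventsource": "Application", "records": 300, "collected": "2008-01-14 23:00"},
    {"machine": "dbhost02", "eventsource": "secure", "records": 50, "collected": "2008-01-15 09:30"},
]


def demo():
    """Click records, then machine: machine becomes the primary key, records the secondary."""
    state = SortState()
    state.click("records")
    state.click("machine")
    return [r["eventsource"] for r in state.apply(ROWS)]
```

Clicking machine a second time flips it to descending while it stays the primary key; a third click removes it, leaving only the records criterion. Because the sort is stable, rows with equal keys keep their previous relative order, which is also why apply() iterates the criteria from least to most significant.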
Other settings of the Log Manager such as visibility of panes and sections, time scale, filters applied, sorting criteria, and so on are user preferences. You can set them while using controls that the Log Manager provides. All pages have the Restore default settings command in the Actions section of the Extra Information pane. Clicking it resets all page settings of the current page to their default values.
Obtaining fixes
A product fix might be available to resolve your problem. To determine what fixes are available for your IBM software product, check the product support site by performing the following steps:
1. Go to the IBM Software Support site at the following Web address:
   http://www.ibm.com/software/support
2. Under Products A - Z, click the letter with which your product name starts to open a Software Product List.
3. Click your product name to open the product-specific support page.
4. Under Self help, follow the link to All Updates, where you can find a list of fixes, fix packs, and other service updates for your product. For tips on refining your search, click Search tips.
5. Click the name of a fix to read its description.
6. Optionally, download the fix.
Severity 1
    The problem has a critical business impact. You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.
Severity 2
    The problem has a significant business impact. The program is usable, but it is severely limited.
Severity 3
    The problem has some business impact. The program is usable, but less significant features that are not critical are unavailable.
Severity 4
    The problem has minimal business impact. The problem causes little impact on operations, or a reasonable circumvention to the problem was implemented.
Submitting problems
You can submit your problem to IBM Software Support in one of two ways:

Online
    Select the Submit and track problems page on the IBM Software Support site at the following address, and provide your information in the appropriate problem submission tool:
    http://www.ibm.com/software/support/probsub.html
By phone
    For the phone number to call in your country, select the contacts page of the IBM Software Support Handbook at the following Web address and click the name of your geographic region:
    http://techsupport.services.ibm.com/guides/contacts.html

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolution.
For more information about problem resolution, see Searching knowledge bases on page 237 and Obtaining fixes on page 237.
Appendix B. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information about the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106-0032, Japan The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. 
Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation 2Z4A/101 11400 Burnet Road Austin, TX 78758 U.S.A. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. All statements regarding IBM future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. If you are viewing this information softcopy, the photographs and color illustrations may not be displayed.
Trademarks
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: 1-2-3 AIX DB2 developerWorks Domino eServer IBM IBM logo iSeries Lotus Notes OS/390 OS/400 Passport Advantage
POWER pSeries Rational Redbooks Tivoli WebSphere z/OS zSeries Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.
Index A
accessibility xiii aggregation iView 165 processes 8 alerts attention severity 121 configuring 117 creating 117 custom 123 delaying 119 event severity basis 116 handler 113 handlers, creating 126 managing 113 policy 113 repeated 120 severity delays 127 SMTP 121 SNMP 122 attention events 171 attention rules creating 108 defining and managing 108 deleting 110 editing 109 purpose 23, 108 severity levels 110 audit administration collect schedules 73 data collection 69, 72 database properties 77 event source properties 78 event sources 69, 71, 72 GEM databases 69, 77 load schedules 74 manual data loads 76 passwords 86 sliding load schedules 75 system properties 78 users' roles 85 audit data displaying in iView 51 importing 53 automatic policies 111 collect (continued) custom 17 definition 11 FTP 17 original audit logs 11 point of presence 12 process steps for a security log 12 remote for Windows 13 security logs 11, 12 SNMP 14 SSH 14 steps for remote type 13 Syslog 14 using external APIs 16 committing policies for auditing 111 common problems reporting describing problem 240 determining business impact 239 gathering information 240 submitting 240 compliance types supported xi conditions attention rules 108 copying 103 creating for groups 96 Custom Report wizard 183 defining members in groups 96 definition 96 deleting 95, 104 edited 97 group definitions 33 list 188 managing 89 moving 103 new 97 OnWhat 100 requirements 97 What group 98 When group 99 Where group 100 Who group 98 configuration tools Events by rule 176 Events by type 176 Policy Settings 176 reports 176 W7 Summary 176 consolidation database 8 conventions, typeface xiv customer support contacting 239 information centers 237 Internet 237 knowledge bases 237 obtaining fixes 237 receiving updates 238 registering 238 submitting problems 240
D
daily verification Events by type report 173 Impersonation report 173 Logon Failure Summary report 172 Users report 173 data collection actuator 72 logs 72 schedules 72, 73 data export schedule, setting 52 data loading creating schedules 74 manual 77 setting schedules 74 sliding schedule 75 data model, GEM 21 databases clearing 77 loading 74 manual loading 76 viewing or changing properties 77 depot indexing the data 19 investigation function 19 log 8 purpose as archive 11, 12 detailed investigations logon history by platform 174 logon history by user 175 Object Audit 175 object history 175 period group by users 175 platforms 174 reports 173 suspect by object group 175 suspects by platform 174 user audit 175 user audit by object group 175 user history 175 users by event type 175 directory names, notation xiv
E
education see Tivoli technical training xiii environment variables, notation xiv Event File parameter 113 event sources attaching to a database 71 deleting 63 moving 72 properties 78 removing from a database 71 renaming 63 Events by Type report 173 events, Special Attention 172 exceptions to policy 171
B
Basel II compliance xi books see publications xi, xiii breadcrumb links 159
C
chunk logs 11, 13 cluster 5 collect Actuator configuration batch collect 11 12
F
failures 172 fixes, obtaining 237 FTP collect 17
K
knowledge bases information centers Internet 237 searching 237 237
xiii
P
pages All Events 151 Changing Scoping Status 136 Choose a Collect Schedule 66 Choose a Database 76 Choose a Machine 66 Choose a User Information Source 66 Choose Period 76 Choose Type of Removal 64 Collect Now 76 Compliance Dashboard 31, 151, 159, 160 Confirm Status Change 135 Dashboard 36, 150, 153, 157 Database Summary 156, 171, 172 Define User Information Source Properties 66 Enterprise Overview Settings 154 Event Detail 171 Failures 171 Failures Summary 172 Group types 167, 168, 169 Group Types 151 Groups 31 iView 87 iView login 31 iView report 159 iView settings 155 Move Assets To 140, 141 New Member 138 Overview of Portal 151 Policy Exception Summary 171 Policy Exceptions 171 Policy Maintenance 91 Policy Settings 36, 151 Portal Login 145 Portal Login Error 145 Portal Logon 129, 132 Portal Overview 145 Regulations Resource Center 151 Reports 169, 171 Scoping Overview 133 Select Event Source 64 Settings 153, 154 Special Attention 171 Special Attention Summary 172 stored 149 Summary 31 User Preferences enterprise overview settings 155, 156 iView settings 151 time zone settings 157 W7 Summary 161 passwords, changing 86 path names, notation xiv percentage view 165 platform groups creating 55 Platform History report 174
G
GEM databases adding 69 clearing 77 deleting 70 moving event source to another database 72 schedules 77 Generic Event Model (GEM) 21 GLBA compliance xi graphics 165 group definition sets copying 94, 103 creating 93, 96 deleting 94 global 94 importing 95 purpose 93 W7s 93 groups conditions 96, 97 copying 102 creating rules 95 defining and managing 95 deleting 103 moving 102 OnWhat 100 renaming 102 requirements 97 significance, changing 101 W7 attributes 21, 23 What 98 When 99 Where 99 Who 97
L
Log Manager 88 Logon Failure Summary report 172 Logon History by Platform report 174 Logon History by User report 175 logs actuator usage 12 analysis 19 centralized data 21 chunk 11 collect from point of presence 12 data collection schedules 72 depot 8, 19 event 15 GEM databases 77 importing log data 53 load schedules 74 manual load schedules 76 original audit 11 remote collect 13 retrieval 20, 88 retrieving security data 11 security xi, 11 sliding load schedules 75 sub-chunk 11 user behavior xi
M
Management Console accessing iView 52 appearance changes 47 changing 47 commands 50 customizing 48 opening and closing Windows 45 refreshing window content 49 starting and stopping 43 switching users 44 toolbars 48 tools 52 users 44 manual loads into databases 76 manuals see publications xi, xiii mapping data 8, 19, 21
H
HIPAA compliance xi
I
Impersonation report 173 In Period group by Users report 175 index disabling 19 indexing data in log depots 19 information centers, searching 237 Internet, searching 237 ISO 27001 compliance xi iView accessing from the Management Console 52 aggregation 165 audit data display 51 failures 172 Gallery of reports 172 Navigating reports 159 URL definitions 52
N
notation environment variables path names xiv typeface xiv xiv
O
Object Audit report 175 Object History report 175
platforms creating 92 deleting 93 policies administration 89 applying 90 creating 90, 108 creating and managing 89 definition 89 deleting 91, 110 duplicating 90 editing 91, 109 empty 90 hiding and showing rules 107 importing rules 107 maintenance 89 renaming 92 rules 89, 105, 106 security 33 storing 90 testing 110 Policy commit for auditing 111 test 110 view automatic 111 Policy rules 69, 171 portal 129 properties changing for a database 77 dialog 77 event sources 78 system 78 protocols alerts 121 settings 121 publications xi accessing online xiii ordering xiii
software updates, receiving 238 Special attention 171 special attention events, by severity 172 statistics, in aggregation 8 sub-chunk logs 11 Summary window 171 support See customer support Suspect by Object group report 175 Suspect by Platform report 174 system groups creating 55 deleting 56 moving within 58 renaming 55 system maintenance group tasks 55 individual systems 57 systems adding 57 adding event sources 61 adding user information sources 65 deleting 59 moving 58 properties 78 reattaching 60
171
W
wizards Add Event Source 57, 61, 62 Add Machine 57, 58 Add User Information Source 66 Custom Report 183, 187, 188 Delete Event Source 63 Delete GEM database 70 graphical 129 Grouping group definition sets 95 overview 31 policy rules, creating 51 types of groups access 151 iView 108 Load Database 76, 77, 110 Load Now 120 Policy file extension used 107 importing policy 108 link from Configuration tools report 171, 176 policy creation 33, 51 Policy Settings report 176 rules creation 34, 35 using in iView 88 Reports 147, 183
T
Testing policies 110 Tivoli Compliance Insight Manager iView aggregation 165 getting started 149 Tivoli Information Center xiii Tivoli technical training xiii training, Tivoli technical xiii trends 165 typeface conventions xiv
R
reports compliance xi daily verification 172 Failures Summary 172 privileged user activity xi regulating scope access to information xi Special Attention Event Summary 172 requirements copying 104 deleting 105 moving 105
U
User audit by Object Group report 175 User Audit report 175 User History report 175 user information sources adding to systems 65 deleting sources 68 renaming sources 67 user management centralized user management 81 users creating or adding 85 daily verification 173 deleting 85 managing 85 naming 85 passwords 85, 86 roles 85, 87 Users by Event type report 175
S
Sarbanes-Oxley compliance xi Scoping 134 enabling and disabling 133 Security Group Grouped Server 81 Security Server 81 user management 81 severity-delay support 113 sliding load schedule 75
V
variables, notation for View graphics 165 percentage 165 xiv
Printed in USA
SC23-6581-00