
Tivoli Compliance Insight Manager

Version 8.5

User Guide

SC23-6581-00


Note: Before using this information and the product it supports, read the information in Appendix B, Notices, on page 243.

This edition applies to version 8, release 5, modification 0 of IBM Tivoli Compliance Insight Manager (product number 5724-S67) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 1998, 2008. All rights reserved.

US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Figures  vii
Tables  ix
About this publication  xi
  Intended audience  xi
  Publications  xi
    Tivoli Compliance Insight Manager library  xi
    Accessing terminology online  xii
    Accessing publications online  xiii
    Ordering publications  xiii
  Accessibility  xiii
  Tivoli technical training  xiii
  Support information  xiii
  Conventions used in this publication  xiv
    Typeface conventions  xiv
    Operating system-dependent variables and paths  xiv

Part 1. Introduction  1

Chapter 1. Tivoli Compliance Insight Manager Overview  3
  Monitoring compliance  3

Chapter 2. How Tivoli Compliance Insight Manager works  5
  System components  5
    Standard Server  6
    Enterprise Server  6
    Actuator  6
  How the system works  7
    Data processing  7
    Collect process  8
    Centralized storage  8
    Mapping and loading processes  8
    Aggregation and consolidation processes  8
    Viewing data analyses and reports  8

Chapter 3. Collecting audit data  11
  Using batch collects  11
  Collecting from a point of presence  12
  Remote collecting for Windows  13
  SSH collecting  14
  Syslog and SNMP collecting  14
  Collecting using external APIs  16
  Custom collecting mechanisms (collecting with FTP)  17

Chapter 4. Performing forensic analysis  19
  Depot indexing  19
  Depot investigation  19
  Log retrieval  20

Chapter 5. GEM mapping and W7 normalization  21
  Understanding W7 attributes  21
  Understanding W7 groups  22
  Evaluating events using W7 classifications  23

Chapter 6. Reporting  25
  Standard reports  25
    Event detail reports  25
    Custom reports  26
  Graphic reports  26
    Enterprise Overview  26
    Database Overview  26
    Trend graphic  27
  Log management reports  27
  Compliance module reports  27

Part 2. Doing a task in Tivoli Compliance Insight Manager  29

Chapter 7. Using the Grouping wizard  31
  Opening the Grouping wizard  31
  Defining groups with the Grouping wizard  31
    Loading and listing groups  31
    Creating, changing or deleting groups  32

Chapter 8. Creating a security policy  33

Chapter 9. Using the Policy wizard and creating policy rules  35
  Preliminary steps at the Management Console  35
  Opening the policy wizard  36
  Creating or changing policy rules  36
    Step 1: Starting options  36
    Step 2: Select a threshold  36
    Step 3: Cover additional events  37
    Step 4: Result policy  37
    Step 5: Result export  37
  Importing policy rules and committing a policy  38

Part 3. Managing the Tivoli Compliance Insight Manager system  39

Chapter 10. Tivoli Compliance Insight Manager systems administrator  41
  Primary responsibilities  41
  Recommended skills  42

Chapter 11. Getting started with the Management Console  43
  Starting and stopping the Management Console  43
  Switching the Management Console users  44
  Opening and closing the Management Console windows  45
  Changing the appearance of the Management Console windows  47
  Customizing the Management Console toolbars  48
    Creating your own toolbar  48
  Refreshing contents of the Management Console window  49
    Changing the automatic refresh interval  49
    Changing the login timeout  50
  Working with the Management Console commands  50
  Setting up iView from the Management Console  51
    Displaying audit data in iView  51
    Defining an iView URL  52
    Accessing iView from the Management Console  52
  Using the Management Console tools  52
    Setting a data export schedule  52
    Importing audit data  53

Chapter 12. Working with system groups, individual systems, and event sources  55
  Working with groups of systems  55
    Creating system groups  55
    Renaming system groups  55
    Deleting system groups  56
  Working with individual systems  57
    Adding new systems  57
    Moving systems to other system groups  58
    Deleting systems  59
    Reattaching a system  60
    Identifying systems for troubleshooting  61
  Working with event sources and user information sources  61
    Adding event sources to systems  61
    Renaming event sources  63
    Deleting event sources  63
    Adding user information sources to systems  65
    Renaming user information sources  67
    Deleting user information sources  68

Chapter 13. Audit maintenance  69
  Working with GEM databases  69
    Adding GEM databases  69
    Deleting GEM databases  70
  Attaching event sources to databases  71
    Adding event sources to a database  71
    Removing event sources from databases  71
    Moving an event source to another database  72
  Creating and maintaining data collection and load schedules  72
    Creating data collection schedules  72
    Creating data loading schedules  74
    Setting a sliding load schedule  75
    Manually loading data into GEM databases  76
    Clearing GEM databases  77
  Working with database, system, and event source properties  77
    Working with database properties  77
    Working with system properties  78
    Working with event source properties  78

Chapter 14. Centralized user management  81
  Security Group components  81
  Configuring a Security Group  82
  Managing users, roles, and GEM database access permissions for a Security Group  82
  Synchronizing users, roles, and GEM database access permissions for a Security Group  83

Chapter 15. Managing users and roles  85
  Creating and managing users  85
    Adding users  85
    Deleting users  85
    Changing passwords  86
  Managing user roles  87
    Setting or changing user roles  87

Chapter 16. Policy maintenance  89
  Creating and managing policies  89
    Defining a policy  89
    Creating a new empty policy  90
    Duplicating existing policies  90
    Editing policies  91
    Deleting policies  91
    Renaming policies  92
  Defining and managing group definition sets  92
    Creating platforms  92
    Deleting platforms  93
  Defining and managing group definition sets  93
    What are group definition sets?  93
    Creating group definition sets  93
    Creating a global group definition set  94
    Copying group definition sets  94
    Deleting group definition sets  94
    Importing group definition sets  95
  Defining and managing groups  95
    Defining groups  95
    Creating groups  96
    Creating conditions for groups  96
    Creating requirements  97
    Changing group significance  101
    Copying groups  102
    Moving groups  102
    Renaming groups  102
    Deleting groups  103
  Managing group definitions and requirements  103
    Copying conditions  103
    Moving conditions  103
    Deleting conditions  104
    Copying requirements  104
    Moving requirements  105
    Deleting requirements  105
  Defining and managing policy rules  105
    Defining policy rules  105
    Creating policy rules  106
    Editing policy rules  106
    Deleting policy rules  107
    Hiding and showing rules  107
    Importing policy rules  107
  Defining and managing attention rules  108
    Defining attention rules  108
    Creating attention rules  108
    Editing attention rules  109
    Deleting attention rules  110
    Setting severity levels for attention rules  110
  Test and commit policies for auditing  110
    Testing policies  110
    Committing policies for auditing  111
    Viewing automatic policies  111

Chapter 17. Managing alerts  113
  Creating a policy for alerts  113
    Sending alerts based on direct positive selection  114
    Sending alerts based on event severity  116
  Creating alerts and configuring alert settings  117
    Delaying alerts  119
    Reducing the time between events and alerts  119
    Preventing repeated alerts  120
    Sending alerts for attention severity only  121
  Protocol settings  121
    SMTP  121
    SNMP  122
    Custom  123
    Modifying severity delays  127

Chapter 18. Using the Policy Generator  129
  Overview  129
  The Policy Generator user interface  129
    Entry window  129
    Online Help system  130
  Policy Generator users  130

Chapter 19. Scoping data  131
  Purpose  131
  Overview  131
    Structure of Scoping configuration  131
    Data structure of Scoping configuration  131
    Asset ownership rules  132
    Users of Scoping application  132
    Logging into the Scoping user interface  132
    Using the Scoping user interface  133
  Terminology  134
  Using Scoping  134
    Determining the number of unassigned assets  134
    Determining the status of scoping  135
    Enabling and disabling scoping  135
    Viewing scoping information for dimension  136
    Adding a new scoping group  137
    Renaming a scoping group  138
    Removing a scoping group  138
    Adding a member to a scoping group  138
    Removing a member from a Scoping group  139
    Setting a member of a scoping group as Administrator  140
    Removing Administrator privileges for a member of a scoping group  140
    Moving the assets of a scoping group  140
  Operations done outside Scoping  141
    Creating and managing users  141
    Tivoli Compliance Insight Manager dimension groups  141

Part 4. Viewing data and reporting  143

Chapter 20. Using the Portal  145

Chapter 21. Understanding iView  147

Chapter 22. Getting started with iView  149
  Changing browser caching to view updated data  149
  Logging on to iView  149
    Successful logon  150
  Understanding the iView navigation bar  150
  Starting and continuing a successful iView audit  151

Chapter 23. Understanding the iView Dashboard  153
  Overview  153
  Enterprise overview  153
    Settings  154
  Trend graphic  155
    Settings  155
  Database overview  156
    Database summary  156

Chapter 24. Navigating iView  159
  Connecting to a GEM database  159
  Moving from summary data to detail data  161
  Viewing filtered report data  161
  Sorting report columns  163

Chapter 25. Analyzing trends with iView  165

Chapter 26. Monitoring with iView  167
  Monitoring activity of a specific person  167
  Monitoring all activity on a specific object  168
  Monitoring all activity within a specific time period  168
  Monitoring all activity initiated from a specific location  169
  Monitoring specific activities on specific objects  169

Chapter 27. Viewing audit data in standard iView reports  171
  Viewing policy exceptions  171
  Viewing special attention events  172
  Viewing failures  172
  Using daily verification reports  172
  Using detailed investigation reports  173
    Changing detailed investigation report parameters  173
    Using available detailed investigation reports  174
  Configuration tools  176
  Firewall reports  176

Chapter 28. Understanding field descriptions in iView reports  179

Chapter 29. Creating and managing custom reports in iView  183
  Opening Custom Report wizard  183
  Custom Report wizard overview  183
    Types of custom reports  183
    Column entries  184
  Examples of using the Custom Report wizard  187
    Creating a custom report using Custom Report wizard  187
    Adding a custom report to a compliance module using Custom Report wizard  188
  Modifying a custom report  188

Chapter 30. Working with iView data in other media  189
  Printing iView reports  189
  Exporting iView data to other formats  189
    Exporting to PDF format  189
    Exporting to XLS format  190
    Exporting to CSV format  190
  Attributes of exported iView reports  190

Chapter 31. Using iView settings  193
  Introduction  193
  Using database settings  193
  Using appearance settings  194
  Using enterprise overview settings  195
  Using trend settings  196
  Using incident tracking settings  197

Chapter 32. Distributing reports  199
  Upgrading  199
    Disk space limit  199
  Functionality overview  200
    Email Settings  201
    Manage Users  201
    Distribution Tasks  202
  Setting up automated report distribution  204
  Matching database load and distribution schedules  205

Chapter 33. Understanding and using Management Modules  207
  Compliance dashboard  207
  Report center  207
  Policy template  207
  Classification template  208
  Resource center  208
  Using Management Modules  208

Chapter 34. Cross-platform collecting and storage of audit logs and log data  211
  Using the interface of the Log Manager  211
  Using the Log Manager  211
    Summary statistics on audit logs  212
  Inquiring about collection events  213
    Paged list view of the Log Manager  215
  Inquiring about the completeness of log collections  216
    Continuity graph  216
    Continuity list  217
  Inquiring about activity for some log event types  218
  Investigating the log depot with the Log Manager  219
    Depot investigation tool  220
    Working with the Depot investigation tool interface  220
    Searching with the Depot Investigation Tool  225
    Example queries  227
  Retrieving audit logs with the Log Manager  228
    Using the replay tool  230
  Getting information about the Log Manager release  232
  Using common procedures  232
    Filtering reports  232
    Sorting data  232
    Handling of time in reports  233
  Using the settings  234

Appendix A. Support information  237
  Searching knowledge bases  237
    Searching information centers  237
    Searching the Internet  237
  Obtaining fixes  237
  Registering with IBM Software Support  238
  Receiving weekly software updates  238
  Contacting IBM Software Support  239
    Determining the business impact  239
    Describing problems and gathering information  240
    Submitting problems  240

Appendix B. Notices  243
  Trademarks  244

Index  247

Copyright IBM Corp. 1998, 2008

Figures

1. Tivoli Compliance Insight Manager system components  5
2. Data flow  7
3. Point of presence collect  12
4. Remote collect  13
5. SSH collect  14
6. SNMP collect  15
7. Syslog NG collect  16
8. Collect using an external API  17
9. FTP collect  18
10. Mapping and loading steps  21
11. Exiting the Management Console  44
12. Logging on as a different user  45
13. View menu for toolbars  48
14. Context menu of the Management Console toolbars  49
15. Context menu of GEM database  51
16. Setting the Export schedule  53
17. Importing log data  54
18. Creating a Machine Group dialog  55
19. Renaming a Machine Group dialog  56
20. Selecting an option to rename a system group  56
21. Changing the group for a system  58
22. List of available Machine Groups  59
23. Removing a system that has audit data collected  59
24. Properties of a deleted system  60
25. Reattaching a previously deleted system  61
26. Starting the Add Event Source command  62
27. Changing the properties of an event source  62
28. Choosing an audit policy profile  63
29. Choosing an event source  64
30. Choosing the type of removal  65
31. Choosing a recurrence pattern for a user information source  66
32. Renaming a user information source  67
33. Adding a new GEM database  70
34. Adding an event source to a database  71
35. Moving an event source to another database  72
36. Setting a sliding load schedule  75
37. A sliding load schedule reflected in the Set Schedules dialog  76
38. Duplicating a policy when creating a new policy  91
39. The Edit Rule window  114
40. The What dimension of the attention rule before the drag-and-drop  115
41. The What dimension of the attention rule after the drag-and-drop  116
42. The Alert Maintenance window in the Management Console  117
43. Editing the alert recipient  118
44. General protocol settings dialog for the Email protocol  122
45. Protocol Settings dialog for the SNMP protocol  123
46. Protocol Settings dialog for the Custom protocol  124
47. Protocol Settings dialog with the active Delay tab  128
48. Entry window of the Policy Generator  130
49. Determining the number of unassigned assets (outlined in red)  135
50. Confirming the status change page for scoping  136
51. Viewing scoping information for the Who dimension  137
52. Adding a user to a scoping group  139
53. Current security status of the information environment  150
54. The iView navigation bar icons  151
55. The GEM list  159
56. Connecting to the database GEM  160
57. Verifying the selected database  160
58. Location of iView filtering icons  162
59. iView Filter Settings dialog  162
60. Sorting event lists  163
61. List of user activities  167
62. Report of user activities  168
63. Events list for a time frame  169
64. Description of a listed event  170
65. Setup to display events for a time interval: an example  174
66. Database settings pane  194
67. Appearance pane  195
68. Enterprise Overview Settings options  195
69. Trend Settings options  197
70. Incident Tracking settings value  197
71. The Automated Report Distribution page  201
72. Email Settings  201
73. List of distribution tasks and the Add distribution task button  202
74. Settings for creating a distribution task  203
75. Configuration of report definitions for a distribution task  203
76. Selection of report distribution recipients for the distribution task  204
77. Load schedule prompts for databases  205
78. Schedule options for distribution tasks  206
79. Regulatory Compliance: primary steps  208
80. Color legends key  215
81. Three sections on the Depot Investigation Tool page  220
82. Query builder: Time Period subsection  221
83. Query builder: Event Source subsection  221
84. Query builder: Select fieldnames  222
85. Example of content search criteria  222
86. Example of summary search results  223

Tables

1. Elements of a security policy  33
2. Access rights of the Tivoli Compliance Insight Manager user role  87
3. Fields of the Event File parameter  124
4. Data scoping terminology  134
5. iView navigation controls  151
6. Standard iView reports  161
7. Fields in iView  179
8. Entries and their content displayed in the finished report  184
9. Web pages in the Log Manager  211
10. Optional parameters to identify the location of a log set  230
11. Fixed settings in the Log Manager  235

About this publication


IBM Tivoli Compliance Insight Manager provides log and audit trail information from across the enterprise that you can securely store, query, and use for investigative and compliance management. You can purchase optional modules for complying with the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, Payment Card Industry Data Security Standard, Basel II, and ISO 27001.

This product collects, stores, normalizes, and analyzes the logs that document and describe all user behavior in your IT environment, and it compares the log data to acceptable use policies that your organization and your regulators define. IBM Tivoli Compliance Insight Manager can help you prepare for security audits and help track compliance with regulatory requirements, generate and enforce security policy, and monitor, investigate and report on privileged (trusted) user activity. You can improve operational efficiency while managing real-time security events.

The IBM Tivoli Compliance Insight Manager: User Guide describes system components and processes that IBM Tivoli Compliance Insight Manager uses, and explains how to set up and maintain event monitoring activity to obtain security data and logs, security and compliance reports, and alerts. You can learn how to create your enterprise-wide security policy and maintain it, manage individual systems and system groups in your enterprise, define and track users' roles, create and manage alerts, and regulate (scope) access to information that is generated in reports.

Intended audience
This publication is intended for administrators and system programmers whose roles include security officer, security manager, EDP auditor, or one who monitors events in the enterprise IT environment. Individuals who manage and handle such security standards as Sarbanes-Oxley, GLBA, HIPAA, Basel II, and ISO 27001 can use this publication to learn the basics of using all pertinent aspects of IBM Tivoli Compliance Insight Manager. You should be familiar with operating systems concepts and site system standards, and know how to perform routine security administration tasks. This publication is also useful for network planners and individuals who must plan, implement, and maintain security policy and a compliance strategy in their IT environments.

Publications
This section lists publications in the Tivoli Compliance Insight Manager library and any related documents. The section also describes how to access Tivoli publications online and how to order Tivoli publications.

Tivoli Compliance Insight Manager library


The following documents are available in the Tivoli Compliance Insight Manager library:

- IBM Tivoli Compliance Insight Manager: Installation Guide, GC23-6580-00
  Provides an overview of the installation process and describes installing and configuring each of the Tivoli Compliance Insight Manager components. Information is provided on configuring auditing for supported systems and deploying event and user information sources.
- IBM Tivoli Compliance Insight Manager: User Guide, SC23-6581-00
  Provides an overview of the Tivoli Compliance Insight Manager components and processes and describes performing common management, maintenance, and reporting tasks using the Management Console and iView.
- IBM Tivoli Compliance Insight Manager: User Reference Guide, SC23-6582-00
  Provides reference information about the General Scanning Language (GSL) and the GSL Toolkit, which is used to develop and analyze unique event sources using Tivoli Compliance Insight Manager.
- IBM Tivoli Compliance Insight Manager: IBM Tivoli Basel II Management Module Installation Guide, GC23-6583-00
  Provides an overview and installation information for the IBM Tivoli Basel II Management Module.
- IBM Tivoli Compliance Insight Manager: IBM Tivoli GLBA Management Module Installation Guide, GC23-6584-00
  Provides an overview and installation information for the IBM Tivoli GLBA Management Module.
- IBM Tivoli Compliance Insight Manager: IBM Tivoli HIPAA Management Module Installation Guide, GC23-6585-00
  Provides an overview and installation information for the IBM Tivoli HIPAA Management Module, which can help you detect, keep records of, and monitor potential security violations against electronic protected health information (ePHI).
- IBM Tivoli Compliance Insight Manager: IBM Tivoli ISO27001 Management Module Installation Guide, GC23-6588-00
  Provides an overview and installation information for the IBM Tivoli ISO27001 Management Module.
- IBM Tivoli Compliance Insight Manager: IBM Tivoli PCI-DSS Management Module Installation Guide, GC23-6589-00
  Provides an overview and installation information for the IBM Tivoli PCI-DSS Management Module.
- IBM Tivoli Compliance Insight Manager: IBM Tivoli Sarbanes-Oxley Management Module Installation Guide, GC23-6587-00
  Provides an overview and installation information for the IBM Tivoli Sarbanes-Oxley Management Module.

Accessing terminology online


The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available at the following Tivoli software library Web site:

http://publib.boulder.ibm.com/tividd/glossary/tivoliglossarymst.htm

The IBM Terminology Web site consolidates the terminology from IBM product libraries in one convenient location. You can access the Terminology Web site at the following Web address:

http://www.ibm.com/software/globalization/terminology

Accessing publications online


IBM posts publications for this and all other Tivoli products, as they become available and whenever they are updated, to the Tivoli Information Center Web site at http://publib.boulder.ibm.com/infocenter/tivihelp/v3r1/index.jsp.

Note: If you print PDF documents on other than letter-sized paper, set the option in the File > Print window that allows Adobe Reader to print letter-sized pages on your local paper.

Ordering publications
You can order many Tivoli publications online at: http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.

You can also order by telephone by calling one of these numbers:

- In the United States: 800-879-2755
- In Canada: 800-426-4968

In other countries, contact your software account representative to order Tivoli publications. To locate the telephone number of your local representative, perform the following steps:

1. Select http://www.elink.ibmlink.ibm.com/publications/servlet/pbi.wss.
2. Select your country from the list and click Go.
3. Click About this site in the main panel to see an information page that includes the telephone number of your local representative.

Accessibility
Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. This product is not accessible; you might not be able to use assistive technologies to hear and navigate the interface. You might not be able to use the keyboard instead of the mouse to operate all features of the graphical user interface.

Tivoli technical training


For Tivoli technical training information, refer to the following IBM Tivoli Education Web site at: http://www.ibm.com/software/tivoli/education.

Support information

If you have a problem with your IBM software, you want to resolve it quickly. IBM provides the following ways for you to obtain the support you need:

Online
   Navigate to the IBM Software Support site at http://www.ibm.com/software/support/probsub.html and follow the instructions.

IBM Support Assistant
   The IBM Support Assistant (ISA) is a free local software serviceability workbench that helps you resolve questions and problems with IBM software products. The ISA provides quick access to support-related information and serviceability tools for problem determination. To install the ISA software, navigate to http://www.ibm.com/software/support/isa.

Conventions used in this publication

This publication uses several conventions for special terms and actions, operating system-dependent commands and paths, and margin graphics.

Typeface conventions

This publication uses the following typeface conventions:

Bold
   • Lowercase commands and mixed case commands that are otherwise difficult to distinguish from surrounding text
   • Interface controls (check boxes, push buttons, radio buttons, spin buttons, fields, folders, icons, list boxes, items inside list boxes, multicolumn lists, containers, menu choices, menu names, tabs, property sheets), labels (such as Tip: and Operating system considerations:)
   • Keywords and parameters in text

Italic
   • Citations (examples: titles of publications, diskettes, and CDs)
   • Words defined in text (example: a nonswitched line is a point-to-point line)
   • Emphasis of words and letters (words as words example: "Use the word that to introduce a restrictive clause."; letters as letters example: "The LUN address must start with the letter L.")
   • New terms in text (except in a definition list): a view is a frame in a workspace that contains data.
   • Variables and values you must provide: ... where myname represents....

Monospace
   • Examples and code examples
   • File names, programming keywords, and other elements that are difficult to distinguish from surrounding text
   • Message text and prompts addressed to the user
   • Text that the user must type
   • Values for arguments or command options

Operating system-dependent variables and paths

This publication uses the Windows convention for specifying environment variables and for directory notation. When using the UNIX command line, replace %variable% with $variable for environment variables and replace each backslash (\) with a forward slash (/) in directory paths. The names of environment variables are not always the same in the Windows and UNIX environments. For example, %TEMP% in Windows environments is equivalent to $TMPDIR in UNIX environments.

Note: If you are using the bash shell on a Windows system, you can use the UNIX conventions.


Part 1. Introduction

Copyright IBM Corp. 1998, 2008


Chapter 1. Tivoli Compliance Insight Manager Overview

IBM Tivoli Compliance Insight Manager is a security compliance technology that collects, analyzes, and archives log data and produces detailed security reports on information security policy compliance.

Recent high profile data security breaches have raised awareness of the importance of strong data security measures and of the consequences of data compromises. In response, world governments and international industry groups passed stringent regulations mandating that organizations implement and monitor security policy compliance with detailed requirements. Failure to comply with information security protocols required by laws such as the Gramm-Leach-Bliley Act (GLBA) and Basel II, or by industry groups such as the Payment Card Industry Data Security Standard (PCI) and ISO 27001, carries stiff penalties for organizations, in addition to the risk of data compromises and their consequences.

To comply with these increased demands for data security, organizations must implement comprehensive security policies and safeguards and monitor access to confidential information, changes to critical systems, and appropriate use of data. Additionally, organizations are asked to retain the logs generated by numerous devices and systems for security compliance analysis and investigation.

Tivoli Compliance Insight Manager performs these main tasks:
• Collect logs from numerous applications, operating systems, and platforms
• Archive logs in a secure database while enabling you to search and retrieve logs for forensic analysis
• Normalize logs into the patent-pending W7 language, which puts cryptic log terms into everyday business terms such as who, what, and where
• Produce detailed reports on security compliance that can be easily understood by business managers and auditors

Monitoring compliance

Monitoring network security and policy compliance can be a complex undertaking, requiring you to track how people (your privileged users, outsourced departments, trusted users, and consultants) interact with technology (your applications, databases, operating systems, and devices) without impeding their legitimate activities. Devices and systems throughout an organization's network generate logs of user activities, processes, and events every time a person or system interacts with the network. However, performing comprehensive log analysis usually requires specialists to interpret the audit data from particular systems.

Using the patent-pending W7 language, which puts cryptic log terms into everyday business terms such as who, what, and where, Tivoli Compliance Insight Manager generates reports on network activity that anyone in your organization can understand. You do not have to be a network security expert to understand what policy violation occurred and who did it.

Tivoli Compliance Insight Manager automatically gathers the audit data from the systems and analyzes it, alerting on policy exceptions and special attentions and reporting on trends in security incidents, user behavior, and other activities. These reports may be helpful in addressing compliance breaches and documenting that the organization has implemented the appropriate information security policies.

Tivoli Compliance Insight Manager can be used to monitor compliance with your organization's security policies. Optional reporting modules can be used with Tivoli Compliance Insight Manager to provide reports specific to the following regulations:
• Basel II
• Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• ISO 27001
• Payment Card Industry Data Security Standard Version 1.1 (PCI)
• Sarbanes-Oxley Act

Note: Customers are responsible for ensuring their own compliance with various laws and with various standards. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal, accounting, or auditing advice, or represent or warrant that its products or services will ensure that the customer is in compliance with any law.


Chapter 2. How Tivoli Compliance Insight Manager works

Tivoli Compliance Insight Manager is a security compliance system that operates as a system on your network to collect, analyze, and archive log data and produce detailed security reports on information security policy compliance. This chapter discusses the components of the Tivoli Compliance Insight Manager system and explains how it works at a high level.

System components

The Tivoli Compliance Insight Manager environment includes the following components:
• Enterprise Server
• Standard Server
• Actuator(s)
• Web-based Portal
• Management Console

An operational Tivoli Compliance Insight Manager Cluster configuration is comprised of one Enterprise Server and one or more Standard Servers.

Figure 1. Tivoli Compliance Insight Manager system components



Standard Server

The Tivoli Compliance Insight Manager Standard Server consists of the following basic components:

Standard Server
   A Windows-based Tivoli Compliance Insight Manager server that collects, archives, normalizes, and reports on log data from audited systems and devices. The Standard Server is the heart of the security audit and compliance system.

iView reporting application
   A Web-based user interface providing a trend dashboard, event drill-down, and detailed reports.

Policy Generator
   A Web-based user interface for building security policies.

Management Console
   An administrative interface for configuring policies and for adding, removing, and managing audited systems, Tivoli Compliance Insight Manager Servers, users, and groups.

Enterprise Server

The Tivoli Compliance Insight Manager Enterprise Server consists of the following basic components:

Enterprise Server
   A Windows-based Tivoli Compliance Insight Manager server that provides centralized log management and forensic functions, enabling these features to operate across multiple Tivoli Compliance Insight Manager Standard Servers. From one Enterprise Server you can get a consolidated view of log collections and log continuity, in addition to being able to search and download logs.

iView reporting application
   A Web-based user interface providing a trend dashboard, event drill-down, and detailed reports.

Policy Generator
   A Web-based user interface for building security policies.

Log Manager
   A Web-based user interface for reporting on log collections and continuity and for searching and downloading logs.

Management Console
   An administrative interface for configuring policies and for adding, removing, and managing audited systems, Tivoli Compliance Insight Manager Servers, users, and groups.

Actuator
Tivoli Compliance Insight Manager uses actuator software to maintain a secure connection between the Tivoli Compliance Insight Manager server and the agents running on the audited systems. The actuator scripts enable the agent to collect audit data from supported platforms, which are called event sources.



How the system works

Devices and systems throughout an organization's network generate logs of user activities, processes, and events every time a person or system interacts with the network. These logs provide a record of all network activities and can be analyzed to show whether user behavior is in compliance with security policy.

Tivoli Compliance Insight Manager works by collecting audit data from audited systems and devices in the network. An event source enables Tivoli Compliance Insight Manager to collect audit data from different platforms and operating systems. Once Tivoli Compliance Insight Manager has collected the audit data, it processes the data by normalizing the logs into easily searchable fields. During processing, Tivoli Compliance Insight Manager compares all logs to established security policies. Policy breaches and other suspicious or unusual events are brought to your attention by alerts and notifications, trend graphs, and reports. You can see the security status of the audited systems in the Tivoli Compliance Insight Manager Portal.

Data processing
The Tivoli Compliance Insight Manager system runs several processes to collect, analyze, and report on audit data. Figure 2 shows how Tivoli Compliance Insight Manager processes the source logs (the original log or audit data).

Figure 2. Data flow


Collect process
Tivoli Compliance Insight Manager retrieves audit data from the audited systems using a process called Collect. The collect process can retrieve data from audited systems in several ways, including a batch collect, point of presence, SSH, remote collect, syslog collect, and SMTP collect, which are discussed in more detail in Chapter 3, Collecting audit data, on page 11.

Centralized storage
Once the audit data has been collected, the original log data is stored in the centralized log depot, or depot, on the Tivoli Compliance Insight Manager server. The depot supports the data centralization function of Tivoli Compliance Insight Manager, and data remains there until it is expressly backed up and removed. Audit data in the log depot is indexed, facilitating search queries and log retrieval for forensic analysis. The Tivoli Compliance Insight Manager Log Manager provides centralized log management, reporting on log collection activities, and log search and retrieval functions. Retrieved logs can be analyzed using external tools such as log readers on the source platform.

Mapping and loading processes

After audit data has been collected and stored, Tivoli Compliance Insight Manager normalizes the logs into a data model called the Generic Event Model (GEM) using a process called mapping. The mapped data is put into a GEM database using a process called loading. GEM databases are periodically (usually daily) emptied and loaded with more recent data. Data from the previous day is kept in the database, ready for analysis. If necessary, other data from the depot can be mapped and loaded manually using commands.

Aggregation and consolidation processes

After audit data has been normalized in the GEM database, the Tivoli Compliance Insight Manager Standard Server builds a special database using a process called aggregation. The purpose of aggregation is to summarize all of the data in order to create trend and summary reports, which span a longer period of time than the data in the GEM database.

In a Tivoli Compliance Insight Manager cluster system, the aggregation data from all servers in the cluster is collected by a process called consolidation. The Standard Server contains a special database called the consolidation database that delivers enterprise-wide trend and summary reports using data from all of the servers in a cluster.

Viewing data analyses and reports

Once these processes have occurred, numerous reports and trending facilities are available through your web browser client using iView, Tivoli Compliance Insight Manager's web-based reporting application. You can review trend graphics showing the status of security events over time; examine the contents of the GEM database(s), aggregation, and consolidation databases; drill down into security events; perform administrative tasks to manage security events; and run numerous reports on the data.

The Portal is a Web-based interface that enables you to access iView, the Policy Generator, Scoping, the Log Manager (only available on the Enterprise Server), and any Tivoli Compliance Insight Manager Management Modules that are installed.

iView is Tivoli Compliance Insight Manager's Web-based reporting interface. iView's trend graphics show security events over the past 24 hours, past week, past month, and past year. You can see security events across all databases, or you can drill down into a specific database. You can also drill down to see details about a security event and perform administrative tasks on the event, such as assigning it to staff for investigation and writing notes about the event. For more information, see Chapter 21, Understanding iView, on page 147.

The Policy Generator is a Web-based application used to create a security policy using information in the database. For more information, see Chapter 18, Using the Policy Generator, on page 129.

Scoping is a Web-based application used to configure end-user access to information in iView. For more information, see Chapter 19, Scoping data, on page 131.

The Log Manager is a Web-based application used to provide centralized log management reporting. For more information, see Chapter 34, Cross-platform collecting and storage of audit logs and log data, on page 211.

Management Modules are optional Web-based applications that provide specialized reports for several regulations and standards. For more information, see Chapter 33, Understanding and using Management Modules, on page 207.


Chapter 3. Collecting audit data

Tivoli Compliance Insight Manager can collect event logs, or audit data, in several ways. This section explains how different collect mechanisms work.

A collect is the process of retrieving audit data from the audited systems and applications and archiving it in a central location on the Tivoli Compliance Insight Manager Server called the log depot or depot. A collect is facilitated by an event source and an actuator. The security log from each operating system, platform, or application that is monitored, or audited, by Tivoli Compliance Insight Manager is called an event source. A special piece of software, called an Actuator, enables Tivoli Compliance Insight Manager to collect and process audit data from a given operating system or application. For example, the actuator for Solaris enables Tivoli Compliance Insight Manager to collect the security log from a Solaris system, and this log is a Solaris event source.

For several event sources, Tivoli Compliance Insight Manager supports the collection of original audit logs; that is, the collection mechanism does not affect the type, structure, and content of the audit log that a specific platform produced. The Log Retrieval Tool can retrieve the log files from the depot. For more information, see Investigating the log depot with the Log Manager on page 219.

Each event source is associated with a schedule that determines how often audit data is collected. The collection schedule, which is configured in the Management Console, is typically set to collect hourly.

Using batch collects

The most common way to collect audit data uses a batch collect. An application creates a security log on a system every time someone uses the application or the application runs a process. These logs contain records of many events, which are all processed together as a batch. The Tivoli Compliance Insight Manager system collects and stores this batch as a whole.

Once the Server has collected a batch of events, it stores it in a data structure called a chunk log or chunk. Each chunk consists of a header file and one or more data files, which are called sub-chunks. A chunk log contains the security log of a given system or application for a given period of time.

For example, assume that the Tivoli Compliance Insight Manager system is collecting audit data every hour, on the hour. One chunk log records events from 1 p.m. to 2 p.m. At 2 p.m., Tivoli Compliance Insight Manager runs a batch collect and collects the audit data from the application. The next chunk records events from 2 p.m. to 3 p.m. At 3 p.m., Tivoli Compliance Insight Manager runs another batch collect and collects the audit data from the application. Both chunks, from 1-2 p.m. and from 2-3 p.m., are portions of the security log from the audited application. Together, the chunks constitute the whole security log.



Collecting from a point of presence

The simplest collect configuration uses an Actuator that is installed on the audited system itself. Figure 3 shows an audit data collect using a point of presence, with the following steps:

Figure 3. Point of presence collect

1. The collect schedule is triggered.
2. The Server issues a collect log command to the Actuator. This command activates the Actuator on the audited system.
3. The Actuator reads the security log and collects only those records that it has not previously collected.
4. The Actuator formats the collected records into the chunk format and compresses the chunk.
5. The agent reads the chunk log and encrypts it.
6. The agent sends the log from the Actuator system to the Server.
7. The Server archives the chunk in the depot and maintains a directory structure where each event source has its own subdirectory to store chunks.
8. After successfully sending the chunk to the Server, the Actuator deletes its local copy.
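The eight steps above as a runnable model, added here as an example; this is not the Actuator's or Server's own code. It assumes a line-oriented security log, a high-water mark as the way the Actuator remembers what it already collected, a chunk laid out as a header line plus one zlib-compressed sub-chunk, and a per-event-source subdirectory in the depot. The agent's encryption in step 5 is stood in for by a SHA-256 digest that the Server verifies before archiving; the file names, header fields and the event source name are invented for the example.

```python
"""Model of an incremental point of presence collect (constructed example).

Not Tivoli Compliance Insight Manager code: it illustrates steps 2-4, 7 and 8
with a high-water mark, a header + sub-chunk layout, zlib compression and a
per-event-source depot directory. Step 5 (encryption in transit) is replaced
by a SHA-256 digest that the server checks; all names are assumptions.
"""
import hashlib
import json
import os
import tempfile
import zlib


class Actuator:
    """Reads an audited system's log and packages new records into chunks."""

    def __init__(self, log_path, event_source, spool_dir):
        self.log_path = log_path
        self.event_source = event_source
        self.spool_dir = spool_dir
        self.offset = 0      # bytes of the log already collected (high-water mark)
        self.sequence = 0    # chunk counter for this event source

    def collect(self):
        """Steps 3-4: collect only uncollected, complete records; return chunk path or None."""
        with open(self.log_path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
        end = data.rfind(b"\n")          # a partial trailing line waits for the next run
        if end == -1:
            return None
        data = data[:end + 1]
        self.offset += len(data)
        self.sequence += 1
        header = {
            "event_source": self.event_source,
            "sequence": self.sequence,
            "records": data.count(b"\n"),
            "sha256": hashlib.sha256(data).hexdigest(),   # integrity stand-in for step 5
        }
        path = os.path.join(self.spool_dir, f"{self.event_source}-{self.sequence:06d}.chunk")
        with open(path, "wb") as fh:
            fh.write(json.dumps(header).encode() + b"\n")  # header line, then one sub-chunk
            fh.write(zlib.compress(data))
        return path


class Server:
    """Step 7: archives chunks in depot/<event source>/ after verifying them."""

    def __init__(self, depot_dir):
        self.depot_dir = depot_dir

    def archive(self, chunk_path):
        with open(chunk_path, "rb") as fh:
            header = json.loads(fh.readline())
            body = fh.read()
        if hashlib.sha256(zlib.decompress(body)).hexdigest() != header["sha256"]:
            raise ValueError("chunk failed integrity check; not archived")
        es_dir = os.path.join(self.depot_dir, header["event_source"])
        os.makedirs(es_dir, exist_ok=True)
        with open(os.path.join(es_dir, os.path.basename(chunk_path)), "wb") as fh:
            fh.write(json.dumps(header).encode() + b"\n" + body)
        return header["records"]


def collect_cycle(actuator, server):
    """One scheduled collect (steps 1-8). Returns records archived, 0 if nothing new."""
    chunk = actuator.collect()
    if chunk is None:
        return 0
    records = server.archive(chunk)
    os.remove(chunk)        # step 8: the local copy goes only after a successful send
    return records


def demo():
    """Three collects against a growing constructed log.
    Returns (records per cycle, depot subdirectory contents, spool contents)."""
    with tempfile.TemporaryDirectory() as work:
        log = os.path.join(work, "secure.log")
        spool = os.path.join(work, "spool")
        os.makedirs(spool)
        act = Actuator(log, "solaris-host1", spool)
        srv = Server(os.path.join(work, "depot"))
        with open(log, "ab") as fh:     # constructed log lines
            fh.write(b"13:05 login user=alice tty=pts/0\n13:40 su user=alice to=root\n")
        counts = [collect_cycle(act, srv)]
        with open(log, "ab") as fh:     # one complete record plus a partial one
            fh.write(b"14:10 logout user=alice\n14:59 login user=bob tty=")
        counts.append(collect_cycle(act, srv))
        counts.append(collect_cycle(act, srv))   # nothing complete yet: no chunk
        layout = sorted(os.listdir(os.path.join(work, "depot", "solaris-host1")))
        return counts, layout, os.listdir(spool)
```

The second cycle shows the detail that matters for continuity: the Actuator advances its mark only past complete records, so the half-written line is neither lost nor archived twice, and the third cycle produces no chunk at all rather than an empty one.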


Remote collecting for Windows

Remote collect does not require a running agent on the audited system. Remote collect uses a remote data retrieval mechanism from an independent vendor. The most common configuration is used for event sources based on the Windows log mechanism. For remote collect, the configuration is slightly different, but the steps remain the same, as Figure 4 shows:

Figure 4. Remote collect

1. The collect schedule is triggered.
2. The Server issues a collect log command to the Actuator. This command activates the Actuator on the Actuator system, which can be any Windows point of presence, including the Server itself.
3. The Actuator reads the security log from the audited system through the Windows event management API and collects only those records that it has not previously collected.
4. The Actuator formats the collected records into the chunk format and compresses the chunk.
5. The agent reads the chunk log and encrypts it.
6. The agent sends the log from the Actuator system to the Server.
7. The Server archives the chunk in the Depot and maintains a directory structure where each event source has its own subdirectory to store chunks.
8. After successfully sending the chunk to the Server, the Actuator deletes its local copy.

Note: Windows remote collect requires that the point of presence be run by a user that has access to the Security Event Log on the remote system. During the installation of the point of presence, set the OS account for IBM TCIM field to a user with the Manage auditing and security log permission on the audited machine, or assign the user that permission before installing Windows remote collect. This action ensures that the event management API can be used from the point of presence to access the audited system. Typically, this user also is an administrator for the domain which contains the point of presence and audited machine.

SSH collecting
SSH collect is another variation of a remote collect. It can be used with event sources that are based on UNIX and Linux. The configuration is similar to Windows remote collect. However, in this case, the data retrieval mechanism utilizes an SSH connection from the point of presence to the audited system. Figure 5 shows an example of SSH collect.

Figure 5. SSH collect

Note: SSH collect requires SSH configuration on the audited systems and SSH access to these systems from the point of presence.

Syslog and SNMP collecting

IBM Tivoli Compliance Insight Manager can process and analyze security events that are collected through the syslog and SNMP network logging mechanisms. To collect network events, a component should listen on the network and receive all incoming events. The Tivoli Compliance Insight Manager Actuator has a built-in listening component that can be activated on any Windows point of presence and can receive both SNMP and Syslog messages. Figure 6 shows an example of syslog and SNMP collect.

Figure 6. SNMP collect

The receiving component listens on the network and stores all received messages in a file, which the rest of the system regards as a regular event log that is collected and processed according to the event source collect schedule. For high-volume syslog processing, however, a Microsoft Windows-based receiver might not deliver the necessary performance. In these situations, you might want to use a Linux-based syslog daemon that provides better performance, such as Syslog NG. Figure 7 on page 16 shows an example of a Syslog NG collect.


Figure 7. Syslog NG collect

The output of the syslog daemon is processed by the rest of the Tivoli Compliance Insight Manager system as data from a regular event source.

Collecting using external APIs

Obtaining security event data frequently involves using an API, for which a specific API event source exists. Whenever such an API works across a network link, this affects the collect configuration. A common example is auditing network appliances. A network appliance usually comes with a management console or other external component that interacts with it. That component also provides the API to obtain the event data. Figure 8 on page 17 shows an example of a collect configuration using an external API.


Figure 8. Collect using an external API

Other examples of using external APIs and protocols are database-based logs, collected through ODBC, and the Firewall-1 OPSEC protocol. These mechanisms require that the environment is configured correctly so that the interfaces that the Actuator needs are available.

Custom collecting mechanisms (collecting with FTP)

If no other suitable collect mechanism is available, a custom script is scheduled on the platform of the event source. The log data is put in a folder where it can be picked up by the Actuator. Figure 9 on page 18 shows an example of a custom collect mechanism.


Figure 9. FTP collect

This collect mechanism requires the source platform to run the data preparation script regularly. The actual configuration varies for different event source types, and may use FTP, either by the data preparation script, or by the Actuator, or by both.


Chapter 4. Performing forensic analysis

After audit data is collected and stored in the Log Depot, it is available for analysis and reporting. IBM Tivoli Compliance Insight Manager provides two methods for analysis:
• Forensic analysis
• W7 mapping and reporting

Forensic analysis is used to follow up on security incidents and to detect unusual behavior by finding anomalies in behavioral trends. W7 mapping and reporting is more systematic, because it processes all data and verifies policy compliance for all events. This section explains some of the concepts involved in forensic analysis, and W7 mapping is introduced in detail in Chapter 5, GEM mapping and W7 normalization, on page 21.

Depot indexing

Once audit data is stored in the Standard Server's log depot, the Standard Server indexes the logs by fieldname. This depot indexing facilitates Tivoli Compliance Insight Manager's log investigation and retrieval functions, which allow you to search audit data for specific events or users.

Each server in a Tivoli Compliance Insight Manager cluster can collect audit data from event sources, normalize the data, and load the data into GEM databases for reporting. Each server has its own log depot for data storage. The log depot can be located on a local drive or on a network device. Only the Standard Server can index the data in the log depots for all servers in the cluster. Because this task is processor-intensive, the Standard Server typically is dedicated to indexing and consolidating the audit data from the other servers.

Note: The Indexer service cannot be disabled from the interface of Tivoli Compliance Insight Manager. Indexer disabling is possible through the standard Windows services tool. To disable the Indexer service, perform the following steps:
1. Select Start > Settings > Control Panel.
2. In the control panel, double-click Administrative Tools.
3. Double-click Computer Management and scroll down to the Indexing Service.

Disabling the Indexer service causes all indexes for this service to stop updating so that the Investigation page always displays the same (latest) results.

Depot investigation

You can use Tivoli Compliance Insight Manager's Depot Investigation Tool on the Standard Server to search all of the audit data stored in the log depots of all of the servers in a cluster. The Depot Investigation Tool enables you to use keyword queries and Boolean search strings to locate logs containing a matching event, user, or other event source fieldname. The search returns a report of all matching events, which are parsed into data fields but not normalized. Because these fieldnames are specific to the event source type, interpreting the report may require knowledge of the source platform and its specific concepts.
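What "indexed by fieldname" and "keyword queries and Boolean search strings" amount to, shown as an added example that is not the Depot Investigation Tool's own code. The two event source types, the name=value record format, the sample records and the query syntax (field:value terms, bare keywords, AND, OR, NOT, parentheses) are all assumptions made for this illustration. Note that the index keeps the source-specific field names (user on the UNIX source, Account on the Windows one), which is exactly why a keyword search for a user name finds hits across sources while a field search does not.

```python
"""Depot indexing by fieldname with keyword and Boolean search: a constructed model.

Added illustration, not the product's Depot Investigation Tool. Records from two
event source types are parsed into fields but not normalized, an inverted index
is built per (fieldname, value) and per bare value, and a small query language
evaluates AND / OR / NOT with parentheses. Sample data and syntax are assumptions.
"""
import re
from collections import defaultdict

# Constructed depot content: one list of records per event source.
DEPOT = {
    "solaris-host1": [
        "ts=2008-03-02T08:30 event=login user=alice tty=pts/0 from=10.0.0.5",
        "ts=2008-03-02T09:15 event=su user=alice to=root",
        "ts=2008-03-02T23:10 event=login user=bob tty=pts/1 from=10.0.0.9",
    ],
    "win-dc01": [
        "EventID=4624 Account=alice LogonType=10 Workstation=WS42",
        "EventID=4625 Account=bob LogonType=3 Workstation=WS07",
        "EventID=4720 Account=svc_backup Subject=bob",
    ],
}


def parse_record(line):
    """Split a record into name=value fields; names stay source-specific (user vs Account)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


class DepotIndex:
    """Inverted index over parsed records: (field, value) -> ids and value -> ids."""

    def __init__(self, depot):
        self.records = []                  # id -> (event source, fields)
        self.by_field = defaultdict(set)   # (fieldname, value) -> record ids
        self.by_word = defaultdict(set)    # value alone -> record ids (keyword search)
        for source, lines in depot.items():
            for line in lines:
                rid = len(self.records)
                fields = parse_record(line)
                self.records.append((source, fields))
                for name, value in fields.items():
                    self.by_field[(name.lower(), value.lower())].add(rid)
                    self.by_word[value.lower()].add(rid)

    # Grammar: or := and ('OR' and)* ; and := not ('AND'? not)* ;
    #          not := 'NOT' not | term ; term := '(' or ')' | field:value | word
    def search(self, query):
        """Return the (event source, fields) records matching a Boolean query."""
        self._tokens = re.findall(r"\(|\)|[^\s()]+", query)
        self._pos = 0
        return [self.records[i] for i in sorted(self._or())]

    def _peek(self):
        return self._tokens[self._pos] if self._pos < len(self._tokens) else None

    def _take(self):
        if self._pos >= len(self._tokens):
            raise ValueError("incomplete query")
        self._pos += 1
        return self._tokens[self._pos - 1]

    def _or(self):
        ids = self._and()
        while self._peek() is not None and self._peek().upper() == "OR":
            self._take()
            ids = ids | self._and()
        return ids

    def _and(self):
        ids = self._not()
        while self._peek() is not None and self._peek().upper() not in ("OR", ")"):
            if self._peek().upper() == "AND":   # juxtaposed terms are an implicit AND
                self._take()
            ids = ids & self._not()
        return ids

    def _not(self):
        if self._peek() is not None and self._peek().upper() == "NOT":
            self._take()
            return set(range(len(self.records))) - self._not()
        return self._term()

    def _term(self):
        tok = self._take()
        if tok == "(":
            ids = self._or()
            self._take()                    # closing parenthesis
            return ids
        if ":" in tok:                      # fieldname:value
            name, value = tok.split(":", 1)
            return set(self.by_field.get((name.lower(), value.lower()), ()))
        return set(self.by_word.get(tok.lower(), ()))


INDEX = DepotIndex(DEPOT)


def search(query):
    """Search the constructed depot; returns [(event source, fields), ...]."""
    return INDEX.search(query)
```

For instance, search("alice") returns three records from both sources, while search("user:alice") returns only the two UNIX records, and search("(user:bob OR account:bob) AND NOT eventid:4625") needs both field names to cover bob's activity on both platforms.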

Log retrieval

When suspicious or interesting events are identified, the original log files in which they are contained can be obtained from the depot using log retrieval. After you have used the Depot Investigation Tool to query the log depot for events, you can retrieve the log files that contain the events. Using the Log Retrieval Tool, you can select the logs that you would like to see and download them.

Log files are returned from the depot in a format that is identical to the original file (for file-based logs) or in a file representation that matches the original format as closely as possible (for log data contained in an RDBMS or obtained through an API). If a log analysis tool such as the Windows Event Viewer is available on the source platform, the log files can be loaded into that tool (for Windows, they are .evt files). For more information about log retrieval, see Retrieving audit logs with the Log Manager on page 228.


Chapter 5. GEM mapping and W7 normalization

Once audit data is centrally stored in the log depot, it can be processed and analyzed. Tivoli Compliance Insight Manager normalizes the audit data into a data model called the Generic Event Model (GEM) and stores the normalized data in a relational database called a GEM database. These two processes are called mapping and loading. In the mapping process, audit data is normalized into the W7 language. In the loading process, the normalized audit data is stored in the GEM database, making it available for reporting. Because mapping precedes and facilitates loading, the two processes often are referred to in combination as a load. Figure 10 illustrates these steps:

Figure 10. Mapping and loading steps (Depot -> Map: determine attributes, groups, apply rules -> Load -> GEM database)

Understanding W7 attributes
During mapping, event records contained in the audit data stored in the log depot are normalized using the W7 language. Devices and systems throughout an organization's network generate logs of user activities, processes, and events every time a person or system interacts with the network. One of the challenges of analyzing security events and monitoring policy compliance is the task of analyzing log files and putting the events that the logs contain into a business context.

Analyzing audit data in a multi-platform environment can be a slow and onerous task, often requiring expertise in a particular operating system or application to read the logs. In addition, different platforms often use different terms to describe the same type of event or characteristic, making it difficult to search for events using a simple text editor. For example, one operating system may call a task "logon" whereas another system may call the same type of task "login." Similarly, one system may ask an end-user to login as a "user," another may ask for a "username," and a third system may ask for a "userid."

W7 is TCIM's patent-pending normalization process, which "translates" logs from diverse applications, operating systems, and platforms into everyday business terms such as "who," "what," "where," and so on. This makes it easy to see security events in the context of a business or organizational environment. These terms are called W7 attributes because they represent attributes of an event. W7 normalizes an event record into the following W7 attributes:

Who
   Which user, application, or process initiated the event?

What
   What type of action does the event represent?

When
   When did the event happen?

onWhat
   What object was affected? An object could be any type of file, database, application, permissions, etc., that was manipulated by the event.

Where
   On which machine did the event happen?

WhereFrom
   Which system is the source of the event?

WhereTo
   Which system is the target of the event?

For example, your security policy may consider system logins to certain systems during non-office hours to be a policy violation. Tivoli Compliance Insight Manager can generate policy exceptions alerting on these violations and can generate reports showing "what" happened (in this case, off-hour logins) "toWhat" systems (in this case, the restricted audited systems). Tivoli Compliance Insight Manager's reports can show "who" violated the policy by normalizing how different systems describe a user.

Understanding W7 groups
The W7 attributes enable Tivoli Compliance Insight Manager to describe security events in a consistent (normalized) manner. In order to monitor your security policy and draw conclusions appropriate for your environment, the W7 attributes are classified into W7 groups. The W7 groups allow you to define how people, technology, and time periods are analyzed in Tivoli Compliance Insight Manager's reports. For example, suppose a login event happens on Sunday morning at 8:30 a.m. The organization's policy forbids system access outside of office hours. If the When group classified the hours between 9 a.m. and 6 p.m. as "office hours," then all other times would be outside of office hours. Similarly, if the When group classified the days between Monday and Friday as "working days," then all other days would be considered outside of the acceptable use time period. Thus, the Sunday morning login event would be considered to be a policy violation, and Tivoli Compliance Insight Manager would generate a policy exception. Similarly, classifying users into specific job roles helps identify policy violations by examining whether a user is inappropriately accessing data or making changes to the system. The Who group classifies users and processes, typically according to job function. For example, the programmers may be classified in the Development Department Who group. If someone in the Development Department Who group was accessing financial databases (which would be classified in the onWhat group), then this may indicate a policy violation. All W7 attributes are classified into the following W7 groups:
• Who groups for classification of users and processes
• What groups for classification of event types
• When groups for classification of time periods
• Where groups for classification of systems and devices
• OnWhat groups for classification of objects

The WhereFrom and WhereTo attributes are both classified using the Where groups. How people, technology, and times are classified depends on your environment and policy objectives. You can define and update W7 groups using the Grouping editor in the Management Console. For more information on the Grouping Editor, see XREF.

Evaluating events using W7 classifications


Tivoli Compliance Insight Manager determines whether an event requires extra attention by comparing its W7 group classifications with a set of user-defined rules. Policy rules and attention rules represent two different ways of evaluating events:
Policy rules
   Rules that describe allowed behavior. A well-defined policy includes rules that thoroughly and explicitly define all allowed behavior.
Attention rules
   Rules that identify events that deserve special investigating attention.
By comparing event W7 attributes with the policy rules and attention rules, the mapping process determines if an event complies with the policy rules. If the event does not comply with the policy rules, then the event is identified as a policy exception. An event may also be considered a special attention, even if it is not a policy exception. Tivoli Compliance Insight Manager ranks events based on their significance, which is determined by grouping and policy evaluation. Each event receives a significance number that indicates the amount of attention an event may require. Significance numbers range from 1 to 99. Events with a significance number between 1 and 9 are considered to be ordinary events; events with a significance number between 10 and 99 are considered to be special attentions and policy exceptions. Events that require immediate attention have higher significance numbers.
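The following Python program is an added illustration of the mapping and evaluation described in this chapter; it is not part of this guide or of the product. Two constructed log records from different platforms are normalized into the seven W7 attributes, classified into Who, What, When, OnWhat and Where groups, and then compared with policy rules and attention rules to produce a significance number. The record formats, the group tables, the rules, and the specific significance values (the guide states only the 1 to 9 and 10 to 99 ranges) are assumptions made for the example.

```python
"""Added example: W7 normalization, grouping and policy evaluation. Not TCIM
code; record formats, group tables, rules and significance values are assumed."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed records from two platforms that name the same activity
# differently ("logon"/"user" versus "login"/"userid").
SAMPLE_LOGS = [
    ("windows", "2008-03-02 08:30:00 EVENT=logon user=jsmith host=FIN-DB01 src=WS-017 status=success"),
    ("unix", "Mar  3 10:15:00 login: userid=mjones tty=pts/0 host=DEV-BUILD from=WS-042"),
    ("unix", "Mar  3 10:16:00 rm: userid=mjones file=/data/finance/ledger.db host=FIN-DB01 from=WS-042"),
]

# Platform-specific action names translated into one shared vocabulary.
ACTION_NAMES = {"logon": "Logon", "login": "Logon", "logoff": "Logoff",
                "logout": "Logoff", "rm": "Delete"}
WIN_RE = re.compile(r"(\S+ \S+) EVENT=(\w+) user=(\S+) host=(\S+) src=(\S+)")
UNIX_RE = re.compile(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\w+): userid=(\S+)"
                     r"(?: tty=\S+)?(?: file=(\S+))? host=(\S+) from=(\S+)")


@dataclass
class W7Event:
    who: str
    what: str
    when: datetime
    onwhat: str
    where: str
    wherefrom: str
    whereto: str


def normalize(platform, line):
    """Map one raw record into the seven W7 attributes."""
    if platform == "windows":
        ts, action, user, host, src = WIN_RE.match(line).groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        obj = host  # a logon acts on the machine itself
    elif platform == "unix":
        ts, action, user, obj, host, src = UNIX_RE.match(line).groups()
        # syslog timestamps carry no year; 2008 is assumed for the sample
        when = datetime.strptime("2008 " + " ".join(ts.split()), "%Y %b %d %H:%M:%S")
        obj = obj or host
    else:
        raise ValueError("unknown platform: " + platform)
    what = ACTION_NAMES.get(action.lower(), action)
    return W7Event(user, what, when, obj, host, src, host)


# Constructed group tables. WhereFrom and WhereTo reuse the Where groups.
WHO_GROUPS = {"jsmith": "Finance Department", "mjones": "Development Department"}
WHAT_GROUPS = {"Logon": "Logon/Logoff", "Logoff": "Logon/Logoff", "Delete": "Data Modification"}
ONWHAT_GROUPS = {"FIN-DB01": "Financial Systems", "DEV-BUILD": "Development Systems",
                 "/data/finance/ledger.db": "Financial Data"}
WHERE_GROUPS = {"FIN-DB01": "Financial Systems", "DEV-BUILD": "Development Systems",
                "WS-017": "Workstations", "WS-042": "Workstations"}


def when_group(ts):
    """Monday to Friday, 09:00 to 18:00 counts as office hours."""
    return "Office Hours" if ts.weekday() < 5 and 9 <= ts.hour < 18 else "Off Hours"


def classify(ev):
    """Classify each W7 attribute into its group; unknown values stay Unclassified."""
    return {"Who": WHO_GROUPS.get(ev.who, "Unclassified"),
            "What": WHAT_GROUPS.get(ev.what, "Unclassified"),
            "When": when_group(ev.when),
            "OnWhat": ONWHAT_GROUPS.get(ev.onwhat, "Unclassified"),
            "Where": WHERE_GROUPS.get(ev.where, "Unclassified"),
            "WhereFrom": WHERE_GROUPS.get(ev.wherefrom, "Unclassified"),
            "WhereTo": WHERE_GROUPS.get(ev.whereto, "Unclassified")}


# A rule names the groups it requires; dimensions it omits match anything.
POLICY_RULES = [  # allowed behaviour; anything not covered is a policy exception
    {"Who": "Finance Department", "What": "Logon/Logoff",
     "Where": "Financial Systems", "When": "Office Hours"},
    {"Who": "Development Department", "Where": "Development Systems"},
]
ATTENTION_RULES = [  # events worth investigating even when allowed
    {"What": "Data Modification", "OnWhat": "Financial Data"},
]


def rule_matches(rule, groups):
    return all(groups.get(dim) == grp for dim, grp in rule.items())


def evaluate(ev):
    """Return the group classification, policy outcome and significance."""
    groups = classify(ev)
    allowed = any(rule_matches(r, groups) for r in POLICY_RULES)
    attention = any(rule_matches(r, groups) for r in ATTENTION_RULES)
    # The guide only states the ranges (1-9 ordinary, 10-99 exception or
    # special attention); the particular numbers here are an assumption.
    sig = 90 if (not allowed and attention) else 50 if not allowed else 20 if attention else 1
    return {"groups": groups, "policy_exception": not allowed,
            "special_attention": attention, "significance": sig}


def run(samples=SAMPLE_LOGS):
    return [evaluate(normalize(platform, line)) for platform, line in samples]
```

Running `run()` on the three sample records yields a Sunday logon to a financial system (policy exception), a weekday developer logon (ordinary), and a deletion of financial data from a development account (policy exception that is also a special attention, the highest significance of the three).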

Chapter 6. Reporting
Once Tivoli Compliance Insight Manager has collected, normalized, and securely stored the audit data, it can run sophisticated analyses on the data and generate numerous reports showing policy compliance status. All reports are accessed through the Portal. Most reports are available through iView, Tivoli Compliance Insight Manager's web-based reporting interface. You can also configure Tivoli Compliance Insight Manager to email reports to you and other recipients. For more information about emailing reports, see Chapter 32, Distributing reports, on page 199. Tivoli Compliance Insight Manager offers a large number of security compliance reports, including:
• Standard reports
• Event detail reports
• Custom reports
• Graphic reports
• Trend reports
• Log management reports
• Compliance module reports customized for a specific regulation or security standard

Standard reports
Tivoli Compliance Insight Manager comes with numerous standard compliance reports. The standard reports list events using the W7 normalized field names, so they identify events using everyday language that can be easily understood by non-specialists in a business context. From a standard report, you can drill down on specific events to see the event detail report, which shows all fields from the selected event. You can modify the standard reports in order to customize them to your environment. The standard reports include the following reports, and many more:
• Direct Database Access Report
• User Account Management Report
• User Summary Report
• Database System Events
• Stored Procedures Exceptions Report
• Privileged Operations Report

Event detail reports


You can see event detail reports showing all fields for a specific event by drilling down on a bubble in the Compliance Dashboard or from any of the standard reports. Event detail reports are often helpful when investigating a security incident.

Custom reports
In addition to modifying the standard reports, you can create your own custom reports using the Custom Reports wizard in iView. Custom reports include the following types of reports:
• Event lists
• Summary reports
• Top-N reports, where N is the number of events in a given time period
• Threshold reports
For more information about custom reports, see Creating a custom report using Custom Report wizard on page 187.

Graphic reports
The Compliance Dashboard is the first screen in iView and it displays two graphic reports. Graphic reports provide visual analyses of security policy compliance activity. The Compliance Dashboard contains the Enterprise Overview graph, the Database Overview, and the Trend graphic.

Enterprise Overview
The Enterprise Overview uses data from the aggregation database to show the compliance status for all audited systems. The Enterprise Overview shows the interaction of two W7 groups. For example, the graphic could show the interaction of the What group, showing system events, and the Who group, showing users as classified by job role. A colored bubble at the intersection of those two groups indicates the level of policy exceptions and special attentions and the severity of those infractions. The size of the bubble indicates the number of policy exceptions and special attentions, while the color of the bubble (red, yellow, or blue) indicates the severity. You can quickly identify problem areas and drill down to see what happened.

Database Overview
The Database Overview uses data from a selected GEM database to show the compliance status for audited systems whose audit data is contained in that database. It is similar to the Enterprise Overview; however, it only shows the compliance status for a selected GEM database. GEM databases are usually organized to contain audit data from a subset of systems within the organization. For example, one GEM database may be used to store audit data from the Finance Department's systems, while another GEM database may be used to store audit data from the Human Resource Department's systems, and so on. The Database Overview can show the compliance status for the GEM database associated with a specific department or business unit. The Database Overview shows the interaction of two W7 groups. A colored bubble at the intersection of those two groups indicates the level of policy exceptions and special attentions and the severity of those infractions. The size of the bubble indicates the number of policy exceptions and special attentions, while the color of the bubble (red, yellow, or blue) indicates the severity. You can quickly identify problem areas and drill down to see what happened.

Trend graphic
The Trend graphic is a line graph that shows changes in the percentage of policy exceptions over a given period of time. You can quickly see whether policy exceptions are increasing or decreasing over time.

Log management reports


The Tivoli Compliance Insight Manager Log Manager contains a set of reports to monitor log collection activities. The History Report shows the number of log collection events that occurred during a given period of time. A log collection event is each instance when Tivoli Compliance Insight Manager attempted to collect audit data. This report tracks the status of log collection events; in the case of a failed log collection, the report provides diagnostic information that you can use to resolve the issue. The Log Continuity Report analyzes log sets, the collected logs stored in the log depot, and reports on how complete the log sets are. If a log set is incomplete, then the report provides diagnostic information that you can use to resolve the issue. Log Manager reports are only available on the Enterprise Server. For more information, see Using the interface of the Log Manager on page 211.

Compliance module reports


There are several optional compliance modules that can be used with Tivoli Compliance Insight Manager to provide reports specific to the following regulations:
• Basel II
• GLBA
• HIPAA
• ISO 27001
• PCI
• Sarbanes-Oxley

The compliance modules contain reports that are mapped to specific line references within the respective regulations and are associated with security protocols that auditors may wish to review.


Part 2. Doing a task in Tivoli Compliance Insight Manager


Chapter 7. Using the Grouping wizard


To create an effective security policy, you must define groups. Tivoli Compliance Insight Manager provides you with out-of-the-box default grouping files that provide solid ideas for the What and When groups. Tivoli Compliance Insight Manager also automatically creates Who groups for NT and Windows 2000 computers. Yet, in many cases you may want to define groups that are more specific to your installation. The Grouping wizard can help you define such groups based on actual log information, which is especially useful to create Who and OnWhat groups. For example, all users who perform administration tasks should be assigned to the administrators' group. You can start the wizard with a preloaded grouping file, or you can create a completely new grouping file with the wizard. Retain the names for the What groups that IBM provides, because they form the basis for the security model in Tivoli Compliance Insight Manager. Over time, you can build more and more standard reports upon these standard group names. The Grouping wizard is also a very powerful tool to analyze your security information, because it shows the Who, OnWhat, When and Where information for each type of operation. You can use the wizard to determine which administrators added a user, or which systems had audit policy modifications.

Opening the Grouping wizard


Use the following steps to open the Grouping wizard:
1. On the iView login page, click the list box and click the Tivoli Compliance Insight Manager Server that you want to view. If you can access only one Server, that entry is displayed without a list box.
2. Type your username and password, and click Login.
3. On the top of the Compliance Dashboard page, click the GEM List tab to display GEM databases on the Server you selected.
4. If the GEM database you want to view is not already selected, click its name to select it. The selected GEM database is displayed with an asterisk (*) after its name. You can select any database that contains loaded data.
5. On the Summary page, click the Groups tab to access the Groups page. Here you find the group types in this database, the number of groups they currently contain, and the Grouping wizard.
6. On the Groups page, click Grouping wizard.

Defining groups with the Grouping wizard


You can use the Grouping wizard to define groups and work with them. You can list groups, create, change or delete groups, or edit a group.

Loading and listing groups


Use the following steps to load and list groups with the Grouping wizard.
1. Click Load Starter Set to load an existing grouping file and get a selection list with all currently defined grouping files. When you select a grouping file, ensure that it matches the platform that you are currently analyzing. For example, take the novell_group file for Novell. After the starter set policy is loaded, you can see numbers (except for zero) for the groups that are previously defined, and you can observe how many different objects exist for each of the five grouping dimensions.
   Note: The WhereFrom and WhereTo dimensions use the same group names as the Where dimension.
2. Click Edit for the group that you want to audit to navigate to the next window. This description is based on the What group edit.

Creating, changing or deleting groups


In the case of the What groups, you see a panel with the currently defined groups on the left-hand side, and the ungrouped events on the right-hand side. The events that are shown as ungrouped may be included in the global (cross-platform) grouping file, such as the logon and logoff records. You can make changes by selecting one of the What groups and double-clicking on the group name, or you can click Edit. You can also create new groups or delete groups.
1. Click Edit to edit a group.
2. Click OK to exit the wizard.
3. A new panel is displayed so that you can add patterns. Click one of the specific events in the left-hand side column, or type in a (partial) pattern in the box at the bottom of the Pattern column and click Add to add the pattern. You can also remove selected patterns from the middle column with Delete. The column on the right shows the events that are matched.
   Note: The other Ws use a very similar panel, but add the event type on top, so that you can view the Ws that are affected for that event.
4. After all the changes are made, click OK until you return to the initial window, which has Save Grouping File.
5. Click Save to preserve the file in the specified location.

Chapter 8. Creating a security policy


To create a security policy, you must have access to the Tivoli Compliance Insight Manager Management Console and the Policy wizard found in Tivoli Compliance Insight Manager iView. You can create a security policy from scratch or from an existing policy. Typically, a security policy is used until it needs updating. Thereafter, you must either adapt it or create a new policy, depending on the level of change that is necessary. At the Management Console you can find your security policies in the following folders:
Committed folder
   In the Committed folder you find the parts of the security policy that you created and plan to use. Tivoli Compliance Insight Manager always uses the last committed policy.
Work folder
   In the Work folder you retain security policies that you are still developing.
The security policy that Tivoli Compliance Insight Manager uses to turn chunk logs into events that you can view using iView is the combination of the last automatic and the last committed policy. Table 1 shows elements that are included in a security policy.
Table 1. Elements of a security policy

Name                    Function
Platforms               The platform types a policy audits. Every platform has its own group definition set.
Group definition sets   A group definition set is a collection of groups defined by the W7 principle.
Group definitions       Every group definition consists of conditions and requirements. An event is part of a group if it adheres to at least one condition. An event adheres to a condition when it adheres to all requirements the condition contains.
Policy rules            A set of rules that define all types of behavior that is permitted in your company. These rules are based on the group definitions. All events that are outside these rules are policy exceptions and can be viewed as such in iView.
Attention rules         Rules to select events that need extra scrutiny. These events may be policy exceptions or legitimate events.

To create a security policy, use the following steps:
1. At the Management Console, create a new policy, which should be either a blank one or a duplicate of an existing one.
2. Create group definitions or change them if necessary.
3. Load events into a GEM database if they have not been loaded yet. You should use a loaded GEM database for policy rules creation. A GEM database could be loaded from the Management Console on a scheduled basis from collected events, or manually.
4. At iView, use the Policy wizard to create policy rules.
5. At the Management Console, create attention rules.
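The following Python code is an added illustration, not part of this guide or of the product, of the group definition rules in Table 1 (an event belongs to a group if at least one condition holds, and a condition holds only when all of its requirements hold) together with the (partial) pattern preview that the Grouping wizard in Chapter 7 shows in its right-hand column. The sample events, the group definitions, the use of shell-style wildcards for requirement patterns, and substring matching for the wizard preview are assumptions made for the example.

```python
"""Added example: group definition semantics (conditions OR-ed, requirements
AND-ed) and a Grouping wizard style pattern preview. Not TCIM code; events,
definitions and pattern syntax are constructed assumptions."""
from fnmatch import fnmatchcase

# Constructed W7-normalized events (attribute name -> value).
SAMPLE_EVENTS = [
    {"who": "root", "what": "Add user", "where": "UNIX-APP01", "onwhat": "account:bwhite"},
    {"who": "wsadmin", "what": "Audit policy change", "where": "WIN-DC01", "onwhat": "Audit policy"},
    {"who": "wsadmin", "what": "Logon", "where": "UNIX-APP01", "onwhat": "UNIX-APP01"},
    {"who": "jsmith", "what": "Read", "where": "FIN-DB01", "onwhat": "/data/finance/ledger.db"},
]

# A group definition is a list of conditions; a condition is a list of
# (attribute, pattern) requirements. Shell-style wildcards are assumed.
GROUP_DEFINITIONS = {
    "Administrators": [
        [("who", "root")],                          # condition 1: one requirement
        [("who", "*adm*"), ("where", "WIN-*")],     # condition 2: both must hold
    ],
    "Financial Data": [[("onwhat", "/data/finance/*")]],
    "Account Management": [[("what", "Add user")], [("what", "Delete user")]],
    "Never Matches": [],                            # a definition with no conditions
}


def requirement_holds(event, attribute, pattern):
    return fnmatchcase(event.get(attribute, ""), pattern)


def condition_holds(event, condition):
    # An event adheres to a condition when it adheres to all its requirements.
    return all(requirement_holds(event, a, p) for a, p in condition)


def in_group(event, definition):
    # An event is part of a group if it adheres to at least one condition,
    # so a definition without conditions matches no event at all.
    return any(condition_holds(event, c) for c in definition)


def groups_for(event, definitions=GROUP_DEFINITIONS):
    """Names of all groups the event belongs to, sorted."""
    return sorted(name for name, d in definitions.items() if in_group(event, d))


def matching_events(pattern, attribute="what", events=SAMPLE_EVENTS):
    """Grouping wizard style preview: events whose attribute contains the
    (partial) pattern typed into the Pattern column."""
    return [e for e in events if pattern in e[attribute]]
```

Note that the second sample event is classified as an administrator only because both requirements of the second condition hold (an account name containing "adm" on a Windows system); the same account logging on to a UNIX host, the third event, falls into no group at all.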

Chapter 9. Using the Policy wizard and creating policy rules


The Policy wizard is a Tivoli Compliance Insight Manager tool that helps you automatically generate a set of policy rules or extend an existing policy rule set. Policy rules define allowed behavior. Most events that happen in a company are normal events, created by normal working activities. The Policy wizard creates rules that represent this behavior, so that actions that these rules do not cover are automatically policy exceptions unless you modify the policy rules manually at the Management Console. Before you can use the Policy wizard you must have installed all Tivoli Compliance Insight Manager components, as described in the IBM Tivoli Compliance Insight Manager: Installation Guide. You can find the Policy wizard in Tivoli Compliance Insight Manager iView. You must have created the policy itself and the group definitions at the Management Console, and you cannot use the Policy wizard to generate attention rules, which must be generated manually at the Management Console. For more information, see Creating attention rules on page 108. The following topics about the Policy wizard are included:
• Steps to take at the Management Console
• Opening the Policy wizard
• Creating or changing policy rules with the Policy wizard
• Importing policy rules into a new or existing policy
• Committing the new or changed policy

Preliminary steps at the Management Console


You must do the following preliminary steps at the Management Console:
1. Start the Management Console.
2. You can create a completely new policy rule set by performing the following steps:
   a. At the Policy pane, create a new policy.
   b. Create the group definitions in the new policy.
   c. Either commit the new policy so that Tivoli Compliance Insight Manager uses it automatically in iView or specify the Load Now option and select the policy.
3. You can modify an existing policy by performing the following steps:
   a. If necessary, modify your group definitions as described in the help file.
   b. If the policy is currently in use because it is the last committed one, IBM Tivoli Compliance Insight Manager loads the database using this policy. If not, specify the Load Now option and select or commit the policy.
When you load the database, ensure that it contains a sufficient amount of data. When you are new to Tivoli Compliance Insight Manager, use the sliding schedules option to get seven days of data. Run the Policy wizard again regularly or at significant times, for example end of the month, end of quarter, and end of year, if your security policy is supposed to monitor financial events. When satisfied with your set of policy rules, you can save the set of rules and import it into a new or existing policy. After you import the rules and commit the new or changed policy, Tivoli Compliance Insight Manager can apply it.

Opening the policy wizard


1. On the iView login page, click the box and select the server you want to view. If you can access only one server, the server entry is displayed without a box.
2. Enter your username and password, and click Login.
3. In the Database Overview pane of the Dashboard page, a number of GEM databases can be seen. If the GEM database you want to view is not already chosen, click the respective icon to select it. A green glow is displayed around the icon. You can select any database that contains loaded data.
4. On the navigation bar, click Policies to access the Policy Settings page and find the policy that Tivoli Compliance Insight Manager used to load this database. Click Policy wizard.
5. On the Policy Settings page, click Policy wizard.

Creating or changing policy rules


You can use the five-step Policy wizard to create or change policy rules. After you complete a step, click the right-facing green arrow below the page title to continue to the next step. You can also click the left green arrow to return to earlier steps if you want to review or change your work.

Step 1: Starting options


In this step, you can decide whether to change policy rules in an existing policy or create new policy rules.
1. Click either Start with current policy to add policy rules to the current policy or click Create new policy to begin creating new policy rules.
2. Click the right green arrow to continue to Step 2.

Step 2: Select a threshold


In this step, the Policy wizard automatically generates a set of proposed policy rules and checks them according to the threshold.
1. The Policy wizard creates potential policy rules for all events in the database.
2. The Policy wizard sorts these events in order, from most frequent to least frequent.
3. The Policy wizard checks a set of proposed policy rules, using the threshold. The higher you set the threshold, the more events the Policy wizard makes into rules. The 99% default threshold indicates that the Policy wizard checks rules for events that add up to 99% of the total number of database events. From another perspective, a 99% threshold indicates that the Policy wizard does not check the rules for 1% of the total number of database events, though it does make them. These events become exceptions that you collect and analyze when you run Tivoli Compliance Insight Manager.
   Note: Keep the threshold percentage high. If you change an existing policy, the Policy wizard also displays any rules that are already operative, and takes them into account when checking the proposed policy rules. The default threshold is 99%.
4. To change the threshold, do the following steps:
   a. Delete the number in Set Threshold Percentage To.
   b. Type another percentage (for example, 95).
   c. Click Apply.
5. When you click Apply, the Policy wizard checks the potential policy rules according to the new threshold. If you lowered your threshold, you have fewer policy rules and more policy exceptions, and vice versa.
6. Review the list of policy rules for events that occurred frequently enough to generate a rule, but that represent events you want to exclude. For example, the Policy wizard might create a policy rule if your data included a high number of login failures.
7. Clear the box in the Allow column for every rule that you want to remove.
8. Select the box in the Allow column for every rule that you want to include.
9. Click the right green arrow to continue to the next step.
Note: You can also remove rules in Step 3.

Step 3: Cover additional events


This page displays only the events that fall below the threshold you set in Step 2.
1. Click the box in the Allow column for each event that you want to include as a policy rule. For example, changes by administrators are infrequent, so they may not be displayed in the initial list of the Policy wizard rules in Step 2. They are legitimate activities, however, so you want to include a rule to allow them.
2. Click the right green arrow to continue to the next step.
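The threshold mechanism of Steps 2 and 3, as an added Python illustration that is not part of this guide or of the product: candidate rules are ranked from most to least frequent and proposed until they cover the threshold percentage of all events; the remaining events are listed separately so that individual rules can be removed from the proposal or added from the below-threshold list through the Allow column. The candidate rules and their event counts are constructed for the example.

```python
"""Added example: how a frequency threshold selects proposed policy rules.
Not TCIM code; the candidate rules and event counts are constructed."""
from collections import Counter

# Constructed: each event reduced to the W7 group combination a rule would
# cover (Who group, What group, OnWhat group), with how often it occurred.
SAMPLE_COUNTS = {
    ("Finance Department", "Logon/Logoff", "Financial Systems"): 700,
    ("Development Department", "Logon/Logoff", "Development Systems"): 250,
    ("Finance Department", "Read", "Financial Data"): 40,
    ("Administrators", "Account Management", "Directory"): 7,
    ("Unclassified", "Logon failure", "Financial Systems"): 3,
}
SAMPLE_EVENTS = [key for key, n in SAMPLE_COUNTS.items() for _ in range(n)]


def propose_rules(events, threshold_pct=99.0):
    """Step 2: one candidate rule per distinct combination, ranked from most
    to least frequent; rules are proposed until the events they cover reach
    threshold_pct of all events. Returns (proposed, below_threshold, coverage)."""
    counts = Counter(events)
    total = sum(counts.values())
    proposed, below, covered = [], [], 0
    for key, n in counts.most_common():
        if covered * 100 < threshold_pct * total:
            proposed.append((key, n))
            covered += n
        else:
            below.append((key, n))   # shown on the Step 3 page instead
    return proposed, below, covered / total


def finalize_rules(proposed, below, remove=(), add=()):
    """Steps 2 and 3: clear the Allow box for proposed rules you do not want
    (remove) and select it for below-threshold events you do want (add)."""
    kept = [key for key, _ in proposed if key not in remove]
    extra = [key for key, _ in below if key in add]
    return kept + extra


def exceptions_under(rules, events):
    """Events that no allowed rule covers become policy exceptions."""
    allowed = set(rules)
    return sum(1 for e in events if e not in allowed)
```

With the constructed counts, the default 99% threshold proposes three rules and leaves ten events (the administrator changes and the logon failures) as exceptions; lowering the threshold to 95% drops the third rule, so fewer rules and more exceptions result, as Step 5 describes. Adding the infrequent administrator rule in Step 3 leaves only the three logon failures as exceptions.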

Step 4: Result policy


In this step, you can review the new or changed policy.
1. Review the proposed rules one more time to ensure that they cover all the events that you want to allow and exclude the events that you do not want.
2. Click the left green arrow to return to earlier pages if you want to make changes.
3. When you finish viewing or changing the policy rule set, click the right green arrow to continue to the next step.

Step 5: Result export


In this step, you can click Export to save the new policy in a file. To use the new policy, import the file and commit the new policy, using commands in the Management Console. Steps for importing the file and committing the policy are displayed in the following section. To export when you are using Microsoft Internet Explorer, use the following steps:
1. Click Export to open the File Download window.
2. Click the Save file to disk option.
3. In the Save As dialog, navigate to c:/tcim/manconsole, and type a name for the policy rules file.
4. Click Save to begin downloading the policy rules as a file.
5. Close the Download Complete window. You have now downloaded your policy rule set.

Importing policy rules and committing a policy


After you create or change a policy rule set, use the following steps to import it:
1. Start the Management Console.
2. In the Navigate pane, click the Policies folder, and then click the Work folder.
3. Double-click the policy in the Work folder into which you want to import the policy rules you created.
   Note: If you want to import rules into an existing policy, delete the old policy rules before you import the new policy rules.
4. Click anywhere in the Policy Rules pane, and select Policy > Import Policy Rules from the menu.
5. Type the path and file name, or browse to the file where you saved the policy rules you created.
6. Click OK to import the .pcy file into the security policy.
To use the new or changed security policy as your current policy, use the following steps to commit it:
1. In the Navigate pane, select the policy you want to commit.
2. Select Policy > Commit. The new policy is displayed in the Committed folder. Tivoli Compliance Insight Manager uses this policy for auditing because the policy is the last committed policy.
If you want to compare an existing policy with a new one, you can duplicate the original policy before you import new policy rules. To duplicate a policy, use the following steps:
1. Select the policy that you want to duplicate.
2. Select Policy > Duplicate. The duplicated policy is now displayed in the Work folder.
Note: If you want to change policy rules in a committed policy, you must duplicate the policy into the Work folder before you can import the new policy rules and commit the updated policy.

Part 3. Managing the Tivoli Compliance Insight Manager system

Chapter 10. Tivoli Compliance Insight Manager systems administrator


The Tivoli Compliance Insight Manager end-user and the Tivoli Compliance Insight Manager systems administrator are often different people with different backgrounds and roles in the organization. Because Tivoli Compliance Insight Manager is a security compliance policy monitoring tool, it must be optimized for your environment and well maintained. A Tivoli Compliance Insight Manager systems administrator should ensure that the system runs smoothly and that any routine user or systems management tasks are performed. A Tivoli Compliance Insight Manager systems administrator should also be able to configure the system, including adding and removing event sources and configuring policies. The primary responsibilities and necessary skill set for the person tasked with administering the Tivoli Compliance Insight Manager system are listed below.

Primary responsibilities
The main responsibilities of a Tivoli Compliance Insight Manager systems administrator are listed below.
Install agents and actuators
• Work with other system administrators to install actuators and agents on target platforms. Provide the other administrators with the appropriate installation instructions and audit settings. Baseline audit settings are available for most supported platforms from IBM.
• Add event sources to Tivoli Compliance Insight Manager in the Management Console. Modify the event source properties, if needed, to customize the event source properties to your network environment.
• Set collect schedules for event sources.
Perform daily or weekly maintenance tasks, as outlined in the Tivoli Compliance Insight Manager Security Manager Operational Maintenance document
• Check collects
• Verify that the agents on the target machines are running and check whether any of the machines are collecting empty chunks (i.e. if auditing may have been turned off)
• Check loads in iView
• Check database status, contents and load date in the (iView) Dashboard
• In case of a GEM database failure, investigate the length of time since the last GEM database load (Note: For this, you will need some basic knowledge of the mainmapper so that you can read the mainmapper logs.)
• Confirm authorized users can access iView and the Management Console
Configure Tivoli Compliance Insight Manager
• Manage databases in the Management Console
• Add databases
• Add/remove event sources to a database
• Remove databases
• Set load schedules, as needed
• Perform manual loads, as needed
• Set mapping to take place at load-time or at collect-time
Manage users in the Management Console:
• Create users
• Assign roles/databases to users
• Configure email alerts
• Configure real-time alerts (RTA)
• Create the RTA database
• Create and modify alert rules
Develop policies and generate reports
• Manage policies in the Management Console
• Create and modify W7 groups
• Create and modify policy and special attention rules
• Test policies
• Commit policies, when needed
• Create custom reports in iView

Recommended skills
A Tivoli Compliance Insight Manager systems administrator should have the following information technology skills:
• Strong knowledge of Windows operating systems
• Knowledge of other operating systems, especially the operating systems of audited systems
• Working knowledge of security auditing

IBM Tivoli Compliance Insight Manager: User Guide

Chapter 11. Getting started with the Management Console


This section includes information about the following topics:
v Starting and stopping the Management Console
v Switching the Management Console users on page 44
v Opening and closing the Management Console windows on page 45
v Changing the appearance of the Management Console windows on page 47
v Customizing the Management Console toolbars on page 48
v Refreshing contents of the Management Console window on page 49
v Working with the Management Console commands on page 50
v Setting up iView from the Management Console on page 51
v Using the Management Console tools on page 52

Starting and stopping the Management Console


Begin and end Management Console work sessions by logging on and logging off. To get a Tivoli Compliance Insight Manager password (if one has not been created yet), contact the Tivoli Compliance Insight Manager administrator.

Use the following steps to start the Management Console and log on:
1. Select Start > Programs > IBM Tivoli Compliance Insight Manager, or double-click the Tivoli Compliance Insight Manager icon on the desktop.
2. In the Logon window, type a user name and password.
3. Click OK or press Enter. The Management Console window starts.

Note: The logon command has a timeout. If the server does not respond before the timeout expires, an error message is displayed. You can change the value of this timeout by selecting File > Options. For more information, see Refreshing contents of the Management Console window on page 49.

To stop the Management Console:
v In the Management Console window, select File > Exit (see Figure 11 on page 44).
v Alternatively, close the Management Console window.


Figure 11. Exiting the Management Console

The Management Console closes the window. For more information, see the following sections:
v Switching the Management Console users.
v Refreshing contents of the Management Console window on page 49.
v Changing passwords on page 86.

Switching the Management Console users


You can use the following steps to switch from one Tivoli Compliance Insight Manager user to another without closing the Management Console:
1. From the Management Console, select File > Logoff to close all its dependent windows.
2. Select File > Logon to open the Tivoli Compliance Insight Manager Logon window.
3. Type the user name and password, and click OK to log on as another user (see Figure 12 on page 45). The Management Console logs you on to the system.


Figure 12. Logging on as a different user

For more information, see the following sections:
v Starting and stopping the Management Console on page 43.
v Changing passwords on page 86.

Opening and closing the Management Console windows


When the Management Console opens, notice the Main toolbar navigation bar on the left of the window. The first three icons on the Main toolbar, which are Machine View, Event Source View, and Database View, provide an overview of the current system configuration from different points of view, in list or grid style. Only one of these views can be open at a time, and they show the combinations of systems, event sources, and GEM databases in the system.

The grid functions as a spreadsheet: click a cell to select it, then click it again or press F2 to edit it. Depending on the type of cell, a list, text box, or dialog is displayed. You can sort the view on a specific column by clicking the column header; clicking a second time reverses the sort order.

The following list contains information about the views:

Machine View
Shows all system groups and audited systems with their event sources and the GEM databases to which these event sources are attached. In the Audited Machine column, the following icons represent the types of available systems:



v Audited machine
v Audited system disconnected
v Remotely audited system
v Server system

Event Source View
Lists all event sources, their systems, and the GEM databases to which they are attached. This view shows which event sources are defined and which of them are, or are not, assigned to databases. In the Event Source column, the following icons represent the types of available event sources:
v Event source
v User information source

Database View
Lists all GEM databases and the systems and event sources linked to them. The following icons represent the states of the databases:
v Loaded GEM database
v Empty GEM database
v GEM database in error

Alert maintenance
Use this child window of the Management Console to create and maintain your alert settings, which include Protocol, Recipient, Severity, Severity-Delay support, and Rule IDs.

Policy Explorer
The fifth icon (a shield with the capital letter P) on the Main toolbar opens the Policy Explorer window. Double-click any policy in the Committed or Work folders to open the three-part policy window that displays details for that policy. The title of the policy window is the same as the name of the policy. As many policy windows as needed can be opened.

User Management
The sixth icon on the Main toolbar opens the User Management window. It displays all Tivoli Compliance Insight Manager users, their assigned roles, and all operational Tivoli Compliance Insight Manager databases (GEM and other event-related databases) to which the users have read access. Only one User Management window can be open at a time.

To close any window, use one of the standard Windows controls:
v Press [Ctrl+F4].
v Click X in the top right corner of that window.
v Open the window menu (press [Alt+-]) and select Close.

Note: In the User Management window, you can also click Close at the bottom of the window.

For more information, see the following sections:
v Changing the appearance of the Management Console windows.
v Customizing the Management Console toolbars on page 48.

Changing the appearance of the Management Console windows


You can use standard Windows commands to change the appearance and location of the Management Console and any of its child windows. For child windows within the Management Console, you can use the following commands on the Window menu to arrange the windows:

Tile Horizontally
Arranges all open windows as horizontal tiles from top to bottom.

Tile Vertically
Arranges all open windows as vertical tiles from top left to bottom right.

Cascade
Arranges all open windows in an overlapping cascade with all window titles visible.

Arrange Icons
Moves the title bars of all minimized windows to the bottom of the Management Console window.


For more information, see the following sections:
v Opening and closing the Management Console windows on page 45.
v Customizing the Management Console toolbars.
v Refreshing contents of the Management Console window on page 49.
v Working with the Management Console commands on page 50.

Customizing the Management Console toolbars


You can use commands on the View menu to hide or show the Management Console toolbars and status bar, and you can hide or show specific panes in the policy window. Select View > Toolbars, and pick the toolbars to be displayed (see Figure 13).

Figure 13. View menu for toolbars

Creating your own toolbar


You can use the following steps to make your own toolbar:
1. Select View > Toolbars > Customize.
2. Create a new toolbar by clicking New and entering a name for it in the New Toolbar window. The new toolbar is displayed in the Management Console window immediately after you enter the name.
3. In the Customize dialog, select the Commands tab.
4. On that tab, select commands in the respective categories and drag and drop them to the newly created toolbar.
5. Click Close to confirm the modifications.

In the same way, custom toolbars for the Machine View, Event Source View, or Database View window can be created by selecting View > Toolbars > System Audit > Customize.



Toolbars can be enabled or disabled for the Management Console parent or child window by control-clicking a toolbar to open its context menu (see Figure 14).

Figure 14. Context menu of the Management Console toolbars

For more information, see Changing the appearance of the Management Console windows on page 47.

Refreshing contents of the Management Console window


You can refresh the information in the Management Console at any time. The interval at which the Management Console automatically refreshes its contents can also be reduced or increased. If several people use the Management Console concurrently, refreshing ensures that you see the most up-to-date information.

To refresh information in the Management Console, do one of the following actions:
v Select View > Refresh.
v Press the [F5] key.
v Click Refresh.

In the status bar, the Loading data from Server message is displayed, followed by the Redrawing View message. If the operation was successful, the status bar then displays Ready.

Changing the automatic refresh interval


To change the automatic refresh interval, use the following steps:
1. Select File > Options.
2. In the first box, type the whole number of minutes between automatic updates of the Management Console contents. The default setting is 15 minutes.
3. Optionally, select Threshold Load Schedule Frequency if data is to be collected and loaded every minute or every two minutes.
4. Click OK to save the settings.

Changing the login timeout


To change the login timeout, use the following steps:
1. Select File > Options.
2. In the Preferences section, type a number between 1 and 999 for the login timeout in seconds. The default setting is 180 seconds.
3. Click OK to save the settings.

Attention: Selecting the Threshold Load Schedule Frequency check box and scheduling data loading at intervals of less than 15 minutes puts unnecessary stress on your network and server.

For more information, see Opening and closing the Management Console windows on page 45.

Working with the Management Console commands


You can work with Tivoli Compliance Insight Manager objects, such as systems, databases, or event sources, by using the Management Console menus as well as toolbar buttons. To enable the commands and toolbar buttons for a Tivoli Compliance Insight Manager object, click the object in the Management Console. For example, if you want to load a GEM database, select a database that has event sources attached; Tivoli Compliance Insight Manager then enables the Load command. Commands and toolbar buttons that do not apply to the selected object are disabled (unavailable).

You can start commands using any of the following methods:
v Select an object by clicking it, open the required menu, and click the command.
v Click an object, and then click a control on the toolbar.
v Open the context menu for the object (see Figure 15 on page 51) by right-clicking it, or by pressing the context menu key if your keyboard has one, and then select the required command. For example, right-clicking a database displays database-specific commands, and right-clicking a system displays system-specific commands.


Figure 15. Context menu of GEM database

For more information, see the following sections:
v Opening and closing the Management Console windows on page 45.
v Changing the appearance of the Management Console windows on page 47.
v Customizing the Management Console toolbars on page 48.
v Refreshing contents of the Management Console window on page 49.

Setting up iView from the Management Console


This section includes information about the following topics:
v Displaying audit data in iView
v Defining an iView URL on page 52
v Accessing iView from the Management Console on page 52

Displaying audit data in iView


iView enables audit data that was loaded into GEM databases to be viewed and analyzed. The data can be viewed in summary form, or you can click links in iView pages to view details about specific events. Summaries or details can be viewed for all audit data, or for subsets of data, such as policy exceptions or login and access failures. In addition to viewing data, the iView Policy wizard and Grouping wizard can be used to create policy rules and groups quickly. For complete information about working with iView, see Part 4, Viewing data and reporting, on page 143.

The following functions are related to iView and are accessible from the Management Console:
v Defining an iView URL
v Accessing iView from the Management Console


Defining an iView URL


To access iView from the Management Console, first specify the iView URL. Audit data in iView can then be viewed by shift-clicking loaded databases. Loaded databases are displayed in green in the Management Console.

To define an iView URL, use the following steps:
1. In the main menu bar, select Tools > Define iView Browser URL.
2. In the Define URL window, enter a URL in the Enter URL text field. Enter http://tcim_host_name/iview/, where tcim_host_name is the host name of the system where the Tivoli Compliance Insight Manager server is installed.
3. Click OK when you are finished.

Accessing iView from the Management Console


If a Web browser such as Microsoft Internet Explorer or Netscape Navigator is installed on the system where the Management Console is used, you can use iView to see audit data in any loaded GEM database.

To see audit data in iView, use the following steps:
1. Ensure that a browser URL was defined for iView. If it was not defined, you are prompted to define it.
2. Shift-click (hold down the [Shift] key and click the mouse) any GEM database that contains successfully loaded data. Databases that contain loaded data are displayed in green. A window of the default browser of your workstation opens, and the iView Logon window is displayed.
3. Type your iView user name and password. After a successful logon, iView displays the data of the GEM database that was clicked.

For more information about working with iView reports, see Part 4, Viewing data and reporting, on page 143.

Using the Management Console tools


From the Management Console, you can access tools that you can use to do the following tasks:
v Set an export schedule for audit data.
v Import audit data that was previously exported.

Setting a data export schedule


You can set up a schedule to export audit data. Exporting the data to files enables old audit material from GEM databases to be archived, clearing space for incoming audit data.

To schedule exporting of audit data, use the following steps:
1. Select Tools > Set Export Schedule. The Export Schedule window opens.
2. In the Export data older than box, type the age in whole days after which data is to be exported. For example, to archive data older than a week, type 7; to archive data older than a month, type 30.
3. Click Set Schedule to set a time and day for exporting audit data.
4. In the Set Export Schedule window, provide a recurrence pattern for the export. You can set a weekly, monthly, or annual schedule, or set no schedule at all. Click OK when the schedule is set; the corresponding value is displayed in the Export schedule box of the Export Schedule window (see Figure 16).

Figure 16. Setting the Export schedule

5. In the Export path box, type the path and file where audit data is to be stored. The path is relative to the run folder of the Server, and can include up to 76 characters. For example, if the default path, \export, is used, the Server saves audit data in the TCIM_dir\server\export\ directory, using the export date as the name of the subfolder. TCIM_dir is the folder that was entered when the Server was installed.
6. Click OK when finished.

Tivoli Compliance Insight Manager exports audit data according to the set schedule and stores it in the specified location. The exported data can be reimported if historical data is to be reviewed or a trend checked over a period of time. For more information, see Importing audit data.

Importing audit data


Audit data that was previously exported can be reimported. This might be necessary for further analysis of an issue to support a formal audit process, or if a long-term problem must be traced back to its origin.

To import audit data, do the following steps (see Figure 17 on page 54):
1. Select Tools > Import Log Data.
2. In the Import Log Data window, type your Tivoli Compliance Insight Manager user name and password.
3. In the Path field, type the path to the exported data files.

Figure 17. Importing log data

4. Click OK when you are ready to begin importing the audit data. Tivoli Compliance Insight Manager imports the specified audit data folder.

Note: Exported Server audit data resides in a folder called logs. The path specified in the Path field should point to the location of that \logs folder, that is, to its parent folder rather than to \logs itself. For example, to import audit data from the folder c:\data\logs on a system named Source, where the c:\data folder is shared on the network, enter \\Source\data.
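The export procedure above places each export in a date-named subfolder of TCIM_dir\server\export, and the import procedure requires a path that points at the parent of a \logs folder. The following Python script, added here as an example and not code from the IBM product or from this guide, inventories a tree of such exports before re-import: for each export it reports the age in days and whether a logs folder is present (that is, whether the path is usable in the Import Log Data window), and it records a SHA-256 manifest of the archived files so that an archive can be checked for tampering before it is imported to support a formal audit. It assumes that the export folders are named with the date as YYYY-MM-DD, which the guide does not state, and it builds a constructed sample tree in a temporary directory so it runs offline.

```python
r"""Inventory and integrity check for exported Tivoli Compliance Insight Manager audit data.

Added example, not code from IBM or from this guide. Assumptions that the
guide does not state: export folders live under TCIM_dir\server\export and
are named with the export date as YYYY-MM-DD; an importable export has a
"logs" subfolder (the guide only says the import path must point at the
location of a \logs folder). The sample tree is constructed in a temporary
directory so the script runs offline.
"""
import hashlib
import tempfile
from datetime import date, datetime
from pathlib import Path

SHA256_BLOCK = 1 << 16
SAMPLE_TODAY = date(2008, 3, 10)  # constructed "today" for the sample run


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 so large audit chunks are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(SHA256_BLOCK), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory_exports(export_root, today: date) -> list:
    """Describe every dated export folder directly under export_root.

    Each entry records the folder's age in days (from its YYYY-MM-DD name,
    an assumption), whether it is importable (has a logs/ subfolder), the
    path to type in the Import Log Data Path field, and a SHA-256 manifest
    of every file under logs/ so the archive can be checked for tampering
    before it is re-imported.
    """
    results = []
    for entry in sorted(Path(export_root).iterdir()):
        if not entry.is_dir():
            continue
        try:
            exported = datetime.strptime(entry.name, "%Y-%m-%d").date()
        except ValueError:
            continue  # not a dated export folder; skip it
        logs_dir = entry / "logs"
        importable = logs_dir.is_dir()
        manifest = {}
        if importable:
            for f in sorted(p for p in logs_dir.rglob("*") if p.is_file()):
                manifest[f.relative_to(logs_dir).as_posix()] = sha256_of_file(f)
        results.append({
            "name": entry.name,
            "age_days": (today - exported).days,
            "importable": importable,
            "import_path": str(entry),
            "manifest": manifest,
        })
    return results


def verify_manifest(export_dir, manifest: dict) -> list:
    """Return the files under export_dir/logs that are missing or whose hash no longer matches."""
    logs_dir = Path(export_dir) / "logs"
    return [
        rel for rel, digest in manifest.items()
        if not (logs_dir / rel).is_file() or sha256_of_file(logs_dir / rel) != digest
    ]


def build_sample_export_root() -> Path:
    """Construct a throwaway tree shaped like TCIM_dir\\server\\export (sample data, not real audit logs)."""
    root = Path(tempfile.mkdtemp(prefix="tcim-export-"))
    chunks = root / "2008-03-01" / "logs" / "chunks"
    chunks.mkdir(parents=True)
    (chunks / "chunk-0001.log").write_bytes(b"constructed audit chunk\n")
    (root / "2008-03-08").mkdir()            # exported, but no logs/ folder: not importable
    (root / "notes.txt").write_text("not an export folder")
    return root


def demo() -> list:
    """Run the inventory over the constructed tree and print a one-line summary per export."""
    root = build_sample_export_root()
    inventory = inventory_exports(root, SAMPLE_TODAY)
    for item in inventory:
        print(f"{item['name']}: {item['age_days']} days old, "
              f"importable={item['importable']}, files hashed={len(item['manifest'])}")
    return inventory


if __name__ == "__main__":
    demo()
```

Run the script against the real export root instead of the constructed one by calling inventory_exports(r"C:\TCIM_dir\server\export", date.today()); keep the resulting manifest somewhere the Server cannot write to, and run verify_manifest on an archive before typing its import_path into the Import Log Data window.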


Chapter 12. Working with system groups, individual systems, and event sources
This section includes information about the following topics:
v Working with groups of systems
v Working with individual systems on page 57
v Working with event sources and user information sources on page 61

Working with groups of systems


This section includes information about creating, renaming, and deleting system groups.

Creating system groups


System groups can be created to organize audited systems. For example, systems can be grouped by operating system, by department, or by floor in a large building. System groups can be named using operating system names, department names, or any other naming convention.

To create a system group:
1. Open the Machine View window.
2. Select one of the existing groups.
3. Select System > Create Machine Group. The Create Machine Group window is displayed (see Figure 18).

Figure 18. Creating a Machine Group dialog

4. In the New group name field, type a name for the group.
5. Click OK to confirm the action.

Note: You can also open the Create Machine Group window by clicking Create Machine Group on the System/Audit toolbar of the Machine View window.

For more information, see Renaming system groups.

Renaming system groups


A system group can be renamed at any time. For example, if you are using department names for system groups, groups might be renamed after a company reorganization.

To rename a system group, do the following steps:
1. In either the Machine View or the Event Source View window, select Rename Machine Group from the System menu.
2. Type a new name in the field (see Figure 19).

Figure 19. Renaming a Machine Group dialog

3. Click OK when all system groups to be changed have been renamed. The renamed system group is displayed in the list in its original location; in subsequent Tivoli Compliance Insight Manager work sessions, it is displayed in alphabetical order.

Notes:
1. The first group that is created during installation of the Server cannot be renamed.
2. The Rename Machine Group window can also be opened from the context menu of the machine group item in the Machine View or Event Source View window (see Figure 20).

Figure 20. Selecting an option to rename a system group

For more information, see the following sections: v Creating system groups on page 55. v Deleting system groups. v Moving systems to other system groups on page 58.

Deleting system groups


To delete a system group, you must first empty the group: move all of its systems to other groups, or delete them. When the system group is empty, select the group in the Machine View window and then do one of the following:
v Open the Edit menu and select Delete.
v Right-click the system group to be deleted, and select Delete from the context menu.
v Click Delete on the EditExtensions toolbar.
v Press the [Delete] key on the keyboard.

Tivoli Compliance Insight Manager removes the system group.

Note: The first group that is created during installation of the Server cannot be deleted.

For more information, see the following sections:
v Creating system groups on page 55.
v Renaming system groups on page 55.

Working with individual systems


You can add new systems to a group, move systems to other groups, delete a system from a group, or reattach it. Furthermore, you can track down a problem that is occurring on a specific system.

Adding new systems


You can add a system so that Tivoli Compliance Insight Manager can collect audit data from it. When a system is added, Tivoli Compliance Insight Manager starts the Add Event Source wizard to add an event source for auditing the operating system. Event sources can also be added to the same system to audit activity on application platforms, such as SAP.

Use the following steps to add a system:
1. Open one of the following windows: the Machine View, the Event Source View, or the Database View.
2. Open the Add Machine wizard in one of the following ways:
v Select the System menu and select Add Machine.
v Click Add Machine on the System/Audit toolbar of the respective window.
v Right-click a system item, select Add from the context menu, and click Machine.
v In the Machine View or Event Source View window, double-click a system group, or right-click it and select Add Machine from the context menu.
3. Follow the instructions provided with the Add Machine wizard to add a new system.
4. When the Add Machine wizard completes, the Add Event Source wizard is run for each event source that was selected in the Add Machine wizard. Follow the instructions on the pages of the Add Event Source wizard.

After the Add Machine wizard completes successfully, Tivoli Compliance Insight Manager can collect events from the system once the following steps are completed:
1. Install the Actuator on the target system if the remote collect or remote installation functions could not be used (that is, only if manual installation was selected when installing using a point of presence approach). For more information, see the Installation section for the operating system in the IBM Tivoli Compliance Insight Manager: Installation Guide.
2. Set up auditing on the target system. For more information, see the information about configuring auditing for the platform in the IBM Tivoli Compliance Insight Manager: Installation Guide. Alternatively, audit profiles can be used (if supported for the type of event source) to set the auditing options of the target system.


Moving systems to other system groups


A system can be moved from one system group to another at any time. For example, if systems are organized in system groups by department, and an employee moves to another department, that employee's system can be moved to the new department's group.

To move a system to another system group, do the following steps:
1. Ensure that the system is selected in the Machine View or Event Source View window.
2. Open the Properties of Machine window (see Figure 21) for the system in one of the following ways:
v Open the System menu and select Properties.
v Click Properties on the EditExtensions toolbar.
v Right-click the system and select Properties from the context menu.

Figure 21. Changing the group for a system

3. On the General tab, select a new value from Group and click OK.

Alternatively, from the Machine View (see Figure 22 on page 59) or Event Source View window, do the following steps:
1. For the system that is to be moved, click its system group cell to select it.
2. Click the system group cell again to open the system group list.
Note: Do not double-click, because this action can start the Add Machine wizard.


Figure 22. List of available Machine Groups

3. Select another system group from the group list. The system is displayed in the specified system group (in the Machine View and Event Source View only).

Deleting systems
Before deleting a system, you must do the following steps:
1. Remove the system from any GEM databases to which it is attached.
2. Turn off auditing on the system; for information about turning off auditing, see the information about setting up auditing for the system platform in the IBM Tivoli Compliance Insight Manager: Installation Guide. If audit profiles are supported for the system's event sources, you can use the Clean audit profile instead.

To delete a system, use the following steps:
1. In either the Machine View or the Event Source View window, ensure that the system cell is selected in the grid, and do one of the following:
v Open the Edit menu and select Delete.
v Click Delete on the EditExtensions toolbar.
v Press the [Delete] key on the keyboard.
v Right-click the system to open its context menu, and select Delete.
2. If you are deleting a system that has an event source for which data has already been collected, the Remove Machine window is displayed (see Figure 23):

Figure 23. Removing a system that has audit data collected

v Select Keep Active Event Source(s) to keep the data collected from that system in the log depot, and click OK, or
v Select Remove Machine Completely to delete the data along with the system, and click OK.



3. If you chose to delete the collected data, a confirmation message is displayed. Click Yes to confirm that you want to delete the system data.

If the system is deleted but its data is kept, Tivoli Compliance Insight Manager displays the system as unavailable. If both the system and its data are deleted, or if no data had been collected for the system, Tivoli Compliance Insight Manager deletes both the system icon and all event sources that used this system.

Notes:
1. This deletion also includes all event sources that use this system as a point of presence.
2. The system on which the Server was installed cannot be deleted. To highlight its special status, it has a blue icon rather than a green one.
3. The system on which the Management Console is running cannot be deleted. Delete is disabled for such systems.

Reattaching a system
A system that was previously deleted, with its collected data kept, can be reattached. Systems that can be reattached are displayed as unavailable in the Machine View and Event Source View windows.

To reattach a previously deleted system, do the following steps:
1. In the Machine View or Event Source View window, right-click the system to be reattached.
2. Click Properties on the menu that is displayed.
3. Note the system's port and IP address, and click OK to close the Properties dialog (see Figure 24).

Figure 24. Properties of a deleted system

4. Right-click the system again, and click Reattach Machine in the menu that is displayed.
5. In the Reattach Machine dialog, type the port number and IP address of the system (see Figure 25 on page 61).


Figure 25. Reattaching a previously deleted system

6. Click OK to reattach the system. Tivoli Compliance Insight Manager displays the system icon in green to indicate that it is attached to a server and can be used to collect audit data.

Identifying systems for troubleshooting


The log files generated by the Actuator during data collection identify systems by an ID number. To track down a problem on a specific system, you can match the system ID number with the actual system.

To match a system ID to a system name, do the following steps:
1. From the Machine View, Event Source View, or Database View window, select Tools > Machine Properties by ID.
2. In the Get Machine Properties by ID dialog, enter the system ID from the log file in the Agent ID field and click OK. The Properties dialog opens, displaying information about the system that matches the entered ID.
3. Click OK to close the Properties dialog.

Working with event sources and user information sources


You can add event sources to systems, rename event sources, or delete them.

Adding event sources to systems


When a system is added in the Management Console, Tivoli Compliance Insight Manager starts the Add Event Source wizard to collect the system's operating system events. Data can be collected from other application platforms on the same system by adding an event source for each application platform.

To add an event source to a system, do the following steps:
1. In the Machine View window, ensure that the destination system is available.
2. In the Machine View, Event Source View, or Database View window, start the Add Event Source wizard (Figure 26 on page 62) in one of the following ways:
v In the main menu, select System > Add Event Source.
v Click Add Event Source on the System/Audit toolbar of the respective window.
v Right-click any system to open the context menu, select Add, and click Event Source.


Figure 26. Starting the Add Event Source command

3. The Add Event Source wizard starts. Follow the instructions on the pages of the wizard to add an event source for the destination system.

After the wizard completes, Tivoli Compliance Insight Manager adds the event source to the system. The name of the event source, its properties, and its schedule can be changed in the Event Source Properties dialog (Figure 27). Tivoli Compliance Insight Manager can collect events from this event source after auditing is enabled on the audited system. If the selected event source supports audit profiles, the Add Event Source wizard prompts you to indicate which audit profile to use (Figure 28 on page 63).

Figure 27. Changing the properties of an event source


Figure 28. Choosing an audit policy profile

Applying the audit profile configures the auditing that this event source requires on the audited system. To apply it, you must specify administrator credentials for that system. For more information about setting up auditing for a specific platform, see the IBM Tivoli Compliance Insight Manager: Installation Guide.

Renaming event sources


An event source can be renamed at any time. To rename an event source, do the following steps:
1. In the Machine View, Event Source View, or Database View window, click the event source to be renamed.
2. Click the event source again, or press [F2], to make the cell editable, and enter the new name. Alternatively, double-click the event source and change its name in the Properties dialog.

Tivoli Compliance Insight Manager displays the renamed event source.

Deleting event sources


To remove an event source, do the following steps:
1. In the Machine View, Event Source View, or Database View window, start the Delete Event Source wizard in one of the following ways:
   • Right-click the event source to be removed and select Delete from the context menu.
   • With the event source selected, open the Edit menu and click Delete.
   • Click Delete on the Edit Extensions toolbar.
   • Press the [Delete] key on the keyboard.
   • Click Delete Event Source on the context toolbar.
   • Click the Delete Event Source item in the System main menu ([Ctrl-0] accelerator key).



2. The Delete Event Source wizard starts. Follow the instructions on the pages of the wizard to delete the intended event source.
   a. On the welcome page of the wizard, click Next. The Select Event Source page allows multiple selections; [Ctrl]-click in the Name list to add items to the selection (Figure 29).

Figure 29. Choosing an event source

   b. On the Choose Type of Removal page, decide which type of removal to select. To apply the same choice to several event sources, select Make Option Valid for Each Selected Event Source (Figure 30 on page 65); leave it clear to get a separate Choose Type of Removal page for each selected event source.

Figure 30. Choosing the type of removal

   c. On the Delete Process Summary page, review the details of the intended operation and click Next to proceed or Back to return to the previous pages of the wizard.
   d. On the final page of the wizard, click Finish to start deleting. Tivoli Compliance Insight Manager deletes the selected event sources from the system.
Notes:
1. If a system is removed, both the system and all event sources of that system are removed.
2. If an event source is removed, Tivoli Compliance Insight Manager removes only that event source and leaves the system and any other event sources associated with the system in the database.
3. When the last event source is removed from a GEM database, the load schedule of that database is set to Never.

Adding user information sources to systems


Existing user groups can be used by the Tivoli Compliance Insight Manager mapping and loading process if the groups were created on any of the following platforms:
• AIX
• HP-UX
• Microsoft Windows
• Novell NetWare
• OS/400
• Solaris
• Tandem
• z/OS

A user information source duplicates the existing operating system groups and stores them in Tivoli Compliance Insight Manager format. Tivoli Compliance Insight Manager uses these duplicates as group definitions, so that Who group definitions do not have to be created in Tivoli Compliance Insight Manager for these platforms. When loading data into a GEM database, Tivoli Compliance Insight Manager uses the group definitions from the user information source in addition to the groups defined in the policy. User information from a user information source is applied to all event sources from the same operating system. To add a user information source to a system, do the following steps:
1. In the Machine View, Event Source View, or Database View window, start the Add User Information Source wizard in one of the following ways:
   • Select System → Add User Information Source.
   • Click Add User Information on the System/Audit toolbar.
   • Right-click any system to open its context menu, select Add, and click User Information Source.
   A wizard starts that guides you through the process.
2. Click Next on the welcome page.
3. On the Choose a Machine page, select the system from which to collect the user information. Click Next.
4. On the Choose a User Information Source page, select the type of user information to be collected. Click Next.
5. On the Define User Information Source Properties page, edit the domain or server name, review the other properties, and edit them if necessary. Click Next.
6. On the Choose a Collect Schedule page (Figure 31), select a collect schedule. Click Next.

Figure 31. Choosing a recurrence pattern for a user information source



7. On the final page, review the summary of the user information source to be added. To change its properties, click Back to return to the previous pages, or click Finish to complete the wizard. Tivoli Compliance Insight Manager adds the user information source to the system.
Note: To see whether a database used groups from a user information source rather than the groups from your security policy, right-click the loaded database and click View Policy Used on the menu that is displayed.

Renaming user information sources


A user information source can be renamed at any time. To rename a user information source, do the following steps:
1. In the Machine View, Database View, or Event Source View window, click the user information source to be renamed to select it.
2. Click it again to make the cell editable, or press [F2].
3. Type a new name for the user information source.
Alternatively, a user information source can be renamed from the User Information Source Properties dialog. To open the dialog for the selected user information source, do any of the following:
• Select the System menu and select Properties.
• Click Properties on the Edit Extensions toolbar.
• Select Properties from the context menu of the user information source (Figure 32).
Tivoli Compliance Insight Manager displays the renamed user information source.

Figure 32. Renaming a user information source


Deleting user information sources


You can delete a user information source from a system at any time. Tivoli Compliance Insight Manager then reverts to the policy rules, including the Who groups, of the most recently committed policy when marking data for analysis. To remove a user information source, do the following steps:
1. Ensure that the user information source is selected in the Machine View or Event Source View window.
2. Do one of the following:
   • Select the Edit menu and select Delete.
   • Click Delete on the Edit Extensions toolbar.
   • Press the [Delete] key on the keyboard.
   • Right-click the user information source to be deleted to open its context menu, and click Delete.
Tivoli Compliance Insight Manager removes the selected user information source from the system.


Chapter 13. Audit maintenance


You can use the Management Console to schedule loading of event source data into General Event Model (GEM) databases. After the data is loaded, either manually or according to a schedule, you can see the data in iView. This section contains the following topics:
• Working with GEM databases
• Attaching event sources to databases on page 71
• Creating and maintaining data collection and load schedules on page 72
• Working with database, system, and event source properties on page 77
Note: Adding a system to the Server or to a system group is not the same as adding an event source to a database. A system is added to the Server or to a system group to establish the connection between the Server and each system whose activity is to be audited. An event source is added to a database so that audit data from that event source is stored in that database.

Working with GEM databases


You can add or delete GEM databases.

Adding GEM databases


A General Event Model (GEM) database is a database into which Tivoli Compliance Insight Manager loads the audit data collected by each Actuator. During loading, each event is divided into seven parts, one for each of the seven W7 categories of the auditing model. Tivoli Compliance Insight Manager divides all events into the same seven categories regardless of the platform that produced the event, so audit data is normalized across platforms and trends can be viewed and compared throughout your company. By default, five GEM databases are created during installation. If additional room is needed to store and normalize audit data, you can add databases at any time. Tivoli Compliance Insight Manager supports at most 32 databases; if you attempt to exceed this number, a warning message prompts you to reduce the total number of databases. To add a GEM database, do the following steps:
1. In the Management Console, open the Machine View, Event Source View, or Database View window.
2. Open the Database menu and click Add GEM Database. The Add GEM Database window is displayed (Figure 33).
3. In the Name box, type a database name of up to 14 characters.
4. In the Size box, type a starting size for the database, in MB. The minimum database size is 10 MB; databases typically range from 75 MB to 300 MB and grow as needed when the data exceeds the set size.

Figure 33. Adding a new GEM database

5. Click OK. The message Creating new GEM database is displayed in the status line.
Note: The database path field cannot be edited. The path is displayed so that you know where the database file is located.
The newly created GEM database is greyed out in the list of databases (Database View window only). Before you can load audit data into the new GEM database, you must attach an event source to it. For more information about attaching event sources, see Attaching event sources to databases on page 71. When a new GEM database is created, the time of its last scheduled load is set to the time when the GEM database was created, so only event data collected after that time can be loaded into the database by a scheduled load. For more information on scheduled loads, see Creating data loading schedules on page 74. To load historical data (event data that predates the GEM database), load it manually. For more information on manual loads, see Manually loading data into GEM databases on page 76.

Deleting GEM databases


GEM databases that are no longer needed can be deleted. For example, you might prefer to have a smaller number of GEM databases, each of which holds more data, or it might be necessary to move data around and delete databases after a company reorganization so that the data in each database aligns with the departments or divisions in the organization. Deleting a GEM database also clears all of its data and detaches any event sources attached to it. To delete a GEM database, do the following steps:
1. In the Database View window, right-click the GEM database to be deleted and select Delete from the context menu. The Delete GEM database wizard opens.
2. Follow the instructions on the pages of the wizard to remove the intended GEM database.
Notes:
1. Other ways to open the Delete GEM database wizard for a selected database include any of the following methods:
   • Select the Edit menu of the Management Console and click Delete.
   • Click Delete on the Edit Extensions toolbar.
   • Press the [Delete] key on the keyboard.
2. Databases that are loading cannot be deleted, and are excluded from the wizard database list.

Attaching event sources to databases


You can add event sources to a database, move them to another database, or remove them.

Adding event sources to a database


When you add an event source to a GEM database, Tivoli Compliance Insight Manager loads the data collected from that event source into the database. During the load, each audit event is separated into seven parts, one for each of the seven auditing categories. After Tivoli Compliance Insight Manager has categorized each audit event, the data can be viewed and worked with in iView. To add an event source to a database (Figure 34), do the following steps:
1. In the Machine View or Event Source View window, click the Database cell of the event source that is to be added to a GEM database, to select it.
2. Click the Database cell again. A list of available GEM databases is displayed.
3. Select the database from the Database list box.

Figure 34. Adding an event source to a database

Note: An event source can be moved to another GEM database at any time. For example, before deleting a database you can move its event sources to another database so that their audit data continues to be loaded, or you can move an event source out of a database to reduce the amount of data in that database.

Removing event sources from databases


When an event source is detached from a database, Tivoli Compliance Insight Manager stops loading data from that event source into the database. Detaching the event source from a database does not delete it: the event source is still displayed in the Event Source View window and can be attached to the same database again, or to another database. Detaching affects loading only. If an event source is detached from a database and you do not plan to attach it to another database, disable auditing on the target system so that it does not keep producing audit data that is never loaded. For information about stopping auditing on the system, see the IBM Tivoli Compliance Insight Manager: Installation Guide.

To detach an event source from a database, in the Machine View, Event Source View, or Database View window, do either of the following steps:
• Right-click the event source to be detached and select Remove from the context menu.
• For the selected event source, select the Database cell, click it twice (do not double-click), and select None from the list.

Moving an event source to another database


An event source can be moved to another GEM database at any time. To move a specific event source to another GEM database, do the following steps:
1. In the Machine View or Event Source View window, click the Database cell of the event source to be moved, to select it.
2. Click it again or press [F2] to open a list box (Figure 35).

Figure 35. Moving an event source to another database

3. In the Database list box, select the new database. Tivoli Compliance Insight Manager displays the moved event source under the new database.

Creating and maintaining data collection and load schedules


You can create data collection schedules or data loading schedules, or you can set a sliding load schedule. Data can be manually loaded into a database, and GEM databases can be cleared.

Creating data collection schedules


Each Actuator collects audit data at times and on days that are specified in a collect schedule. A collect schedule can be set for databases, event sources, or policy sources.

Notes:
1. If conflicting collect schedules are created (for example, different schedules are defined for a database and for its event sources), Tivoli Compliance Insight Manager collects data according to the event source schedule.
2. If the database is populated with event sources, it is also available in the Machine View and the Event Source View windows.
3. If the Hourly frequency option is selected when a collect schedule is created, Tivoli Compliance Insight Manager collects data from the database or event source at the interval (1 or more hours) that was set, with the first collection at the hour and minute set in the collect schedule. Collection repeats until 11:59 p.m. each day and does not wrap into the next day. For example, a schedule that collects data every hour starting at 1:00 a.m. collects 23 times each day; a schedule that collects every hour starting at 1:00 p.m. collects 11 times each day; a schedule that collects every 2 hours starting at 1:00 p.m. collects six times each day. Ensure that the collection interval and start time match your requirements for audit data.

Creating a collect schedule for a database


To create a collect schedule for a database, do the following steps:
1. In the Database View window, right-click the database for which a collect schedule is to be set and click Set Schedules on the menu that is displayed.
2. Click Collect to open the Set Collect Schedule window.
3. Depending on the selected recurrence pattern, different options are displayed so that you can tailor the collect schedule. For example, you can select different minute intervals if the Frequently recurrence pattern was selected, or the hour and minute of collection if the Daily recurrence pattern was selected.
   Note: If Never is selected, data for this database is not collected.
4. Click or fill in any additional schedule options.
5. Click OK to close the Set Collect Schedule dialog.
6. Click OK again to apply the schedule. Tivoli Compliance Insight Manager collects data for all event sources that were added to the database, using the set schedule.

Creating a collect schedule for an event source or remote event source


By default, Tivoli Compliance Insight Manager collects event source or remote event source data using the database collect schedule. A separate collect schedule for an individual event, remote event, or policy source can be set as follows:
1. In the Machine View, Event Source View, or Database View window, right-click the event source, remote event source, or policy source for which a collect schedule is to be created.
2. Click Properties on the menu that is displayed.
3. Click the Schedule tab.
4. Click Use Schedule, and click Change.
5. Depending on the recurrence pattern selected, different options are displayed so that the collect schedule can be tailored. For example, different minute intervals can be selected if the Frequently recurrence pattern was selected; the hour and minute of collection can be selected if the Daily recurrence pattern was selected.
   Note: If Never is selected, Tivoli Compliance Insight Manager does not collect data from this source.
6. Click or fill in any additional schedule options.
7. Click OK to close the Set Collect Schedule window.
8. Click OK again to apply the schedule. Tivoli Compliance Insight Manager collects event, remote event, or policy source data using the set schedule.

Creating data loading schedules


A load schedule tells Tivoli Compliance Insight Manager when to load audit data from each system, event source, or remote event source into its assigned GEM database. Ensure that the data loading interval and start time are set so that all the collected audit data is used. Follow these tips:
• In general, set the load interval as long as or longer than the collect interval. For example, data may be collected hourly and loaded twice a day; it is unlikely that you would want to collect data twice a day and load it hourly.
• Set the load time about 15 minutes after each scheduled collection time. This delay ensures that Tivoli Compliance Insight Manager loads the most recently collected data into the database.
• If Daily is selected as the load frequency, data can be loaded on a sliding schedule that enables analysis of the most recent seven days of data.
• If Hourly is selected as the load frequency, Tivoli Compliance Insight Manager loads collected data into the database at the interval (1 to 12 hours) that was set. Loading starts at the specified hour and minute and repeats until 11:59 p.m. each day. For example, a schedule that loads data every hour starting at 1:00 a.m. loads 23 times each day; a schedule that loads every hour starting at 1:00 p.m. loads 11 times each day; a schedule that loads every two hours starting at 1:00 p.m. loads six times each day.
• Data can be loaded manually if necessary before a scheduled loading time.
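The Hourly-schedule arithmetic described above for collection and loading (first run at the set hour and minute, then every interval until 11:59 p.m., never wrapping into the next day) and the two tips on load interval and the 15-minute delay can be checked before the schedules are entered in the Management Console. The following Python script is an added example, not code from the product or from this guide: it enumerates the daily run times of an Hourly collect schedule and an Hourly load schedule, and flags a load interval shorter than the collect interval and any load run that would fire less than 15 minutes after a collection. The HourlySchedule class, the function names, and the 15-minute constant are assumptions of the example; the sample schedules are constructed.

```python
from dataclasses import dataclass
from typing import List

MINUTES_PER_DAY = 24 * 60
LOAD_DELAY_MINUTES = 15   # the guide's "about 15 minutes after each collection" tip


@dataclass(frozen=True)
class HourlySchedule:
    """An Hourly recurrence as the Set Collect/Load Schedule dialogs define it:
    first run at start_hour:start_minute, then every interval_hours until 11:59 p.m.
    (Class and field names are assumptions of this example, not product identifiers.)"""
    start_hour: int
    start_minute: int
    interval_hours: int


def daily_run_times(schedule: HourlySchedule) -> List[int]:
    """Return the minutes-after-midnight of every run on one day.

    Runs never wrap into the next day: the sequence restarts at the start time
    each morning, which is why 'every hour from 1:00 p.m.' gives 11 runs, not 24.
    """
    if not (0 <= schedule.start_hour < 24 and 0 <= schedule.start_minute < 60):
        raise ValueError("start time out of range")
    if not (1 <= schedule.interval_hours <= 12):
        raise ValueError("interval must be between 1 and 12 hours")
    first = schedule.start_hour * 60 + schedule.start_minute
    return list(range(first, MINUTES_PER_DAY, schedule.interval_hours * 60))


def fmt(minutes: int) -> str:
    """Render minutes-after-midnight as HH:MM."""
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def check_schedules(collect: HourlySchedule, load: HourlySchedule) -> List[str]:
    """Check a collect/load pair against the guide's tips and return the problems found.

    Tip 1: load no more often than you collect.
    Tip 2: load about 15 minutes after each collection, so the newest data is included.
    """
    warnings: List[str] = []
    if load.interval_hours < collect.interval_hours:
        warnings.append(
            f"load interval {load.interval_hours}h is shorter than collect interval "
            f"{collect.interval_hours}h; some loads will find no new data")
    collects = daily_run_times(collect)
    for load_t in daily_run_times(load):
        earlier = [c for c in collects if c <= load_t]
        if earlier:
            last = earlier[-1]
            gap = load_t - last
        else:
            # No collection yet today: the latest one was yesterday's last run.
            last = collects[-1]
            gap = load_t + (MINUTES_PER_DAY - last)
        if gap < LOAD_DELAY_MINUTES:
            warnings.append(
                f"load at {fmt(load_t)} is only {gap} min after collection at "
                f"{fmt(last)}; it may miss that collection")
    return warnings


if __name__ == "__main__":
    # Constructed example: collect every hour from 1:00 a.m., load twice a day at 1:15.
    collect = HourlySchedule(1, 0, 1)
    load = HourlySchedule(1, 15, 12)
    print("collections/day:", len(daily_run_times(collect)))   # 23, as in the guide
    print("loads at:", ", ".join(fmt(t) for t in daily_run_times(load)))
    for w in check_schedules(collect, load) or ["schedules look consistent"]:
        print(w)
```

Run it with the collect and load parameters you intend to enter; every warning is a load run that will either find nothing new or miss the collection that just ran. The day-boundary case matters for loads scheduled shortly after midnight, which follow the previous day's last collection rather than the first one of the new day.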

Creating a load schedule


To create a load schedule, do the following steps:
1. Open the Set Schedules dialog in one of the following ways:
   • In the Machine View, Event Source View, or Database View window, double-click the Load Schedule cell, or right-click it and select Edit.
   • In the Database View window, right-click the database into which the data is to be loaded and click Set Schedules on the menu that is displayed.
   Note: When a database is populated with event sources, it is also displayed in the Machine View and the Event Source View windows.
2. Click Load to open the Set Load Schedule dialog.
3. Depending on the selected recurrence pattern, different options are displayed so that you can tailor the load schedule. For example, different minute intervals can be selected if the Frequently recurrence pattern was selected; the hour and minute at which Tivoli Compliance Insight Manager loads data can be selected if the Daily recurrence pattern was selected.
   Note: If Never is selected, Tivoli Compliance Insight Manager does not load, or stops loading, data into the database.
4. Click or fill in any additional schedule options.
5. Click OK to close the Set Load Schedule dialog. The load schedule is displayed in the Set Schedules dialog.
6. Click OK again to apply the schedule. Tivoli Compliance Insight Manager loads data for all systems and event sources added to the database, using the set schedule.

Setting a sliding load schedule


If the Daily frequency is selected when creating a database load schedule, and data is collected at least once a day, up to 14 days of the most recent data can be loaded into the database on a sliding schedule. This option keeps only the most recent number of days of data and automatically clears older data every day. It can be useful for week-by-week overviews of audit data; if the historic audit data must be kept, load the same data into another database as well.
Note: For reliable performance, configure a maximum of 7 days for a sliding load schedule. Load failures can occur if system resources are insufficient.
To set a sliding load schedule, do the following steps:
1. In the Database View window, right-click the database for which a sliding load schedule is to be set up.
   Note: If the database is populated with event sources, it is also available in the Machine View and the Event Source View windows.
2. Click Set Schedules on the menu that is displayed.
3. Click Load to open the Set Load Schedule dialog.
4. Select the Daily recurrence pattern.
5. In the upper part of the Load area, set a load time.
6. In the lower part of the Load area, select Last Days of Data and provide the required number of days in the corresponding list (Figure 36).

Figure 36. Setting a sliding load schedule

7. Click OK to close the Set Load Schedule dialog. The load schedule description, with the word Sliding, is displayed in the Set Schedules dialog (Figure 37).

Figure 37. A sliding load schedule reflected in the Set Schedules dialog

8. Click OK to apply the schedule. Tivoli Compliance Insight Manager follows the sliding schedule when loading data for all event sources that were added to the database.

Manually loading data into GEM databases


Audit data can be manually loaded into a GEM database. To load data manually into a GEM database, do the following steps:
1. In the Database View window, right-click the database to be loaded now.
   Note: When the database is populated with event sources, it is also displayed in the Machine View and the Event Source View windows.
2. Select Load on the context menu that is displayed. The Load Database wizard starts.
3. Follow the instructions on the pages of the wizard to load data into the database:
   a. On the welcome page of the wizard, click Next.
   b. On the Choose a Database page, select the database to be loaded and click Next.
   c. On the Choose Period page, specify the time interval over which events are to be loaded. The default interval is one day. Click Next.
   d. On the Collect Now page, select one of the following options:
      • Collect the latest data for the associated event sources before loading data from the requested period into the database, or
      • Load only data that had been collected earlier.
   e. In the Choose a Policy dialog, select the required policy option:
      • Select Matching to load data using the policy whose date (the day the policy was moved to the Committed folder) is closest to the date on which the data was collected. For example, if five-month-old data is loaded to research a security issue, you might want to load that data using the policy that was in place when it was collected.
      • Select Newest to load data using the most recently committed policy.
      • Select Fixed and click any policy in either the Committed or Work folder. You might want to load data using a policy in the Work folder to test it before moving it to the Committed folder.
      Note: For a GEM database that has a load schedule (its Load Schedule property is set to anything other than Never), the default policy is used for manual loading, and the Choose a Policy dialog is not displayed in the Load Database wizard.
   f. On the final page of the wizard, click Finish to close the wizard and start the load request.
Notes:
a. The database status is not updated immediately; it is updated when the actual load process starts.
b. If a scheduled load triggers during a manual load of a GEM database, the scheduled load is skipped. Check afterwards that the period the skipped load would have covered has been loaded.
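The three policy options of the Load Database wizard (Matching, Newest, Fixed) decide which rules the loaded events are evaluated against, which matters when old data is re-loaded to investigate an incident. The following Python script is an added example, not code from the product or from this guide: it models policies by name, folder, and commit date and applies the three selection rules as the wizard describes them. The Policy class, the function names, the tie-breaking rule for Matching (prefer a policy committed on or before the collection date when two are equally close), and the sample policies are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """A security policy as the Load Database wizard lists it (constructed for this example).
    committed_on is the day the policy was moved to the Committed folder; None for Work policies."""
    name: str
    folder: str                          # "Committed" or "Work"
    committed_on: Optional[date] = None


def parse_day(text: str) -> date:
    """Parse a YYYY-MM-DD date such as the one shown in the wizard's period field."""
    return date.fromisoformat(text)


def choose_policy(policies: List[Policy], option: str,
                  collected_on: Optional[date] = None,
                  fixed_name: Optional[str] = None) -> Policy:
    """Return the policy a manual load would use for one of the wizard's three options."""
    committed = [p for p in policies if p.folder == "Committed" and p.committed_on is not None]
    if option == "Matching":
        if collected_on is None:
            raise ValueError("Matching needs the date the data was collected")
        if not committed:
            raise LookupError("no committed policy available")
        # Closest commit date to the collection date, as the guide describes it. On a tie,
        # prefer the policy committed on or before the collection date (assumption).
        return min(committed, key=lambda p: (abs((p.committed_on - collected_on).days),
                                              p.committed_on > collected_on))
    if option == "Newest":
        if not committed:
            raise LookupError("no committed policy available")
        return max(committed, key=lambda p: p.committed_on)
    if option == "Fixed":
        for p in policies:                # a Work policy may be chosen, e.g. to test it
            if p.name == fixed_name:
                return p
        raise KeyError(f"no policy named {fixed_name!r}")
    raise ValueError(f"unknown option {option!r}")


def policy_postdates_data(policy: Policy, collected_on: date) -> bool:
    """True when the chosen policy was committed after the data was collected, i.e. the
    events are evaluated against rules that were not in force at the time."""
    return policy.committed_on is not None and policy.committed_on > collected_on


# Constructed sample policies for this example.
SAMPLE_POLICIES = [
    Policy("baseline-2008q1", "Committed", date(2008, 1, 1)),
    Policy("sox-update",      "Committed", date(2008, 4, 1)),
    Policy("pci-tightening",  "Committed", date(2008, 7, 1)),
    Policy("draft-q3",        "Work"),
]


if __name__ == "__main__":
    collected = parse_day("2008-06-25")
    chosen = choose_policy(SAMPLE_POLICIES, "Matching", collected_on=collected)
    print("Matching ->", chosen.name,
          "(committed after collection)" if policy_postdates_data(chosen, collected) else "")
    print("Newest   ->", choose_policy(SAMPLE_POLICIES, "Newest").name)
    print("Fixed    ->", choose_policy(SAMPLE_POLICIES, "Fixed", fixed_name="draft-q3").name)
```

The Matching option picks the nearest commit date in either direction, so data collected a few days before a new policy was committed is evaluated against that newer policy; `policy_postdates_data` makes that visible, and Fixed is the option to use when the investigation needs exactly the policy that was in force.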

Clearing GEM databases


A GEM database must be cleared before it can be deleted. Audit data collected from systems and event sources can also be cleared if it is no longer needed.
Note: All event sources of the database have the same collect schedule.
To unload all audit data in the database, do the following steps:
1. In the Database View window, right-click the database to be cleared.
   Note: If the database is populated with event sources, it is also available in the Machine View and the Event Source View windows.
2. Click Clear. When Tivoli Compliance Insight Manager has removed the data from the database, the database icon is displayed in yellow to indicate that the database is empty.
To stop loading data from specific event sources into the database, see Removing event sources from databases on page 71.

Working with database, system, and event source properties


You can work with database, system, and event source properties.

Working with database properties


You can view database properties, load data manually, and change data collection and load schedules from the Properties dialog. To display or change database properties, do the following steps:
1. Right-click the database whose properties are to be viewed.
2. Click Properties on the menu that is displayed. The Status field describes the database status, which can be empty, loaded, loading, or load failure.
From the Database Properties window, you can do the following actions:
• Click Load to load data manually.
• Click Set Schedules to create a collect schedule or a load schedule for the database.
• Click Clear to clear the database.
• Set Data Processing.
• Click OK when you have finished viewing or changing database properties.



Note: Click another tab at the top of the Properties dialog to view or change properties for another GEM database.

Working with system properties


You can see system properties from the Properties dialog. To display system properties, do the following steps:
1. In the Machine View window, right-click the system whose properties are to be viewed and select Properties on the context menu, or double-click the system cell in any view. The Properties dialog opens, displaying the properties of the system you clicked.
2. Click the tabs at the top of the dialog to display additional properties.
3. When you have finished viewing or changing system properties, click OK to close the Properties dialog.
Note: If the system has event sources, it is also displayed in the Event Source View window. If an event source of the system is attached to a database, the system is also displayed in the Database View window.
To change system properties, do the following steps:
1. The Machine Properties dialog has two tabs: General and Network. On the General tab, you can move the system to another system group: click the arrow in the Group list box and pick another system group. The remaining properties on the General tab were set when the system was first added and cannot be changed.
2. On the Network tab, you can generate a new installation password for the system and test the connection between the Server and the system. To generate a new installation password, click New Install Password. The installation password is valid for 24 hours after the system is added to the Management Console; if more than 24 hours pass before the Actuator is installed on the system, generate a new password.
3. To test the connection between the Server and the system, click Test IP and port. A Test IP and port dialog opens. Click Details to display the results of the connection test, and OK to close the dialog.

Working with event source properties


You can view or change properties for event sources and user information sources. To display event source properties, do the following steps:
1. In the Machine View, Event Source View, or Database View window, right-click the event source whose properties you want to view.
2. Click Properties on the menu that is displayed. The Properties dialog opens, displaying the properties of the selected event source.
3. Click the tabs at the top of the dialog to display additional properties.
4. When you have finished viewing or changing event source properties, click OK to close the Properties dialog.
You can also change event, remote event, or policy source properties. The event source Properties dialog has two or three tabs, called General, Schedule, and Audit Profile. You can make the following changes:
• On the General tab, you can change the name of the event source as it is displayed in the Event Source Properties, and edit the properties that you set when you defined the event source on the system.
• On the Schedule tab, you can change the collect schedule for the event source.
• On the Audit Profile tab, you can change the following properties:
   • Administrator credentials
   • Kind of audit profile
   • Custom properties of the event source
For more information about event source properties, see the installation section for the event source platform in the IBM Tivoli Compliance Insight Manager: Installation Guide.
Note: The Audit Profile tab is available only for platforms that support setting the auditing security policy remotely (Windows).


Chapter 14. Centralized user management


Centralized user management is enabled by the use of a Tivoli Compliance Insight Manager Security Group. Centralized user management enables Tivoli Compliance Insight Manager servers in a Security Group to authenticate users and authorize access against a designated server, called a Security Server. Because all user permissions for users of the servers in a Security Group are stored on one Security Server, you can add, delete, or modify users and permissions and these changes will be applied globally to all servers in the Security Group.

Security Group components


The components of a Security Group are described in the following list:

Security Group
A Tivoli Compliance Insight Manager Security Group is a set of any number of Tivoli Compliance Insight Manager servers that use the same Security Server for authentication and authorization. A Security Group has exactly one Security Server; all other servers in the Security Group are called Grouped Servers. A Security Group can include multiple Tivoli Compliance Insight Manager Clusters. From any Tivoli Compliance Insight Manager server in a Security Group you can administer Tivoli Compliance Insight Manager users and their permissions for all other servers in that Security Group.

Security Server
A Tivoli Compliance Insight Manager Security Server is the core of a Tivoli Compliance Insight Manager Security Group. The Security Server contains an LDAP server that all Tivoli Compliance Insight Manager servers in the Security Group use for authentication, and a permission store that all Tivoli Compliance Insight Manager servers in the Security Group use for authorization.

Grouped Server
A Grouped Server is any Tivoli Compliance Insight Manager server that is a member of a Security Group but is not the Security Server of that group. During the installation of a Grouped Server, you specify which Security Server is to be used for authentication and authorization.

A Security Group deployment uses the Tivoli Compliance Insight Manager Enterprise Server and Standard Server. These servers are referred to as the Security Server or a Grouped Server according to their role in the group. The Tivoli Compliance Insight Manager servers are described in the following list:

Enterprise Server
The Enterprise Server is the main Tivoli Compliance Insight Manager server in a Tivoli Compliance Insight Manager Cluster. An Enterprise Server contains all components of a Standard Server, and in addition the web applications, the depot indexer, the log retrieval search functionality, and the consolidation server. An Enterprise Server can be either a Grouped Server or the Security Server in a Security Group.

Consolidation Server
A Consolidation Server is a Tivoli Compliance Insight Manager server on which the consolidation database is installed. By definition, a Consolidation Server is an Enterprise Server.

Standard Server
A Standard Server is any Tivoli Compliance Insight Manager server that is not an Enterprise Server. A Standard Server contains the Tivoli Compliance Insight Manager server and the web applications. A Standard Server is typically a Grouped Server in a Security Group, but it can also be the Security Server if it is the only server in the group.

Tivoli Compliance Insight Manager Cluster
A Tivoli Compliance Insight Manager Cluster is a group of exactly one Enterprise Server and at most three Standard Servers. The Enterprise Server consolidates data from the Standard Servers and reports on audit data from all of the servers in the cluster. All servers in a cluster must authenticate against the same Security Server, so all servers in a cluster must be members of the same Security Group. Take this into account when installing the servers of a cluster: during the installation of a Grouped Server, you specify which Security Server is to be used for authentication and authorization.

Configuring a Security Group


You can configure a Security Group when you install a Tivoli Compliance Insight Manager server. For more information about installing a Tivoli Compliance Insight Manager server or about configuring a Security Group, see the IBM Tivoli Compliance Insight Manager: Installation Guide.

Managing users, roles, and GEM database access permissions for a Security Group
You can administer users, roles, and GEM database access permissions for all members of a Security Group from any Management Console on any server in the Security Group. Adding, deleting, or modifying a Tivoli Compliance Insight Manager user, or changing the password of an existing user, is stored centrally on the Security Server. For more information about user administration, see Chapter 15, Managing users and roles, on page 85.

For example, if you add a new user, that user's information is stored on the Security Server, and the user becomes available to all servers in the Security Group. Similarly, if you delete a user, then that user is no longer available on any server in the Security Group. If you change a password or change a user's role, then that change is applied to all servers in the Security Group. The user has the same role(s) on each server in the Security Group.

Users can have different GEM database access rights for each server in the Security Group. A user can be granted access to the database of any Grouped Server or Security Server in the group from any Management Console on any server in the group. The Management Console's User Management dialog contains the list of databases on each server, and it allows an administrator to select the databases to which a user has access rights.


IBM Tivoli Compliance Insight Manager: User Guide


Synchronizing users, roles, and GEM database access permissions for a Security Group
Although you can manage users, roles, and GEM database access permissions from any Management Console on any server in the Security Group, the changes are not immediately applied to all servers in the group. Each server in the group runs a synchronization process in order to synchronize local server users, roles, and database access permissions with the Security Server. The servers apply the changes after they have finished synchronization. Thus, if a user is assigned a role or granted access to database using the Management Console on one server in the group, the other servers will apply these changes after they have synchronized with the Security Server.

Chapter 14. Centralized user management




Chapter 15. Managing users and roles


You can use the User Management window in iView to do the following tasks:
- Create and manage users
    - Adding users
    - Deleting users
    - Changing passwords
- Manage user roles
    - Setting or changing user roles

To open the User Management window, use any one of the following methods:
1. Select the View menu and select User Management.
2. Click the User Management button on the Main toolbar.
3. Press [Ctrl+U] on the keyboard.

Creating and managing users


You can add and remove users, and change their passwords.

Adding users
If you have access rights to administer Tivoli Compliance Insight Manager users, you can add them at any time. In general, assign a unique user name and password for each user. To add a user, do the following steps:
1. In the User Management window, click Add below the Users list.
2. In the Username field, type a user name. Start all user names with the letters cif, to avoid name conflicts. User names can include up to 17 additional alphanumeric characters, and cannot include spaces, punctuation, or other symbol characters such as ~ or +.
3. In the Password field, type a password and retype it in the Verification field. Passwords must include between 6 and 20 characters, must start with a letter, and cannot include spaces, punctuation, or other symbol characters such as ~ or +.
4. Click Add.
The new user is displayed at the bottom of the Users list in the User Management window. Next, assign user roles to the new user in the adjacent roles list so that the user can access Tivoli Compliance Insight Manager components.

Deleting users
With the Administer Tivoli Compliance Insight Manager users role, you can delete any user except the user who is currently logged on. If the logged-on user is to be deleted, switch to another user, and then delete the first user. To delete a user, do the following steps:
1. In the User Management window, select the user to be deleted.
2. Click Remove below the Users list, or right-click the user and select Remove User from the context menu.
3. In the confirmation window that is displayed, click Yes to delete the user.
Tivoli Compliance Insight Manager removes the name from the Users list.

Changing passwords
Your password can be changed from either the Tivoli Compliance Insight Manager Logon dialog or from the User Management window. Depending on your assigned user roles, you might be able to change passwords for other users. Passwords must start with a letter, can include up to 20 alphanumeric characters, but cannot include spaces, punctuation, or other symbol characters, such as ~ or +. You and other users need a password to log on to any Tivoli Compliance Insight Manager component for which you have access rights.

Changing your password from the Tivoli Compliance Insight Manager Logon dialog
To change your password from the Tivoli Compliance Insight Manager Logon dialog, do the following steps:
1. Start the dialog in either one of the following ways:
    - Close the Management Console and start it again.
    - Log off from the Management Console by selecting File > Logoff, then select the File menu again and select Logon.
2. In the logon dialog, type your user name and password in the corresponding text fields and click New Password.
3. In the dialog box that is displayed, type a new password in the New Password field and retype it in the Verification field.
4. Click OK.

Changing your password or other user passwords from the User Management window
To change your password or other user passwords from the User Management window, do the following steps:
1. In the User Management window, click the name of the user whose password is to be changed.
2. Start the Change Password dialog in one of the following ways:
    - Click Change Password.
    - Right-click the user in the Users list and select Change Password from the context menu.
3. In the Change Password dialog, type a new password, and type it again to verify spelling.
4. Click Change to change the password.
5. If you are changing your own password, do the following:
    a. Close the Management Console and start it again, or log off from the Management Console by selecting File > Logoff.
    b. Click File > Logon to log on again using the new password.

Note: After changing your password, or the password of another user, all users currently logged in with the affected user name must log off and log back in with the new password to continue using the Management Console.




Managing user roles


You can set or change the users' roles.

Setting or changing user roles


If you have the Administer Tivoli Compliance Insight Manager users role, you can set or change user roles for yourself and other users. One or more user roles can be assigned to any user. Table 2 shows the access rights of each Tivoli Compliance Insight Manager user role.
Table 2. Access rights of the Tivoli Compliance Insight Manager user roles

Role: Access the Management Console
    Access rights granted: Can view the Management Console contents.
    Rights denied: No right to change the Management Console contents.

Role: Manage Databases and Real-time alerts
    Access rights granted: Can add systems and event sources into GEM databases, and set up schedules for collecting, loading, and unloading audit data. It also gives rights to manage alerts.
    Rights denied: No right to edit, delete, or commit policies.

Role: Manage Machines, Event Sources and Log Management Reports
    Access rights granted: Can add, change, delete, and move systems and event sources before Tivoli Compliance Insight Manager collects data for the systems or event sources.
    Rights denied: No right to delete systems or event sources after the data is collected.

Role: Delete Event Source with Audit Log
    Access rights granted: Can delete systems or event sources for which Tivoli Compliance Insight Manager has collected audit and log data.
    Rights denied: None

Role: Commit or Delete Security Policy
    Access rights granted: Can delete a policy or move a policy to the Committed folder.
    Rights denied: None

Role: Edit Security Policy
    Access rights granted: Can create and change a security policy.
    Rights denied: None

Role: Log on to Portal
    Access rights granted: Can open and view iView pages.
    Rights denied: None

Role: Use Custom Reports in iView
    Access rights granted: Can view custom reports in iView.
    Rights denied: None

Role: Create or Edit Custom Reports in iView
    Access rights granted: Can create and change custom reports in iView.
    Rights denied: None

Role: Administer Tivoli Compliance Insight Manager users
    Access rights granted: Can add or delete users, and change their passwords.
    Rights denied: None

Role: Manage Excerpts
    Access rights granted: Allows setting access to individual databases.
    Rights denied: None

Role: Manage Incidents
    Access rights granted: Can access and manage incidents.
    Rights denied: None

Role: Use Depot Investigation and Log Retrieval tools
    Access rights granted: Allows access to the corresponding tools of the Log Manager.
    Rights denied: None

Role: Using the Policy wizard in iView
    Access rights granted: Gives rights to use the Policy wizard in iView.

To set user roles, do the following steps:
1. In the User Management window, click the user to whom user roles are to be assigned.
2. Click each role to be assigned to this user.
3. Click Apply when completed.
Tivoli Compliance Insight Manager assigns user roles on the Server according to the selections.

Notes:
1. Roles that are in use while you are in the User Management window cannot be revoked. For example, you cannot revoke your own rights to access the Management Console and administer user roles.
2. User rights apply both on the Server where you created the user and on the Consolidation Server, if you installed it.



Chapter 16. Policy maintenance


A security policy consists of group definition sets, policy rules, and attention rules defined for one or more platforms. When systems whose activity is audited are registered, Tivoli Compliance Insight Manager applies the policy and attention rules in your security policy to load audit data from each system into a GEM database, organizing the data using the groups you defined, and displaying the results in iView.

To open the Policy Maintenance window, do the following steps:
1. From the Policy Explorer window, click the folder that contains the policy to be viewed or changed.
2. Double-click the policy to open the three-paned policy window and display the policy that was clicked.

In the Policies window, you can create, test, change, and apply the company security policies. From this window, you can do the following tasks:
- Create and manage policies and platforms
- Define and manage group definition sets
- Define and manage groups
- Manage conditions and requirements
- Define and manage policy rules
- Define and manage attention rules
- Test and commit policies for auditing

Creating and managing policies


You can define a policy, create a new empty policy, duplicate or edit it, or delete or rename it.

Defining a policy
A policy is a collection of rules that determine what audit data Tivoli Compliance Insight Manager loads and displays for analysis. To create a policy, you must specify the following information:
- Attention rules
- Group definitions for each platform
- Platforms to be audited
- Policy rules

You can create rules for any of the operating system or application platforms from which Tivoli Compliance Insight Manager can collect data. Group definition sets are created to organize audit data into standardized groups for efficient analysis. You can create a group definition set for an entire policy or create a set for each platform to be audited.





Policy rules specify which actions can be performed by which people on which systems at what times. Actions that do not match a policy rule generate policy exceptions. Attention rules specify which events should generate audit data even if the events are allowed by your policy rules. Actions that match an attention rule generate attentions. Tivoli Compliance Insight Manager filters audit data generated by policy exception rule and attention rule matches, translates it into seven standardized groups according to the auditing model, and displays the results in iView for analysis.

Storing policies
All policies are stored in the Policies folder, which contains two subfolders:
- The Committed folder contains all policies that you have committed for use. You can view but not change committed policies.
- The Work folder contains policies that you can change. When you finish changing a policy, move it to the Committed folder for use in collecting audit data.

Note: Tivoli Compliance Insight Manager also creates an automatically generated policy that you can view but not change.

Applying policies
When it collects and loads audit data according to a schedule you set, Tivoli Compliance Insight Manager uses the most recent policy in the Committed folder. Another policy can be used to collect data if you load data manually and select another policy at that time. You might specify another policy, for example, if you recently updated a policy and want to compare audit data from the old policy and the new policy.

Creating a new empty policy


The first step in creating a policy is to create and name a policy file. To create a new policy, do the following steps:
1. In the Policy Explorer window, click Policy > New Policy in the menu bar. The New Policy dialog opens.
2. Select Empty if it is not already selected.
3. Type a name for the policy. You can enter up to 80 characters for the name of the policy. The name can include letters and numbers, but cannot include spaces, punctuation, or symbol characters, such as @ or *.
4. Click OK when completed.
The new policy is displayed in the Work folder. The next step in policy creation is defining the platforms from which you plan to collect audit data.

Duplicating existing policies


You can duplicate a policy in the Committed folder or in the Work folder rather than creating a new policy from scratch. To duplicate a policy, do the following steps:
1. In the Policy Explorer window, open the folder that contains the policy to be duplicated.
2. Right-click the policy to be duplicated, and select Duplicate on the menu that is displayed. A duplicate of the policy is displayed in the Work folder. Its default name is selected so that it can be renamed.
3. Type a new name for the policy. Up to 80 characters can be entered for the name of the policy. The name can include letters and numbers, but cannot include spaces, punctuation, or symbol characters, such as @ or *.

It is also possible to duplicate a policy when creating a new policy (Figure 38):

Figure 38. Duplicating a policy when creating a new policy

Editing policies
If an empty policy was created or an existing policy duplicated, you must edit the policy to add or change its contents. Any policy can be edited in the Work folder. To edit a policy, do the following steps:
1. In the Policy Explorer window, open the Work folder.
2. Double-click the policy to be edited. Tivoli Compliance Insight Manager opens a policy window and displays the selected policy. From this window, any of the tasks listed on the Policy Maintenance page can be completed. For example, you can do the following tasks:
    - Create or change platforms for the policy
    - Create or change group definition sets for any platform or for all platforms
    - Create or change groups within a group definition set
3. When the policy change is complete, you can test it within a manual GEM database load, and, if it needs additional changes, the editing process can continue.
4. When the policy editing has been completed, click Policy > Save in the menu bar to save the changes.
The edited policy is available in the Work folder in the Policy Explorer window.

Deleting policies
Any policy in the Work folder can be deleted. Committed policies cannot be deleted.





To delete a policy in the Work folder, do the following steps:
1. When necessary, close the opened policy first.
2. In the Policy Explorer window, open the Work folder.
3. Right-click the policy to be deleted and select Delete on the context menu that is displayed.
4. In the Confirmation box, click Yes to delete the policy.
The policy is deleted.

Renaming policies
Any policy in the Work folder can be renamed. Tivoli Compliance Insight Manager automatically renames policies in the Committed folder using the date and time that the policy was committed; these policies cannot be renamed. To rename policies in the Work folder, do the following steps:
1. When necessary, close the opened policy first.
2. In the Policy Explorer window, open the Work folder, and right-click the policy to be renamed.
3. Select Rename in the context menu that is displayed.
4. Enter a different name for the policy.
The renamed policy is displayed in the Work folder.

Defining and managing group definition sets


You can create or delete platforms that are audited.

Creating platforms
After a policy is created, you must define the platforms to be audited. Systems can be audited on any of the platforms that Tivoli Compliance Insight Manager supports. Platforms can be created for any policy in the Work folder. Platforms can be created for a committed policy by duplicating the policy, adding the new platform as described below, and then committing the updated policy. To create a platform, do the following steps:
1. In the Policy Explorer window, open the Work folder.
2. Open the policy where the new platforms are to be created.
3. Right-click the policy folder at the top of the Policy pane of the policy window, and select New Platform from the context menu that is displayed. In this pane, the policy folder is displayed with a shield-like icon containing a capital letter P.
4. In the New Platform dialog, open the list box and select the platform to be added to the policy.
5. Click OK when finished.
The new platform is displayed at the bottom of the platform list in the Policy pane. A group definition set is created for the platform.




Deleting platforms
Any platform can be deleted from any policy in the Work folder. When a platform is deleted from the policy, Tivoli Compliance Insight Manager stops auditing systems or applications of that specific platform type, even if systems or event sources for that platform are still displayed in the Machine View or Event Source View windows. To delete a platform, do the following steps:
1. In the Policy Explorer window, open the policy that includes the platforms to be deleted.
2. In the Policy pane of the policy window, select the platform to be deleted.
3. Delete any group definition sets that were created, copied, or imported into the platform.
4. Right-click the platform to be deleted and select Delete on the context menu that is displayed.
5. Click Yes to confirm.
The platform is deleted.

Attention: This task cannot be undone. If a deleted group definition set and platform must be restored, you must recreate them manually from committed policies or import files.

Defining and managing group definition sets


You can define and manage group definition sets.

What are group definition sets?


A group definition set is a collection of folders called Who, What, When, Where, and OnWhat. Each folder holds groups that fit into one of the auditing categories. After group definition set folders have been created, groups of people, events, times, systems, and platforms should be defined for any or all folders in the group definition set. You can create a group definition set for each platform to be audited, or create a global group definition set whose groups apply to all platforms that you audit.

Creating group definition sets


You can create a group definition set for each platform whose systems or events are to be audited. Every group definition set includes five grouping folders named Who, What, When, Where, and OnWhat. These grouping folders correspond to the groups into which Tivoli Compliance Insight Manager translates each event when the audit data is loaded into a GEM database.

Note: All platform-related data is collected in the Where grouping folder; Tivoli Compliance Insight Manager separates the platform data into the Where, From Where, and Where To categories when it translates the data.

To create a group definition set, do the following steps:
1. In the Policy pane of the policy window, right-click the platform for which you want to create a group definition set.
2. Select New group definition set on the context menu that is displayed. A new group definition set with a default name is displayed.
3. Enter a name that describes the group definition set. You can name group definition sets using department names, platform names, or any other suitable names.
The new group definition set is displayed in the platform folder. Next, groups are created for each group definition set.

Creating a global group definition set


You can create a global group definition set whose groups apply to all platforms that are audited. To create a global group definition set, do the following steps:
1. In the Policy pane of the policy window, right-click the Policy icon.
2. Select New Group Definition Set in the context menu that is displayed. The new group definition set is displayed below any platforms defined for the policy.
3. Enter a new name for the group definition set.
After the global group definition set has been created, groups need to be created for it, just as for platform-specific group definition sets.

Copying group definition sets


You can copy a group definition set to another platform in the same policy or to another policy in the Work folder. To copy a group definition set, do the following steps:
1. In the Policy pane of the policy window, double-click the platform folder that contains the group definition set to be copied.
2. Right-click the group definition set to be copied, and select Copy on the context menu that is displayed.
3. If the group definition set must be copied into another policy in the Work folder, open that policy.
4. Right-click the platform folder into which you want to copy the group definition set, and select Paste on the context menu that is displayed.
The new group definition set is displayed in the platform folder. The copied groups can be edited the same way that they were created.

Deleting group definition sets


You can delete a group definition set from any platform of any policy in the Work folder. It is not possible to delete group definition sets from policies stored in the Committed folder. To delete a group definition set, do the following steps:
1. In the Policy pane of the policy window, open the platform that contains the group definition set to be deleted.
2. Right-click the group definition set and select Delete on the context menu that is displayed.
3. When asked to confirm the deletion, click Yes.
The group definition set and all groups, conditions, and requirements defined for the group definition set are deleted.

Attention: This action cannot be undone. If the deleted group definition set must be recreated, recreate it manually from committed policies or import files.

Importing group definition sets


The Grouping wizard in iView can create and save group definition sets as a file. These files usually have a .CFG extension. A group definition set can be imported to use with any policy in the Work folder. To import a group definition set, do the following steps:
1. In the Policy pane of the policy window, right-click the platform name.
2. Select Import Group Definition Set on the context menu that is displayed. The Import Group Definition Set dialog opens.
3. Type the name and path of the file to be imported, or click Browse and locate the file.
4. In the Group Definition Set Name field, type the name to be used for the imported group definition set.
5. Click OK when finished.
The group definition set is displayed in a folder in the Policy pane, using the supplied name. The group definition set can be copied to a platform if desired.

Defining and managing groups


You can define, create, copy, remove, rename, or delete groups.

Defining groups
A group can be a collection of any of the following:
- Event platforms
- Events
- People
- Systems
- Times or dates

You can create a group and behavior rules in Tivoli Compliance Insight Manager. When you create a group, its group type is specified. The following group types correspond to the categories into which each piece of audit data is separated:
- On What: the files or other objects affected by audit events
- What: the events
- When: the times or dates on which events occurred
- Where: the systems on which the events occurred
- Who: the people who triggered audit events

Tivoli Compliance Insight Manager derives the other two categories of audit data (From Where and Where To) from the groups created for the Where category, so it is not necessary to create three sets of platform groups.





Group members are defined by creating one or more conditions. To be a member of a group, the member (a person, event, time, system, or platform) must meet at least one of the set conditions. Conditions are defined as one or more requirements. To be a member of a group, the member must meet a condition. To meet a condition, the group member must meet all of the requirements of that condition. A group member can belong to more than one group. For example, suppose you run a manufacturing plant with three shifts and have many employees who work double shifts. You might create three When groups called Day Shift, Evening Shift, and Night Shift. The condition for group membership in any of these groups is an employee ID that identifies the employee as a manufacturing worker. Employees working double shifts would not trigger false positive audit events. After groups are created, you can copy, move, delete, or rename the groups.

Creating groups
After creating an empty policy, defining the platforms to be audited with the policy, and creating group definition sets for the platforms, you must create groups for any of the group types within the group definition sets. To create a group, do the following steps:
1. In the Policy pane of the policy window, open the platform where you want to create a group.
2. Double-click the group definition set where a group is to be created. The group definition set is displayed in the Grouping pane of the policy window.
3. Right-click the folder of the group type to be created, and select New Group on the context menu that is displayed. Group types are Who, What, When, Where, and On What. Tivoli Compliance Insight Manager uses the Where groups created as From Where and Where To groups as well, so it is not necessary to define groups for the same platforms three times.
4. Type a name for the group in the Group Name box.
5. Click OK when finished.
The new group is displayed in the group definition folder. Depending on the folder where the group was added, the icon of the new group varies; for example, the Who group icon looks like people, and the On What group icon looks like a file. Next, one or more conditions for group membership should be created.

Creating conditions for groups


A condition is a statement that describes a member of a group. For example, if a group is titled All Employees, the condition for group membership is a valid employee ID. If a group is created called Finance Managers, the condition for group membership is an employee ID that identifies a group member as a management employee in the Finance department. When groups are created, you must specify the conditions for group membership. To create each condition, set one or more requirements. To create conditions, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder that contains the group where a condition is to be added.
2. Right-click the group where a condition is to be created, and select New Condition on the context menu that is displayed.
A condition icon that looks like a mathematical equivalency sign is displayed below the grouping folder. The triple period (...) indicates that the condition does not yet have a requirement. Next, create one or more requirements for the condition.

Creating requirements
A requirement is part of a condition. Creating requirements is one of the steps in the process of creating groups. People, systems, or events are members of a group when they match one or more of the conditions of group membership. People, systems, or events match a condition when they match all of the requirements of that one condition. To create a requirement, do the following steps:
1. In the Policy pane of the policy window, double-click the group definition set into which a requirement is to be added. The group definition set is displayed in the Grouping pane.
2. Expand the group where the requirement is to be added. The group members are listed. For example, a Who group might include user, administrator, system maintenance, and manager members; a What group might include a list of events for a given platform.
3. Expand the group member where the requirement is to be added. The group conditions are listed.
4. Right-click the condition for which a new requirement is to be created.
5. Select New Requirement in the context menu that is displayed. A bar with three list boxes is displayed.
6. To construct the requirement, open each list box and select the option required. Depending on the type of group created, the options in each list box can vary. For details about creating requirements for each group type, see the group type below:
    - Who
    - What
    - When
    - Where
    - On What
7. When finished, click elsewhere in the Grouping pane to leave the requirement bar.
The new requirement is displayed in the list of requirements for the edited condition.

Defining Who groups


Who groups define the person who caused an event. Depending on how the groups are organized, you can use department names, such as Sales or Finance, for Who groups. Alternatively, Who groups can be organized by employee title or level in the organization.


To create a Who group, do the following steps:
1. In the Grouping pane of the policy window, right-click the Who folder in the group definition set.
2. Create a new group.
3. Create a condition for each member of the group. For example, if creating a department group, make a condition for each employee in the department.
4. Create a requirement for the condition. From the first requirement list box, you can select one of the following requirements:
   • Logon name
   • Originator
   • Real name
   • Source platform name
   • Source platform type
   From the second requirement list box, you can select one of the following requirements:
   • Contains
   • Ends with
   • In group
   • Is
   • Matches IP address
   • Not in group
   • Starts with
   In the third requirement field, type the rest of the requirement. For example, if Logon name and Is are chosen in the first two fields, type a valid logon name here.
5. Click elsewhere in the policy window when the requirement has been typed.

Defining What groups


What groups describe the action that triggered an audit event or the outcome of the action. For example, a logon authorization failure might trigger an audit based on its Success class.

To create a What group, do the following steps:
1. In the Grouping pane of the policy window, right-click the What folder of the group definition set.
2. Create a new group.
3. Create a condition for each member of the group. For example, if you are creating a group for logon and logoff events, make a condition for each kind of logon and logoff event.
4. Create a requirement for each condition. From the first requirement list box, you can select one of the following items:
   • Event main class, to indicate the event type, such as logon, create, or stop.
   • Event class, to indicate the kind of object on which the action is performed, such as the system or clipboard. Sometimes this choice refines the action of the event main class (for example, authorization or access when selecting an event main class of logon).
   • Success class, to indicate the outcome of the action.
   From the second requirement list box, you can select one of the following items:
   • Contains
   • Ends with
   • In group
   • Is
   • Not in group
   • Starts with
   Options in the third requirement list box vary, depending on the choices made in the first two list boxes. For example, if Success class was chosen in the first list box, the three values in the third box are Success, Failure, and *Not available.
5. Click elsewhere in the policy window to leave the requirement when you are finished.

Defining When groups


When groups define the time and date that an audit event occurred. Typical names for a When group are Office hours, Weekend, Weekday Evening, and so on. A When group is created by defining the start and end times for some activity. This information is repeated for each applicable day of the week.

To create a When group, do the following steps:
1. In the Grouping pane of the policy window, right-click the When folder in the group definition set.
2. Create a new group.
3. Create a condition for each member of the group. For example, if defining work hours, create a condition for each day of the week.
4. Create a requirement for each condition. From the first requirement list box, you can select one of the following requirements:
   • Event happened from ... to
   • In group
   • Not in group
   In the second and third requirement list boxes, you can select any day of the week and time of the day, unless In group or Not in group was chosen in the first requirement box. If either of these was chosen, type a group name in the second field. In the third and subsequent requirement fields, select another day of the week and time of the day, correspondingly.
5. Click elsewhere in the policy window to leave the requirement when finished.

Defining Where groups


Where groups define both the specific system and the system platform on which an audit event occurred. Where groups can be organized by platform types, system groups, or servers. These groups must use platform names so the Where groups can be matched to the platforms to be audited. The Where group definitions are used to collect data for two other auditing categories: Where To and From Where. If a Where group is defined for each platform in the company, Tivoli Compliance Insight Manager can use the Where groups defined to gather information about the other two platform-related categories.

To create a Where group, do the following steps:
1. In the Grouping pane of the policy window, right-click the Where folder in the group definition set.
2. Create a new group.
3. Create a condition for each member of the group.
4. Create a requirement for the condition. From the first requirement list box, you can select one of the following requirements:
   • Platform name
   • Platform type
   • Any string value
   Note: Typed values called aspects are also possible.
   From the second requirement list box, you can select one of the following requirements:
   • Contains
   • Ends with
   • In group
   • Is
   • Matches IP address
   • Not in group
   • Starts with
   In the third requirement field, type the rest of the requirement. For example, if Platform name was chosen in the first list box and Not in group in the second box, type the name of the platform whose systems are to be excluded from this group.
5. Click elsewhere in the policy window to leave the requirement when finished.

Defining OnWhat groups


On What groups define the specific object or objects affected by an audit event. These objects can be folders, files, or data within files. Examples of On What groups are financial or payroll data, files that hold trade secrets such as patent information, or employee medical records.

To create an On What group, do the following steps:
1. In the Grouping pane of the policy window, right-click the OnWhat folder in the group definition set.
2. Create a new group.
3. Create a condition for each member of the group. For example, if creating a group for all employee medical records that are stored in different directories by department, create a condition for the medical records of each department.
4. Create a requirement for the condition. From the first requirement list box, you can select one of the following requirements:
   • Object name
   • Object path
   • Object type
   • Any string value
   Note: Typed values called aspects are also possible.
   From the second requirement list box, you can select one of the following requirements:
   • Contains
   • Ends with
   • In group
   • Is
   • Matches IP address
   • Not in group
   • Starts with
   In the third requirement field, type the rest of the requirement. For example, if Object path and Is were chosen in the first two fields, type the path of the file directory to be added to the group.
5. Click elsewhere in the policy window to leave the requirement when finished.

For example, to create an OnWhat group for all employee files, do the following steps:
1. Select OnWhat and create a new group.
2. Create a condition.
3. Create a requirement.
4. In the first field, select Object path.
5. In the second field, select the matching value Starts with.
6. In the third field, enter the path of the directory that contains all employee files.

Note: The Event class in the What group and the contents of the OnWhat group are not the same. The event class in the What group defines the kind of object affected by an audit event. The OnWhat group defines the actual object affected by an audit event. For example, if you select the What group event class file, the OnWhat group in the same group definition set would define a specific file, for example, Q1Sales.xls.

Changing group significance


You can set or change the significance percentage assigned to a group to indicate the severity of events belonging to the group. A higher significance percentage assigns a higher severity level to group events. For example, if you were concerned primarily about external firewall breaches, you might assign a high significance to network login failures. Tivoli Compliance Insight Manager uses the significance percentage and a severity threshold that you set to determine when to send alert messages.

To change the significance of a group, do the following steps:
1. In the Grouping pane of the policy window, right-click the group whose significance is to be changed.
2. Click Edit Significance on the menu that is displayed.
3. Type a new significance between 10 and 99 in the Significance box.
4. Click OK to save.

The changed significance is displayed in parentheses after the group name in the Grouping pane.


Copying groups
After a group is created, and conditions and requirements are added for the group, the group can be copied to the same group type in another group definition set. Groups can be copied within a policy or to other policies in the Work folder.

To copy a group to another group definition set, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder that contains the group to be copied.
2. Right-click the group to be copied, and select Copy on the context menu that is displayed.
3. In the Policy pane, open the group definition set into which the group is to be copied.
4. In the Grouping pane, right-click the grouping folder into which the group is to be copied and select Paste on the context menu that is displayed.

The copied group is displayed in the new group definition set.

Note: For copying groups, it is also possible to use the drag-and-drop mechanism. Drag the group within the source policy while the [Ctrl] key is pressed on the keyboard, and drop it to the destination policy.

Moving groups
A group can be moved to another group definition set in the same policy, as long as it is moved to a group of the same group type.

To move a group to another group definition set in the same policy, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder that contains the group to be moved.
2. Right-click the group to be moved and select Cut on the context menu that is displayed.
3. In the Policy pane, open the group definition set into which the group is to be moved.
4. In the Grouping pane, right-click the grouping folder into which the group is to be moved and select Paste on the context menu that is displayed.

The moved group is displayed in the new group definition set.

Note: For moving groups, the drag-and-drop mechanism can also be used. Drag the group within the source policy and drop it to the destination policy.

Renaming groups
A group can be renamed at any time. For example, if a group is copied and the copy is edited, the group can be renamed to describe its new contents better.

To rename a group, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder that contains the group to be renamed.
2. Right-click the group to be renamed, and select Rename Group on the menu that is displayed.
3. Type a new group name in the Group name box.
4. Click OK to save.

The renamed group is displayed in the group definition set.

Deleting groups
A group can be deleted from a group definition set in any policy in the Work folder. Groups cannot be deleted from policies stored in the Committed folder.

To delete a group, do the following steps:
1. In the Policy pane of the policy window, open the group definition set that contains the group to be deleted.
2. In the Grouping pane, right-click the group to be deleted and select Delete on the context menu that is displayed.

Tivoli Compliance Insight Manager deletes the group and any conditions and requirements defined for the group.

Notes:
1. Deletion of a group can be undone. Open the Edit menu and select Undo.
2. You can also press the [Delete] key on the keyboard to delete groups.

Managing group definitions and requirements


You can copy, move, and delete conditions and requirements in group definition sets.

Copying conditions
After a condition has been created, it can be copied to another group in the same group definition set or in another group definition set. You can copy the condition within a policy or to another policy, as long as it is copied to the same group type.

To copy a condition, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder of the group whose condition is to be copied.
2. Expand the group whose condition is to be copied.
3. Right-click the condition to be copied and select Copy on the context menu that is displayed.
4. Open the group definition set and the target group for the condition.
5. Right-click the group, and select Paste on the context menu that is displayed.

Note: For copying conditions, you can also use the drag-and-drop mechanism. Drag the condition within the source group while the [Ctrl] key is pressed on the keyboard and drop it to the destination group.

Moving conditions
You can move a condition from a group to another group of the same type. The condition can be moved within the same group definition set or to another group definition set, either within the policy or in another policy.

To move a condition, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder of the group whose condition is to be moved.
2. Expand the group whose condition is to be moved.
3. Right-click the condition to be moved and select Cut on the context menu that is displayed.
4. Open the group definition set and the target group for the condition.
5. Right-click the group, and select Paste on the context menu that is displayed.

Note: For moving conditions, the drag-and-drop mechanism can also be used. Drag the condition within the source group and drop it to the destination group.

Deleting conditions
Group conditions that are no longer needed can be deleted.

To delete a condition, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder of the group whose condition is to be deleted.
2. Expand the group whose condition is to be deleted.
3. Right-click the condition to be deleted and select Delete on the context menu that is displayed.

The condition and any requirements defined for it are deleted.

Notes:
1. This action can be undone by closing the policy window without saving the changes.
2. Alternatively, press the [Delete] key on the keyboard to delete the condition.

Copying requirements
A requirement can be copied to another group definition set in the same or another policy.

To copy a requirement, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder with the requirement to be copied. The groups are listed. For example, a Who grouping folder might include User, Administrator, System Maintenance, and Manager groups; a What grouping folder might include a list of auditable events for a given platform.
2. Expand the group whose requirement is to be copied. The conditions for group membership are listed.
3. Expand the condition whose requirement is to be copied. The requirements of the condition are listed.
4. Right-click the requirement to be copied, and select Copy in the context menu that is displayed.
5. Expand the group to which the requirement is to be copied.
6. Right-click the target condition and select Paste on the context menu that is displayed.

Note: For copying requirements, the drag-and-drop mechanism can also be used. Drag the requirement within the source grouping folder while the [Ctrl] key is pressed on the keyboard and drop it to the destination grouping folder.


Moving requirements
Requirements can be moved from one group to another of the same group type. For example, a requirement might be moved from one of the conditions in a System Admin group to a Manager group. Requirements can be moved both within a group definition set and to a group of the same type in another policy.

To move a requirement, do the following steps:
1. In the Grouping pane of the policy window, expand the grouping folder with the requirement to be moved.
2. Right-click the requirement to be moved, and select Cut in the context menu that is displayed.
3. Expand the group to which the requirement is to be moved.
4. Right-click the target condition and select Paste on the context menu that is displayed.

Alternatively, to move a requirement, you can use the drag-and-drop mechanism:
1. In the Grouping pane of the policy window, expand the grouping folder with the requirement to be moved.
2. Expand the target group.
3. Drag the requirement to a condition in another group of the same type.

Deleting requirements
Any requirement of any condition can be deleted at any time.

To delete a requirement, do the following steps:
1. Expand the group to display the group conditions.
2. Expand the condition that contains the requirement to be deleted.
3. Right-click the requirement, and select Delete on the context menu that is displayed.

The requirement is removed.

Note: You can also delete a requirement by pressing the [Delete] key on the keyboard.

Defining and managing policy rules


You can define, edit, delete, hide and show, and import policy rules.

Defining policy rules


Policy rules define which actions can be performed by which people on which systems and at what times. When collected audit data is loaded, Tivoli Compliance Insight Manager marks exceptions, which are actions that do not match any policy rule, and displays them in an Exceptions report in iView. Policy rules are built from the Tivoli Compliance Insight Manager audit categories: Who, What, When, Where, and so on.

Creating policy rules


Policy rules can be created at any time and added to any policy in the Work folder. Policy rules are created by typing group names in one or more category boxes in the Edit Rule dialog. The policy rule is applied by checking events in the collected audit data against the conditions and requirements defined for the group when it was created.

Remember that policy rules define allowed behavior. For example, if, when creating a policy rule, you select Administrators in the Who group and Office hours in the When group, Tivoli Compliance Insight Manager marks events for any member of the Administrators group who generates events outside defined office hours. Marked events represent policy exceptions. If a category lacks an entry, the policy rule is applied to all groups in that category. Thus, in the example given above, any member of a What, Where, On What, Where From, or To Where group can trigger this policy rule.

To create a new policy rule, do the following steps:
1. Right-click anywhere in the Policy Rules pane of the policy window.
2. Select New Rule on the context menu that is displayed. The Edit Rule dialog opens.
3. Type a group name in any of the category fields (Who, What, Where, and so on). Use only already-defined group names, and ensure that groups of the correct type are typed in each category box. For example, type only names of defined Who groups, such as Administrators or Employees, in the Who box. Type only names of defined What groups, such as Access and Login, in the What box.
4. Optionally, type a new policy rule description in the Description box.
5. Click OK to close the Edit Rule dialog. The new policy rule is displayed in the Policy Rules pane.
6. Select Policy > Save from the main menu to save the changes.

Note: Using the Copy and Paste commands in the Edit menu, you can copy a policy rule from a policy and paste it to the destination policy. Alternatively, you can drag a policy rule with the mouse from a source policy and drop it to the destination policy.

Editing policy rules


Policy rules can be edited for any policy in the Work folder. To edit a policy rule for a committed policy, duplicate the policy, change the policy rule, and then commit the policy again. This process creates a new policy in the Committed folder, while retaining the original policy if needed.

To edit a policy rule, do the following steps:
1. In the Policy Rules pane of the policy window, double-click the policy rule to be edited. The Edit Rule dialog opens.
2. Change or add group names in any of the category boxes (Who, What, Where, and so on). Use only already-defined group names, and ensure that groups of the correct type are typed in each category box. For example, type only names of defined Who groups, such as administrators or employees, in the Who box. Type only names of defined What groups, such as access and login, in the What box.
3. Optionally, type a new policy rule description in the Description box.
4. When the policy rule has been changed, click OK to close the Edit Rule dialog. The edited policy rule is displayed in the Policy Rules pane.
5. Click Policy > Save in the menu to save the changes.

Deleting policy rules


Policy rules can be deleted in any policy in the Work folder. To delete a policy rule in a committed policy, duplicate the policy, delete the policy rule, and commit the policy again. This process creates a new policy in the Committed folder, while retaining the original policy if needed.

To delete a policy rule, do the following steps:
1. In the Policy Rules pane of the policy window, right-click the policy rule to be deleted.
2. Select Delete on the context menu that is displayed.

The policy rule is deleted.

Notes:
1. This action can be undone with the Undo command in the Edit menu.
2. You can also delete policy rules by pressing the [Delete] key on the keyboard.

Hiding and showing rules


An effective security policy includes many audit rules. To reduce the number of audit rules shown in the window, individual policy rules and attention rules can be hidden.

To hide policy or attention rules, do the following steps:
1. In the menu, click View > Hidden Rules to clear the command.
2. In the Policy pane or Attention pane of the policy window, right-click the rule to be hidden.
3. Click Hidden on the menu that is displayed.
4. Repeat steps 2 and 3 to hide additional rules.

To view all hidden rules, in the menu click View > Hidden Rules to select the command. All hidden audit rules are shown. Hidden audit rules are displayed with either an unavailable dot or an unavailable alert symbol. To select an audit rule and change it in any way, it must be displayed.

To display previously hidden audit rules, do the following steps:
1. Click View > Hidden Rules to view hidden rules, if they are not already visible.
2. In the Policy pane or Attention pane of the policy window, right-click the rule to be displayed.
3. Click Hidden on the menu that is displayed.
4. Repeat steps 2 and 3 to show additional audit rules.

Importing policy rules


The Policy wizard in iView automatically generates policy rules and attention rules and saves them in a file with a .PCY extension. This file can be imported into any policy in the Work folder, which makes the complete set available for evaluating and committing. Because the imported rules are created from recently collected data, you can respond quickly and easily to changed activities.

To import policy rules, do the following steps:
1. Open the policy into which policy rules are to be imported.
2. In the Rules pane, select either the Policy tab or the Attention tab, whichever kind of rule is to be imported.
3. Right-click any rule and select Import Rules from the context menu.
4. In the Import Policy from iView wizard dialog that is displayed, type or browse to the file to be imported. Note: Files saved using the Policy wizard have a .PCY extension by default.
5. Click OK to import the rules.

Attention: Importing new rules overwrites the existing set of rules.

The newly imported rules are displayed in the Rules pane.

Defining and managing attention rules


You can define, edit, and delete attention rules, and you can set their severity levels.

Defining attention rules


Attention rules define events that are marked for attention, even if the events are allowed by your security policy. Attention rules are created for allowed but high-risk actions, as well as for serious policy exceptions. When audit data is loaded, Tivoli Compliance Insight Manager marks all actions that match an attention rule and displays them in a Special Attention summary in iView. Separating attention data from other audit data focuses attention on the most potentially serious activities, while collecting more typical audit data for trend analysis.

Creating attention rules


Attention rules can be created at any time, for any policy in the Work folder, by typing group names into one or more category fields in the Edit Rule dialog. The attention rule is applied by checking actions against the conditions and requirements that you defined for the group when it was created. Attention rules can cause marking of allowed and disallowed behavior. For example, if, when creating an attention rule, you select Administrators in the Who group and Office Hours in the When group, Tivoli Compliance Insight Manager marks events for any member of the Administrators group who generates events outside defined office hours. Marked events are displayed as attention data. If an entry in one of the categories is not included, the attention rule is applied to all groups in that category.

To create an attention rule, do the following steps:
1. From the Policy Rules pane of the policy window, click the Attention tab.
2. Right-click anywhere in the Attention Rules pane, and select New Rule on the context menu that is displayed. The Edit Rule dialog opens.
3. Type a group name in any of the category boxes (Who, What, Where, and so on). Use only previously defined group names, and ensure that groups of the correct type are typed in each category box. For example, enter only names of defined Who groups, such as administrators or employees, in the Who field. Enter only names of defined What groups, such as access and login, in the What field, and so on.
4. Type a severity for the attention rule in the Severity field. The severity determines which events merit sending an alert message.
5. Optionally, supply an attention rule ID in the ID field. These IDs can be used when alerts are set up.
6. Optionally, supply an attention rule description in the Description field.
7. Click OK to close the Edit Rule dialog. The new attention rule is displayed in the Attention Rules pane.
8. From the main menu, select Policy > Save to save the changes.

Note: Using the Copy and Paste commands in the Edit menu, attention rules can be copied from a policy and pasted to the destination policy. Alternatively, use the mouse to drag an attention rule from a source policy and drop it to the destination policy.

Editing attention rules


Attention rules can be edited for any policy in the Work folder. To edit an attention rule for a committed policy, first duplicate the policy, then change the attention rule, and finally commit the policy again. This process creates a new policy in the Committed folder, while retaining the original policy.

To edit an attention rule, do the following steps:
1. From the Policy Rules pane of the policy window, ensure that the Attention tab is selected.
2. Right-click the attention rule to be changed, and select Edit on the context menu that is displayed. The Edit Rule dialog opens.
3. Add or change group names in any of the category boxes (Who, What, Where, and so on). Use only already-defined group names, and ensure that groups of the correct type are typed in each category box. For example, enter only names of defined Who groups, such as administrators or employees, in the Who field. Enter only names of defined What groups, such as access and login, in the What field.
4. Change the attention rule severity in the Severity box.
5. Optionally, supply an attention rule ID in the ID field. These IDs can be used when setting up alerts.
6. Optionally, supply an attention rule description in the Description box.
7. Click OK to close the Edit Rule dialog. The edited attention rule is displayed in the Attention Rules pane.
8. From the main menu, select Policy > Save to save the changes.

Note: Using the Copy and Paste commands in the Edit menu, you can copy an attention rule from a policy and paste it to the destination policy. Alternatively, you can drag an attention rule with the mouse from a source policy and drop it to the destination policy.


Deleting attention rules


Attention rules can be deleted in any policy in the Work folder. To delete an attention rule in a committed policy, first duplicate the policy, then delete the attention rule, and finally commit the policy again. This process creates a new policy in the Committed folder, while retaining the original policy if necessary.

To delete an attention rule, do the following steps:
1. In the Policy Rules pane of the policy window, click the Attention tab.
2. Right-click the attention rule to be deleted and select Delete on the context menu that is displayed.

The attention rule is deleted. Alternatively, you can delete attention rules by pressing the [Delete] key on the keyboard.

Note: This action can be undone with the Undo command in the Edit menu.

Setting severity levels for attention rules


When alerts are set up, you indicate the severity level at which a message is to be sent. The severity level is set when an attention rule is created. Events whose severity exceeds the limit set here generate an alert.

To set a severity level for an attention rule, do the following steps:
1. In the Policy Rules pane of the policy window, ensure that the Attention tab is selected to display attention rules.
2. Right-click the attention rule for which the severity level is to be set or changed and select Edit from the context menu.
3. In the Severity field, type or change the severity value for this attention rule.
4. Optionally, enter a rule ID in the ID field. This ID can be used when alerts are set up.
5. Optionally, type a rule description in the Description field.
6. Click OK to close the Edit Rule dialog.
7. From the main menu, select Policy > Save to save the changes.
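The group, condition and requirement structure from the group-definition sections above, together with the policy rules and attention rules described in this and the preceding sections, as an added worked example; this is illustration code, not code from the product or from this guide. It assumes a simplified normalized event record whose fields are named after the requirement attributes in the list boxes (Logon name, Event main class, Success class, Platform name, Object path) plus a timestamp; a group is modelled as a list of conditions (any may match), a condition as a list of requirements (all must match), a policy rule as allowed behaviour (an event matching no policy rule is an exception), and an attention rule as a marker with a severity that raises an alert when it exceeds a threshold. The group names, rules, sample events and the threshold value are all constructed for the example.

```python
# Added example, not product code: an executable model of the structure described
# in this chapter. A group is a list of conditions (ANY may match), a condition a
# list of requirements (ALL must match), policy rules name allowed behaviour (an
# event matching no rule is an exception) and attention rules carry a severity.
from dataclasses import dataclass
from datetime import datetime
import ipaddress

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
STRING_OPS = {"Is": lambda a, v: a == v, "Contains": lambda a, v: v in a,
              "Starts with": str.startswith, "Ends with": str.endswith}

@dataclass
class Requirement:
    attribute: str  # first list box, e.g. "Logon name" or "Object path"
    operator: str   # second list box, e.g. "Is", "Starts with", "In group"
    value: object   # third field; a (day, start, end) tuple for When groups

@dataclass
class Rule:
    categories: dict   # category -> group name; an absent category means "any"
    severity: int = 0  # attention rules only
    rule_id: str = ""

def requirement_matches(req, event, groups):
    """Evaluate one requirement bar against one normalized event."""
    if req.attribute == "Event happened from ... to":  # When group requirement
        day, start, end = req.value
        ts = event["timestamp"]
        return DAYS[ts.weekday()] == day and start <= ts.strftime("%H:%M") < end
    if req.operator == "In group":
        return group_matches(groups[req.value], event, groups)
    if req.operator == "Not in group":
        return not group_matches(groups[req.value], event, groups)
    actual = event.get(req.attribute, "")
    if req.operator in STRING_OPS:
        return STRING_OPS[req.operator](actual, req.value)
    if req.operator == "Matches IP address":  # value is a CIDR network
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(req.value)
        except ValueError:  # the attribute value is not an IP address
            return False
    raise ValueError(f"unknown operator {req.operator}")

def group_matches(conditions, event, groups):
    # A group is a list of conditions; each condition is a list of requirements.
    return any(all(requirement_matches(r, event, groups) for r in cond) for cond in conditions)

def rule_matches(rule, event, groups):
    return all(group_matches(groups[g], event, groups) for g in rule.categories.values())

def evaluate(events, groups, policy_rules, attention_rules, alert_threshold):
    """Per event id: is it a policy exception, which attention rules matched,
    and does the highest matching severity exceed the alert threshold."""
    verdicts = {}
    for ev in events:
        allowed = any(rule_matches(r, ev, groups) for r in policy_rules)
        hits = [r for r in attention_rules if rule_matches(r, ev, groups)]
        severity = max((r.severity for r in hits), default=0)
        verdicts[ev["id"]] = {"exception": not allowed,
                              "attention": [r.rule_id for r in hits],
                              "alert": severity > alert_threshold}
    return verdicts

R = Requirement  # short alias for the constructed definitions below
GROUPS = {  # constructed group definition set: name -> list of conditions
    "Administrators": [[R("Logon name", "Starts with", "adm_")], [R("Logon name", "Is", "root")]],
    "Employees": [[R("Logon name", "Not in group", "Administrators")]],
    "Logon": [[R("Event main class", "Is", "Logon")]],
    "Failed logon": [[R("Event main class", "Is", "Logon"), R("Success class", "Is", "Failure")]],
    "Office hours": [[R("Event happened from ... to", "", (d, "09:00", "18:00"))] for d in DAYS[:5]],
    "Finance servers": [[R("Platform name", "Starts with", "fin-")],
                        [R("Platform name", "Matches IP address", "10.20.0.0/16")]],
    "Payroll data": [[R("Object path", "Starts with", "/data/hr/payroll/")]],
}
POLICY_RULES = [  # allowed behaviour
    Rule({"Who": "Administrators", "When": "Office hours"}),
    Rule({"Who": "Employees", "What": "Logon", "When": "Office hours", "Where": "Finance servers"}),
]
ATTENTION_RULES = [
    Rule({"What": "Failed logon", "Where": "Finance servers"}, severity=60, rule_id="ATT-001"),
    Rule({"Where": "Finance servers", "OnWhat": "Payroll data"}, severity=80, rule_id="ATT-002"),
]
ALERT_THRESHOLD = 70

def sample_event(eid, who, main, outcome, where, path, ts):  # constructed event shape
    return {"id": eid, "Logon name": who, "Event main class": main, "Success class": outcome,
            "Platform name": where, "Object path": path, "timestamp": ts}

EVENTS = [  # constructed sample events; 2024-03-12 is a Tuesday, 03-16 a Saturday
    sample_event("e1", "adm_jane", "Logon", "Success", "fin-db01", "", datetime(2024, 3, 12, 10, 0)),
    sample_event("e2", "adm_jane", "Logon", "Success", "fin-db01", "", datetime(2024, 3, 16, 2, 0)),
    sample_event("e3", "bob", "Logon", "Failure", "fin-db01", "", datetime(2024, 3, 13, 11, 0)),
    sample_event("e4", "bob", "Read", "Success", "10.20.5.7", "/data/hr/payroll/q1.xls", datetime(2024, 3, 13, 11, 0)),
]

if __name__ == "__main__":
    for eid, v in evaluate(EVENTS, GROUPS, POLICY_RULES, ATTENTION_RULES, ALERT_THRESHOLD).items():
        print(eid, v)
```

Running the module shows the two behaviours the text describes side by side: e2 (an administrator logon on a Saturday) matches no policy rule and is an exception although no attention rule fires, while e3 (an employee's failed logon in office hours) is allowed by policy yet is marked by ATT-001 with severity 60, below the threshold, so no alert is raised; e4 is both an exception and, through ATT-002 with severity 80, an alert.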

Test and commit policies for auditing


You can create, test, commit, and view auditing policies.

Testing policies
Creating and testing a policy is an iterative task.

To test a policy, do the following steps:
1. In the Policy window, edit the policy and save the changes.
2. Add an event source to a GEM database.
3. Collect and load audit data using the Load Database wizard.
4. Analyze the data to determine whether it answers your security questions.
5. Repeat these steps if you have too much, too little, or the wrong kind of audit data.

In general, expect to repeat this cycle a few times, each iteration refining the data volume and content. When you are certain that the policy includes the necessary groups and rules, commit the edited policy so that Tivoli Compliance Insight Manager can use it when loading audit data on a regular basis.


Committing policies for auditing


Committing a policy, that is, moving it to the Committed folder in the Policy Explorer window, indicates that Tivoli Compliance Insight Manager should follow the rules in that policy when it collects and loads audit data. To commit a policy, do the following steps:
1. In Policy Explorer, open the Work folder.
2. Right-click the policy to be committed, and select Commit on the context menu that is displayed.

The policy is moved from the Work folder to the Committed folder. The most recently committed policy is used to load audit data. If you want to use another policy to load data, use the Load command.

Viewing automatic policies


An automatic policy can be viewed to confirm which policy was used to load a set of audit data that you want to analyze. To view an automatic policy, do the following steps:
1. Ensure that a user information source has collected data according to its schedule.
2. Ensure that a GEM database was loaded with data collected by the corresponding event source.
3. From the Machine, Event Source, or Database view, right-click the GEM database and select View Policy Used on the context menu that is displayed.

The automatically retrieved policy is displayed.


Chapter 17. Managing alerts


Alerts are messages that Tivoli Compliance Insight Manager sends when a serious or potentially harmful security event has occurred. Alerts allow a systems manager or system administrator to respond to the event quickly. The aim of alerts is to draw attention to events that require follow-up, that is, special attention events or events above a defined severity level, such as security policy exceptions. The relevance of events is defined in the security policy. For more information, see Chapter 16, Policy maintenance, on page 89.

Alerts can be generated either for special attention events or for events with a specific severity, such as policy exceptions. These properties are evaluated in the policy evaluation step of the Map/Load process. For more information, see Chapter 5, GEM mapping and W7 normalization, on page 21. The Map/Load process (mapper) sends the alerts. Tivoli Compliance Insight Manager can send alerts through the following protocols:
   SMTP
      Alerts are sent as emails.
   SNMP
      Alerts are sent as SNMP traps.
   Custom
      Alerts are sent through a mechanism invoked with a user-provided program or script.

Sending an alert requires the following steps:
1. Ensure that the security policy includes the necessary rules. For more information, see Creating a policy for alerts.
2. Create alerts and configure their settings to generate specific alerts for events meeting specific criteria. For more information, see Creating alerts and configuring alert settings on page 117.
3. Configure a sending protocol for alerts. For more information, see Protocol settings on page 121.

Creating a policy for alerts


Tivoli Compliance Insight Manager can raise alerts based on two types of criteria:
   Direct positive selection
      Attention rules must be created to define the selection. For more information, see Sending alerts based on direct positive selection on page 114.
   Event severity
      Group significance and policy rules must be specified so that only the right events have a severity above the threshold. For more information, see Sending alerts based on event severity on page 116.


Sending alerts based on direct positive selection


To send alerts based on specific events, create an attention rule that identifies each type of event. Give each attention rule an ID, because the ID is what links the rule to an alert. For more information, see Creating alerts and configuring alert settings on page 117.

Example: Suppose an alert must be sent each time a system update occurs. Such an event can be recognized by its What dimension falling in the System Updates group. Create a special attention rule that qualifies the targeted events as special attention events, as follows:
1. In the Management Console, open the Policy Explorer window by pressing [Ctrl] + [P].
2. Create a new work policy as a duplicate of the latest committed policy: right-click the latest committed policy and select Duplicate in the context menu.
3. Open the newly created work policy in the Policy Editor by double-clicking it.
4. Select the Attention tab.
5. Right-click and select New Rule from the context menu.
6. Specify the W7 rule criteria in the Edit Rule window (Figure 39).

Figure 39. The Edit Rule window

   The criteria are W7 groups. To avoid typing mistakes, type a placeholder now and use drag-and-drop to fill in the groups later. System Update events are recognized by their What dimension, so type a placeholder for the W7 category What. In this example, the placeholder is tbd.
7. Assign a severity, for example 80. For alerts based on direct positive selection, as in this example, the severity has no effect. Alerts can also be based on event severity, however, and in that case the severity assigned to special attention rules is relevant. For more information, see Sending alerts based on event severity on page 116 and Delaying alerts on page 119.
8. Specify an ID for the attention rule so that it can be referenced later in the alert settings. The ID should be a single word consisting of letters (a through z) and digits only. In this example, the ID is sysupsa.
9. Click OK.
10. To fill in any placeholders typed for W7 groups, open the desired grouping (here NT) and drag the group from the Grouping pane onto the placeholder in the Attention Rules pane (Figure 40).

Figure 40. The What dimension of the attention rule before the drag-and-drop

   In the example, open the NT grouping in the Policy pane, select System Updates in the Grouping pane, and drag it onto the placeholder tbd for the What dimension in the Attention Rules pane. Figure 41 on page 116 shows the result.

Figure 41. The What dimension of the attention rule after the drag-and-drop

11. Save the work policy and commit it.

As a result of these actions, any system update produces a special attention event with severity 80 and attention rule ID sysupsa.

Sending alerts based on event severity


Severity-based alerting uses the event severity, the same value that is visible in iView. The event severity is compared with a severity threshold that is defined in the alert settings. The event severity is the highest of the following values:
v If the event is a special attention event, the highest severity of all matching attention rules.
v If the event is a policy exception, the highest significance of all W7 groups to which the event belongs.
v If the event is not a policy exception, the highest significance of all W7 groups to which the event belongs, divided by 10.

When sending alerts based on event severity, the alert channel might be flooded with huge numbers of alerts. Limit this approach to the highest severity levels. Suppose an alert is needed whenever an event of extremely high severity occurs. Because severity ranges from 1 to 99, choose an alerting threshold at the upper end of that range, for example 95. In that case, the policy needs to be modified so that events for which alerts are required receive severity 95 or higher. Events with severity 10 or higher are always special attention or policy exception events. Policy exception events with severity 95 or higher are events where at least one W belongs to a group with significance 95 or higher.

If the security policy already effectively identifies non-standard behavior as exceptions, the only policy change required is to single out the groups for which alerts must be raised when they are involved in a policy exception. These could be groups representing privileged users or especially sensitive data. Set the significance of such groups to 95 or higher to elevate the severity of any policy exception involving them to the level that triggers an alert. Again, be cautious and conservative: raising the significance of many groups to high levels only reduces the ability to distinguish severe events from less severe ones.

Creating alerts and configuring alert settings


Tivoli Compliance Insight Manager sends alerts on the basis of alert settings. The settings specify the circumstances required for sending a specific alert to a specific recipient using a specific protocol. Alerts are created and maintained using the Alert Maintenance window (Figure 42) in the Management Console.

Figure 42. The Alert Maintenance window in the Management Console

Note: Do not forget to click OK to save any changes in the Alert Maintenance window. The changes take effect only after the mapper services are restarted from the Windows Services applet.
To create an alert and configure its settings, do the following steps:
1. Open the Alert Maintenance window by pressing [Ctrl] + [R].
2. Click New below the list of any currently defined alerts. Tivoli Compliance Insight Manager creates an alert with placeholder entries at the bottom of the list.
3. Edit the entries by double-clicking the new alert in the list, or by selecting it and clicking Edit. The Edit Alert Recipient dialog window opens (Figure 43).

Figure 43. Editing the alert recipient

4. In the dialog window, specify the following settings:
   Protocol
      Select the SMTP, SNMP, or Custom delivery protocol for the alert. Other options may be available depending on the protocol settings.
   Recipient
      Type the address to which the alert is sent. What to enter depends on the protocol that you selected:
      v For email alerts, use a single SMTP email address.
      v For SNMP messages, this field is unavailable.
      v For custom alerts, the recipient should be whatever address the custom alert handler expects. For more information, see the section that describes custom alerts.
   Severity
      Specify a threshold for alerts based on event severity. An alert is sent if an event is encountered with severity equal to or higher than the threshold.
      Notes:
      a. When Severity is set to 100, Tivoli Compliance Insight Manager does not send alerts based on event severity. In that case, specify at least one attention rule in the Rule IDs field.
      b. If both the Severity and Rule IDs fields are used, alerts are sent in both cases: for events that meet the severity threshold (alerts based on event severity) and for events that match any of the specified attention rules (alerts based on special attention events).
   Severity-Delay support
      Select this box to reduce the risk of flooding the alert channel with multiple alerts.
   Rule IDs
      Click in this field and use New, Edit, and Delete to manage the attention rule IDs to which this alert applies. Whenever an event matches an attention rule (a special attention event) and an ID listed in this field matches that rule's ID, Tivoli Compliance Insight Manager raises the corresponding alert.

Delaying alerts
When sending alerts based on event severity, the alert channel might be flooded with messages. The number of messages can be reduced by combining multiple messages into one: the first alert message is delayed to see whether more alerts are raised, and if more events occur they are combined with the earlier ones. The delay behavior depends on the protocol:
v A delay is always possible for email alerts. Emails can carry large amounts of data and are read by people, so sending large numbers of individual messages does not make sense.
v A delay is unavailable for SNMP alerts. An SNMP message can only carry a limited amount of information, just enough for a single alert message.
v The delay can be switched on or off for custom alerts, depending on the capabilities and nature of the custom alert handler.

When this feature is enabled, the mapper observes a maximum waiting time while processing events. Once that time is reached for one event, it sends all alerts it has gathered in a single message. The default maximum waiting time is one minute, so enabling this feature delays an alert by at most one minute. You can specify the maximum delay for each protocol and associate it with an event severity range. For more information, see Modifying severity delays on page 127.

Reducing the time between events and alerts


Alerts are generated when events are mapped. Consequently, the time between an event occurring on an audited system and the alert being sent by Tivoli Compliance Insight Manager can be reduced by using a frequent collect schedule in combination with the collect-time mapping mode for the GEM database that receives the collected events.

Example: If the collect schedule is set to every 15 minutes and collect-time mapping is on, events are delivered to the Server within 15 minutes. Mapping time for the collected events varies with the system load and takes about 15 minutes if the load is moderate. As a result, alerts, if any, are generated within 30 minutes after the event has occurred. This time can be reduced further by increasing the collect frequency, at the cost of additional overhead. Collect schedules more frequent than every five minutes are advised only in special cases.

Preventing repeated alerts


An alert is raised only once per event, and only for scheduled loads, not for loads started manually through the Load Now wizard. Sometimes an event source is assigned to two or more GEM databases that are all loaded on schedule. To avoid raising alerts more than once in such cases, you can enable or disable alerting for specific GEM databases. This is done through the mapper configuration file \tcim\Server\run\gensub.ini on the Server. By default, alerting is done for all GEM databases that are loaded on schedule. To disable alerting for a specific GEM database, add the following configuration parameter to the gensub.ini file:
   [Mainmapper.<GEMDB>]
   alerting=no

where <GEMDB> is the name of the GEM database. For example, to disable alerting for GEM database GEM1, leaving it enabled for all other GEM databases that are loaded on schedule, add the following configuration parameter to gensub.ini:
   [Mainmapper.GEM1]
   alerting=no

Alerting can also be disabled for all GEM databases at once, making it possible to enable it for specific GEM databases only. To disable alerting for all GEM databases, add the following configuration parameter to gensub.ini:
   [Mainmapper]
   alerting=no

Alerting can then be enabled for a specific GEM database such as the following example:
   [Mainmapper.<GEMDB>]
   alerting=yes

For example, to disable alerting by default and enable it for GEM database GEM2 only, add the following configuration parameter to gensub.ini:
   [Mainmapper]
   alerting=no

   [Mainmapper.GEM2]
   alerting=yes

Note that even if gensub.ini explicitly specifies that alerting should be performed for a GEM database, it is still done only if the database is loaded on a schedule.
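Before restarting the mapper, it is useful to check which GEM databases will actually raise alerts under the gensub.ini rules above. The following Python script is an added example, not part of the product: it reads a gensub.ini and applies the precedence described in this section (a [Mainmapper.<GEMDB>] section overrides [Mainmapper], and alerting is on when neither sets it). The file content embedded in it is constructed, and treating only the value yes as enabled is an assumption (the guide shows only yes and no).

```python
"""Report the effective alerting setting per GEM database from gensub.ini.

Added example, not product code.  Precedence follows the guide: a
[Mainmapper.<GEMDB>] section overrides the global [Mainmapper] section, and
alerting is enabled when neither section sets it.  Even when enabled,
alerts are raised only for scheduled loads (see the note above)."""
import configparser
from typing import Dict, Iterable

# Constructed sample content; on a real Server read \tcim\Server\run\gensub.ini.
SAMPLE_GENSUB_INI = """
[Mainmapper]
alerting=no

[Mainmapper.GEM2]
alerting=yes

[Mainmapper.GEM3]
alerting = Yes
"""


def parse_gensub(text: str) -> configparser.ConfigParser:
    # INI syntax; option names are matched case-insensitively, section names exactly.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    return cp


def alerting_enabled(cp: configparser.ConfigParser, gemdb: str) -> bool:
    """Per-database section first, then [Mainmapper], then the default (on).
    Assumption: only the value 'yes' (any case) counts as enabled."""
    for section in (f"Mainmapper.{gemdb}", "Mainmapper"):
        if cp.has_option(section, "alerting"):
            value = cp.get(section, "alerting")
            return value is not None and value.strip().lower() == "yes"
    return True


def alerting_report(text: str, gemdbs: Iterable[str]) -> Dict[str, bool]:
    """Map each GEM database name to its effective alerting setting."""
    cp = parse_gensub(text)
    return {db: alerting_enabled(cp, db) for db in gemdbs}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    content = open(path, encoding="utf-8").read() if path else SAMPLE_GENSUB_INI
    dbs = sys.argv[2:] or ["GEM1", "GEM2", "GEM3"]
    for db, on in alerting_report(content, dbs).items():
        print(f"{db}: alerting {'enabled' if on else 'disabled'}")
```

Run it as `python gensub_check.py \tcim\Server\run\gensub.ini GEM1 GEM2` on the Server (file name and location are the reader's choice). With the embedded sample, GEM1 falls back to the global no, while GEM2 and GEM3 are enabled by their own sections.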


Sending alerts for attention severity only


The system can be reconfigured so that severity-based alerting considers only the special attention component of the event severity and ignores the components that are based on group significance. This system-wide setting influences all severity-based alerting and is set in the alert configuration file \tcim\Server\config\alert.ini. To apply the setting, do the following steps:
1. Open the file \tcim\Server\config\alert.ini on the Server.
2. Look for a line starting with attentionalertsonly in the Options section. The default is:

   [Options]
   attentionalertsonly=no

3. To receive severity-based alerts only on the special attention rule severity, change no to yes and save the file.

Note: Restart the EventMapper services in the Windows Services applet for the change to take effect.
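The severity calculation in Sending alerts based on event severity, the Severity and Rule IDs fields of an alert setting, and the attentionalertsonly option above combine into one decision per event. The following Python script is an added example that works through that decision; it is not product code. The events and alert settings are constructed, and the use of integer division for the "divided by 10" component is an assumption.

```python
"""Work through the alert decision rules for one event.

Added example, not product code.  It computes the event severity as the
guide describes (highest of attention-rule severity, group significance
for policy exceptions, group significance / 10 otherwise), then applies
alert settings (Severity threshold, Rule IDs) and the attentionalertsonly
option.  The events and settings are constructed; integer division for the
"divided by 10" component is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Event:
    policy_exception: bool
    group_significance: Dict[str, int]            # W7 group -> significance (1-99)
    attention_matches: Dict[str, int] = field(default_factory=dict)  # rule ID -> rule severity


@dataclass
class AlertSetting:
    name: str
    severity_threshold: int = 100                 # 100 disables severity-based alerting
    rule_ids: List[str] = field(default_factory=list)


def attention_component(ev: Event) -> int:
    return max(ev.attention_matches.values(), default=0)


def significance_component(ev: Event) -> int:
    top = max(ev.group_significance.values(), default=0)
    return top if ev.policy_exception else top // 10


def event_severity(ev: Event) -> int:
    """The severity shown in iView: highest of the components."""
    return max(attention_component(ev), significance_component(ev))


def alerting_severity(ev: Event, attention_alerts_only: bool = False) -> int:
    """Severity used for severity-based alerting; attentionalertsonly=yes
    in alert.ini drops the group-significance component."""
    return attention_component(ev) if attention_alerts_only else event_severity(ev)


def alerts_for(ev: Event, settings: List[AlertSetting],
               attention_alerts_only: bool = False) -> List[str]:
    """Names of the alert settings that fire for this event."""
    sev = alerting_severity(ev, attention_alerts_only)
    fired = []
    for s in settings:
        by_severity = s.severity_threshold < 100 and sev >= s.severity_threshold
        by_rule = any(rid in ev.attention_matches for rid in s.rule_ids)
        if by_severity or by_rule:
            fired.append(s.name)
    return fired


# Constructed events.  EV_SYSUPDATE mirrors the sysupsa example of this chapter.
EV_SYSUPDATE = Event(False, {"System Updates": 50, "Workstations": 10}, {"sysupsa": 80})
EV_PRIV_EXCEPTION = Event(True, {"Privileged Users": 95, "Workstations": 10})
EV_ROUTINE = Event(False, {"Users": 10, "Office Hours": 10})

# Constructed alert settings, as they would be entered in Alert Maintenance.
ALERT_SETTINGS = [
    AlertSetting("critical-by-severity", severity_threshold=95),
    AlertSetting("system-updates", rule_ids=["sysupsa"]),   # threshold left at 100
    AlertSetting("broad", severity_threshold=50, rule_ids=["sysupsa"]),
]

if __name__ == "__main__":
    for name, ev in [("sysupdate", EV_SYSUPDATE),
                     ("priv-exception", EV_PRIV_EXCEPTION),
                     ("routine", EV_ROUTINE)]:
        print(f"{name}: severity={event_severity(ev)} "
              f"alerts={alerts_for(ev, ALERT_SETTINGS)} "
              f"attention-only={alerts_for(ev, ALERT_SETTINGS, attention_alerts_only=True)}")
```

The routine event lands at severity 1 because its best group significance is 10 and it is not an exception, which is why the guide can say that anything at severity 10 or above is a special attention or policy exception event. With attentionalertsonly=yes, the privileged-user exception no longer reaches the 95 threshold, since only the attention-rule component is considered.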

Protocol settings
After one or more alerts are specified, you must configure the protocols in use. Protocol settings apply to all alerts that are sent using the same protocol. To configure protocol settings, do the following steps:
1. In the Management Console, open the Alert Maintenance window by pressing [Ctrl] + [R].
2. In the Alert Maintenance window, select an alert and click Protocol Settings.

The Protocol Settings dialog that is displayed depends on the protocol, that is, SMTP (email), SNMP, or Custom. Each protocol has specifics that must be considered. For details about configuring the protocols, see the following sections.

SMTP
If the SMTP (Email) protocol is used, after performing steps 1 and 2 as in Protocol settings, the Protocol Settings dialog is displayed as follows (Figure 44 on page 122):


Figure 44. General protocol settings dialog for the Email protocol

To configure the settings, do the following steps:
1. Check that the General tab of the dialog is active and fill in the following text fields:
   Host
      Type the DNS hostname or IP address of the SMTP email server that forwards the messages.
   From
      Type the SMTP email address of the sender. This is generally the email address of the Tivoli Compliance Insight Manager administrator.
   Reply to
      Type the SMTP email address to which recipients can reply, if it differs from the From address. For example, it might be necessary to route replies to a mailbox that all administrators can access.
2. Click OK to save the change.

Notes:
1. The SMTP server must be properly configured. Most SMTP servers filter by IP address; ensure that the IP address of the Tivoli Compliance Insight Manager Server is allowed to relay through the SMTP server.
2. If you must distribute alerts to several recipients, set up a distribution list alias on the SMTP server so that the Server sends only a single alert to the SMTP server, which then distributes it to all recipients.

SNMP
If the SNMP protocol is used, after performing steps 1 and 2 as in Protocol settings, the Protocol Settings dialog is displayed (Figure 45 on page 123):


Figure 45. Protocol Settings dialog for the SNMP protocol

To configure the settings, complete the following text fields:
   Address
      Enter the DNS hostname or IP address of the SNMP device or application that receives the alerts.
   Port
      Enter the UDP port on which the SNMP receiver listens. Trap receivers conventionally listen on port 162 (port 161 is the port on which SNMP agents answer queries); use the port that your receiver is actually configured for.

Notes:
1. SNMP traps are sent over UDP, so there is no confirmation that a message actually arrived at the receiving device. To maximize reliability, the network often needs to be configured for SNMP traffic. Consult your network administrator about network configuration.
2. SNMP receivers are configured using a MIB file that defines the SNMP message format. The MIB for the alert format sent by Tivoli Compliance Insight Manager is at \tcim\Server\mib\alert.mib.

Custom
With the Custom protocol, alerts can be forwarded to virtually any device or application using any protocol. To achieve this, you must obtain or create a protocol handler, such as a batch file or a Win32 executable. The custom protocol handler is started by the mapper whenever a set of custom alerts must be sent. If the severity delay feature is not used, the custom protocol handler is started separately for every custom alert. If the severity delay feature is used, the handler is started when the maximum wait time has passed, combining multiple custom alerts in a single run. After performing steps 1 and 2 as in Protocol settings on page 121, the Protocol Settings dialog is displayed (Figure 46 on page 124):


Figure 46. Protocol Settings dialog for the Custom protocol

To configure the settings, complete the Execute field by typing the command line that invokes the handler. You can use an absolute path to the executable, or a path relative to the \tcim\Server\run folder. Any command line parameters that the handler requires can be specified, as well as three placeholders that are replaced with actual values when the alert handler is started:
v <recipient> is replaced with the recipient from the Recipient field of the alert. The handler can use this parameter to route the message.
v <eventfile> is replaced with the path to a temporary file with event data. The event file makes the payload of the message available to the handler. For more information, see Event File parameters.
v <summary> is replaced with a text summary of the events the alert reports on, passed directly on the command line. The summary is composed of the following items (in singular form when a single attention is reported):

   nn Attentions occurred. Maximum Severity: ss. Broken Attention Rules: <rule1>, <rule2>, ..., <rulen>.

Event File parameters


The eventfile parameter specifies the pathname of a file containing details of the events on which an alert reports. The file is prepared by the mapper and is located in the temporary folder of the user environment that is active for both the mapper processes and the alert handler, that is, the Server OS run account. After the alert handler returns, the mapper deletes the event file. The first line of the file contains the field name headers; each remaining line represents one GEM event. The encoding of the event file is UTF-8, and tabs separate the fields. Table 3 shows and describes the fields.
Table 3. Fields of the Event File parameter

EventSeverity
   Content: The event severity as listed in iView.
   Format / valid values: A decimal integer in the range 1-99.
EventCount
   Content: The number of source records represented by the event.
   Format / valid values: A positive decimal integer.
When
   Content: The event time stamp.
   Format / valid values: Non-empty string with format: dow mon dd hh:mm:ss zzz yyyy.
WhenGroups
   Content: A list of all When groups to which the event belongs.
   Format / valid values: Non-empty string. String format: [groupname1: groupsignificance1, ..., groupnameN: groupsignificanceN]
WhatVerb
   Content: Event main class: the first part of the What as listed in iView.
   Format / valid values: Non-empty string.
WhatNoun
   Content: Event class: the middle part of the What as listed in iView.
   Format / valid values: Non-empty string.
WhatSuccess
   Content: Success class: the third part of the What as listed in iView.
   Format / valid values: Non-empty string, usually success or failure.
WhatGroups
   Content: A list of all What groups to which the event belongs.
   Format / valid values: The same as WhenGroups.
WhereType
   Content: The platform type from the event Where.
   Format / valid values: Non-empty string.
WhereName
   Content: The platform name from the event Where.
   Format / valid values: Non-empty string.
WhereGroups
   Content: A list of all Where groups to which the event belongs.
   Format / valid values: The same as WhenGroups.
WhoRealname
   Content: The person name for the event Who.
   Format / valid values: Non-empty string.
WhoLogonname
   Content: The logon ID for the event Who.
   Format / valid values: Non-empty string.
WhoGroups
   Content: A list of all Who groups to which the event belongs.
   Format / valid values: The same as WhenGroups.
WherefromType
   Content: The platform type from the event Wherefrom.
   Format / valid values: Non-empty string.
WherefromName
   Content: The platform name from the event Wherefrom.
   Format / valid values: Non-empty string.
WherefromGroups
   Content: A list of all Wherefrom groups to which the event belongs.
   Format / valid values: The same as WhenGroups.
OnwhatType
   Content: The left part of the OnWhat from the event as listed in iView.
   Format / valid values: Non-empty string.
OnwhatPath
   Content: The middle part of the OnWhat from the event as listed in iView.
   Format / valid values: Non-empty string.
OnwhatName
   Content: The right part of the OnWhat from the event as listed in iView.
   Format / valid values: Non-empty string.
OnwhatGroups
   Content: A list of all OnWhat groups to which the event belongs.
   Format / valid values: The same as WhenGroups.
WheretoType
   Content: The platform type from the event Whereto.
   Format / valid values: Non-empty string.
WheretoName
   Content: The platform name from the event Whereto.
   Format / valid values: Non-empty string.
WheretoGroups
   Content: A list of all Whereto groups to which the event belongs.
   Format / valid values: The same as WhenGroups.
RuleIDs
   Content: A list of the IDs of all attention rules that match this event.
   Format / valid values: Non-empty string. String format: [element1, ..., elementN], N >= 0.

Creating an alert handler


An alert handler can be created in any programming language or technology, as long as it can be executed from the command line and can access the parameters passed on that command line. The handler is called by the mapper when it determines that an alert should be sent. The command environment and security context are inherited from the Server run (OS) account. The initial current directory is the \tcim\Server\run folder. The following sample alert handler is implemented as a batch file:
   @echo off
   rem sdalert.bat sample alert handler batch script
   rem
   rem this script copies the command line parameters
   rem passed by the main mapper as well as the temporary
   rem file containing event details to the file sdalert.log
   rem
   rem The alert handler is called directly from java.
   rem There is no dos box and no output to standard devices
   rem should be generated.
   rem If output is sent to stdout or stderr, the process
   rem will halt, as well as the main mapper and the database
   rem load fails.
   rem
   c:>nul:
   cd \>nul:
   echo.|time>>sdalert.log 2>nul:
   echo Recipient>>sdalert.log 2>nul:
   echo %1>>sdalert.log 2>nul:
   echo Summary>>sdalert.log 2>nul:
   echo %2>>sdalert.log 2>nul:
   echo Eventfile>>sdalert.log 2>nul:
   echo %3>>sdalert.log 2>nul:
   copy /b sdalert.log+%3 sdalert.log>nul: 2>&1

To run the sample, save the code to a batch file called c:\sdalert.bat and use the following command line in the protocol settings window:
c:\sdalert.bat <recipient> <summary> <eventfile>

The sample writes its output to a file called sdalert.log, as in the following example. The last two lines are each a single tab-separated line, wrapped here for readability, in the field order of Table 3:

   The current time is: 15:08:23.91
   Enter the new time:
   Recipient
   anyone@example.com
   Summary
   "Attention occurred. Severity: 80. Broken Attention Rule: sysupsa."
   Eventfile
   C:\DOCUME~1\CEAROO~1.CRM\LOCALS~1\Temp\cstalert44756.tmp
   Severity EventCount When WhenGroups WhatVerb WhatNoun WhatSuccess WhatGroups WhereType WhereName WhereGroups WhoRealname WhoLogonname WhoGroups WherefromType WherefromName WherefromGroups OnwhatType OnwhatPath OnwhatName OnwhatGroups WheretoType WheretoName WheretoGroups RuleIDs
   80 1 Wed May 07 15:04:44 CEST 2003 [Office Hours:10] Use Privilege Failure [System Updates:50] Windows SATURN [Workstations:10] John Emerson SATURN\JOHN [Users:10] [Workstations:10] SATURN [Workstations:10] AUDITPOLICY . Audit Policy [Other Objects:10] Windows SATURN [Other Platforms:10] [sysupsa]

The output shows the current time, the recipient, the event summary, and the event file pathname, which lies in the temp folder of the OS user that is the Tivoli Compliance Insight Manager run account. The event file is a temporary file that is deleted after the handler exits, so a handler that needs the data later must copy it, as the sample handler does before forwarding it. In the sample output, the contents of the event file begin with the line that starts with Severity.

Note: The alert handler is called directly from a Java process. It does not run in a DOS window, and it must not write to the standard devices. If output is sent to stdout or stderr, the handler process halts, the main mapper halts with it, and the database load fails. Therefore, the sample redirects all output, for both stdout and stderr (2), either to the output file or to the null device.
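A handler that only appends the raw event file is of limited use to an on-call responder. The following Python script is an added alternative to the batch sample above, not the product's own handler: it parses the summary and the tab-separated event file described in Table 3 and appends one structured line per event to a log file, taking care never to write to stdout or stderr. The log path, the command line, and the handling of exit codes are assumptions; the embedded event file is constructed from the sample output above (with WherefromType taken as Windows).

```python
"""Custom alert handler: parse the mapper's summary and event file, log them.

Added example, not the product's own handler.  The mapper invokes it with
the placeholders <recipient> <summary> <eventfile>; the event file is UTF-8,
tab separated, first line field names (Table 3).  Per the guide, nothing
may reach stdout or stderr, so all output goes to LOG_PATH (an assumption)."""
import sys
import traceback
from typing import Dict, List

LOG_PATH = r"C:\tcim\Server\run\alert_handler.log"   # assumption: writable by the run account

# Constructed event file, built from the sample output above (WherefromType
# taken as Windows).  Fields are joined with real tabs.
_HEADER = ("EventSeverity EventCount When WhenGroups WhatVerb WhatNoun WhatSuccess "
           "WhatGroups WhereType WhereName WhereGroups WhoRealname WhoLogonname WhoGroups "
           "WherefromType WherefromName WherefromGroups OnwhatType OnwhatPath OnwhatName "
           "OnwhatGroups WheretoType WheretoName WheretoGroups RuleIDs").split()
_ROW = ["80", "1", "Wed May 07 15:04:44 CEST 2003", "[Office Hours:10]", "Use",
        "Privilege", "Failure", "[System Updates:50]", "Windows", "SATURN",
        "[Workstations:10]", "John Emerson", r"SATURN\JOHN", "[Users:10]", "Windows",
        "SATURN", "[Workstations:10]", "AUDITPOLICY", ".", "Audit Policy",
        "[Other Objects:10]", "Windows", "SATURN", "[Other Platforms:10]", "[sysupsa]"]
SAMPLE_EVENT_FILE = "\t".join(_HEADER) + "\n" + "\t".join(_ROW) + "\n"


def parse_event_file(text: str) -> List[Dict[str, str]]:
    """One dict per GEM event, keyed by the header names; blank lines skipped."""
    lines = text.splitlines()
    if not lines:
        return []
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:] if ln.strip()]


def parse_group_list(value: str) -> Dict[str, int]:
    """'[Office Hours:10, System Updates:50]' -> {'Office Hours': 10, ...}."""
    groups = {}
    for item in value.strip().strip("[]").split(","):
        name, sep, sig = item.strip().rpartition(":")
        if sep:
            groups[name.strip()] = int(sig) if sig.strip().isdigit() else 0
        elif item.strip():
            groups[item.strip()] = 0
    return groups


def parse_id_list(value: str) -> List[str]:
    """'[sysupsa, other]' -> ['sysupsa', 'other']; '[]' -> []."""
    return [x.strip() for x in value.strip().strip("[]").split(",") if x.strip()]


def format_event(ev: Dict[str, str]) -> str:
    # Table 3 names the field EventSeverity; the sample log above shows Severity.
    sev = ev.get("EventSeverity", ev.get("Severity", "?"))
    what = " ".join(ev.get(k, "") for k in ("WhatVerb", "WhatNoun", "WhatSuccess"))
    rules = ",".join(parse_id_list(ev.get("RuleIDs", ""))) or "-"
    top = max(parse_group_list(ev.get("WhatGroups", "")).items(),
              key=lambda kv: kv[1], default=("-", 0))
    return (f"sev={sev} count={ev.get('EventCount', '')} when={ev.get('When', '')!r} "
            f"who={ev.get('WhoLogonname', '')} where={ev.get('WhereName', '')} "
            f"what={what!r} onwhat={ev.get('OnwhatName', '')!r} "
            f"whatgroup={top[0]}:{top[1]} rules={rules}")


def handle(recipient: str, summary: str, event_text: str) -> List[str]:
    """Log lines for one invocation: a header line, then one line per event."""
    lines = [f"ALERT to={recipient} summary={summary!r}"]
    lines += ["  " + format_event(ev) for ev in parse_event_file(event_text)]
    return lines


def main(argv: List[str]) -> int:
    try:
        recipient, summary, event_path = argv[1], argv[2], argv[3]
        with open(event_path, encoding="utf-8-sig") as fh:  # tolerate a UTF-8 BOM
            text = fh.read()
        with open(LOG_PATH, "a", encoding="utf-8") as log:
            log.write("\n".join(handle(recipient, summary, text)) + "\n")
        return 0
    except Exception:
        # Never let a traceback reach stderr: that would halt the mapper.
        try:
            with open(LOG_PATH, "a", encoding="utf-8") as log:
                log.write("HANDLER ERROR\n" + traceback.format_exc())
        except OSError:
            pass
        return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use it, the Execute field would contain something like `python C:\tcim\handlers\tcim_alert.py <recipient> <summary> <eventfile>` (path assumed); the interpreter and the log directory must be accessible to the Server run account, because the mapper starts the handler in that account's context. Copying the data out of the event file before returning matters for the same reason as in the batch sample: the mapper deletes the temporary file as soon as the handler exits.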

Modifying severity delays


The SMTP (Email) and Custom protocols have a setting for modifying the delays used by the Severity Delay feature. Different delays can be specified for any number of severity ranges; typically, shorter delays are used for higher severities. To modify a severity delay, do the following steps:
1. Perform steps 1 and 2 as in Protocol settings on page 121.
2. In the Protocol Settings dialog, click the Delay tab. The dialog is displayed as in Figure 47 on page 128.


Figure 47. Protocol Settings dialog with the active Delay tab

3. Use the range menu to specify a severity range between 1 and 99. Alternatively, select a value in the menu and type the one that is required.
4. In the Delay list box, select the number of minutes by which alerts in the severity range are delayed.
5. Click Add.
6. Repeat steps 3 to 5 for each severity range and delay that needs to be set. Click OK when finished.


Chapter 18. Using the Policy Generator


This section introduces the Tivoli Compliance Insight Manager security policy creation application, Policy Generator, and outlines its basic features. Policy Generator is a Web-based application designed to solve the problem of creating an initial Tivoli Compliance Insight Manager security policy.

Overview
You can use Policy Generator to create a first working security policy easily. It takes a set of collected data in a database as its starting point and guides you through a graphical wizard that is easy to use and understand. Working security policies are created automatically from the event data captured by event sources and from knowledge built into the tool about the known acceptable behavior of the platform families contained in that data. Policy Generator is provided per Tivoli Compliance Insight Manager instance and is installed by the iView 8.5 installation program.

The Policy Generator user interface


The Portal Logon page is the entry point to Policy Generator. You must log in to the Portal before you are given access to Policy Generator. For details about logging on to the Portal, refer to Chapter 20. To open Policy Generator, click Policy Generator in the IBM Tivoli Compliance Insight Manager section of the main pane of the Portal Overview. The user interface of Policy Generator consists of the following main windows:
   Entry window
      In this window, you enter the name of the security policy to be created. The window provides Next to proceed with policy creation, Cancel to end, and Online Help to obtain information about this step.
   Database selection window
      In this window, you select a suitable database on which to base the security policy. Use Next to proceed with policy creation, Cancel to end, and Online Help to obtain further information about this step.
   Loading window
      In this window, you test the newly created policy. Use Load to carry out a load with the policy, Finish to exit, and Online Help to obtain information about this step.

Entry window
When Policy Generator opens successfully, the entry window is displayed (Figure 48 on page 130). In the Policy name field, enter a name for the security policy to be created, and click Next. On the subsequent windows of Policy Generator, follow the instructions that are available in the Online Help. To cancel creating a policy, click Cancel.

Figure 48. Entry window of the Policy Generator

Online Help system


Policy Generator includes an online help system that gives detailed information about each step of security policy creation. To open it, click Online Help in the browser window. An example of an online help message is shown in Policy Generator users. The help system lets you create policies easily, based on the collected data in the selected database.

Policy Generator users


The two types of Policy Generator users are the Tivoli Compliance Insight Manager administrator, which is created during installation, and the normal user. All users except the administrator are normal users of Policy Generator. A normal user must be an auditor who owns at least one of the top-level Scoping groups, or Scoping must be disabled for the Tivoli Compliance Insight Manager server installation. Refer to Chapter 19, Scoping data, on page 131 for details.


Chapter 19. Scoping data


This section introduces you to the Tivoli Compliance Insight Manager Scoping application and outlines its basic features.

Purpose
Scoping is a Web-based application that controls access to information in the iView reports.

Overview
Scoping is done per Tivoli Compliance Insight Manager instance. Users within the Scoping application own Who, onWhat and Where groups. iView shows a user only information about events that are associated with groups that the user owns. You can use the user interface of the Scoping application to configure Scoping on a Server using a Web browser. You can either manage the Scoping configuration information for Scoping items or enable or disable the functionality.

Structure of Scoping configuration


Scoping configuration includes the following types of entities:

Scoping groups
    Have a name and a dimension and contain zero or more group members, group assets, or child groups. Additionally, each Scoping group has one parent Scoping group, except for the root group.

Scoping group members
    Associate Tivoli Compliance Insight Manager users with scoping groups using their user names, and indicate whether a user is an administrator for a scoping group.

Scoping group assets
    Associate Tivoli Compliance Insight Manager groups with Scoping asset groups.

Global Scoping enabled or disabled flag
    Indicates whether Scoping is enabled for the Tivoli Compliance Insight Manager instance.

Data structure of Scoping configuration


In the data structure of Scoping configuration, only one global enabled or disabled flag exists: the Scoping functionality is turned on or off for the entire instance of the Server. Each Scoping group has either a Who, onWhat, or Where Scoping dimension, and in each dimension there is always exactly one Scoping group without a parent Scoping group (the root Scoping group for that dimension). The root scoping group for the Who dimension is always named HR Default Owner. The root scoping groups for the onWhat and Where dimensions are always named IT. All other scoping groups always have one and only one parent scoping group in the same dimension. A group in a dimension can be an asset only in a scoping group in the hierarchy for that dimension. A group might not be assigned as an asset for any scoping group. In that case, the Tivoli Compliance Insight Manager group is an asset in the root scoping group for the hierarchy of the corresponding dimension. A user can be a member of multiple scoping groups in any or all of the hierarchies. Any membership of a user in a scoping group can be marked as an administrator.

Asset ownership rules


The following rules govern asset ownership:
- If an asset is associated with a specific scoping group, that scoping group explicitly owns that asset.
- A scoping group implicitly owns all assets that its child scoping groups implicitly or explicitly own.
- If a user is a member of a scoping group, that user owns all assets that are explicitly or implicitly owned by that scoping group (that is, the assets owned by the scoping group and all its descendants).
These ownership rules show that the root scoping group for a hierarchy owns all assets in that dimension.
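The data structure and the ownership rules above, worked through as an added example (not product code): one root group per dimension, unassigned groups falling to the root, explicit and implicit ownership, and the administrator and visibility checks that the later operations rely on. The group, user and asset names in build_example are constructed for the example; cifowner is the typical administrator name the page gives.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Root scoping group names are fixed by the product for each dimension.
ROOT_NAMES = {"Who": "HR Default Owner", "onWhat": "IT", "Where": "IT"}
ADMIN_USER = "cifowner"  # administrator created at installation (typical name per the page)


@dataclass
class ScopingGroup:
    name: str
    parent: ScopingGroup | None = field(default=None, repr=False)
    children: list[ScopingGroup] = field(default_factory=list)
    members: dict[str, bool] = field(default_factory=dict)  # username -> admin flag
    assets: set[str] = field(default_factory=set)            # TCIM group names

    def ancestors_and_self(self):
        group = self
        while group is not None:
            yield group
            group = group.parent

    def descendants_and_self(self):
        yield self
        for child in self.children:
            yield from child.descendants_and_self()


class ScopingDimension:
    """Scoping hierarchy for one dimension (Who, onWhat or Where)."""

    def __init__(self, dimension: str, tcim_groups: set[str]):
        self.root = ScopingGroup(ROOT_NAMES[dimension])
        self.root.members[ADMIN_USER] = True  # the administrator is always in every root
        self.groups = {self.root.name: self.root}
        self.tcim_groups = set(tcim_groups)   # groups present in the GEM/aggregation databases

    # Administrator of the group itself or of any ancestor (root membership covers all).
    def is_admin_of(self, user: str, group: ScopingGroup) -> bool:
        return any(g.members.get(user, False) for g in group.ancestors_and_self())

    # A member of the group, or of one of its ancestors, may see it.
    def can_view(self, user: str, group: ScopingGroup) -> bool:
        return any(user in g.members for g in group.ancestors_and_self())

    def add_group(self, actor: str, parent_name: str, name: str) -> ScopingGroup:
        parent = self.groups[parent_name]
        if not self.is_admin_of(actor, parent):
            raise PermissionError(f"{actor} is not an administrator of an ancestor of {name!r}")
        if not name.strip():
            raise ValueError("scoping group name is empty")
        if name in self.groups:
            raise ValueError(f"scoping group {name!r} already exists in this dimension")
        group = ScopingGroup(name, parent)
        parent.children.append(group)
        self.groups[name] = group
        return group

    def add_member(self, actor: str, group_name: str, user: str, admin: bool = False) -> None:
        group = self.groups[group_name]
        if not self.is_admin_of(actor, group):
            raise PermissionError(f"{actor} may not add members to {group_name!r}")
        group.members[user] = admin

    def move_asset(self, actor: str, tcim_group: str, dest_name: str) -> None:
        # An asset with no entry counts as an asset of the root, so moving it needs root rights.
        dest = self.groups[dest_name]
        source = next((g for g in self.groups.values() if tcim_group in g.assets), self.root)
        if not (self.is_admin_of(actor, source) and self.is_admin_of(actor, dest)):
            raise PermissionError(f"{actor} may not move {tcim_group!r} to {dest_name!r}")
        source.assets.discard(tcim_group)
        dest.assets.add(tcim_group)

    # Ownership rules from the page.
    def unassigned(self) -> set[str]:
        assigned = set().union(*(g.assets for g in self.groups.values()))
        return self.tcim_groups - assigned

    def explicit_assets(self, group: ScopingGroup) -> set[str]:
        assets = set(group.assets)
        if group is self.root:
            assets |= self.unassigned()  # groups with no asset entry fall to the root
        return assets

    def implicit_assets(self, group: ScopingGroup) -> set[str]:
        return set().union(*(self.explicit_assets(g) for g in group.descendants_and_self()))

    def owned_by(self, user: str) -> set[str]:
        return set().union(*(self.implicit_assets(g) for g in self.groups.values() if user in g.members))


def build_example() -> ScopingDimension:
    """Constructed Who hierarchy; group and user names are made up for this example."""
    dim = ScopingDimension("Who", {"Finance", "HR", "Contractors", "Admins"})
    dim.add_group(ADMIN_USER, "HR Default Owner", "Finance Owners")
    dim.add_member(ADMIN_USER, "Finance Owners", "alice", admin=True)
    dim.add_group("alice", "Finance Owners", "Finance Juniors")
    dim.add_member("alice", "Finance Juniors", "bob")
    dim.move_asset(ADMIN_USER, "HR", "Finance Owners")
    dim.move_asset(ADMIN_USER, "Finance", "Finance Juniors")
    return dim
```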

Users of Scoping application


The two types of users for the Scoping application are the Tivoli Compliance Insight Manager administrator, a user created during the installation, typically with the username cifowner, and the normal user. All users except the administrator are normal users for Scoping.

Tivoli Compliance Insight Manager administrator


The administrator is always a member of the root scoping group of each hierarchy, and thus always owns all groups in all hierarchies. The administrator can view and alter the whole scoping configuration and enable and disable scoping. The administrator knows how many groups are not assigned as assets for each dimension.

Normal users
Normal users can view only scoping configuration information associated with scoping groups they own. As a normal user, you can view information about a scoping group and its assets and members if you are a member of that scoping group or a member of a scoping group that is an ancestor (parent, grandparent, and so on) of that scoping group. Normal users can also be set as administrators for a scoping group of which they are members. When a normal user is an administrator of a scoping group, that user can change the scoping configuration for that group and all descending scoping groups.

Logging into the Scoping user interface


There are two ways to access the Scoping user interface. One way to access the Scoping interface is to log into the Tivoli Compliance Insight Manager Portal and click the Scoping link. The Scoping login page displays, and you can enter your username and password and click Submit to open the Scoping application.

The Portal is the main entry point to the Tivoli Compliance Insight Manager Web-based applications. For more information about logging into the Portal, see Chapter 20, Using the Portal, on page 145. The other way to access the Scoping interface is to enter the URL http://server_ip_address/scoping into your web browser, where server_ip_address is the IP address for the Tivoli Compliance Insight Manager Web-based applications. The Scoping login page displays, and you can enter your username and password and click Submit to open the Scoping application. If you cannot successfully log into the Scoping application, you may not have permission to access the Scoping application. See your Tivoli Compliance Insight Manager administrator regarding permissions.
Note: If you do not execute any action for a period of 10 minutes or more, you are automatically logged out of the Scoping application.

Using the Scoping user interface


The user interface of the Scoping application consists of two main windows. The entry window provides general information and links to functions that you can access. The scoping group hierarchy window for a dimension helps you view and change scoping groups, scoping group assets, and scoping group members.

Overview page
The Overview page provides access to the scoping group hierarchy for each of the dimensions (Who, onWhat, and Where) that are covered by Scoping. If you are logged in as the Tivoli Compliance Insight Manager administrator, you can also see the number of groups in the Who, onWhat, and Where dimensions that are not assigned as scoping group assets. The Overview page also allows the Scoping functionality to be enabled or disabled. Only the Tivoli Compliance Insight Manager administrator can enable or disable Scoping.

Who, onWhat, and Where dimension pages


The Who, onWhat, and Where dimension pages show the scoping hierarchy for the respective dimension and enable you to see all scoping groups that you own and all scoping group assets and scoping group members for those groups. Normal users (that is, users who are not Tivoli Compliance Insight Manager administrators) can only see the contents of the corresponding scoping group and its descending scoping groups. If you have administrator rights for a scoping group, you can also make the following modifications to your corresponding scoping groups:
- Add a new scoping group under that group, add a new scoping group member, or remove or rename the scoping group
- Remove a scoping group member and set or unset the administrator flag for this member in the corresponding scoping group
- Move the assets to another scoping group

Terminology
Table 4 shows data scoping terms and descriptions.
Table 4. Data scoping terminology

Scoping groups that you can control
    All scoping groups in which a Tivoli Compliance Insight Manager user is a member and all their descendant groups.

Tivoli Compliance Insight Manager Administrator
    The administrator user created during installation, typically having the username cifowner.

Normal user
    A Tivoli Compliance Insight Manager user other than the administrator.

Dimension
    One of the W7 (Who, What, When, Where, onWhat, from What, Where to) properties defined in Tivoli Compliance Insight Manager for events.

Asset group
    A Tivoli Compliance Insight Manager group on the Who, Where or onWhat dimensions.

Using Scoping
This section provides you with detailed instructions about using features of the Scoping application.

Determining the number of unassigned assets


On the entry page (Figure 49 on page 135) is a count of the number of unassigned assets for each dimension. This number represents Tivoli Compliance Insight Manager groups in that dimension that do not have a scoping group asset entry.


Figure 49. Determining the number of unassigned assets (outlined in red)

Note: This functionality is available to the Tivoli Compliance Insight Manager administrator user only.

Determining the status of scoping


On the entry page, if scoping is enabled, you can see Disable Scoping. If scoping is disabled, you can see Enable Scoping.

Enabling and disabling scoping


To enable scoping, use the following steps:
1. On the entry page, click Enable Scoping.
2. On the Confirm Status Change page (Figure 50 on page 136), click Start to enable scoping or Cancel to end your operation.


Figure 50. Confirming the status change page for scoping

If you clicked Start, the Changing Scoping Status page is displayed. Wait until the change of the scoping status is complete. To disable scoping, click Disable Scoping and then proceed in the same way as in the preceding steps.
Note: This functionality is only available to the Tivoli Compliance Insight Manager administrator user.

Viewing scoping information for dimension


On the entry page, you can select the page where scoping information for a given dimension is displayed by clicking in the appropriate bar. Also, from any page except the login page, if you click one of the dimension icons Who, onWhat and Where on the top toolbar, the scoping information page for that dimension is displayed. The scoping hierarchy window for a dimension shows information for each scoping group that you can see, in the form of a tree structure (see Figure 51 on page 137).


Figure 51. Viewing scoping information for the Who dimension

You can see only those scoping groups in which you are a member, and all their descendants. For each scoping group, this window shows the scoping group name, all scoping group members, all scoping group assets, and all child scoping groups. For each scoping group member, this window shows the username for the user associated with this scoping group member entry. If the user is an administrator of this scoping group, the Admin Rights check box is also selected. For each scoping group asset, this window displays the name of the Tivoli Compliance Insight Manager group in the dimension for this hierarchy that corresponds to this scoping group asset.

Adding a new scoping group


From the scoping hierarchy window for a dimension, you can use the following steps to add a new scoping group:
1. Click Add new scoping group on the name bar of a scoping group.
2. Type the name for the new scoping group when requested.
In the hierarchy of the corresponding dimension, the newly created scoping group is displayed as a child of the parent scoping group. This operation can fail for any of the following reasons:
- You are not an administrator of any ancestor scoping group for the new scoping group.
- The new name for the scoping group is empty or consists entirely of spaces.
- A scoping group with the same name already exists in the same dimension.

Renaming a scoping group


From the scoping hierarchy window for a dimension, you can use the following steps to rename a scoping group:
1. Click Edit on the name bar of the scoping group.
2. Type the new name for the scoping group when requested.
In the hierarchy of the corresponding dimension, the name of the scoping group is changed to the new one. This operation can fail for any of the following reasons:
- You are not an administrator of the scoping group whose name is to be changed, or of any ancestor scoping group of it.
- The new name for the scoping group is empty or consists entirely of spaces.
- A scoping group with the same name already exists in the same dimension.
- The scoping group is the root scoping group for a dimension.

Removing a scoping group


From the scoping hierarchy window for a dimension, you can remove a scoping group by clicking Delete on the name bar of that scoping group. The removed scoping group is no longer displayed in the scoping group hierarchy for the dimension. This operation can fail for any of the following reasons:
- You are not an administrator of the scoping group to remove or of any ancestor scoping group of it.
- The scoping group to delete contains one or more assets, members, or child scoping groups.

Adding a member to a scoping group


From the scoping hierarchy window for a dimension, you can use the following steps to add a scoping group member (Figure 52 on page 139):
1. Click Add new in the Members section of an existing scoping group.
2. On the New Member page, select a user in the list box.


Figure 52. Adding a user to a scoping group

3. Optionally, select the corresponding check box to make the user an administrator for this Scoping group.
4. Click Submit to add the user to the scoping group or Cancel to end the operation.
Note: If all the users are already members of this Scoping group, the list box is unavailable on the New Member page and your only option is to click Close.
If the operation was not canceled, Scoping information for the dimension is updated to reflect your modifications. This operation fails if you are neither the Tivoli Compliance Insight Manager administrator nor an administrator of the Scoping group to which the new member is added or of any ancestor scoping group of it.

Removing a member from a Scoping group


From the scoping hierarchy window for a dimension, you can remove a scoping group member by clicking the Trash icon for the scoping group member to remove. The selected scoping group member is removed, and the scoping hierarchy for the dimension is updated with the member removed.
Note: No confirmation is requested when you click the Trash icon.
This operation can fail for any of the following reasons:
- You are neither the Tivoli Compliance Insight Manager administrator nor an administrator of the scoping group from which the member is to be removed, and you are not an administrator of any ancestor scoping group of it.
- You are removing the Tivoli Compliance Insight Manager administrator from a root scoping group.

Setting a member of a scoping group as Administrator


From the scoping hierarchy window for a dimension, you can mark a scoping group member as an administrator, if that member is not yet an administrator, by selecting the Admin rights check box for that scoping group member. The selected scoping group member is made an administrator and you can see the scoping hierarchy for the dimension updated with the new status of the member. This operation can fail if you are neither the Tivoli Compliance Insight Manager administrator nor an administrator of the scoping group in which the member is marked an administrator or any ancestor scoping group of it.

Removing Administrator privileges for a member of a scoping group


From the scoping hierarchy window for a dimension, you can remove the administrator privileges for a member of a scoping group, if that member is an administrator, by clearing the Admin rights check box for that scoping group member. The selected scoping group member loses administrator privileges and you are shown the scoping hierarchy for the dimension updated with the new status of the member. This operation can fail for any of the following reasons:
- You are neither the Tivoli Compliance Insight Manager administrator nor an administrator of the scoping group in which the member is to lose administrator privileges or of any ancestor scoping group of it.
- You are trying to remove the administrator privileges of the Tivoli Compliance Insight Manager administrator for a root scoping group.

Moving the assets of a scoping group


From the scoping hierarchy window for a dimension, you can use the following steps to move scoping group assets from one scoping group to another:
1. Select the check boxes beside the required scoping group assets.
2. Click Move on the corresponding bar.
3. On the Move Assets To page, select a destination scoping group from the list box.
4. Click Submit to move the assets to the destination scoping group or Cancel to end the operation.
If the operation is not canceled, the chosen scoping group assets are moved from the current scoping group to the selected destination scoping group. You can see the scoping hierarchy for the dimension updated with the new position of the assets.

This operation can fail if you are not an administrator of the scoping group from which the assets are to be moved, or of the scoping group to which the assets are to be moved, or of any ancestor scoping group of either.
Notes:
1. A warning message is displayed if you click Move and no assets are selected.
2. To move an individual asset, click the arrows widget beside the corresponding asset.
3. On the Move Assets To page, select a destination scoping group from the list box.
4. Click Submit to move the assets to the destination scoping group or Cancel to end the operation.

Operations done outside Scoping


This section outlines operations that influence the Tivoli Compliance Insight Manager Scoping application and are done outside of it.

Creating and managing users


The administrator user for the Tivoli Compliance Insight Manager applications (including the Scoping application) is created during installation. All other users are created using the Management Console application. Use the Management Console to manage user information.

Tivoli Compliance Insight Manager dimension groups


Grouping event properties in the Who, onWhat and Where dimensions is done outside the Scoping application. Any Tivoli Compliance Insight Manager group in any of the GEM, aggregation, and consolidation databases for the Tivoli Compliance Insight Manager instance where scoping is enabled is available in the Scoping application as a scoping group asset.


Part 4. Viewing data and reporting


Chapter 20. Using the Portal


Tivoli Compliance Insight Manager has a single logon entrance for accessing all its installed components. It is implemented as a Web application and can be opened in a Web browser. The Portal is compatible with Microsoft Internet Explorer Version 6.0 or later. Before starting to use the Portal, you must obtain a user name and a password from the Tivoli Compliance Insight Manager administrator. The administrator can create the user name through the Management Console, after which you can log on to the Portal. In the browser, enter the following URL to get to the Portal:

http://webserver/Portal

where webserver is the name or IP address of the system where Web Applications are deployed and Portal is the name of the virtual directory where the Portal is deployed. From the system where Web Applications are installed, the URL would be:

http://127.0.0.1/Portal

After entering the URL, you are directed to the Portal Login page. In the Username and Password fields, enter a valid user name and password and click Log in. After a successful logon, you are directed to the Portal Overview page, which contains a set of links to the available Tivoli Compliance Insight Manager components. If an invalid user name or password is entered, you are directed to the Portal Login Error page, which gives information about the error and asks for another login.

The space on the Portal Overview page is divided into two panes: the main pane, which is entitled IBM Tivoli Compliance Insight Manager Portal, and the Extra Information pane. The main pane is in the left part of the Portal Overview page. The main pane includes sections with links to the installed components of Web Applications and links to the add-on components of Tivoli Compliance Insight Manager. They are described in detail in Chapter 33, Understanding and using Management Modules, on page 207.

The Extra Information pane is located in the right part of the Overview page and consists of the Help section, which is common to all Tivoli Compliance Insight Manager components that are manageable through the Web interface. The Help section gives instructions about using the key features of the corresponding components. Every section of the Portal can be collapsed or expanded by clicking the section title bar. A collapsed section is indicated by an expansion icon pointing to the right; an expanded section is indicated by an expansion icon pointing down. The Extra Information pane can also be collapsed by clicking its left round corner.

To log out of the Portal, click the Log off tab in the upper right corner of the Portal Overview page.
Notes:
1. To get access to the Portal, cookies must be enabled in the browser. Refer to the browser online help for instructions about enabling cookies.
2. Tivoli Compliance Insight Manager components can be protected by roles, so only part of the functionality might be accessible to you. Refer to Chapter 15, Managing users and roles, on page 85 for details about managing roles.


Chapter 21. Understanding iView


Although the heart of IBM Tivoli Compliance Insight Manager is the Server, the main purpose of Tivoli Compliance Insight Manager, which is event auditing, is performed with the iView reporting application. You can use iView, a Web-based application, to view summary and detailed reports about the collected audit data, and to browse and view the security log data stored in the GEM databases. Unlike standard database viewers, iView contains intelligence that helps security officers quickly focus on the security issues gathered in the GEM databases. The following sections help you find specific security information, based on the security log data of the information environment. Viewing both standard and custom iView reports enables analysis of the data in a variety of formats and levels of detail. For example, you can see the following details:
- Events from one database or all loaded databases
- Events related to a specific platform or group of systems
- Only policy exception events or only events that trigger attention rules
- Events from a specific user or system
- Events for a specific time period, from minutes to years
If a standard report does not provide the preferred information or format, as many custom reports as necessary can be designed, using the built-in Report wizard. With iView, all the audit data can be seen as soon as it is loaded. You do not need to coordinate data from different groups or different platforms. Links from summary pages to detail pages in each report help you move quickly from an overview of all loaded databases to details about a specific event. A copy of iView can be installed on any system with a Web browser, allowing the security staff to monitor and respond to security concerns from virtually anywhere.


Chapter 22. Getting started with iView


With minimal setup, iView can be accessed from a Web browser or directly from the Tivoli Compliance Insight Manager Management Console. This section describes both ways to access and work with iView, including the following tasks:
1. Logging in directly from the Management Console.
2. Logging in from a Web browser.
3. Logging out of an iView session.
4. Setting browser caching to ensure that the most recent audit data is available.
5. Specifying the iView Web URL in the Management Console.

Notes:
1. The Tivoli Compliance Insight Manager setup program automatically installs a copy of iView on the Server system when other Tivoli Compliance Insight Manager components are installed. Additional copies of iView can be installed on other Windows NT or Windows 2000 computers. For installation information, see the IBM Tivoli Compliance Insight Manager: Installation Guide.
2. If the name of the Server system where Tivoli Compliance Insight Manager is installed changes, the administrator must change this name in the tcim-home\iView\tomcat\conf\catalina.policy file as well. For example, from
permission java.net.SocketPermission "$OLD_MACHINE_NAME$:1024-", "listen, accept";

to
permission java.net.SocketPermission "$NEW_MACHINE_NAME$:1024-", "listen, accept";

Changing browser caching to view updated audit data


To ensure that iView reports always display the most recent audit data, you must adjust caching for the browser. Make this adjustment before starting iView for the first time. To adjust page caching in Internet Explorer 6.0, use the following steps:
1. In the browser menu, click Tools, Internet Options.
2. In the Temporary Internet Files section, click Settings.
3. Below Check for new versions of stored pages, click Every visit to the page.
4. Click OK twice to save and apply the new settings.

Logging on to iView
Before starting to use iView, you must get a user name and a password from the Tivoli Compliance Insight Manager administrator, who can create the user name through the Management Console. By default, this user has authority to log on to iView. To open iView, perform the following steps:
1. Log on to the Portal. Refer to Chapter 20 for more details.
2. On the Overview page of the Portal, click iView in the IBM Tivoli Compliance Insight Manager section of the main pane.
The Dashboard page of iView is displayed. For more information, see Chapter 23, Understanding the iView Dashboard, on page 153.
Note: To get access to iView, the Tivoli Compliance Insight Manager role Log on to iView is required. Refer to Managing user roles on page 87 for details about managing Tivoli Compliance Insight Manager roles.

Successful logon
When the Tivoli Compliance Insight Manager administrator has configured load schedules on the Server, a window similar to the example in Figure 53 is displayed:

Figure 53. Current security status of the information environment

This window shows the current security status of the information environment at a glance. It uses the aggregation database, which is created automatically when a scheduled load occurs. If load schedules were not defined for the Server, an aggregation database and data are not provided for the databases in the Enterprise Overview area.

Understanding the iView navigation bar


The iView navigation bar (Figure 54 on page 151) is located at the top of the iView pages:


Figure 54. The iView navigation bar icons

Table 5 contains a list of the navigation controls and a brief description of each.
Table 5. iView navigation controls

Dashboard
    Shows the Compliance Dashboard page of iView. For more information, see Chapter 23, Understanding the iView Dashboard, on page 153.

Trends
    Shows the All Events page of iView, which presents the aggregated data of all databases for a specific period of time.

Reports
    Shows the initial iView reports page.

Policies
    Shows the Policy Settings page of iView, where you can set up and check Tivoli Compliance Insight Manager audit policies.

Groups
    Gives access to the Group types page of iView, including group types for the selected database, the number of groups they presently contain, and the Grouping wizard.

Settings
    Shows the User Preferences page of iView. Here iView preferences can be configured.

Regulations
    Shows the Regulations Resource Center page of iView. Here Management Modules can be accessed and monitored.

Portal
    Opens the Overview page of the Portal. For more information, see Chapter 20, Using the Portal, on page 145.

Starting and continuing iView successfully


The next step after a successful start of iView is to select the investigation type, which can be the Enterprise overview, the Trends view, or a connection to a specific GEM database. To learn about the reporting power on the GEM databases, see Chapter 26, Monitoring with iView, on page 167. To learn more about the report layout in detail, see Chapter 28, Understanding field descriptions in iView reports, on page 179.


Chapter 23. Understanding the iView Dashboard


Overview
On the Dashboard page of iView, you can see a broad overview of audit data aggregated by the Server. You see this page first when logging on to iView. The Dashboard gives an overall view of all the GEM databases. You can see trouble spots anywhere in the system at a glance. In the window of the Web browser, the Dashboard page consists of the following panes:
- Enterprise Overview. Located in the upper left corner of the page, this pane gives a plane cross-section of the W7 aggregation matrix for a pair of dimensions.
- Trend graphic. This pane is located in the upper right corner of the page. Here you can see a trend for the percentage of policy exceptions for a specified period of time.
- Database Overview. In this collapsible pane, you can see a list of all databases along with brief information for a selected database.
The panes are described in the following subsections. In addition, you can control the Enterprise Overview and Trend graphic panes with Settings. When clicked, Settings invokes the Settings page in a new window of the Web browser for the corresponding set of properties. After changing the required properties, click OK. The changes become active for the current iView work session. For more information about configuring the user interface settings, see Chapter 31, Using iView settings, on page 193.

Enterprise overview
Audit data is grouped in a node graph, a two-dimensional view of event data. The dimensions can be any two of the seven types of information that Tivoli Compliance Insight Manager associates with each event (Who, What, When, Where, OnWhat, FromWhere, WhereTo). The title above the node graph displays its context information: the data source name, the start and end dates of the time period, and the event statistics resolution of the displayed information. To the left of the node graph and under it are line labels with the names of the groups for the corresponding lines. The group names on the X and Y axes are arranged alphabetically. The intersections of the lines in the node grid contain nodes; a node is the area of the node graph where a column crosses a line. When the total number of events for a node is nonzero, a colored ball is displayed in the node. Quantities of events are represented by a set of four colored balls, each with a predefined, easily distinguishable size: the larger the ball, the greater the total number of events for the node.

The color of the ball is blue, amber, or red depending on the maximum event severity for that node and the threshold values configured on the Settings page. The lower threshold is the amber threshold and the upper threshold is the red threshold:
- If the maximum event severity for the node is less than the amber threshold, the ball is blue.
- If the maximum event severity for the node is greater than or equal to the amber threshold and less than the red threshold, the ball is amber.
- If the maximum event severity for the node is greater than or equal to the red threshold, the ball is red.
When the mouse pointer hovers over a node, a tip displays the total number of events, exceptions, and attentions and the maximum severity for that node. Clicking the node opens the corresponding detailed report on another page.

Settings
The Enterprise Overview Settings page includes many options for managing the appearance of your Enterprise Overview. The following options determine the time period for the displayed summary:
Show last completed
    Selecting this control activates a pair of list boxes that you set to a whole number of recent days, weeks, or months for which the enterprise summary is generated.
Last existing data
    Selecting this control uses the time stamp of the latest record of data as the point from which the enterprise summary is generated.
Date range
    Selecting this control sets the start time and end time for the summary. The appearance of the date range depends on the Show last completed option: the date range can be expressed in days, weeks, or months.
Display groups based upon
    Use this list box to control the way in which groups are displayed on the summary, based on one of the following measures:
    - Attentions
    - Events
    - Exceptions
    - Failures
    - Severity
Use the collapsible Horizontal Axis Settings pane to adjust the following parameters of the X-axis:
Dimension
    Use this list box to select the dimension for the X-axis from the seven Ws: Who, What, When, Where, OnWhat, FromWhere, WhereTo.
Number of groups
    Use this list box to set the number of groups, from 1 to 50, used for generating the summary. If a dimension has more groups than the number set with this option, the remaining groups are combined into a generic group called the composite group.
Show the most important assets
    When selected, this radio button shows only the most important assets on the summary.
Select assets to show
    When selected, this radio button activates the Available and Selected lists, which you use to choose the assets to include in the summary.
Use the collapsible Vertical Axis Settings pane to adjust the parameters of the Y-axis. This pane contains the same controls as the Horizontal Axis Settings pane.
Note: You can access the Enterprise Overview Settings page from the Dashboard page, and some of the Enterprise Overview Settings from the Database Summary page. Changes made on the Dashboard page and on the Database Summary page can be saved and used the next time you log in to iView. Settings changes made on the User Preferences page can also be saved and used the next time you log in to iView. For more information, see Using enterprise overview settings on page 195.
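The following Python program is an added example and is not part of Tivoli Compliance Insight Manager. On a constructed set of W7-normalized events it reproduces the rules described above for the node graph and its Settings: the groups kept on each axis are ranked by the chosen measure, the groups beyond the configured number are folded into the composite group, each node carries the four figures shown in the hover tip, and the ball color follows the inclusive amber and red threshold comparisons. The event layout (one dictionary per event), the label "Composite group", the recognition of failures by a What group ending in "/Failure", and the four ball size steps are assumptions made for the example.

```python
from collections import defaultdict

# The seven W7 dimensions, keyed as iView names them.
W7 = ("who", "what", "when", "where", "onwhat", "fromwhere", "whereto")

# Constructed sample of W7-normalized events (not data from a real GEM database).
# Each event carries the group it was mapped to in every dimension, its severity,
# and the exception/attention flags assigned when the data was loaded.
SAMPLE_EVENTS = [
    {"who": "Admins", "what": "Logon/Failure", "when": "Office hours", "where": "DC01",
     "onwhat": "System", "fromwhere": "LAN", "whereto": "DC01",
     "severity": 35, "exception": True, "attention": False},
    {"who": "Admins", "what": "Read/Success", "when": "Office hours", "where": "FS01",
     "onwhat": "Finance files", "fromwhere": "LAN", "whereto": "FS01",
     "severity": 10, "exception": False, "attention": False},
    {"who": "Users", "what": "Delete/Success", "when": "Weekend", "where": "FS01",
     "onwhat": "Finance files", "fromwhere": "VPN", "whereto": "FS01",
     "severity": 60, "exception": True, "attention": True},
    {"who": "Users", "what": "Read/Success", "when": "Office hours", "where": "FS01",
     "onwhat": "Public share", "fromwhere": "LAN", "whereto": "FS01",
     "severity": 5, "exception": False, "attention": False},
    {"who": "Service", "what": "Logon/Success", "when": "Night", "where": "DC01",
     "onwhat": "System", "fromwhere": "LAN", "whereto": "DC01",
     "severity": 0, "exception": False, "attention": False},
    {"who": "Contractors", "what": "Logon/Failure", "when": "Night", "where": "DC01",
     "onwhat": "System", "fromwhere": "Internet", "whereto": "DC01",
     "severity": 25, "exception": True, "attention": False},
]

COMPOSITE = "Composite group"   # assumed label; the manual only describes the group


def rank_groups(events, dim, number_of_groups, based_upon="events"):
    """Choose the groups that get their own line on one axis.

    based_upon mirrors the 'Display groups based upon' list box (events,
    exceptions, attentions, failures, severity). Groups outside the top
    number_of_groups are later folded into the composite group.
    """
    if dim not in W7:
        raise ValueError("unknown W7 dimension: %s" % dim)
    if not 1 <= number_of_groups <= 50:
        raise ValueError("number of groups must be between 1 and 50")
    score = defaultdict(int)
    for ev in events:
        g = ev[dim]
        if based_upon == "events":
            score[g] += 1
        elif based_upon == "exceptions":
            score[g] += int(ev["exception"])
        elif based_upon == "attentions":
            score[g] += int(ev["attention"])
        elif based_upon == "failures":
            score[g] += int(ev["what"].endswith("/Failure"))   # assumed naming
        elif based_upon == "severity":
            score[g] = max(score[g], ev["severity"])
        else:
            raise ValueError("unknown ranking measure: %s" % based_upon)
    # Highest score first; ties broken alphabetically so the choice is stable.
    ordered = sorted(score, key=lambda g: (-score[g], g))
    return set(ordered[:number_of_groups])


def build_node_grid(events, x_dim, y_dim, number_of_groups=50, based_upon="events"):
    """Aggregate events into (x group, y group) nodes carrying the four figures
    the hover tip shows: total events, exceptions, attentions, maximum severity."""
    keep_x = rank_groups(events, x_dim, number_of_groups, based_upon)
    keep_y = rank_groups(events, y_dim, number_of_groups, based_upon)
    grid = {}
    for ev in events:
        x = ev[x_dim] if ev[x_dim] in keep_x else COMPOSITE
        y = ev[y_dim] if ev[y_dim] in keep_y else COMPOSITE
        node = grid.setdefault((x, y), {"events": 0, "exceptions": 0,
                                        "attentions": 0, "max_severity": 0})
        node["events"] += 1
        node["exceptions"] += int(ev["exception"])
        node["attentions"] += int(ev["attention"])
        node["max_severity"] = max(node["max_severity"], ev["severity"])
    return grid


def node_color(max_severity, amber_threshold, red_threshold):
    """Blue below amber; amber from the amber threshold (inclusive) up to, but
    excluding, the red threshold; red at or above the red threshold."""
    if amber_threshold > red_threshold:
        raise ValueError("the amber threshold must not exceed the red threshold")
    if max_severity >= red_threshold:
        return "red"
    if max_severity >= amber_threshold:
        return "amber"
    return "blue"


def ball_size(total_events, steps=(10, 100, 1000)):
    """Map a nonzero event count onto the four ball sizes (1 = smallest).
    The step values are an assumption; the manual only says there are four sizes."""
    if total_events <= 0:
        return 0          # no ball is drawn for an empty node
    return 1 + sum(total_events >= step for step in steps)


def render(grid, amber_threshold, red_threshold):
    """One text line per node, in the alphabetical order the axes use."""
    lines = []
    for (x, y), node in sorted(grid.items()):
        lines.append("%-16s x %-14s events=%d exceptions=%d attentions=%d "
                     "max_severity=%d size=%d color=%s" % (
                         x, y, node["events"], node["exceptions"], node["attentions"],
                         node["max_severity"], ball_size(node["events"]),
                         node_color(node["max_severity"], amber_threshold, red_threshold)))
    return lines


if __name__ == "__main__":
    grid = build_node_grid(SAMPLE_EVENTS, "who", "onwhat", number_of_groups=2)
    for line in render(grid, amber_threshold=30, red_threshold=50):
        print(line)
```

The sample run plots Who against OnWhat with only two groups per axis, so the events of the ranked-out groups collect in composite nodes. A composite node inherits the maximum severity of every event it absorbs; a red composite ball is therefore worth expanding by raising the number of groups before drawing conclusions about any single group.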

Trend graphic
Use this component to spot deviations from, and trends in, compliance with the company security policy. The Trend graphic component consists of a chart with a heading that describes the data displayed. Along with the label Percentage of Policy Exceptions, the heading shows the date range for which the data is evaluated. The X-axis carries date/time period labels that depend on the selected settings. The data is plotted as a solid blue line. The percentage of policy exceptions is calculated as the ratio of the number of policy exceptions to the number of all events. The amber line on the chart is the amber (lower) threshold and the red line is the red (upper) threshold; together they indicate the severity level of the current exception rate.
Note: Ideally, the percentage of policy exceptions stays below the amber line. The amber and red thresholds are configured on the Settings page of iView.

Settings
You can adjust the time period for which the trend graphic is displayed. The following time period options apply:
Show last completed
    Selecting this control activates a pair of list boxes that you set to a whole number of recent days, weeks, or months for which the trend is generated.
Last existing data
    Selecting this check box uses the time stamp of the latest record of data as the point from which the trend is generated.
Date range
    Selecting this control sets the start time and end time for the trend. The appearance of the date range depends on the Show last completed option: the date range can be expressed in days, weeks, or months.
Note: You can access the Trend Settings page from the Dashboard page. Changes made on the Dashboard page can be saved and used the next time you log in to iView. Settings changes made on the User Preferences page can also be saved and used the next time you log in to iView. For more information, see Using trend settings on page 196.

Database overview
On the left side of the Database Overview pane, all databases on the current Server are listed as large icons with labels. The first database is usually the aggregation database; if a Consolidation Server is installed, the consolidation database is first in the list. On the right side of the Database Overview pane, the following information is displayed for the selected database:
Name
    The name of the database.
Status
    The status of the database: loaded, loading, not loaded, or cleared.
Loading date
    For a loaded database, the date of the last data load.
Content
    The event sources attached to the chosen database.
Notes:
1. When you move the mouse pointer to another database icon on the left side of the Database Overview pane, the information on the right side changes accordingly.
2. When you click a database icon, you go to the Database Summary page.

Database summary
The heading immediately below the navigation bar shows the name of the chosen database and the name of the current Server. On the Database Summary page, data is grouped into three panes:
- Event Information, a summary of the events in the chosen database, with the following items:
    Total Events
        Total number of events in the database.
    Policy Exceptions
        Total number of policy exceptions and their percentage of the total events.
    Special Attentions
        Total number of attention events and their percentage of the total events.
    Failures
        Total number of failures and their percentage of the total events.
  For each of the report types listed above, you can choose between the event detail report and the event summary report by clicking the corresponding icon to the right of the Event Information pane.
- Status of the database, a pane summarizing the current status of the database in the following categories:
    Status of Database
        See Database overview on page 156 for the possible values of the database status.
    Loading date
        The date when the database was loaded.
    Number of days
        The number of days for which events were collected.
- Data in this database, a list of the event sources attached to the chosen database. Event sources are displayed with their Where (Platform), Start time, End time, #Chunks, and #Events attributes. Click Timezone on the right side of the Data in this database pane to change the time zone used for the start time and end time of the event sources. In the Time Zone Settings dialog that is displayed, select a time zone from the list box and click OK.
Note: Changes made on the Dashboard page and the Database Summary page can be saved and used the next time you log in to iView. You can also configure the time zone on the User Preferences page, and those changes can be saved and used the next time you log in to iView. For more information, see Using database settings on page 193.
To return to the Dashboard page, click Dashboard on the left side of the navigation bar. The database that you previously clicked remains selected in the Database Overview pane.


Chapter 24. Navigating iView


This chapter describes navigation in the standard iView reports. For information about creating and working with custom reports, see Chapter 29, Creating and managing custom reports in iView, on page 183.
iView report pages include a number of pointers that help you keep your bearings when moving within and between reports: descriptive titles, breadcrumb links, and navigation buttons.
All iView pages include a title that describes the page contents. If you click a link to display additional detail about a specific event, both the page name and the event name are displayed in the title.
Breadcrumb links show the current location relative to the Compliance Dashboard page. They are displayed directly above the title on each report page.
Navigation controls are displayed at the bottom of the report page, below the page summary information, and are active only when the length of a report makes them useful. For example, the < (previous page) and > (next page) controls become active only when a report spans multiple pages.
- Click |< or >| to go to the first or last page of the report.
- Click a specific page number to jump to the corresponding page.
- Click < or > to go back or forward one page.
Note: Besides the iView-specific navigation controls, you can move around in iView using the standard browser controls, such as Back and Forward.

Connecting to a GEM database


After a successful logon, the Compliance Dashboard page is displayed. To view a report on the data in a specific database, click that database in the Database Overview area. A selected database remains selected until you select another one. To return to this page, click Dashboard at the top of the window. The GEM list looks like Figure 55:

Figure 55. The GEM list

The Database Overview area presents the set of databases to which you have access rights. A successfully loaded database is displayed as an icon; you select a database by clicking its icon. Figure 56 on page 160 shows the result of following the link that connects to the database GEM:


Figure 56. Connecting to the database GEM

In the following sections, a database is selected because one of the icons in the Database Overview area was followed. You can verify the selected database in the upper left corner of the report page (Figure 57):

Figure 57. Verifying the selected database

The first element in the breadcrumb always links to the Compliance Dashboard page and represents the Server to which you are connected. The second element represents the currently selected database and leads to the Summary report for that database. The subsequent elements form a stack of the reports you have opened; click any of them to return quickly to a previous report.

Moving from summary data to detail data


iView reports are organized hierarchically so that you can see as much or as little detail as you need. Each report opens with a summary page, and you drill down to greater levels of detail by clicking links on successive report pages. For example, clicking Event on the Summary report displays a summary of all events sorted by W7 group type. Clicking any #Event link on the W7 summary page displays a list of all events of that group type. Clicking an individual event in the list displays all available details about that event, including its log file.

Viewing filtered report data


You can view a subset of the information in a database using the iView filtering feature. Table 6 lists the standard reports to which filtering can be applied to obtain useful results (see Database summary on page 156 for details).

Table 6. Standard iView reports

Report                                                        To view:
Event list: All events                                        A list of all events in the database that was clicked on the iView Dashboard page.
Event list: Special attention                                 Information about events that match attention rules.
Event list: Failures                                          Information about failure events.
Event list: Exceptions                                        Information about events that broke policy rules.
Event-based summary reports generated by Management Modules   A subset of reports obtained from Management Modules, a capability that you can use to monitor and maintain compliance with a selected standard.

Filtering can be applied to any of the W7 elements by clicking the square icons, marked with blue circles in Figure 58 on page 162:


Figure 58. Location of iView filtering icons

A blank square icon means that no filtering is applied to the corresponding group; a red icon means that some filtering is applied. In addition, the title of the report reflects the current filter parameters. In Figure 59, for example, the filter Add : Privilege / Success is applied to the What group and the filter System is applied to the Who group. Clicking a square icon opens the Filter Settings dialog (Figure 59):

Figure 59. iView Filter Settings dialog

Here you can enter new filter parameters or change the existing ones. You can use the question mark ? (for a single character) and the asterisk * (for multiple characters) as wildcards, and the grave accent ` as the escape character (a grave accent placed before a wildcard character makes that character literal in the filter value).
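The following Python code is an added example, not code from iView, that shows how a filter value with these wildcard and escape rules can be turned into an anchored regular expression and applied to a set of events, one filter per W7 group. It assumes that * matches zero or more characters, that matching is case-sensitive unless requested otherwise, and that a filter value ending in a lone escape character is an error; the product's exact behaviour on those points is not stated on this page. The sample events are constructed for the example.

```python
import re

ESCAPE = "`"   # the grave accent is the iView escape character


def filter_to_regex(pattern, ignore_case=False):
    """Translate an iView filter value into a compiled regular expression.

    ? matches exactly one character, * matches any run of characters (zero or
    more; an assumption, the manual says "multiple"), and ` makes the next
    character literal. Everything else is matched literally, including regex
    metacharacters such as '.' or '(' that appear in object names.
    """
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == ESCAPE:
            i += 1
            if i == len(pattern):
                raise ValueError("filter ends with a dangling escape character")
            parts.append(re.escape(pattern[i]))
        elif c == "?":
            parts.append(".")
        elif c == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(c))
        i += 1
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.compile("".join(parts), flags)


def matches(pattern, value, ignore_case=False):
    """True when the whole value matches the filter (anchored at both ends)."""
    return filter_to_regex(pattern, ignore_case).fullmatch(value) is not None


def apply_filters(events, filters, ignore_case=False):
    """Keep only the events that satisfy every non-blank filter. The key is the
    W7 dimension; a blank filter value means no filtering, like a blank icon."""
    compiled = {dim: filter_to_regex(pat, ignore_case)
                for dim, pat in filters.items() if pat}
    return [ev for ev in events
            if all(rx.fullmatch(ev.get(dim, "")) for dim, rx in compiled.items())]


# Constructed sample events (not from a real database); only the three
# dimensions used below are filled in.
SAMPLE_EVENTS = [
    {"who": "System", "what": "Add : Privilege / Success", "onwhat": "Administrators"},
    {"who": "System", "what": "Add : Privilege / Failure", "onwhat": "Administrators"},
    {"who": "jdoe", "what": "Add : Privilege / Success", "onwhat": "Backup Operators"},
    {"who": "System", "what": "Read : File / Success", "onwhat": "*.log"},
]

if __name__ == "__main__":
    selected = apply_filters(SAMPLE_EVENTS,
                             {"what": "Add : Privilege / Success", "who": "System"})
    print(len(selected), "event(s) match the example filter from Figure 59")
```

Escaping matters when object names themselves contain wildcard characters: a filter of *.log on the OnWhat group matches every object ending in .log, whereas `*.log matches only the object literally named *.log.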



To accept the current filter settings and return to the report, click Apply. To clear all filter settings, click Clear. To discard your changes and return to the report, click Cancel.
Notes:
1. Filter settings cannot be saved in iView. A reopened report has no filter.
2. Exporting a filtered iView report (see Exporting iView data to other formats on page 189) produces the same report as shown in the browser, including the applied filter.

Sorting report columns


When first opened, event lists are sorted in ascending order by time stamp. You can sort them by any column by clicking the arrow icons marked in Figure 60.

Figure 60. Sorting event lists


Chapter 25. Analyzing trends with iView


The Trends part of iView presents aggregated data from all the databases. The Trends section opens by default with All Events for the last seven days. Click Last month to view the events of the last month. You can view policy exceptions, special attention events, or failures, or a percentage view of the three, by selecting from the list box above the diagram. If you need more detail, click the diagram to zoom in by one time period; the finest time period available is one hour. To zoom out again, click Zoom out. Click Previous to go back one time period; if the diagram shows the last week, Previous shows the week before. Click Next to go forward one time period. If no data is available, the control is unavailable. Below the diagram are seven list boxes, one per group type, with which you can select any combination of groups; click Go to display data for the selected groups. Below these boxes is a description of every bar in the diagram. Click a bar's number of events to open its event list.
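The following Python program is an added example and not part of the product. It computes the figures behind the Trend graphic on the Dashboard (the Percentage of Policy Exceptions per period, compared against the amber and red thresholds) and the zoom steps of the Trends page described above. It assumes ISO 8601 time stamps, weeks that start on Monday, and a constructed sample event list; a period without events is reported as having no data rather than as 0%, which is the case you hit when a collector stops delivering chunks.

```python
from collections import OrderedDict
from datetime import datetime, timedelta

# Time resolutions from coarse to fine; one hour is the finest iView offers.
RESOLUTIONS = ("month", "week", "day", "hour")

# Constructed sample, not real audit data: (time stamp, is it a policy exception?).
SAMPLE_EVENTS = [
    ("2008-03-03T08:15:00", False), ("2008-03-03T09:40:00", True),
    ("2008-03-03T13:05:00", False), ("2008-03-03T13:06:00", False),
    ("2008-03-04T02:10:00", True),  ("2008-03-04T02:11:00", True),
    ("2008-03-04T10:00:00", False), ("2008-03-04T11:00:00", False),
    ("2008-03-05T09:00:00", False), ("2008-03-05T09:30:00", False),
    ("2008-03-05T16:00:00", False), ("2008-03-05T17:00:00", True),
    ("2008-03-05T18:00:00", True),
    # Nothing was collected on 2008-03-06: that period must show as "no data",
    # not as 0% and not as a division by zero.
    ("2008-03-07T09:00:00", False), ("2008-03-07T09:05:00", False),
]


def bucket_start(ts, resolution):
    """Start of the period (hour, day, week from Monday, month) that contains ts."""
    if resolution == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if resolution == "day":
        return midnight
    if resolution == "week":
        return midnight - timedelta(days=midnight.weekday())
    if resolution == "month":
        return midnight.replace(day=1)
    raise ValueError("unknown resolution: %s" % resolution)


def next_bucket(start, resolution):
    """Start of the period that follows the one starting at start."""
    if resolution == "hour":
        return start + timedelta(hours=1)
    if resolution == "day":
        return start + timedelta(days=1)
    if resolution == "week":
        return start + timedelta(days=7)
    if resolution == "month":
        return start.replace(year=start.year + (start.month == 12),
                             month=start.month % 12 + 1)
    raise ValueError("unknown resolution: %s" % resolution)


def exception_trend(events, resolution="day"):
    """Ordered mapping period start -> (events, exceptions, percentage of exceptions).

    Every period from the first to the last one with data is present, so gaps
    stay visible; a period without events gets the percentage None.
    """
    counts = {}
    for stamp, is_exception in events:
        start = bucket_start(datetime.fromisoformat(stamp), resolution)
        total, exceptions = counts.get(start, (0, 0))
        counts[start] = (total + 1, exceptions + int(is_exception))
    trend = OrderedDict()
    if not counts:
        return trend
    current, last = min(counts), max(counts)
    while current <= last:
        total, exceptions = counts.get(current, (0, 0))
        percentage = round(100.0 * exceptions / total, 1) if total else None
        trend[current] = (total, exceptions, percentage)
        current = next_bucket(current, resolution)
    return trend


def threshold_state(percentage, amber_threshold, red_threshold):
    """Where a plotted point sits relative to the amber (lower) and red (upper) lines."""
    if percentage is None:
        return "no data"
    if percentage >= red_threshold:
        return "red"
    if percentage >= amber_threshold:
        return "amber"
    return "ok"


def zoom_in(resolution):
    """One step finer, stopping at the hourly resolution."""
    return RESOLUTIONS[min(RESOLUTIONS.index(resolution) + 1, len(RESOLUTIONS) - 1)]


def zoom_out(resolution):
    """One step coarser, stopping at the monthly resolution."""
    return RESOLUTIONS[max(RESOLUTIONS.index(resolution) - 1, 0)]


if __name__ == "__main__":
    for start, (total, exceptions, pct) in exception_trend(SAMPLE_EVENTS, "day").items():
        print(start.date(), total, exceptions, pct, threshold_state(pct, 30.0, 45.0))
```

With thresholds of 30% (amber) and 45% (red) the sample shows one amber and one red day; the empty day is reported separately so that a reader does not mistake a missing collection for a clean one.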


Chapter 26. Monitoring with iView


Tivoli Compliance Insight Manager iView (iView) is designed for quick analysis of activity. This chapter uses different approaches to obtain interesting security information, assuming interest in the activity of the following entities:
- A specific person
- An object
- A time frame
- A location
- Specific types of activities (on specific objects)
Note: For all of these activities, it is assumed that you are connected to a specific GEM database and follow a specific strategy to find the required information.

Monitoring activity of a specific person


After connecting to a database, use the following steps to trace the actions of a person:
1. Open the Group types page by clicking Groups on the navigation bar.
2. Follow the Who (Source) link.
3. Select the person. Note: People are represented by their usernames.
4. A list of all activities of the user is displayed (Figure 61).

Figure 61. List of user activities

The report shows chronologically which actions a user, in this case the user cifowner, has initiated. The type of action is shown in the What column, the object involved in the OnWhat column, and the user name itself in the Who column.


Monitoring all activity on a specific object


To trace the activities involving a specific object, use the following steps:
1. Open the Group types page by clicking Groups on the iView navigation bar.
2. Follow the OnWhat (Object) link.
3. Select an object: a user, a file, or any other type.
4. A report showing all activities on the chosen object is displayed (Figure 62).

Figure 62. Report of user activities

Monitoring all activity within a specific time period


Sometimes you must find out what happened on a specific day or in a shorter time period. You can get this information out of the GEM database in several ways. The easiest way is limited to a window of a chosen number of minutes around a selected event, while the other way works for any time span. Use the following steps for the easiest method:
1. Pick any policy exception or any other individual event from the event list.
2. Follow the time stamp link of the selected event.
3. On the Investigate pane, select the number of minutes to use as the time span around the selected event.
4. Click Investigate. An event list report showing all events that number of minutes before and after the selected event is displayed (Figure 63 on page 169).


Figure 63. Events list for a time frame

The result is an event list that shows all events from 30 minutes before to 30 minutes after the chosen event. Use the following steps for the second method:
1. On the iView navigation bar, click Reports.
2. Pick any report from the list that allows you to specify a time frame (see the Action column).
3. View the report for the chosen time frame.

Monitoring all activity initiated from a specific location


When a specific location in the environment is suspicious, you might want to look at what actions were taken from that location. This type of report is easy to generate:
1. Open the Group types page by clicking Groups on the iView navigation bar.
2. Follow the WhereFrom (Origin) link.
3. Follow the link to the location in the list.
Note: Alternatively, to trace actions initiated from a specific location, you can use the iView filtering feature. See Viewing filtered report data on page 161 for more information.

Monitoring specific activities on specific objects


If you want to know which objects were modified and who modified them, you can use a specialized report:
1. On the iView navigation bar, click Reports to open the Reports page.
2. Among the detailed investigation reports, select the Suspect by Object Group report.
3. On the User Audit by Object group page, select the actions to be monitored and the types of objects. You choose among W7 groups, so the usefulness of this report depends on the level of detail of the grouping information in the security policy.
4. Click Submit to generate the report.
5. Follow the link of one of the listed events to display its detailed description (Figure 64 on page 170).

Figure 64. Description of a listed event


Chapter 27. Viewing audit data in standard iView reports


Tivoli Compliance Insight Manager iView (iView) provides a number of reports. The following reports are the most important, and each has its own page:
- The Database Summary page (see Database summary on page 156)
- The Policy Exceptions page
- The Special Attention page
- The Failures page
Sorting, date and time filtering, drilling down, and highlighting of events in lists are available. On the Reports page of iView, reports are organized into the following groups:
Daily verification reports
    Use these reports to check the status of four key security areas daily.
Detailed investigation reports
    Use these reports to obtain investigation-level details about specific events, users, objects, or platforms.
Configuration tools reports
    Use these reports to view events in summary form, by group type, or by policy or attention rule. This section also provides a link to the Policy wizard, with which new policy rules can be created.
Firewall reports
    Use these reports to review all suspicious network activity across firewalls.

Viewing policy exceptions


Exceptions are events that violate the company security regulations. They may be trivial or extremely interesting. Exceptions can also be defined as attention events to draw special attention to specific types of violations; see Viewing special attention events for more information. To view policy exceptions, you must have a working security policy. For more information about creating a security policy, see Chapter 8, Creating a security policy. When you click the Policy Exceptions event summary report icon on the Database Summary page, the Policy Exception Summary page opens. This page shows a summary of all policy exception events in the database, in order of severity:
Higher than 40
    High, red in color.
21-40
    Medium, red in color.
0-20
    Low, colored from unavailable to pink.

The number of exceptions is shown in the last column. Click this number to see a list of the actual events. If you need more information about a specific event, click the link to the Event Detail page.


Viewing special attention events


Special attention events must be watched closely. They can be either important events (for example, who accessed a very confidential file) or policy exceptions deemed so important that they must be seen (for example, who tried to gain access to the financial accounts and was denied). Special attention events can also be used to keep track of suspicious persons or acts. Click the Special Attention event summary report icon on the Database Summary page to open the Special Attention Summary page, which summarizes all special attention events in the database. iView orders this summary by severity; if event types have the same severity, iView lists the event type with the highest event count first. The following severity categories apply:
Higher than 40
    High, red in color
21-40
    Medium, red in color
0-20
    Low, colored from unavailable to pink

The event count link leads to the actual events on the Event Table page. If more information is required about a specific event, click the time indication link to go to the Event Detail page.

Viewing failures
The Failures event summary report control on the Database Summary page leads to the Failures Summary page, a summary of all logged failures in order of severity. The main severity categories are:
Higher than 40
    High, red in color
21-40
    Medium, red in color
0-20
    Low, colored from unavailable to pink

iView lists the number of failures for every kind of failure in this summary. Clicking the number produces the event list for that kind of failure. If detailed information about an event is required, click the time indication link to open the Event Detail page.

Using daily verification reports


On the iView Reports page, the Daily verification pane includes several types of daily verification reports:
Logon Failure Summary report
    Lists logon failures, the user responsible for each, and the total number of failure events. Click links on this report to display failures by platform, sorted by time.
Users report
    Lists all users with their usernames. Although some users, such as system administrators, may have multiple usernames, most users have one. Click a username link to see a summary of the events caused by that user, as well as other user information such as group membership.
Events by Type report
    Lists the total number of events, as well as the totals of exception, attention, and failure events for each audited event type. For example, if all external network access events are audited, this report displays the total number of network access events, as well as the totals for network access events that caused policy exceptions, attention events, and failures. Click any link to see additional details about that event type.
Impersonation report
    Lists all users who pretended to be someone else, and the person whose identity they assumed. Click the number of events link to see the events the impersonator caused.
For the remaining types of daily verification reports, a short description is provided in the Description column.

Using detailed investigation reports


You can use any of the available detailed investigation reports to explore irregularities observed in a daily verification report. As with all iView reports, click links on each report page to move from summary to detailed information about any event. For example, if a user activity observed in one of the daily verification reports causes concern, use the Users by Event Type report to display details of all events caused by that user.

Changing detailed investigation report parameters


In most detailed investigation reports, you can narrow the report focus to specific events, time frames, or users, minimizing the amount of data to review. A number of detailed investigation reports require parameters; the corresponding icon in the Action column lets you select events for specific objects, platforms, users, or event types.

Setting a report time interval


If the entry in the Action column of the iView Reports page allows you to specify a time frame, you can set the time interval over which data is shown. Select an interval from minutes to years, but make sure that the interval matches the data in the database. For example, if data is loaded daily, enter the same day and use a time interval of a day or less. Figure 65 on page 174 shows a setup that displays events in the interval between April 16, 2004 at 10.22 a.m. and July 26, 2005 at 8.40 a.m.


Figure 65. Setup to display events for a time interval: an example

1. In the Setup section, select the date and time interval over which data is to be viewed. The default setting shows the full range of times for the data in the database.
2. Click Execute to see the events that occurred in the set time frame, or click Reset to return to the original interval settings.

Viewing events for specific objects, platforms, or users


To see events for specific objects, platforms, or users, do the following steps:
1. In the Setup section, select the event type, object type, user group, or platform whose events are to be viewed. In reports that include this kind of setup section, you can select as many of the available groups as required. You can add or remove groups and click Submit again to view more or less data.
2. Click Submit to display the events that match the selection, or click Reset to revert to the last submitted report.

Using available detailed investigation reports


Several detailed investigation reports are available:
Platform History report
    Lists all operating system and application platforms used during the specified time interval, and the number of events that occurred on each platform.
Suspect by Platform report
    Displays events organized by the platform where suspect events occurred. In the Setup section, select each event type to be viewed. Click Submit to display the platforms on which the selected events occurred, followed by the number of each kind of event.
Logon History by Platform report
    Lists the number of times someone logged on and off on each audited platform during the set time interval.
Object History report
    Lists all objects affected by an event, the platform where the event occurred, and the number of events that affected each object. The event total includes unsuccessful events; for example, if a user tries to read a confidential file, the file is listed in this report. Clicking a link in the #Event column displays details about all events affecting the selected object.
Object Audit report
    Lists the objects, usually files, in any of the On What groups of the security policy. Members of On What groups are objects whose activity needs to be monitored closely. In the Setup section, select each group to be examined and click Submit. The resulting report lists all objects in the selected groups, the platform where the events occurred, and the number of events affecting each object. Click a link in the #Event column to see details about all events affecting the selected object.
    Note: If all the On What groups are selected, the resulting report is identical to the Object History report described above.
Suspect by Object group report
    Lists the selected objects and the kinds of events that affected them. In the Setup section, select one or more On What groups to indicate which objects to view, then select one or more What groups to indicate which events affecting those objects to view. Click Submit to generate the report.
Logon History by User report
    Lists all users who logged on or tried to log on during the specified time interval. In the Setup section, enter a time interval and click Execute to display the report.
User History report
    Lists all users who caused events in the specified time interval. In the Setup section, enter a time interval and click Execute to display the report.
User audit by Object Group report
    Lists all users and all objects they affected during the specified time interval. In the Setup section, enter a time interval and click Execute to display the report.
User Audit report
    Lists the selected users and the kinds of events caused by each user group. In the Setup section, select one or more Who groups to indicate which users to view, and one or more What groups to indicate which events caused by those users to view. Click Submit to generate the report.
Users by Event type report
    Lists all users who caused the specified events. In the Setup section, select one or more What groups to indicate which events to view. Click Submit to generate the report.
In Period group by Users report
    Lists all users who caused events during a time interval defined as a When group when the security policy was created. For example, the security policy might include When groups that define office hours, weekend hours, holiday hours, and so on. In the Setup section, select one or more When groups to indicate the time periods of interest. Click Submit to generate the report.



Note: For your convenience, short descriptions of detailed investigation reports are available in the Description column on the iView Reports page.

Configuration tools
You can use the following report types in the Configuration tools section to see events in summary form, summarized by group type, security policy, or attention rules. This section also provides a link to the Policy wizard.

Events by type report
    Lists all event types with a total for each type. The links in this report display all events, policy exception events, and attention events, sorted by event type.

W7 Summary report
    Lists all events in the database, sorted in order of frequency. Clicking a link in the #Event column displays all events of the type clicked.

Events by rule report
    Lists all events selected by a rule. This report gives a way to test the effect of a new policy or attention rule. Create the report by clicking a choice in each list box in the Rule section, and then clicking Submit. The resulting report shows the events that would no longer create policy exceptions or attention events if this rule were added to the security policy.

Policy Settings report
    Lists all events that comply with the security policy rules. The Policy Settings report page includes a link to the Policy wizard; you can open the Policy wizard using this link if you have been assigned the Security Policy role in Tivoli Compliance Insight Manager. For information about managing user roles in Tivoli Compliance Insight Manager, see Chapter 15, Managing users and roles, earlier in this manual. For information about using the Policy wizard, see Chapter 8, Creating a security policy. The report displays the automatic and security policy used to load the data in the GEM database that is being viewed. It then lists the number of events in the database that trigger each policy rule in the security policy.

Policy wizard link
    Opens the Policy wizard, if you have the Edit Security Policy role in Tivoli Compliance Insight Manager. For information about using the Policy wizard, see Chapter 8, Creating a security policy.
For convenience, short descriptions of Configuration tools reports are available in the Description column on the iView Reports page.

Firewall reports
The following firewall reports enable tracking of network activity that crosses the company firewalls:

Firewall Activity report
    Lists the ten most active IP addresses and the IP addresses that caused the most policy exceptions.

Firewall Overview report
    Provides top ten lists of the following entities:
    Active Web browsers
        Lists Web browsers that connected most frequently to the site.

    Access drops
        Lists access requests dropped by FireWall-1.
    Weird sources report
        Lists IP addresses that begin with either 0 or 127; for example, 127.0.0.1 is reserved for use as a loopback address, and 0.0.0.0 is reserved for use as a default route.
    Low port users report
        Lists users who access ports 0 to 5, which are normally not used.

Firewall Server-Initiated Connections report
    Lists the top ten most active servers that can initiate network connections. For example, this report might list a Web server that can also initiate FTP connections.

Firewall Suspects report
    Lists the top 20 inside and outside users who performed any of the following suspect events:
    v Host scans
    v Port scans
    v Policy exceptions

If the report information needed is not in a built-in iView report, a custom report can be created, as described in Chapter 29, Creating and managing custom reports in iView, on page 183.
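The checks behind the Weird sources, Low port users, Access drops and Firewall Activity reports, written out as an added example over constructed firewall log records (this is not code from Tivoli Compliance Insight Manager or this guide; the record layout, the sample addresses and the function names are assumptions of the example):

```python
"""Added example, not part of the Tivoli Compliance Insight Manager product or
this guide. It applies the selection rules of the firewall reports described
above to constructed firewall log records: sources whose first octet is 0 or
127 are weird sources, requests to ports 0 to 5 are low-port use, dropped
requests are counted as access drops, and the most active source addresses are
ranked as in the Firewall Activity report."""
import ipaddress
from collections import Counter

# Constructed records (not real firewall output): (source address, destination port, action)
SAMPLE_RECORDS = [
    ("10.0.0.5", 443, "accept"),
    ("10.0.0.5", 80, "accept"),
    ("10.0.0.5", 22, "drop"),
    ("192.168.1.20", 443, "accept"),
    ("127.0.0.1", 443, "accept"),
    ("0.0.0.0", 80, "drop"),
    ("192.168.1.20", 3, "accept"),
    ("172.16.4.9", 0, "drop"),
    ("not-an-address", 443, "accept"),  # malformed field, as real logs sometimes contain
]


def weird_sources(records):
    """Weird sources report: source addresses whose first octet is 0 or 127."""
    found = set()
    for src, _port, _action in records:
        try:
            addr = ipaddress.IPv4Address(src)
        except ValueError:
            continue  # an unparsable source is a data-quality problem, not a weird source
        if addr.packed[0] in (0, 127):
            found.add(src)
    return sorted(found)


def low_port_users(records):
    """Low port users report: sources that accessed destination ports 0 to 5."""
    return sorted({src for src, port, _action in records if 0 <= port <= 5})


def access_drops(records):
    """Access drops: number of requests the firewall dropped."""
    return sum(1 for _src, _port, action in records if action == "drop")


def most_active(records, n=10):
    """Firewall Activity report: the n most active source addresses with their request counts."""
    return Counter(src for src, _port, _action in records).most_common(n)


if __name__ == "__main__":
    print("weird sources:", weird_sources(SAMPLE_RECORDS))
    print("low port users:", low_port_users(SAMPLE_RECORDS))
    print("access drops:", access_drops(SAMPLE_RECORDS))
    print("most active:", most_active(SAMPLE_RECORDS))
```

The address test is done with the ipaddress module rather than a string prefix check, so that a source such as 1270.x or a hostname is not mistaken for a loopback address.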


Chapter 28. Understanding field descriptions in iView reports


To understand iView reports, you must have a clear understanding of the meaning of the reports' fields. Table 7 provides an alphabetical listing of the fields in iView and gives a short explanation of each of them.
Table 7. Fields in iView

#
    Number of log records used by the translator to generate the GEM event.
#Chunks
    Number of chunks.
#Event
    Number of events (of this type).
#Events
    Number of events (of the type listed).
#Failure
    Number of failed events (of the type listed).
#groups
    Number of groups in the category.
#PolExcp
    Number of policy exceptions matching the description.
#SpecAtt
    Number of attention events that match the description.
Additional
    Describes the relative CPU load that the report brings. Also indicates whether the report can be configured.
Chunk
    The path to the Tivoli Compliance Insight Manager chunk (headers) used to load the audit trail of the platform listed.
Content
    List of event sources whose audit trails are loaded in the database.
Database
    The name of the database. You can connect to it whenever it is displayed as a link.
Description
    Short description of the information provided by the report.
End time
    Time stamp of the last recorded event for the platform, or time stamp of the last event in the chunk.
Event type
    Combination of Eventmainclass, Eventclass and Successclass.
From Where
    If traceable, this field contains the network location where the activity was initiated.
From Where (Origin group)
    Group of network locations.
Group type
    W7 category.
Impersonated Logonname
    The user name switched to.
Impersonation
    The owner of the user name switched to.
Loading date
    Date and time the database was loaded.
Location
    Network ID where the logon was tried.
LogonId
    User name used to log on.
Logonname
    User name belonging to the action.



Table 7. Fields in iView (continued)

Name
    Owner of the user name used.
Number of Days
    Total number of days recorded in the chunks loaded for the database.
Number of Failures
    Total number of events where the SuccessClass equals Failure.
Number of Policy Exceptions
    Total number of events not matching any of the policy rules.
Number of Special Attention Events
    Total number of events matching at least one of the attention rules.
Object
    The different combinations of ObjectType: ObjectPath / ObjectName loaded in the database.
On What
    The Object represented by the triple ObjectType: ObjectPath / ObjectName that is related to the action.
On What (Object group)
    The group of objects.
On What (Object)
    The Object represented by the triple ObjectType: ObjectPath / ObjectName that is related to the action.
Original Logonname
    Owner of the user name who changed to another user name.
Periodtimestamp
    Time stamp of the first event in the group of events in the following 15 minutes.
Platform
    Network ID of actions (where you failed to log on).
Record Type
    The type of the log record as it is displayed in the chunk log.
Severity
    Relative importance of an event. If the event matches an attention rule, the severity of the event is equal to the severity of the attention rule it matched. If the event is a policy exception, the severity equals the highest significance number of the W7 groups it belongs to. If the event is neither an attention nor a policy exception event, the severity equals the highest significance of the W7 groups it belongs to, divided by 10.
Start time
    Time stamp of the first event.
Status
    Current status of the database.
Status of Database
    Current status of the database.
Title
    Name of report.
Total number of Events
    Total number of events loaded in the database.
User policy
    Tivoli Compliance Insight Manager policy selected for loading the database.
Value
    Edited part of the original log record.
What
    Combination (triplet) of the Eventmainclass, Eventclass, and Successclass. The value represents the action taken.
What (Event group)
    Type of actions.



Table 7. Fields in iView (continued)

What (Event type)
    Combination (triplet) of the Eventmainclass, Eventclass and Successclass. The value represents the action taken.
What Group
    Type of actions.
When
    Time when the action took place.
When (Period group)
    Time period when the actions took place.
Where
    Network ID where the actions were logged.
Where (Platform group)
    Group of locations where the actions were logged.
Where (Platform)
    Network ID and type of platform where the actions were logged.
Where Group
    Group of locations where the actions were logged.
Who
    Combination of real name and logon ID.
Who (Name)
    User name under which the action took place.
Who (Source group)
    Group of user names or persons.


Chapter 29. Creating and managing custom reports in iView


Tivoli Compliance Insight Manager iView provides a wide selection of built-in reports, many of which can be modified to present summary or focused data. If these reports do not meet additional auditing needs, you can use the Custom Report wizard to create and manage custom reports. This section includes information about the following topics:
v Opening Custom Report wizard
v Custom Report wizard overview
v Examples of using the Custom Report wizard

Opening Custom Report wizard


1. Before beginning, you must have the user role to create or edit custom reports in iView. For information about assigning user roles, see Chapter 15, Managing users and roles.
2. Open iView if it is not already open. You can open iView by logging in to the Portal and clicking iView on that page.
3. When the iView Dashboard page is displayed, click Reports on the navigation bar.
4. On the My Reports page, click Add Custom Report to open Custom Report wizard.

Custom Report wizard overview


The Custom Report wizard streamlines the process of creating custom reports and adding them either to the My Reports page or to a compliance module. The wizard is integrated into iView and can be accessed using either the Add Custom Report button on the My Reports page or from the Report List page of an installed compliance module. When you open the wizard, you can see three sections in the Main pane: General Information, Report Layout, and Data Criteria. Options available in the sections define characteristics of a report such as name, description, type, number and type of columns, conditions, and type of events as data selection criteria. Tips for using the sections for creating custom reports are in the Extra Information pane of the window.

Types of custom reports


You can create four types of reports using Custom Report wizard:

Event list
    A W7 normalized event list that you can use to drill down to underlying event detail. Charts are not supported for this report type.

Summary report
    A summary level report that shows events, exceptions, attentions, and failures per group. You can drill down to underlying events.

Top-N report
    A new type of report in which data is summarized by the top N (user-defined) events in a specified time period. A Top-N report selects precisely N rows from a custom report. Because all rows in a report are enumerated in a list, N dictates the number of rows (for example, 5 or 25) that are selected and included in the Top-N report. You can select the top N rows from the list either in ascending order (the selected N rows are sorted in ascending order according to the number of events in each selected row) or in descending order (the selected N rows are sorted in descending order according to the number of events in each selected row). The Other row in the Top-N report shows a summary of all events that are not included in the top N.

Threshold report
    A new type of report that shows results only if an event happened more than N times in a specified time period. A Threshold report shows a threshold violation, which occurs when similar events occur N or more times in a specified time frame. Threshold parameters include a time frame and a number of events (N). For example, if the time frame is four hours and the number of events is 500, a Threshold report shows all threshold violations where the number of events exceeded 500 within the four-hour time frame.

Column entries
Data in the reports is grouped by columns. The number and type of columns that are available for selection in a report through Custom Report wizard depend on the report type. Table 8 describes each column and the content that is displayed in the finished report.
Table 8. Entries and their content displayed in the finished report

Where detail
    Shows the name and type of the platform on which the event occurred, as follows: name (type). If type equals -, only the name of the platform is shown.
Who detail
    Shows the real name of the user who caused the event, if available. Otherwise, it shows the logon name.
What detail
    Shows the event type triplet (verb : noun / success) of the event.
When detail
    Shows the time stamp of the 15 minutes in which the event occurred. To show the time stamp of the event itself, use the event_timestamp column.
Where From detail
    Shows the name and type of the originating platform, as follows: name (type). If type equals -, only the name of the platform is shown.
On What detail
    Shows the type, path and name of the object associated with the event, as follows: type : path / name.
Where To detail
    Shows the name and type of the target platform, as follows: name (type). If type equals -, only the name of the platform is shown.
When group
    Shows the name of (one of the) When group(s) for the time at which the event occurred.
What group
    Shows the name of (one of the) What group(s) to which the event type of the event belongs.



Table 8. Entries and their content displayed in the finished report (continued)

Where group
    Shows the name of (one of the) Where group(s) to which the platform on which the event occurred belongs.
Who group
    Shows the name of (one of the) Who group(s) to which the user who caused the event belongs.
Where From group
    Shows the name of (one of the) WhereFrom group(s) to which the originating platform belongs.
On What group
    Shows the name of (one of the) OnWhat group(s) to which the object that was affected by the event belongs.
Where To group
    Shows the name of (one of the) WhereTo group(s) to which the target platform belongs.
Number of events
    Shows the number of events that is summarized in each row.
Number of policy exceptions
    Shows the number of policy exceptions that is summarized in each row.
Number of special attentions
    Shows the number of special attention events that is summarized in each row.
Number of failures
    Shows the number of events with a successclass equal to Failure that is summarized in each row.
Number of successes
    Shows the number of events with a successclass equal to Success that is summarized in each row.
Percentage of policy exceptions
    Shows the number of policy exceptions that is summarized in each row as a percentage of the number of events summarized in that row.
Percentage of special attentions
    Shows the number of special attention events that is summarized in each row as a percentage of the number of events summarized in that row.
Percentage of failures
    Shows the number of events with a successclass equal to Failure that is summarized in each row as a percentage of the number of events summarized in that row.
Percentage of successes
    Shows the number of events with a successclass equal to Success that is summarized in each row as a percentage of the number of events summarized in that row.
Verb
    Shows the verb part of the eventtype associated with the event. Also shown as part of the detail_what column.
Noun
    Shows the noun part of the eventtype associated with the event. Also shown as part of the detail_what column.
Success
    Shows the success/failure part of the eventtype associated with the event. Also shown as part of the detail_what column.
Platform name
    Shows the name of the platform associated with the event. Also shown as part of the detail_where column.



Table 8. Entries and their content displayed in the finished report (continued)

Platform type
    Shows the type of the platform associated with the event. Also shown as part of the detail_where column.
Logon name
    Shows the logon name of the user associated with the event. Also shown as part of the detail_who column.
Real name
    Shows the real name of the user associated with the event. Also shown as part of the detail_who column.
Origin name
    Shows the name of the originating platform associated with the event. Also shown as part of the detail_wherefrom column.
Origin type
    Shows the type of the originating platform associated with the event. Also shown as part of the detail_wherefrom column.
Object type
    Shows the type of the object associated with the event. Also shown as part of the detail_onwhat column.
Object path
    Shows the path of the object associated with the event. Also shown as part of the detail_onwhat column.
Object name
    Shows the name of the object associated with the event. Also shown as part of the detail_onwhat column.
Target name
    Shows the name of the target platform associated with the event. Also shown as part of the detail_whereto column.
Target type
    Shows the type of the target platform associated with the event. Also shown as part of the detail_whereto column.
Aspect_event
    Aspects that are specific to an event. Commonly used.
Aspect_when
    Aspects that are related to the 15-minute period in which the event occurred. Very rare.
Aspect_where
    Aspects that are related to the platform on which the event occurred. Used occasionally.
Aspect_who
    Aspects that are related to the user who caused the event. Commonly used.
Aspect_wherefrom
    Aspects that are related to the originating platform. Used occasionally.
Aspect_onwhat
    Aspects that are related to the object that is affected by the event. Used occasionally.
Aspect_whereto
    Aspects that are related to the target platform. Used occasionally.

To add a column to a report, click its name in the list of W7 items. The column is displayed in the box for selected columns. The order of columns in the box determines the order in which they are shown in the report. The top-to-bottom order in the box corresponds to the left-to-right order in the report. To change the order of columns, select a column to be moved and drag it to the desired location.
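How the report values described in this chapter are derived, shown as an added example over constructed sample events (this is not code from Tivoli Compliance Insight Manager or this guide): the per-event Severity rule of Table 7, the summary counters and percentages of Table 8, and the Top-N report with its Other row and the Threshold report from the list of custom report types above. The group significances, the attention-rule severity, the event records, N and the time frame are assumed values chosen for the illustration, and the Threshold report is taken to fire at N or more events in the time frame.

```python
"""Added example, not code from the Tivoli Compliance Insight Manager product
or this guide. On constructed sample events it derives the values this chapter
describes: the per-event Severity rule of Table 7, the summary-report counters
and percentages of Table 8, a Top-N report with its Other row, and a Threshold
report. Group significances, attention-rule severities, N and the time frame
are assumed values chosen for the illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed significance per W7 group and severity per attention rule.
GROUP_SIGNIFICANCE = {"Administrators": 80, "Tele-worker": 40,
                      "Confidential files": 90, "Office hours": 10}
ATTENTION_RULE_SEVERITY = {"Confidential read outside office hours": 100}
# Assumed Threshold report parameters: N events within the time frame.
THRESHOLD_N = 3
THRESHOLD_TIME_FRAME = timedelta(minutes=15)
BASE_TIME = datetime(2008, 3, 10, 9, 0)


def make_event(minutes, who, groups, success, policy_exception=False, attention_rule=None):
    """Build one W7-normalized event (constructed data, not a real audit record)."""
    return {"timestamp": BASE_TIME + timedelta(minutes=minutes),
            "who": who,
            "groups": groups,                      # W7 groups the event belongs to
            "success": success,                    # Successclass: Success or Failure
            "policy_exception": policy_exception,  # True when no policy rule matched
            "attention_rule": attention_rule}      # matched attention rule, if any


SAMPLE_EVENTS = [
    make_event(0, "alice", ["Administrators", "Office hours"], "Success"),
    make_event(5, "bob", ["Tele-worker", "Office hours"], "Success"),
    make_event(10, "bob", ["Tele-worker", "Confidential files"], "Failure", True),
    make_event(12, "bob", ["Tele-worker", "Confidential files"], "Failure", True),
    make_event(15, "bob", ["Tele-worker", "Confidential files"], "Success", True,
               "Confidential read outside office hours"),
    make_event(60, "carol", ["Tele-worker", "Office hours"], "Success"),
    make_event(120, "alice", ["Administrators", "Confidential files"], "Success"),
]


def severity(event):
    """Table 7 Severity rule: the matched attention rule's severity; otherwise the
    highest significance of the event's W7 groups, divided by 10 unless the event
    is a policy exception."""
    if event["attention_rule"] is not None:
        return ATTENTION_RULE_SEVERITY[event["attention_rule"]]
    highest = max(GROUP_SIGNIFICANCE[g] for g in event["groups"])
    return highest if event["policy_exception"] else highest / 10


def summary_report(events, column):
    """Summary report: one row per distinct value of `column` with the Table 8
    counters, plus percentages computed against that row's own event count."""
    rows = defaultdict(Counter)
    for ev in events:
        row = rows[ev[column]]
        row["events"] += 1
        row["policy_exceptions"] += int(ev["policy_exception"])
        row["special_attentions"] += int(ev["attention_rule"] is not None)
        row["failures"] += int(ev["success"] == "Failure")
        row["successes"] += int(ev["success"] == "Success")
    report = {}
    for value, row in rows.items():
        report[value] = dict(row)
        report[value]["pct_policy_exceptions"] = 100.0 * row["policy_exceptions"] / row["events"]
        report[value]["pct_failures"] = 100.0 * row["failures"] / row["events"]
    return report


def top_n(report, n, descending=True):
    """Top-N report: the N rows with the most (or fewest) events, followed by an
    Other row that sums the counters of every row that was not selected."""
    ordered = sorted(report.items(), key=lambda kv: kv[1]["events"], reverse=descending)
    selected, rest = ordered[:n], ordered[n:]
    if rest:
        other = Counter()
        for _, row in rest:  # percentages are not additive, so only the counters are summed
            other.update({k: v for k, v in row.items() if not k.startswith("pct_")})
        selected.append(("Other", dict(other)))
    return selected


def threshold_violations(events, column, n=THRESHOLD_N, time_frame=THRESHOLD_TIME_FRAME):
    """Threshold report: values of `column` whose events reach n or more (the reading
    assumed here) inside some window of length time_frame, with the peak count."""
    stamps_by_value = defaultdict(list)
    for ev in events:
        stamps_by_value[ev[column]].append(ev["timestamp"])
    violations = {}
    for value, stamps in stamps_by_value.items():
        stamps.sort()
        start = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > time_frame:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= n:
                violations[value] = max(violations.get(value, 0), count)
    return violations


if __name__ == "__main__":
    for value, row in top_n(summary_report(SAMPLE_EVENTS, "who"), 1):
        print(value, row)
    print(threshold_violations(SAMPLE_EVENTS, "who"))
```

Run stand-alone, the block prints the Top-1 report by user (bob's row followed by the Other row) and the threshold violations, which for the sample data are bob's four events inside one 15-minute window. The Other row sums only the counters, because the percentage columns of the dropped rows cannot be added.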


Examples of using the Custom Report wizard


This section contains a description of detailed steps for the following use cases:
v Creating a custom report using Custom Report wizard
v Adding a custom report to a compliance module using Custom Report wizard on page 188
v Modifying a custom report on page 188

Creating a custom report using Custom Report wizard


To create a custom report using Custom Report wizard, read the description of the following problem and its solution.

Problem
    Suppose that you want to create a custom report that shows the following data about all events collected in the depot for the group Who, assuming the value of this group is equal to Tele-worker:
    v Information on groups Where From, What, When, and Where
    v Information about the number of policy exceptions, special attentions, and failures
    The report must be listed on the Reports page in Tivoli Compliance Insight Manager iView. The report must have a unique name and a description, and must be listed in a unique section on the Reports page.

Solution
    Use the following steps to create this custom report:
    1. Use the following steps to log in and open the Custom Report wizard:
       a. Log in to the Portal.
       b. Navigate to iView.
       c. Click Reports on the main toolbar.
       d. Click Add Custom Report.
    2. In the General Information section of the wizard, do the following steps:
       a. Use the Title and Description fields to name the report and give it a description. For example, type Dream for the title and All our dreams come true for the description.
       b. Select Standard Report Center to list the report on the My Reports page and to avoid linking it to a specific compliance module.
       c. In the menu of available sections on the Reports page, select Add Section... and type a name for the section, Dream Audits, in the field. The report is listed in the new section on the Reports page.
       d. Use the Help Text area to add help text as necessary to the report. For example, type This is a test report to test the Custom Report wizard.
    3. In the Report Layout section of the wizard, do the following steps:
       a. Click Report Type and select Summary Report Type.
       b. The Columns List is filled with default aggregated columns. Remove the aggregators except for the ones that you want in the report (that is, keep Number of Policy exceptions, Number of Special attentions, and Number of Failures to match the requirement to include information about the number of policy exceptions, special attentions, and failures).


       c. To include any required non-aggregated columns in the report, select the Where From, What, When, and Where columns, one at a time, from the list of column items.
          Note: The order of the columns in the report can be changed using drag-and-drop within the Selected Columns list.
    4. In the Data Criteria section of the wizard, do the following steps:
       a. Click Conditions, select the Field Value tab, and select the icon on the right of the Field text box.
       b. In the selection list, select the Who group.
       c. In the Value text area, type Tele-worker, ensure that is equal to is selected in the menu above it, and click Add.
          Note: This step adds to the List of Conditions the condition to show data about all events collected in the depot for group Who if the value of this group is equal to Tele-worker.

Adding a custom report to a compliance module using Custom Report wizard


Understanding the problem and solution in this section can help you use the Custom Report wizard to add a custom report to a compliance module.

Problem
    Suppose that you want to create a custom report that shows the following data about all events collected in the depot for group What if the value of this group is equal to Dream:
    v Information on groups Who, Where From, What, When, and Where
    v Information about the number of special attentions and failures
    The report must be listed as part of the HIPAA compliance module, and must have a unique name and a description.

Solution
    Use the following steps to solve the problem:
    1. Go through steps 1 through 4 of Creating a custom report using Custom Report wizard on page 187. During the procedure, select Regulation Resource Center instead of Standard Report Center.
    2. Select HIPAA for the compliance module in the corresponding menu.

Modifying a custom report


To modify a custom report, do the following steps:
1. Open the list of reports.
2. Select the necessary report from the list and click Edit to modify the report.

Note: Any custom report can be modified by clicking Edit either from the list of reports or from the report page itself.


Chapter 30. Working with iView data in other media


This section describes the following methods of distributing and working with iView report data:
v Printing iView reports.
v Distributing iView reports. For more information, see Chapter 32, Distributing reports, on page 199.
v Exporting audit data to other formats for further analysis.

Printing iView reports


You can click Print in the browser to print iView pages or reports. To print report pages that are too wide to fit on standard paper, make the following adjustments to the printer and browser settings:
1. Change the printer setup to print pages in landscape format rather than portrait format.
2. In Internet Explorer 6, adjust the font size of text in browser windows using the following steps:
   a. Click View, Text Size, and click a smaller font size.
   b. Click View, Refresh to apply the font size change.

Note: You can print graphical custom report pages using the methods described above, or print a graph image alone. To do so, right-click the graph image, and click Print Picture on the menu that is displayed.

Exporting iView data to other formats


You can export iView reports to the following formats:

PDF
    Portable Document Format.
HTML
    Hypertext markup language format.
XLS
    Microsoft Excel format.
CSV
    Comma Separated Values. Data can be read with Microsoft Excel, Lotus 1-2-3 and other database products.

Note: You can export any report except firewall reports, and you can export custom reports as well as built-in reports.

Exporting to PDF format


You can export reports generated by iView to PDF, the file format of the Adobe Acrobat document exchange technology, which allows documents to be displayed and printed in the same way on every computer. Follow these steps to export an iView report to a PDF file:
1. On the report page, right-click PDF, located to the right of the report title bar, and select Save target as from the menu that is displayed.



2. In the Save As dialog, enter a name for the PDF file in the File name field and click Save. iView now exports its report to the PDF file and opens it with the Adobe Acrobat application.

Note: You might be able to open the Adobe Acrobat application and display exported data directly, if the browser supports this functionality.

Exporting to XLS format


iView can export reports to Microsoft Excel format (XLS). To export report data generated by iView to XLS format, do the following steps:
1. On the report page, right-click XLS, which is located to the right of the report title bar, and select Save target as from the menu that is displayed.
2. In the Save As dialog, enter a name for the .XLS file in the File name field, and click Save.
iView report data is now exported to Microsoft Excel format.

Note: Microsoft Excel can import a maximum of 65536 lines, but some iView reports can exceed this number. If an iView report exceeds the Microsoft Excel maximum, Microsoft Excel truncates the report after the maximum number of lines.

Exporting to CSV format


To export iView data to CSV format, do the following steps:
1. On the iView navigation bar, click Reports to open the Reports page.
2. Click the link of the report that is to be exported.
3. In the top right corner of the report title bar, right-click the CSV link.
4. Click Save Target As in the menu that is displayed.
5. In the Save As dialog that is displayed, enter a name for the downloaded data file. Click Save when this action is completed.
6. From Windows Explorer, double-click the file.
7. The default program for reading CSV data opens, displaying the exported report data. If no program is specified for reading CSV data, a Windows prompt is displayed asking which installed program should be used.

Note: You might be able to click the CSV link in iView to open Microsoft Excel and display downloaded data directly, if the browser supports this functionality.

Attributes of exported iView reports


Data exported to PDF and XLS formats contains the following attributes that describe the environment of the original report:

Generated by
    Shows the iView version, server name and time when the report was generated.
Database
    Shows the server name and the database selected for the exported report.
Loading date
    Shows the date and time when data was last loaded into the database. The value can be N/A if the database has not yet been loaded, because of an error or loading state, and so on.



Data range
    Shows a date range of data obtained from all audited platforms. The start value is the earliest time that a platform is available in the report, and the end value is the latest time that a platform is available. The data range can be shown in either of the following ways:
    v In the time zones of the corresponding platforms (chunk logs). This is the default behavior; the user can select a time zone on the iView Settings page.
    v In the server time zone. To switch to this option, add the following lines to the iView.ini file:

        [DatabaseContext]
        UseServerTimezone = yes


Chapter 31. Using iView settings


Like the rest of iView, the iView settings (user preferences) can be reviewed and modified using the Web browser. To access iView settings, log in to iView and click Settings on the navigation bar.

Introduction
iView settings are grouped in the following categories:

Database Settings
    This group of settings allows some database properties to be adjusted. For more information, see Database overview on page 156.
Appearance
    You can change the language of iView messages and define lower and upper thresholds for the trend graph displayed on the Dashboard.
Enterprise Overview Settings
    These settings include the time span, grid axis, and asset group options that define the Enterprise Overview pane on the Dashboard page. For more information, see Enterprise overview on page 153.
Trend Settings
    You can adjust the settings responsible for depicting the Trend graphic pane on the Dashboard page. For more information, see Trend graphic on page 155.
Incident Tracking
    In this section of the iView settings, you can specify parameters for connecting an external incident tracking system.

Each group of iView settings is located in a separate collapsible pane. To make the modifications effective, click Apply at the bottom of the User Preferences page. To cancel the modifications, click Reset, which is available in the lower right corner of the page.

Note: You also can access iView's Enterprise Overview Settings group and the Trend Settings group from the Dashboard page, and you can access some of the Enterprise Overview Settings from the Database Summary page. On both the Dashboard page and the Database Summary page, your changes can be saved and used the next time you log in to iView. In addition, settings changes made from the User Preferences page can be saved and used the next time you log in to iView. For more information, see Chapter 23, Understanding the iView Dashboard, on page 153.

Using database settings


In the Database Settings pane (Figure 66 on page 194), you can adjust database-related properties that affect the appearance of database-specific information on the pages of iView. Use the Default Database list box to change the database that serves as the default iView database. In the Time zone list box, you can specify the preferred time zone, appropriate to your geographical location.

Figure 66. Database settings pane

Notes:
1. After being selected in iView, the selected database becomes the default database.
2. Another way to choose a time zone is from the Database Summary page. Changes are saved and can be used the next time that iView is selected. For more information about the Database Summary page, see Database summary on page 156.

Using appearance settings


To change the language of messages displayed in iView, click the arrow beside the Language list box and select the value you need. Below the Language list box are the following text fields, which control the threshold values for the percentage of policy exceptions:
v Lower threshold (amber). In this field, you can enter a decimal value for the amber threshold.
v Upper threshold (red). In this field, you can enter a decimal value for the red threshold.

The amber threshold and red threshold are displayed as solid horizontal lines on the trend graph of the Dashboard page (Figure 67 on page 195).


Figure 67. Appearance pane

While entering values for the thresholds, observe the following restrictions:
- The value for the Lower threshold field must be less than the value for the Upper threshold field.
- Both values should be valid numbers in the range from 0 to 100.

Using enterprise overview settings


The Enterprise Overview Settings pane (Figure 68) contains options responsible for displaying the Enterprise Overview pane of the Dashboard page.

Figure 68. Enterprise Overview Settings options

Show last completed
    When selected, this control activates a pair of boxes to set a round number of days, weeks, or months for which the enterprise summary is generated.

Last existing data
    When selected, this check box sets the latest record (time stamp) of data to be the point from which the enterprise summary is generated.

Display groups based upon
    This list makes it possible to select the way in which groups are displayed on the enterprise summary. The following top options are included:
    - Attentions
    - Events
    - Exceptions
    - Failures
    - Severity

Horizontal Axis Settings
    This pane provides options that allow parameters of the X-axis to be adjusted:

    Dimension
        This list enables the dimension for the X-axis to be chosen among the seven Ws: Who, What, When, Where, OnWhat, FromWhere, and WhereTo.

    Number of groups
        This list allows the number of groups to be set in the range from 1 to the total number of asset groups available at the Server, to be used for generating the enterprise overview.

    A control for showing assets
        You can select one of the following controls:

        Show the most important assets
            Allows only the most important assets on the summary to be shown.

        Select assets to show
            Activates the Available and Selected lists, which you can use to select preferred assets for the summary.

Vertical Axis Settings
    This pane allows parameters of the Y-axis to be adjusted, and contains the same controls as the Horizontal Axis Settings pane described above.

Using trend settings


Similar to the options in the Enterprise Overview Settings, the time period for which the Trend graphic is displayed can be adjusted (Figure 69 on page 197).


Figure 69. Trend Settings options

You can specify the following options:

Show last completed
    When selected, this control activates a pair of list boxes that you can use to set a round number of last days, weeks, or months for which the enterprise summary is generated.

Last existing data
    When selected, this check box sets the latest record (time stamp) of data to be the point from which the enterprise summary is generated.

Note: You can access iView's Trend Settings group from the Dashboard page. Your changes can be saved and used the next time you log in to iView. In addition, settings changes made from the User Preferences page can be saved and used the next time you log in to iView. For more information, see Chapter 23, Understanding the iView Dashboard, on page 153.

Using incident tracking settings


In this pane on the User Preferences page (Figure 70) is a text field where you can enter a URL for connecting to an external incident tracking system. In the Ticketing Service URL field, enter the correct value.

Figure 70. Incident Tracking settings value

Notes:
1. The Incident Tracking pane is only visible for users that have the Manage Incidents role defined. Refer to Part 3, Managing the Tivoli Compliance Insight Manager system, on page 39 for more details.
2. The incident tracking functionality is available only when Management Modules for Tivoli Compliance Insight Manager are installed.


Chapter 32. Distributing reports


IBM Tivoli Compliance Insight Manager Version 8.5 provides functionality for the automated distribution of iView reports to a predefined group of Tivoli Compliance Insight Manager users. Since Tivoli Compliance Insight Manager Version 8.0, this Report Distribution functionality is available through the Web interface of iView. Previously implemented options for distributing reports as email excerpts using the Management Console were removed and are no longer supported.

This section describes the following topics:
- Report distribution upgrade features
- How report distribution tasks work
- Creating report distribution tasks and using reports effectively

Upgrading
Tivoli Compliance Insight Manager 8.5 includes the following new report distribution features:
- Report distribution tasks.
- The schedule for report distributions.
- Two formats for distributing reports as email excerpts: CSV and PDF. If the plug-in that enables PDF output is installed, the default format is set to PDF. Otherwise, the default is CSV.
- Status notification emails for report distributions.
- Options for convenient selection of report recipients.

After upgrading from Consul InSight 7.0 to Tivoli Compliance Insight Manager 8.5, you can distribute reports using iView only. However, the settings used for report distribution in Consul InSight 7.0 are still present on the system in C:\IBM\TCIM\Server\run. These settings are in the iview.ini file, and can be transferred manually to the automated report distribution. In the contents of the iview.ini file, MailHost, From, and Reply correspond to the Email Settings that are set up for all distribution tasks. To, Experts, and GemDb correspond to the Addressees and Reports sections for creating distribution tasks. The contents of the iview.ini file are shown in the following example:

    [Mail]
    MailHost=mail host
    From=from address
    Reply=reply to address
    [Excerpt.GEM1]
    TEG=1
    [ExcerptTEG.GEM1.1]
    To="email@yourcompany.com"
    Experts="inspect,overview"
    GemDb="GEM1"
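Because the legacy settings have to be transferred by hand, the following added example (written for this guide, not product code) reads an iview.ini in the layout shown above and maps its keys onto the fields of the Automated Report Distribution page: MailHost, From and Reply to the Email Settings, and each ExcerptTEG section's GemDb, Experts and To to a task's database, report list and addressees. The sample values are constructed; it assumes that To and Experts may be comma-separated lists and that values may be double-quoted as in the example.

```python
"""Map legacy Consul InSight 7.0 iview.ini report-distribution settings onto
the fields of the iView Automated Report Distribution page.

Added example, not part of the product. Section and key names follow the
iview.ini example in the guide; the sample values below are constructed.
"""
import configparser
from typing import Dict, List

# Constructed sample in the layout the guide shows (hosts and addresses are placeholders).
SAMPLE_IVIEW_INI = """\
[Mail]
MailHost=mail.example.com
From=tcim@example.com
Reply=soc@example.com
[Excerpt.GEM1]
TEG=1
[ExcerptTEG.GEM1.1]
To="email@yourcompany.com"
Experts="inspect,overview"
GemDb="GEM1"
"""


def _unquote(value: str) -> str:
    """iview.ini wraps some values in double quotes; strip them."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def _split_list(value: str) -> List[str]:
    """Split a value such as "inspect,overview" (assumption: comma-separated)."""
    return [item.strip() for item in _unquote(value).split(",") if item.strip()]


def map_iview_ini(text: str) -> Dict:
    """Return the Email Settings plus one task record per ExcerptTEG section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (MailHost, GemDb) as written in the file
    parser.read_string(text)
    mail = parser["Mail"] if parser.has_section("Mail") else {}
    result = {
        "email_settings": {
            "mail_host": _unquote(mail.get("MailHost", "")),
            "from_address": _unquote(mail.get("From", "")),
            "reply_to": _unquote(mail.get("Reply", "")),
        },
        "tasks": [],
    }
    for name in parser.sections():
        if not name.startswith("ExcerptTEG."):
            continue
        section = parser[name]
        result["tasks"].append({
            "legacy_section": name,
            "database": _unquote(section.get("GemDb", "")),
            "reports": _split_list(section.get("Experts", "")),     # Reports section
            "recipients": _split_list(section.get("To", "")),       # Addressees section
        })
    return result


def missing_email_settings(mapped: Dict) -> List[str]:
    """Email Settings must be complete before any task can send; list the empty fields."""
    return [key for key, value in mapped["email_settings"].items() if not value]


if __name__ == "__main__":
    mapped = map_iview_ini(SAMPLE_IVIEW_INI)
    print(mapped)
    print("missing email settings:", missing_email_settings(mapped))
```

Run it against the real C:\IBM\TCIM\Server\run\iview.ini by reading the file into map_iview_ini; each task record then lists the values to enter for one distribution task, and missing_email_settings tells you whether the Email Settings step can be completed from the legacy file alone.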

Disk space limit


Reports are generated when the databases that are related to them load. After being generated, reports are distributed as email excerpts only when the distribution tasks that they are bound to are launched. Until then, reports are stored on the hard disk of the system. The default maximum amount of storage space for such reports is 1 GB. Match the database load and distribution task schedules so that the limit is not exceeded. If the limit is exceeded, new reports are not generated for lack of storage space. For more information, see Matching database load and distribution schedules on page 205.

In exceptional circumstances, the limit can be expanded. However, this expansion should be done by or under the guidance of authorized support. To expand the space limit for storing generated reports, do the following steps:
1. Check the size of the IBM\TCIM\server\run\excerpts directory, where generated reports are stored by the system.
2. Open the ExcerptStore.ini configuration file in the IBM\TCIM\server\run directory.
3. Change the value of the storesize parameter (the default is 1 GB or 1024) to the value that is required (for example, 2048), as in the following example:

    [settings]
    storesize=2048

Note: Ensure that the new value does not exceed the size of the IBM\TCIM\server\run\excerpts directory. If it does exceed the size, reports are generated and stored in the directory until the directory space limit is exceeded. Reports are not generated if the directory has no space to store them.
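The following added example (not product code) performs step 1 and the check in the note as a script: it reads storesize from ExcerptStore.ini text, sums the files under an excerpts directory, and reports how much of the limit is used. It assumes storesize is expressed in MB, as the guide's "1 GB or 1024" indicates, and demo() builds a constructed temporary store rather than touching a real installation; the free-space comparison is an added sanity check, not something the guide describes.

```python
"""Compare the generated-report store with the storesize limit in ExcerptStore.ini.

Added example, not part of the product. Assumes the [settings] section and
storesize (in MB) shown in the guide; demo() builds a constructed sample store.
"""
import configparser
import os
import shutil
import tempfile
from typing import Dict, Iterable

DEFAULT_STORESIZE_MB = 1024  # the guide's default limit of 1 GB


def read_storesize_mb(ini_text: str) -> int:
    """Return storesize from ExcerptStore.ini text, or the default when absent."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser.getint("settings", "storesize", fallback=DEFAULT_STORESIZE_MB)


def directory_size_bytes(path: str) -> int:
    """Sum the sizes of all regular files beneath path (the excerpts directory)."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            total += os.path.getsize(os.path.join(root, name))
    return total


def excerpt_store_status(ini_text: str, excerpts_dir: str) -> Dict:
    """Report usage of the excerpt store against the configured limit."""
    limit_mb = read_storesize_mb(ini_text)
    limit_bytes = limit_mb * 1024 * 1024
    used = directory_size_bytes(excerpts_dir)
    free = shutil.disk_usage(excerpts_dir).free
    return {
        "limit_mb": limit_mb,
        "used_bytes": used,
        "remaining_bytes": max(limit_bytes - used, 0),
        # Once the limit is reached the guide says no new reports are generated.
        "over_limit": used >= limit_bytes,
        # Added check: a limit the volume cannot hold is not a usable limit.
        "limit_exceeds_free_space": limit_bytes > free + used,
    }


def build_sample_store(root: str, sizes_bytes: Iterable[int]) -> None:
    """Write constructed placeholder report files of the given sizes."""
    os.makedirs(root, exist_ok=True)
    for index, size in enumerate(sizes_bytes):
        with open(os.path.join(root, f"report-{index}.pdf"), "wb") as handle:
            handle.write(b"\0" * size)


def demo() -> Dict:
    """Build a two-file store of 2 MiB under a temporary directory and check it."""
    ini_text = "[settings]\nstoresize=2048\n"
    with tempfile.TemporaryDirectory() as tmp:
        store = os.path.join(tmp, "excerpts")
        build_sample_store(store, [1024 * 1024, 1024 * 1024])
        return excerpt_store_status(ini_text, store)


if __name__ == "__main__":
    print(demo())
```

To check a real system, pass the contents of IBM\TCIM\server\run\ExcerptStore.ini and the path of IBM\TCIM\server\run\excerpts to excerpt_store_status; over_limit tells you whether report generation has already stopped for lack of space.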

Functionality overview
The new report distribution functionality in Tivoli Compliance Insight Manager Version 8.5 does nothing by default. To distribute iView reports as email excerpts, configure these settings in the following order on the Automated Report Distribution page (Figure 71 on page 201):
1. Email Settings
2. Manage Users
3. Distribution Tasks

You can click the Distribution icon in iView to open the page (Figure 71 on page 201). For tips and support information, use the right-hand Extra Information pane.


Figure 71. The Automated Report Distribution page

Email Settings
Distribution tasks have common email settings (Figure 72). As originator of the tasks, use the settings to specify your name, the email address from which reports are sent, a reply-to email, and the mail host used to send the reports. This specification must be done to enable report distribution as email excerpts. Status notifications for each report distribution instance are sent to a specially predefined email.

Figure 72. Email Settings

Manage Users
The Manage Users section lists Tivoli Compliance Insight Manager users that have been added through the Management Console. In this section, use the Email Address field next to each listed user to specify his or her email address for distributing reports. This action must be done before adding or editing a distribution task. Users with empty fields cannot be included in a list of report recipients. For more information, see Chapter 15, Managing users and roles, on page 85.

Distribution Tasks
You can manage report distribution using distribution tasks. The tasks define the timing and type of reports, including format, the GEM databases that are involved, and the Tivoli Compliance Insight Manager users who receive the reports. You can find a list of existing distribution tasks in the corresponding section on the Automated Report Distribution page. To edit a task, click its title in the list. To create a task, click Add distribution task (Figure 73).

Figure 73. List of distribution tasks and the Add distribution task button

For each distribution task you must specify general information, report definitions, and recipients of email excerpts with the defined reports (Figure 74 on page 203).


Figure 74. Settings for creating a distribution task

Distribution tasks contain definitions for selected iView reports (Figure 75). Before being sent, the defined reports must be generated. This action is done automatically whenever the GEM database that is associated with a report is loaded.

Figure 75. Configuration of report definitions for a distribution task

To reduce the system load, if a report is intended for many recipients, only one such report is generated rather than a separate copy for each recipient (Figure 76 on page 204).


Figure 76. Selection of report distribution recipients for the distribution task

The generated reports are distributed as email excerpts only when the scheduled distribution task to which they are assigned is launched. You can configure this timing with the Schedule options for the task.

If the task sets off more often than a related database loads, the same report is distributed to a report recipient only once after the database load. Consequently, until a new database load occurs, all subsequent email excerpts include either empty reports (if the Show empty reports check box is selected) or none at all. For example, if the task sets off five times and a related database loads only once during a specific period of time, reports generated at this database load are still distributed by the task only once. New reports cannot be distributed by the task until the database loads again and new reports can be generated.

If a database related to the task loads more often than the task is scheduled to set off, then one email excerpt includes as many generated reports as the number of loads.

All generated reports are stored by the system until they have been distributed as email excerpts. After distribution, the reports are deleted. For better system performance and report distribution results, database load and report distribution task schedules should be matched. For more information about matching, see Matching database load and distribution schedules on page 205. For more information, see Setting up automated report distribution.

Setting up automated report distribution


When you set up real report distribution tasks for the first time, testing a task is good practice. Use the following steps to test:
1. Obtain an email host name and email address where test email excerpts can be sent.
2. Create a test email user in the Management Console.
3. In Manage Users on the Automated Report Distribution page, add the created test email address for this user.
4. Set up email settings.
5. Create a distribution task (containing a single small report, not exposing classified information) to set off as soon as a related database has loaded. For more information, see Matching database load and distribution schedules on page 205. Deactivate the task after it is launched.
6. Check the emailed report and notification. Has it been received, and are the contents as expected?
   Note: If the Show empty reports check box is not selected and if no reports have been generated yet, no email excerpt is sent.
7. Troubleshoot if necessary (wrong mail host, spam filters, and so on). Look up the \iView\tomcat\logs\distributor.log file to troubleshoot report distribution issues. Look up the \Server\logs\mainmapper-GEM database name.log file to troubleshoot report generation issues.

If all is well, set up the actual distribution tasks by clicking Add distribution task on the Automated Report Distribution page. Configure the necessary settings on the Edit Automated Report Distribution Task page that opens. For more information, see Functionality overview on page 200 and Matching database load and distribution schedules on page 205.

Matching database load and distribution schedules


Since reports are generated at the database load but sent out only once, and only when the scheduled distribution task sets off, matching database load and distribution schedules is necessary for the following reasons:
- The database loads hourly, the distribution task sets off weekly. Consequently, at the end of the week you receive all reports that were generated during the week. If you are interested in only the first hour of data for the week, the data is about one week old. Also, the email excerpt may be too bulky to be delivered through network firewall filters or mail host limitations for the size of emails. In addition, the storage limit of 1 GB for all generated reports may be exceeded.
- The database loads weekly, the distribution task sets off hourly. You receive the reports weekly, shortly after the database loads, and all the other distribution runs seem to be empty.
- If database A loads weekly and database B loads daily, the distribution task sets off daily after database B is loaded. This way, the user receives reports from database A once a week and reports from database B daily. Naturally, this way is the most effective for using the report distribution functionality.

To match the distribution task schedule with that of the database load, note the time at which the database selected for a report in the distribution task loads (Figure 77). Set the schedule for the distribution task correspondingly. Remember that reports are generated only when a database load is complete. Load schedule prompts for databases show only the time when the load starts. Therefore, when setting the schedule for any distribution task, add some time between the database load and distribution task schedules to ensure that the database load is complete (Figure 78 on page 206).

Figure 77. Load schedule prompts for databases
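The three cases above, plus the "load not yet complete" caveat, can be checked before a task is scheduled. The following added example (written for this guide, not product code) models the rules the section states: one report per database load, available once the load completes, and carried by the first distribution run after that, so it is sent only once. Database names, the one-week calendar starting 2024-01-01 and the 10-minute load duration are constructed assumptions; the product's real load time varies.

```python
"""Simulate how database load and report distribution schedules interact.

Added example, not part of the product. Model: each database load yields one
report when the load completes; a distribution run carries every report that
completed since the previous run, so each report is sent exactly once. Times,
database names and the load duration below are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List

WEEK_START = datetime(2024, 1, 1)    # constructed reference week
LOAD_TIME = timedelta(minutes=10)   # constructed load duration


def every(start: datetime, step: timedelta, count: int) -> List[datetime]:
    """Return count times spaced step apart, beginning at start."""
    return [start + i * step for i in range(count)]


def simulate_distribution(load_starts: Dict[str, List[datetime]],
                          load_duration: timedelta,
                          run_times: List[datetime],
                          show_empty_reports: bool = True) -> List[Dict]:
    """One record per distribution run: reports carried, whether an excerpt is
    sent, and which loads were still running when the task set off."""
    # Each load yields one report at its completion time.
    reports = sorted((start + load_duration, db)
                     for db, starts in load_starts.items() for start in starts)
    results, next_unsent = [], 0
    for run in sorted(run_times):
        carried = []
        while next_unsent < len(reports) and reports[next_unsent][0] <= run:
            carried.append(reports[next_unsent][1])
            next_unsent += 1
        # Loads started but not complete at fire time: their reports are missed
        # by this run, which is why the guide says to add slack after the load start.
        in_progress = [db for done, db in reports[next_unsent:]
                       if done - load_duration <= run < done]
        results.append({
            "run": run,
            "reports": carried,
            "sent": bool(carried) or show_empty_reports,
            "loads_in_progress": in_progress,
        })
    return results


def count_empty_runs(results: List[Dict]) -> int:
    """Runs that carried no new report (empty or suppressed excerpts)."""
    return sum(1 for record in results if not record["reports"])


def scenario_hourly_load_weekly_task() -> List[Dict]:
    """Database loads hourly, task sets off weekly: one bulky excerpt."""
    loads = {"A": every(WEEK_START, timedelta(hours=1), 168)}
    return simulate_distribution(loads, LOAD_TIME, [WEEK_START + timedelta(days=7)])


def scenario_weekly_load_hourly_task(show_empty_reports: bool = True) -> List[Dict]:
    """Database loads weekly, task sets off hourly: one useful run, the rest empty."""
    loads = {"A": [WEEK_START]}
    runs = every(WEEK_START, timedelta(hours=1), 168)
    return simulate_distribution(loads, LOAD_TIME, runs, show_empty_reports)


def scenario_matched() -> List[Dict]:
    """A loads weekly, B daily, task sets off daily one hour after the loads start."""
    loads = {"A": [WEEK_START + timedelta(hours=2)],
             "B": every(WEEK_START + timedelta(hours=2), timedelta(days=1), 7)}
    runs = every(WEEK_START + timedelta(hours=3), timedelta(days=1), 7)
    return simulate_distribution(loads, LOAD_TIME, runs)


if __name__ == "__main__":
    for name, scenario in [("hourly load, weekly task", scenario_hourly_load_weekly_task()),
                           ("weekly load, hourly task", scenario_weekly_load_hourly_task()),
                           ("matched schedules", scenario_matched())]:
        print(f"{name}: {len(scenario)} runs, {count_empty_runs(scenario)} empty, "
              f"{sum(len(r['reports']) for r in scenario)} reports")
```

The second scenario also shows the caveat from the text: the run that fires at the same minute the load starts carries nothing and lists database A as still loading, and the report is only carried by the next run an hour later.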


Figure 78. Schedule options for distribution tasks


Chapter 33. Understanding and using Management Modules


From the boardroom to information technology departments, rules and regulations are placing ever-increasing demands on companies of all sizes. In the middle are IT security managers and auditors, who face the overwhelming task of understanding the regulations and implementing a wide array of compliance measures. Management Modules provide optionally installable sets of capabilities that allow a customer to monitor and maintain compliance with a selected standard. Additional services can be supplied with the product by IBM or its partners, and a run book is provided to direct the delivery of these services.

Regulations underscore the need to understand who is touching the most crucial corporate data, and whether this behavior complies with security policy. You can use Tivoli Compliance Insight Manager to monitor all security events and audit them versus security policy. Each add-on module comes with the following components:
- Classification Template
- Compliance Dashboard
- Policy Template
- Report Center
- Resource Center

Compliance dashboard
A compliance dashboard displays an easy-to-understand, color-coded matrix that highlights degrees and level of compliance based on user behavior and data access. The dashboard is customized for the specific regulation or standard of interest, depending on the module you choose.

Report center
A Report Center provides dozens of relevant reports linked to the ISO27001 standard or FFIEC handbook (for GLBA), for monitoring compliance to the regulation or standard, and understanding who touched what across the network. Reporting requirements are similar for each of the supported standards, but each has a different focus.

Policy template
A Policy Template recommends a customizable policy to specify which users can access regulated information, and what they can do with it. Leveraging the IBM patent-pending W7 Methodology, the Policy Template provides an easy, enforceable manner in which to establish and monitor file access versus policy. This project delivers a default security policy template that enables customers to build policies that successfully monitor compliance. A policy template for each standard can be loaded from the Management Console. Optionally, IBM delivers a tool (and improves the existing tool) to build the policy for the customer.

Classification template
A classification template enables quick classification of the enterprise for role-based security event management and auditing of the enterprise versus policy. Each classification template speaks the language of a regulation or standard for demonstration of compliance. A classification template for each standard can be used from the Management Console. The template uses terms and vocabulary that the standard defines. A single classification can satisfy all the standards under consideration here. It is structured in the form of a major category and subcategories that are specific to the selected standard as the starting point to use.

Resource center
The regulatory resource center is the key entry point into the regulatory compliance section on Tivoli Compliance Insight Manager. A Resource Center includes information about the Act and guidelines for using Tivoli Compliance Insight Manager for compliance, including specific advice about adjusting the logging and audit settings in the enterprise to enable proper access monitoring. Within the resource center you can select the tools (policy and grouping tools) and the reporting resources for each regulatory standard supported/installed.

Using Management Modules


Tivoli Compliance Insight Manager leverages security logs and alerts from firewalls, IDS, hosts, applications, databases, and other devices to monitor user behavior and file access. Management Modules are Java-based plug-ins to Tivoli Compliance Insight Manager. Delivered on a CD-ROM, the plug-in can be installed to activate its functionality. Management Modules for Tivoli Compliance Insight Manager enable regulatory and compliance monitoring of relevant (financial, customer, patient) information through five steps (Figure 79):

Figure 79. Regulatory Compliance: primary steps

Enable auditing & alerting
    In heterogeneous environments, understanding which logging and alerting to turn on, and how, is a significant challenge. Tivoli Compliance Insight Manager facilitates this process across the enterprise, turning on monitoring so that crucial events are not missed.

Implement and customize policy templates
    Within Tivoli Compliance Insight Manager, policy templates enable the comparison of actual user behavior with security policy. The IBM Policy Templates are based on customer and industry best practices, including the ISO27001 standard, giving a quick start in terms of compliance.

Receive alerts & generate compliance reports
    This solution has built-in alerting and reporting. Depending on the importance of a system or database, a security manager receives alerts or browses through the best-practice and customizable reports.

Archive all events
    Often overlooked is the need to archive log files. Tivoli Compliance Insight Manager enables the automated archiving of log files to enable compliance with regulations and after-the-fact investigation.

Conduct forensic investigations
    With all the log data archived, and the ability to analyze the normalized and correlated information, forensic investigations become easy, and Tivoli Compliance Insight Manager eliminates the need to sort through personnel files and log data manually to determine what occurred.


Chapter 34. Cross-platform collecting and storage of audit logs and log data
This section introduces Tivoli Compliance Insight Manager Log Manager (Log Manager) and outlines its basic features. Like other components of the Portal, the Log Manager is a Web application. Compatible with Microsoft Internet Explorer Version 6.0 or later, the Log Manager is designed for cross-platform collection of audit logs and storing log data in a native format. The Log Manager can show proof that all log data has been collected, and reports on the completeness of the collected data.

Using the interface of the Log Manager


Table 9 lists and describes the set of Web pages in the Log Manager.
Table 9. Web pages in the Log Manager

Web page                  Description
Log Manager Dashboard     This page gives an overall view of failed log collects. For more information, see Summary statistics on audit logs on page 212.
Collect History Report    This page shows information about log collection events for a specific period of time. For more information, see Inquiring about collection events on page 213.
Log Continuity Report     This page shows information about the completeness of log collects for a specific period of time in the log depots. For more information, see Inquiring about the completeness of log collections on page 216.
Event Activity Report     This page shows information about activities for log event types. For more information, see Inquiring about activity for some log event types on page 218.
Depot Investigation Tool  This page allows a criteria-based search for logs in the log depots. For more information, see Investigating the log depot with the Log Manager on page 219.
Log Retrieval             This page provides downloading of original audit logs. For more information, see Retrieving audit logs with the Log Manager on page 228.

Every page contains the menu bar of the Log Manager, a means for navigating to the other pages of the Log Manager. Any page can be identified in the following ways:
- By the page title, which is shown at the top of the main pane
- By the third level of the breadcrumb trail, which is placed straight below the menu bar of the Log Manager
- By the text of the respective icon in the menu bar. When compared with the other icons of the menu bar, the icon of the opened page is shaded.

Using the Log Manager


This section provides guidelines for using the key features of the Log Manager.


Summary statistics on audit logs


After successfully logging in to Portal and opening the Log Manager, the Log Manager Dashboard opens to show overall statistics on audit log collects for the last 24 hours (by default). Under the menu bar of the Log Manager and farther on, beneath the breadcrumb trail, the page is divided into two panes: the main pane, which is titled the same as the parent page (Dashboard) and the Extra Information pane.

Panes
The main pane is located in the left part of the page, and consists of the Collect History Status and Log Continuity Status sections. The Collect History Status section gives information about the latest collect status. The Log Continuity Status section gives information about the completeness of audit logs. The Extra Information pane, located in the right-hand part of the page, consists of the Help section. The Help section gives instructions about using the key features of the Log Manager Dashboard page (the currently opened page of the Log Manager). Every section can be collapsed or expanded by clicking the section title bar. A collapsed section can be indicated by the expansion icon pointing to the right. An expanded section can be indicated by the expansion icon pointing downward. The Extra Information pane can be collapsed by clicking in the left round corner of the Extra Information pane.

Pie chart and associated tables


The pie chart of the Collect History Status section represents all failed log collects that occurred during the last day. Clicking the other two tabs located to the left of the pie chart switches the current time scale to the last week or the last month. If no log collects occurred in the current period of time, a static picture of an empty baking tin is shown, replacing the pie chart. Instead of the percentage of successful log collects, the baking tin is labeled No collects. If all log collects are successful, a static picture of a thumbs-up is shown, replacing the pie chart. The picture is labeled All collects successful.

Every segment in the pie chart represents a separate type of log collection failure. To identify a type of log collection failure, hover the mouse pointer over the corresponding pie segment. A tool tip opens indicating the type of collection failure along with the percentage for that segment. The percentage shown is the ratio of the log collects that have the collection status represented by the chosen pie segment to the total number of log collects (both successful and failed).

To the right of each pie chart is a table. In the Collect History Status section, the table contains the following information:
- Total number of log collection failures, containing summarized information about all types of log collection failures.
- A separate line for every type of log collection failure. Along with the legend color, the description of the collection failure type is placed to the left of the corresponding line.
- Total number of successful log collects.

The table has three columns, each containing statistics on log collects for the last day, last week, and last month, respectively. Each cell in the table contains the following values:
- Number of log collects of the corresponding type occurring in the corresponding period of time.
- The percentage of the value above. This percentage is the ratio of the log collects of the corresponding type to the total number of log collects in the corresponding period of time. If no log collects occurred during that period of time, a single dash is shown instead.

The absolute numbers in the cells, as well as the pie segments, can be clicked. When you click, the Collect History Report (see Inquiring about collection events), which represents information about the corresponding type of audit events, is displayed. The contents of the Log Continuity Status section can be interpreted in the same way as the Collect History Status section.

To exit the Log Manager and return to the Portal, perform either one of the following:
- Click the Portal in the first level of the breadcrumb trail.
- Click the Portal tab on the same line as the breadcrumb trail, at the right-hand side.
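The arithmetic behind the Collect History Status table is worth having outside the dashboard, for instance to verify that every configured event source actually delivered a log within the window. The following added example (written for this guide, not product code) computes, for the last day, week and month, the number of collects of each status and that number as a percentage of all collects in the period, with a dash when the period has no collects, as the table above is described. The collect events, the failure-type labels and the 30-day month window are constructed assumptions; the product assigns its own failure types and colors.

```python
"""Build the Collect History Status table from log collection events.

Added example, not part of the product: reproduces the per-period counts and
percentages the guide describes for the Dashboard table. Events, failure-type
labels and the reference time are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, Tuple

SUCCESS = "Successful"
# Constructed failure-type labels; the product uses its own names.
FAILURE_TYPES = ("Connection failed", "Authentication failed")

PERIODS = {
    "last day": timedelta(days=1),
    "last week": timedelta(weeks=1),
    "last month": timedelta(days=30),  # assumption: a 30-day month window
}

NOW = datetime(2024, 1, 31, 12, 0)  # constructed reference time

# Constructed collect events as (time, status) pairs.
SAMPLE_EVENTS = [
    (NOW - timedelta(hours=1), SUCCESS),
    (NOW - timedelta(hours=5), "Connection failed"),
    (NOW - timedelta(hours=20), SUCCESS),
    (NOW - timedelta(days=3), "Authentication failed"),
] + [(NOW - timedelta(days=20, hours=h), SUCCESS) for h in range(4)]


def _cell(count: int, total: int) -> Tuple[int, str]:
    """A table cell: absolute count and its share of all collects, or a dash."""
    return count, (f"{100 * count / total:.1f}%" if total else "-")


def collect_history_status(events: Iterable[Tuple[datetime, str]],
                           now: datetime = NOW,
                           failure_types: Tuple[str, ...] = FAILURE_TYPES
                           ) -> Dict[str, Dict[str, Tuple[int, str]]]:
    """Return {period: {row label: (count, percentage)}} for the three periods."""
    events = list(events)
    table = {}
    for period, span in PERIODS.items():
        statuses = Counter(status for when, status in events if now - span <= when <= now)
        total = sum(statuses.values())  # successful and failed collects together
        row = {"Total failures": _cell(sum(statuses[f] for f in failure_types), total)}
        for failure in failure_types:
            row[failure] = _cell(statuses[failure], total)
        row[SUCCESS] = _cell(statuses[SUCCESS], total)
        table[period] = row
    return table


if __name__ == "__main__":
    for period, row in collect_history_status(SAMPLE_EVENTS).items():
        print(period)
        for label, (count, share) in row.items():
            print(f"  {label:<22} {count:>4} {share:>7}")
```

With the constructed events, the last-day column shows one failure out of three collects (33.3%), the last-week column two out of four, and the last-month column two out of eight; an empty event list produces dashes in every cell, matching the "No collects" state of the pie chart.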

Inquiring about collection events


The Log Manager Collect History Report gives you an opportunity to get information about log collection events for a specific period of time. The Collect History Report can be opened in the following ways:
- Click the History icon in the menu bar on each page of the Log Manager to open the Collect History Report with the viewing settings that were applied during the last usage of the Collect History Report. For more information, see Using the settings on page 234 for details about the Log Manager viewing settings.
- Click a pie segment or an absolute number in the table on the Log Manager Dashboard to open the Collect History Report page with information about the given type of audit events in a given report period.

When opened, the Collect History Report shows the following information:

Trend Chart section
    In the Trend Chart section of the main pane, a graph shows the number of log collection events on a logarithmic scale, over time. This graph is a stacked column chart. To change the time scale for the viewed audit information, you can click the corresponding tab in the lower right corner of the graph (alternatively, click the corresponding bar or X-axis label). To move to an adjacent time period, click the arrow on the time sliding control to the left or right of the time period label over the graph. The series for different types of log collection events can be identified in the following ways:
    - Refer to the Legend section of the Extra Information pane.
    - Hover the mouse pointer over the corresponding column segment. A tool tip opens showing the type of the log collection events and the number of collections for that segment.

Collect Event Detail section
    In the Collect Event Detail section of the main pane, the list represents the log collection events for a specific reporting period. All columns in the list are a fixed width. If the text in a cell ends with three dots, the text does not fit in the cell. To see the full text, hover the mouse pointer over the cell. In front of every row in the list is a log selection check box that you can use for selecting audit logs to be downloaded to a local system for upcoming analysis. Check boxes are disabled in rows that represent failed log collections, because a failed log collection means that there is no audit log to select. Refer to Retrieving audit logs with the Log Manager on page 228 for details about retrieving original audit logs. The two types of list view are the structured list view and the paged list view. To switch the Collect Event Detail section from the structured list view to the paged list view, click Show list view in the View section of the Extra Information pane.

Extra Information pane
    The following information is shown in the Extra Information pane:
    - The Help section is common to all of the Log Manager pages. For more information, see Summary statistics on audit logs on page 212 for a description of these sections.
    - The Actions section, which contains a command for retrieving original audit logs, Retrieve selected log files, and a command to restore the default settings of the history report page, Restore default settings. Refer to Retrieving audit logs with the Log Manager on page 228 for more details about retrieving original audit logs.
    - The View section, which controls the appearance of the list in the Collect Event Detail section. A description is provided in the sections for the structured list view and paged list view.
    - The Filters section, which reflects the list of filters that are applied to the Collect Event Detail section. Refer to Using common procedures on page 232 for details about the Log Manager filtering.
    - The Sorting section, which reflects the ordering of the audit event properties. When the list of the Collect Event Detail section is paged, a set of commands is available for changing the sorting in the columns of the list. Refer to Using common procedures on page 232 for more details about sorting the Log Manager data.
    - The Legend section. Figure 80 on page 215 shows the legends used for log collection events:

214

IBM Tivoli Compliance Insight Manager: User Guide

Figure 80. Color legends key

Colors are assigned to the Log Manager event types automatically.

Paged list view of the Log Manager


The paged list view always shows one page of log data items at a time. To move to the next page of the list, click the forward arrow beneath the list; to move to the previous page, click the back arrow. To move to the first page or to the last page, click the corresponding end control (|), and to move to a specific page, click its page number. The information is represented in the form of a table with the following columns:

Status
    A check box for selecting the corresponding event log and an icon that indicates success or failure.
Date
    Date of the corresponding log collection event.
Time
    Time of the corresponding log collection event.
Event source
    Name of the event source that generated the corresponding log collection event.
Event source type
    Type of the above event source.
Audited machines
    Name of the system to which the corresponding event source is added.
PoP
    Name of the point of presence system that sends the corresponding audit logs to the Server system.
Server
    Name of the Server system where audit information from the connected point of presence is collected.

Data in the paged list view can be filtered and sorted. Refer to Using common procedures on page 232 for more details about filtering and sorting the Log Manager data.

Chapter 34. Cross-platform collecting and storage of audit logs and log data

215

Inquiring about the completeness of log collections


To get information about the completeness of the log collections, open the Log Continuity Report by clicking Continuity on the menu bar of the Log Manager. When opened, the Log Continuity Report shows information in a graph and a table. The Information section of the Extra Information pane contains the following audit data:

Server name
    Name of the Tivoli Compliance Insight Manager Server system.
Creation date
    Date when the log continuity reports were last regenerated on the Tivoli Compliance Insight Manager Server system.
Creation time
    Time of day when the log continuity reports were last regenerated on the Tivoli Compliance Insight Manager Server system.
Creator
    Name of the user who regenerated the log continuity tables on the Tivoli Compliance Insight Manager Server system. If the log continuity tables were regenerated by a schedule, this field shows Scheduled.
Log sets
    Total number of audit logs in the log depot.
Completeness
    Percentage of completed audit logs of the depot.

Continuity graph
The graph is placed in the Continuity Audit section and is, in essence, a Gantt chart. Every rectangle represents a separate audit log and every row of rectangles represents an event source. The graph shows time along its X-axis. The unit of time used on the X-axis labels depends on the current time scale, which by default is day. To change the time scale to hour, week, month, or year, click the corresponding tab beneath the graph. To move to an adjacent time period, click an arrow on the time sliding control to the left or right of the time period label above the graph.

To get information about an audit log depicted in the graph, hover the mouse pointer over the corresponding rectangle. A tool tip opens showing the time the audit log started, the time the audit log ended, and the audit log status. Rectangles that represent audit logs are colored according to their status. Refer to the Legend section of the Log Manager Extra Information pane for short descriptions of the audit log statuses.

By default, audit logs on the graph are grouped by the names of the audited systems. To group audit logs by the type of event source, click the Type tab to the left of the graph. Event sources in the chart are sorted first by the applied grouping criterion (the names of the audited systems or the types of the event sources) and then by the names of the event sources.

Notes:
1. A maximum of 200 rows can be shown on the graph at one time. If this limit is exceeded, a message with this information and a request for a narrower filter is shown instead of the graph.
2. If the audit data to be displayed in the graph contains more than 1000 audit logs, the graph does not show tool tips when the mouse pointer is hovered over log objects.
3. The graph can show at most one log set object per pixel (horizontally). If this limit is exceeded for any row, a message with this information and a request to zoom in on a smaller time period is shown.

Continuity list
In the Log File Detail section, a list represents the audit logs that match the filtering criteria. To filter data in a column, click the funnel-shaped icon in the header of the column. In the Filter dialog that opens, select the required criteria and click Start Filter. Refer to Using common procedures on page 232 for more details about filtering the Log Manager reports. The list has log selection check boxes that you can use for downloading the respective audit logs to the local system. Refer to Retrieving audit logs with the Log Manager on page 228 for more details about retrieving audit logs with the Log Manager. The list has the following columns:

Status
    Apart from the log selection check box, this column contains the status icon. For interpreting a specific status icon, refer to the Legend section of the Log Manager Extra Information pane.
#
    Number of log files in the audit log.
Size
    Size of the compressed audit log.
Start date
    Start date of the audit log.
Start time
    Start time of the audit log.
End date
    End date of the audit log.
End time
    End time of the audit log.
Machine
    Name of the audited system.
Event source
    Name of the audited event source.
Event source type
    Type of the audited event source.

The Legend section of the Extra Information pane contains short descriptions of the status icons available in the Status column of the list and helps in interpreting the shading of audit logs in the graph. The status can be one of the following values:
• Archived log sets
• Complete log set
• Corrupted log set
• Delayed collect, possible data loss
• Failed collect, not collected yet
• Missing log set
• Missing logs

To regenerate the tables of the continuity list, click Regenerate report in the Actions section of the Extra Information pane. You can also reschedule the regeneration of the continuity list by clicking Adjust schedule in the Actions section of the Extra Information pane. A dialog shows the current regeneration schedule, in which you can enable or disable the report generation. After adjusting the regeneration schedule, click OK to apply the modifications.
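As an added example (not the product's own code), the following Python snippet works through what the continuity report presents: from constructed log set records that carry the statuses listed above, it computes the completeness percentage as the Information section defines it (completed audit logs as a share of all audit logs) and lists the periods per event source that no log set covers, which is what the empty stretches on the Gantt chart make visible. The page does not state how the product itself detects missing log sets, so treating a hole between consecutive log sets as a coverage gap is an assumption of this example, as are the machine and event source names.

```python
from datetime import datetime

# Status values exactly as listed in the Legend section of the report.
COMPLETE = "Complete log set"
DELAYED = "Delayed collect, possible data loss"
FAILED = "Failed collect, not collected yet"
CORRUPTED = "Corrupted log set"

# Constructed sample log sets (machine, event source, start, end, status):
# one Gantt-chart row per event source. Not data from a real depot.
LOG_SETS = [
    ("fs01", "Windows Security", "2008-03-01 00:00", "2008-03-01 12:00", COMPLETE),
    ("fs01", "Windows Security", "2008-03-01 12:00", "2008-03-02 00:00", COMPLETE),
    ("fs01", "Windows Security", "2008-03-02 06:00", "2008-03-02 18:00", DELAYED),
    ("db02", "Oracle Audit", "2008-03-01 00:00", "2008-03-01 12:00", COMPLETE),
    ("db02", "Oracle Audit", "2008-03-01 12:00", "2008-03-02 00:00", FAILED),
    ("db02", "Oracle Audit", "2008-03-02 00:00", "2008-03-02 12:00", CORRUPTED),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def completeness(log_sets):
    """Percentage of log sets whose status is Complete, rounded to 0.1 %.
    Assumption: 'completed audit logs' in the Information section means
    log sets with the Complete log set status."""
    if not log_sets:
        return 100.0
    complete = sum(1 for row in log_sets if row[4] == COMPLETE)
    return round(100.0 * complete / len(log_sets), 1)


def coverage_gaps(log_sets):
    """For every (machine, event source) row, the time ranges between
    consecutive log sets that no log set covers. Overlapping or touching
    log sets produce no gap; only a real hole in the timeline does."""
    by_source = {}
    for machine, source, start, end, _status in log_sets:
        by_source.setdefault((machine, source), []).append((_parse(start), _parse(end)))
    gaps = {}
    for key, spans in by_source.items():
        spans.sort()                       # order by start time, as the chart does
        covered_until = spans[0][1]
        for start, end in spans[1:]:
            if start > covered_until:
                gaps.setdefault(key, []).append((covered_until, start))
            covered_until = max(covered_until, end)
    return gaps


def attention_rows(log_sets):
    """Rows a reviewer should inspect first: every log set not marked Complete."""
    return [(m, s, start, status) for m, s, start, _end, status in log_sets
            if status != COMPLETE]


if __name__ == "__main__":
    print("Completeness: %.1f%%" % completeness(LOG_SETS))
    for key, ranges in coverage_gaps(LOG_SETS).items():
        for gap_start, gap_end in ranges:
            print("gap on %s / %s: %s - %s" % (key[0], key[1], gap_start, gap_end))
    for row in attention_rows(LOG_SETS):
        print("check:", row)
```

On the constructed data the completeness is 50.0 % (3 of 6 log sets complete) and the only gap is the six hours on fs01 between the end of the second Windows Security log set and the delayed third one; the two non-complete db02 rows are contiguous in time, so they show up in attention_rows but not as gaps.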

Inquiring about activity for some log event types


An investigation consists of the following fundamental activities:
• Collect all necessary information through the log history and log continuity reports.
• Present event data from all sources in a time-ordered list using Depot Investigation.
• Look for anomalies to determine areas where activity is not normal and might represent a good starting point for an investigation. Use the Event Activity Report of the Log Manager.

The Event Activity Report is used to find areas of anomalous activity and so get an idea of where to start an investigation with Depot Investigation. This information is only one input for the search, but it can help identify the time range and the sort of attack.

To get information about activity for a type of log events, open the Event Activity Report of the Log Manager by clicking Activity on the menu bar of the Log Manager. The Event Activity Report contains statistics for several predefined types of event activity. The Activity Trend section contains a graph that represents statistics for one or more activity types over time. The following types of log events are available in the Log Manager:

Email, Instant messaging activity
    Activity by email, instant messaging, and other communication applications.
All activity through remote connection protocols
    Activity related to dialing in to the Server.
All inbound and outbound firewall activity
    Activity related to firewall operation.
All intrusion alerts
    Activity related to intrusions.
All activity of the webservers
    Activity related to the operation of Web servers.
All security changes
    Activity related to changes in security.
All configuration change related activity, excluding security changes
    Activity related to changes in configuration.

To change the set of activity types shown on the graph, use the Legend & Show section of the Extra Information pane. To include or exclude a type of log events from the statistics in the graph, select or deselect the corresponding check box. Selecting or deselecting items in the Legend & Show section immediately updates the graph.

In the Legend & Show section of the Extra Information pane, the following statistics are available:
• Total number of events for every hour, day, and month. This data is shown with a solid line.
• Number of policy exceptions for every hour, day, and month. This data is shown in the graph with a dashed line.
• Number of special attention events for every hour, day, and month. This data is shown in the graph with a dotted line.

The color of a data series line depends on the activity type it represents. Every type of log event activity selected in the Legend & Show section has a color assigned to it dynamically. The Y-axis of the graph has a linear scale, showing the absolute numbers of events. To change the time scale for the viewed audit information, click the corresponding tab in the lower right corner of the graph (alternatively, click the corresponding label on the X-axis). Supported time scales for the graph are day, week, month, and year. To move to an adjacent time period, click an arrow on the time sliding control to the left or right of the time period label. To get the value of a data point in the graph, hover the mouse pointer over that data point. A tool tip opens indicating the value of the data, the activity type it represents, and the time period.

The Activity Totals section contains a table that shows statistics for all activity types. The table is updated whenever the graph is updated. The table has a row for every activity type. In front of every row, the description of the activity type is shown, along with a color box (showing the color that is currently assigned to the activity type, or unavailable if the activity type is not currently selected).

The Activity Totals section has three columns, one for each statistic, each showing an absolute number of events and optionally a percentage, as follows:
• For the All events statistic, the number of events for the activity type shown on this row, within the reporting period. No percentage is shown.
• For the Exceptions statistic, the number of policy exceptions for the corresponding activity type, within the reporting period. The same number is also shown as a percentage of all events for this row.
• For the Attention events statistic, the number of special attention events for the activity type shown on this row, within the reporting period. The same number is also shown as a percentage of all events for this row.

Investigating the log depot with the Log Manager


You can use the Log Manager to search the log depot for specific criteria with the help of the Depot Investigation Tool, which is installed as part of Standard Server.

Depot investigation tool


The Depot Investigation Tool is a powerful forensic search mechanism in Tivoli Compliance Insight Manager. You can use it for online searching across the log data of all event sources stored in the Tivoli Compliance Insight Manager log depot. The search can operate over long time periods and cover vast quantities of log data. Events found in the search results can be retrieved in archived format, together with the corresponding original logs, using Log Retrieval. Besides providing multiple search criteria, the Depot Investigation Tool has its own Google-like search and query language for specifying search queries. See Formal query syntax on page 227 for details.

Working at the raw log data level, the Depot Investigation Tool is useful to subject matter experts looking for specific activity or events in the raw log data. In contrast, the highly normalized and correlated data in iView reports is useful to auditors and security officers who need a common view of the data.

Configuration

The Depot Investigation Tool is a part of Standard Server. To use the Depot Investigation Tool, a Standard Server must be configured to collect logs. In a production environment, designate one Standard Server to provide data indexing and searching for up to three Enterprise Servers configured to collect logs. This server arrangement is necessary for supporting the load that the indexing and searching creates.

Working with the Depot investigation tool interface


To open the Depot Investigation Tool page, click Investigate on the Log Manager menu bar. The Depot Investigation Tool is a set of sections for forming a search query and observing results of the search (Figure 81).

Figure 81. Three sections on the Depot Investigation Tool page

The Depot Investigation Tool is protected by the Depot Investigation and Log Retrieval role. If you do not have this role, Investigate is disabled on the menu bar of the Log Manager. The Depot Investigation Tool is also disabled if depot indexing functionality is disabled. See Chapter 15, Managing users and roles, on page 85 for more details about managing Tivoli Compliance Insight Manager roles.

Query builder
Use the Query builder section to select the necessary criteria for the search:

1. In the Time period subsection, select the period of time that should be searched. Specify the first day and the last day of the time period (Figure 82).

Figure 82. Query builder: Time Period subsection

2. In the Event Source subsection, select the event sources to be searched, by server name, by Actuator (point of presence) system name, by audited machine name, by event source type, and by event source name (Figure 83). Note that the list boxes allow multiple selections.

Figure 83. Query builder: Event Source subsection

3. In the Select Fieldnames subsection, select a field for inclusion in the search results list by selecting the check box in front of the field name.
   Notes:
   a. To get the list of event source types that contain a field, hover the mouse pointer over the field. A tool tip opens to show this list (Figure 84 on page 222).
   b. When you modify the event source selection, the field list is not immediately refreshed. A message saying so, with a request to refresh, is shown. Click the refresh link to see all relevant field names.

Figure 84. Query builder: Select fieldnames

4. In the Content Search subsection (Figure 85), specify the search criteria in the form of a search string. Wildcards (marked by an asterisk *) are acceptable only at the end of a word. Multiple search criteria can be combined through OR and AND relationships. Brackets are also allowed. For more information, see Searching with the Depot Investigation Tool on page 225 and Example queries on page 227.

Figure 85. Example of content search criteria

5. Click Start Search. The result of the search is displayed in the Search summary and the Search results sections of the Depot Investigation Tool.
   Note: If validation of the search parameters provided in Query builder fails, an error message is displayed directly below the Content Search section title bar, and the search does not start.

Search summary
The Search summary section shows summary information about the log data that is being searched (Figure 86 on page 223). It is based on the results of the first step of the search process, which searches the existing indices and returns blocks of events that match the search criteria. See Searching with the Depot Investigation Tool on page 225 for details.

Figure 86. Example of summary search results

Search summary contains a paged list view. See Inquiring about collection events on page 213 for the common characteristics of a paged list view. The data items shown in Search summary are event sources, one for every event source searched. You cannot sort the data items, and they are cleared as soon as a new search is started. The following information is listed in the Search summary section after a successful search:

Audited Machine
    Name of the audited system.
Event source
    Name of the event source.
Event source type
    Name of the event source type.
Total records
    Estimated number of log records in the selected time period.
Relevance
    Indication of the relevance of an event source for the current search.
Difficulty
    Indication of the time needed to process the search for a specific event source.

Search results
The Search results section shows the final results of the search. This section contains a paged list view. See Inquiring about collection events on page 213 for the common characteristics of a paged list view. The data items shown in Search results are the log records that matched the search criteria. Data in Search results is displayed as soon as the first log record is found; in the meantime, the search operation continues. To select audit logs for later downloading, select the corresponding check boxes in the leftmost column of Search results. Check boxes here are always enabled, because the audit logs are still in the log depot (otherwise they could not have been read). Refer to Retrieving audit logs with the Log Manager on page 228 for more details about retrieving audit logs using the Log Manager.

Note: Data cannot be sorted in Search results, but is shown in the order in which it comes out of the search.

Search results are represented as a table with the following columns:

(No header column)
    Column that contains a log selection check box.
Audited Machine
    Name of the audited system.
Event source
    Name of the event source.
Time stamp
    Point in time when the event occurred.
<FieldName1>
    Value of the first field in the selected field list.
<FieldNameN>
    Value of the n-th field selected in the Field list subsection of the Investigate Query section.

Extra Information
Apart from the usual Help section, the Extra Information pane on the Depot Investigation Tool page contains the following sections:

Actions
    This section contains the following commands:
    Refresh field list
        Refreshes the list of field names currently shown in the Field list subsection of the Query builder section of the main pane, based on the currently selected event sources.
    Start search
        Starts a search operation. It is equivalent to clicking Start Search in the Query builder section.
    Stop search
        Stops a search operation that is running.
    Retrieve selected log files
        Assembles the audit logs containing the records selected in the Search results section of the main pane and opens Log Retrieval. Refer to Retrieving audit logs with the Log Manager on page 228 for more details about retrieving audit logs with the Log Manager.
    Restore default settings
        Resets all page settings of the Investigate page to their default values. Refer to Using the settings on page 234 for details about the Log Manager settings.

Information
    This section shows the current state of the search operation, represented as a list of field value entries:
    Progress
        Percentage of the search operation that has completed. One of the following values is displayed:
        0%: No search has started yet.
        1%: Search is in the step that searches against the indices on disk and returns blocks of events that match the search criteria (Step 1).
        The percentage of logs processed (with a minimum of 1%): Search is in the next step (Step 2).
        100%: Search is complete.
        The progress percentage at the time it was stopped: Search has stopped.
    Creation time
        Duration of the search. It is one of the following values:
        0: Search has not started.
        Wall-clock time spent so far: Search is in progress.
        Wall-clock time it took to search: Search is complete.
        Wall-clock time spent at the time it was stopped: Search was stopped.
    Logfiles
        Number of log files processed. The Logfiles entry can have one of the following values:
        0: No search has started, or the search is in Step 1.
        Number of sublogs searched so far: Search is in Step 2.
        Total number of sublogs searched: Search is complete.
    Log records
        Number of log records that match the search criteria. This entry has one of the following values:
        0: No search has started, or the search is in Step 1.
        Number of matching log records found so far: Search is in Step 2.
        Number of matching log records found: Search was completed.
        Number of matching log records found at the time it was stopped: Search has stopped.

Searching with the Depot Investigation Tool


To create effective and working search queries, you must understand how the index is created. The Depot Investigation Tool uses the index to determine which log sets and events meet the search criteria. The events matching the criteria are retrieved during the search and displayed on the Depot Investigation Tool page.

How the index is created

When a GSL file parses data, it produces an output set of data fields that are also known as platform events. These fields are used for creating the index whenever a new log set arrives in the log depot. Additionally, whenever a GSL file is changed for an event source, the related index is recreated, because the GSL file might have been changed to create new data fields to be indexed, invalidating the existing index.

When an index is created, the output from the GSL file in the form of data fields is passed through an analyzer, a component that converts the GSL output into a stream of tokens. The tokens are entered in the index as terms that can be used for searching on the Depot Investigation Tool page. The analyzer adheres to the following basic conversion rules:

• Tokens are separated at white space and punctuation characters, except in certain cases. For example, the entry Thu Jul 26 (GMT +1.00) 2006 10:21:00 results in the set of terms Thu, Jul, 26, GMT, 1.00, 2006, 10, 21, 00. Naturally, a search string such as the following one results in an ambiguous search that returns many times and dates that are not related to the investigation:
time:thu and time:jul and time:26 and time:2006 and time:10 and time:21 and time:00

• In certain circumstances, the analyzer does not create separate tokens even if embedded punctuation characters are included. The following syntax describes this situation:
// floating point, serial, model numbers, ip addresses, etc.
// every other segment must have at least one digit
| <NUM: (<ALPHANUM> <P> <HAS_DIGIT>
        | <HAS_DIGIT> <P> <ALPHANUM>
        | <ALPHANUM> (<P> <HAS_DIGIT> <P> <ALPHANUM>)+
        | <HAS_DIGIT> (<P> <ALPHANUM> <P> <HAS_DIGIT>)+
        | <ALPHANUM> <P> <HAS_DIGIT> (<P> <ALPHANUM> <P> <HAS_DIGIT>)+
        | <HAS_DIGIT> <P> <ALPHANUM> (<P> <HAS_DIGIT> <P> <ALPHANUM>)+
        )
  >
| <#P: ("_"|"-"|"/"|"."|",") >
| <#HAS_DIGIT:                        // at least one digit
    (<LETTER>|<DIGIT>)* <DIGIT> (<LETTER>|<DIGIT>)*
  >
Where a sequence can be a floating-point number, a serial or model number, an IP address, and so on, the analyzer does not split it into individual tokens. If none of those cases applies, the sequence is split at the punctuation characters. The following examples illustrate this:
  The Windows session ID 0x0,0x3E7 creates one token, 0x0,0x3E7.
  The IP address 192.168.0.1 creates one token, 192.168.0.1.
  The user name DOMAIN\userid creates two tokens, DOMAIN and userid.

• You can search an email address by name, by host, or both, because the analyzer splits the address into three terms (name, host, and name@host).

With an understanding of how an index entry is created and what is displayed in the Depot Investigation Tool, you can construct query strings that find the necessary items much more effectively.
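As an added illustration, not code from the product, the following Python function reproduces the tokenization rules just described: it separates tokens at white space and punctuation, keeps a run of <ALPHANUM> segments joined by the <P> characters together when every other segment contains a digit (taking the longest such run, the way the grammar above is matched), and emits the three terms name@host, name and host for an email address. It assumes ASCII letters and digits only, preserves the case of the input, and approximates the email rule with a regular expression; these are assumptions of the example, not documented product behaviour.

```python
import re

_ALNUM = re.compile(r"[A-Za-z0-9]+")          # <ALPHANUM> (ASCII only, an assumption)
_SEP = set("_-/.,")                            # the <P> punctuation class from the grammar
# Approximation of the email rule on the page: name@host, where name may contain
# dots and host may contain dots or hyphens.
_EMAIL = re.compile(r"[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)*@[A-Za-z0-9]+(?:[.-][A-Za-z0-9]+)*")


def _has_digit(segment):
    return any(ch.isdigit() for ch in segment)


def _num_token(text, start):
    """Longest <NUM> match at `start`: alphanumeric segments joined by <P>
    characters where every other segment contains a digit. Falls back to the
    first plain <ALPHANUM> segment when no such run exists."""
    segments, separators, pos = [], [], start
    while True:
        m = _ALNUM.match(text, pos)
        if not m:
            break
        segments.append(m.group())
        pos = m.end()
        # Continue the run only if a <P> character is followed by another segment.
        if pos < len(text) and text[pos] in _SEP and _ALNUM.match(text, pos + 1):
            separators.append(text[pos])
            pos += 1
        else:
            break
    # Try the longest prefix of the run first: either all even-indexed or all
    # odd-indexed segments must contain a digit.
    for count in range(len(segments), 1, -1):
        evens_ok = all(_has_digit(s) for s in segments[0:count:2])
        odds_ok = all(_has_digit(s) for s in segments[1:count:2])
        if evens_ok or odds_ok:
            token = segments[0]
            for i in range(1, count):
                token += separators[i - 1] + segments[i]
            return token
    return segments[0]


def tokenize(text):
    """Break one field value into the index terms the analyzer rules describe."""
    tokens, pos = [], 0
    while pos < len(text):
        if not _ALNUM.match(text, pos):
            pos += 1                           # white space or punctuation: boundary
            continue
        m = _EMAIL.match(text, pos)
        if m:                                  # name@host -> name@host, name, host
            name, host = m.group().split("@")
            tokens += [m.group(), name, host]
            pos = m.end()
            continue
        token = _num_token(text, pos)
        tokens.append(token)
        pos += len(token)
    return tokens


def analyze_fields(record):
    """One index entry per named field, each holding all terms the analyzer
    produced for that field's value (this is why DOMAIN\\userid needs an AND
    of two username terms to be found)."""
    return {field: tokenize(str(value)) for field, value in record.items()}


if __name__ == "__main__":
    for sample in ["Thu Jul 26 (GMT +1.00) 2006 10:21:00", "0x0,0x3E7",
                   "192.168.0.1", "DOMAIN\\userid", "alice@example.com"]:
        print(repr(sample), "->", tokenize(sample))
```

Running the page's own examples through tokenize shows why a query has to be phrased in the analyzer's terms: the time 10:21:00 exists in the index only as the three terms 10, 21 and 00, the session ID 0x0,0x3E7 survives as a single term, and DOMAIN\userid becomes two terms under the same field name.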

226

IBM Tivoli Compliance Insight Manager: User Guide

Investigating the log depot with Log Manager

Formal query syntax


To construct a working query, you must understand the acceptable query syntax. The following example shows formal query syntax:
query             ::= <term> | <boolean query>
boolean query     ::= [ ( ] <boolean query> ((and | or) <boolean query>) [ ) ]
term              ::= [[<fieldname>] :] <string expression>
string expression ::= <string without spaces> [ * ] | <quoted string>
quoted string     ::= <double_quote> <character not double quote> <double_quote>

The Query Parser supports the syntax and determines the indices and time range for the search.

Example queries
How do I search for related records for the same server, same userid, and same session_id? Use the following example:
platform_name:Tivoli Compliance Insight Manager03 and session_id:0x0,0x3e7 and (username: cifowner and username:Tivoli Compliance Insight Manager03)

Note also the use of the phrase username:cifowner and username:Tivoli Compliance Insight Manager03 above. The following phrases are not equal: (username:cifowner and username:Tivoli Compliance Insight Manager03) is not the same as (username:cifowner and Tivoli Compliance Insight Manager03). The first phrase finds instances where username has the two terms Tivoli Compliance Insight Manager03\cifowner. The second phrase finds instances where username is equal to cifowner and where any other term in the event is equal to Tivoli Compliance Insight Manager03.

Notes:
1. The search or index server can handle only a certain number of search operations simultaneously. By default, this number is only one search request. If the server is busy, a corresponding message is shown. For example, the following message might be displayed:
The server is busy. Please retry your search request at a later time.

2. Currently, the search can find up to 200 000 events before the searching stops automatically and a warning message is displayed.

How do I search for all successful logons for the cifowner user on the Tivoli Compliance Insight Manager03 server? Use the following example:
successclass:success and eventmainclass:logon and (username:cifowner and username:Tivoli Compliance Insight Manager03).

How do I search for all activity with a specific session_id in a report? The session ID is reported as having the value (0x0,0x3E7) in the report. However, the analyzer interprets this value as the single term 0x0,0x3e7. Therefore the following search term finds all the relevant records:
session_id:0x0,0x3e7

How do I search for the activity of a specific Windows user, DOMAIN\userid? Faced with such a string, the analyzer stores DOMAIN and userid in the index as separate entries that all have the name username. Therefore a search query should look like the following example:
username:domain and username:userid

So an index entry is created for each named variable, but that index entry can have multiple values, created from all the terms that the analyzer delivers. The implication is that for some queries you must use an AND relationship to get the needed result.

How do I search for event data such as email addresses? Email addresses are handled in a special way. Generically, an email address is name@host, so three index entries are created: name@host, name, and host. You can use such entries to create a search that is based on the name, the host, or the full email address.

How do I search for event data such as IP addresses? An IP address such as 192.168.0.1 is handled just as you would want, as a single string. If you must search for all IP addresses in the subnet of 192.168.0.1, use a search such as the following, which finds them all:
source_ip:192.168.0*
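The formal query syntax above and the example queries in this section, as one added worked example that is not the product's own query parser: a small Python parser for the grammar (optional field name, trailing wildcard, quoted strings, and/or, brackets) and a matcher that evaluates a parsed query against records whose fields have already been split into index terms, the way the analyzer described earlier would split them. The records, the server names srv03 and srv04, the field names beyond those the page uses, and the field values are constructed. Two further assumptions, because the page's grammar states neither: operators bind left to right with equal precedence (so brackets are needed to group, as the page's own examples do), and terms are compared case-insensitively.

```python
import re

# Lexer for the query grammar: brackets, optionally field-prefixed quoted
# strings, and bare words (which may carry "field:" and a trailing "*").
_LEX = re.compile(r'\(|\)|(?:[^\s():"]*:)?"[^"]*"|[^\s()"]+')


def parse_query(text):
    """Parse a query into a tree. Leaves: ("term", field, value, prefix, phrase);
    inner nodes: ("and"|"or", left, right). Left-to-right, equal precedence."""
    tokens, pos = _LEX.findall(text), 0

    def atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of query")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            node = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing closing bracket")
            pos += 1
            return node
        if tok == ")" or tok.lower() in ("and", "or"):
            raise ValueError("expected a search term, got %r" % tok)
        field, value = None, tok
        if ":" in tok and not tok.startswith('"'):
            field, value = tok.split(":", 1)
            field = field or None                # ":value" searches every field
        if value.startswith('"'):                # <quoted string>: phrase of terms
            return ("term", field, value.strip('"'), False, True)
        if value.endswith("*"):                  # wildcard only at the end of a word
            return ("term", field, value[:-1], True, False)
        return ("term", field, value, False, False)

    def expr():
        nonlocal pos
        node = atom()
        while pos < len(tokens) and tokens[pos].lower() in ("and", "or"):
            op = tokens[pos].lower()
            pos += 1
            node = (op, node, atom())
        return node

    tree = expr()
    if pos != len(tokens):
        raise ValueError("unexpected input: %r" % tokens[pos:])
    return tree


def is_valid_query(text):
    """True if the query parses; the product refuses to start a search otherwise."""
    try:
        parse_query(text)
        return True
    except ValueError:
        return False


def _term_matches(term, fields):
    _, field, value, prefix, phrase = term
    value = value.lower()                        # case-insensitive comparison (assumption)
    for name in ([field] if field else fields):
        terms = [t.lower() for t in fields.get(name, [])]
        if phrase:                               # consecutive terms in this field
            words = value.split()
            if any(terms[i:i + len(words)] == words for i in range(len(terms))):
                return True
        elif prefix:
            if any(t.startswith(value) for t in terms):
                return True
        elif value in terms:
            return True
    return False


def matches(tree, fields):
    if tree[0] == "term":
        return _term_matches(tree, fields)
    op, left, right = tree
    if op == "and":
        return matches(left, fields) and matches(right, fields)
    return matches(left, fields) or matches(right, fields)


def search(query, records):
    """Return the ids of the records that match the query, in record order."""
    tree = parse_query(query)
    return [rid for rid, fields in records if matches(tree, fields)]


# Constructed sample records, already split into index terms as the analyzer
# would split them (e.g. username srv03\cifowner -> terms "srv03", "cifowner").
RECORDS = [
    (1, {"platform_name": ["srv03"], "username": ["srv03", "cifowner"],
         "session_id": ["0x0,0x3e7"], "eventmainclass": ["logon"],
         "successclass": ["success"], "source_ip": ["192.168.0.1"]}),
    (2, {"platform_name": ["srv03"], "username": ["cifowner"], "comment": ["srv03"],
         "session_id": ["0x0,0x41a"], "eventmainclass": ["logon"],
         "successclass": ["failure"], "source_ip": ["192.168.0.77"]}),
    (3, {"platform_name": ["srv04"], "username": ["srv04", "cifowner"],
         "session_id": ["0x0,0x3e7"], "eventmainclass": ["logoff"],
         "successclass": ["success"], "source_ip": ["10.0.5.9"]}),
]
```

The two phrases the page contrasts behave differently on this data: username:cifowner and username:srv03 returns only record 1, where both terms sit under username, while username:cifowner and srv03 also returns record 2, whose srv03 appears in another field. session_id:0x0,0x3E7 finds records 1 and 3 regardless of the case typed, and source_ip:192.168.0* finds the two addresses in that subnet but not 10.0.5.9.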

Retrieving audit logs with the Log Manager


Log Retrieval shows a list of audit logs that contain original log data. You can select the logs for downloading to the local system. Log Retrieval opens as soon as Retrieval is clicked on the menu bar of the Log Manager or, on the pages of the Log Manager that provide this function, when the Retrieve selected log files command in the Actions section of the Extra Information pane is used. When Log Retrieval is opened with the Retrieve selected log files command, all audit logs in the list that actually contain original log data and are still in the depot are preselected.

Log Retrieval is protected by the Depot Investigation and Log Retrieval role. If the user does not have this role, the Retrieve selected log files command is disabled in the Actions section of the Extra Information pane. Refer to Chapter 15, Managing users and roles, on page 85 for more details about managing Tivoli Compliance Insight Manager roles.

The Original Log Files section of the main pane contains a paged list view. See Inquiring about collection events on page 213 for the common characteristics of a paged list view.

Note: The Log Retrieval list can contain a maximum of 10,000 data items (audit logs). When this value is exceeded (with the active filter settings), the list is shown without any data items in it, together with a message giving this information and asking for a narrower filter to be applied.

The Log Retrieval list has the following columns:

(Empty header)
    This column reflects the availability of the original log data. It contains the availability icon, which can have one of the following meanings:
    • Available
    • No original data in the audit log
    • The audit log is no longer in the depot
Status
    Apart from the log selection check box, this column contains the status icon. For interpreting a specific status icon, refer to the Legend section of the Log Manager Extra Information pane.
#
    Number of original log files in the audit log that contain original data.
Size
    Sum of the sizes of the compressed sublogs of the audit log that contain original data.
Start date
    Start date of the audit log, from the audit log header.
Start time
    Start time of the audit log, from the audit log header.
End date
    End date of the audit log, from the audit log header.
End time
    End time of the audit log, from the audit log header.
Machine
    Name of the audited system.
Event source
    Name of the event source.
Event source type
    Name of the event source type.

Data in the list can be sorted by one or more criteria. See Using common procedures on page 232 for more details about sorting data in the Log Manager. To filter data in a column, click the funnel-shaped icon in the header of the column. In the Filter dialog that opens, select the required criteria and click Start Filter. See Using common procedures on page 232 for more details about filtering data with the Log Manager.

Use the following steps to download audit logs:
1. In the list of the Original Log Files section, select the check box next to each audit log that you want to download.
   Note: The selection check boxes are disabled for audit logs that do not contain any original audit logs or are no longer in the depot.
2. Click Download to start downloading the audit logs. The sublogs from the selected audit logs are packaged together into a single .gz.tar file.
3. In the File download / File open window that opens, provide a path and a name for the downloaded file and click Save to save it on the local system.

In the downloaded file, each sublog has its own folder within the compressed file. The name of this folder is <audited-machine>_<eventsource>_<sublog>, where <audited-machine> is the name of the system from which the audit logs originate, <eventsource> is the name of the event source, and <sublog> is the name of the sublog. The names of the downloaded files within this folder have the following format:
<begintime>_<endtime><ext>.gz

where <begintime> is the lowest begin-time stamp of the audit logs in the file, <endtime> is the highest end-time stamp of the audit logs in the file, and <ext> is the extension of the sublog.

Chapter 34. Cross-platform collecting and storage of audit logs and log data

229

Retrieving audit logs with Log Manager

Using the replay tool


The purpose of Replay Tool is to replay or resend specified SNMP or Syslog messages to a target (a specified IP address or hostname and port). Replay Tool resends data that was received some time ago from an audited platform (device, application, and so on) through the Tivoli Compliance Insight Manager collect mechanism. It simulates the existence of a platform by reproducing the log messages that are specific to that platform. In this way, the Server can collect the replayed messages again, so you can replay any log several times and collect logs for each event source. Replaying or resending SNMP or Syslog messages is mainly used for testing newly installed platforms, or platforms with changed parameters, where new logs cannot be acquired directly from the audited platform.

Installation
Replay Tool is installed automatically with IBM Tivoli Compliance Insight Manager. No additional installation is required. By default, the executable file replay.exe is placed in the \TCIM\Tools folder.

The command line and its properties


To run Replay Tool, type replay.exe in the command line and specify the name of the following file, which contains the SNMP or Syslog messages:
(-|input.hex|input.snmp|syslog)

Note: If you use a single dash (-) as the file name, standard input (stdin) is used. To prepare data for replay, extract the data from the log set by using the gzip utility with the -d option, as in the following example:
gzip -d <chunkname>.gz

To identify the location of the log set, use the iView chunk log details report. Besides the file name, which is the obligatory parameter, you can specify other optional parameters and options. The following example shows the general form of the command line with all of the available parameters and options:
replay.exe -|input.hex|input.snmp|syslog <ip/hostname> <port> <sleep>

Table 10 lists and describes the options.


Table 10. Optional parameters to identify the location of a log set

Option                 Description
-ip <ip/hostname>      Hostname or IP address to send messages to
-port <port>           Port number to send messages to
-rate <number>         Number of messages per second
-repeat <number>       Send each message a number of times
-repeatfile <number>   Repeat the entire file a number of times
-stop <number>         Only send <number> messages in total
-hex|-snmp|-syslog     Define input type

• To reiterate, the first, and obligatory, parameter is the name of the file (input.hex|input.snmp|syslog) that contains the SNMP or Syslog messages. The SNMP (Syslog) messages can be sent from text or from hexadecimal format. You can determine the type of data from which the SNMP (Syslog) messages are constructed and sent by using the corresponding -hex|-snmp|-syslog option, or simply by renaming the input file with an appropriate extension (.hex|.snmp).


IBM Tivoli Compliance Insight Manager: User Guide



• The second program parameter is ip/hostname, which determines the IP address or the name of the platform to which the SNMP (Syslog) message is sent. To specify the IP address, type it in the command line immediately after the file name or use the -ip option. If the IP address is not specified, the default localhost address 127.0.0.1 is used.
• The third program parameter is port, which determines the port number. To specify the port number, type it in the command line immediately after the IP address or use the -port option. If the port number is not specified, the default port 162 (for HEX and SNMP) or 514 (for SYSLOG) is used.
• The fourth program parameter is sleep, which determines the number of milliseconds between sending each message. To specify the sleep time, type the number of milliseconds in the command line immediately after the port number. You can also specify the number of messages sent per second by using the -rate option. If neither the sleep parameter nor the -rate option is used, a rate of 100 messages per second is used.
• To replay each message from a file several times, use the -repeat <number> option to send each message from the file <number> times.
• To replay all messages from a file several times, use the -repeatfile <number> option to repeat the entire file <number> times.
• To replay a limited number of messages, use the -stop <number> option to send only the specified total number of messages.

Note: You must use a space between all of the parameters and options, as well as between options and their values, as in the following example:
replay.exe dump3.hex -rate 5 -repeat 3      -- is correct;
replay.exedump3.hex -rate5-repeat3          -- is not correct.

Command line examples

Here are several more command line examples:

• Example #1:
>replay.exe dump3.hex -rate 5 -repeat 3

In this example, none of the parameters were specified (except for the file name, which is obligatory). Therefore, the file dump3.hex was sent to the IP address 127.0.0.1 (default value), using the port 162 (default port for .hex files) at a rate of five messages per second and the whole process was repeated three times.

• Example #2:
>replay.exe WG0YPI1.snmp 10.3.5.10 122 60 -repeatfile 4

In this example, all four of the parameters were specified (WG0YPI1.snmp - file name, 10.3.5.10 - IP address, 122 - port number, 60 - sleep value, meaning that the messages are sent with an interval of 60 milliseconds), and all of the messages within the file are sent four times (-repeatfile 4).

• Example #3:
>replay.exe dump3.hex -repeat 7 -rate 3 -port 164 -ip 10.3.5.10

In this example, only the obligatory file name parameter was used. All other parameters were substituted by option values. Note that options can be placed in any order.
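As an added example (not IBM's replay.exe and not code from this guide), the following Python script implements the command line semantics described above: the positional file, ip/hostname, port and sleep parameters, the -rate, -repeat, -repeatfile, -stop and -hex|-snmp|-syslog options, the default ports per input type, and UDP delivery. It assumes, because the guide does not say, that the input file holds one message per line, with .hex lines containing hex-encoded datagram bytes and .snmp/.syslog lines containing plain text; all function names are my own.

```python
"""Replay-style resender for recorded Syslog/SNMP datagrams, modelled on the
parameter semantics described above. Added example, not IBM's replay.exe.
Assumptions (not stated in the guide): one message per line in the input file;
.hex lines are hex-encoded datagram bytes, .snmp/.syslog lines are plain text;
messages are delivered over UDP."""
import socket
import sys
import time
from pathlib import Path
from typing import Iterable, Iterator, List, Optional

DEFAULT_PORTS = {"hex": 162, "snmp": 162, "syslog": 514}
DEFAULT_RATE = 100   # messages per second when neither sleep nor -rate is given
OPTIONS_WITH_VALUE = ("ip", "port", "rate", "repeat", "repeatfile", "stop")


def detect_type(filename: str, forced: Optional[str] = None) -> str:
    """Input type from -hex|-snmp|-syslog if given, otherwise from the extension."""
    kind = forced or Path(filename).suffix.lstrip(".").lower()
    if kind not in DEFAULT_PORTS:
        raise ValueError(f"cannot tell the input type of {filename!r}; use -hex, -snmp or -syslog")
    return kind


def parse_command(argv: List[str]) -> dict:
    """Mirror the documented command line: <file> [ip/hostname] [port] [sleep],
    then space-separated options in any order. '-' as the file name means stdin."""
    if not argv:
        raise ValueError("the input file name is obligatory")
    cmd = {"file": argv[0], "ip": "127.0.0.1", "port": None, "sleep": None,
           "rate": None, "repeat": 1, "repeatfile": 1, "stop": None, "type": None}
    positional = ["ip", "port", "sleep"]   # consumed in this order when not options
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in ("-hex", "-snmp", "-syslog"):
            cmd["type"] = tok[1:]
            i += 1
        elif tok.startswith("-"):
            name = tok[1:]
            if name not in OPTIONS_WITH_VALUE or i + 1 >= len(argv):
                raise ValueError(f"option {tok} is unknown or is missing its value")
            cmd[name] = argv[i + 1] if name == "ip" else int(argv[i + 1])
            i += 2
        elif positional:
            name = positional.pop(0)
            cmd[name] = tok if name == "ip" else int(tok)
            i += 1
        else:
            raise ValueError(f"unexpected argument {tok!r}")
    cmd["type"] = detect_type(cmd["file"], cmd["type"])
    if cmd["port"] is None:                 # 162 for hex/snmp, 514 for syslog
        cmd["port"] = DEFAULT_PORTS[cmd["type"]]
    return cmd


def parse_messages(lines: Iterable[str], kind: str) -> List[bytes]:
    """Turn input lines into datagrams; blank lines are skipped."""
    out = []
    for line in lines:
        line = line.strip()
        if line:
            out.append(bytes.fromhex(line) if kind == "hex" else line.encode("utf-8"))
    return out


def interval_seconds(sleep_ms: Optional[int], rate: Optional[int]) -> float:
    """Gap between messages: the sleep value wins, then -rate, else 100 msg/s."""
    if sleep_ms is not None:
        return sleep_ms / 1000.0
    return 1.0 / (rate if rate else DEFAULT_RATE)


def schedule(messages: List[bytes], repeat: int = 1, repeatfile: int = 1,
             stop: Optional[int] = None) -> Iterator[bytes]:
    """Sending order: the whole file `repeatfile` times, each message `repeat`
    times in a row, cut off after `stop` messages in total."""
    sent = 0
    for _ in range(repeatfile):
        for msg in messages:
            for _ in range(repeat):
                if stop is not None and sent >= stop:
                    return
                yield msg
                sent += 1


def replay(cmd: dict, messages: List[bytes]) -> int:
    """Send the scheduled datagrams to cmd['ip']:cmd['port'] over UDP; returns the count."""
    gap = interval_seconds(cmd["sleep"], cmd["rate"])
    count = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in schedule(messages, cmd["repeat"], cmd["repeatfile"], cmd["stop"]):
            sock.sendto(msg, (cmd["ip"], cmd["port"]))
            count += 1
            time.sleep(gap)
    return count


if __name__ == "__main__":
    command = parse_command(sys.argv[1:])
    source = sys.stdin if command["file"] == "-" else open(command["file"], encoding="utf-8")
    with source:
        datagrams = parse_messages(source, command["type"])
    print(f"sent {replay(command, datagrams)} messages to {command['ip']}:{command['port']}")
```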


Getting information about the Log Manager release


On every page of the Log Manager, you can get release information for the application. Click the company logo in the upper right corner of the page. The About Log Manager page opens, showing details about the current release of the application.

Using common procedures


This section summarizes the procedures that are common to the main reports of the Log Manager.

Filtering reports
The Log Manager offers the possibility of applying filters to the underlying audit data. Applying a filter limits the amount of information in the Log Manager reports. Filters are usually accessible through the funnel-shaped icons on the corresponding elements of the Log Manager lists. If the data in a column is already filtered, the funnel-shaped icon is shown in orange; otherwise, the icon is unavailable. The Filter dialogs that open have multiple-selection lists, check boxes, and other controls that limit the audit data available on the pages of the Log Manager according to the respective criteria. Every Filter dialog has a Start Filter control to apply the filtering criteria, a Clear Filter control to reset the criteria, and Cancel to stop the filtering action. If a filter is applied to a multi-page list, the Log Manager returns to page 1.

Sorting data
Log data that the Log Manager lists can be sorted. An orange line that is displayed when you hover the mouse pointer over the header of a column indicates that the column can be used for sorting. The sort order of a paged list view can be changed by either of the following methods:
• Clicking the header text of a column.
• Clicking the respective icons at the right-hand side of the Sorting section in the Extra Information pane. These icons control the position of a sorting criterion in the set of the currently active sorting criteria.

Clicking the header text of a column repeatedly cycles through the following states:
• Data is sorted in this column in ascending order.
• Data is sorted in this column in descending order.
• Data is not sorted in this column.

A paged list view can be sorted in multiple columns (with a maximum of 4 columns at a time). Data is sorted first in the column that was clicked last, then in the previously clicked column, and so on. This is reflected in the Sorting section of the Extra Information pane. Refer to Inquiring about collection events on page 213 for a description of the paged list view. To move a sorting criterion one position up in the current set of active sorting criteria, click the up arrow to the right of the required criterion in the Sorting section of the Extra Information pane. To move it one position down, click the corresponding down arrow.

Note: Applying sorting always moves the Log Manager to the first page of the paged list view.


Log Manager common procedures

Handling of time in reports


Whenever audit data is shown in the Log Manager, it is shown in local time according to the active time zone. The active time zone can be one of the following:
Audited time zone
    Time zone according to the locale of the audited system.
Server time zone
    Time zone according to the locale of the Server system.
Browser time zone
    Time zone of the local system.
Specific time zone
    Time zone that can be customized through the Log Manager.

Various Log Manager reports may present data in different active time zones. The choices available for changing the active time zone are in the View section of the Extra Information pane. If audit data is sorted by a time criterion, the sorting is done independently of the active time zone. You can notice this, for example, when the active time zone is set to the audited time zone: you may see a mixture of time zones, so that the UTC-based ordering is no longer the same as the ordering for the browser time zone.

To show the time zone in a Log Manager report, click Show time zone in the View section of the Extra Information pane. The title of the control then switches to Hide time zone, and it can be used for the reverse operation. The name of this command always ends with the current time zone, in brackets. Time and date labels in the Log Manager reports are always formatted according to the browser time zone.

Every week is assigned a number. Week 1 is determined according to the first week of the year fixed setting. See Using the settings on page 234 for details about the Log Manager fixed settings.

The following time-related terms must also be distinguished while working with the Log Manager reports:
Last hour
    The last 60 minutes, up to and including the last minute for which data is available. It is applicable to the graph of the Log Continuity Report only (see Inquiring about the completeness of log collections on page 216).
Last day
    The last 24 hours, up to and including the last hour for which data is available.
Last week
    The last 7 days, up to and including the last day for which data is available.
Last month
    The last 31 days, up to and including the last day for which data is available.
Last year
    The last 12 months, up to and including the last month for which data is available.



Last complete hour
    The last full hour (starting at minute 0 and ending at minute 59) for which data is available. It is applicable to the graph on the Log Continuity Report only (see Inquiring about the completeness of log collections on page 216).
Last complete day
    The last full day (starting at hour 0 and ending at hour 23) for which data is available.
Last complete week
    The last full week (starting at the first day of the week and running for 7 days) for which data is available.
Last complete month
    The last full month (starting at day 1 and ending at day 28, 29, 30, or 31) for which data is available.
Last complete year
    The last full year (starting in January and ending in December) for which data is available.

When the reporting period is Last hour, Last day, Last week, Last month, or Last year, the right arrow of the time sliding control on the graph is absent. Clicking the left arrow moves the reporting period to the Last complete hour, day, week, month, or year, respectively. When the reporting period is Last complete hour, day, week, month, or year and you click the right arrow, the reporting period on the graph moves back to the Last hour, day, week, month, or year, respectively.

For example, in the Trend Chart section of the Collect History Report, if the reporting period is currently set to Last day and the last log collection happened today at 13:30, the graph shows yesterday hour 14 up to and including today hour 13. If you click the left arrow on the time sliding control, the reporting period moves to show all of yesterday. If you click the right arrow, the reporting period moves back to yesterday hour 14 up to and including today hour 13, and the right arrow is no longer displayed on the time sliding control.
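The period definitions above, together with the Monday/ISO-8601 week rule from the Log Manager fixed settings, as an added Python example that is not part of this guide or of the product. The timestamp 2008-06-12 13:30 is a constructed stand-in for "the last log collection happened today at 13:30"; every function name is my own, and windows are returned with an exclusive end.

```python
"""Reporting-period windows as the Log Manager text defines them. Added example,
not IBM code. A rolling 'Last <X>' period ends at the last minute/hour/day/month
for which data exists; 'Last complete <X>' is the last fully elapsed calendar
unit before the one holding the newest data. Weeks start on Monday and are
numbered per ISO-8601, matching the Log Manager fixed settings.
Windows are (start, end) with `end` exclusive."""
from datetime import date, datetime, timedelta
from typing import Dict, Tuple

Window = Tuple[datetime, datetime]

# rolling periods: how many of which calendar unit, counted back from the
# unit that contains the newest data
ROLLING = {"hour": (60, "minute"), "day": (24, "hour"), "week": (7, "day"),
           "month": (31, "day"), "year": (12, "month")}


def _floor(ts: datetime, unit: str) -> datetime:
    """Start of the calendar unit (minute ... year) that contains ts."""
    if unit == "minute":
        return ts.replace(second=0, microsecond=0)
    if unit == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "day":
        return day
    if unit == "week":
        return day - timedelta(days=day.weekday())   # Monday has weekday() == 0
    if unit == "month":
        return day.replace(day=1)
    if unit == "year":
        return day.replace(month=1, day=1)
    raise ValueError(f"unknown unit {unit!r}")


def _add(ts: datetime, unit: str, n: int) -> datetime:
    """Move a unit-aligned timestamp by n units (n may be negative)."""
    if unit in ("minute", "hour", "day", "week"):
        return ts + timedelta(**{unit + "s": n})
    if unit == "month":                                # calendar months, day stays 1
        total = ts.year * 12 + (ts.month - 1) + n
        return ts.replace(year=total // 12, month=total % 12 + 1)
    if unit == "year":
        return ts.replace(year=ts.year + n)
    raise ValueError(f"unknown unit {unit!r}")


def last_period(kind: str, newest: datetime) -> Window:
    """'Last <kind>': the last N units up to and including the unit holding newest."""
    count, unit = ROLLING[kind]
    end = _add(_floor(newest, unit), unit, 1)
    return _add(end, unit, -count), end


def last_complete_period(kind: str, newest: datetime) -> Window:
    """'Last complete <kind>': the calendar unit before the one holding newest."""
    end = _floor(newest, kind)
    return _add(end, kind, -1), end


def slide(period: str, arrow: str) -> str:
    """Time-slider arrows: left moves 'last X' to 'last complete X', right moves
    back; the right arrow is absent while a rolling period is shown."""
    kind = period.split()[-1]
    if arrow == "left" and not period.startswith("last complete"):
        return "last complete " + kind
    if arrow == "right" and period.startswith("last complete"):
        return "last " + kind
    raise ValueError(f"the {arrow} arrow is not available on '{period}'")


def week_number(day_iso: str) -> int:
    """ISO-8601 week number: Monday first, week 1 is the first week with a Thursday."""
    return date.fromisoformat(day_iso).isocalendar()[1]


def windows_for(newest_iso: str) -> Dict[str, Tuple[str, str]]:
    """All ten reporting windows for a newest-data timestamp, as ISO strings."""
    newest = datetime.fromisoformat(newest_iso)
    result = {}
    for kind in ROLLING:
        s, e = last_period(kind, newest)
        result["last " + kind] = (s.isoformat(), e.isoformat())
        s, e = last_complete_period(kind, newest)
        result["last complete " + kind] = (s.isoformat(), e.isoformat())
    return result


if __name__ == "__main__":
    # the guide's example: last collection at 13:30 -> Last day spans yesterday 14h .. today 13h
    for name, (start, end) in windows_for("2008-06-12T13:30:00").items():
        print(f"{name:20s} {start} .. {end} (end exclusive)")
```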

Using the settings


In the framework of the Log Manager, the following concepts are related to the Log Manager settings:
• Fixed settings are the Log Manager settings that are constant and that you cannot change. These settings are kept on the disk in an initialization file or a property file, and are initialized when the user logs in. They remain unchanged during your user session.
• User preferences are the settings that you set while using the user interface. They have a default value that is used the first time a specific user logs in. The current values of these settings are kept in persistent storage for each individual user.


Log Manager settings


Table 11 contains information about fixed settings in the Log Manager.

Table 11. Fixed settings in the Log Manager

Setting                  Value
First day of the week    Monday (in accordance with ISO-8601).
First day of the year    First four-day week. If the first day of the week is Monday, this is the first week that has its Thursday in the new year (in accordance with ISO-8601).
Page size                24, the number of rows per page of the paged list view.
Dashboard time zone      Browser time zone. Data on the Log Manager Dashboard is shown for the time zone of the browser.

Other settings of the Log Manager such as visibility of panes and sections, time scale, filters applied, sorting criteria, and so on are user preferences. You can set them while using controls that the Log Manager provides. All pages have the Restore default settings command in the Actions section of the Extra Information pane. Clicking it resets all page settings of the current page to their default values.


Appendix A. Support information


This section describes the following options for obtaining support for IBM products:
• Searching knowledge bases
• Obtaining fixes
• Registering with IBM Software Support on page 238
• Receiving weekly software updates on page 238
• Contacting IBM Software Support on page 239

Searching knowledge bases


If you encounter a problem, you want it resolved quickly. You can search the available knowledge bases to determine whether the resolution to your problem was already encountered and is already documented.

Searching information centers


IBM provides extensive documentation in an information center that can be installed on your local computer or on an intranet server. You can use the search function of this information center to query conceptual information, instructions for completing tasks, reference information, and support documents.

Searching the Internet


If you cannot find an answer to your question in the information center, search the Internet for the latest, most complete information that might help you resolve your problem. To search multiple Internet resources for your product, perform the following steps:
1. Expand the product folder in the navigation frame on the left.
2. Expand Troubleshooting and support.
3. Expand Searching knowledge bases.
4. Click Web search.

From this topic, you can search a variety of resources, including the following:
• IBM Technotes
• IBM downloads
• IBM Redbooks
• IBM developerWorks
• Forums and news groups
• Google

Obtaining fixes
A product fix might be available to resolve your problem. To determine what fixes are available for your IBM software product, check the product support site by performing the following steps:
1. Select the IBM Software Support site at the following Web address:
   http://www.ibm.com/software/support
2. Under Products A - Z, click the letter with which your product starts to open a Software Product List.
3. Click your product name to open the product-specific support page.
4. Under Self help, follow the link to All Updates, where you can find a list of fixes, fix packs, and other service updates for your product. For tips on refining your search, click Search tips.
5. Click the name of a fix to read the description.
6. Optionally, download the fix.

Copyright IBM Corp. 1998, 2008

Registering with IBM Software Support


Before you can receive weekly email updates about fixes and other news about IBM products, you need to register with IBM Software Support. To register with IBM Software Support, follow these steps:
1. Select the IBM Software Support site at the following Web address:
   http://www.ibm.com/software/support
2. Click Register in the upper right-hand corner of the support page to establish your user ID and password.
3. Complete the form, and click Submit.

Receiving weekly software updates


After registering with IBM Software Support, you can receive weekly email updates about fixes and other news about IBM products. To receive weekly notifications, follow these steps:
1. Select the IBM Software Support site at the following Web address:
   http://www.ibm.com/software/support
2. Click the My support link to open the Sign in page.
3. Provide your sign in information, and click Submit to open your support page.
4. Click the Edit profile tab.
5. For each product about which you want to receive updates, use the filters to select your exact interests, and click Add products.
6. Repeat step 5 for each additional product.
7. After choosing all your products, click the Subscribe to email link.
8. For each product category, use the filters and select which updates you want to receive, and click Update.
9. Repeat step 8 for each additional product category.

For more information about the types of fixes that are available, see the IBM Software Support Handbook at the following Web address:
http://techsupport.services.ibm.com/guides/handbook.html


Contacting IBM Software Support


IBM Software Support provides assistance with product defects. Before contacting IBM Software Support, the following criteria must be met:
• Your company has an active IBM software maintenance contract.
• You are authorized to submit problems to IBM Software Support.

The type of software maintenance contract that you need depends on the type of product that you have. Product types are one of the following categories:
• For IBM distributed software products (including, but not limited to, Tivoli, Lotus, and Rational products, as well as DB2 and WebSphere products that run on Windows, Linux, or UNIX operating systems), enroll in Passport Advantage in one of the following ways:
  Online
      Select the IBM Software Passport Advantage site at the following Web address and click How to Enroll:
      http://www.lotus.com/services/passport.nsf/WebDocs/Passport_Advantage_Home
  By phone
      For the phone number to call in your country, select the IBM Software Support site at the following Web address and click the name of your geographic region:
      http://techsupport.services.ibm.com/guides/contacts.html
• For IBM eServer software products (including, but not limited to, DB2 and WebSphere products that run in zSeries, POWER, pSeries, and iSeries environments), you can purchase a software maintenance agreement by working directly with an IBM sales representative or an IBM Business Partner. For more information about support for eServer software products, select the IBM eServer Technical Support Advantage site at the following Web address:
  http://www.ibm.com/servers/eserver/techsupport.html

If you are not sure what type of software maintenance contract you need, call 1-800-IBMSERV (1-800-426-7378) in the United States or, from other countries, select the contacts page of the IBM Software Support Handbook at the following Web address and click the name of your geographic region for phone numbers of people who provide support for your location:
http://techsupport.services.ibm.com/guides/contacts.html

To contact IBM Software Support, follow these steps:
• Determining the business impact
• Describing problems and gathering information on page 240
• Submitting problems on page 240

Determining the business impact


When you report a problem to IBM, you are asked to supply a severity level. Therefore, you need to understand and assess the business impact of the problem that you are reporting. Use the following severity criteria:


Severity 1
    The problem has a critical business impact. You are unable to use the program, resulting in a critical impact on operations. This condition requires an immediate solution.
Severity 2
    The problem has a significant business impact. The program is usable, but it is severely limited.
Severity 3
    The problem has some business impact. The program is usable, but less significant features that are not critical are unavailable.
Severity 4
    The problem has minimal business impact. The problem causes little impact on operations, or a reasonable circumvention to the problem was implemented.

Describing problems and gathering information


When explaining a problem to IBM, be as specific as possible. Include all relevant background information so that IBM Software Support specialists can help you solve the problem efficiently. To save time, know the answers to these questions:
• What software versions were you running when the problem occurred?
• Do you have logs, traces, and messages that are related to the problem symptoms? IBM Software Support is likely to ask for this information.
• Can you create the problem again? If so, what steps were performed to encounter the problem?
• Was any change made to the system? For example, were there changes to the hardware, operating system, networking software, and so on?
• Are you currently using a workaround for this problem? If so, be prepared to explain it when you report the problem.

Submitting problems
You can submit your problem to IBM Software Support in one of two ways:
Online
    Select the Submit and track problems page on the IBM Software Support site at the following address, and provide your information into the appropriate problem submission tool:
    http://www.ibm.com/software/support/probsub.html
By phone
    For the phone number to call in your country, select the contacts page of the IBM Software Support Handbook at the following Web address and click the name of your geographic region:
    http://techsupport.services.ibm.com/guides/contacts.html

If the problem you submit is for a software defect or for missing or inaccurate documentation, IBM Software Support creates an Authorized Program Analysis Report (APAR). The APAR describes the problem in detail. Whenever possible, IBM Software Support provides a workaround that you can implement until the APAR is resolved and a fix is delivered. IBM publishes resolved APARs on the IBM product support Web pages daily, so that other users who experience the same problem can benefit from the same resolution.


For more information about problem resolution, see Searching knowledge bases on page 237 and Obtaining fixes on page 237.


Appendix B. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information about the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not be displayed.

Trademarks
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: 1-2-3, AIX, DB2, developerWorks, Domino, eServer, IBM, IBM logo, iSeries, Lotus Notes, OS/390, OS/400, Passport Advantage, POWER, pSeries, Rational, Redbooks, Tivoli, WebSphere, z/OS, zSeries.

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.


Index

A
accessibility xiii
aggregation
    iView 165
    processes 8
alerts
    attention severity 121
    configuring 117
    creating 117
    custom 123
    delaying 119
    event severity basis 116
    handler 113
    handlers, creating 126
    managing 113
    policy 113
    repeated 120
    severity delays 127
    SMTP 121
    SNMP 122
attention events 171
attention rules
    creating 108
    defining and managing 108
    deleting 110
    editing 109
    purpose 23, 108
    severity levels 110
audit administration
    collect schedules 73
    data collection 69, 72
    database properties 77
    event source properties 78
    event sources 69, 71, 72
    GEM databases 69, 77
    load schedules 74
    manual data loads 76
    passwords 86
    sliding load schedules 75
    system properties 78
    users' roles 85
audit data
    displaying in iView 51
    importing 53
automatic policies 111

B
Basel II compliance xi
books
    see publications xi, xiii
breadcrumb links 159

C
chunk logs 11, 13
cluster 5
collect
    Actuator configuration 12
    batch collect 11
    custom 17
    definition 11
    FTP 17
    original audit logs 11
    point of presence 12
    process steps for a security log 12
    remote for Windows 13
    security logs 11, 12
    SNMP 14
    SSH 14
    steps for remote type 13
    Syslog 14
    using external APIs 16
committing policies for auditing 111
common problems reporting
    describing problem 240
    determining business impact 239
    gathering information 240
    submitting 240
compliance types supported xi
conditions
    attention rules 108
    copying 103
    creating for groups 96
    Custom Report wizard 183
    defining members in groups 96
    definition 96
    deleting 95, 104
    edited 97
    group definitions 33
    list 188
    managing 89
    moving 103
    new 97
    OnWhat 100
    requirements 97
    What group 98
    When group 99
    Where group 100
    Who group 98
configuration tools
    Events by rule 176
    Events by type 176
    Policy Settings 176
    reports 176
    W7 Summary 176
consolidation database 8
conventions, typeface xiv
customer support
    contacting 239
    information centers 237
    Internet 237
    knowledge bases 237
    obtaining fixes 237
    receiving updates 238
    registering 238
    submitting problems 240

D
daily verification
    Events by type report 173
    Impersonation report 173
    Logon Failure Summary report 172
    Users report 173
data collection
    actuator 72
    logs 72
    schedules 72, 73
data export schedule, setting 52
data loading
    creating schedules 74
    manual 77
    setting schedules 74
    sliding schedule 75
data model, GEM 21
databases
    clearing 77
    loading 74
    manual loading 76
    viewing or changing properties 77
depot
    indexing the data 19
    investigation function 19
    log 8
    purpose as archive 11, 12
detailed investigations
    logon history by platform 174
    logon history by user 175
    Object Audit 175
    object history 175
    period group by users 175
    platforms 174
    reports 173
    suspect by object group 175
    suspects by platform 174
    user audit 175
    user audit by object group 175
    user history 175
    users by event type 175
directory names, notation xiv

E
education
    see Tivoli technical training xiii
environment variables, notation xiv
Event File parameter 113
event sources
    attaching to a database 71
    deleting 63
    moving 72
    properties 78
    removing from a database 71
    renaming 63
Events by Type report 173
events, Special Attention 172
exceptions to policy 171

F
failures 172
fixes, obtaining 237
FTP collect 17

G
GEM databases
    adding 69
    clearing 77
    deleting 70
    moving event source to another database 72
    schedules 77
Generic Event Model (GEM) 21
GLBA compliance xi
graphics 165
group definition sets
    copying 94, 103
    creating 93, 96
    deleting 94
    global 94
    importing 95
    purpose 93
    W7s 93
groups
    conditions 96, 97
    copying 102
    creating rules 95
    defining and managing 95
    deleting 103
    moving 102
    OnWhat 100
    renaming 102
    requirements 97
    significance, changing 101
    W7 attributes 21, 23
    What 98
    When 99
    Where 99
    Who 97

H
HIPAA compliance xi

I
Impersonation report 173
In Period group by Users report 175
index
    disabling 19
indexing data in log depots 19
information centers, searching 237
Internet, searching 237
ISO 27001 compliance xi
iView
    accessing from the Management Console 52
    aggregation 165
    audit data display 51
    failures 172
    Gallery of reports 172
    Navigating reports 159
    URL definitions 52

K
knowledge bases
    information centers 237
    Internet 237
    searching 237

L
Log Manager 88
Logon Failure Summary report 172
Logon History by Platform report 174
Logon History by User report 175
logs
    actuator usage 12
    analysis 19
    centralized data 21
    chunk 11
    collect from point of presence 12
    data collection schedules 72
    depot 8, 19
    event 15
    GEM databases 77
    importing log data 53
    load schedules 74
    manual load schedules 76
    original audit 11
    remote collect 13
    retrieval 20, 88
    retrieving security data 11
    security xi, 11
    sliding load schedules 75
    sub-chunk 11
    user behavior xi

M
Management Console
    accessing iView 52
    appearance changes 47
    changing 47
    commands 50
    customizing 48
    opening and closing Windows 45
    refreshing window content 49
    starting and stopping 43
    switching users 44
    toolbars 48
    tools 52
    users 44
manual loads into databases 76
manuals
    see publications xi, xiii
mapping data 8, 19, 21

N
notation
    environment variables xiv
    path names xiv
    typeface xiv

O
Object Audit report 175
Object History report 175
online publications
    accessing xiii
ordering publications xiii

P
pages
    All Events 151
    Changing Scoping Status 136
    Choose a Collect Schedule 66
    Choose a Database 76
    Choose a Machine 66
    Choose a User Information Source 66
    Choose Period 76
    Choose Type of Removal 64
    Collect Now 76
    Compliance Dashboard 31, 151, 159, 160
    Confirm Status Change 135
    Dashboard 36, 150, 153, 157
    Database Summary 156, 171, 172
    Define User Information Source Properties 66
    Enterprise Overview Settings 154
    Event Detail 171
    Failures 171
    Failures Summary 172
    Group types 167, 168, 169
    Group Types 151
    Groups 31
    iView 87
    iView login 31
    iView report 159
    iView settings 155
    Move Assets To 140, 141
    New Member 138
    Overview of Portal 151
    Policy Exception Summary 171
    Policy Exceptions 171
    Policy Maintenance 91
    Policy Settings 36, 151
    Portal Login 145
    Portal Login Error 145
    Portal Logon 129, 132
    Portal Overview 145
    Regulations Resource Center 151
    Reports 169, 171
    Scoping Overview 133
    Select Event Source 64
    Settings 153, 154
    Special Attention 171
    Special Attention Summary 172
    stored 149
    Summary 31
    User Preferences
        enterprise overview settings 155, 156
        iView settings 151
        time zone settings 157
    W7 Summary 161
passwords, changing 86
path names, notation xiv
percentage view 165
platform groups
    creating 55
Platform History report 174
platforms
    creating 92
    deleting 93
policies
    administration 89
    applying 90
    creating 90, 108
    creating and managing 89
    definition 89
    deleting 91, 110
    duplicating 90
    editing 91, 109
    empty 90
    hiding and showing rules 107
    importing rules 107
    maintenance 89
    renaming 92
    rules 89, 105, 106
    security 33
    storing 90
    testing 110
Policy
    commit for auditing 111
    test 110
    view automatic 111
Policy rules 69, 171
portal 129
properties
    changing for a database 77
    dialog 77
    event sources 78
    system 78
protocols
    alerts 121
    settings 121
publications xi
    accessing online xiii
    ordering xiii

R
reports
    compliance xi
    daily verification 172
    Failures Summary 172
    privileged user activity xi
    regulating scope access to information xi
    Special Attention Event Summary 172
requirements
    copying 104
    deleting 105
    moving 105

S
Sarbanes-Oxley compliance xi
Scoping 134
    enabling and disabling 133
Security Group
    Grouped Server 81
    Security Server 81
    user management 81
severity-delay support 113
sliding load schedule 75
software updates, receiving 238
Special attention 171
special attention events, by severity 172
statistics, in aggregation 8
sub-chunk logs 11
Summary window 171
support
    See customer support
Suspect by Object group report 175
Suspect by Platform report 174
system groups
    creating 55
    deleting 56
    moving within 58
    renaming 55
system maintenance
    group tasks 55
    individual systems 57
systems
    adding 57
    adding event sources 61
    adding user information sources 65
    deleting 59
    moving 58
    properties 78
    reattaching 60

T
Testing policies 110
Tivoli Compliance Insight Manager iView
    aggregation 165
    getting started 149
Tivoli Information Center xiii
Tivoli technical training xiii
training, Tivoli technical xiii
trends 165
typeface conventions xiv

U
User audit by Object Group report 175
User Audit report 175
User History report 175
user information sources
    adding to systems 65
    deleting sources 68
    renaming sources 67
user management
    centralized user management 81
users
    creating or adding 85
    daily verification 173
    deleting 85
    managing 85
    naming 85
    passwords 85, 86
    roles 85, 87
Users by Event type report 175

V
variables, notation for xiv
View
    graphics 165
    percentage 165
violations of established policy 171

W
wizards
    Add Event Source 57, 61, 62
    Add Machine 57, 58
    Add User Information Source 66
    Custom Report 183, 187, 188
    Delete Event Source 63
    Delete GEM database 70
    graphical 129
    Grouping
        group definition sets 95
        overview 31
        policy rules, creating 51
        types of groups
            access 151
            iView 108
    Load Database 76, 77, 110
    Load Now 120
    Policy
        file extension used 107
        importing policy 108
        link from Configuration tools report 171, 176
        policy creation 33, 51
        Policy Settings report 176
        rules creation 34, 35
        using in iView 88
    Reports 147, 183

Copyright IBM Corp. 1998, 2008


Printed in USA

SC23-6581-00
