UnixSOE Enterprise Suite v8.x Data Security


UnixSOE Enterprise Suite v8.x Data Security Dec 2013

Contents
- Introduction
- Current Procedures
- Transfer Infrastructure (TI)
- TI Hierarchy
- Customer to CSC Network TI Requirements
- Presentation Server (PS)
- Store and Forward Server (SFS)
- Data Transfer Approval
- Strategic Tools - Additional Information

Introduction
These slides present an overview of the UnixSOE Enterprise Suite v8.x, the Transfer Infrastructure and the Strategic Components, and consider the security aspects of deploying this solution into a new customer account. This forms part of the TI Security Pack.

Current Procedures
- Collection of information is manually intensive
  - System configuration data
  - Capacity planning and performance data
  - Patch data
  - Security audit data
- Frequent requirement to collect other data
- Usually requires manual logon to each and every server
- Unix global strategic tools, which collect this information, require multiple collection nodes
  - Overhead to install and maintain
- Often very little automation and highly manual activities
- Process is resource intensive
  - Leads to delays/omissions/errors
- SOE v3.x or later resolves these issues

Transfer Infrastructure (TI)
- SOE v8.x relies on a Transfer Infrastructure (TI)
- The TI provides:
  - A centrally managed and secure data collection infrastructure for the Strategic Components
  - A central database for storage of collected data
  - A web interface for global queries and reporting
- Data collected by UnixSOE Enterprise Suite:
  - Auto-Config: System configuration and patch data
  - Caper: Capacity planning and performance data
  - CaperLPAR: Capacity planning and performance data for LPAR and VIO
  - CaperVMware: Capacity planning and performance data for ESX
  - SOE Harden: Security audit & Configuration Management
  - SOE PatchTT: Patch Tracking & Management Tool
  - vAuto-Config: System configuration data for virtual environment
  - Cron Manager: Server crontab management

TI Hierarchy
- A CSC regional Presentation Server (PS) will be installed in each CSC strategic data centre (i.e. Australia, EMEA and NA)
- A Store & Forward Server (SFS) will be installed in each CSC customer account network
- A Strategic Component will be installed on each TI client (i.e. individual UNIX servers), to collect data for that server
- The SFS receives data from all the TI clients, and forwards this to the regional PS server
- The PS server receives data from the account SFS, imports it into a database, and provides a web interface so that staff can view/report on the data
- The TI encrypts all data (using OpenSSH – Secure Shell) and communications from the client to the SFS, and onwards to the PS

Customer to CSC Network TI Requirements
- Customer SFS connectivity to regional CSC PS (via OpenSSH, port 22)
- Regional CSC PS connectivity to customer based SFS (via OpenSSH, port 22)
- Data transfers supported via POLL or PUSH mode
  - POLL mode: PS initiates connection to SFS (default), i.e. connection originates from CSC into customer network
  - PUSH mode: SFS initiates connection to PS, i.e. connection originates from customer into CSC network
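
Whichever side accepts the port 22 connection (the SFS in POLL mode, the PS in PUSH mode) holds the peer's public key, and a reviewer will want that key limited to the transfer job. The script below is an added example, not part of the TI product or the original slides: it audits an authorized_keys file for keys missing a source-address, forced-command or forwarding restriction. The account, the /opt/ti/bin/send-queue path, the addresses and the keys are constructed assumptions.

```sh
#!/bin/sh
# Added example. The account, paths, addresses and keys below are constructed.

# Print one finding per key that lacks a required restriction.
audit_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        sub(/^[ \t]+/, "")
        opts = ""
        # A line that starts with a key type carries no options at all.
        if ($1 !~ /^(ssh-|ecdsa-|sk-)/) {
            inq = 0
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "\"") inq = !inq
                else if (c == " " && !inq) break    # unquoted space ends options
                opts = opts c
            }
        }
        miss = ""
        if (opts !~ /(^|,)from="/)    miss = miss " from="
        if (opts !~ /(^|,)command="/) miss = miss " command="
        if (opts !~ /(^|,)(restrict|no-port-forwarding)(,|$)/) miss = miss " restrict"
        if (miss != "") printf "line %d: missing%s\n", NR, miss
    }' "$1"
}

# Constructed sample: keys accepted by a hypothetical transfer account.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# authorized_keys for the transfer account (constructed)
restrict,from="192.0.2.10",command="/opt/ti/bin/send-queue" ssh-ed25519 AAAAC3ConstructedKeyOne ps-poll
from="192.0.2.10" ssh-rsa AAAAB3ConstructedKeyTwo ps-poll-old
ssh-ed25519 AAAAC3ConstructedKeyThree admin@laptop
command="/opt/ti/bin/send-queue --mode poll",no-port-forwarding,no-pty ssh-rsa AAAAB3ConstructedKeyFour legacy
EOF

audit_keys "$sample"
```

The parser treats every double quote as a delimiter, so option values containing escaped quotes need manual review.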

Presentation Server (PS)
- Data is stored in a PostgreSQL database
- Direct access to the database is protected via username/password based authentication
- Web reporting is provided via Apache web server
- Both canned and ad hoc reporting capabilities are available
- User level access to the web interface is also protected via the Authentication, Access Control, and Audit module (AAA):
  - Authentication via individual and unique username/password
  - Access Control restrictions on which data a user may view
  - Audit trail of user access and queries
- User account management is compliant with the CSC Unix Baseline Security Standard and CSC Corporate Security Policies
- TI servers are hardened to be compliant with the CSC Unix Baseline Security Standard and CSC Corporate Security Policies
- This standard has been ratified by the CSC Managed Security Solutions (MSS) Organization, the CSC Global Information Services (GIS) Security Line of Service (LoS)

Store and Forward Server (SFS)
- By default the SFS will relay data from the customer account based TI clients to the regional CSC PS
- SFS is configurable to control which data is forwarded to the regional CSC PS and which data is retained within the customer network
- Where data cannot be transmitted outside of the customer network, an account based PS is required to present this data locally within the customer network
- NB. Local presentation of data removes many of the benefits of deploying the TI, and should only be considered as a final option, after exhaustive investigation

Data Transfer Approval
- Require customer security approval
- Can all data from the UNIX Strategic Tools be forwarded to the regional CSC PS?
- Is there any data which is not permitted outside of the customer network, and which must remain on the customer account based SFS?
- This is not a simple yes/no decision, and the data generated by each tool should be considered carefully before answering the above questions
- Which data collection method will be used? (POLL v PUSH)
- The Data Security Approval Process is designed to ascertain answers to these questions
- Once completed, a signed agreement should be reached to define precisely the data transfer implementation

Strategic Components Additional Information

UnixSOE Enterprise Suite v8.x
- Auto-Config
- Caper
- CaperLPAR
- CaperVMware
- Harden
- PatchTT
- vAuto-Config
- Cron Manager
Detailed examples of the data generated by these components can be found in the UnixSOE Enterprise Suite v8.x Sample Data Reports document.

Overview - Auto-Config
Auto-Config is an inventory management tool. It is used to collect the following data:
- System hardware configuration information, i.e. CPU, Memory, Disk etc.
- Software inventory scanning, i.e. OS packages and patches etc.
- Third party software, i.e. Netbackup, VERITAS, Cluster etc.
- Database detection and configuration information
- Information about the virtual environment, i.e. ZONES, LPAR, WPAR
- Licensing information, i.e. VERITAS licenses, OS license etc.
- Server uptime and last logged in user info
- Hardware finance, warranty and lease information
It collects more than 70 categories of system configuration, network services, and installed package information.

Overview - UnixSOE Caper
SOE-Caper is a capacity management and baseline performance measuring tool. SOE-Caper supports heterogeneous Unix environments and their virtual equivalents. It consists of client and server components that work together with TI Services to provide a customized and standard view of the data for Capacity Planners.

UnixSOE Caper Features
- Standard Unix tools and utilities are used, in an effort to keep the “footprint” of this software as small as possible and to minimize additional costs associated with software license or maintenance fees.
- Visualization of raw performance data is provided for a selected number of key metrics. The consolidated data files created each day contain all of the accumulated metrics and can be used for more detailed ad hoc analysis.
- Long term historical data consisting of both raw and derived metrics are summarized and accumulated into ‘history’ files. This history is used to populate a relational database used to produce capacity reports and charts.
- System downtime reporting. System availability data is recorded during system startup and shutdown time. The availability data is stored in a relational database and can be used to produce the downtime statistics often required for SLA reports.

SOE-Caper LPAR Features
- Virtual equivalent of SOE-Caper for IBM LPARs
- Installed on LPARs for direct data capture, and on any one (or more) AIX box for remote VIO data capture
- Captures the CPU, memory, paging, disk and network performance statistics from IBM Logical Partitions
- Focuses more on CPU utilization metrics of LPARs by capturing their entitled capacity, number of physical CPUs consumed and CPU percent busy
- Remotely captures the HMC to Managed Power Server and Managed Server to LPAR and VIO relationship, from the managing HMC
- Remotely captures the CPU, memory, paging, disk and network performance statistics from VIOs

SOE-Caper VMware Features
- Virtual equivalent of SOE-Caper for ESX servers
- Installed on any one (or more) vMA
- Remotely captures CPU, memory, paging, disk and network performance statistics of ESX hosts and their guests from ESX
- Remotely captures the ESX to guest relationship
- Remotely captures the datastore capacity of ESX

Overview – UNIX Harden
- UNIX OS Security Auditing & Remediation
- Policy Based tool
- Perform 327+ Checks using 40 modules
- Security Standardization
- Scalability
- Supported on multiple OS/Hardware architectures
- Leverage existing CSC IT Infrastructure

UNIX Patch Management
SOE PatchTT is a patch tracking solution that tracks UNIX operating system and security patches at regular intervals against SOE Baseline, All Patch, Cumulative or Custom policies, and presents the analysis as user-friendly reports in a central place.
Product Highlights
- Automated distribution and centralized management of monthly baseline and other (custom, cumulative etc.) policies across the complete infrastructure.
- Automated distribution of baseline patches across the complete infrastructure.
- Intelligence to report vulnerabilities as per patch dependency defined in policy.
- Compliance computation on the basis of applicable patch count or host count in the registered group.
- Report remediation requirement by tracking patches against the policy activated on servers centrally.
- Multiple policies applicable on a single server.
- Feature to define a custom patch security baseline policy, to benchmark a system's vulnerability and standards.
- Compliance summary on the basis of various categories, i.e. patch severity and host operating system, etc.
- Pictorial flash graphs for management summary.

vAuto-Config Overview
vAuto-Config is an inventory management tool for heterogeneous virtual environments. It is used to collect the following data:
- Remote data collection from ESX, HMC and Squadron
- ESX Server configuration, i.e. CPU, Memory, Disk etc.
- Remotely captures the ESX host to guest relationship
- Remotely captures the datastore capacity of ESX
- Remotely captures the LPAR and VIO relationship from the managing HMC
- Installed on the global zone and collects information for all the non-global zones on it
- Top 5 CPU and Memory Configured Virtual Server

Cron Manager Overview
Cron Manager is a new tool to capture, configure and randomize SOE DCT (Harden, PatchTT and Auto-Config) cron configurations. This tool provides the following capabilities:
- Reporting existing SOE DCT (Harden, Auto-Config and PatchTT) cron configurations.
- Manage the cron schedule of SOE DCT components (Harden, Auto-Config, PatchTT) centrally from the Presentation Server.
- Randomize cron scheduling on a group of hosts to avoid processing spikes in a virtualized or physical environment.
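
One way to spread start times across a group of hosts, as an added example that is not Cron Manager's own code: each host gets a start minute derived from a checksum of its hostname, so the schedule is spread over a window yet stays reproducible for audit. The host names, the window (22:00 plus 240 minutes) and the /opt/soe/bin/audit-run path are constructed assumptions.

```sh
#!/bin/sh
# Added example. Host names and the job path are constructed.

# Print "minute hour" for a host inside a collection window.
# $1 = hostname, $2 = window start hour (0-23), $3 = window length in minutes
splay_slot() {
    sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)   # CRC of the hostname
    off=$((sum % $3))                                 # minutes into the window
    total=$(( ($2 * 60 + off) % 1440 ))               # wrap past midnight
    printf '%d %d\n' $((total % 60)) $((total / 60))
}

# Print the crontab line for one host. $4 = command to schedule
cron_line() {
    slot=$(splay_slot "$1" "$2" "$3")
    printf '%s %s * * * %s\n' "${slot% *}" "${slot#* }" "$4"
}

# Read hostnames on stdin; print how many hosts share the busiest start minute.
busiest_minute() {
    while read -r h; do splay_slot "$h" "$1" "$2"; done |
        sort | uniq -c | sort -rn | awk 'NR == 1 { print $1 }'
}

hosts="unixdb01 unixdb02 unixapp01 unixapp02 unixweb01"   # constructed
for h in $hosts; do
    printf '%-10s %s\n' "$h" "$(cron_line "$h" 22 240 /opt/soe/bin/audit-run)"
done
printf '%s\n' $hosts | busiest_minute 22 240
```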

Solution Pack Unix SOE & TI Services
Questions & Feedback
Product Support Helpline: unixsoe@csc.com
EMEA Platform Service Centre
Unix & Linux Server Solutions Team