IBM Software Group | Tivoli Brand Software

Presentation transcript:

IBM Software Group | Tivoli Brand Software IBM Tivoli Provisioning Manager 7.1 Compliance and Desired State Management IBM Tivoli Monitoring for Transaction Performance v52 ESP Workshop Workshop Guide

Configuration and Compliance aims
- In order to ensure a computer's adherence to security and operational standards, organizations must first define a compliant configuration for the computer.
- Once set, it is necessary to maintain the computer in that compliant configuration by periodically verifying the configuration and remediating any noncompliant findings.
- For most organizations, manual verification and remediation is not possible.

General Solution
- Identify the computers that need to be compliant
- Draw up the list of configuration items that need to be true in order for the computers to be considered compliant
- Inspect the computers to see how they are actually configured
- Compare the actual configuration with the compliant configuration and determine if the computers are compliant
- Report the results
- Fix the problems

The TPM 7.1 Solution
- Create software and security compliance checks for the device or group
- Schedule and run an inventory scan
- Schedule and run a compliance check
- Send notification messages and run scheduled reports
- Review the issues and act upon the recommendations

Compliance check types Software Module Stack Patch Group Software configuration check Security Patches

Software Compliance Checks
- Check individual software products
  - Software must be installed
  - Software must not be installed
  - Software installation is optional
- Check software groups
  - Minimum of one member of the group is required
  - All other members are considered optional

Moving on to software compliance checks, there are three kinds of software checks that can be applied to an individual software product, patch, or stack. It can be specified as required to be installed, optionally installed, or prohibited from being installed. For groups of software, there is a special installation check called "selection". This compliance check is satisfied if at least one member of the group is installed. For example, you can define a software group called Antivirus and put all the supported antivirus products and versions into it. Adding a compliance check for this group will ensure that at least one of these supported products is installed.
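An added example (not from the presentation or from TPM itself) of how the check kinds described above, including the group "selection" check, can be evaluated against a scanned inventory. The `Check` structure, the `evaluate` function and all product names are assumptions constructed for illustration; the "unknown" result models a computer that has no inventory scan yet.

```python
# Added example: evaluate software compliance checks against an inventory.
# Check kinds mirror the slide; names and data structures are assumptions.
from dataclasses import dataclass

REQUIRED, OPTIONAL, PROHIBITED, SELECTION = (
    "required", "optional", "prohibited", "selection")
KINDS = {REQUIRED, OPTIONAL, PROHIBITED, SELECTION}

@dataclass(frozen=True)
class Check:
    kind: str            # one of KINDS
    target: str          # product name, or group name for SELECTION
    members: tuple = ()  # group members, used only by SELECTION

def evaluate(checks, installed):
    """Return (status, findings) for one computer.

    installed is the list of products found by the last inventory scan,
    or None when no scan has run, in which case the status is unknown.
    """
    if installed is None:
        return ("unknown", [])
    present = set(installed)
    findings = []
    for c in checks:
        if c.kind not in KINDS:
            raise ValueError(f"unknown check kind: {c.kind}")
        if c.kind == REQUIRED and c.target not in present:
            findings.append(f"install {c.target}")
        elif c.kind == PROHIBITED and c.target in present:
            findings.append(f"uninstall {c.target}")
        elif c.kind == SELECTION and not present & set(c.members):
            findings.append(
                f"install one of group {c.target}: {', '.join(c.members)}")
        # OPTIONAL never yields a finding: installed or not, it complies.
    return ("noncompliant" if findings else "compliant", findings)

# Constructed sample policy (product names are placeholders).
CHECKS = [
    Check(REQUIRED, "Endpoint Agent"),
    Check(PROHIBITED, "ExampleP2P"),
    Check(OPTIONAL, "ExampleEditor"),
    Check(SELECTION, "Antivirus", ("AV-A 10", "AV-B 7")),
]

if __name__ == "__main__":
    print(evaluate(CHECKS, ["ExampleP2P", "ExampleEditor"]))
```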

Security Compliance Checks
These remain the same as in previous versions of TPM:
- AIX Activity Auditing
- AIX Remote Root Login
- Endpoint Agent
- Linux System Logging
- Operating System Patches and Updates
- Restrict Other Software
- UNIX File Permissions
- UNIX Services
- User Defined Check
- Windows Antivirus
- Windows Event Logging
- Windows File Permissions
- Windows Firewall
- Windows Hard Disk Password
- Windows Power-On Password
- Windows Screen Saver
- Windows Services
- Windows Unauthorized Guest Access
- Windows User Password

Question: What important checks have we forgotten?
Question: What antivirus and firewall software are you using today?

Details behind this list of security checks:
- Misconfigured or Missing Antivirus
  - Maximum elapsed time between scans
  - Minimum elapsed time between scans
  - Maximum age for the virus definitions file
  - Automatic update schedule
  - Missing antivirus software is handled using the same approach as any other missing software product
- Improper file ACLs
  - Windows: Permissions of groups or users to read/write/delete/execute/extended attribute permissions/etc.
  - UNIX: Permissions for owners/groups/others to read/write/execute; also check if a path is a directory
- File signatures - date/time, checksum (from 11/8 meeting)
- Detect when a file or group of files has changed
- Verify audit settings on Windows for logging the success and/or failure of the following:
  - User logon
  - System event
  - Object access
  - User access rights
  - Process tracking
  - Security policy change
  - Account management
  - Directory service access
  - Account logon
- Improper system logging settings
  - Windows: Application, security and system event logs retained for a minimum period of time.
  - UNIX: Verify that facility and priority are logged in the correct log file
  - AIX: Verify the following logs exist: /var/log/wtmp, /var/log/messages, /var/log/faillog
- Verify password settings on Windows: (/)
  - Minimum password length
  - Maximum password age
  - Password history (re: reuse of passwords)
- Verify guest access restrictions: (/)
  - Is guest account active
  - Is guest account locked
  - Is guest account only in the guest group
- Keyboard/Screen not password protected (/)
  - Screen saver is active
  - Screen saver password is set
  - Screen saver time value minimum value
- Hard-disk password not set (/)
- Power-on password not set (/)
- Prohibited services running
- Missing services
- AIX: Remote root login forbidden (/)
- Misconfigured or missing firewall (+)
  - The firewall process is monitoring network traffic
  - The firewall process is running
  - The firewall process is configured to autostart
  - Missing firewall software is handled using the same approach as any other missing software product
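An added example, not TPM code, of the UNIX file permission check and the file change detection listed above: it flags permission bits beyond a policy maximum, verifies whether a path is a directory, and compares a SHA-256 checksum with a baseline. Function names, the policy modes and the temporary files are constructed assumptions.

```python
# Added example: UNIX file permission check plus change detection.
# Function names and the sample policy are assumptions, not TPM code.
import hashlib
import os
import stat
import tempfile

def check_path(path, max_mode, expect_dir=None):
    """Return findings for one path; an empty list means compliant."""
    try:
        st = os.lstat(path)  # lstat: judge a symlink itself, do not follow it
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    is_dir = stat.S_ISDIR(st.st_mode)
    if expect_dir is not None and is_dir != expect_dir:
        findings.append(f"{path}: is_dir={is_dir}, expected {expect_dir}")
    extra = stat.S_IMODE(st.st_mode) & ~max_mode  # bits granted beyond policy
    if extra:
        findings.append(f"{path}: excess permission bits {extra:04o}")
    return findings

def fingerprint(path):
    """SHA-256 of the file content, used as the change-detection baseline."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def demo():
    """Run the checks on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        f = os.path.join(d, "app.conf")
        with open(f, "w") as fh:
            fh.write("key=value\n")
        os.chmod(f, 0o644)                      # world-readable on purpose
        baseline = fingerprint(f)
        loose = check_path(f, max_mode=0o640, expect_dir=False)
        os.chmod(f, 0o600)                      # remediation step
        fixed = check_path(f, max_mode=0o640, expect_dir=False)
        with open(f, "a") as fh:                # simulate a later modification
            fh.write("key2=other\n")
        return {
            "loose": loose,
            "fixed": fixed,
            "changed": fingerprint(f) != baseline,
            "dir_ok": check_path(d, max_mode=0o700, expect_dir=True),
            "wrong_type": check_path(f, max_mode=0o640, expect_dir=True),
            "missing": check_path(os.path.join(d, "absent"), 0o640),
        }

if __name__ == "__main__":
    print(demo())
```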

Adding compliance checks
From the Provisioning Computer or the Provisioning Group compliance screen:
- New Compliance Checks
- Copy Compliance Checks
  - Copy all compliance checks from a group or computer that already has checks defined
- Create Compliance Checks Using Model
  - Use the actual state of a model computer to create compliance checks. The actual state is based on the results of inventory scans of the model machine.

Checking compliance
- New compliance checks have a compliant status of unknown
- Run immediately or schedule either a compliance check or an inventory scan and compliance check
- Inventory scan is needed to check software compliance

Compliance
- Once a scan and check have run, any noncompliant checks show on the compliance tab

Compliance
- The Provisioning Computers list shows compliance status

Compliance
- The Provisioning Groups list shows the number of compliant devices in the group

Working with Recommendations
- Once a scan and check have run, any recommendations for correcting discrepancies appear on the recommendations tab.
- Initial status of recommendations is opened (or approved if automatic approval is enabled)
- Before a recommendation can be implemented, it must be approved

Working with Recommendations
- A recommendation can be ignored for a period you can specify
- Use "Run" to remediate a software compliance check right away
- Use "Schedule" to schedule the remediation of a software compliance check for a future time
- Once run, a recommendation shows as implemented and can be closed