Axel Buecker
Frank Muehlenbrock
Murat Yildiz
ibm.com/redbooks
International Technical Support Organization
September 2008
SG24-7664-00
Note: Before using this information and the product it supports, read the information in
“Notices” on page vii.
This edition applies to Version 8.5 of IBM Tivoli Compliance Insight Manager.
© Copyright International Business Machines Corporation 2008. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
Contents
Notices (page vii)
Trademarks (page viii)
Preface (page ix)
The team that wrote this book (page ix)
Become a published author (page xi)
Comments welcome (page xi)
Chapter 2. Planning (page 39)
2.1 Overview (page 40)
2.2 Product architecture (page 42)
2.2.1 Tivoli Compliance Insight Manager cluster (page 43)
2.2.2 Tivoli Compliance Insight Manager Enterprise Server (page 43)
2.2.3 Tivoli Compliance Insight Manager Standard Server (page 45)
2.2.4 Actuators (page 45)
2.2.5 Management Console (page 46)
2.2.6 The iView Web portal (page 48)
2.2.7 Databases (page 48)
2.2.8 Component architecture (page 50)
2.3 Product processes (page 51)
2.3.1 Collection (page 53)
2.3.2 Mapping and loading (page 61)
2.3.3 Data aggregation and consolidation (page 72)
2.3.4 Reporting and presentation (page 72)
2.4 Conclusion (page 75)
Chapter 3. Installation (page 77)
Chapter 4. Configuration (page 91)
4.1 Auditing settings for the Windows platforms (page 92)
4.1.1 Auditing settings for the Windows Security log (page 92)
4.1.2 Active Directory audit policy settings (page 93)
4.1.3 File server settings: Object access auditing (page 96)
4.2 Auditing settings for UNIX-based platforms (page 102)
4.2.1 Configuration of the auditing settings on an AIX system (page 102)
4.3 Configuring the new event sources (page 103)
4.3.1 Create the GEM database (page 103)
4.3.2 Create system group and add Windows machines (page 104)
4.3.3 Add event sources (page 110)
4.4 Installing an Actuator on a target machine (page 116)
4.5 Configuration of the audit policy (W7 groups and rules) (page 119)
4.5.1 Adding User Information Sources (UIS) (page 119)
4.5.2 Configuring a new policy with W7 rules (page 127)
4.5.3 Load the database (page 142)
4.6 Conclusion (page 150)
Glossary (page 195)
Index (page 209)
vi Certification Study Guide: IBM Tivoli Compliance Insight Manager V8.5
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
Snapshot, and the NetApp logo are trademarks or registered trademarks of NetApp, Inc. in the U.S. and
other countries.
Novell, the Novell logo, and the N logo are registered trademarks of Novell, Inc. in the United States and
other countries.
Oracle, JD Edwards, PeopleSoft, Siebel, and TopLink are registered trademarks of Oracle Corporation
and/or its affiliates.
Java, JavaScript, Solaris, Sun, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in
the United States, other countries, or both.
Active Directory, Internet Explorer, Microsoft, Win32, Windows NT, Windows Server, Windows, and the
Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, or service names may be trademarks or service marks of others.
Preface
This IBM® Redbooks® publication is a study guide for IBM Tivoli® Compliance
Insight Manager Version 8.5 and is meant for those who want to achieve IBM
Certifications for this specific product.
The IBM Tivoli Compliance Insight Manager Certification, offered through the
Professional Certification Program from IBM, is designed to validate the skills
required of technical professionals who work in the implementation of the IBM
Tivoli Compliance Insight Manager Version 8.5 product.
This book provides a combination of theory and practical experience needed for
a general understanding of the subject matter. It also provides sample questions
that will help in the evaluation of personal progress and provide familiarity with
the types of questions that will be encountered in the exam.
This publication does not replace practical experience, and it is not designed to
be a stand-alone guide for any subject. Instead, it is an effective tool that, when
combined with education activities and experience, can be a very useful
preparation guide for the exam.
Wade Wallace
International Technical Support Organization, Austin Center
Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you will develop a network of contacts in IBM development labs, and
increase your productivity and marketability.
Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us!
The Professional Certification Program from IBM offers a business solution for
skilled technical professionals seeking to demonstrate their expertise to the
world.
The program is designed to validate your skills and demonstrate your proficiency
in the latest IBM technology and solutions. In addition, professional certification
can help you excel at your job by giving you and your employer confidence that
your skills have been tested. You may be able to deliver higher levels of service
and technical expertise than non-certified employees and move on a faster
career track. Professional certification puts your career in your control.
The Professional Certification Program from IBM has developed certification role
names to guide you in your professional development. The certification role
names include IBM Certified Specialist, IBM Certified Solutions/Systems Expert,
and IBM Certified Advanced Technical Expert for technical professionals who
sell, service, and support IBM solutions.
The Professional Certification Program from IBM provides you with a structured
program leading to an internationally recognized qualification. The program is
designed for flexibility by enabling you to select your role, prepare for and take
tests at your own pace, and, in some cases, select from a choice of elective tests
best suited to your abilities and needs. Some roles also offer a shortcut by giving
credit for a certification obtained in other industry certification programs.
Specific benefits might vary by country (region) and role. In general, after you
become certified, you should receive the following benefits:
Industry recognition
Certification may accelerate your career potential by validating your
professional competency and increasing your ability to provide solid, capable
technical support.
Program credentials
As a certified professional, you receive an e-mail with your certificate of
completion and the certification mark associated with your role for use in
advertisements and business literature. You can also request a hardcopy
certificate, which includes a wallet-size certificate.
The Professional Certification Program from IBM acknowledges the individual
as a technical professional. The certification mark is for the exclusive use of
the certified individual.
Ongoing technical vitality
IBM Certified Professionals are included in mailings from the Professional
Certification Program from IBM.
Certification checklist
Here is the certification checklist:
1. Select the certification you would like to pursue.
2. Determine which tests are required by reading the certification role
description.
Note: When providing your name and address to the testing vendor, be
sure to specify your name exactly as you would like it to appear on your
certificate.
5. Take the test. Be sure to keep the Examination Score Report provided upon
test completion as your record of taking the test.
Note: After you take the test, the results and demographic data (such as
name, address, e-mail, and phone number) are sent from the testing
vendor to IBM for processing (allow two to three days for transmittal and
processing). After all the tests required for a certification are passed and
received by IBM, your certificate will be issued.
6. Repeat steps three through five until all required tests are successfully
completed for the certification. If there are additional requirements (such as
another vendor certification or exam), follow the instructions on the
certification description page to submit these requirements to IBM.
7. After you have met the requirements, you will be sent an e-mail asking you
to accept the terms of the IBM Certification Agreement.
8. Upon your acceptance, you receive an e-mail with the following deliverables:
– A Certification Certificate in PDF format, which can be printed in either
color or black and white
– A set of graphic files containing the IBM Professional Certification mark
associated with the certification achieved
After you receive a certificate by e-mail, you can also contact IBM at
certify@us.ibm.com to request that a hardcopy certificate be sent by postal mail.
Note: IBM reserves the right to change or delete any portion of the program,
including the terms and conditions of the IBM Certification Agreement, at any
time without notice. Some certification roles offered through the IBM
Professional Certification Program require recertification.
Important: IBM offers the following promotion code, which is good for a 15%
discount on the indicated Tivoli certification exams if taken at any Thomson
Prometric testing center:
Code: 15T937
Percentage off: 15%
Valid for exams: 000-937
Expires: 12/31/2009
Section 1: Planning
This section provides further information about the planning area of the test.
Given the customer reporting needs, determine which report requirements
can be supported by Tivoli Compliance Insight Manager so that a reporting
plan can be established for the implementation. The emphasis is on being
able to perform the following steps:
– Identify the customer report needs.
– Analyze the reports requested by the customer.
– Determine which of these reports can be generated by Tivoli Compliance
Insight Manager.
– Categorize the reports per platform.
– Deliver a list of reports that can be produced.
– Discuss with the customer how the reports should be distributed: per
platform, per department, and with or without scoping.
Given the customer report needs, review the requirements and assess which
event sources will be required so that you can deliver a list of event sources
needed for the Tivoli Compliance Insight Manager environment. The
emphasis is on being able to perform the following steps:
– Review the reporting requirements determined during the assessment of
the customer reporting needs.
– Assess which event sources will be required to support the reporting
requirements.
– Deliver a list of event sources that need to be deployed.
Section 2: Installation
The section provides further information about the installation area of the test:
Given the installation media and a Windows 2003 server, install the database
engine, directory server, and Standard Server, so that a Tivoli Compliance
Insight Manager security server is defined for centralized user management.
The emphasis is on being able to perform the following steps:
– Log in to the Windows server as a user with administrative privileges.
– Verify that the system prerequisites have been met.
– Install the middleware.
– Install the Standard Server.
– Apply the current patches and platform updates.
– Verify the installation.
Section 3: Configuration
The section provides further information about the configuration area of the test:
Given the security compliance reporting requirements for a specific audit
platform, configure the audit subsystem so that the collected security audit
data can be used to generate the required security compliance reports. The
emphasis is on being able to perform the following steps:
– Translate the Security Compliance reporting requirements to the required
Audit Setting Configurations on the target platform.
– Review the current audit settings on the target platform.
– Apply changes to the current audit settings.
– Verify that the audit settings changes have been committed.
– Verify that the data collected (after committing the audit setting changes)
meet the Security Compliance reporting requirements.
Given the management console, use the add machine process so that an
audit trail is collected locally. The emphasis is on being able to perform the
following steps:
– Launch the management console.
– Add a new machine.
– Select the system type.
– Select the machine or machines to be audited.
– Select local for the point of presence.
– Define the communication port.
– Select automatic or manual for the installation type.
• If automatic installation is selected, enter the NetBIOS name for the
machine or machines.
• If automatic installation is selected, enter the operating system
credentials for the Actuator service.
Section 5: Administration
The section provides further information about the administration area of the test:
Given the management console application, navigate through the different
views so that you can perform the basic administration activities for audited
machines. The emphasis is on being able to perform the following steps:
– Launch the management console.
Note: Course offerings are continuously being added and updated. If you do
not see courses listed in your geographical location, contact the delivery
management team.
Course duration
This is a two-day, classroom course.
Objectives
After completing this course, you should be able to accomplish the following:
Explain the function of each Tivoli Compliance Insight Manager component.
Describe a Tivoli Compliance Insight Manager cluster.
Install a Tivoli Compliance Insight Manager server.
Define a Point of Presence.
Define an event source.
Install an Actuator.
Manually collect and load data.
Configure remote collection.
Configure collection for a custom log file.
Required skills
The following are the skills required to take this course:
Some knowledge of the Windows audit subsystem.
Technical skills in UNIX variants, Win32®, and DBMS.
Understanding of security practices, principles, security technologies, and so
on.
Working knowledge of security auditing and operational risk management
concepts.
Course duration
This is a three-day, classroom course.
Outline
The course follows this outline:
1. Monitoring Compliance
Lesson 1: Monitoring Compliance
2. Navigating the Management Console
Lesson 1: Management Console Overview
Lesson 2: Audited Machines
Lesson 3: Event Sources
Lesson 4: Databases
Lesson 5: Alert Maintenance
Lesson 6: Policies
Lesson 7: User Management
Lesson 8: Export and Import
3. Navigating the Web Portal
Lesson 1: Web Portal Overview
Lesson 2: iView
Lesson 3: Log Manager
Required skills
The following skills are required for this course:
Some knowledge of the Windows audit subsystem
Understanding of security practices, principles, and security technologies
Working knowledge of security auditing and operational risk management
concepts
Publications
IBM Tivoli Compliance Insight Manager guides and Redbooks are useful tools for
preparing to take Test 937.
To obtain the online publications for IBM Tivoli Compliance Insight Manager, visit
the following Web site.
http://publib.boulder.ibm.com/tividd/td/IBMTivoliComplianceInsightManager8.0.html
IBM Redbooks
Refer to the following IBM Tivoli Compliance Insight Manager-related Redbooks:
Compliance Management Design Guide with IBM Tivoli Compliance Insight
Manager, SG24-7530
To comply with government and industry regulations such as Sarbanes-Oxley,
Gramm-Leach-Bliley, and COBIT, enterprises must constantly detect,
validate, and report unauthorized changes and out-of-compliance actions
within the IT infrastructure.
The IBM Tivoli Compliance Insight Manager solution allows organizations to
improve the security of their information systems by capturing comprehensive
log data, correlating this data through sophisticated log interpretation and
normalization, and communicating results through a dashboard and full set of
audit and compliance reporting.
Chapter 2. Planning
In this chapter, we give an overview of the IBM Tivoli Compliance Insight
Manager. We describe the major components and their position in a real network
environment. This description provides an overview of items that are important to
planning and architecting the design of a compliance and reporting system. It
also covers migration planning, tools, and issues.
Technical security controls are the easiest to monitor, as computer systems save
audit trails and configuration files, which can be checked for fulfillment of
requirements. Security controls on the organizational and the process level
(especially when process steps are not performed with the help of technology)
are harder to check and to control, as they are less persistent, and their audit
trails are not created automatically and can be manipulated more easily.
This book is intended for administrators and system programmers whose roles
include security officer, security manager, EDP auditor, or one who monitors
events in the enterprise IT environment and are planning for IBM Tivoli
Compliance Manager certification.
2.2 Product architecture
The Tivoli Compliance Insight Manager environment includes a number of key
components that are depicted in Figure 2-1:
Enterprise Server
Standard Server
Actuators
Management Console
Web Portal (iView)
The sections that follow outline the major functional capabilities of each of these
servers.
Centralized log management
As shown in Figure 2-2, the Enterprise Server offers consolidated log
management facilities over all connected Tivoli Compliance Insight Manager
Standard Servers. From one Enterprise Server, you can get a consolidated view
of log collections and log continuity. This simplifies the management of a Tivoli
Compliance Insight Manager cluster, reducing your operational impact as well as
providing a single view for auditors to examine the complete log history. Finally,
the centralized management feature provides a point of access to query and
download the original log data collected by standard servers.
Centralized forensics
The Enterprise Server also provides forensic search capabilities. The Enterprise
Server allows you to search the archived logs for evidence without using the
GEM and W7 tools. Sometimes you may want to look for the raw traces without
going through the report preparation process.
Note: The GEM and W7 tools are used by Tivoli Compliance Insight Manager
for mapping and loading the data. They are described in detail in 2.3.2,
“Mapping and loading” on page 61.
The security status of the audited systems can be viewed through the
Web-based reporting application called iView. iView is described in 2.2.6, “The
iView Web portal” on page 48.
Another main component of the Tivoli Compliance Insight Manager system is the
Management Console, which is used to manage and configure the system. Each
Standard Server has its own configuration database managed by the
Management Console. The Management Console is described further in 2.2.5,
“Management Console” on page 46.
2.2.4 Actuators
Depending on the platform, Actuator software is installed on audited systems as
a service or daemon. Each Actuator consists of an Agent and numerous
Actuator scripts. The Agent is responsible for maintaining a secure link with
Actuators running on the Tivoli Compliance Insight Manager server and other
audited systems. The Actuator scripts are invoked by the Agent (at the request of
the Tivoli Compliance Insight Manager server) to collect the log for a particular
event source. There is a different script for every supported event type. The
Actuator is depicted in Figure 2-3.
The Actuator software can be installed locally on the target system or remotely.
You can use the Management Console to perform numerous tasks related to the
configuration and management of the Tivoli Compliance Insight Manager
servers:
Activate the Agents and have them collect audit trails from different platforms.
Define the security policy and attention rules.
Define users and their access rights.
All the actions on the Management Console are performed by the Tivoli
Compliance Insight Manager server. You can think of the Management Console
as being the user interface for the Tivoli Compliance Insight Manager server.
Here you would also define event sources, perform log management, do forensic
search, and monitor overall compliance. After the reports have been prepared by
the server, a Tivoli Compliance Insight Manager user may generate the specific
reports using the iView component.
Planning for the usage and installation of the Tivoli Compliance Insight Manager
requires knowledge of the hardware and software prerequisites. Depending on
your system requirements, you can choose one or more of the available
installation options (please also refer to Chapter 3, “Installation” on page 77).
The IBM Tivoli Compliance Insight Manager Installation Guide Version 8.5,
GC23-6580 gives you detailed information about technical prerequisites.
Possible installation options are:
Tivoli Compliance Insight Manager Enterprise Server
Tivoli Compliance Insight Manager Standard Server
Point of Presence
Management Console
2.2.6 The iView Web portal
The events found in the logs are normalized and stored in databases. The data in
the databases is available for further investigation through the Web-based tool
called iView. iView is a reporting application that Tivoli Compliance Insight
Manager administrators can use to generate specific reports about compliance
level and policy violations. It runs on an HTTP server that authorizes users to
view reports through their Web browser.
For a detailed description about how to use the iView Web portal, read the IBM
Redbooks publication Deployment Guide Series: IBM Tivoli Compliance Insight
Manager, SG24-7531.
2.2.7 Databases
Tivoli Compliance Insight Manager supports and maintains a set of embedded
databases. These databases store the audit data from security logs and other
sources of event information, for example, Syslog. In the flow from collection to
archive, audit data is indexed and normalized to facilitate analysis, forensics,
information retrieval, and reporting.
The appropriate hard disk space required for the IBM Tivoli Compliance Insight
Manager is based on the amount of daily log data that is collected for the
platforms and applications you plan to monitor.
The amount of data that is to be kept in the log repository determines the
required hard disk space. The repository size can be approximately calculated
using the following formula:
for program files, temp files, and databases, with a minimum of 200 GB.
The disk size for the Enterprise Server should be enlarged depending on the
number of Standard Servers it manages. (For each Standard Server, the
Enterprise Server builds a depot index that can be as large as the depot size of
the Enterprise Server itself.) For example, the extra disk size needed for the
Standard Server can be calculated using the following formula:
Depot
Collected logs are stored in the log Depot, which is a compressed, online, and
file system based log repository.
Reporting database
Data is stored in an instance of an embedded database. It is mapped into the W7
format, which is explained in further detail in “The W7 model” on page 63. The
W7 model stands for the seven main questions Who, What, When, Where, On
What, Where from, and Where to. The reporting databases are also known as
GEM databases. GEM stands for Generic Event Model and is an easy to
understand data model. It is explained in more detail in “Mapping” on
page 62. The reporting databases are periodically emptied and then filled with more recent data.
Typically, this refresh cycle is done on a daily scheduled basis, meaning that data
from the previous period is present and available for analysis and reporting. Data
from a Depot can be mapped and manually loaded into the reporting database
for processing.
Aggregation database
The aggregation process takes a large number of individual events and
consolidates them into a more manageable set of information. In addition, the
aggregation process creates statistical data that can be used to provide
management level trending data, charts, and reports. It takes multiple events that
have a relationship and consolidates them into a single event. The aggregation
process involves two key operations:
A statistical database of events, exceptions, failures, and attentions is
created. The events are used to generate management charts, reports, and
trending information. For example, users can report on policy exception
trends over a selected time period.
It copies across the exceptions and attentions from the scheduled loads for
each database that is configured. This provides the user with significant
forensic capability. With these events in the same database as the statistical
events, it is possible to perform drill down operations into the data for
forensics, trending, and analysis.
Aggregation is performed as part of the normal scheduled load processing. After
a successful scheduled load, aggregation is performed for each reporting
database. Aggregation vastly reduces the amount of event information that
needs to be online, and allows users to have an organization view of security
events through iView (the Tivoli Compliance Insight Manager dashboard).
Additionally, these aggregated statistics are used for providing long-term trending
information and are typically held for several years (dictated by local or statutory
requirements). This is highly valuable data and provides a historical database of
an organization’s performance against defined security policies and regulations.
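As an added illustration (not code from this book or from the product), the following Python sketch shows the two aggregation operations described above on constructed GEM events: related events are consolidated into one event carrying a count, per-day statistics are built for trending, and the exceptions and attentions are copied across for drill-down. The event fields, the five-minute consolidation window and the kind labels are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed GEM events as they might sit in a reporting database after a
# scheduled load (not real product data). "kind" is event, exception or
# attention, as set by the policy evaluation during load.
GEM_EVENTS = [
    {"when": "2008-09-01 09:00:00", "who": "alice", "what": "Logon Success", "where": "srv01", "kind": "event"},
    {"when": "2008-09-01 22:10:00", "who": "bob", "what": "Logon Failure", "where": "srv02", "kind": "exception"},
    {"when": "2008-09-01 22:10:30", "who": "bob", "what": "Logon Failure", "where": "srv02", "kind": "exception"},
    {"when": "2008-09-01 22:11:05", "who": "bob", "what": "Logon Failure", "where": "srv02", "kind": "exception"},
    {"when": "2008-09-01 22:12:00", "who": "root", "what": "Change password", "where": "srv02", "kind": "attention"},
    {"when": "2008-09-02 09:30:00", "who": "bob", "what": "Logon Failure", "where": "srv02", "kind": "exception"},
]


def consolidate(events, window=timedelta(minutes=5)):
    """Consolidate related events (same who/what/where, occurring within the
    assumed window of each other) into a single event with a count."""
    out = []
    for e in sorted(events, key=lambda x: (x["who"], x["what"], x["where"], x["when"])):
        ts = datetime.strptime(e["when"], "%Y-%m-%d %H:%M:%S")
        last = out[-1] if out else None
        same_key = last and (last["who"], last["what"], last["where"]) == (e["who"], e["what"], e["where"])
        if same_key and ts - last["last_ts"] <= window:
            last["count"] += 1
            last["last_ts"] = ts
        else:
            out.append({**e, "count": 1, "first_ts": ts, "last_ts": ts})
    return out


def aggregate(events):
    """Build the statistical database (per-day counts of events, exceptions,
    failures and attentions) and copy exceptions and attentions across so
    that drill-down from a chart reaches the underlying events."""
    stats = defaultdict(Counter)
    for e in events:
        day = e["when"][:10]
        n = e.get("count", 1)              # consolidated events count as n raw events
        stats[day][e["kind"] + "s"] += n
        if e["what"].endswith("Failure"):
            stats[day]["failures"] += n
    copied = [e for e in events if e["kind"] in ("exception", "attention")]
    return {"stats": {d: dict(c) for d, c in stats.items()}, "copied": copied}


def exception_trend(stats, days):
    """Management trend line: policy exceptions per day over a period."""
    return [stats.get(d, {}).get("exceptions", 0) for d in days]
```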
Consolidation database
The consolidation database consolidates all the aggregation databases in a
Tivoli Compliance Insight Manager cluster. This provides an overall view of all
servers in the cluster for trending and statistical purposes.
Configuration database
The configuration database for each server is managed through the
Management Console. Each Configuration Database includes information such
as the Actuator configuration, collect schedules, location of audit log data,
available GEM databases, the list of audited machines, and so on.
Figure 2-5 on page 51 encapsulates the key components and processes in the
Tivoli Compliance Insight Manager environment. Each of the components and
the role that they play in the Tivoli Compliance Insight Manager environment are
discussed in further detail throughout the remainder of this chapter.
Event data is retrieved from the audited systems through a process called
collection. It is then stored on the Standard Server in the Depot.
For analysis, the data is taken from the Depot and normalized into a data model
called General Event Model (GEM). This process is called mapping.
Subsequently, the mapped data is loaded into a reporting database called a
GEM database.
Data and statistics, spanning a longer period, are maintained by a process called
aggregation. The aggregation process builds a special database, called the
aggregation database, from which trends and summaries can be extracted.
In order to check and investigate the information security status, the Tivoli
Compliance Insight Manager system offers a large number of reports. These are
produced on request by a Web-based application called iView. It can be used to
view GEM databases as well as the aggregation database.
Figure 2-6 shows the key processes performed by a Tivoli Compliance Insight
Manager server. A Tivoli Compliance Insight Manager Enterprise Server also
performs two extra processes, namely indexing and consolidation.
These key processes are described in further detail in the following sections.
The reliable, verifiable collection of original log data is a key part of the process
required for compliance. Through Tivoli Compliance Insight Manager, you can
automate the collection process from your audited machines. Security audit data
is collected in its native form, transferred securely from the target, and stored in
the server’s Depot in the form of a chunk. The term chunk is used to refer to a set
of compressed logs and is the unit of collection in Tivoli Compliance Insight
Manager.
Each chunk consists of a header file and one or more data files, which are called
sub-chunks. A chunk log contains the security log of a given system or
application for a given period of time. For example, assume that the Tivoli
Compliance Insight Manager system is collecting audit data every hour, on the
hour. One chunk log records events from 1 p.m. to 2 p.m. At 2 p.m., Tivoli
Compliance Insight Manager runs a batch collect and collects the audit data from
the application. The next chunk records events from 2 p.m. to 3 p.m. At 3 p.m.,
Tivoli Compliance Insight Manager runs another batch collect and collects the
audit data from the application. Both chunks, from 1 p.m. to 2 p.m. and from
2 p.m. to 3 p.m., are portions of the security log from the audited application.
Together, the chunks constitute the whole security log.
Tivoli Compliance Insight Manager provides a set of tools to verify that the
collection process is operating and to detect if collection failures have occurred.
Tivoli Compliance Insight Manager alerts selected administrators if a collection
failure occurs so that immediate action can be taken to prevent possible loss of
log data.
Methods of data collection
The most common mechanism for retrieving security log data is through a
process called batch collect. A security log is created on the audited machine by
the application, system, or device being audited. In general, such logs contain
records of many events, which all get processed as a batch. The Tivoli
Compliance Insight Manager Server initiates the collection of security logs from
the audited machines. This action is either triggered by a set schedule, or
manually through the Management Console. After receiving the security logs, the
Tivoli Compliance Insight Manager Server archives the security logs in the
Depot.
Each event source that is monitored has an associated Actuator. For example,
the security log on a Sun™ Solaris™ server is collected by the Actuator for the
Solaris event source. The same server running Oracle® could use the same
Actuator to collect and monitor the Oracle security log. There is a different
Actuator script for every supported type of event, so the Actuator can process
logs for several different event sources. In this example scenario, the Actuator is
collecting the logs from two event sources, namely “Solaris” and “Oracle for
Solaris”.
The Agent listens continuously on a reserved port for collect requests issued by
the Tivoli Compliance Insight Manager server. When a request is received, the
Agent invokes the appropriate script to gather the logs. After the Actuator has
collected the security audit log for a particular event source, the Agent
compresses and transfers the logs to the centralized Depot. The Agent maintains
an encrypted channel for all communication between the target machine and the
Tivoli Compliance Insight Manager server, that is, it provides a secure and
guaranteed transmission service.
Note:
1. The audited system often acts as the target system for event sources.
2. With regard to audit configurations, both the audited system and the target
system can be described as the audited system, that is, the system on which
the audited instance of the event source is hosted.
3. The Tivoli Compliance Insight Manager server can act as a Point of
Presence in some configurations. If this is the case, no Actuator needs to
be installed, because it is already included in the server installation.
Otherwise, an Actuator corresponding to the operating system running on
the Point of Presence needs to be installed.
For the examples throughout the remainder of this chapter, in the event that the
audited systems also act as the target systems for the Tivoli Compliance Insight
Manager server to access the audit trail, the term audited system will be used.
Agent collection mechanism
Figure 2-7 illustrates the steps involved in collecting data from an audited
system.
Note that:
1. The collection schedule is automatically triggered based on configured
settings. Alternatively, a manual collect command is given to the Tivoli
Compliance Insight Manager server through the Management Console.
2. The Tivoli Compliance Insight Manager server issues an audit trail
collect command to the Actuator. This command activates the Actuator on
the audited machine.
3. The appropriate Actuator script reads the security log and collects only those
new records since the last collection.
4. The Actuator formats the collected records into chunk format and compresses
the chunks. A chunk can contain many different log types from the audited
machine.
5. The Agent reads the chunk log data.
6. The Agent securely sends the chunk data in encrypted form to the Agent on
the Tivoli Compliance Insight Manager server.
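The following Python example, added here and not part of the book or the product, walks through steps 3 to 6 on a constructed log: only records added since the last collect are read, each collect is packaged as a chunk (a header plus a compressed sub-chunk), the Depot side verifies the chunk and reassembles the whole log from consecutive chunks, and a continuity check flags a missed collect of the kind the collection-failure tools are meant to detect. The header fields, the record-offset bookmark and the SHA-256 checksum are assumptions, not the product's chunk format.

```python
import gzip
import hashlib

# Constructed security log of an audited system (not a real product log).
AUDIT_LOG = [
    "2008-09-01T13:05:00 login user=alice src=10.0.0.5 status=success",
    "2008-09-01T13:40:00 login user=bob src=10.0.0.9 status=failure",
    "2008-09-01T14:10:00 login user=alice src=10.0.0.5 status=success",
    "2008-09-01T14:55:00 logout user=alice src=10.0.0.5 status=success",
]


def collect_new_records(log_lines, last_offset):
    """Step 3: read only the records added since the last collection.
    The offset (records already collected) is the bookmark the Actuator is
    assumed to keep between collects."""
    new = log_lines[last_offset:]
    return new, last_offset + len(new)


def build_chunk(event_source, records, seq):
    """Step 4: package the records as a chunk, a header plus one compressed
    sub-chunk. The header fields are assumed for this example."""
    data = "\n".join(records).encode()
    header = {
        "event_source": event_source,
        "seq": seq,                      # running chunk number per event source
        "record_count": len(records),
        "first_ts": records[0].split()[0] if records else None,
        "last_ts": records[-1].split()[0] if records else None,
        "sha256": hashlib.sha256(data).hexdigest(),   # integrity of the raw log
    }
    return {"header": header, "sub_chunks": [gzip.compress(data)]}


def open_chunk(chunk):
    """Depot side: decompress, verify integrity and return the original records."""
    data = b"".join(gzip.decompress(s) for s in chunk["sub_chunks"])
    if hashlib.sha256(data).hexdigest() != chunk["header"]["sha256"]:
        raise ValueError("chunk integrity check failed")
    return data.decode().split("\n") if data else []


def check_continuity(chunks):
    """Collection-failure check: sequence numbers of one event source must be
    consecutive, otherwise a collect was missed and log data may be lost.
    Returns the missing sequence numbers."""
    seqs = sorted(c["header"]["seq"] for c in chunks)
    return [s for s in range(seqs[0], seqs[-1] + 1) if s not in seqs] if seqs else []


def simulate_hourly_collects():
    """Two batch collects: at 2 p.m. (records of the 1 p.m. hour) and at 3 p.m.
    (records of the 2 p.m. hour). Together the chunks form the whole log."""
    chunks, offset = [], 0
    recs, offset = collect_new_records(AUDIT_LOG[:2], offset)   # log as seen at 2 p.m.
    chunks.append(build_chunk("Solaris", recs, seq=1))
    recs, offset = collect_new_records(AUDIT_LOG, offset)       # log as seen at 3 p.m.
    chunks.append(build_chunk("Solaris", recs, seq=2))
    return chunks
```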
Agentless collection
Tivoli Compliance Insight Manager supports agentless collection on Windows,
Novell®, and UNIX platforms. When using agentless remote collection, the
picture is slightly different from agent-based collection, but the steps remain
the same. A Point of Presence, that is, a machine with an Actuator installed
that reaches the audited systems remotely, establishes the secure connection to
the Tivoli Compliance Insight Manager server, sending all agentless collected
data securely to the Depot.
Note: In the case of Windows, the agentless data collection requires one
Point of Presence per domain.
Windows agentless collection
The most common implementation of remote collection is on the Microsoft®
Windows domain. To audit several machines in a domain, only one of them
needs to be a Point of Presence and have an Actuator installed. Figure 2-8
shows the typical configuration used to perform an agentless collection when the
audited systems are Windows machines. Be aware, however, the agentless
collection method is not supported on all event sources.
Note that:
1. The collection schedule is automatically triggered based on site specific
settings. Alternatively, a manual collect command is given to the Tivoli
Compliance Insight Manager server through the Management Console.
2. The Tivoli Compliance Insight Manager server issues a collect log
command to the Actuator. This command activates the Actuator on the target
machine.
3. The Actuator reads the security log from the remote server(s) using a
NetBIOS connection, collecting only those new events since the last
collection cycle.
4. The log data is processed and sent to the Depot on the Tivoli Compliance
Insight Manager server.
For agentless collection from UNIX systems, Tivoli Compliance Insight Manager
uses a PuTTY client to establish the SSH connection to the audited server; the
client needs to be appropriately configured. The UNIX server also needs to be
running an SSH daemon, set up with the appropriate privileges, as per the
Tivoli Compliance Insight Manager documentation.
Tivoli Compliance Insight Manager offers a toolkit that shows how to configure an
event source to collect arbitrary log data. This method allows the collection of log
data that meets the following criteria:
File based
Record oriented
Text
You can refer to IBM Tivoli Compliance Insight Manager User Reference Guide
Version 8.5, SC23-6582 for further information about how to customize
ubiquitous collect event sources for forensic search and analysis.
Syslog and SNMP collect
Tivoli Compliance Insight Manager can process and analyze security events that
are collected through the syslog and SNMP network logging mechanisms. The
support for syslog and SNMP messages is done either using a built-in
syslog/SNMP receiver or directly from a syslog-NG server. The Tivoli
Compliance Insight Manager Actuator has a built-in listening component that can
be activated on any Windows Point of Presence and can receive SNMP and
syslog messages. The collection of syslog messages captured by a syslog-NG
server is done through a Windows Point of Presence (POP) that collects the
syslog files through SSH.
When a chunk is placed in the Depot, it is indexed using the specific indexer that
has been configured for that event source. Indexers do not normalize the data;
they only split it into fields. The fields, or terms, are indexed using a proprietary
technique so the data can be easily searched using the forensic investigation
user interface.
You can build your own indexers using the Generic Scanning Language (GSL)
Toolkit to include collected arbitrary log data in forensic investigations or in cases
where the default indexer does not provide the analysis required.
A simple query language is available that supports Boolean operators (AND and
OR) and allows the grouping of terms through parentheses.
The forensic tools operate over all of the Standard Servers associated with the
Enterprise Server. They access the Depots through normal Windows file share
protocols.
Detailed information about the GSL toolkit can be found in Tivoli Compliance
Insight Manager User Reference Manual, SC23-6582.
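As an added example (not the product's indexer or its GSL), this Python code splits constructed chunk records into terms with no normalization, builds an inverted index over them, and evaluates queries made of terms, AND, OR and parentheses by recursive descent. The tokenizer and the precedence of AND over OR are assumptions.

```python
import re

# Constructed chunk records for one event source (not real product data).
CHUNK_RECORDS = [
    "2008-09-01 13:05:00 host=srv01 user=alice action=login status=success",
    "2008-09-01 13:40:00 host=srv01 user=bob action=login status=failure",
    "2008-09-01 14:10:00 host=srv02 user=alice action=login status=failure",
    "2008-09-01 14:55:00 host=srv02 user=root action=su status=success",
]


def index_chunk(records):
    """Indexer: split each record into terms without normalizing them.
    A term is any run of word characters (assumed tokenizer); the inverted
    index maps each lower-cased term to the set of record numbers holding it."""
    inverted = {}
    for rec_no, rec in enumerate(records):
        for term in re.findall(r"\w+", rec):
            inverted.setdefault(term.lower(), set()).add(rec_no)
    return inverted


def evaluate_query(query, inverted):
    """Evaluate a query of terms, AND, OR and parentheses against the inverted
    index. AND binds tighter than OR (assumed). Returns the set of matching
    record numbers; raises ValueError on a malformed query."""
    tokens = re.findall(r"\(|\)|\w+", query)
    pos = 0

    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos].upper() == "OR":
            pos += 1
            result = result | parse_and()
        return result

    def parse_and():
        nonlocal pos
        result = parse_atom()
        while pos < len(tokens) and tokens[pos].upper() == "AND":
            pos += 1
            result = result & parse_atom()
        return result

    def parse_atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of query")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            inner = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing closing parenthesis")
            pos += 1
            return inner
        if tok == ")" or tok.upper() in ("AND", "OR"):
            raise ValueError("unexpected token %r" % tok)
        return set(inverted.get(tok.lower(), ()))

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in query")
    return result


def search(query, records):
    """Forensic search: index the records, then return those matching the query."""
    hits = evaluate_query(query, index_chunk(records))
    return [records[i] for i in sorted(hits)]


def query_is_valid(query):
    """True when the query parses; lets a front end reject malformed input early."""
    try:
        evaluate_query(query, {})
        return True
    except ValueError:
        return False
```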
Mapping
To make the audit trail data accessible, it is translated (or normalized) into an
easy-to-understand data model called the Generic Event Model (GEM).
The Tivoli Compliance Insight Manager mapping process for each and every
platform is coded using the Generic Scanning Language (GSL) and the Generic
Mapping Language (GML) in files that reside on the Tivoli Compliance Insight
Manager server. The chunks are sorted based on their timestamps and are
processed sequentially by the appropriate mappers. These mappers determine
the field translation values, that is, the mapper interprets the original log data and
translates the chunk data into the GEM database model.
Determine attributes
Security log data consists of records. Each record usually describes one event
that happened on the audited system. Central to GEM is the classification of
these events according to their W7 attributes. This is the process of normalizing
the data. W7 is an English Language format that describes: Who did What,
When, Where, From Where, Where To, and on What. The use of W7 formatted
information enables security specialists and non-technical personnel, including
auditors, to interpret audit information without the need for detailed knowledge of
each source. Most operating systems, infrastructure applications, and almost
every security device produces log data that is not readily understandable,
therefore mapping to the W7 format translates data into powerful audit
information.
The process of adding meta-information from the currently active policy to the
GEM records using the W7 classification scheme for the assets is often referred
to as grouping (or filtering).
The process of comparing each GEM event with the defined policies allows the
severity of each event to be evaluated. The policies applied to the event data
throughout this process determines the contents of the policy exception and
attention reports. When high severity events such as policy violations are
detected, an automatic e-mail alert can be sent to predefined recipients.
Note: Because mapping precedes and serves loading, the combination of the
two is also called load (in short form).
In the remainder of this section, we describe the key concepts related to mapping
and loading in more detail.
The W7 model
A security log consists of event records. Each record usually describes a single
event that occurred on the audited system. Tivoli Compliance Insight Manager
normalizes the collected event data into an English-based language called W7
so that it can easily be interpreted. All Tivoli Compliance Insight Manager
security events have seven basic attributes:
Who Which user or application initiated the event?
What What kind of action does the event represent?
When When did the event occur?
Where On which machine did the event happen?
OnWhat What object (for example, a file, database, or printer) was involved?
WhereFrom From which machine did the event originate?
WhereTo Which machine is the target or destination of the event?
Figure 2-11 shows the W7 model.
Benefit of using W7
The disparate platforms and systems generating the logs will often use different
terminology for the same action. For example, one operating system may use the
term logging on, while another operating system uses login. Similarly, one
system may request a user ID while another system asks for a user name.
Unless you are an expert in all of the different systems used by your
organization, it is very difficult to search through the logged data manually to find
all instances of a given action or user.
Mapping the raw event data into a standard set of seven distinctive attributes
enables a consistent method for monitoring, analyzing, and reporting,
irrespective of the original format of the event. When translating log records into
W7 format, the seven Ws of the event are determined from the structure and
content of the original log record. Log record formats are very different for every
Groups
In order to apply logic and draw conclusions from the normalized data, the events
have to be classified. Knowing that an event happened on Monday at 8.30 a.m. is
one thing, but in order to draw conclusions, it is more interesting to know whether
it happened during or outside a specific time period, for example, office hours.
Similarly, a user ID has certain access rights, detailing what a user is allowed to
initiate. These user access rights are usually dependent on their role, for
example, based on whether he or she is an administrator, regular user, or guest.
Therefore, all W7 attributes are classified into W7 groups. There are five types of
groups:
1. Who groups for classification of users and processes
2. What groups for classification of event types
3. When groups for classification of time periods
4. Where groups for classification of machines and devices
5. onWhat groups for classification of objects
The Where, Where from, and Where to attributes are all classified using the
same Where groups.
The Tivoli Compliance Insight Manager administrator can review and update this
information in the Grouping editor on the Tivoli Compliance Insight Manager
Management Console.
Figure 2-12 shows how the GEM event data is linked to the W7 model.
Figure 2-12 The relationship between the GEM event and the W7 model
The result of the grouping for a particular record can be viewed in the Event
detail report in iView, as shown in Figure 2-13 on page 67.
The column called Field shows the GEM field values of a GEM event. The
column Group shows for each GEM field value which W7 groups are linked to the
value to the left of it. For example, the GEM field value Administrator
(MSTESTCE\ADMINISTRATOR) is linked to at least two W7 groups:
Administrators and IT.
Policy management
Whether or not an event deserves special treatment is determined by comparing
the W7 groups it is classified into against a set of rules defined by the Tivoli
Compliance Insight Manager administrator. As previously mentioned, there are
two kinds of rules:
Policy rules These rules describe acceptable use, that is, allowed
behavior.
Attention rules These rules identify events deserving special attention.
Policy rules are used to monitor the way that information and processes are
being used within an organization, that is, they specify which actions can be
performed by which people on which systems at what times. Actions that do not
match a policy rule generate policy exceptions. Policy rules have an associated
priority that can be set to enable differentiation so that policy violations and other
exceptions can be processed according to their severity or importance. This
allows security administrators and auditors to focus on addressing those events
that have the most significant impact on the business.
By refining policy rules, you can ensure that existing policies are effective and
can even establish new policies that reflect the actual behavior of users, as
opposed to theoretical activities contained in policy manuals and non-automated
tracking systems.
Attention rules are used to highlight instances of events that are critical to the
organization. One typical application for these rules is to monitor change
management activities even if the events are allowed by your policy rules.
Actions that match an attention rule generate attentions. For example, by looking for
a specific instance of a data attribute in any of the W7 dimensions for certain
events, you can set an alert to notify someone of a change to a server’s
configuration.
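The following Python example, added here and not the product's GSL/GML mappers, ties together the W7 model, grouping and rule evaluation from the preceding sections on constructed Windows-style and UNIX-style records: each record is mapped into the seven W7 attributes (so that "Logon" and "login" become the same What), every attribute value is classified into W7 groups, policy rules decide whether the event is allowed or a policy exception, attention rules flag events regardless of policy, and alerts are produced for attentions and for exceptions at or above a severity threshold. The record formats, group tables, rules and severity values are all assumptions.

```python
import re
from datetime import datetime

# Constructed raw records from two platforms that name the same action
# differently (not real Windows or UNIX log formats). 1 Sep 2008 is a Monday.
RAW_RECORDS = [
    ("windows", "2008-09-01 08:45:12 SRV01 Logon Success User=MSTESTCE\\ADMINISTRATOR From=PC17"),
    ("unix", "Sep  1 22:10:03 srv02 login ok alice 10.0.0.5"),
    ("unix", "Sep  1 22:12:44 srv02 passwd ok root 10.0.0.5 bob"),
    ("unix", "Sep  1 22:13:10 srv02 login failed bob 10.0.0.5"),
]
WINDOWS_RE = re.compile(r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<action>\w+) "
                        r"(?P<status>\w+) User=(?P<user>\S+) From=(?P<src>\S+)(?: Object=(?P<obj>\S+))?")
UNIX_RE = re.compile(r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<action>\w+) "
                     r"(?P<status>\w+) (?P<user>\S+) (?P<src>\S+)(?: (?P<obj>\S+))?")
# Platform vocabularies unified into one What wording (assumed tables).
ACTION_VOCAB = {"logon": "Logon", "login": "Logon", "passwd": "Change password"}
STATUS_VOCAB = {"success": "Success", "ok": "Success", "failure": "Failure", "failed": "Failure"}

# W7 groups (constructed; kept in the Grouping editor in the product).
# Where, WhereFrom and WhereTo all use the Where groups.
WHO_GROUPS = {"administrator": {"Administrators", "IT"}, "root": {"Administrators", "IT"},
              "alice": {"Users"}, "bob": {"Users"}}
WHAT_GROUPS = {"Logon Success": {"Logon"}, "Logon Failure": {"Logon", "Failures"},
               "Change password Success": {"Account management"}}
WHERE_GROUPS = {"srv01": {"Domain controllers", "Servers"}, "srv02": {"Servers"},
                "pc17": {"Workstations"}, "10.0.0.5": {"Workstations"}}
ONWHAT_GROUPS = {"bob": {"User accounts"}}

# Policy rules: allowed combinations of groups ("Any" matches everything).
POLICY_RULES = [
    {"Who": "Administrators", "What": "Logon", "Where": "Servers", "When": "Office hours"},
    {"Who": "Administrators", "What": "Account management", "Where": "Servers", "When": "Any"},
    {"Who": "Users", "What": "Logon", "Where": "Servers", "When": "Office hours"},
]
# Attention rules: highlighted even when a policy rule allows the event.
ATTENTION_RULES = [
    {"What": "Account management", "label": "Account change"},
    {"Who": "Administrators", "When": "Outside office hours", "label": "Admin activity after hours"},
]
SEVERITY_BY_WHAT = {"Failures": 3, "Logon": 2}   # assumed; highest matching What group wins
ALERT_THRESHOLD = 3                               # exceptions at or above this are alerted


def to_w7(platform, line):
    """Mapping: normalize one raw record into the seven W7 attributes."""
    m = (WINDOWS_RE if platform == "windows" else UNIX_RE).match(line)
    if not m:
        raise ValueError("unmappable record: %s" % line)
    if platform == "windows":
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    else:  # syslog timestamps carry no year; 2008 is assumed for the sample
        when = datetime.strptime("2008 " + re.sub(" +", " ", m["ts"]), "%Y %b %d %H:%M:%S")
    what = "%s %s" % (ACTION_VOCAB.get(m["action"].lower(), m["action"]),
                      STATUS_VOCAB.get(m["status"].lower(), m["status"]))
    return {"Who": m["user"].split("\\")[-1].lower(), "What": what, "When": when,
            "Where": m["host"].lower(), "OnWhat": (m["obj"] or "-").lower(),
            "WhereFrom": m["src"].lower(), "WhereTo": m["host"].lower()}


def group_event(w7):
    """Grouping: classify every W7 attribute value into its W7 groups."""
    office = w7["When"].weekday() < 5 and 8 <= w7["When"].hour < 18
    return {"Who": WHO_GROUPS.get(w7["Who"], {"Unknown users"}),
            "What": WHAT_GROUPS.get(w7["What"], {"Other"}),
            "When": {"Office hours"} if office else {"Outside office hours"},
            "Where": WHERE_GROUPS.get(w7["Where"], {"Unknown machines"}),
            "OnWhat": ONWHAT_GROUPS.get(w7["OnWhat"], {"Other objects"}),
            "WhereFrom": WHERE_GROUPS.get(w7["WhereFrom"], {"Unknown machines"}),
            "WhereTo": WHERE_GROUPS.get(w7["WhereTo"], {"Unknown machines"})}


def rule_matches(rule, groups):
    """A rule matches when every dimension it names is among the event's groups."""
    return all(v == "Any" or v in groups[dim] for dim, v in rule.items() if dim != "label")


def load(records):
    """Map, group and apply rules; returns exceptions, attentions and alerts."""
    exceptions, attentions, alerts = [], [], []
    for platform, line in records:
        w7 = to_w7(platform, line)
        groups = group_event(w7)
        if not any(rule_matches(r, groups) for r in POLICY_RULES):
            sev = max(SEVERITY_BY_WHAT.get(g, 1) for g in groups["What"])
            exceptions.append({"event": w7, "severity": sev})
            if sev >= ALERT_THRESHOLD:
                alerts.append("policy exception (severity %d): %s by %s on %s"
                              % (sev, w7["What"], w7["Who"], w7["Where"]))
        for rule in ATTENTION_RULES:
            if rule_matches(rule, groups):
                attentions.append({"event": w7, "label": rule["label"]})
                alerts.append("attention: %s (%s on %s)" % (rule["label"], w7["Who"], w7["Where"]))
    return {"exceptions": exceptions, "attentions": attentions, "alerts": alerts}
```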
Alerting and notification
Alerts are messages that Tivoli Compliance Insight Manager sends when a
serious or potentially harmful security event has occurred. Alerts allow for a fast
response to the event by a systems manager or system administrator. The aim of
alerts is to raise attention for events that require a follow-up, that is, special
attention events or events above a defined severity level, such as security policy
exceptions. These properties are evaluated in the policy evaluation step of the
Map/Load process. The Map/Load process (mapper) sends alerts, as mentioned
in “Group and apply rules” on page 62.
Tivoli Compliance Insight Manager can send alerts through the following
protocols:
SMTP Alerts are sent as e-mails.
SNMP Alerts are sent as SNMP traps.
Custom alerts Alerts are sent through a mechanism invoked with a
user-provided program or script.
For more information about alerts, refer to Chapter 17, “Managing Alerts”, in IBM
Tivoli Compliance Insight Manager User Guide Version 8.5, SC23-6581.
Only those IT security policy rules that interact with the security functions on a
platform may be considered to become Tivoli Compliance Insight Manager
security policy rules.
The following requirements must be met in order to use Tivoli Compliance Insight
Manager to report on a particular policy:
1. The security functions on the target must contain audit functions to monitor
the actions relating to the rule.
2. Tivoli Compliance Insight Manager must support the platform and collect the
information that the target provides.
[Figure: a corporate IT security policy rule is committed as a Tivoli Compliance Insight Manager (TCIM) security policy]
policy to ensure that it reflects the “real world” environment and permissible
actions. Rules within policies can be adjusted at any time.
The Policy Generator is an automated tool for creating policies from loaded event
data in a database and, based upon the built-in knowledge of various platforms,
builds the most applicable policy from that data. This policy can then be loaded
and modified if desired using the Policy Editor in the Management Console.
Both standard and custom reports let you examine exceptions and events that
require special attention, and since the data presented in these reports is in the
W7 format, no specialized knowledge is required to interpret the output. Reports
are clear, concise, and integrate all security data for your review. Tivoli
Compliance Insight Manager provides a dashboard with graphical and statistical
overviews of logged activities, with drill-down capabilities to identify and examine
related events. Additionally, Tivoli Compliance Insight Manager’s clear illustration
of policy exceptions enables you to continuously monitor and tailor your security
policies to your changing business needs.
Custom reports
The Tivoli Compliance Insight Manager comes with standard reports, such as a
logon failures report. However, such a report does not
consider company-specific thresholds or provide a graphical representation of
the events, which can help to directly identify an account that might be under
attack. To create a custom report, follow these steps:
1. Open the portal and select iView → Reports → Add Custom Report.
2. Enter general information in the Report Editor page.
3. Complete the Report Layout.
4. Define the Report Type and select the columns you want to see in the report.
5. Select the events that should be reported.
6. Enter the conditions to the report.
7. Save the report.
A detailed description of creating customized reports and when and how reports
are distributed can be found in the IBM Redbooks publication Compliance
Management Design Guide with IBM Tivoli Compliance Insight Manager,
SG24-7530.
Compliance management modules
From the boardroom to information technology departments, rules and
regulations are placing ever-increasing demands on organizations of all sizes. In
the middle are IT security managers and auditors, who face the overwhelming
task of understanding the regulations and implementing a wide array of
compliance measures.
Regulations underscore the need to understand who is touching the most crucial
corporate data, and whether this behavior complies with security policy. You can
use Tivoli Compliance Insight Manager to monitor all security events and audit
them against your security policy.
Report distribution
Tivoli Compliance Insight Manager Version 8.5 provides the functionality for the
automated distribution of reports in full or as excerpts to a predefined group of
Tivoli Compliance Insight Manager users. This report distribution functionality is
available through the Web interface of iView. More information about the report
distribution functionality can be found in Chapter 32, “Distributing Reports”, in
IBM Tivoli Compliance Insight Manager User Guide Version 8.5, SC23-6581.
2.4 Conclusion
Tivoli Compliance Insight Manager gathers audit information from across the
organization and compares activity to the acceptable use policies defined by both
your organization and by your regulators. The core of Tivoli Compliance Insight
Manager is based on a secure, reliable, and robust log collection engine that
supports effective, complete log collection and fast, efficient query and retrieval.
By focusing on security from the inside, it uses the W7 methodology (Who, did
What, on What, When, Where, Where from, and Where to) to consolidate,
normalize, analyze, and report on vast amounts of user behavior and system
activity. As a result, organizations can quickly and easily reveal who touched
what within the organization (with alerts and proactive reports) and compare that
activity to an established internal policy or external regulations. Numerous
organizations rely on the policy-based approach of Tivoli Compliance Insight
Manager to simplify monitoring the activities of privileged users, such as
administrators and outsourcers, improving security auditing, compliance
monitoring, and enforcement for heterogeneous environments, ranging from
super servers to the desktop.
After having read and understood this chapter and the additional sources that
were mentioned in this chapter, you should be able to answer all planning
questions of the certification test. Please note that practical experience is
essential in passing the certification test successfully.
76 Certification Study Guide: IBM Tivoli Compliance Insight Manager V8.5
Chapter 3. Installation
A Compliance Management System consists of many components and requires
extensive planning, as we discussed in Chapter 2, “Planning” on page 39. In this
chapter, we provide a high-level overview of the Tivoli Compliance Insight
Manager installation process. For more detailed, step-by-step installation
instructions, refer to the Deployment Guide Series: IBM Tivoli Compliance Insight
Manager, SG24-7531 and IBM Tivoli Compliance Insight Manager Installation
Guide Version 8.5, GC23-6580.
After having read and understood this chapter and the additional sources that will
be provided in this chapter, you should be able to answer all of the exam
questions related to the installation process. Please note that practical
experience is essential in passing the certification exam successfully.
In this context, we take a closer look at the following functional areas that are
crucial for the installation of the Tivoli Compliance Insight Manager:
Supported software and operating systems
Network traffic requirements
Centralized user management
The Tivoli Compliance Insight Manager Web applications have the following
software requirements:
Internet Explorer 6.0
– Style sheet supported and enabled
– JavaScript™ supported and enabled
– Java™ applets supported and enabled
– Cookies enabled
Connect the Actuator to the Tivoli Compliance Insight Manager servers
through a TCP/IP network.
The database engine must be installed on all servers. However, only the Security
Server has an LDAP server installed. During installation of the database engine
and the LDAP server, you specify one of the following:
You want to install the user directory (for a Security Server)
You want to connect to the user directory (for a Grouped Server)
Both the Security Server and the Grouped Servers can be either Tivoli
Compliance Insight Manager Standard Servers or Enterprise Servers. However,
because of the resource requirements of an Enterprise Server, you may want to
consider using a Standard Server for the Security Server.
Prior to the installation of the Tivoli Compliance Insight Manager, you first need to
install and configure the DB2® database and IBM Tivoli Directory server that will
be used for hosting the GEM database and the user directory. The installation
needs to be performed by a user with sufficient privileges to install the software,
such as a Local Administrator.
For more information about the installation of the Security Server, see the IBM
Tivoli Compliance Insight Manager Installation Guide Version 8.5, GC23-6580.
Figure 3-1 on page 83 shows all of the details that need to be entered as part of
the database engine installation.
After the installation of the database engine is complete, you must reboot your
system before continuing with the installation of the other Tivoli Compliance
Insight Manager components.
After entering the target directory for the installation, we continue with the
creation of the Tivoli Compliance Insight Manager user account. Figure 3-2
shows the creation of the Tivoli Compliance Insight Manager user account.
In the database connection window shown in Figure 3-3 on page 85, we specify
the database instance. This is a database instance that Tivoli Compliance Insight
Manager can use that was specified during the installation of the database
engine.
After entering the required parameters, you will see the target directories where
the components will be installed. For a step-by-step explanation of the Tivoli
Compliance Insight Manager Standard Server installation process, refer to IBM
Tivoli Compliance Insight Manager Installation Guide Version 8.5, GC23-6580.
Verification of the Standard Server installation
After finishing the setup, we need to ensure that the installation was successful.
Figure 3-4 shows the Setup Complete window displayed after the completion of
the installation. This window lists the Tivoli Compliance Insight Manager
components that were installed, and whether the installation succeeded.
For more information about the installation of the Tivoli Compliance Insight
Manager Standard Server, see the IBM Tivoli Compliance Insight Manager:
Installation Guide, GC23-6580.
3.2.3 Installation of Tivoli Compliance Insight Manager Enterprise Server
There are two primary installation options for the Enterprise Server: You can
install a new server or upgrade a Standard Server. When performing an upgrade
from a Standard Server, you simply install the consolidation component.
For more information about the installation of the Tivoli Compliance Insight
Manager Enterprise Server, see the IBM Tivoli Compliance Insight Manager:
Installation Guide, GC23-6580.
Figure 3-5 on page 89 shows a message box that comes up once the Standard
Server of Tivoli Compliance Insight Manager is installed. If you install an
Enterprise Server later and would like to register this Standard Server to the
Enterprise Server, then you can do so by running the command that is saved in a
text file. The location of this text file is shown in this message box. You can
retrieve this text file and copy the command for use when you register the
Standard Server with the Enterprise Server.
Where:
– hostname is the name of the system on which dataserver is installed.
– TCPport is the TCP port that the database uses to communicate. (The default value is 50001.)
– dataserver is the database server where the engine for the Standard Server to be registered resides.
– DBcifownerpwd is the password for the DB_cifowner_user user account.
– OS-user is the operating system user account for Server on the Standard Server.
– OS-user password is the password for the OS-user account.
3.3 Conclusion
In this chapter, we gave an overview of how to plan the installation of the Tivoli
Compliance Insight Manager. We also showed how to install the Tivoli
Compliance Insight Manager Standard Server, including the registration of the
Standard Server to the Enterprise Server.
Chapter 4. Configuration
Before Tivoli Compliance Insight Manager can collect the audit trails for
monitoring, the auditing functionality must be enabled and configured properly on
the target systems. In this section, we describe the auditing configuration of the
Windows and AIX platforms. We also explain how to configure the new event
sources and the deployment of the Actuators. The last section of this chapter
shows how to create the policies. In this context, we describe how to create and
modify W7 groups and how to use these groups in policies.
After having read and understood this chapter and the additional sources that will
be provided in this chapter, you should be able to answer all of the exam
questions related to the configuration process. Please note that practical
experience is essential in passing the certification exam successfully.
In this section, we describe the settings that are configured for all of the Windows
2003 servers, as well as settings specific to the Active Directory® and File and Print
servers.
Figure 4-1 on page 93 shows the configuration of the audit policy settings by
using the Microsoft Management Console (MMC).
By default, the Active Directory is configured to log critical and error events only.
Only change this behavior if a detailed investigation is needed, because
extensive logging of events can quickly consume data storage space.
The following types of events that can be written to the event log are defined in
the Active Directory:
– Knowledge Consistency Checker (KCC)
– Security Events
– ExDS Interface Events
– MAPI Events
– Replication Events
– Garbage Collection
– Internal Configuration
– Directory Access
– Internal Processing
– Performance Counters
– Initialization/Termination
– Service Control
– Name Resolution
– Backup
– Field Engineering
– LDAP Interface Events
– Setup
– Global Catalog
– Inter-Site Messaging
Microsoft has defined the following levels of diagnostic logging for the Active
Directory:
0 - (None) Only critical events and error events are logged at this level.
1 - (Minimal) Very high-level events are recorded in the event log at this setting.
2 - (Basic) Events with a logging level of 2 or lower are logged.
3 - (Extensive) Events with a logging level of 3 or lower are logged.
4 - (Verbose) Events with a logging level of 4 or lower are logged.
In this stage of the process, the desired level of logging on Security Events and
Directory Access needs to be decided. These settings are applied through the
registry settings as follows:
1. Run regedit on the Active Directory target machine.
2. Navigate to the registry subkey
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
3. Assign a value from 0 to 5 for each of the available REG_DWORD values in
this Diagnostics subkey. Figure 4-3 shows some example values from the
registry.
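As an added example (not from the Redbook or the product), the following Python module audits the Diagnostics subkey from a regedit export, reports the categories whose level differs from what this chapter's example needs, and can write the REG_DWORD values on a domain controller through winreg. The numeric prefixes in the value names ("2 Security Events", "8 Directory Access" and so on) are an assumption based on the standard layout of the subkey; verify them in regedit on your own domain controller before applying anything.

```python
"""Audit and set Active Directory diagnostic logging levels (NTDS\\Diagnostics).

Added example, not from the Redbook. The registry value names follow the
"<n> <category>" layout of the NTDS\\Diagnostics subkey; the numeric prefixes
are an assumption to verify in regedit before use.
"""
import re
import sys

try:
    import winreg  # Windows only; the pure functions below run anywhere
except ImportError:
    winreg = None

DIAG_KEY = r"SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"

# Categories in the order the chapter lists them; the index becomes the value-name prefix (assumed).
CATEGORIES = [
    "Knowledge Consistency Checker", "Security Events", "ExDS Interface Events",
    "MAPI Interface Events", "Replication Events", "Garbage Collection",
    "Internal Configuration", "Directory Access", "Internal Processing",
    "Performance Counters", "Initialization/Termination", "Service Control",
    "Name Resolution", "Backup", "Field Engineering", "LDAP Interface Events",
    "Setup", "Global Catalog", "Inter-site Messaging",
]
VALUE_NAMES = {cat: f"{i} {cat}" for i, cat in enumerate(CATEGORIES, start=1)}

MIN_LEVEL, MAX_LEVEL = 0, 5   # the chapter: assign a value from 0 to 5

_REG_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse the Diagnostics section of a .reg export into {value_name: level}."""
    levels = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().endswith(DIAG_KEY.lower() + "]")
            continue
        m = _REG_LINE.match(line) if in_section else None
        if m:
            levels[m.group("name")] = int(m.group("hex"), 16)
    return levels


def check_levels(current, required):
    """Return {category: (actual, expected)} for every category whose level deviates.
    A category missing from the export is reported with actual=None."""
    deviations = {}
    for category, expected in required.items():
        actual = current.get(VALUE_NAMES[category])
        if actual != expected:
            deviations[category] = (actual, expected)
    return deviations


def plan_levels(required):
    """Validate the requested levels and map categories to registry value names."""
    plan = {}
    for category, level in required.items():
        if category not in VALUE_NAMES:
            raise KeyError(f"unknown NTDS diagnostics category: {category}")
        if not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError(f"{category}: level {level} outside {MIN_LEVEL}..{MAX_LEVEL}")
        plan[VALUE_NAMES[category]] = level
    return plan


def apply_levels(required):
    """Write the REG_DWORD values on a Windows domain controller (needs admin rights)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    plan = plan_levels(required)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DIAG_KEY, 0, winreg.KEY_SET_VALUE) as key:
        for name, level in plan.items():
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, level)
    return plan


# Constructed sample: an abbreviated .reg export of the subkey, not from a real domain controller.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Diagnostics]
"1 Knowledge Consistency Checker"=dword:00000000
"2 Security Events"=dword:00000000
"8 Directory Access"=dword:00000002
"16 LDAP Interface Events"=dword:00000000
"""

# The two categories this chapter's example decides on, at the Basic level.
REQUIRED = {"Security Events": 2, "Directory Access": 2}

if __name__ == "__main__":
    current = parse_reg_export(SAMPLE_EXPORT)
    for cat, (actual, expected) in check_levels(current, REQUIRED).items():
        print(f"{VALUE_NAMES[cat]}: is {actual}, expected {expected}")
    if winreg is not None and "--apply" in sys.argv:
        apply_levels(REQUIRED)
```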
Note: The example in this chapter describes the monitoring of a single Active
Directory server only. For bigger Active Directory implementations where a
domain forest has been implemented, the process for monitoring the single
Active Directory server shown in this chapter would need to be repeated for
each member of the forest.
3. Select the Auditing tab. Figure 4-6 shows the default contents of this tab.
5. An Auditing Entry window for the selected folder is displayed. Select an Apply
onto option from the available drop-down menu and check the appropriate
access options before clicking OK. As you can see in Figure 4-8, we decided
to monitor the create, read, write, and delete access to this folder, as well as
all subfolders and files.
6. The new auditing entry will now appear in the Advanced Security Settings
window, as shown in Figure 4-9 on page 101.
100 Certification Study Guide: IBM Tivoli Compliance Insight Manager V8.5
Figure 4-9 The new auditing entry is displayed in the Advanced Security Settings window
7. Click OK to close.
For additional guidance about how to configure the Windows audit settings for
use with Tivoli Compliance Insight Manager, refer to the IBM Tivoli Compliance
Insight Manager Installation Guide Version 8.5, GC23-6580.
We suggest using the BIN module for the production servers. To start, stop, and
query the audit subsystem, use the /usr/sbin/audit command.
To audit object access on an AIX system, you must define the object audit event
types and which objects you want to monitor.
For additional guidance on how to configure the AIX audit subsystem for use with
Tivoli Compliance Insight Manager, refer to IBM Tivoli Compliance Insight
Manager Installation Guide Version 8.5, GC23-6580.
4.3 Configuring the new event sources
Now that the audit subsystems have been configured on the target machines, the
Tivoli Compliance Insight Manager server needs to be configured to monitor the
targets. This configuration involves the following high-level steps in the Tivoli
Compliance Insight Manager Management Console:
1. Create a GEM database to store the event data.
2. Create a Windows and an AIX Machine Group and add the machines to be
audited.
3. Add the individual event sources for each target machine.
These steps should be performed to add each machine:
1. Right-click the WindowsSystems machine group shown in the Management
Console Machine View and select Add Machine. The Add Machine Wizard
will begin (see Figure 4-13).
3. Enter the name of the target machine(s) to be audited in the Name input box
within the Machine frame and click the Add button. As illustrated in
Figure 4-15 on page 107, the machine name now appears in the Selected
frame. Click Next.
The Tivoli Compliance Insight Manager server, in turn, relies on the Computer
Browser service to obtain a database of all existing systems in the domain as
well as in the other domains or workgroups. The Computer Browser service relies
on NetBIOS name resolution (port 139), which runs on every Microsoft Windows
target system. If the systems are separated by a firewall, you must ensure that
netbios-ssn (port 139) is opened on the firewall in both directions.
Note: Checking the Show Available Event Source Types box causes the
Event Source Type panel on the right hand side of the window to appear. This
allows you to browse the supported event sources for the type of machine you
are adding.
Figure 4-15 Choose Audited Machines
4. A local Actuator will be installed on each of the target machines. This option is
selected in Figure 4-16. Click Next.
6. Providing that the port you have configured is available, the message box
shown in Figure 4-18 will be displayed. Click OK on the Test IP and Port
message box. Click Next in the New Point of Presence window to advance
the Wizard.
Note: When adding the Windows 2003 server machines that are not Active
Directory servers, only the Microsoft Windows event source would be
selected.
A configuration file is created for each audited machine based on the choices
made during the previous Add Machine steps. The Management Console stores
the configuration file in the default folder Install_Dir\Server\config\machines. If
the Management Console is running on a remote system, the configuration file is
stored on the remote system under Install_Dir\ManConsole. This file will be
needed during the manual installation of the Actuator on the audited machines.
The steps that follow describe how to complete the Microsoft Active Directory
Event Source wizard for an example server:
1. Click Next on the Event Source Wizard welcome window that is displayed in
Figure 4-21.
3. Within Tivoli Compliance Insight Manager, it is possible to define schedules
for the event sources to automatically collect the security data from the audit
platform. Every time a schedule runs, the Tivoli Compliance Insight Manager
server connects to the event source and instructs it to collect the security
data. The data is then transmitted to the Tivoli Compliance Insight Manager
server as a chunk. The next window that appears allows you to choose a
Collect Schedule, as shown in Figure 4-23. Configure the desired schedule
and click Next.
5. Figure 4-25 on page 115 shows the next window that is displayed. This
window allows you to configure a Load Schedule for loading the data from the
event source into the GEM database. The Load Schedule should be related to
the Collect Schedule that was configured in step 3. Configure the Load
Schedule and click Next.
Note: In general, set the load frequency to an interval as long as or longer
than the Collect Schedule interval. For example, data may be collected
hourly, and loaded twice a day. It is unlikely that you would want to collect
data twice a day, and load it hourly.
Set the Load Schedule time at least 15 minutes after each scheduled
collection time. This delay ensures that Tivoli Compliance Insight Manager
loads the most recently collected data into the database.
For more information about the configuration of the new event sources, refer to
IBM Tivoli Compliance Insight Manager Installation Guide Version 8.5,
GC23-6580.
To install the Actuator manually, run the setup.exe program in the \NT directory of
the IBM Tivoli Insight Manager for Windows 2003 CD3. After entering the
directory for the Actuator installation, you will be asked to also enter the path to
the configuration file shown in Figure 4-27. The configuration file was created
when adding the event source through the Management Console.
In the next step the setup will be performed. The installation wizard will
automatically install the updates that have been included with the installation
media. After the successful installation, the current patches and platform updates
need to be obtained from IBM Tivoli Support. Verification of the installation can
be done by viewing the register.ini file.
For more information about the Actuator installation, refer to the IBM Tivoli
Compliance Insight Manager Installation Guide Version 8.5, GC23-6580.
4.5 Configuration of the audit policy (W7 groups and rules)
Now that the audit subsystems have been configured on the servers and the
event sources have been registered with Tivoli Compliance Insight Manager, the
W7 rules can be configured on the Standard Server. In particular, the groups
need to be defined, along with the appropriate W7 policy and attention rules.
3. The next window that is displayed allows us to select the machine where the
User Information Source resides. Figure 4-31 shows that, for this example,
the server FSPDC is selected. Click Next.
5. The User Information Source properties are displayed on the next window, as
shown in Figure 4-33. We click the Edit button to modify the Domain name.
7. Now we can choose a Collection Schedule for extracting information from the
specified UIS before clicking Next to continue (refer to Figure 4-35).
9. The new User Information Source is now displayed in the Event Source view
of Management Console, as shown in Figure 4-37.
Figure 4-37 Grouping Active Directory UIS is available in the Management Console
Viewing the User Information Source
Once the first scheduled UIS collection is complete, we can view the user
information grouping definitions that have been collected.
Select Policy → View Automatic Policy and choose the current time in order to
get the most recent grouping definition.
The following process can be used to create a new policy that includes grouping
and policy rules for the Windows event sources that are being monitored:
1. Duplicate the latest committed policy to create a new working policy.
2. The new working policy can be used for customizing the W7 group definitions.
The Group Definition Set from the UIS can be imported into this policy.
3. Create appropriate W7 policy rules and attention rules for policy building.
4. Load the database using this working policy.
5. Commit the policy when the W7 rules are producing the desired results.
Each of these five steps is described in more detail in this section.
A new policy appears under the Work folder, as shown in Figure 4-39.
Figure 4-40 Import Group Definition Set
2. We can use the Browse button to search for the correct configuration file, as
shown in Figure 4-41.
Figure 4-42 NT folder for the automatic policy contains the config file
Figure 4-43 Select group definition file
5. In Figure 4-44, we configure the group definition set name to be “FSPDC” and
click OK.
Figure 4-45 Locate the new group definition set in the working policy
2. Figure 4-47 shows how to create a requirement to specify the new condition.
Right-click the condition and select New Requirement.
3. As you recall, object access auditing was configured in 4.1.3, “File server
settings: Object access auditing” on page 96. These configured audit settings
on the target machine will result in user actions in the C:\Finance folder (and
its contents) being logged by Windows. These logged events describe actions
on the finance share. When mapped by Tivoli Compliance Insight Manager,
these events will have a W7 Object Path value that starts with “C:\finance”.
Therefore, the requirement “Object Path starts with C:\Finance” is configured,
as shown in Figure 4-48.
Figure 4-49 W7 group definition for the Windows financial data file share
The default committed policy that was used as the basis for the current working
policy contains a number of predefined policy rules and attention rules. We need
to analyze the existing policy and attention rules to ensure that they are all
appropriate to our IT environment.
New rules also need to be created to customize the rules to meet environment
specific needs. This section describes the process of creating one of the policy
rules that we would like to introduce to the policy. The rule is defined in Table 4-1.
The following figures show the steps involved to create the new policy rule from
the Policies view in the Management Console:
1. Ensure that the Policy tab is selected and right-click in the Policy Rules
window. Select New Rule, as shown in Figure 4-50 on page 135.
Figure 4-50 Create a new policy rule
2. As you can see in Figure 4-51, an Edit Rule window appears that allows us to
enter the W7 groups that specify the new rule. Click OK.
3. The new rule appears in the Policy Rules list, as shown in Figure 4-52.
4. Once the new policy rules have been defined, the working policy must be
saved. The Save option is under the Policy menu (see Figure 4-53).
Figure 4-54 W7 What group: User Actions - Deletions
This What group can now be used in the new Attention rule that is created.
Here is an outline of the steps involved in creating the new Attention rule for
capturing any deletion events on the Windows financial data file shares:
1. Ensure that the Attention tab is selected and right-click in the Attention Rules
window. Select the New Rule option, as shown in Figure 4-55.
3. After we click OK in the Edit Rule window, the new Attention rule appears in
the Attention Rules window, as shown in Figure 4-57.
Alerts
As described in the previous section, we decided to configure an alert that sends
an e-mail to the security IT administrator staff when deletions are performed on
objects in the confidential file shares.
The following steps describe how an e-mail alert is created for the Windows
finance file share:
1. Open the Alert Maintenance window in the Management Console. Click the
New button, as shown in Figure 4-58.
3. The Edit Alert window is displayed, as shown in Figure 4-60 on page 141. We
configure the alert to send an e-mail to the recipient admin@tfac.com when
events matching the attention rule with ID DeleteFinancials occur. Click OK.
Figure 4-60 Edit Alert options
4. The alert is updated with the new configured settings. Click the Protocol
Settings button shown in Figure 4-61 to configure the protocols in use.
Protocol settings apply to all alerts that are sent using the same protocol.
We can wait for the next scheduled collection and load to occur. Alternatively, we
can temporarily cancel the scheduled load and manually load the database
instead.
Here is the process for manually loading the database:
1. Locate the database that you plan to load in the database view of the
Management Console. Right-click it and select Load, as shown in
Figure 4-63.
3. We select the GENERAL database in the next window and click Next, as
shown in Figure 4-65.
5. In the next window, shown in Figure 4-67, we decide whether to perform a
data collection now or whether to use the data that has already been collected
through an earlier collection process.
7. Click Finish in the completion window for the wizard, as shown in
Figure 4-69.
8. When we refresh the database view in the Management Console, we see that
the status for that database changes to the value “Loading...” to signify that
the load process has started. When the load is complete, the status will be
“Loaded” and the time and date of the last load will also be updated.
To commit the working policy, we simply right-click the policy (in the work folder of
Management Console Policy Explorer) and select Commit. When the policy has
been committed, it will appear under the Committed folder.
4.6 Conclusion
Event source configuration was the main topic of this chapter. We showed how
auditing can be configured and enabled on the target systems. The next section
described how to configure new Windows event sources. Without an Actuator on
a target system, it is not possible to gather log data from that system, so we
dedicated a section in this chapter to this topic. The last section of this chapter
described how to configure an audit policy. Basically, these are the W7 groups
and the rules. To work with gathered data, it has to be loaded into the database,
which was one of the last steps described in this chapter.
We are now ready to run reports from the log data that was loaded into the
database, which we discuss in Chapter 6, “Administration” on page 179.
Note: In this chapter, the configuration of the auditing settings and the
installation of the Actuators on the target machines have been explained in
detail only for the chosen example platforms. For more information about the
remaining platforms supported by the Actuators, refer to the IBM Tivoli
Compliance Insight Manager Installation Guide Version 8.5, GC23-6580.
Work around: Only run one instance of the installation program at a time.
After launching the installation program, wait a sufficient amount of time for
the installation wizard to start.
The installation program does not verify that different ports are used for LDAP
and DB2.
If the same port number is specified for both Tivoli Directory Server and DB2,
the installation program does not report an error. However, different ports
must be used.
Work around: Ensure that different port numbers are specified for Tivoli
Directory Server and DB2 during installation.
After infrastructure component installation failure, you must manually remove
any installed components.
If the installation program fails while installing one of the infrastructure
components, you must manually remove any infrastructure components
previously installed, or partially installed, before running the installation
program again.
Work around: Manually remove any installed, or partially installed,
components before running the installation program again.
The server installation fails if the installation program is run using a
nonstandard Windows shell.
If the Tivoli Compliance Insight Manager installation program is run from a
nonstandard Windows shell, the subsequent installation of the Tivoli
Compliance Insight Manager server might fail with a message such as No
suitable driver found.
Work around: If using a nonstandard Windows shell, you must reboot the
Windows system after installing the infrastructure components. You can then
install the Tivoli Compliance Insight Manager server. Alternately, only run the
installation program from Windows Explorer or the Windows Command
Prompt.
You cannot uninstall DB2 when the Tivoli Compliance Insight Manager server
is uninstalled.
When uninstalling the Tivoli Compliance Insight Manager server, the option to
also remove the database engine is not available. You cannot have DB2
uninstalled automatically when you uninstall the Tivoli Compliance Insight
Manager server.
Work around: After uninstalling the Tivoli Compliance Insight Manager server,
uninstall DB2.
If you uninstall a Tivoli Compliance Insight Manager server and then attempt
to reinstall the server on the system, the installation will fail attempting to
create a DB2 buffer pool because the buffer pool already exists.
Work around: If you intend to reinstall a Tivoli Compliance Insight Manager
server on a system, go to the DB2 Control Center and delete the buffer pools
and table spaces associated with the server. Then install the server.
After upgrading, some information about the AggrDb summary report is
missing.
After upgrading from a previous version of Consul InSight or Tivoli
Compliance Insight Manager, some information about the AggrDb summary
report, such as the platform information, is missing.
Work around: After the first successful load after the upgrade, the information
on the summary report page will be correct.
After upgrading, the GEM database status is shown as Loaded instead of
Cleared.
After upgrading from a previous version of Consul InSight or Tivoli
Compliance Insight Manager, the GEM databases are migrated from Oracle
to DB2. The status of the GEM databases should be indicated as cleared;
however, the status of the GEM databases in iView indicates the status of the
database at the time of the upgrade.
Work around: Ignore the status displayed for the GEM databases until the
next load.
You cannot install the infrastructure components by using a configuration from
a previously deployed solution.
On a system where the installation program was started to install the
infrastructure components and then was cancelled, if you subsequently run
the installation program again and attempt to use a configuration from a
previous solution deployment, the installation program simply closes without
performing any action.
Work around: Do not use a configuration from a previously deployed solution
to modify an existing installation. Use the default solution configuration.
During an upgrade, the Security Server must remain active while other
servers are upgraded.
When upgrading a grouped server, the Security Server must remain available
and operational. Otherwise, the upgrade of the grouped server might fail.
Work around: The system that will become the Security Server must be
upgraded first. When upgrading other servers or installing new servers, do
not shut down or restart the Security Server.
Work around: Ensure that all servers in a Security Group have the same
locale set.
Performing a manual load of a GEM database with a set sliding schedule
stops scheduled loads.
If a manual load of a GEM database is done on a database with a sliding
schedule set, future scheduled loads of the database do not occur as
expected.
Work around: Do not perform a manual load of a GEM database if a sliding
schedule is set. If this cannot be avoided, after performing the manual load,
reestablish the schedule and then restart the mapper service.
Running many concurrent loads of GEM databases can result in errors or a
possible deadlock.
When multiple concurrent loads are being performed to the GEM databases,
it is possible that some might fail with unexpected errors and some might
encounter a deadlock situation (2977096565).
Work around: Try to run loads of the GEM databases serially as much as
possible. Alternately, you can increase the size of the locklist by running the
following DB2 command:
db2 update db cfg using locklist 30000
The default value is 15000.
When you use the db2 audit facility to determine problems, it must be stopped and
started explicitly. When it is started, it uses the existing audit configuration
information. Because this facility is independent of the DB2 server, it remains
active even if the instance is stopped; stopping the instance may generate an
audit record in the audit log.
The db2 audit facility affects the performance of the Tivoli Compliance Insight
Manager server, so run the db2audit prune all command frequently to prune the
current audit log.
Let us now discuss the details of the various log files and available diagnostic
tools.
The Tivoli Compliance Insight Manager Log Manager contains a set of reports to
monitor log collection activities. Please refer to Tivoli Compliance Insight
Manager User Reference, SC23-6581 for a detailed description of reports.
The History Report shows the number of log collection events that occurred
during a given period of time. A log collection event is each instance when Tivoli
Compliance Insight Manager attempted to collect audit data. This report tracks
the status of log collection events; in the case of a failed log collection, the report
provides diagnostic information that you can use to resolve the issue. The Log
Continuity Report analyzes log sets, the collected logs stored in the log depot,
and reports on how complete the log sets are. If a log set is incomplete, then the
report provides diagnostic information that you can use to resolve the issue. Log
Manager reports are only available on the Enterprise Server.
5.2.1 Tasks
Before we look at these log files, we need to discuss several schedules in a Tivoli
Compliance Insight Manager environment that create and write to the log files.
The schedules that should be synchronized for Standard Servers are collect,
load, restart, and report distribution.
The collect schedule depends on the amount of log data that the event source
produces. Collection on a daily basis after regular office hours is recommended.
The user information source collection schedule should be prior to any last
collection of the day, before the load schedule runs. For example, if the last
collection of the day is at 10:00 p.m., the user information source collect schedule
should be a few minutes before 10:00 p.m.
As with the collect schedule, the load schedule should be sequential, that is, the
next load schedule should begin after the last load has completed. Analyze the
mainmapper log files related to the GEM database to determine how long it takes
to load the GEM database.
The restart task should be scheduled before the start of the first scheduled daily
mapping. By looking at the database view in the Management Console, you can
determine when this first mapping takes place. This task should be scheduled
every 12 hours.
Report distribution should be scheduled after the load schedule has completed.
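The ordering rules above, together with the load-after-collect note from the event source configuration in Chapter 4, can be checked mechanically before a Standard Server goes into production. The following Python module is an added example (not from the Redbook or the product): the 15-minute load gap and the 12-hour restart interval come from the text, while the 30-minute window used for "a few minutes before", the load duration and all sample times are constructed.

```python
"""Consistency check for the collect, load, UIS, restart and report distribution
schedules of a Standard Server. Added example, not from the Redbook or the product.
Times are minutes after midnight on a 24-hour clock."""
from dataclasses import dataclass

MIN_LOAD_GAP = 15        # load at least 15 minutes after the collection it depends on (from the text)
UIS_LEAD_MAX = 30        # UIS collection at most this long before the last collection (assumed)
RESTART_INTERVAL = 12 * 60   # restart task every 12 hours (from the text)


def hhmm(text):
    """'22:00' -> minutes after midnight."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


def fmt(minutes):
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


@dataclass
class Schedules:
    collect: list            # collection times for the event source
    load: list               # load start times for the GEM database
    load_duration: int       # load time observed in the mainmapper log files
    uis_collect: int         # user information source collection time
    restart: list            # restart task times
    report_distribution: int


def check_schedules(s):
    """Return the list of rule violations; an empty list means the schedules are consistent."""
    problems = []
    collect, load, restart = sorted(s.collect), sorted(s.load), sorted(s.restart)

    # Rule 1: load no more often than collect (collect hourly, load twice a day is fine).
    if len(load) > len(collect):
        problems.append("load runs more often than collect")

    # Rule 2: each load starts at least MIN_LOAD_GAP minutes after the latest collection.
    for t in load:
        earlier = [c for c in collect if c <= t]
        if not earlier:
            problems.append(f"load at {fmt(t)} has no collection before it")
        elif t - earlier[-1] < MIN_LOAD_GAP:
            problems.append(f"load at {fmt(t)} is only {t - earlier[-1]} min after "
                            f"the collection at {fmt(earlier[-1])}")

    # Rule 3: loads are sequential; the next load starts after the previous one completed.
    for prev, nxt in zip(load, load[1:]):
        if nxt < prev + s.load_duration:
            problems.append(f"load at {fmt(nxt)} starts before the load at {fmt(prev)} finishes")

    # Rule 4: UIS collection shortly before the last collection of the day.
    lead = collect[-1] - s.uis_collect
    if not 0 < lead <= UIS_LEAD_MAX:
        problems.append(f"UIS collection at {fmt(s.uis_collect)} is not shortly before "
                        f"the last collection at {fmt(collect[-1])}")

    # Rule 5: a restart before the first daily mapping (first load), repeated every 12 hours.
    if not any(r < load[0] for r in restart):
        problems.append("no restart scheduled before the first load")
    for prev, nxt in zip(restart, restart[1:]):
        if nxt - prev != RESTART_INTERVAL:
            problems.append(f"restarts at {fmt(prev)} and {fmt(nxt)} are not 12 hours apart")

    # Rule 6: report distribution only after the last load has completed.
    if s.report_distribution < load[-1] + s.load_duration:
        problems.append("report distribution scheduled before the last load completes")
    return problems


# Constructed sample: hourly collection 08:00-22:00, loads at 13:30 and 22:30 (45 min each),
# UIS collection at 21:55, restarts at 07:30 and 19:30, report distribution at 23:30.
GOOD = Schedules(
    collect=list(range(hhmm("08:00"), hhmm("22:00") + 1, 60)),
    load=[hhmm("13:30"), hhmm("22:30")], load_duration=45,
    uis_collect=hhmm("21:55"), restart=[hhmm("07:30"), hhmm("19:30")],
    report_distribution=hhmm("23:30"),
)
# Same plan with the evening load moved to 22:05 and reports at 22:30: two violations.
BAD = Schedules(
    collect=GOOD.collect, load=[hhmm("13:30"), hhmm("22:05")], load_duration=45,
    uis_collect=GOOD.uis_collect, restart=GOOD.restart,
    report_distribution=hhmm("22:30"),
)

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad", BAD)):
        print(name, check_schedules(plan) or "ok")
```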
There are several job schedules that should be considered in the Enterprise
Server: consolidation, indexer, log continuity report generator, and centralized
log management. The jobs that can be scheduled are consolidation and the log
continuity report generator, because all others are scheduled automatically.
For reference, the centralized log management runs every minute, and the
indexer is scheduled to re-index every Sunday at 10:00 p.m.
The Tivoli Compliance Insight Manager creates and updates four different log file
types. These are:
– Server logs
– Consolidation logs
– Portal logs
– iView logs
All of these logs can be used, depending on the problem you are facing, for
troubleshooting. Let us go into more detail.
Server logs
The default directory for server logs is \server\log. The most common key files
are:
actuatornnn.log
Each event source has a corresponding actuatornnn.log, where nnn is the
event source ID. The information about starting a collection for an event
source is logged here:
Example of log entries:
<20080208 08:30:01 utc> P259M1V0.0.314L335A5S0E10:Crm: Opened ..\log\actuator100.log. Product: eprise.product.server.app. Version: 8.5.0. Builddate: 2008/01/17/21:36. Local time: 02/08/08 09:30:01.
<20080208 08:30:01 utc> P259M1V0.0.314L598A2S0E0:Dynamical tracing mechanism enabled.
<20080208 08:30:01 utc> P259M94V0.1.37L704A6S0E30:AuditActuator: successfully created ChunkTool osevents
auditctl.log
This log traces the Audit Controller activities, such as starting collection and
receiving of chunks from every event source.
Example of log entries:
<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog called with count=1 for spi VAJONT Microsoft Windows(15.1.100) on agent Main_Srv(12.1.1)
<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog called with count=1 for spi VAJONT IBM Tivoli Compliance Insight Manager Server Activity(15.1.101) on agent Main_Srv(12.1.1)
<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog called with count=1 for spi VAJONT IBM Tivoli Directory Server(15.1.103) on agent Main_Srv(12.1.1)
<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog called with count=1 for spi VAJONT Internet Information Server (IIS)(15.1.104) on agent Main_Srv(12.1.1)
<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog called with count=1 for spi VAJONT IBM Tivoli Compliance Insight Manager Web Applications(15.1.105) on agent Main_Srv(12.1.1)
<20080208 08:30:03 utc> P259M189V0.1.99L1821A4S0E230:AudCont: received log from eventsource VAJONT Microsoft Windows(18.1.100) on Main_Srv(12.1.1) (VAJONT:2008 02 08 09:30:02)
<20080208 08:30:04 utc> P259M189V0.1.99L1821A4S0E230:AudCont: received log from eventsource VAJONT IBM Tivoli Compliance Insight Manager Server Activity(18.1.101) on Main_Srv(12.1.1) (VAJONT:2008 02 08 09:30:02)
authdaemon.log
At least the following events are logged:
– Open/close connection
– Usage of fallback-account
– Reset fallback password
– Start and end of user-grants synchronization run
– Start and end of gemdb-permission synchronization run
– Start and end of CIFOWNER password reset
– Schedule that was read from ini-file
<20080208 09:49:50 utc> P259M143V0.3.569L1010A3S0E20:BlueBook:
bluebook call 3800 for user 8.111990001.1 from
Main_Srv(12.1.1):userinterface failed, return code: 1705; arguments:
'((time) 0.000000(uint) 0)'
<20080208 09:49:50 utc> P259M143V0.3.569L1010A3S0E20:BlueBook:
bluebook call 5900 for user 8.111990001.1 from
Main_Srv(12.1.1):userinterface failed, return code: 1705; arguments:
'((time) 0.000000(uint) 0)'
<20080208 09:49:51 utc> P259M143V0.3.569L1010A3S0E20:BlueBook:
bluebook call 3917 for user 8.111990001.1 from
Main_Srv(12.1.1):userinterface failed, return code: 1966; arguments:
'((objid) 15.1.100)'
IndexerDaemon.Vajont.log
From this log, the following information can be taken:
– The storage location of the indexer
– The start of the indexer process
– Chunks that are scheduled to be indexed
– The list of GSLs that are used for indexing
– The number of records and platform events that are indexed
Example of log entries:
<20080208 08:23:36 utc> P542M1533V0.0.70L453A7S0:IndexerDaemon:
IndexerDaemon started.
<20080208 08:23:36 utc> P542M1533V0.0.70L566A7S0:IndexerDaemon: Next
check for changed GSL at Sat Feb 09 22:00:36 CET 2008
<20080208 08:23:36 utc> P542M1533V0.0.70L579A7S0:IndexerDaemon: Next
check for new chunks processing at Fri Feb 08 09:24:36 CET 2008
...
<20080208 08:30:36 utc> P542M1533V0.0.70L282A7S0:Chunk scheduled to
be indexed: \\Vajont\CIFDEPOT\VAJONT.100\2MVWVJ0
<20080208 08:30:36 utc> P542M1533V0.0.70L282A7S0:Chunk scheduled to
be indexed: \\Vajont\CIFDEPOT\VAJONT.101\2MVWVJ0
...
<20080208 08:30:36 utc> P542M1533V0.0.70L532A7S0:Saving state at Fri
Feb 08 09:30:10 CET 2008
<20080208 08:30:36 utc> P542M1533V0.0.70L579A7S0:IndexerDaemon: Next
check for new chunks processing at Fri Feb 08 09:31:36 CET 2008
mainmapper-<GEM_DB_Name>.log
This log file gives you information about the load process of the GEM
database. Besides errors, it also records the mapper and bulk loading times
and the postprocessing times. <GEM_DB_Name> is a placeholder for the GEM
database name. The detailed information in these logs is about:
– Processing
– Mapping
– Loading
– Aggregation
Information about the following is also listed here:
– Postprocessing
– Bulk loading
– GSLs used while loading
– Number of events
– Records in chunk
– Execution time of aggregation
Example of log entries:
<20080208 11:05:03 utc> P542M550V0.0.75L231A7S0:Starting to map
chunk(s)
<20080208 11:05:03 utc> P542M550V0.0.75L286A7S0:MainMapper: load
window set to 0: intermediate loads have been disabled
<20080208 11:05:03 utc> P542M550V0.0.75L298A7S0:MainMapper: bulk
loads will happen serially.
<20080208 11:05:03 utc> P542M550V0.0.75L89A7S0:gensub.ini
[SubMapper] buckets_to_cache = 512
<20080208 11:05:03 utc> P542M550V0.0.75L89A7S0:gensub.ini
[SubMapper] keylimit = 500000
<20080208 11:05:03 utc> P542M550V0.0.75L734A7S0:MainMapper: Starting
GroupMapper
<20080208 11:05:03 utc> P542M550V0.0.75L122A7S0:BcpWriter: opening
bcp.mapping file for gem_property
<20080208 11:05:03 utc> P542M550V0.0.75L131A7S0:Using automatic
policy of 20080208120201
<20080208 11:06:30 utc> P542M902V0.0.59L294A7S0:PostProcessing:
checkTableIntegrity - start
<20080208 11:06:30 utc> P542M902V0.0.59L309A7S0:PostProcessing:
checkTableIntegrity - done
...
<20080208 11:06:36 utc> P542M902V0.0.59L353A7S0:STATUS:
Postprocessing succeeded for GEM.
...
<20080208 11:06:37 utc> P647M902V0.0.59L895A7S0:Got aggregation
database AggrDb
<20080208 11:06:37 utc> P647M902V0.0.59L909A7S0:Adding lock on
AggrDb for GEM
...
<20080208 11:06:56 utc> P647M902V0.0.59L966A7S0:Aggregation run for
CIFDB.GEM completed
<20080208 11:06:56 utc> P647M902V0.0.59L968A7S0:Execution time:
19141 millis
<20080208 11:06:56 utc> P542M540V0.0.151L390A7S0:STATUS: Aggregation
succeeded for GEM.
<20080208 11:06:56 utc> P542M540V0.0.151L260A7S0:Finishing contract
for GEM
<20080208 11:06:56 utc> P542M540V0.0.151L266A7S8:(4) Database loaded
successfully
<20080208 11:06:56 utc> P542M540V0.0.151L323A7S0:Finished contract
for GEM
plugger.log
The plugger.log file records which platform plugs and hotfixes were applied
during installation, and the result of applying each of them.
Example of log entries:
<20080208 09:00:36> The following Platform Plugs have FAILED to
apply:
<20080208 09:00:36>
<20080208 09:00:36> The following Platform Plugs have SUCCESSfully
been applied:
<20080208 09:00:36> - actdir
Consolidation logs
The key consolidation logs can be found in the consolidation\log directory. The
most important logs are:
install.log
This log file contains information about the initial consolidation installation of
Tivoli Compliance Insight Manager.
Example of log entries:
<20080208 09:18:53> Starting installation at :2-8-2008, 09:18:53
local Time
<20080208 09:18:53> Setup mode : First Install
<20080208 09:18:53> Tivoli Compliance Insight Manager Consolidation,
v8.5.0
...
<20080208 09:22:37> Finished setting security permissions ...
<20080208 09:22:37> File or folder 'C:\IBM2\TCIM\Indexes' marked as
compressed !
<20080208 09:22:37> Stopping service InSightTomCat
<20080208 09:22:39> Restarting service InSightTomCat
<20080208 09:22:40>
<20080208 09:22:40> Installation Tivoli Compliance Insight Manager
Consolidation finished successfully.
consolidation.log
This log contains information about Standard Servers that were added to the
Enterprise Server and about the addition of the Indexer for all added servers.
Information about the scheduled beat task can also be found here.
Example of log entries:
<20080208 08:22:31 utc> P647M649V0.0.161L158A7S0:Beat initialisation
complete
<20080208 08:22:31 utc> P647M649V0.0.161L158A7S0:Add connection to
configuration file '../ini/beat.ini'.
<20080208 08:22:31 utc> P647M649V0.0.161L252A7S0:Testing inifile
../ini/beat.ini
<20080208 08:22:31 utc> P647M649V0.0.161L158A7S0:Host 'localhost'
already present in DB2Catalog. OK to use.
<20080208 08:22:31 utc> P647M649V0.0.161L110A7S0:Reading [beat]
section from ../ini/beat.ini
<20080208 08:22:32 utc> P647M649V0.0.161L158A7S0:Starting
CLMDB.DataSync_AddInstance('CIFDB',****,****)
<20080208 08:22:32 utc>
P647M649V0.0.161L158A7S0:DataSync_AddInstance finished successfully
<20080208 08:22:32 utc> P647M649V0.0.161L158A7S0:Executing
'InstallIndexerService.bat Vajont -user .\cifadmin -password *****'
<20080208 08:22:35 utc> P647M649V0.0.161L158A7S0:Indexer for Vajont
was installed successfully.
<20080208 08:22:35 utc> P647M649V0.0.161L158A7S0:Server Vajont added
to consolidation, CLM and indexing.
iView logs
\iview\log, \iview\server, and \iView\tomcat\logs are the default directories for
these logs. The following log files should be considered important when
administering the Tivoli Compliance Insight Manager environment:
\iView\tomcat\logs\iView.log
Here you can find the start and end time of an iView session, the logged-on
user, the role audit records, and so on.
Example of log entries:
<20080208 08:22:49 utc> P465M447V0.0.401L141A7S0:classpath =
C:\Program
Files\Java\j2re1.4.2_08\lib\tools.jar;C:\IBM2\TCIM\iView\tomcat\bin\
bootstrap.jar; (v48.0)
<20080208 08:22:49 utc> P465M447V0.0.401L144A7S0:running as:
cifadmin
<20080208 08:22:49 utc> P465M447V0.0.401L73A7S0:[html]path =
'/iview/'
<20080208 08:22:50 utc> P465M444V0.0.216L46A7S0:MinerManagerImpl
startup complete
<20080208 08:22:50 utc> P465M444V0.0.216L87A7S0:iView initialisation
complete
<20080208 08:22:50 utc> P465M447V0.0.401L112A7S0:SessionManagerImpl
startup
<20080208 08:22:50 utc> P465M447V0.0.401L113A7S0: SessionAgeLimit =
0 sec
<20080208 08:22:50 utc> P465M447V0.0.401L114A7S0: ConnectionLimit =
300 sec
...
<20080208 11:29:46 utc> P465M447V0.0.401L671A7S0:Creating a new
session d1da3cd3
<20080208 11:29:46 utc> P465M673V0.0.214L105A7S4: type: oracle
driver: oracle.jdbc.driver.OracleDriver not loaded
<20080208 11:29:46 utc> P465M673V0.0.214L105A7S4: type: sybase
driver: com.sybase.jdbc2.jdbc.SybDriver not loaded
<20080208 11:29:46 utc> P465M673V0.0.214L105A7S4: type: db2 driver:
com.ibm.db2.jcc.DB2Driver v3.4 loaded
<20080208 11:29:47 utc> P465M782V0.0.21L100A7S0: roles of 'CIFOWNER'
from 'EPRISEDB': [CEAEXRPT, CEAEDPOL, CEAIVIEW, CEAADSYS, CEAUSCRP,
CEAMNCON, CEAADCRP, CEAUSRMN, CEAINVST, CEAADAUD, CEADLPOL,
CEADLLOG, CEAADINC]
<20080208 11:29:47 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: AUDIT:
Use:Role/Success CEAIVIEW
<20080208 11:29:47 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: AUDIT:
Logon "CIFOWNER" from Unavailable to EPRORADB succeeded.
<20080208 11:29:47 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: new
connection
<20080208 11:29:48 utc> P465M440V0.0.294L39A7S0:@d1da3cd3: AUDIT:
Generating report "Dashboard" for database CIFDB/AGGRDB succeeded.
<20080208 11:29:55 utc> P465M440V0.0.294L39A7S0:@d1da3cd3: AUDIT:
Generating report "Summary" for database CIFDB/GEM succeeded.
<20080208 12:00:35 utc> P465M447V0.0.401L237A7S0:@d1da3cd3: AUDIT:
Logoff.
<20080208 12:00:35 utc> P465M447V0.0.401L238A7S0:@d1da3cd3 removing
session
<20080208 12:00:35 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: closing
connection of d1da3cd3
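As an added example (not code from the book or from the product), here is a Python parser for the entry prefix shared by the authdaemon.log and iView.log excerpts above: the <yyyymmdd hh:mm:ss utc> timestamp followed by the letter-coded P/M/V/L/A/S/E block, with line-wrapped entries re-joined as they are printed in the excerpts. It then lists the BlueBook calls that failed with a return code and rebuilds the iView AUDIT trail per session, including the Logon-to-Logoff duration; the sample lines are assembled from the excerpts on this page, and treating the letter-coded fields as opaque integers is an assumption, since the book does not document their meaning.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Entry prefix used throughout the excerpts: "<20080208 08:30:01 utc> P259M1V0.0.314L335A5S0E10:Crm: ...".
# " utc" and the letter-coded block are optional (install/plugger logs have neither); E is not always present.
TS_RE = re.compile(r"^<(\d{8} \d{2}:\d{2}:\d{2})(?: (utc))?>\s*(.*)$", re.S)
CODE_RE = re.compile(r"P(?P<p>\d+)M(?P<m>\d+)V(?P<v>\d+\.\d+\.\d+)L(?P<l>\d+)"
                     r"A(?P<a>\d+)S(?P<s>\d+)(?:E(?P<e>\d+))?:\s*(?P<text>.*)$", re.S)
AUDIT_RE = re.compile(r"^@(?P<sid>[0-9a-f]+):\s*AUDIT:\s*(?P<msg>.*)$", re.S)  # iView.log
RC_RE = re.compile(r"failed, return code: (\d+)")  # authdaemon.log BlueBook failures

@dataclass
class Entry:
    time: datetime
    utc: bool
    code: dict   # p/m/l/a/s/e as ints (meaning assumed opaque), v as string; None if absent
    text: str    # message after the code (or after the timestamp when there is no code)

def unwrap(text):
    """One record per entry: a record starts with '<'; wrapped continuation
    lines are re-joined with a space; elision lines ('...') are skipped."""
    record = None
    for line in text.splitlines():
        s = line.strip()
        if not s or set(s) == {"."}:
            continue
        if s.startswith("<"):
            if record is not None:
                yield record
            record = s
        elif record is not None:
            record += " " + s
    if record is not None:
        yield record

def parse_log(text):
    entries = []
    for record in unwrap(text):
        m = TS_RE.match(record)
        if not m:
            continue
        ts, utc, rest = m.groups()
        when = datetime.strptime(ts, "%Y%m%d %H:%M:%S")
        if utc:
            when = when.replace(tzinfo=timezone.utc)
        code, body = None, rest
        c = CODE_RE.search(rest)
        if c:
            fields = c.groupdict()
            body = fields.pop("text")
            code = {k: (int(v) if v is not None and k != "v" else v) for k, v in fields.items()}
        entries.append(Entry(when, bool(utc), code, body.strip()))
    return entries

def failed_calls(entries):
    """(time, return code, text) for every entry that reports a failed call."""
    return [(e.time, int(m.group(1)), e.text)
            for e in entries for m in [RC_RE.search(e.text)] if m]

def audit_trail(entries):
    """AUDIT records grouped by iView session id: {sid: [(time, message), ...]}."""
    trail = {}
    for e in entries:
        m = AUDIT_RE.match(e.text)
        if m:
            trail.setdefault(m.group("sid"), []).append((e.time, m.group("msg")))
    return trail

def session_durations(trail):
    """Seconds from Logon to Logoff per session; None when no Logoff was logged
    (session still open, or the log was cut)."""
    out = {}
    for sid, events in trail.items():
        logon = next((t for t, msg in events if msg.startswith("Logon ")), None)
        logoff = next((t for t, msg in events if msg.startswith("Logoff")), None)
        out[sid] = (logoff - logon).total_seconds() if logon and logoff else None
    return out

# Sample input assembled from the excerpts on this page, wrapped as printed.
SAMPLE = """\
<20080208 09:49:50 utc> P259M143V0.3.569L1010A3S0E20:BlueBook:
bluebook call 3800 for user 8.111990001.1 from
Main_Srv(12.1.1):userinterface failed, return code: 1705; arguments:
'((time) 0.000000(uint) 0)'
<20080208 11:29:47 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: AUDIT:
Logon "CIFOWNER" from Unavailable to EPRORADB succeeded.
...
<20080208 11:29:48 utc> P465M440V0.0.294L39A7S0:@d1da3cd3: AUDIT:
Generating report "Dashboard" for database CIFDB/AGGRDB succeeded.
<20080208 12:00:35 utc> P465M447V0.0.401L237A7S0:@d1da3cd3: AUDIT:
Logoff.
<20080208 09:00:36> The following Platform Plugs have SUCCESSfully
been applied:
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE)
    print(failed_calls(parsed), session_durations(audit_trail(parsed)))
```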
iView\tomcat\logs\LogManager.log
This log file contains information about:
– Filtering and sorting of data
– Chunks that are downloaded
Example of log entries:
<20080208 13:34:36 utc> INFO
nl.consul.ilm.glue.reportmodel.ojb.FilteredSortedSourceInstance -
P1510M1804V0.0.17L383A7S0: *** Step 2 : orig chunks analysis took
3953 msec for serverVajont
<20080208 13:34:36 utc> INFO
nl.consul.ilm.glue.reportmodel.ojb.FilteredSortedSourceInstance -
P1510M1804V0.0.17L399A7S0: In Vajont number of original chunks:121
<20080208 13:34:36 utc> INFO
nl.consul.ilm.glue.reportmodel.ojb.FilteredSortedSourceInstance -
P1510M1804V0.0.17L472A7S0: *** Step 3 : sorting took 16 msec
<20080208 13:34:36 utc> INFO
nl.consul.ilm.glue.reportmodel.ojb.FilteredSortedSourceInstance -
<20080208 13:30:47 utc> INFO - P1506M1643V0.0.3L52A7S0:
<9.142.236.125><regenerate continuity report -
finished><cifowner><ok>
\iView\tomcat\logs\PolicyGenerator.log
This file contains the following information:
– User logged in to the Policy generation
– Start time of policy creation
– Name of the newly created policy
– Number of processed events
– End time of Policy generation
Example of log entries:
<20080208 13:16:08 utc> INFO - P1407M1414V0.0.45L147A7S0: User
CIFOWNER logged on.
...
<20080208 13:16:26 utc> INFO - P1407M1443V0.0.12L110A7S0: Policy
generation started
<20080208 13:16:26 utc> INFO - P1407M1418V0.0.17L342A7S0:
ClusterEngine started in memory monitoring mode
<20080208 13:16:27 utc> INFO - P1407M1418V0.0.17L430A7S0: Events
processed: 46
<20080208 13:16:27 utc> DEBUG - P1407M1418V0.0.17L444A7S0:
nl.consul.cea.gensub.generating.model.GemDimension$Platform@19ea9a.F
ileClusterer: events accepted: 0
<20080208 13:16:27 utc> DEBUG - P1407M1418V0.0.17L444A7S0:
...
<20080208 13:16:32 utc> INFO - P1407M1414V0.0.45L110A7S0: Progress:
100
<20080208 13:16:32 utc> INFO - P1407M1414V0.0.45L120A7S0: Policy
Default-policy-name 1 created on Tivoli Compliance Insight Manager
server.
iview\log\Install.log
This log file contains information about the installation of iView.
Example of log entries:
<20080208 09:18:34> Starting installation at :2-8-2008, 09:18:34
Local Time
<20080208 11:20:05> Result of Installation/Upgrade
<20080208 11:20:05>
------------------------------------------------------------
<20080208 11:20:05> - Tivoli Compliance Insight Manager Server OK!
<20080208 11:20:05> - Tivoli Compliance Insight Manager Web
ApplicationsOK!
<20080208 11:20:05> - Tivoli Compliance Insight Manager Management
ConsoleOK!
<20080208 11:20:05> - Tivoli Compliance Insight Manager
Consolidation Error!
<20080208 11:20:05>
------------------------------------------------------------
....
<20080208 11:20:06> This is an Enterprise Server ...
<20080208 11:20:10>
<20080208 11:20:10> Installation IBM Tivoli Compliance Insight
Manager finished successfully.
<20080208 11:20:10> Closing log-file at :2-8-2008, 11:20:10 Local
Time
iview\server\Iview_excerpt.log
Here you will find information about reports sent out by e-mail.
There is no example at this point of time for this log. Please open the
corresponding file on the system and make yourself familiar with its entries.
register.ini
There are several register.ini files, which we will explain here.
To pass the certification test, it is very beneficial to open each of the log files
and register.ini files and take a closer look at their contents.
Component Log file On server On Actuator
where component stands for the name of the component from the above table.
To turn off more verbose logging for a component, add the following line to the
tracing file:
component = no
If you replace yes or no with dynamical, or remove the line completely, the
logging by that component reverts to its default state. (This means that
dynamic tracing is turned off by default, but the software itself may decide to
turn it on for some time.)
Each of these components checks the tracing file once a minute to see if it is
supposed to change the verbosity of its logging, so any relevant change you
make to the tracing file should result in a change in the logging behavior within
one minute.
For some of these components, verbose logging produces a very large amount of
output, so we do not recommend leaving verbose logging enabled all the time.
Note: Lack of practical experience will make it very difficult for you to pass the
certification test. Pure theoretical study can never substitute experience.
5.5 Conclusion
In this chapter, we discussed problem determination by using the most important
Tivoli Compliance Insight Manager log files. We also pointed you to additional
study resources to find information regarding the Management Console, which is
one of the most important tools for managing, tuning, and troubleshooting the
Tivoli Compliance Insight Manager.
Chapter 6. Administration
As a security compliance policy monitoring tool, Tivoli Compliance Insight
Manager must be optimized for your environment and be well maintained. A
Tivoli Compliance Insight Manager systems administrator should ensure that the
system runs smoothly and that any routine user or systems management tasks
are performed. A Tivoli Compliance Insight Manager systems administrator
should also be able to configure the system, including adding and removing
event sources and configuring policies. In this chapter, we discuss the
administration of the Tivoli Compliance Insight Manager, including the report
generation.
After having read and understood this chapter and the additional sources that we
will provide in this chapter, you should be able to answer all of the exam
questions related to the administration process. Please note that practical
experience is essential in passing the certification exam.
You can use the Management Console to perform numerous tasks related to the
configuration and management of the Tivoli Compliance Insight Manager servers:
Activate the Agents and have them collect audit trails from different platforms.
Define the security policy and attention rules.
Define users and their access rights.
Start the preparations of the reports.
All the actions on the Management Console are performed by the Tivoli
Compliance Insight Manager server. You can think of the Management Console
as being the user interface for the Tivoli Compliance Insight Manager server.
After the reports have been prepared by the server, a Tivoli Compliance Insight
Manager user may generate the specific reports using the iView component.
– Test policies versus commit policies, when needed.
– Create custom reports in iView.
In 4.5, “Configuration of the audit policy (W7 groups and rules)” on page 119,
we show how to configure a new policy with W7 rules and the customization
of group definitions. For more information about this area, refer to IBM Tivoli
Compliance Insight Manager Installation Guide Version 8.5, GC23-6580.
The toolset available for report generation is explained in 6.2, “Reporting” on
page 183, where the main functionality of the iView reporting application is
highlighted.
6.2 Reporting
Once Tivoli Compliance Insight Manager has collected, normalized, and securely
stored the audit data, it can run sophisticated analyses on the data and generate
numerous reports showing policy compliance status.
Standard reports
Tivoli Compliance Insight Manager comes with numerous standard compliance
reports. The standard reports list events using the W7 normalized field names, so
they identify events in everyday language that can be easily understood by
non-specialists in a business context. From a standard report, you can drill down
on specific events to see the event detail report, which shows all fields from the
selected event. You can modify the standard reports in order to customize them
to your environment.
Custom reports
In addition to modifying the standard reports, you can create your own custom
reports using the Custom Reports wizard in iView. The main functionality of iView
will be explained in 6.2.1, “iView reporting application” on page 186.
Graphic reports
The Compliance Dashboard is the first window in iView and it displays two
graphic reports. Graphic reports provide visual analyses of security policy
compliance activity. The Compliance Dashboard contains the Enterprise
Overview graph, the Database Overview, and the Trend graphic.
Trend reports
The Trend graphic is a line graph that shows changes in the percentage of policy
exceptions over a given period of time. You can quickly see whether policy
exceptions are increasing or decreasing over time.
The History Report shows the number of log collection events that occurred
during a given period of time. A log collection event is each instance when Tivoli
Compliance Insight Manager attempted to collect audit data. This report tracks
the status of log collection events; in the case of a failed log collection, the report
provides diagnostic information that you can use to resolve the issue.
The Log Continuity Report analyzes log sets, the collected logs stored in the log
depot, and reports on how complete the log sets are. If a log set is incomplete,
then the report provides diagnostic information that you can use to resolve the
issue.
The compliance modules contain reports that are mapped to specific line
references within the respective regulations and are associated with security
protocols that auditors may wish to review.
All reports are accessed through the reporting portal. The reporting portal is a
single point of entry for the following reporting applications:
iView reporting application
Log Manager
Policy Generator
Scoping
Tivoli Compliance Insight Manager Management Modules
After clicking iView, the application will switch to the main page of iView. The
iView Navigation Bar is displayed at the top of the page, as shown in Figure 6-3.
We explain briefly the eight options you can choose from this menu:
Dashboard
This shows the compliance dashboard. The dashboard window is divided into
three sections:
– The enterprise view, which shows events, by top event count, by “Who”
and “On What”
– A trend graphic, showing a percentage of policy exceptions
– A database overview with a list of all available databases along with brief
information about a selected database
Trends
This shows all events of aggregated data of all databases for a specific period
of time.
Reports
This shows the initial iView reporting page.
Regulations
Here management modules can be accessed and monitored.
Policy
Here you can set up and check Tivoli Compliance Insight Manager audit
policies.
Groups
This gives access to the group types page of iView. This also includes group
types for the selected database, the number of groups they presently contain,
and the “Grouping Wizard”.
Distribution
IBM Tivoli Compliance Insight Manager provides functionality for the
automated distribution of iView reports to a predefined group of Tivoli
Compliance Insight Manager users, which can be configured with help of this
option.
Settings
This shows the user preferences, which can be configured here.
6.2.4 Scoping
Scoping enables you to control access to event detail. You can specify which
contents of the database each user can view according to their different needs.
There are three classes from the W7 model that you can use to hide information
from users:
Who
Where
OnWhat
You must define which groups from all three classes a user can see. If you omit a
class for a user, scoping assumes that this user is not allowed to see any of the
groups in the omitted class.
6.3 Conclusion
In this chapter, we gave a high-level functional overview for the administration of
a Tivoli Compliance Insight Manager environment, including the report
generation. We explained the primary administration responsibilities and showed
the security compliance reports that Tivoli Compliance Insight Manager offers.
4. Which procedure in the Policy Editor should be followed when modifying
attention rules in the committed policy?
a. Open the committed policy, select the Attentions tab, right-click and
select Edit for the Attention rule to be changed, make the changes, save
the policy, test the attention rule, and commit the new policy.
b. Open the committed policy, select the Attentions tab, copy the Attention
rule to be modified to the work folder, make the changes, save the policy,
test the attention rule, and commit the new policy.
c. Duplicate the committed policy, open the draft policy, select the Attentions
tab, copy the Attention rule to be modified to the work folder, make the
changes, save the policy, test the attention rule, and commit the new
policy.
d. Duplicate the committed policy, open the draft policy, select the Attentions
tab, right-click and select Edit for the Attention rule to be changed, make
the changes, save the policy, test the attention rule, and commit the new
policy.
5. What is the default port number for communication between a standard
server and a Point of Presence?
a. 22.
b. 139.
c. 5992.
d. 50001.
6. Which statement is true about Actuators?
a. The information is sent to the IBM Tivoli Compliance Insight Manager
server over port 4321 by default.
b. The local copy of the collected audit trail is compressed, turned into a
chunk, and encrypted by the agent.
c. Actuators create a local copy of the collected audit trail in the /bin
subdirectory of the Actuator's installation directory.
d. The local copy of the collected audit trail is compressed, turned into a
chunk, encrypted, and digitally signed by the agent.
7. What is a valid collection strategy for a z/OS® event source?
a. Live, Wait, Poll.
b. Store raw data, Error, Delete.
c. Store past data, Wait, Data set.
d. Collect error, Store raw data, Delete.
Answer key
1. a
2. d
3. a
4. d
5. c
6. b
7. a
8. c
9. a and e
10. b
Access Management A discipline that focuses on Alerts Messages that Tivoli Compliance Insight
ensuring that only approved roles are able to create, Manager sends when a serious or potentially
read, update, or delete data, and only using harmful security event has occurred. Alerts allow for
appropriate and controlled methods. Data a fast response to the event by a systems manager
governance programs often focus on supporting or system administrator.
access management by aligning the requirements
and constraints posed by governance, risk Assurance Activities designed to reach a measure
management, compliance, security, and privacy of confidence. Assurance is different from audit,
efforts. which is more concerned with compliance to formal
standards or requirements.
Actuator A piece of software that automates the
collection of logs from event sources and transmits Audit An independent examination of an effort to
the logs to the Depot. Each Actuator consists of an determine its compliance with a set of requirements.
Agent and numerous Actuator Scripts. The server An audit might be carried out by internal or external
where the Actuator is installed is referred to as the groups.
Point of Presence.
Audit Report A report which shows infrastructure
Actuator Scripts The Actuator Scripts are invoked changes that are made to hardware and software
by the Agent (at the request of the Tivoli Compliance and who is responsible for the changes.
Insight Manager Server) to collect the log for a
particular event source. There is a different script for Audit Trail A record that can be interpreted by
every supported event type. auditors to establish that an activity has taken place.
Often, a chronological record of system activities to
Agent The Agent is a component of the Actuator. It enable the reconstruction and examination of the
listens for collect requests from the Tivoli sequence of events or changes in an event. An audit
Compliance Insight Manager Server, invokes the trail of system resource usage might include user
appropriate Actuator Script, compresses the login, file access, and triggers that indicate whether
retrieved logs, and maintains an encrypted channel any actual or attempted security violations occurred.
for communication with the Tivoli Compliance Insight
Manager Server in order to securely deliver the Audited System A system on which events occur
requested logs. and are recorded in logs that provide the audit data
for Tivoli Compliance Insight Manager.
196 Certification Study Guide: IBM Tivoli Compliance Insight Manager V8.5
COBIT See Control Objectives for Information and Compliance Either a state of being in accordance
related Technology. with established guidelines, specifications, or
legislation or the process of becoming so. Software,
Collect History Report Tivoli Compliance Insight for example, can be developed in compliance with
Manager report that documents log collection specifications created by some standards body,
events. such as the Institute of Electrical and Electronics
Engineers (IEEE), and might be distributed in
Collector A software module that runs on a client compliance with the vendor's licensing agreement.
system and gathers data. This data is subsequently In the legal system, compliance usually refers to
sent to a server. behavior in accordance with legislation, such as the
United States' Can Spam Act of 2003, the
Committee of Sponsoring Organizations of the Sarbanes-Oxley Act (SOX) of 2002, or the United
Treadway Commission (COSO) A U.S. States Health Insurance Portability and
private-sector initiative, formed in 1985. Its major Accountability Act of 1996 (HIPAA).
objective is to identify the factors that cause
fraudulent financial reporting and to make Compliance Check A set of rules used to
recommendations to reduce its incidence. COSO determine whether a computer or group of
has established a common definition of internal computers is compliant or not. There are two types
controls, standards, and criteria against which of compliance checks: software and security.
companies and organizations can assess their
control systems. Compliance Dashboard Available in iView. It
displays an easy-to-understand, color-coded matrix
Common Criteria The Common Criteria is the that highlights degrees and level of compliance
result of the integration of information technology based on user behavior and data access.
and computer security criteria. In 1983, the US
issued the Trusted Computer Security Evaluation Compliance Management Module The Tivoli
Criteria (TCSEC), which became a standard in Compliance Insight Manager regulation-specific
1985. Criteria developments in Canada and reporting interface.
European ITSEC countries followed the original US
TCSEC work. The US Federal Criteria development Compliance Report A report that provides
was an early attempt to combine these other criteria information about the patch compliance status of all
with the TCSEC, and eventually led to the current selected target computers.
pooling of resources towards production of the
Common Criteria. The Common Criteria is Compliant State The state that a user wants an
composed of three parts: the Introduction and object to have.
General Model (Part 1), the Security Functional
Requirements (Part 2), and the Security Assurance
Requirements (Part 3). While Part 3 specifies the
actions that must be performed to gained
assurance, it does not specify how those actions are
to be conducted; to address this issue, the Common
Evaluation Methodology (CEM) was created for the
lower levels of assurance.
Glossary 197
Computer Emergency Response Team (CERT)
The CERT/CC is a major reporting center for Internet security problems. Staff members provide technical advice and coordinate responses to security compromises, identify trends in intruder activity, work with other security experts to identify solutions to security problems, and disseminate information to the broad community. The CERT/CC also analyzes product vulnerabilities, publishes technical documents, and presents training courses. The CERT/CC is located at the Software Engineering Institute (SEI), a federally funded research and development center (FFRDC) operated by Carnegie Mellon University (CMU).

Configuration Compliance
The comparison of a known state to a compliant state, which can include automated actions. After discovery or scanning is performed, devices are said to be either compliant or noncompliant.

Consolidation Database
An Enterprise Server database that delivers enterprise-wide trend and summary reports.

Control
A means of managing a risk or ensuring that an objective is achieved. Controls can be preventative, detective, or corrective, and can be fully automated, procedural, or technology-assisted human-initiated activities. They can include actions, devices, procedures, techniques, or other measures.

Control Objectives for Information and related Technology (COBIT)
A set of best practices (framework) for information technology (IT) management created by the Information Systems, Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes, and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

CSV
See Certified Server Validation.

Data Aggregation
The ability to get a more complete picture of information by analyzing several different types of records at the same time.

Data Governance
The exercise of decision-making and authority for data-related matters. The organizational bodies, rules, decision rights, and accountabilities of people and information systems as they perform information-related processes. Data governance determines how an organization makes decisions.

Data Mapping
The discipline, process, and organizational group that conducts analysis of data objects used in a business or other context, identifies the relationships among these data objects, and creates models that depict those relationships.

Data Privacy
The assurance that a person's or organization's personal and private information is not inappropriately disclosed. Ensuring data privacy requires access management, security, and other data protection efforts.

Delta Table
A database table used for saving changed data from subsequent runs of a collector.

Deployment
The process of reconfiguring and reallocating resources in the managed environment. Deployment occurs in response to deployment requests, created manually by administrators or automatically by the system.

Depot
The Tivoli Compliance Insight Manager secure storage facility for storing and archiving logs.

Depot Server
The component that stores files for distribution. Files are uploaded to a Depot server using a client and stored in a directory that is specified when the Depot server is installed. Depot servers can replicate files to other Depot servers and download files to clients.
198 Certification Study Guide: IBM Tivoli Compliance Insight Manager V8.5
Enterprise Server
A server that provides centralized log management, performs forensic searches of the GEM log archives, and creates reports.

Event
An observable occurrence in a system or network.

Event Source
Each operating system or application from which Tivoli Compliance Insight Manager collects log files (also called audit trails).

Gramm-Leach-Bliley Act
An Act of the United States Congress that repealed the Glass-Steagall Act, opening up competition among banks, security companies, and insurance companies. The Glass-Steagall Act prohibited a bank from offering investment, commercial banking, and insurance services.

GRC
See Governance, Risk, and Compliance.

GSL
See Generic Scanning Language.
Information Systems Audit and Control Association (ISACA)
An international association for the support and improvement of professionals whose jobs involve the auditing of corporate and system controls.

Information Technology Governance
A subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives (for example, Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the performance of an organization.

International Compliance
The International Standards Organization (ISO) produces international standards such as ISO 27002.

Internet Engineering Task Force (IETF)
Develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standard bodies, dealing in particular with standards of the TCP/IP and Internet protocol suite.

ISACA
See Information Systems Audit and Control Association.

ISO
Name generally applied to quality system standards published by the International Organization for Standardization. ISO certification is provided, on a fee basis, by third-party assessors or registrars through an on-site, in-depth audit to determine that a company's quality system meets the requirements of the standard.

ISO 27002
See ISO/IEC 17799.

ISO/IEC 17799
An information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it in line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

IT Governance Institute (ITGI)
Exists to assist enterprise leaders in their responsibility to ensure that IT goals align with those of the business, and that IT delivers value, its performance is measured, its resources are properly allocated, and its risks are mitigated. Through original research, symposia, and electronic resources, the ITGI helps ensure that boards and executive management have the tools and information they need for IT to deliver against expectations.

iView
Tivoli Compliance Insight Manager Web user interface for compliance reporting.

JAAS
See Java Authentication and Authorization Service.

Java Authentication and Authorization Service (JAAS)
A set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.

Log Chunk
The set of events placed in the Depot by the collect mechanism.
Log Continuity Report
Tivoli Compliance Insight Manager report that documents log continuity status.

Log Manager
Tivoli Compliance Insight Manager centralized log collection, management, and reporting interface. The Log Manager is only available on the Enterprise Server.

Logs and Audit Trails
The system records that document all activity that occurred on the audited machine.

Management Console
Enables you to load data into the databases, add new audited machines and event sources, configure collection and reporting schedules, and add and configure users.

Metadata
Information about a particular data set that might describe, for example, how, when, and by whom it was received, created, accessed, or modified and how it is formatted. Some metadata, such as file dates and sizes, can easily be seen by users; other metadata can be hidden or embedded and unavailable to computer users who are not technically adept. Metadata is generally not reproduced in full form when a document is printed.

National Institute of Standards and Technology (NIST)
A unit of the US Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.

NIST
See National Institute of Standards and Technology.

Payment Card Industry Data Security Standard (PCI DSS)
Developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking, and various other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or it risks losing the ability to process credit card payments.

PCI DSS
See Payment Card Industry Data Security Standard.

Point of Presence
The server where the Actuator is installed is referred to as a Point of Presence (POP).

Policy
A set of one or more compliance queries used to demonstrate the level of adherence to specific security requirements.

Policy Bundle
A file containing the information associated with a policy, such as the compliance queries, the collectors, and the associated schedules. A policy bundle permits the policy to be saved and subsequently applied to other servers.

Policy Exceptions
Actions or network activity that violates company policy.

Policy Generator
Tivoli Compliance Insight Manager tool that can be used to create policies using existing logs to set a baseline for acceptable network activity.

Policy Rules
A Tivoli Compliance Insight Manager tool that helps a user to generate automatically a set of policy rules or extend an existing policy rule set.
Proxy Server
A server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.

Pull Client
A client that permits communication with the server to be initiated by only the server.

Push Client
A client that permits communication with the server to be initiated by either the client or the server.

PuTTY
A free software SSH, Telnet, rlogin, and raw TCP client. It was originally available only for Windows, but is now also available on various UNIX platforms.

Regulatory Compliance
Refers to systems or departments at corporations and public agencies. Ensures that personnel are aware of and take steps to comply with relevant laws and regulations.

Remote Collect
Agentless log collection facilitated by SSH or by NetBIOS for Windows.

Risk
The product of the level of threat with the level of vulnerability. It establishes the likelihood of a successful attack.

Risk Management
In a broad sense, to assess, minimize, and prevent negative consequences posed by a potential threat. The term risk management has significantly different meanings that can affect Data Governance programs. At an enterprise level, risk refers to many types of risk (operational, financial, compliance, and so on); managing risk is a key responsibility of Corporate Boards and Executive Teams. Within financial institutions (or in the context of a GRC program), risk management might be a boundary-spanning department that focuses on risk to investments, loans, or mortgages. At a project level, risk management is an effort that should be undertaken as part of project management, focusing on risks to the successful completion of the project. From a compliance/auditing/controls perspective, risk assessments and risk management are high-effort activities included in the COSO and COBIT frameworks and required by Sarbanes-Oxley and other compliance efforts. Data governance programs might be asked to support any of these risk management efforts, and might need input from these efforts to resolve data-related issues.

Role Based Access Control
Assigns users to roles based on their organizational functions and determines authorization based on those roles.
Sarbanes-Oxley Act (SOX)
Legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for not less than five years. The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.

Scoping
Enables you to define limited access for certain users or for certain groups of users.

Secure Shell (SSH)
A network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.

Security Audit
A systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices. Security audits are often used to determine regulatory compliance, in the wake of legislation (such as HIPAA, the Sarbanes-Oxley Act, and the California Security Breach Information Act) that specifies how organizations must deal with information.

Security Controls
Individual security requirements that are categorized into security-related areas. Different organizations must demonstrate the implementation of the security controls through a formal audit process to achieve the respective certification required.

Sensitive Data
Data that is private, personal, or proprietary and must be protected from unauthorized access.

Sensitive Information
As defined by the federal government, any unclassified information that, if compromised, could adversely affect the national interest or conduct of federal initiatives.

Server
A system where audit data is collected and investigated using Tivoli Compliance Insight Manager.

Shell
A UNIX term for the interactive user interface with an operating system. The shell is the layer of programming that understands and executes the commands a user enters. In some systems, the shell is called a command interpreter.
Simple Network Management Protocol (SNMP)
Defined by the Internet Engineering Task Force (IETF). SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention.

SMTP
See Simple Mail Transfer Protocol.

Snapshot™
The result of running all of the compliance queries in a policy against a set of clients. A snapshot shows the number of violations and indicates what clients are not adhering to the security requirements being tested by the compliance queries.

SNMP
See Simple Network Management Protocol.

Tivoli Compliance Insight Manager Cluster
The combination of an Enterprise Server, one of the Standard Servers, and a collector in a network deployment.

Tivoli Compliance Insight Manager Server
A generic term referring to the Tivoli Compliance Insight Manager engine that collects and normalizes log data using the W7 methodology. There are two types of Tivoli Compliance Insight Manager servers: Enterprise and Standard.

Tivoli Compliance Insight Manager Suite
Refers to the entire Tivoli Compliance Insight Manager application. This includes the Tivoli Compliance Insight Manager server, Point of Presence, Analysis Engine, Web Portal, iView, Log Manager, and the Compliance Modules.
W7 Methodology
The Tivoli Compliance Insight Manager patent-pending normalization methodology, which translates log files into an English-based language of who, what, on what, when, where, where from, and where to.
Related publications
The publications listed in this section are considered particularly suitable for a
more detailed discussion of the topics covered in this book.
IBM Redbooks
For information about ordering these publications, see “How to get Redbooks” on
page 208. Note that some of the documents referenced here may be available in
softcopy only.
Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager, SG24-7530
Deployment Guide Series: IBM Tivoli Compliance Insight Manager, SG24-7531
Other publications
These publications are also relevant as further information sources:
IBM Tivoli Compliance Insight Manager Basel II Management Module Installation Guide, GC23-6583
IBM Tivoli Compliance Insight Manager FISMA Management Module Installation Guide, GI11-8708
IBM Tivoli Compliance Insight Manager GLBA Management Module Installation Guide, GC23-6584
IBM Tivoli Compliance Insight Manager HIPAA Management Module Installation Guide, GC23-6585
IBM Tivoli Compliance Insight Manager Installation Guide, GC23-6580
IBM Tivoli Compliance Insight Manager ISO 27001 Management Module Installation Guide, GC23-6588
IBM Tivoli Compliance Insight Manager PCI-DSS Management Module Installation Guide, GC23-6589
IBM Tivoli Compliance Insight Manager Sarbanes-Oxley Management Module Installation Guide, GC23-6587
Online resources
These Web sites are also relevant as further information sources:
Demonstration of Compliance Insight Manager Version on the IBM Democenter Web site:
http://demos.dfw.ibm.com/on_demand/Demo/IBM_Demo_Tivoli_Compliance_Insight_Manager-May07.html
Official IBM Tivoli product documentation for Compliance Insight Manager Version 8.5:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itcim.doc/welcome.htm
Official IBM Tivoli product Web site for Compliance Insight Manager:
http://www.ibm.com/software/tivoli/products/compliance-insight-mgr/
Tivoli security compliance forum on IBM developerWorks:
http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1256
Index
checklist 5
A program 2
access rights 46
target audience 7
Active Directory
certification role names
audit settings 93
IBM Certified Advanced Technical Expert 2
diagnostic logging 94
IBM Certified Developer 2
server 96
IBM Certified Developer Associate 2
Actuator 45, 55
IBM Certified Instructor 2
configuration 181
IBM Certified Solutions/Systems Expert 2
daemon 45
IBM Certified Specialist 2
installation 116
Certification Test 937
script 45
prerequisites 8
service 45
chunk 53
Add Machine Wizard 110, 116
continuity tables 160
administration 26
header files 160
administration account 87
log data 56
agent 45–46, 55
cluster configuration 43
installation 181
COBIT 72
aggregation
collect
database 49, 159
process 51, 53
process 49, 52
schedule 159
alert 70
collect command
configuration 139
audit trail collect 56
architecting 39
collect log 58
architecture 42
manual 56, 58
attention rule 46, 180
collection 53
audit policy
events 158
configuration 119
command
Windows servers 92
su (UNIX super user) 102
audited system 54
commit policy 150
communication ports 80
B compliance 40
beat database 159 dashboard 73, 184
beat.bat 89, 159 monitoring 47
compliance management 40
modules 74
C requirements 40
CeaExport.exe 182
component architecture 50
centralized
configuration 17, 50
forensics 44
database 50
log management 44
consolidation
user management 80–81
database 50, 159
certification
job 159
benefits 3
logs 160
H loading 63
header file 53, 160 log
collection event 158
continuity report 158
I depot 49
IBM Professional Certification Program 2
management 47
IBM Redbooks 36
manager 43, 185
indexing
repository 49
process 52
log files 152, 176
information security 40
actuatornnn.log 160
installation 13
auditctl.log 161
database engine 82
AuditTrail.log 169
Enterprise Server 78, 88
authdaemon.log 161
errors 152
BBBin.log 162
Management Console 78
consolidation.log 169
option 78
IndexerDaemon.Vajont.log 163
options 47
install.log 164, 168
Point of Presence 78
mainmapper-.log 165
Security Server 81
plugger.log 167
software components 83
restart.log 168
Standard Server 78, 82
UNIX 102
success verification 86, 88
Log Manager 188
ISO17799 72
iView 52, 181
custom reports 183 M
custom reports wizard 184 machine group
logs 160, 170 create 104
reporting 47, 72 mainmapper log files 159, 181
reporting application 43, 185–186 Management Console 43, 45–46, 110, 180
Web portal 48 alert configuration 139
iView functions installation 78
dashboard 187 management tasks 177
groups 187 policy editor 72
policy 187 register machine to ... 104
regulations 187 troubleshooting 159
reports 187 User Management panel 182
trends 187 manually loading a database 143
mapping 61
process 51
J message 70
job schedules
Microsoft Management Console 92
chunk continuity report generator (CCRG) 160
monitor compliance 47
consolidation 159
indexer 159
log continuity report generator 159 N
network
traffic requirements 80
L
LDAP server 80
load schedule 159
O GLBA 185
operation errors 156 HIPAA 185
organizational level ISO 27001 185
security control 40 PCI 185
Sarbanes-Oxley 185
custom 183
P database system events 184
performance
direct database access 184
tuning 24
distribution 74, 159
performance tuning 176
event detail 183
planning 9, 39
event lists 184
Point of Presence 55, 58, 60
graphic 183–184
installation 78
log continuity 185
policy
log management 183–184
commit 150
privileged operations 184
configuration 127
standard 183
generation tool 71
stored procedures exceptions 184
generator 43, 71, 185, 188
threshold 184
management 67
trend 183–184
rules 68, 70, 188
user account management 184
port
user summary 184
configuration 80
repository 49
portal logs 160
required hard disk space 48
prerequisites
requirements
for Certification Test 937 8
network traffic 80
problem determination 24, 152
software 78
installation 152
operation errors 156
using log files 158 S
process 51 Sarbanes-Oxley Act 72
collect 53 scoping 188
process level security
security controls 40 event alerting 70
product events 95
architecture 42 log 53
documentation 35 security compliance 40
system 41
security controls 40
R organizational level 40
Redbooks Web site 208
process level 40
register.ini 87, 175
technical level 41
registration
security policy 46, 180
Standard Server with Enterprise Server 88
framework 40
reporting 47, 73, 183
Security Server 80
database 49
installation 81
iView 48, 72
server logs 160
reports
service
compliance module 183
Computer Browser 106
Basel II 185
SMTP
compliance modules
alerting 70 audit settings 102
SNMP URLs
alerting 70 IBM Tivoli Compliance Insight Manager Web site
data collect 60 36
software requirements 78 user
space management 80–81, 182
... for database 48 roles 75
Standard Server 45 User Information Source
configuration 182 see UIS
installation 78, 82
success verification 86
Log Manager 188
W
W7
main functions 45
attention rules
Management Console 45
configuration 136
syslog
attributes 62, 65
data collect 60
categories 72
system group 104
classification scheme 62
elements 127
T format 64, 73
target machine groups 65, 127
adding 104 model 49, 60, 62–63, 188
task policy rules
restart 159 configuration 134
synchronization 158 rules 119
TCP/IP communication ports 80 Web Portal logs 169
technical level Windows
security control 41 audit settings 92
Test 937 target machine 104
objectives 9
test objectives
administration 26
configuration 17
installation 13
performance tuning and problem determination
24
planning 9
Tivoli Software Professional Certification 4
tracing 177
troubleshooting
installation 152
operation errors 156
using log files 158
U
UIS
configuration 119
import group definitions 128
UNIX
Certification Study Guide: IBM Tivoli Compliance Insight Manager V8.5
Back cover

Developed specifically for Tivoli Compliance Insight Manager

Explains the certification path and prerequisites

Includes sample test questions and answers

This IBM Redbooks publication is a study guide for IBM Tivoli Compliance Insight Manager Version 8.5 and is meant for those who want to achieve IBM Certifications for this specific product.

The IBM Tivoli Compliance Insight Manager Certification, offered through the Professional Certification Program from IBM, is designed to validate the skills required of technical professionals who work in the implementation of the IBM Tivoli Compliance Insight Manager Version 8.5 product.

This book provides a combination of theory and practical experience needed for a general understanding of the subject matter. It also provides sample questions that will help in the evaluation of personal progress and provide familiarity with the types of questions that will be encountered in the exam.

This publication does not replace practical experience, and it is not designed to be a stand-alone guide for any subject. Instead, it is an effective tool that, when combined with education activities and experience, can be a very useful preparation guide for the exam.

INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION

BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE

IBM Redbooks are developed by the IBM International Technical Support Organization. Experts from IBM, Customers and Partners from around the world create timely technical information based on realistic scenarios. Specific recommendations are provided to help you implement IT solutions more effectively in your environment.