IBM Software Group | Tivoli Brand Software


1 IBM Software Group | Tivoli Brand Software
IBM Tivoli Provisioning Manager 7.1
Compliance and Desired State Management
IBM Tivoli Monitoring for Transaction Performance v52 ESP Workshop
Workshop Guide

2 Configuration and Compliance aims
- In order to ensure a computer’s adherence to security and operational standards, organizations must first define a compliant configuration for the computer.
- Once set, it is necessary to maintain the computer in that compliant configuration by periodically verifying the configuration and remediating any noncompliant findings.
- For most organizations, manual verification and remediation is not possible.

3 General Solution
- Identify the computers that need to be compliant
- Draw up the list of configuration items that need to be true in order for the computers to be considered compliant
- Inspect the computers to see how they are actually configured
- Compare the actual configuration with the compliant configuration and determine if the computers are compliant
- Report the results
- Fix the problems

4 The TPM 7.1 Solution
- Create software and security compliance checks for the device or group
- Schedule and run an inventory scan
- Schedule and run a compliance check
- Send notification messages and run scheduled reports
- Review the issues and act upon the recommendations

5 Compliance check types
Software Module Stack Patch Group Software configuration check Security Patches

6 Software Compliance Checks
- Check individual software products
  - Software must be installed
  - Software must not be installed
  - Software installation is optional
- Check software groups
  - Minimum of one member of the group is required
  - All other members are considered optional

Moving on to software compliance checks, there are three kinds of software checks that can be applied to an individual software product, patch, or stack. It can be specified as required to be installed, optionally installed, or prohibited from being installed. For groups of software, there is a special installation check called “selection”. This compliance check is satisfied if at least one member of the group is installed. For example, you can define a software group called Antivirus and put all the supported antivirus products and versions into it. Adding a compliance check for this group will ensure that at least one of these supported products is installed.
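The check semantics described above (required, prohibited, optional, and the group "selection" check) can be written out as a small evaluator that compares an inventory scan against the defined checks. This is an added example, not TPM code; the `Check` class, function names, product names and inventory are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    kind: str        # "required" | "prohibited" | "optional" | "selection"
    label: str       # product name, or group name for a "selection" check
    members: tuple   # one product for individual checks; group members otherwise

def evaluate(check, inventory):
    """Return (status, recommendation). inventory is the set of installed
    products from the last scan, or None if no scan has run yet."""
    if inventory is None:
        return ("unknown", "run an inventory scan first")
    present = [m for m in check.members if m in inventory]
    if check.kind == "required":
        missing = [m for m in check.members if m not in inventory]
        if missing:
            return ("noncompliant", "install " + ", ".join(missing))
    elif check.kind == "prohibited":
        if present:
            return ("noncompliant", "uninstall " + ", ".join(present))
    elif check.kind == "selection":
        # Satisfied by any one member; the other members are optional.
        if not present:
            return ("noncompliant", "install one of: " + ", ".join(check.members))
    elif check.kind != "optional":
        raise ValueError("unknown check kind: " + check.kind)
    return ("compliant", None)

def report(checks, inventory):
    """Map each check label to its (status, recommendation)."""
    return {c.label: evaluate(c, inventory) for c in checks}

# Constructed sample data: product names are placeholders, not real packages.
CHECKS = [
    Check("required", "endpoint-agent", ("endpoint-agent",)),
    Check("prohibited", "p2p-client", ("p2p-client",)),
    Check("optional", "pdf-reader", ("pdf-reader",)),
    Check("selection", "Antivirus", ("av-vendor-a 9", "av-vendor-a 10", "av-vendor-b 4")),
]
SCANNED = {"endpoint-agent", "p2p-client", "av-vendor-b 4"}

if __name__ == "__main__":
    for label, (status, rec) in report(CHECKS, SCANNED).items():
        print(f"{label:15} {status:13} {rec or ''}")
```

Passing `None` as the inventory models a computer that has checks defined but has not yet been scanned, so every check stays at "unknown".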

7 Security Compliance Checks
These remain the same as in previous versions of TPM
- AIX Activity Auditing
- AIX Remote Root Login
- Endpoint Agent
- Linux System Logging
- Operating System Patches and Updates
- Restrict Other Software
- UNIX File Permissions
- UNIX Services
- User Defined Check
- Windows Antivirus
- Windows Event Logging
- Windows File Permissions
- Windows Firewall
- Windows Hard Disk Password
- Windows Power-On Password
- Windows Screen Saver
- Windows Services
- Windows Unauthorized Guest Access
- Windows User Password

Question: What important checks have we forgotten?
Question: What antivirus and firewall software are you using today?

Details behind this list of security checks:
- Misconfigured or Missing Antivirus
  - Maximum elapsed time between scans
  - Minimum elapsed time between scans
  - Maximum age for the virus definitions file
  - Automatic update schedule
  - Missing antivirus software is handled using the same approach as any other missing software product
- Improper file ACLs
  - Windows: Permissions of groups or users to read/write/delete/execute/extended attribute permissions/etc.
  - UNIX: Permissions for owners/groups/others to read/write/execute; also check if a path is a directory
- File signatures - date/time, checksum (from 11/8 meeting)
  - Detect when a file or group of files has changed
- Verify audit settings on Windows for logging the success and/or failure of the following:
  - User logon
  - System event
  - Object access
  - User access rights
  - Process tracking
  - Security policy change
  - Account management
  - Directory service access
  - Account logon
- Improper system logging settings
  - Windows: Application, security and system event logs retained for a minimum period of time
  - UNIX: Verify that facility and priority are logged in the correct log file
  - AIX: Verify the following logs exist
    - /var/log/wtmp
    - /var/log/messages
    - /var/log/faillog
- Verify password settings on Windows: (/)
  - Minimum password length
  - Maximum password age
  - Password history (re: reuse of passwords)
- Verify guest access restrictions: (/)
  - Is guest account active
  - Is guest account locked
  - Is guest account only in the guest group
- Keyboard/Screen not password protected (/)
  - Screen saver is active
  - Screen saver password is set
  - Screen saver time value minimum value
- Hard-disk password not set (/)
- Power-on password not set (/)
- Prohibited services running
- Missing services
- AIX: Remote root login forbidden (/)
- Misconfigured or missing firewall (+)
  - The firewall process is monitoring network traffic
  - The firewall process is running
  - The firewall process is configured to autostart
  - Missing firewall software is handled using the same approach as any other missing software product
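The UNIX file permission and file signature items above (owner/group/others read/write/execute, directory test, checksum change) can be expressed as one check function. This is an added example, not TPM code; `check_path`, its parameters, and the temporary file used in `demo` are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def check_path(path, max_mode, must_be_dir=False, sha256=None):
    """Return a list of findings for one path; an empty list means compliant.
    max_mode is the most permissive mode allowed (e.g. 0o640): every bit set
    on the path but absent from max_mode is reported."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    findings = []
    if stat.S_ISDIR(st.st_mode) != must_be_dir:
        findings.append("expected directory" if must_be_dir else "unexpected directory")
    extra = stat.S_IMODE(st.st_mode) & ~max_mode
    if extra & 0o7000:
        findings.append("extra setuid/setgid/sticky bit")
    for who, shift in (("owner", 6), ("group", 3), ("others", 0)):
        bits = (extra >> shift) & 0o7
        if bits:
            perms = "".join(c for c, b in (("r", 4), ("w", 2), ("x", 1)) if bits & b)
            findings.append(f"{who} has extra {perms}")
    if sha256 and stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != sha256:
                findings.append("checksum changed")
    return findings

def demo():
    """Constructed scenario: a config file that is too open, then modified."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.conf")
        with open(path, "wb") as fh:
            fh.write(b"loglevel=info\n")
        baseline = hashlib.sha256(b"loglevel=info\n").hexdigest()
        os.chmod(path, 0o664)
        before = check_path(path, 0o640, sha256=baseline)
        os.chmod(path, 0o640)           # remediate the permissions
        with open(path, "ab") as fh:    # then change the content
            fh.write(b"loglevel=debug\n")
        after = check_path(path, 0o640, sha256=baseline)
        return before, after, check_path(d, 0o750, must_be_dir=True)

if __name__ == "__main__":
    print(demo())
```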

8 Adding compliance checks
From the Provisioning Computer or the Provisioning Group compliance screen
- New Compliance Checks
- Copy Compliance Checks
  - Copy all compliance checks from a group or computer that already has checks defined
- Create Compliance Checks Using Model
  - Use the actual state of a model computer to create compliance checks. The actual state is based on the results of inventory scans of the model machine

9 Checking compliance
- New compliance checks have a compliant status of unknown
- Run immediately or schedule either a compliance check or an inventory scan and compliance check
- Inventory scan is needed to check software compliance

10 Compliance
Once a scan and check have run, any noncompliant checks show on the compliance tab

11 Compliance
The Provisioning Computers list shows compliance status

12 Compliance
The Provisioning groups list shows the number of compliant devices in the group

13 Working with Recommendations
- Once a scan and check have run, any recommendations for correcting discrepancies appear on the recommendations tab.
- Initial status of recommendations is opened (or approved if automatic approval is enabled)
- Before a recommendation can be implemented, it must be approved

14 Working with Recommendations
- A recommendation can be ignored for a period you can specify
- Use “Run” to remediate a software compliance check right away
- Use “Schedule” to schedule the remediation of a software compliance check for a future time
- Once run, a recommendation shows as implemented and can be closed

