Security and Compliance Analytics (pka DSS SCM) 1.0 Now Available!

(imported topic written by SystemAdmin)

We’re pleased to announce the general availability of Tivoli Endpoint Manager for Security and Compliance Analytics 1.0 (pka DSS SCM)! All customers currently licensed for Tivoli Endpoint Manager for Security and Compliance, BigFix SCVM, or BigFix SCM v3 are entitled to this component.

ABOUT TIVOLI ENDPOINT MANAGER FOR SECURITY AND COMPLIANCE ANALYTICS

Tivoli Endpoint Manager for Security and Compliance Analytics (SCA) is a web-based application for endpoint security and risk assessment. The system archives endpoint security compliance check results to help identify configuration issues and report levels of compliance toward security configuration goals. SCA is a component of Tivoli Endpoint Manager for Security and Compliance, which includes libraries of technical checks (aka controls) and tools based on industry best practices and standards for endpoint and server security configuration. The technical checks enable continuous, automated detection and remediation of security configuration issues. Note that certain SCM checklists provided by IBM are designed to work with the SCA reporting. You may have a range of “legacy” BigFix fixlets, Tivoli Endpoint Manager fixlets, and custom fixlets for security compliance in your deployment. These will continue to function correctly; however, only certain fixlets will appear within the SCA reports.

Report views and tools for managing the SCM checks are provided by SCA. SCA generates the following reports, which can be filtered, sorted, grouped, customized using any set of Tivoli Endpoint Manager properties, and exported:

  • Overviews of Compliance: Status and History
  • Checklists: Compliance, Status, and History
  • Checks: Compliance, Status, Values, and History
  • Computers: Compliance, Status, Values, and History
  • Computer Groups: Compliance, Status, and History
  • Exceptions: Management, Status, and History

More information about the SCM technical checks and the SCA reporting component is available in the Security Configuration Management documentation on our support website at http://support.bigfix.com/resources.html

NEW DISA STIG FOR WINDOWS SCM CONTENT ALSO NOW AVAILABLE

In addition to the new SCA component, a new set of DISA STIG content sites for Windows is available. This content, replacing the previous DISA STIG for Windows sites, is based on the latest guidance from DISA. The new content is compatible with SCA 1.0, contains measured values analysis properties, and uses a new model for check parameterization. The new sites are:

  • DISA STIG on Windows 2008 DC v6r1.11
  • DISA STIG on Windows 2008 MS v6r1.11
  • DISA STIG on Windows 2003 DC v6r1.18
  • DISA STIG on Windows 2003 MS v6r1.18
  • DISA STIG on Windows Vista v6r1.18
  • DISA STIG on Windows XP v6r1.18
  • DISA STIG on Windows 7 v1r2

HOW TO GET TIVOLI ENDPOINT MANAGER FOR SECURITY AND COMPLIANCE ANALYTICS and the NEW DISA STIG FOR WINDOWS CONTENT

If you are running BES 8.0 or Tivoli Endpoint Manager 8.1 or later and your server is gathering the SCM Reporting site, a new Security and Compliance Analytics dashboard is available in the Security Configuration domain with a utility to download and install the new Analytics software. Also, the new DISA STIG Windows sites will appear in your License Overview dashboard in the BigFix Management domain.

If you are running BES 7.x and you are currently licensed for Tivoli Endpoint Manager for Security and Compliance, BigFix SCVM, or BigFix SCM v3, please contact ibmtemlicensing@lotus.com for access to the new component and new DISA STIG for Windows mastheads.

We hope you have a chance to evaluate and adopt this exciting new product from IBM and the Tivoli Endpoint Manager (built on BigFix technology) team.

Thank you!

– The IBM Tivoli Endpoint Manager Product Team

(imported comment written by SystemAdmin)

Thought I’d also include some annotated screen shots so you get a glimpse at the new reports…

http://farm6.static.flickr.com/5176/5474733038_62dcaee4ef_b.jpg

http://farm6.static.flickr.com/5100/5474732860_f730dc039d_b.jpg

(imported comment written by Chris_Loer)

Has anyone out there started using our new baby? We’d love to hear any first impressions or feedback, whether it’s on the new content we’ve published to all the Consoles or the new Analytics tool itself!

(imported comment written by BenKus)

I told Chris that if he issued a plea for feedback then the people on the forum would almost certainly answer him…

So has anyone out there tried the newest DSS SCM version that we worked for so long on?

Ben

(imported comment written by SystemAdmin)

Hi Ben, Chris,

I have been looking at this - just been waiting to get some data to give it some ‘meaning’.

My first impressions are that it looks like a very impressive tool and given the ease-of-use and uncluttered presentation, I can see myself spending time presenting it to our managers (as you know - all managers like a graph :wink: )

As always there is a ‘but’ …

A.D. integration, as per WebReports, would be extremely useful.

Also the ability to add our own Custom Sites and Baselines into the Checklist Reports so that they, too, can be presented.

Brgds,

Mark

(imported comment written by Chris_Loer)

Hi Mark,

Thanks for the feedback! We definitely hear about AD integration, it’s on our radar. For the “custom sites” question, did you know that you can take our latest DISA or FDCC content, copy it into a custom site (using the “create custom checklist wizard”), and that it will show up as a new checklist in the Analytics tool? This won’t allow you to automatically import your own custom “check fixlets”, but it allows you to parameterize our checks, as well as mix and match the checks that you want to include in a given checklist.

Chris

(imported comment written by SystemAdmin)

Hi Chris,

I wasn’t aware of the “create custom checklist wizard”. Unfortunately this would not really help us in this instance.

Just out of curiosity, are the reports/graphs generated from all the checks or only the visible ones?

Mark.

(imported comment written by Chris_Loer)

When you say “visible checks”, are you talking about the “Hide Fixlet Locally/Globally” feature in the Console? If so, the answer is “all the checks” – SCA doesn’t look at the Console’s “hidden” flags. When SCA imports data from the platform database, every Fixlet site that contains at least one Fixlet tagged as a “Configuration Check” gets pulled in as a “Checklist”.

What types of custom checks have you implemented? Our vision is that SCA should be able to give you compliance reports on custom checks as well as checklists generated by IBM, but as we move in that direction we need to have a very good understanding of how our customers’ custom checks behave.

(imported comment written by SystemAdmin)

Hi Chris,

Yes, I was talking about the ‘Hide Fixlet Locally/Globally’ feature. I am toying with the idea of globally hiding fixlets that we are not actively monitoring (yet) rather than creating Baselines and/or Custom Sites of the fixlets. If the SCA did look at the hidden flag, our managers here would be able to see how well we are doing at remediating the fixlets that we are monitoring as well as getting an overall view of our estate.

As an example to answer your second point - every year we have an external auditing company come in and check the state of a cross section of our servers. I have created a Custom Site that uses a combination of Custom Copies of your fixlets along with my own fixlets where none is supplied (e.g. servers that have users who run cron jobs, servers that have port 23 open). This allows us to monitor those systems all year round, fix any problems and document any exceptions.

We also create Baselines of your fixlets. Since there are a huge number of checks to monitor, we take a manageable selection, create a Baseline and fix all the issues. Once all those checks are fixed we create a policy action, where possible, to autoremediate and then create the next baseline, and so on. Which brings me back to my first point about simply hiding the checks that we don’t want to monitor yet.

(imported comment written by Chris_Loer)

Hi Mark,

The model we’ve had is to think of the contents of a Fixlet site as the single canonical definition of what’s in a checklist, so we’d imagine that if you want to exclude a check from active monitoring/reporting, you’d do that by deleting the Fixlet from your checklist site. One implication of this model is that you only use “external” fixlet sites when you’re following the exact guidance of the external source (DISA or FDCC). If you want to make any changes, then you need to work with a copy of the checklist in a custom site. We know that the “Fixlet = Check” and “Site = Checklist” mapping can feel a little awkward in the Console right now, and we’re looking at ways to build more UI to make it feel natural. For some of our customers, the “hiding” functionality is tied to their remediation workflow in the Console. So for example, they might hide a check from non-master operators if they don’t want NMOs to use the remediation in that check, but they still collect the compliance data for the check.

It’s great that you’re creating your own custom SCM checks and mixing them in with the ones we supply. We definitely want to support that use case. Probably the first thing we’ll try to do is make a wizard that allows you to “tag” your own custom Fixlets with the information they need in order to be imported into the Analytics tool, so that you can get historical compliance reporting that integrates our stuff with your stuff.

It sounds like you’re using Baselines in a pretty standard “BigFix” way to make mass remediation easier – cool! We’re interested in how you’d want to report on “compliance” for a baseline within SCA, especially since we don’t have any firm designs for doing that right now. If you had a custom site with two custom checks in it and one baseline that rolled up 30 more checks, would you want that to show up as a “checklist” with three “checks” in it? So a computer that was compliant for the two custom checks and compliant for 29 of the 30 components of the baseline would show as “66% compliant” since it failed the single “baseline check”.

(imported comment written by SystemAdmin)

Hi Chris,

Sorry for the delay in getting back to you on this…

Your last point about how to report on baseline failures is quite subjective and could/would probably spark a lively debate!

It seems to me that there are two ways of using a baseline:

  1. a set of disparate fixlets grouped together to make it more convenient to check and remediate relevant issues

or

  2. a set of related fixlets that provide a solution to a single issue

As an example, I might have

  1. a baseline with two fixlets, the first checks for a misconfigured “/etc/ntp.conf” and the second checks the file permissions for “/etc/passwd”. I would want to see this as 2 checks.

  2. a baseline with two fixlets, the first checks that SSH is at a certain version and the second checks that root login has been disabled. This, to me, would be a single check as the baseline is checking the complete configuration of SSH.

In relation to “make a wizard that allows you to ‘tag’ your own custom Fixlets”:

  • I don’t know how difficult it would be, but a simple checkbox somewhere in the ‘Edit’ screen or even, in the console when you highlight a fixlet you get several buttons - ‘Take Action’, ‘Edit’, ‘Copy’, ‘Remove’, etc - why not add an ‘Add to/Remove from SCA Report’ button?

Mark.

(imported comment written by Chris_Loer)

Hi Mark,

For the cases you describe, it sounds like it could work if we just allowed you to select baselines or components of baselines and “tag” them to say “this is a security check”. Then it would be up to you to manage your custom checklists and decide which baselines are checks in their own right and which ones are actually collections of checks.

We don’t currently have a generic “platform” capability to add arbitrary Console menu extensions such as an ‘Add to/Remove from SCA Report’ button, although that feature is on the platform backlog. Without that kind of capability, a project like SCM that’s built entirely on top of the generic platform would need to find a different way to offer the same kind of functionality you suggest.
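The two counting rules debated above (a baseline as one check in its own right versus a baseline as a bundle of separately scored checks) can be made concrete with a small roll-up model. This is an added example, not SCA code; the `atomic` tag, the `score` function and every check name are assumptions constructed for the illustration, and `chris_scenario` reproduces the two-custom-checks-plus-30-component-baseline case from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass
class Check:
    """One custom Fixlet tagged as a Configuration Check."""
    fixlet: str


@dataclass
class Baseline:
    """A Baseline of component Fixlets. `atomic` is the hypothetical tag from the
    thread: True = the whole baseline is one security check (the SSH example),
    False = a convenience bundle, each component scored on its own (ntp/passwd)."""
    name: str
    components: List[str]
    atomic: bool = True


def score(checklist: List[Union[Check, Baseline]],
          results: Dict[str, bool]) -> Tuple[int, int]:
    """Roll one computer's results (fixlet -> True if compliant) up to the
    checklist. A Fixlet missing from `results` counts as non-compliant.
    Returns (compliant_units, total_units)."""
    passed = total = 0
    for item in checklist:
        if isinstance(item, Check):
            units = [results.get(item.fixlet, False)]
        elif item.atomic:
            # the baseline fails as a whole if any component is non-compliant
            units = [all(results.get(c, False) for c in item.components)]
        else:
            units = [results.get(c, False) for c in item.components]
        passed += sum(units)
        total += len(units)
    return passed, total


def percent(passed: int, total: int) -> float:
    return 100.0 * passed / total if total else 100.0


def chris_scenario(atomic: bool) -> Tuple[int, int]:
    """Constructed data: two custom checks plus a 30-component baseline on a
    computer that fails exactly one baseline component."""
    components = [f"baseline-check-{i}" for i in range(1, 31)]
    checklist = [Check("custom-1"), Check("custom-2"),
                 Baseline("big-baseline", components, atomic=atomic)]
    results = {c: True for c in ["custom-1", "custom-2", *components]}
    results["baseline-check-30"] = False
    return score(checklist, results)
```

With `atomic=True` the computer scores 2 of 3 units (the "66% compliant" outcome in the thread); with `atomic=False` the same results score 31 of 32.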

(imported comment written by mdahitule91)

Hi Team,

We have TEM and Web Reports on same server, is it possible to install TEMA on same?

Regards,

Mangesh Dahitule.

(imported comment written by Chris_Loer)

Hi Mangesh,

Yes, we do it all the time in our demo environments, it’s mostly just a question of whether a single server will scale well enough for your purposes. For smaller deployments (a few thousand seats), it should work well as long as you’re running on pretty good hardware. The TEMA application itself wants about a gigabyte of RAM, but the main load is on the database server (which I assume you’re also running locally) – because the disk access pattern for TEMA is very different from the core TEM database, it’s less efficient to run both databases on the same disks. Again, though, that shouldn’t be a big deal at smaller scale.

The other constraint is that you need to configure TEMA to use a different port than Web Reports, so for example you might have Web Reports on port 80 and TEMA on port 81.

(imported comment written by hmkjr91)

Hello,

I am hoping to get some assistance with installation of SCA. We set up SCA in a lab environment to test functionality, but our production architecture is different and may be causing some issues, not sure.

I have a web server and a separate SQL server for SCA and then of course, there is the BF_Enterprise SQL Server.

I am not able to get past the database connection to the SCA SQL Server part of the setup. If I use Windows Authentication, I am getting a “Bad username and password” error. If I use SQL Authentication, I get a “host cannot be found” message.

I can log on to the SQL server with the AD account we are using to do the setup and I can create databases - that’s actually a separate question - do you need to create the database in advance of the setup? We did try both ways.

I can successfully create and test an ODBC connection to the SQL server from the SCA web server.

Any ideas, thoughts, or advice would be greatly appreciated. Let me know if there is any other information that might be helpful.

UPDATE: we get this error on the SQL server when attempting to use AD Authentication - Message

Login failed for user ‘Domain\COmputername$’. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.

CLIENT: xxx.xxx.xxx.xxx

QUESTION: is sql authentication required when using a separate sql and web server?

Thanks in advance!

(imported comment written by mike.luu91)

hmkjr

QUESTION: is sql authentication required when using a separate sql and web server?

Security and Compliance Analytics supports both forms of auth (sql and windows) for remote database configurations. Can you tell us which versions of software/OS you are using?

  • Database Server OS
  • MSSQL Version
  • Security and Compliance Analytics Server OS

What is the effective level of UAC, if any, on the Security and Compliance Analytics server?

Can you ensure that the service is running as the intended Domain User? In one of your error messages it seems to be complaining about a domain\computer.

Thanks,

Mike

(imported comment written by hmkjr91)

Thanks Mike, I was able to get version 1.0 installed and working. Then I was advised by IBM folks that were onsite one day this week to install version 1.1.

I keep getting a message that says the installation was interrupted and the system was not modified. The msi installer is returning error code 1603. I turned on verbose logging and don’t see anything useful.

Anyone have any thoughts?

Thanks

(imported comment written by mike.luu91)

hmkjr, I’m sorry you’re having problems installing 1.1. Can you turn on MSI logging and send us the log?

from the command line:

msiexec /l tema_install.log /i tema.msi

(imported comment written by hmkjr91)

After much testing on many different machines and versions of operating system, we have determined that the TEMA 1.1 installation will not complete successfully without a network interface that has internet access.

Our SCA servers do not have internet access.

Questions are:

  • Why is this?
  • Does the server require internet access for TEMA to function?
  • Is there a way around it?

(imported comment written by SystemAdmin)

Hi hmkjr,

Sorry for the trouble. As you know by now, but for the benefit of the rest of the community:

There’s a bug in the 1.1 installer that requires that the server have access to http://jetty.mortbay.org/configure.dtd during installation. The fix is in testing and should be available with the next release of the installer.

– Jeff