SG24-7530-00

Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager

Enterprise integration for operational and regulatory compliance
Complete architecture and component discussion
Deployment scenario with hands-on details

Axel Buecker
Ann-Louise Blair
Franc Cervan
Dr. Werner Filip
Scott Henley
Carsten Lorenz
Frank Muehlenbrock
Rudy Tan

ibm.com/redbooks
Note: Before using this information and the product it supports, read the information in
Notices on page ix.
Contents
Notices  ix
Trademarks  x
Preface  xi
The team that wrote this book  xi
Become a published author  xiv
Comments welcome  xiv
Part 1. Architecture and design  1
Chapter 1. Business context for compliance management  3
1.1 Introduction to compliance management  4
1.2 Business drivers for compliance management  5
1.3 Criteria of a compliance management solution  7
1.4 Recent challenges for compliance management  10
1.5 Conclusion  11
Chapter 2. Architecting a compliance management solution  13
2.1 Security Information and Event Management architecture  14
2.2 IBM Tivoli SIEM solution  17
2.2.1 Event types  19
2.3 Solution architecture  21
2.3.1 Projecting a security compliance solution  21
2.3.2 Definition of a security compliance solution  21
2.3.3 Design of a security compliance solution  23
2.4 IBM Tivoli compliance tools  24
2.5 Conclusion  26
Chapter 3. IBM Tivoli Compliance Insight Manager component structure  27
3.1 Product overview  28
3.2 Product architecture  28
3.2.1 Tivoli Compliance Insight Manager cluster  30
3.2.2 Tivoli Compliance Insight Manager Enterprise Server  30
3.2.3 Tivoli Compliance Insight Manager Standard Server  32
3.2.4 Actuators  32
3.2.5 Management Console  33
3.2.6 iView Web portal  34
3.2.7 Databases  35
3.2.8 Component architecture  36
5.5 Tivoli Compliance Insight Manager and Tivoli Security Operations Manager complement each other  118
5.5.1 Different groups have differing requirements  118
5.5.2 The combined strength  120
5.5.3 SIEM integration scenarios  122
5.6 Conclusion  125
Part 2. Customer environment  127
Chapter 6. Introducing Tivoli Financial Accounting Corporation  129
6.1 Company profile  130
6.2 Current IT infrastructure  130
6.3 Security compliance business objectives  133
6.3.1 Comply to security requirements in the industry  134
6.3.2 Maintain and demonstrate management control  134
6.3.3 Integrate monitoring across a multi-platform environment  134
6.3.4 Harvest and structure information to specific needs  135
6.3.5 Establish a cost efficient and future proofed solution  136
6.4 Conclusion  136
Chapter 7. Compliance management design  137
7.1 Business requirements  138
7.2 Functional requirements  139
7.3 Design approach  145
7.4 Implementation approach  148
7.4.1 Determine what reports need to be generated  148
7.4.2 Monitoring target assets for reports  149
7.4.3 Identify what data needs to be collected from each event source  151
7.4.4 Ensure that Tivoli Compliance Insight Manager has the ability to monitor audit trails from that event source  151
7.4.5 Prioritize the target systems and applications  152
7.4.6 Planning deployment  153
7.4.7 Divide the tasks into phases  154
7.5 Conclusion  154
Chapter 8. Basic auditing  157
8.1 Phase one auditing  158
8.2 Install Tivoli Compliance Insight Manager cluster  159
8.2.1 Install Enterprise Server  159
8.2.2 Install Standard Server  160
8.3 Phase one reporting requirements  160
8.4 Enabling and configuring auditing  161
8.4.1 Auditing settings for the Windows Security log  161
8.4.2 Active Directory audit policy settings  162
Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.
This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:
Redbooks (logo)
developerWorks
z/OS
AIX 5L
AIX
CICS
Domino
DB2
IBM
Lotus Notes
Lotus
MVS
Notes
OS/390
Redbooks
RACF
SOM
Tivoli Enterprise
Tivoli Enterprise Console
Tivoli
WebSphere
Preface
In order to comply with government and industry regulations such as
Sarbanes-Oxley, Gramm-Leach-Bliley and COBIT, enterprises have to constantly
detect, validate, and report unauthorized change and out-of-compliance actions
within their IT infrastructure.
The IBM Tivoli Compliance Insight Manager solution allows organizations to
improve the security of their information systems by capturing comprehensive log
data, correlating this data through sophisticated log interpretation and
normalization, and communicating results through a dashboard and a full set of
audit and compliance reports.
We discuss the business context of security audit and compliance software for
enterprises, and describe the logical and physical components of Tivoli
Compliance Insight Manager. Finally, within a business scenario we discuss a
typical deployment.
This book is a valuable resource for security officers, administrators, and
architects who wish to understand and implement a centralized security audit
and compliance solution.
many Tivoli software products. Her main focus for the past two years has been
developing data integration solutions using IBM Tivoli Directory Integrator.
Franc Cervan is an Advisory IT Security Specialist from IBM Slovenia. He holds
a degree in electrical engineering and is also ITIL certified. He has over 10 years
of experience in security and systems management solutions. Since 2003 he has
been part of the IBM Software Group as a Tivoli Technical Sales Specialist for the
SEA region. His areas of expertise are Tivoli Security and Automation products.
Dr. Werner Filip is a professor in the department of Computer Science and
Engineering at the University of Applied Sciences Frankfurt am Main, Germany,
and a consultant in IT security. His primary research interests are Systems and
Network Management and Applied Security. Prior to joining the University of
Applied Sciences Frankfurt he worked for 25 years for IBM in various positions,
during his last 10 years with IBM as a consultant in Systems and Network
Management at the former IBM European Networking Center, Germany. He received
a Diploma in Mathematics and a Doctorate in Computer Science from the Technical
University Darmstadt, Germany.
Scott Henley is an IBM Pre-sales Senior IT Specialist. He performs pre-sales
support for the IBM Tivoli Security portfolio throughout Asia Pacific. As such he
is an expert in many of the IBM Tivoli Security products and in recent years has
specialized in the Security Information and Event Management space. His
current role at IBM as an above-country expert for the Asia Pacific region means
that he is often travelling throughout the Asia and Pacific region speaking with
and assisting IBM customers to get the best value from their investment in IBM
security technologies. He is also often called upon to speak at various industry
conferences on topics such as Compliance, Risk Management and Governance.
He holds a Bachelor's degree and a Master's degree with Distinction in Information
Technology, is a CISSP and holds numerous other industry and product
certifications that he has collected throughout his almost 20 years in the IT
industry.
Carsten Lorenz is a certified Senior Managing Consultant at IBM in Germany.
He manages security solutioning in large and complex IT infrastructure
outsourcing engagements for customers throughout Europe, the Middle East and
Africa. He has more than 8 years of experience in the security and compliance
field, specializing in the areas of Security Management, IT Risk Assessment,
Governance and Operational Risk Management. Carsten has performed
consulting engagements with IBM customers in various industries, ranging from
Fortune 500 companies to SMBs. Carsten is a CISSP and a CISA, and he holds a
Bachelor's degree in European Studies from the University of Wolverhampton, UK,
and a Diploma in Business Science from the University of Trier, Germany.
Frank Muehlenbrock is an IBM Information Security Manager. After having
supported pre-sales and services activities in Germany for the Tivoli Security
Figure 1 From left, Werner, Axel, Ann-Louise, Franc, Scott, Rudy, Carsten, and Frank
Besides working on this Compliance Management Design Guide with IBM Tivoli
Compliance Insight Manager this great team also developed the Deployment
Guide Series: IBM Tivoli Compliance Insight Manager, SG24-7531.
Thanks to the following people for their contributions to this project:
International Technical Support Organization, Austin Center
Nick Briers, Koos Lodewijkx, Dimple Ahluwalia, Jose Amado, Bart Bruijnesteijn,
Philip Jackson, Sujit Mohanty, Erica Wazewski
IBM
Comments welcome
Your comments are important to us!
We want our books to be as helpful as possible. Send us your comments about
this book or other IBM Redbooks in one of the following ways:
Use the online Contact us review Redbooks form found at:
ibm.com/redbooks
Send your comments in an e-mail to:
redbooks@us.ibm.com
Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400
Part 1. Architecture and design
In this part we discuss the overall business context for security compliance
management of IT systems and explain the general business requirements for a
security compliance management solution.
Then a framework for providing security compliance functionality throughout an
organization is described. In addition to this we introduce the high-level
components and new concepts for the design of a compliance management
solution using IBM Tivoli Compliance Insight Manager.
Additionally, an understanding of the high level product architecture of Tivoli
Compliance Insight Manager is provided.
At the end of this part we introduce you to the IBM Security Information and
Event Management solution.
Chapter 1. Business context for compliance management
The Sarbanes-Oxley Act was established in 2002 in response to corporate scandals
(for example Enron and WorldCom) involving incorrect financial reporting. It aims
to protect stakeholders from huge losses and to prevent future shocks to confidence
in the financial system in the USA. Since July 2006 the law applies to all companies
listed on the US stock exchanges, including international or foreign companies. For
more information see:
http://www.soxlaw.com/
Basel II is an accord issued by the Basel Committee on Banking Supervision that
summarizes recommendations on banking laws and regulations with the intent to
harmonize banking regulation worldwide. This second accord introduces matters
around Operational Risk, which in turn includes risks in the area of technology,
processes and people. For more information see:
http://www.bis.org/publ/bcbsca.htm
determines how much money a bank can use to extend credit to its customers and
how much it has to keep in reserve to cover its risks, which in turn affects the
interest rates a bank can offer its customers. So today even external regulation
itself is moving from a basic compliance versus non-compliance view towards
assessing the level of control versus non-compliance, where compliance is the
highest level of control possible.
Note: Being compliant versus being in-control
If you have ever been audited (or audited someone), you probably know that
there is a difference between being:
In compliance: All your systems and processes are operated and delivered
according to the security policies and standards (and you have evidence
for compliance).
In control: You know what is in compliance and what is not, you know why,
and you have a plan of action (and you have evidence for control).
Now, what is more important? Being in control is, because you could be in
compliance by accident. Further, if you are compliant but not in control,
chances are high that you will not stay compliant for very long.
If you are in control, you will end up being compliant eventually, or at least
you will have it on record why you are not compliant.
And if you are not compliant and not in control, gaining control should be your
primary goal.
This is the reason why regulations more and more shift from compliance to
control objectives.
Most organizations do not stop after they have met the basic principles set out in
their policies, they want to understand how efficiently this level of compliance
was achieved or even exceeded. Customers also want to identify indicators
about how stable and consistent the current compliance achievement is and
whether the state of compliance can be maintained.
Level of automation
... is concerned with whether a compliance management solution relies on
automated checks, which require higher investments in technology, on manual
checks, which require more human effort and skills, or on a combination of both.
The level of automation can also be limited by technology, for example when the
compliance tools do not support every system that should be checked for
compliance, or when a system itself does not provide enough functionality to
report information about its own compliance.
The key dimensions listed above can be derived by considering the following
secondary factors:
Business environment of the organization
Is corporate espionage or other business crime an issue? Does the company
use outsourcing services? How dependent is the business on its IT systems?
Regulatory and legal obligations
In which industry is the business operating? In which countries is the
business operating? Which laws and regulatory requirements exist in each
country for this industry with influence on information security? What level of
scrutiny is executed by the regulators?
Note: It is useful to keep in mind that a security compliance management
system can provide a lot of evidence about the level of executive control.
Organizational complexity
The size and setup of the organization influences the speed of the reaction to
deviations from the desired security level. Further, it will have a significant
impact on the requirements on an IT security compliance management
solution, such as the administration approach.
Technological complexity
Obviously, the existing IT environment defines the scope of the operating
systems, middleware, and business applications that need to be supported by
any IT security compliance management solution. Also, the level of
standardization, centralization and consolidation has a significant influence on
the IT security compliance management solution.
Security policy framework maturity
Mature businesses have derived their existing security standards, work practices
and procedures from the policy level. The policy level defines the general security
control requirements. The standard level provides the platform-specific security
settings that meet those control requirements on a given platform, together with
descriptions of how to implement the standards and how to deal with situations
where a standard cannot be applied due to specific technical requirements of a
given system.
1.5 Conclusion
As a result of the influencing factors discussed above, a security compliance
management solution must provide a flexible yet comprehensive framework that
can be configured and customized to the specific organization in question and
that takes a holistic approach to collecting and controlling the information
security compliance of an organization. Such business requirements for compliance
management set the boundaries for the functional and non-functional requirements
of a technical compliance management solution.
The increased pressure on organizations to demonstrate better control and
compliance and the ever-increasing complexity of the business and technical
environment demand integrated and automated solutions for compliance
management, so that the organization does not spend more time managing
compliance than pursuing its primary objectives.
The remainder of this book discusses the implementation of such an automated
solution based on IBM Tivoli Compliance Insight Manager as well as other
supporting technologies and products.
Chapter 2.
Architecting a compliance
management solution
An architecture is designed to be strategic; it is meant to have a longer life than
a blueprint, design specification, topological map or configuration. If it is too
specific, it becomes constrained by current circumstances. If it is too broad or
general, it cannot provide direction and guidance. It is meant to assist in making
decisions related to the identification, selection, acquisition, design,
implementation, deployment, and operation of security elements in an
organization's environment.
An architecture also has to support many communities and represent the
long-term view of a technical direction. Security compliance architectures in
particular need to allow for multiple implementations depending on the realities
of the moment, and caution should be exercised to prevent the security
compliance architecture from becoming a blueprint for a specific implementation.
In this chapter we describe a framework for providing security compliance
functionality throughout the organization. A security compliance architecture
must be flexible and open in order to deal with the ever changing environments
an organization may face in the future. The primary factors that require a
modification to an architecture are:
A change to the requirements in the regulatory environment in which the
organization operates.
SIEM component figure (not reproduced; labels recovered from the page): Security Event Management reporting (Monitoring, Correlation, Alerts; Security Dashboard) and Security Information Management reporting (Forensics, Reports, Advanced Analytics; Compliance Dashboard), labelled Compliance and Control, fed by the event sources OS, Application, DBMS and Mainframe.
In Gartner's research paper Magic Quadrant for Security Information and Event
Management, 1Q07 (publication date 9 May 2007, ID number G00147559) you find
an industry-wide standard definition of SIEM:
Market definition/description:
The SIEM market is driven by customer needs to analyze security event data
in real time (for threat management, primarily focused on network events) and
to analyze and report on log data (for security policy compliance monitoring,
primarily focused on host and application events). SIM provides reporting and
analysis of data primarily from host systems and applications, and secondarily
from security devices, to support security policy compliance management,
internal threat management and regulatory compliance initiatives. SIM
supports the monitoring and incident management activities of the IT security
organization, and supports the reporting needs of the internal audit and
compliance organizations. SEM improves security incident response
capabilities. SEM processes near-real-time data from security devices,
network devices and systems to provide real-time event management for
security operations. SEM helps IT security operations personnel be more
effective in responding to external and internal threats.
With SIEM in place, all problems in the previous enumeration can be mitigated.
The benefits of SIEM are also clear: more effective security management and
compliance with regulatory requirements. Side effects such as a rapid return on
investment and ongoing savings on equipment and manpower are not addressed
here, but they are also valid business reasons to implement a SIEM architecture.
To deploy the full breadth of IBM's SIEM capabilities, a combination of the IBM
Tivoli Security Operations Manager (TSOM) real-time correlation and operational
dashboard and the IBM Tivoli Compliance Insight Manager (TCIM) user
monitoring, compliance dashboard and regulatory compliance reporting should
be used. Real-time threat and infrastructure event sources are directed to Tivoli
Security Operations Manager for real-time correlation and infrastructure controls
monitoring, while internal, user-focused log sources are sent to the Tivoli
Compliance Insight Manager log management system and infrastructure.
The following figure shows what an IBM SIEM solution can look like when both
Compliance Insight Manager and Security Operations Manager technologies are
used for security compliance solutions.
Figure 2-2 Tivoli Security Operations Manager and Tivoli Compliance Insight Manager as
part of a SIEM solution
directly from the device. For the significant majority of deployment scenarios, the
IBM SIEM architecture collects log or event data only once and makes
effective use of that information within both Tivoli Security Operations Manager
and Tivoli Compliance Insight Manager.
Correlated events are also integrated bi-directionally between the Standard
Servers of Tivoli Compliance Insight Manager and the Tivoli Security Operations
Manager CMS servers (see Figure 2-2).
Security policies are defined by the executive board and provide a clearly stated
security direction for the overall organization. They can also be thought of as the
security constitution.
Security standards are the next level of security rules. Security standards are
metrics that define allowable boundaries. A standard must provide sufficient
parameters that a procedure or guideline can be met unambiguously. Standards,
in comparison to policies, change when requirements or technologies change;
policies tend to remain static. There may be multiple standards for one policy.
More discussion on this topic can be found in 1.1, Introduction to compliance
management on page 4 and Appendix A, Corporate policy and standards on
page 447.
A good example of a standard is the password rules. This standard documents
the allowed minimum password length, the maximum password age, and whether
a new user needs to change his or her password after the first logon.
When talking about standards it is clear that security compliance in larger
organizations cannot be maintained manually. How could this be accomplished
for hundreds or even thousands of IT systems with different operating
environments, database servers, Internet-facing systems and more? IBM Tivoli
Security Compliance Manager helps you check your security compliance
automatically. For more details refer to IBM Tivoli Security Compliance
Manager on page 24.
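The password standard above is a set of allowable boundaries, and the earlier note distinguishes being compliant from being in control (every deviation known, explained and on record). The following is an added example, not code from this book or from any Tivoli product, that puts both ideas together: it checks settings collected from a few hosts against such a standard and classifies each host as compliant, in control (every deviation has a documented exception) or out of control. The standard values, the host settings, the exception register and the host names are all constructed for illustration.

```python
"""Check collected password settings against a password standard.

Added example, not code from the Redbook or from Tivoli Compliance
Insight Manager. The standard, the host settings and the exception
register below are constructed for illustration.
"""
import operator

# The standard expressed as allowable boundaries per setting:
# setting name -> (comparison, boundary). Values are assumed.
PASSWORD_STANDARD = {
    "min_length": ("ge", 8),               # at least 8 characters
    "max_age_days": ("le", 90),            # rotated at least every 90 days
    "change_on_first_logon": ("eq", True), # forced change after first logon
}

_COMPARISONS = {"ge": operator.ge, "le": operator.le, "eq": operator.eq}

# Documented, approved deviations: host -> {setting: reason}.
# A recorded exception is evidence of control even where the host
# is not compliant with the standard. Constructed data.
EXCEPTIONS = {
    "db02": {"max_age_days": "service account password rotated by a vault; "
                             "exception approved and reviewed quarterly"},
}

# Constructed settings as collected from three hosts. app03 did not
# report one setting at all (its platform cannot expose it).
HOSTS = {
    "web01": {"min_length": 8, "max_age_days": 90, "change_on_first_logon": True},
    "db02": {"min_length": 12, "max_age_days": 365, "change_on_first_logon": True},
    "app03": {"min_length": 6, "max_age_days": 90},
}


def check_setting(value, comparison, boundary):
    """True if value satisfies the boundary, e.g. check_setting(8, "ge", 8)."""
    return _COMPARISONS[comparison](value, boundary)


def evaluate_host(name, settings, standard=PASSWORD_STANDARD, exceptions=EXCEPTIONS):
    """Classify one host as compliant, in control or out of control.

    compliant:      every setting meets the standard
    in control:     deviations exist, but each one has a documented exception
    out of control: at least one deviation (or uncollected setting) has no
                    documented exception
    """
    deviations = {}
    for setting, (comparison, boundary) in standard.items():
        if setting not in settings:
            deviations[setting] = "not collected from host"
        elif not check_setting(settings[setting], comparison, boundary):
            deviations[setting] = (
                f"value {settings[setting]!r} violates {comparison} {boundary!r}"
            )
    documented = exceptions.get(name, {})
    undocumented = {s: why for s, why in deviations.items() if s not in documented}
    if not deviations:
        status = "compliant"
    elif not undocumented:
        status = "in control"
    else:
        status = "out of control"
    return {
        "host": name,
        "status": status,
        "deviations": deviations,
        "exceptions": {s: documented[s] for s in deviations if s in documented},
        "undocumented": undocumented,
    }


def evaluate_estate(hosts=HOSTS):
    """Evaluate every host and return the results keyed by host name."""
    return {name: evaluate_host(name, settings) for name, settings in hosts.items()}


def summarize(results):
    """Count hosts per status; this is the figure a control report leads with."""
    counts = {"compliant": 0, "in control": 0, "out of control": 0}
    for result in results.values():
        counts[result["status"]] += 1
    return counts


if __name__ == "__main__":
    results = evaluate_estate()
    for name, result in results.items():
        print(f"{name}: {result['status']}")
        for setting, why in result["deviations"].items():
            marker = "documented" if setting in result["exceptions"] else "UNDOCUMENTED"
            print(f"  {setting}: {why} [{marker}]")
    print(summarize(results))
```

A setting the host could not report is treated as a deviation rather than silently skipped: a gap in the evidence is itself something an auditor will ask about, and it can only count as controlled if someone has recorded why it is missing.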
The initial project definition is based on the documentation that triggered the
project, such as the IT architecture, security architecture, request for proposal
(RFP) or equivalent. All of these documents identify the business background
and the business need for the solution. They also document the business and
technical requirements for the solution. For a security compliance solution, the
following (unordered) areas need to be defined in this phase:
Regulatory requirements
What are the regulatory requirements the organization has to adhere to? For
example, is the enterprise listed on the New York Stock Exchange (NYSE)? If
so, it needs to be compliant with the Sarbanes-Oxley Act (SOX). Other
regulatory requirements apply depending on the industry the organization is
operating in.
Security policies
What does the corporate security policy define for users, accounts,
passwords, access control, and so on? It is important to follow the
organization's security policies, because they ensure the correct handling of
IT resources. They are the foundation of information security within an
organization.
Monitored environment
Target users: Who are the users that have to be monitored? Examples are
privileged users, database administrators, executives, and so on.
Target systems: What are the components in your system environment
that have to be monitored? Examples include operating systems,
databases, applications, the network, firewalls, physical locations, and so
on.
Reports
In order to constantly demonstrate evidence of compliance it is mandatory to
show compliance reports.
Processes
Although we are purely focusing on designing a security compliance solution,
the outcome of architecting such a solution does not only result in a technical
toolset and an infrastructure that has to be implemented. In order to create a
comprehensive solution supporting processes must be developed and put
into production. Examples of such processes are:
Patch management process
User identity revalidation process
Problem and change management process
Incident management process
There are many more processes that could be added to this list. Basically, for
every IT-related task you need to have a process in place.
2.5 Conclusion
In this chapter we shed some light into the necessary steps in order to architect a
compliance management solution. After we investigated the different compliance
related event types that have to be collected we described a general solution
architecture.
Finally we spent a few paragraphs on introducing the IBM Tivoli solution offerings
in the compliance management space: Tivoli Security Compliance Manager,
Tivoli Security Operations Manager, and Tivoli Compliance Insight Manager.
In the following chapter we start to focus on Tivoli Compliance Insight
Manager by introducing the product architecture and component model to you.
7530ch03.fm
Chapter 3.
[Figure: Tivoli Compliance Insight Manager component overview. Components shown: Standard Server; Enterprise Server; Web Portal with report viewing (compliance, event detail, log management, forensic search), policy management using Policy Generator, and scoping; Actuators; Management Console.]
Centralized forensics
The Enterprise Server also provides the forensic search capabilities. The
Enterprise Server allows you to search the archived logs for evidence without
using the GEM and W7 tools. Sometimes you may want to look for the raw traces
without going through the report preparation process.
Note: The GEM and W7 tools are used by Tivoli Compliance Insight Manager
for mapping and loading the data. They are described in detail in 3.3.2,
Mapping and loading on page 46.
Management Console, which is used to manage and configure the system. Each
Standard Server has its own configuration database managed by the
Management Console. The Management Console is described further in 3.2.5,
Management Console on page 33.
To exchange information between its components, Tivoli Compliance Insight
Manager uses a virtual private network consisting of agents that maintain
encrypted communication channels. This network runs on the TCP/IP layer of
the existing organizational network.
3.2.4 Actuators
Depending on the platform, Actuator software is installed on audited systems as
a service or daemon. Each Actuator consists of an Agent and numerous
Actuator scripts. The Agent is responsible for maintaining a secure link with the
Agents running on the Tivoli Compliance Insight Manager Server and other
audited systems. The Actuator scripts are invoked by the Agent (at the request of
the Tivoli Compliance Insight Manager Server) to collect the log for a particular
event source. There is a different script for every supported event type. The
Actuator is depicted in Figure 3-3.
[Figure 3-3: The Actuator, consisting of the Actuator scripts and the Agent.]
The Actuator software can be installed locally on the target system or remotely.
In Data collection using Actuators on page 40 we describe the log collection
process.
You can use the Management Console to perform numerous tasks related to the
configuration and management of the Tivoli Compliance Insight Manager
servers:
Activate the Agents and have them collect audit trails from different platforms.
Define the security policy and attention rules.
Define users and their access rights.
Start the preparations of the reports.
All the actions on the Management Console are performed by the Tivoli
Compliance Insight Manager server. You can think of the Management Console
as being the user interface for the Tivoli Compliance Insight Manager server.
After the reports have been prepared by the server, a Tivoli Compliance Insight
Manager user may generate the specific reports using the iView component.
3.2.7 Databases
Tivoli Compliance Insight Manager supports and maintains a set of embedded
databases. These databases store the audit data from security logs and other
sources of event information, for example Syslog. In the flow from collection to
archive, audit data is indexed and normalized to facilitate analysis, forensics,
information retrieval, and reporting.
An embedded database is also used to store configuration information about the
Tivoli Compliance Insight Manager environment itself.
Depot
Collected logs are stored in the log Depot, which is a compressed, online, file
system based log repository.
Reporting database
Data that has been mapped into the W7 format is stored in an instance of an
embedded database. These reporting databases are also known as GEM
databases. They are periodically emptied and then filled with more recent data.
Typically this refresh cycle is done on a daily scheduled basis, meaning that data
from the previous period is present and available for analysis and reporting. Data
from a Depot can be mapped and manually loaded into the reporting database
for processing.
Aggregation database
The aggregation process takes a large number of individual events and
consolidates them into a more manageable set of information. Additionally the
aggregation process creates statistical data that can be used to provide
management level trending data, charts and reports. It takes multiple events that
have a relationship and consolidates them into a single event. The aggregation
process involves two key operations:
A statistical database of events, exceptions, failures, and attentions is
created. The events are used to generate management charts, reports and
trending information. For example, users can report on policy exception
trends over a selected time period.
It copies across the exceptions and attentions from the scheduled loads for
each database that is configured. This provides the user with significant
forensic capability. With these events in the same database as the statistical
events, it is possible to perform drill down operations into the data for
forensics, trending, and analysis.
Aggregation is performed as part of the normal scheduled load processing. After
a successful scheduled load, aggregation is performed for each reporting
database. Aggregation vastly reduces the amount of event information that
needs to be online, and allows users to have an organization view of security
events via iView (the Tivoli Compliance Insight Manager dashboard).
Additionally, these aggregated statistics are used for providing long-term
trending information and are typically held for several years (dictated by local or
statutory requirements). This is highly valuable data and provides a historical
database of an organization's performance against defined security policies and
regulations.
Consolidation database
The consolidation database consolidates all the aggregation databases in a
Tivoli Compliance Insight Manager cluster. This provides an overall view of all
servers in the cluster for trending and statistical purposes.
Configuration Database
The Configuration Database for each Standard Server is managed through the
Management Console. Each Configuration Database includes information such
as the Actuator configuration, collect schedules, location of audit log data,
available GEM databases, the list of audited machines, and so on.
Data and statistics, spanning a longer period, are maintained by a process called
aggregation. The aggregation process builds a special database, called the
aggregation database from which trends and summaries can be extracted.
In order to check and investigate the information security status, the Tivoli
Compliance Insight Manager system offers a large number of reports. These are
produced on request by a Web-based application called iView. It can be used to
view GEM databases as well as the aggregation database.
Figure 3-6, Tivoli Compliance Insight Manager key processes flowchart shows
the key processes performed by a Tivoli Compliance Insight Manager server. A
Tivoli Compliance Insight Manager Enterprise Server also performs two extra
processes, namely indexing and consolidation.
These key processes are described in further detail in this section.
3.3.1 Collection
Collection is the process of centralizing event data by retrieving it from the
audited machines and applications and archiving it in the Depot, the central
storage repository for log data on the Tivoli Compliance Insight Manager Server.
The reliable, verifiable collection of original log data is a key part of the process
required for compliance. Through Tivoli Compliance Insight Manager you can
automate the collection process from your audited machines. Security audit data
is collected in its native form, transferred securely from the target and stored in
the server's Depot in the form of a chunk. The term chunk is used to refer to a set
of compressed logs and is the unit of collection in Tivoli Compliance Insight
Manager.
The Depot supports the consolidation function of Tivoli Compliance Insight
Manager and data remains there until it is explicitly backed up and removed. This
way log data is preserved for forensic analysis and investigations.
Tivoli Compliance Insight Manager provides a set of tools to verify the collect
process is operating and to detect if collect failures have occurred. Tivoli
Compliance Insight Manager alerts selected administrators if a collect failure
occurs so that immediate action can be taken to prevent possible loss of log
data.
Tivoli Compliance Insight Manager provides specific reporting for administrators
and auditors to verify collections are occurring on schedule without problems. It
also allows you to verify that there is a continuous collection of logs available.
Tivoli Compliance Insight Manager can send alerts if the event data indicates
there is cause for concern and further investigation is needed. Finally, it is
possible to download selected logs from the Depot to a user's local machine for
further analysis outside of Tivoli Compliance Insight Manager.
[Figure: Data collection channels into the Tivoli Compliance Insight Manager server: Logs, Syslog, SNMP, NetBIOS, ODBC, External APIs, SSH.]
There are two methods of data collection:
1. Locally installed software (Actuator) on the target machine.
2. Agentless collection. This can be achieved by either
a. A remote Actuator installation that allows you to collect the application
security log that is located on a different host machine.
b. The Tivoli Compliance Insight Manager server acting as a Point of
Presence to collect the data.
The Agent listens continuously on a reserved port for collect requests issued by
the Tivoli Compliance Insight Manager server. When a request is received, the
Agent invokes the appropriate script to gather the logs. After the Actuator has
collected the security audit log for a particular event source, the Agent
compresses and transfers the logs to the centralized Depot. The Agent maintains
an encrypted channel for all communication between the target machine and the
Tivoli Compliance Insight Manager server. That is, it provides a secure and
guaranteed transmission service.
Note:
1. The audited system often acts as the target system for event sources.
2. With relation to audit configurations, the audited system and the target
system can be described as the audited system, a system on which the
audited instance of the event source is hosted.
3. The Tivoli Compliance Insight Manager server can act as a Point of
Presence in some configurations. If this is the case, no Actuator needs to
be installed because it is already included in the server installation.
Otherwise, an Actuator corresponding to the operating system running on
the Point of Presence needs to be installed.
For the examples throughout the remainder of this chapter, in the event that the
audited systems also act as the target systems for the Tivoli Compliance Insight
Manager server to access the audit trail, the term audited system will be used.
on some platforms you can also have the Actuator delete the original audit
trail.
Agentless collection
Tivoli Compliance Insight Manager supports agentless collection on Windows,
Novell, and UNIX platforms. When using agentless remote collection, the
picture is slightly different than agent-based collection, but the steps remain the
same. This Point of Presence establishes the secure connection to the Tivoli
Compliance Insight Manager server, sending all agentless collected data
securely to the Depot.
Note: In the case of Windows the agentless data collection requires one Point
of Presence per domain.
Agentless collect reduces the operational overhead compared to an agent-based
approach. The SSH approach with UNIX provides a secure connection; the
NetBIOS approach used with Windows remote collect does not provide a secure
connection due to limitations inherent to the Windows environment.
Tivoli Compliance Insight Manager uses PuTTY client to establish the SSH
connection, which needs to be appropriately configured. The UNIX server also
needs to be running an SSH daemon, set up with the appropriate privileges as
per the Tivoli Compliance Insight Manager documentation.
Tivoli offers a toolkit that shows how to configure an event source to collect
arbitrary log data. This method allows the collection of log data that meets the
following criteria:
File based
Record oriented
Text
You can refer to the IBM Tivoli Compliance Insight Manager User Reference
Guide Version 8.0, SC23-6545-00 for further information about how to customize
ubiquitous collect event sources for forensic search and analysis.
Similar to the ubiquitous log collection, the W7LogSDK gives you the ability to
collect custom log files. Furthermore, the W7LogSDK allows you to map and load
the data. This toolkit is described in 3.4, The W7LogSDK on page 59.
IBM Services are available to assist with collecting logs from event sources that
are not automatically supported by Tivoli Compliance Insight Manager.
Mapping
To make the audit trail data accessible, it is translated (or normalized) into an
easy-to-understand data model called the Generic Event Model (GEM).
The Tivoli Compliance Insight Manager mapping process for each and every
platform is coded using the Generic Scanning Language (GSL) and the Generic
Mapping Language (GML) in files that reside on the Tivoli Compliance Insight
Manager server. The chunks are sorted based on their timestamps and are
processed sequentially by the appropriate mappers. These mappers determine
the field translation values. That is, the mapper interprets the original log data
and translates the chunk data into the GEM database model.
For more information on GSL/GML refer to the IBM Tivoli Compliance Insight
Manager User Reference Guide Version 8.0, SC23-6545.
Determine attributes
Security log data consists of records. Each record usually describes one event
that happened on the audited system. Central to GEM is the classification of
these events according to their W7 attributes. This is the process of normalizing
the data. W7 is an English-language format that describes: Who did What,
When, Where, From Where, Where To and on What. The use of W7-formatted
information enables security specialists and non-technical personnel including
auditors to interpret audit information without the need for detailed knowledge
of each source. Most operating systems, infrastructure applications, and almost
every security device produces log data that is not readily understandable,
therefore mapping to the W7 format translates data into powerful audit
information.
Loading
During the loading phase the server uploads the GEM records together with the
meta information into a relational GEM database. Usually, GEM databases are
periodically emptied and filled with recent data, often on a daily basis. This
means the data of the last day is present in the database in W7 format, ready for
analysis. If necessary, other data from the Depot can be mapped and loaded
through manual commands for analysis.
Note: Because mapping precedes and serves loading, the combination of the
two is also called load (in short form).
In the remainder of this section we describe the key concepts related to mapping
and loading in more detail.
The W7 model
A security log consists of event records. Each record usually describes a single
event that occurred on the audited system. Tivoli Compliance Insight Manager
normalizes the collected event data into an English-based language called W7
so that it can easily be interpreted. All Tivoli Compliance Insight Manager
security events have seven basic attributes:
Who
What
When
Where
OnWhat
WhereFrom
WhereTo
Benefit of using W7
The disparate platforms and systems generating the logs will often use different
terminology for the same action. For example, one operating system may use the
term logging on, while another operating system uses login. Similarly, one
system may request a userid while another system asks for a username.
Unless you are an expert in all of the different systems used by your
organization, it is very difficult to search through the logged data manually to find
all instances of a given action or user.
Mapping the raw event data into a standard set of seven distinctive attributes
enables a consistent method for monitoring, analyzing, and reporting irrespective
of the original format of the event. When translating log records into W7 format,
the seven W's of the event are determined from the structure and content of the
original log record. Log record formats are very different for every distinct event
source; therefore the normalization of data into W7 requires a specialized
knowledge of each event source to be mapped. The logic required to do this
mapping is built into the mapper code that resides on each audited machine or
device.
W7 is a grammar that enables you to check if a certain GEM event is in
compliance with the security policy. Through the use of this grammar, you can
differentiate between events that are compliant, considered exceptions and
require special attention.
Groups
In order to apply logic and draw conclusions from the normalized data, the
events have to be classified. Knowing that an event happened on Monday at
8.30 AM is one thing, but in order to draw conclusions, it is more interesting to
know whether it happened during or outside a specific time period for example
office hours. Similarly, a user-id has certain access rights, detailing what a user
is allowed to initiate. These user access rights are usually dependent on the
user's role, for example whether he/she is an administrator, regular user or
guest. Therefore all W7 attributes are classified into W7 groups. This results in
five types of groups:
1. Who groups for classification of users and processes
2. What groups for classification of event types
3. When groups for classification of time periods
4. Where groups for classification of machines and devices
5. onWhat groups for classification of objects
The Where, Where from and Where to attributes are all classified using the same
Where groups.
Figure 3-12 The relationship between GEM event and the W7 model
That is, the W7 model can be used to determine if some GEM database records
need special attention or whether the records comply with the set of policy rules.
The result of the grouping for a particular record can be viewed in the Event
detail report in iView, as shown in Figure 3-13.
The column called Field shows the GEM field values of a GEM event. The
column Group shows for each GEM field value which W7 groups are linked to the
value left of it. For example, the GEM field value
Administrator(MSTESTCE\ADMINISTRATOR) is linked to at least two W7
groups: Administrators and IT.
Policy management
Whether or not an event deserves special treatment is determined by comparing
the W7 groups it is classified into against a set of rules defined by the Tivoli
Compliance Insight Manager administrator. As previously mentioned, there are
two kinds of rules:
Policy rules
Attention rules
Policy rules are used to monitor the way that information and processes are
being used within an organization. That is, they specify which actions can be
performed by which people on which systems at what times. Actions that do not
match a policy rule generate policy exceptions. Policy rules have an associated
priority that can be set to enable differentiation so that policy violations and other
exceptions can be processed according to their severity or importance. This
allows security administrators and auditors to focus on addressing those events
that have the most significant impact on the business.
By refining policy rules, you can ensure that existing policies are effective and
can even establish new policies that reflect the actual behavior of users, as
opposed to theoretical activities contained in policy manuals and non-automated
tracking systems.
Automatically applying the policy rules makes it easy to quickly determine
whether or not each monitored action does or does not comply with policy.
Attention rules are used to highlight instances of events that are critical to the
organization. One typical application for these rules is to monitor change
management activities even if the events are allowed by your policy rules.
Actions that match an attention rule generate attentions. For example, by looking
for a specific instance of a data attribute in any of the W7 dimensions for certain
events, you can set an alert to notify someone of a change to a server's
configuration.
Figure 3-14 illustrates the process of comparing a logged event to the specified
policy and attention rules to determine whether actions and alerts are necessary.
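As an added example (not code from the Redbook or from the product), the following Python classifies one W7-normalized event into W7 groups and evaluates it against policy and attention rules in the way described above. All group tables, rule names and the office-hours definition are constructed assumptions.

```python
"""Added example, not code from the Redbook or the product: classify one
W7-normalized event into W7 groups and evaluate it against policy and
attention rules the way the text describes for GEM events. All group and
rule definitions below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class W7Event:
    """The seven W7 attributes. Where From and Where To are classified with
    the same Where groups as Where; when is an ISO 8601 timestamp string."""
    who: str
    what: str          # "verb/noun", e.g. "Logon/System"
    when: str
    where: str
    onwhat: str
    wherefrom: str = "-"
    whereto: str = "-"


# Constructed group tables, one per W7 dimension (group -> member values).
WHO_GROUPS = {"Administrators": {"MSTESTCE\\ADMINISTRATOR", "root"},
              "IT": {"MSTESTCE\\ADMINISTRATOR"},
              "Users": {"jsmith"}}
WHAT_GROUPS = {"Logon": {"Logon/System"},
               "AuditTamper": {"Clear/Auditlog"}}
WHERE_GROUPS = {"DomainControllers": {"PDC"}, "Workstations": {"WS01"}}
ONWHAT_GROUPS = {"SystemObjects": {"SYSTEM", "Auditlog"}}


def lookup(table, value):
    """Every group whose membership contains the value; an unknown value
    falls into a catch-all group so that rules can still refer to it."""
    return {g for g, members in table.items() if value in members} or {"Ungrouped"}


def when_groups(when_iso):
    """When groups: office hours are Mon-Fri 08:00-18:00 in the event's own
    local time in this example."""
    ts = datetime.fromisoformat(when_iso)
    in_hours = ts.weekday() < 5 and time(8, 0) <= ts.time() < time(18, 0)
    return {"OfficeHours"} if in_hours else {"OutsideOfficeHours"}


def classify(ev):
    """Group every W7 attribute (the relationship shown in Figure 3-12)."""
    return {"Who": lookup(WHO_GROUPS, ev.who),
            "What": lookup(WHAT_GROUPS, ev.what),
            "When": when_groups(ev.when),
            "Where": lookup(WHERE_GROUPS, ev.where),
            "OnWhat": lookup(ONWHAT_GROUPS, ev.onwhat),
            "WhereFrom": lookup(WHERE_GROUPS, ev.wherefrom),
            "WhereTo": lookup(WHERE_GROUPS, ev.whereto)}


@dataclass
class Rule:
    """A rule names, per W7 dimension, the groups it applies to; a dimension
    that is left out matches anything. Policy rules permit, attention rules flag."""
    name: str
    conditions: dict


def rule_matches(rule, groups):
    return all(groups[dim] & wanted for dim, wanted in rule.conditions.items())


POLICY_RULES = [
    Rule("admin-logon-dc-office-hours", {"Who": {"Administrators"},
                                         "What": {"Logon"},
                                         "Where": {"DomainControllers"},
                                         "When": {"OfficeHours"}}),
    Rule("user-logon-workstation", {"Who": {"Users"}, "What": {"Logon"},
                                    "Where": {"Workstations"}}),
]
ATTENTION_RULES = [
    # Flag audit-log clearing even if a policy rule were to permit it.
    Rule("audit-log-cleared", {"What": {"AuditTamper"}}),
]


def evaluate(ev, policy=POLICY_RULES, attention=ATTENTION_RULES):
    """An event matching no policy rule is a policy exception; an event
    matching an attention rule raises an attention regardless of policy."""
    groups = classify(ev)
    permitted_by = [r.name for r in policy if rule_matches(r, groups)]
    attentions = [r.name for r in attention if rule_matches(r, groups)]
    return {"groups": groups,
            "compliant": bool(permitted_by),
            "permitted_by": permitted_by,
            "attentions": attentions}
```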
attention events or events above a defined severity level, such as security policy
exceptions. These properties are evaluated in the policy evaluation step of the
Map/Load process. The Map/Load process (mapper) sends alerts, as mentioned
in the Group and apply rules on page 48.
Tivoli Compliance Insight Manager can send alerts through the following
protocols:
SMTP
SNMP
Custom alerts
For more information about alerts look up the section Managing Alerts in the
IBM Tivoli Compliance Insight Manager User Guide Version 8.0, SC23-6544.
[Figure: Flow for turning a corporate IT security policy rule into a TCIM security policy rule: classify it as either a policy rule or an attention rule; determine if the audit trail on the target can be configured to provide entities that match the Subject, Object or Verb; add an appropriate W7 policy rule to the TCIM security policy; commit the TCIM security policy.]
Report distribution
Tivoli Compliance Insight Manager Version 8.0 provides the functionality for the
automated distribution of reports in full or as excerpts to a predefined group of
Tivoli Compliance Insight Manager users. This report distribution functionality is
available through the Web interface of iView. More information about the report
distribution functionality can be found in Distributing Reports in the IBM Tivoli
Compliance Insight Manager User Guide Version 8.0, SC23-6544.
User roles
You can assign every Tivoli Compliance Insight Manager user specific access
and viewing rights from the Management Console. This level of granularity in
setting user access lets you customize views and management rights for specific
users, and limit access to administrative functionality. The ability to define the
mailing lists for alerts regarding high severity events also allows the Tivoli
Compliance Insight Manager administrator to control access to the security event
data. Any Tivoli Compliance Insight Manager user activity, from administrative
actions to report viewing, is automatically self-audited and included in the
organization wide security reporting.
A file with event data in one of the W7Log formats, which can be XML or CSV.
The file must be fully compliant with the format definitions described in this
chapter.
The file(s) must be placed in a directory that is specified as an event source
property through the Management Console.
Each file in the specified directory must be COMPLETE (that is, it must
contain only complete log records) when the W7Log Actuator reads it. A
suitable manner to ensure this is to construct the log file somewhere else and
then move it to the designated directory for collection.
The contents of different log files shall not overlap in generation time of the
log records.
The files must be processed in the correct time sequence; the recommended
way to ensure this is through the naming of the log files.
Note: The W7Log Actuator will read ALL the log files from the designated
directory on the Actuator system and combine them into a chunk file to be
stored in the Depot. It then REMOVES all the log files from the directory.
Fields:
when
Syntax:
when: 2005-11-27T10:33:45+05:00
Fields:
whorealname
whologonname
Syntax:
Example:
Fields:
whatverb
whatnoun
whatsuccess
Syntax:
Example:
whatverb: Create
whatnoun: File
whatsuccess: Success
whatverb: Remove
whatnoun: Group
whatsuccess: Failure
whatverb: Clear
whatnoun: Auditlog
whatsuccess: Success
Remarks:
Where
Defined as:
platform (type and name) where the event was registered (for
example SUN Solaris, GATEWAY, and so on)
Fields:
wheretype
wherename
Syntax:
Fields:
wherefromtype
wherefromname
Syntax:
Example:
wherefromtype: Internet
wherefromname: host.domain.com
Remarks:
Where To
Defined as:
Fields:
wheretotype
wheretoname
Syntax:
Example:
wheretotype: WebApp
wheretoname: webserver_01
Remarks:
Fields:
onwhattype
onwhatpath
onwhatname
Syntax:
Examples:
onwhattype: FILE
onwhatpath: C:\Documents and Settings
onwhatname: ntuser.ini
onwhattype: FILE
onwhatpath: -/etc
onwhatname: passwd
onwhattype: PRINTER
onwhatpath: printer01.domain.com
onwhatname: HP LaserJet First Floor
onwhattype: DATABASE
onwhatpath: ORADBINSTANCE
onwhatname: OracleSchema1
Remarks:
Fields:
info
Syntax:
Note:
1. Record fields can be empty or have only spaces; however, it is
recommended to use a single dash (-) for absent values.
2. The size of record fields is not checked by the Tivoli Compliance Insight
Manager mapper. It is the responsibility of the producer of the W7Log file
to ensure that fields do not exceed the maximum string length.
Quotes inside quoted strings are escaped with a double quote rather than a
backslash
W7LogSDK CSV format does not define any comment character.
The W7LogSDK CSV file contents is defined as follows:
1. Log records must be written in UTF-8 encoding.
2. Header lines must list field names, separated by commas in the fixed order,
exactly as follows:
when,whorealname,whologonname,whatverb,whatnoun,whatsuccess,wheretype,wherename,wherefromtype,wherefromname,wheretotype,wheretoname,onwhattype,onwhatpath,onwhatname,info
3. The remaining lines must list the field values for every log record, one record
per line. There must be exactly 16 values in each log record, describing one
event that happened on the audited system. Please refer to the event
attributes listed in 3.4.2, Event attributes on page 60.
Example 3-1 illustrates valid contents for a W7LogSDK CSV file. It specifies
some imaginary events.
Example 3-1 test.csv
when,whorealname,whologonname,whatverb,whatnoun,whatsuccess,wheretype,wherename,wherefromtype,wherefromname,wheretotype,wheretoname,onwhattype,onwhatpath,onwhatname,info
2003-07-18T14:22:00+00:00, John Smith, jsmith, Logon, System, Success, Microsoft Windows, PDC,-,WORKSTATION, Microsoft Windows,PDC,SYSTEM, -,PDC, successful logon
2003-07-18T14:22:01+00:00, -, explorer.exe, Create, File, Success, Microsoft Windows, PDC, -, -, -, -, FILE, C:\Documents and Settings\jsmith,ntuser.ini,
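As an added example (not the Redbook's or the W7LogSDK's own code), the following Python builds a W7LogSDK CSV file from constructed events modelled on Example 3-1, checks it against the rules given above for this format, and places it in the collection directory only after it is complete. The collection directory, the staging directory and the file name are assumptions.

```python
"""Added example, not code from the Redbook or from the W7LogSDK: write a
W7LogSDK-style CSV log and check it against the rules given in the text
(UTF-8, the fixed 16-field header, exactly 16 values per record, quotes
doubled rather than backslash-escaped, a single dash for absent values, and
completing the file elsewhere before moving it into the collection directory)."""
import csv
import io
import os
import tempfile
from datetime import datetime

W7LOG_HEADER = ["when", "whorealname", "whologonname", "whatverb", "whatnoun",
                "whatsuccess", "wheretype", "wherename", "wherefromtype",
                "wherefromname", "wheretotype", "wheretoname", "onwhattype",
                "onwhatpath", "onwhatname", "info"]

# Constructed events modelled on the imaginary records of Example 3-1; keys
# that are absent are written as "-".
SAMPLE_EVENTS = [
    {"when": "2003-07-18T14:22:00+00:00", "whorealname": "John Smith",
     "whologonname": "jsmith", "whatverb": "Logon", "whatnoun": "System",
     "whatsuccess": "Success", "wheretype": "Microsoft Windows",
     "wherename": "PDC", "wherefromname": "WORKSTATION",
     "wheretotype": "Microsoft Windows", "wheretoname": "PDC",
     "onwhattype": "SYSTEM", "onwhatname": "PDC", "info": "successful logon"},
    {"when": "2003-07-18T14:22:01+00:00", "whologonname": "explorer.exe",
     "whatverb": "Create", "whatnoun": "File", "whatsuccess": "Success",
     "wheretype": "Microsoft Windows", "wherename": "PDC",
     "onwhattype": "FILE", "onwhatpath": "C:\\Documents and Settings\\jsmith",
     "onwhatname": "ntuser.ini", "info": 'comment: "first logon"'},
]


def normalize(value):
    """Absent or blank values become the single dash the text recommends."""
    return "-" if value is None or str(value).strip() == "" else str(value)


def render_w7log_csv(events):
    """Serialize events (dicts keyed by header name) to W7LogSDK CSV text.
    csv.writer with doublequote=True escapes an embedded quote as "" and
    never with a backslash, which is what the format requires."""
    buf = io.StringIO()
    writer = csv.writer(buf, doublequote=True, lineterminator="\n")
    writer.writerow(W7LOG_HEADER)
    for ev in events:
        writer.writerow([normalize(ev.get(name)) for name in W7LOG_HEADER])
    return buf.getvalue()


def validate_w7log_csv(text):
    """Return a list of problems; an empty list means the file is acceptable.
    Field length limits are not known here and, like the product validators,
    are not checked."""
    problems = []
    if '\\"' in text:  # heuristic: backslash escaping is not CSV quoting
        problems.append("backslash-escaped quote found; quotes must be doubled")
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != W7LOG_HEADER:
        problems.append("header line does not list the 16 fields in fixed order")
        return problems
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:
            continue  # a blank line carries no record
        if len(row) != len(W7LOG_HEADER):
            problems.append(f"line {lineno}: {len(row)} values, expected 16")
            continue
        try:
            datetime.fromisoformat(row[0].strip())
        except ValueError:
            problems.append(f"line {lineno}: {row[0]!r} is not an ISO 8601 timestamp")
    return problems


def publish_w7log(text, collect_dir, filename):
    """Write the complete file into a staging directory on the same file
    system, then rename it into collect_dir, so the W7Log Actuator (which
    reads ALL files there and removes them) never sees a half-written file."""
    problems = validate_w7log_csv(text)
    if problems:
        raise ValueError("; ".join(problems))
    parent = os.path.dirname(os.path.abspath(collect_dir))
    staging = tempfile.mkdtemp(prefix=".w7log-staging-", dir=parent)
    tmp_path = os.path.join(staging, filename)
    with open(tmp_path, "w", encoding="utf-8", newline="") as fh:
        fh.write(text)
    final_path = os.path.join(collect_dir, filename)
    os.replace(tmp_path, final_path)  # atomic rename on the same file system
    os.rmdir(staging)
    return final_path


def demo_roundtrip():
    """Publish SAMPLE_EVENTS into a temporary collection directory and read
    the file back; returns (problems, content_matches)."""
    text = render_w7log_csv(SAMPLE_EVENTS)
    with tempfile.TemporaryDirectory() as root:
        collect_dir = os.path.join(root, "w7log_collect")
        os.mkdir(collect_dir)
        # Name files so that they sort in time order, as the text recommends.
        path = publish_w7log(text, collect_dir, "w7log-20030718T142200.csv")
        with open(path, encoding="utf-8", newline="") as fh:
            matches = fh.read() == text
    return validate_w7log_csv(text), matches
```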
<xs:element ref="when"/>
<xs:element ref="who"/>
<xs:element ref="where"/>
<xs:element ref="what"/>
<xs:element ref="onwhat"/>
<xs:element ref="wherefrom"/>
<xs:element ref="whereto"/>
<xs:element ref="info"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="sample">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element ref="event" />
<xs:element ref="sample" />
</xs:choice>
</xs:complexType>
</xs:element>
</xs:schema>
The XML log file must contain XML log records defined by the above schema,
each of which describes one event that happened on the audited system. Please
refer to the event attributes listed in 3.4.2, Event attributes on page 60.
The record fields cannot contain XML special characters, so the corresponding
XML entities must be used instead:
&lt; for the less than sign (<)
&gt; for the greater than sign (>)
&amp; for the ampersand (&)
&apos; for the single quote ( ' )
&quot; for the double quote ( " )
Example 3-2 shows a valid XML file that has been formatted using the
W7LogSDK XML schema:
Example 3-2 test.xml
<sample>
<event>
<when>2003-07-18T14:22:01-02:00</when>
<what verb="Logon" noun="System" success="Success"/>
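The two W7LogSDK formats above place the burden of correctness on the producer: the CSV header must match exactly, every record must carry 16 fields, quotes are doubled rather than backslash-escaped, the file must be UTF-8, the mapper never checks field sizes, and XML fields must use entities for the five special characters. The following is an added example, not code from the Redbook or from the W7LogSDK, showing a producer-side writer and a validator for the CSV format plus the escaping needed for the XML `<when>`, `<what>` and `<info>` elements. The maximum field length of 255, the treatment of `<info>` as plain text, and the sample records are assumptions made for this example.

```python
"""Added example (not the Redbook's or the W7LogSDK's own code): write and
validate W7LogSDK-style CSV records and escape fields for the XML format."""
import csv
import io
from xml.sax.saxutils import escape, quoteattr

# The 16 field names in the fixed order the header line must use (from the page).
W7_FIELDS = [
    "when", "whorealname", "whologonname", "whatverb", "whatnoun", "whatsuccess",
    "wheretype", "wherename", "wherefromtype", "wherefromname", "wheretotype",
    "wheretoname", "onwhattype", "onwhatpath", "onwhatname", "info",
]

# The mapper does not check field sizes, so the producer must enforce a limit.
# 255 is an assumed value for this example, not a limit documented on the page.
MAX_FIELD_LEN = 255

# The page lists five characters that must become entities in XML fields;
# escape() covers & < > by default, these two are added explicitly.
XML_QUOTE_ENTITIES = {'"': "&quot;", "'": "&apos;"}


def write_w7_csv(records):
    """Serialize 16-field records to W7LogSDK CSV and return UTF-8 bytes.

    csv.writer's defaults already match the format: comma separator and
    quotes inside quoted strings doubled ("") rather than backslash-escaped.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(W7_FIELDS)
    for rec in records:
        if len(rec) != len(W7_FIELDS):
            raise ValueError(f"record has {len(rec)} fields, expected {len(W7_FIELDS)}")
        writer.writerow(rec)
    return buf.getvalue().encode("utf-8")


def validate_w7_csv(data, max_len=MAX_FIELD_LEN):
    """Return a list of problems found in a W7LogSDK CSV file (empty means valid)."""
    problems = []
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [f"not valid UTF-8: {exc}"]
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != W7_FIELDS:
        problems.append("header line does not list the 16 field names in the fixed order")
        return problems
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(W7_FIELDS):
            problems.append(f"line {lineno}: {len(row)} fields, expected {len(W7_FIELDS)}")
            continue
        for name, value in zip(W7_FIELDS, row):
            if len(value) > max_len:
                problems.append(f"line {lineno}: field {name} exceeds {max_len} characters")
    return problems


def event_to_xml(when, verb, noun, success, info):
    """Build the <when>, <what> and <info> parts of a W7LogSDK XML <event>.

    quoteattr() wraps an attribute value in quotes and escapes the quote
    characters, so a value such as 'O"Brien <admin>' cannot break out of the
    element. The <info> element is assumed here to carry plain text.
    """
    return (
        "<event>"
        f"<when>{escape(when, XML_QUOTE_ENTITIES)}</when>"
        f"<what verb={quoteattr(verb)} noun={quoteattr(noun)} success={quoteattr(success)}/>"
        f"<info>{escape(info, XML_QUOTE_ENTITIES)}</info>"
        "</event>"
    )


# Constructed sample records (not from the page): a normal logon and a record
# whose info field contains a double quote and XML special characters.
SAMPLE_RECORDS = [
    ["2003-07-18T14:22:00+00:00", "John Smith", "jsmith", "Logon", "System", "Success",
     "Microsoft Windows", "PDC", "-", "WORKSTATION", "Microsoft Windows", "PDC",
     "SYSTEM", "-", "PDC", "successful logon"],
    ["2003-07-18T14:22:05+00:00", "John Smith", "jsmith", "Modify", "File", "Success",
     "Microsoft Windows", "PDC", "-", "-", "-", "-", "FILE", "C:\\Temp", "notes.txt",
     'comment "quoted" & <tagged>'],
]

if __name__ == "__main__":
    blob = write_w7_csv(SAMPLE_RECORDS)
    print(blob.decode("utf-8"))
    print("problems:", validate_w7_csv(blob))
    print(event_to_xml("2003-07-18T14:22:05+00:00", "Modify", "File", "Success", 'O"Brien <admin>'))
```

Running the validator on a file before handing it to the mapper catches the defects the page says the mapper will not catch for you (wrong header order, a short record, an oversized field, a non-UTF-8 byte sequence).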
3.4.5 Validators
W7LogSDK Format Verification tools are available that allow software
developers to test the validity of the generated logs.
Note: The validators do not check the size of each record field; the person
responsible for producing each log must ensure that the size requirements for
each field are satisfied.
These validators are available on the installation CDs. You can refer to the IBM
Tivoli Compliance Insight Manager Installation Guide Version 8.0, GI11-8176-00
for further details on installing and using these validators.
3.5 Conclusion
Tivoli Compliance Insight Manager gathers audit information from across the
organization and compares activity to the acceptable use policies defined by
both your organization and by your regulators. The core of Tivoli Compliance
Insight Manager is based on a secure, reliable, and robust log collection engine
that supports effective, complete log collection and fast, efficient query and
retrieval. By focusing on security from the inside, it uses the W7 methodology
(Who, did What, on What, When, Where, Where from and Where to) to
consolidate, normalize, analyze and report on vast amounts of user behavior and
system activity. As a result, organizations can quickly and easily reveal who
touched what within the organization (with alerts and proactive reports) and
compare that activity to an established internal policy or external regulations.
Numerous organizations rely on the policy-based approach of Tivoli Compliance
Insight Manager to simplify monitoring the activities of privileged users, such as
administrators and outsourcers, and to improve security auditing, compliance
monitoring and enforcement in heterogeneous environments, ranging from
super servers to the desktop.
Chapter 4. Compliance management solution design
In this chapter we discuss Tivoli Compliance Insight Manager solution design
from two aspects. In the context of the implementation process, we first discuss
the functional design and configuration, which is directly related to the
functional requirements. Next, in 4.2, Operational design and configuration on
page 87, we discuss the aspects of Tivoli Compliance Insight Manager solution
design that relate to the non-functional and operational side of implementing
and maintaining a Tivoli Compliance Insight Manager deployment, such as
monitoring and maintenance, archiving and information retention, performance
and scalability.
So, what does it take to implement Tivoli Compliance Insight Manager from start
to finish?
The process is fairly simple and consists of four key phases:
Discovery and analysis
Project definition and planning
Implementation
Product use
The most critical piece of information we need for any successful implementation
is the set of reporting requirements. They tell us what data we need to capture
and what we need to report on. That leads us to the overall amount of data we
collect on a daily basis, how much hardware we need, and so on. Based on this
information we can design and size our solution. We describe each phase in
more detail in the following sections.
Reporting requirements
We identify the reports we need based on specified objectives in terms of
regulatory compliance, internal security policies, operational efficiency, audit
concerns, and so on. Our design approach, based on risk assessment, is to
address privileged user monitoring and auditing (PUMA) first, then expand the
solution to address other objectives.
Note: A risk assessment takes into account the sensitivity and criticality of the
data and defines the assets that can be considered high risk and should
therefore be controlled. The controls put into place for these assets are
therefore most important and should be addressed first if possible by Tivoli
Compliance Insight Manager. The set of administrative or high privilege
accounts form an asset that has high priority.
To meet the reporting requirements we also need to:
identify collection types (near real time or batch)
decide on information grouping (by geographic location, platform, business
unit, and so on)
specify the time frame for data to be maintained in the Depot (for example
one, two, three months or years) and in the GEM databases (for example
from one to seven days)
determine the time frame (for example one, two, three months or years)
and location (for example SAN, DVDs) to archive the data.
Installation environment
The goal of this task is to assess and document the computing environment to
prepare for the Tivoli Compliance Insight Manager implementation. We identify
the existing audit settings (and whether they are tuned so as not to generate an
excessive amount of log data) and data capture, the network topology
(communication settings, firewalls, locations, and so on) to identify solution
constraints or limitations, the estimated log volume, data storage (type,
location), and so on.
Audit settings
The goal of this task is to specify the audit data we need to collect in order to
support the reporting requirements. The audit settings used are always a
trade-off between security and system performance and disk space used. In
most cases, auditing every single action is not an option, thus we analyze the
audit subsystem and determine, evaluate and document/provide audit settings
that support our reporting requirement for every event source on every supported
platform. For example, in the Windows audit subsystem all logons on the
platforms are captured by the audit categories account logon and logon. To
generate the same report on Solaris you would need to activate the audit class lo
in the system wide audit file.
A basic example of the Windows audit settings required for PUMA reporting on
actions performed by IT administrators is shown in Figure 4-1 on page 76 and
Figure 4-2 on page 77.
We show more details about various audit settings in our scenario in the second
part of the book starting in Chapter 8, Basic auditing on page 157.
versions, audit settings, ports and protocols needed to install Tivoli Compliance
Insight Manager, and so on).
The Tivoli Compliance Insight Manager implementation design architecture is the
result of the information gathered in the previous phases, the product capabilities,
and planning. Because it is so important for a successful implementation, we
discuss it in more detail in the following sections. The general logical
(conceptual) and physical (system) architecture is already explained in the Tivoli
Compliance Insight Manager product documentation and in Chapter 3, IBM Tivoli
Compliance Insight Manager component structure on page 27, thus we will
focus on the different design layouts and the reasons behind them. We start with
functional design and configuration.
Figure 4-3 (diagram not reproduced): network zones Internet, DMZ, Production Zone, Intranet and Restricted Management Zone, classified as Uncontrolled, Controlled, Secured and Controlled.
Note: The breaks between each network zone indicate the use of a firewall
that clearly delineates each perimeter from the next.
Using the concept of security domains you can translate Figure 4-3 on page 79
into something more targeted, as shown in Figure 4-8 on page 82.
Tivoli Compliance Insight Manager supports up to eight audit configurations as
shown from Figure 4-4 on page 80, to Figure 4-7 on page 81, where dashed
lines represent the system boundary. The layout of Tivoli Compliance Insight
Manager components, data flow from audited system to server and the control of
data flow from audited to target system define the actual audit configuration.
Note: The number of audit configurations supported on a specific platform
varies from one event source to another.
This is sufficient for auditing multiple event sources on systems running different
operating systems. For more information on deploying Tivoli Compliance Insight
Manager event sources, see the IBM Tivoli Compliance Insight Manager
Installation Guide Version 8.0, GI11-8176-00.
Figure 4-4 (diagram not reproduced): Audited system, Target system, PoP and TCIM server, each on its own system.
Figure 4-4 shows the audit configuration with all components separated.
Figure 4-5 (diagram not reproduced): Audited system, Target system, PoP and TCIM server, with neighbouring pairs sharing a system.
Figure 4-5 shows audit configurations where either left, middle, right or left and
right pair of components share the same system.
Note: The Tivoli Compliance Insight Manager Enterprise Server can act as a
Point of Presence in some configurations. If this is the case, no Actuator
needs to be installed because it is already included in the server installation.
Otherwise, an Actuator corresponding to the operating system running on the
Point of Presence needs to be installed.
Note: The audited system can act as the target system for some event
sources.
Figure 4-6 (diagram not reproduced): Audited system, Target system, PoP and TCIM server, with only the audited system or the server on its own system.
Figure 4-6 shows audit configurations where only the audited system or the
server is on its own system.
Figure 4-7 (diagram not reproduced): Audited system, Target system, PoP and TCIM server all on one system.
Figure 4-7 shows the simplest audit configuration, with all components on the
same system.
To exchange information among its components, Tivoli Compliance Insight
Manager uses a network of agents that maintain encrypted communication
channels. This network runs on the TCP/IP layers of the existing organizational
network.
The actual collection process can involve different mechanisms in a variety of
configurations. A system audited through remote collect does not need to run the
Tivoli Compliance Insight Manager software. Instead, event data is forwarded to
the server by a Point of Presence system with direct access to the audited
system. To audit several systems in a Windows domain, only one must be
configured as a Point of Presence and have an Actuator installed. For more
information on Tivoli Compliance Insight Manager concepts and different typical
configurations, see the IBM Tivoli Compliance Insight Manager User Guide
Version 8.0, SC23-6544-00.
We place different components of Tivoli Compliance Insight Manager into
different network zones as shown in Figure 4-8 on page 82, to show many, but
not all, possible audit configurations and collect mechanisms.
Figure 4-8 (diagram not reproduced): numbered audit configurations placed across the Internet, DMZ, Production Zone, Intranet and Restricted zones (Uncontrolled, Controlled, Secured, Controlled), showing audited systems, target systems, Points of Presence, a Syslog NG receiver, an FTP server, an External API, TCIM servers and TCIM clusters, a TSOM system and the Console.
3. Example 3 shows a configuration similar to the previous one, but this time the
user arranges to transfer data from an audited system to a Point of Presence
(not equal to server), where the data is collected.
4. Example 4 shows the remote collection for Windows configuration, where the
audited instance of the event source is hosted by a system other than the
Point of Presence system, and the server system acts as a Point of Presence
for this event source. In other words, Tivoli Compliance Insight Manager
collects data directly from a remote system. The remote collect does not
require a running Agent on the audited system. Remote collect involves a
remote data retrieval mechanism from an independent vendor. The most
common configuration is used for event sources based on the Windows log
mechanism using the Windows event management API.
5. Example 5 shows SSH collect, similar to the previous example, but this time
the user arranges to transfer data from the audited system to a remote target
system (not equal to server), from where the server collects the data. SSH
collect is another variation of remote collect. It can be used with event
sources that are based on UNIX and Linux. The configuration is similar to
Windows remote collect; however, the data retrieval mechanism utilizes an
SSH connection from the Point of Presence to the audited system.
6. Example 6 shows Syslog and SNMP collection - the Tivoli Compliance Insight
Manager capability to process and analyze security events that are collected
through the Syslog and SNMP network logging mechanisms. To collect
network events, a component listens on the network and receives all
incoming events. The Tivoli Compliance Insight Manager Actuator has a built
in listening component that can be activated on any Windows Point of
Presence and can receive both SNMP and Syslog messages. The Actuator,
server, and the audited instance of the event source are all hosted by
different systems. In other words, Tivoli Compliance Insight Manager collects
data directly from a remote audited system through a Point of Presence (not
equal to server). When the target system component is also present, a user
arranges the data transfer to a remote system (not equal to the Point of
Presence), from where a Point of Presence (not equal to server) collects the
data.
7. Example 7 is similar to the previous one, but for high volume Syslog
processing, a Microsoft Windows based receiver might not deliver the
necessary performance. In these situations, you might want to use a Linux
based Syslog receiver that provides better performance, such as Syslog NG,
an open source Syslog implementation.
8. Example 8 shows a custom collection mechanism, FTP collect. If no other
suitable collect mechanism is available, a script is scheduled on the platform
of the event source. The log data is put in a folder where it can be picked up
by the Actuator.
Figure 4-9 (diagram not reproduced): a small deployment across the DMZ, Production Zone, Intranet and Restricted zones (Uncontrolled, Controlled, Secured, Controlled), with audited systems, target systems, Points of Presence, one TCIM server and the Console.
but have to implement some Points of Presence with Actuators. Figure 4-10 on
page 85 depicts how a medium Tivoli Compliance Insight Manager deployment
can look.
Figure 4-10 (diagram not reproduced): a medium deployment across the Internet, DMZ, Production Zone, Intranet and Restricted zones (Uncontrolled, Controlled, Secured, Controlled), with audited systems, target systems, Points of Presence, a TCIM server, a TCIM cluster and the Console.
Figure 4-11 (diagram not reproduced): a large deployment across the Internet, DMZ, Production Zone, Intranet and Restricted zones (Uncontrolled, Controlled, Secured, Controlled), with audited systems, target systems, Points of Presence, a Syslog NG receiver in the DMZ, a TCIM server and several TCIM clusters attached to a SAN, and the Console.
For high scalability and performance there are multiple clusters deployed with
multiple Points of Presence serving different clusters. As shown with the line
coming from the Internet zone, there is consolidation among different
locations/regions in place. For high Syslog performance, the Syslog receiver is
implemented in the DMZ zone. For high availability all Tivoli Compliance Insight
Manager servers are connected to a Storage Area Network (SAN).
We will cover the design approach for our specific scenario in more detail in the
second part of the book in 7.3, Design approach on page 145.
4.1.3 Implementation
Before we start with the implementation, we verify that the recommended audit
settings are in place and that all systems are configured as suggested in the
prerequisites (we verify Tivoli Compliance Insight Manager servers hardware,
software/platform versions, audit settings, TCP/IP connectivity, and so on).
Here is a simple outline of the implementation steps:
1. Install server(s)
2. Install necessary POPs per platform type
3. Activate the event sources
4. Activate auditing for all event sources
5. Collect and load the data
6. Build the W7 model, policy, and attention rules
Daily checks
On a daily basis all logons to the system and the status of the collected data
should be verified.
Logons
Based on the Tivoli Compliance Insight Manager user role, the granted access
rights should be verified for the following:
Management Console
After a successful logon, the Management Console displays the previously
opened view. Management Console logon failures are logged in the bbbin.log
file, which you find in the IBM\TCIM\server\log directory. The system
prompts you with a Login has failed error message under the following
circumstances:
Password is incorrect
User ID is not authorized to use Management Console
User ID is unknown
Tivoli Compliance Insight Manager server service is down
Oracle service is down
If you are prompted with a connection error, verify the service status.
Web Portal
In order to access iView, Log Manager, Policy Generator and Scoping
applications you need to connect through the Tivoli Compliance Insight
Manager Portal as shown in Figure 4-12:
If you receive a Page cannot be displayed error message, verify that the
following services are running. The service status can be verified using the
Windows Services application.
Tivoli Compliance Insight Manager
IIS service
Tomcat service
The system prompts you with an error message if the user name or
password is incorrect.
A user must have the Log on to Portal role to access iView. If you have not
been assigned this role, you receive the error Permission denied: insufficient
role privileges.
Data collection
To verify the data collection check the timestamp in the Last Collect column. In
our screenshot in Figure 4-13, we just set a new schedule for the z/OS event
source, so the data collection has not started yet, thus the Last Collect column is
empty. On the other hand, the data collection from the Oracle event source
worked as expected.
The column shows the time of the oldest log record available in the last collected
chunk. In normal conditions, the last collect time should be a multiple of the
collect schedule. Verify this information for each event source that has a collect
schedule defined.
Database check
The database can be in one of the following four states, which can be checked in
the Management Console:
Error
Loaded
Loading
Cleared
The failure message and database contents can be seen in iView as shown in
Figure 4-14 below.
The End time stamps for each platform shown in iView should be close to the
latest scheduled collect relative to the Last Load timestamp shown in the
Database View in the Management Console as shown in Figure 4-15. If this is
not the case, either the event source failed to collect the latest log records, or no
log records were produced between the end time and the collection time for that
platform.
Compare the time in the Last Load column with the Load Schedule frequency.
The last load time stamp should be a multiple of the load frequency defined in the
load schedule and as close as possible to the current time.
Database load problems can occur during the three phases of preparing the
reports in the GEM database:
Mapping
Loading
Post-processing
Every load process of a GEM database is recorded in the
mainmapper-<GEM_DB_Name>.log[#] files in the IBM\TCIM\server\log
directory.
Weekly checks
On a weekly basis disk space, Depot and Tivoli Compliance Insight Manager
services should be checked.
Disk space
The device where the Tivoli Compliance Insight Manager server is installed
should have at least 20GB of free space.
The size of the temporary database file of the database engine, located in the
IBM\TCIM\Engine10g\oradata\EPRORADB directory, should be between 512MB
and 2GB.
Services
All Tivoli Compliance Insight Manager services of startup type Automatic should
be running. The Tivoli Compliance Insight Manager server service spawns
additional tasks that can be seen in the task manager. These tasks are
agent.exe, auditctl.exe, and bbbin.exe.
In order to stop all services related to Tivoli Compliance Insight Manager, you
can use a batch file like the one shown in Example 4-1:
Note: Both Example 4-1 and Example 4-2 are taken from our ITSO scenario.
For your specific configuration, you should replace the lines
net stop "IBM Tivoli Compliance Insight Manager Event Mapper DBname"
or
net start "IBM Tivoli Compliance Insight Manager Event Mapper DBname"
with the lines reflecting your GEM databases (DBname being Local, Manual
and SelfAudit in our example).
Example 4-1 Batch script to STOP Tivoli Compliance Insight Manager
@echo off
echo.
echo This script will STOP all TCIM services.
echo.
echo To abort this script close this window or use CTRL-C, otherwise press a key to proceed.
pause
echo.
echo Stopping IBM Tivoli Compliance Insight Manager Event Mapper Local service...
echo.
net stop "IBM Tivoli Compliance Insight Manager Event Mapper Local"
echo.
echo Stopping IBM Tivoli Compliance Insight Manager Event Mapper Manual service...
echo.
net stop "IBM Tivoli Compliance Insight Manager Event Mapper Manual"
echo.
echo Stopping IBM Tivoli Compliance Insight Manager Event Mapper SelfAudit service...
echo.
net stop "IBM Tivoli Compliance Insight Manager Event Mapper SelfAudit"
echo.
echo Stopping IBM Tivoli Compliance Insight Manager Tomcat service...
echo.
net stop "IBM Tivoli Compliance Insight Manager Tomcat"
echo.
echo Stopping IBM Tivoli Compliance Insight Manager Server 8.0 service...
echo.
net stop "IBM Tivoli Compliance Insight Manager Server 8.0"
echo.
echo Stopping OracleCeAEngine10gTNSListener service...
echo.
net stop OracleCeAEngine10gTNSListener
echo.
echo Stopping OracleServiceEPRORADB service...
echo.
net stop OracleServiceEPRORADB
echo.
echo All services stopped. Press a key to proceed.
echo.
pause
In order to start all services related to Tivoli Compliance Insight Manager, you
can use a batch file like the one shown in Example 4-2:
Example 4-2 Batch script to START Tivoli Compliance Insight Manager
@echo off
echo.
echo This script will START all TCIM services.
echo.
echo To abort this script close this window or use CTRL-C, otherwise press a key to proceed.
pause
echo.
echo Starting OracleServiceEPRORADB service...
echo.
net start OracleServiceEPRORADB
echo.
echo Starting OracleCeAEngine10gTNSListener service...
echo.
Tasks
There are several schedules to be considered in a Tivoli Compliance Insight
Manager environment as shown in Figure 4-16.
The collect schedule depends on the amount of log data that the event source
produces. Collection on a daily basis, after regular office hours is suggested.
The user information source collection schedule should be prior to any last
collection of the day, before the load schedule runs. For example, if the last
collection of the day is at 10:00 p.m., the user information source collect
schedule should be a few minutes before 10:00 p.m.
As with the collect schedule, the load schedule should be sequential. That is, the
next load schedule should begin after the last load has completed. Analyze the
mainmapper log files related to the GEM database to determine how long it takes
to load the GEM database.
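The paragraph above asks the operator to read the mainmapper log of each GEM database to learn how long a load takes, so that the next load in the schedule starts only after the previous one has finished. The block below is an added example, not IBM's code, that computes the duration of the three load phases (mapping, loading, post-processing) from log lines and checks whether a given load interval leaves enough room. The real mainmapper-<GEM_DB_Name>.log format is not shown on the page, so the "timestamp phase started/finished" layout of the sample lines, and the 30-minute headroom, are assumptions made for this example.

```python
"""Added example (not IBM's code): derive GEM database load durations from
constructed mainmapper-style log lines and check the load schedule spacing."""
import re
from datetime import datetime, timedelta

# Constructed log lines (not from the page). The real mainmapper log format is
# not shown; "timestamp phase started|finished" is an assumed layout.
SAMPLE_LOG = """\
2008-03-10 01:00:02 mapping started
2008-03-10 01:21:40 mapping finished
2008-03-10 01:21:41 loading started
2008-03-10 01:21:41 rows bulk loaded so far: 0
2008-03-10 02:05:13 loading finished
2008-03-10 02:05:14 post-processing started
2008-03-10 02:31:50 post-processing finished
"""

# One line per phase transition; anything else (counters, errors) is skipped.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (mapping|loading|post-processing) (started|finished)$"
)


def phase_durations(log_text):
    """Return {phase: timedelta} for every phase that has a start and a finish line."""
    starts, durations = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        phase, state = m.group(2), m.group(3)
        if state == "started":
            starts[phase] = ts
        elif phase in starts:
            durations[phase] = ts - starts.pop(phase)
    return durations


def total_load_time(log_text):
    """Wall-clock time the whole load took, summed over the three phases."""
    return sum(phase_durations(log_text).values(), timedelta(0))


def load_schedule_is_sequential(log_text, load_interval, headroom=timedelta(minutes=30)):
    """True when the observed load plus an assumed safety margin fits inside the
    interval between two scheduled loads, so loads never overlap."""
    return total_load_time(log_text) + headroom <= load_interval


if __name__ == "__main__":
    for phase, took in phase_durations(SAMPLE_LOG).items():
        print(f"{phase:16s} {took}")
    print("total:", total_load_time(SAMPLE_LOG))
    print("daily load fits:", load_schedule_is_sequential(SAMPLE_LOG, timedelta(hours=24)))
```

Feeding several days of log into phase_durations and keeping the maximum, rather than a single run, gives the figure to size the load schedule against, since load time grows with the amount of collected data.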
The restart task performs the following actions:
Report distribution should be scheduled after the load schedule has completed.
There are several job schedules that should be considered in the Enterprise
Server: consolidation, indexer, log continuity report generator and centralized
log management. The jobs that can be scheduled are consolidation and log
continuity report generator, since all others are scheduled automatically.
For reference, the centralized log management runs every minute and the
indexer is scheduled to re-index every Sunday at 10:00 p.m.
The consolidation job is represented by the beat.bat file on the Enterprise
Server. This job reads the aggregation databases from the Standard Servers and
copies the tables to the consolidation database (also referred to as the Beat
database) on the Enterprise Server. The aggregation databases are updated
during the post-processing job on a scheduled GEM database load. Therefore,
you should schedule the consolidation job after all GEM databases are loaded on
the Standard Servers.
The log continuity report generator job regenerates the continuity report in the
log manager. From the users' point of view, it is helpful if this task is scheduled
to run at the beginning of each working day. The time it takes to generate the
report depends on the size of the Depot on the Standard Servers. The task can
be scheduled to begin around 6:00 a.m. so the report is generated before the
working day begins.
The chunk continuity report generator (CCRG) job is implemented as a
scheduled task that can also be run on demand. When it runs, it searches the
Depot for chunks and determines if the chunks are complete and continuous. In
order to get this information, it looks at the chunk header files of each chunk and
fills the chunk continuity tables appropriately.
In a Tivoli Compliance Insight Manager environment, all log collection
information is consolidated on the Enterprise Server.
Logs
For auditing, troubleshooting or any forensic activity related to the Tivoli
Compliance Insight Manager itself, it is important to identify and discuss the
purpose, location and content of various Tivoli Compliance Insight Manager log
files.
Server logs
All log files for the server can be found in the \server\log directory. The key files
are:
auditctl.log
BBBin.log
install.log
mainmapper-<GEM_DB_Name>.log: contains information about the load process for
the GEM database. Not only will you find errors, but also an indication of the
mapper/bulk loading and post-processing times.
plugger.log
restart.log
Consolidation logs
Key consolidation logs can be found in consolidation\log. The most important
logs are:
install.log
consolidation.log
Portal logs
Key Web Portal logs can be found in \iview\tomcat\logs. The most important logs
are:
InsightPortal_AuditTrail.log
LogManager_AuditTrail.log
iView logs
Key iView logs can be found in \iview\log or iview\server. The most important
logs are
iview\log\Install.log
iview\server\Iview_excerpt.log
The idea behind this backup is that it moves the archived security data (chunks)
from the Depot to the backup media. This means that the moved chunks are no
longer available for selection when creating reports. To do this the chunks must
be imported again.
When you export data from the Depot it is flagged in the Log Manager as data
exported. So if you want to retrieve the original log data, then you can easily see
that the data is not in the Depot and needs to be imported.
The export schedule is defined using Management Console and the backup is
performed by the Tivoli Compliance Insight Manager server. Transferring
security data helps to maintain enough disk space on the Tivoli Compliance
Insight Manager server and because all chunks are registered within Tivoli
Compliance Insight Manager the tables in the database are also cleaned up.
After the security data has been backed up using the export facility in the
Management Console, it is not available for reporting until it has been imported
again using the Management Console.
For better system performance and report distribution results, database load and
report distribution task schedules should be matched. For more information on
Tivoli Compliance Insight Manager reporting, see the IBM Tivoli Compliance
Insight Manager User Guide Version 8.0, SC23-6544-00.
4.2.4 Support
There are numerous options to find support for Tivoli Compliance Insight
Manager. If you encounter a problem, you want it resolved quickly; you can
search the available knowledge bases to determine whether your problem was
already encountered and its resolution is already documented.
IBM provides extensive documentation in an information center that can be
installed on your local computer or on an Intranet server. You can use the search
function of this information center to query conceptual information, instructions
for completing tasks, reference information, and support documents.
If you cannot find an answer to your question in the information center, search
the Internet for the latest, most complete information that might help you resolve
your problem. You can search a variety of resources, which includes: IBM
Technotes, IBM downloads, IBM Redbooks, IBM developerWorks, Forums and
news groups, Google, and so on.
A product fix might be available to resolve your problem. To determine what fixes
are available for your IBM software product, check the product support on the
IBM Software support site:
http://www.ibm.com/software/support
For more information on Tivoli Compliance Insight Manager support, see the
IBM Tivoli Compliance Insight Manager Installation Guide Version 8.0,
GI11-8176-00.
Whether you are building a skills plan, or simply looking for educational
resources, we can help you define a software skills program that is right for you.
Select from a wide variety of training options in a comprehensive training
portfolio, take advantage of an extensive list of skills resources and communities,
and verify your skill level through role-based certification. For more information
visit the Training and Certification Web site:
http://www.ibm.com/software/sw-training
That concludes the support section.
4.3 Conclusion
You have to consider how compliance design objectives can be realized using
Tivoli Compliance Insight Manager. The goal is to produce a plan containing a
phased set of implementation steps where the end result satisfies the functional
requirements and therefore also satisfies the original business requirements.
While business and functional requirements are the main parts of the security
design objectives, we also have to consider other non-functional requirements
and constraints. These may include objectives that are necessary to meet
general business requirements, or practical constraints on designing the
compliance solution.
Prioritizing the monitoring and reporting requirements of the target systems and
applications is important because the priorities are one of the primary factors
used to decide which implementation tasks will be done in which phase of the
project. It is rare that a compliance management solution can be created as a
single deliverable satisfying every requirement on all targets. It is far more likely
that it will be delivered in phases and the highest priority requirements should be
included in the earliest phases.
After mapping the requirements to Tivoli Compliance Insight Manager features
and creating a list of implementation tasks, the priority of each target and the
implementation effort for each target can be used to decide how to break up the
project into phases. The goal of breaking the project into phases is to quickly
deliver solutions to some high-priority requirements. This allows the company to
begin seeing a return on its investment while lower priority and more difficult
tasks are still being executed.
That concludes the solution design. We continue with Chapter 5, IBM Security
Information and Event Management on page 103.
Chapter 5.
To achieve each of the goals of SIM and SEM you also need a strong supporting
security log management capability.
For our purposes and in alignment with how some market analysts are
describing Security Information and Event Management (see the Market
Definition introduced in Chapter 2, Architecting a compliance management
solution on page 13) we will refer to the combination of these capabilities (SIM,
SEM and log management) as a Security Information and Event Management
solution (or SIEM solution).
Including security operations center console functions for large and complex
environments.
The Tivoli Security Operations Manager component provides complete
security operations functions, including dashboard views suitable for an
operations center, security incident management and service level reporting
capabilities, and integration with leading ticketing systems. In addition, it
helps security operators become far more effective by capturing their
knowledge and incorporating it into threat and risk management practices,
as well as allowing automation and remediation.
Integration with network analysis.
IBM's SIEM solution currently provides network statistical analysis functions,
which means that an organization can start to identify threats soon after the
solution is deployed without having to resort to writing specific threat
identification rules. The statistical analysis component compares background
noise against current threat levels before providing a threat/risk assessment
for each of the network nodes in an organization.
Have comprehensive user- and access-oriented analysis.
IBM's SIEM solution, primarily through its Tivoli Compliance Insight Manager
component, provides extremely detailed and comprehensive capabilities in
this area and is recognized as a leading and innovative solution primarily on
the strength of these capabilities. These capabilities are discussed in great
depth throughout this book, including practical examples in Part 2, Customer
environment on page 127.
Be integrated with a vendor's vulnerability management and systems
management products.
IBM's SIEM solution includes integration with key enterprise systems
management products such as IBM Tivoli Enterprise Console, IBM Tivoli
Netcool/Omnibus and other non-IBM system management products. This
integration means that the IBM SIEM solution can become a part of a larger IT
Service Management solution and can leverage the capabilities of IBM's IT
Service Management strategy, including IBM's process managers based on
industry best practice. More information about IBM Service Management is
available at the following URL:
http://www.ibm.com/software/tivoli/solutions/it-service-management/.
This integration also allows IBM to satisfy what for many organizations is the
vision of Network and Security Operations Center convergence (a recognized
best practice by many analysts).
The Tivoli Compliance Insight Manager component of the solution focuses on
tracking the interaction of users versus data and reporting this in terms of
compliance against a configurable audit policy. Tivoli Security Operations
Manager on the other hand focuses on real time identification of security related
Figure 5-2 The IBM SIEM log collection and record retention
The IBM SIEM architecture allows you to scale the solution to the size necessary
to meet the growing audit logging and monitoring requirements. The IBM SIEM
solution has a layered architecture. The data will be compressed and available
when required. For the analysis and reporting phase the data stored in the log
depot takes up only a fraction of the size of the original data. Only critical
information required for analysis, status reporting, audit reporting, and alerting is
extracted from the raw event logs and then normalized into an easy to read
format. It is common practice to define both a raw event log data retention policy
and a reporting / analysis database retention policy.
The IBM Security Information and Event Management architecture provides you
with a solid log collection and storage foundation to build your solution.
the weighting assigned to a particular asset. These values are derived from your
security policies and standards.
The IBM SIEM architecture uses two distinct techniques to perform
computational correlation on events gathered by the system. Impact correlation
relates to the calculations performed on individual events. Statistical correlation
determines the trends created by groups of events. Together, these two methods
of calculating threats provide a highly accurate and surprisingly easy to
administer method of prioritizing incidents of your network infrastructure without
the need to configure rules.
The IBM SIEM architecture makes it possible to consolidate information from the
network or insider attack that compromised the portal with the out of policy
database changes. Analysts using the IBM SIEM solution are able to see the
effects of an attack on applications and data as well as details of when it
occurred, what user identities were used, and how it was accomplished. Using
the comprehensive graphical interface, a non-technical user can focus on a
specific event that occurred on the database. They can extend their analysis to
view all activity by a particular user around the time of that event, including
activity on other systems. They can drill down into the details about a specific
event or database operation, and look at all events on the database or events for
a user on other systems around the time of a specific policy violation or alert.
They can pull up out of the box reports such as one on the actions of system
administrators to find out how a user was granted privileges and who granted
them. These capabilities allow auditors and administrators to determine not only
which user performed an action on a database, device, mail server or other
infrastructure component but the actions that were performed by privileged users
to grant that user the privileges they needed to perform actions that violated
policy.
Traditionally, to get the full breadth of capability that is required by many
organizations, both a security event management product and security
information management product would need to be purchased. These products
have traditionally been offered by different organizations and often did not work
well together. IBM is offering an industry leading security event management
solution, Tivoli Security Operations Manager, and an industry leading security
information management solution, Tivoli Compliance Insight Manager. By
combining these products IBM's SIEM solution can provide the most in-depth
security event analysis capability in the industry. While these products can be
used independently of each other, the combined capabilities enable you to
identify real time correlated events that occur in the network and tie these events
to user activity that has occurred related to these events. Associating real time
events with in-depth user information allows your organization to more quickly
understand the root cause of events and reduce the time required to respond to
an event, reduce the number of events that result in false positive alerts, and
improve the ability to provide data to support regulatory requirements for both
compliance and audit.
Figure 5-4 The Tivoli Security Information and Event Management solution
Another key capability of the IBM SIEM solution is the support for remote store
logging and monitoring.
Where to. Correlation of data is done automatically in existing reports. Within the
product, correlation across and within one or more of the seven W's is possible.
Once the mapping is complete the IBM SIEM compares the events to a policy
that provides alerting and reporting of abnormal and special attention events as
defined by the custom policy.
The IBM SIEM solution does not rely only on events logged as Syslog or SNMP
data, which are typically generated by network and security devices; it can also
collect and analyze the native audit logs of operating systems, databases, and
applications. These systems should also be audited according to the Common
Criteria and security best practice, which is part of the standard installation
process.
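As an added example (not code from the Redbook or from the product), the normalization and policy comparison described above in Python: a constructed audit record is mapped onto the seven W's (Who, What, When, On what, Where, Where from, Where to) and compared with a constructed policy written in terms of groups. The record format, the group names and the rules are assumptions made for this illustration.

```python
"""Added example, not from the Redbook or from the product: normalize a raw
audit record into the seven W's (Who, What, When, On what, Where, Where from,
Where to) and compare it with a small, constructed audit policy."""
import re
from dataclasses import dataclass

# Constructed sample records in a simplified syslog-like shape. Real operating
# system and database audit formats differ per platform; this is only a stand-in.
SAMPLE_LINES = [
    "2008-03-04T09:15:02 LU-DB sshd: user=oradba action=LOGON obj=oracle from=10.1.4.22",
    "2008-03-04T09:16:40 LU-DB oracle: user=oradba action=READ obj=CUSTOMER_ACCOUNTS from=10.1.4.22",
    "2008-03-04T02:03:11 LU-DB oracle: user=jsmith action=READ obj=CUSTOMER_ACCOUNTS from=192.0.2.77",
    "2008-03-04T02:04:50 LU-DB sudo: user=jsmith action=GRANT_PRIV obj=oradba from=192.0.2.77",
]

RECORD_RE = re.compile(
    r"(?P<when>\S+) (?P<where>\S+) (?P<source>\w+): user=(?P<who>\S+) "
    r"action=(?P<what>\S+) obj=(?P<on_what>\S+) from=(?P<where_from>\S+)$"
)


@dataclass(frozen=True)
class W7Event:
    who: str         # the user behind the action
    what: str        # the action taken
    when: str        # timestamp of the record
    on_what: str     # the object the action touched
    where: str       # the system the record was produced on
    where_from: str  # origin of the session or request
    where_to: str    # destination system of the action


def normalize(line):
    """Map one raw record onto the seven W's; reject lines the mapper does not know."""
    m = RECORD_RE.match(line)
    if m is None:
        raise ValueError("unrecognised record: " + line)
    # For a locally produced audit record the destination is the host itself.
    return W7Event(m["who"], m["what"], m["when"], m["on_what"],
                   m["where"], m["where_from"], m["where"])


# Constructed grouping: a policy is written in terms of groups, not raw values.
WHO_GROUPS = {"DBAs": {"oradba"}, "Clerks": {"jsmith"}}
WHAT_GROUPS = {
    "Logon": {"LOGON"},
    "DataAccess": {"READ", "WRITE"},
    "PrivilegeChange": {"GRANT_PRIV", "REVOKE_PRIV"},
}
ON_WHAT_GROUPS = {
    "DBServer": {"oracle"},
    "CustomerData": {"CUSTOMER_ACCOUNTS"},
    "Accounts": {"oradba", "jsmith"},
}

# Constructed policy: (who group, what group, on-what group) triples that are allowed.
ALLOWED = {
    ("DBAs", "Logon", "DBServer"),
    ("DBAs", "DataAccess", "CustomerData"),
}
# Constructed special-attention rule: privilege changes are reported even when allowed.
SPECIAL_ATTENTION = {"PrivilegeChange"}


def group_of(groups, value):
    for name, members in groups.items():
        if value in members:
            return name
    return "Unclassified"


def classify(event):
    """'in policy', 'policy exception' or 'special attention' for one W7 event."""
    key = (group_of(WHO_GROUPS, event.who),
           group_of(WHAT_GROUPS, event.what),
           group_of(ON_WHAT_GROUPS, event.on_what))
    if key[1] in SPECIAL_ATTENTION:
        return "special attention"
    return "in policy" if key in ALLOWED else "policy exception"


def report(lines):
    """Normalize every record and return (who, what, on_what, verdict) tuples."""
    rows = []
    for line in lines:
        ev = normalize(line)
        rows.append((ev.who, ev.what, ev.on_what, classify(ev)))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LINES):
        print(*row)
```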
The problem is that each of these activities involves security data that is
distributed throughout the organization. Organizations and service providers
need to be able to access and analyze this disparate data quickly and
efficiently.
In today's complex, multivendor environments that means leveraging an
automated, integrated solution.
In response to these challenges, IBM provides Tivoli Security Operations
Manager, a security event management platform designed to improve the
effectiveness, efficiency and visibility of security operations and information risk
management. Tivoli Security Operations Manager centralizes and stores security
data from throughout the technology infrastructure so that you can:
Automate log aggregation, correlation and analysis.
Recognize, investigate and respond to incidents automatically.
Streamline incident tracking and handling.
Enable monitoring and enforcement of policy.
Provide comprehensive reporting for compliance efforts.
Tivoli Security Operations Manager automates many repetitive, time-intensive
activities required for effective security operations. The result is an efficient,
cost-effective approach to security operations.
5.4.9 Conclusion
Security breaches can have serious, measurable consequences: lost revenue,
downtime, damage to reputation, damage to IT assets, theft of proprietary or
customer information, clean-up and restoration costs, and potential litigation
costs. To reduce these risks, security organizations need the capability to quickly
identify and react to attacks.
Tivoli Security Operations Manager provides a holistic view of your security
posture and the abilities to drill down and investigate attacks quickly. As a result,
it is a valuable tool in helping to prevent intrusions and maximize the security of
your business.
For more technical details around Tivoli Security Operations Manager refer to
IBM Redbooks deliverables Deployment Guide Series: IBM Tivoli Security
Operations Manager 4.1, SG24-7439-00 and Enterprise Security Architecture
Using IBM Tivoli Security Solutions, SG24-6014-04.
C-level executive officers such as the Chief Information Officer (CIO) and
Chief Financial Officer (CFO) need to be able to demonstrate compliance with
regulations. The number of regulations for which they need to be able to
demonstrate compliance grows rapidly and includes, for example,
Sarbanes-Oxley, SAS70, PCI, Basel II and so on. A key challenge for this
group of people is to keep up with the requirements of the various compliance
regulations as they are developed.
The Chief Information Security Officer and audit groups are interested in
protecting intellectual property and ensuring privacy properly.
The technical security teams, on the other hand, need to be able to manage
security operations and threats effectively and efficiently.
These differing requirements are more graphically illustrated in Figure 5-5.
The IBM SIEM solution combining Tivoli Compliance Insight Manager and Tivoli
Security Operations Manager addresses each of these differing requirements as
follows (graphically illustrated in Figure 5-6 on page 120). For the C-level officers
who need to be able to demonstrate compliance with regulations it provides a
compliance dashboard and reporting capabilities. These capabilities are
provided by the Tivoli Compliance Insight Manager component of the solution.
For the Chief Information Security Officer and audit teams who require the ability
to report on user behaviors it provides privileged user monitoring and audit,
database and application auditing, and operating system (including mainframe)
Security Operations Manager). After the acquisition of the two products was
completed, an analysis revealed that only 31 sources were common, with only 10
sources having strong relevance to both products. This reflects the different
focuses that were applied in the development of the two products. Tivoli
Security Operations Manager was developed with network security and threat
identification in mind. It was designed to perform high speed real time correlation
of events across differing platforms in order to identify incidents. Whereas Tivoli
Compliance Insight Manager was designed to focus on the needs of business
users and to present security information in a way that they understand, for
example, in terms of who has done what to what, when and where (for example,
by categorization of data using the W7 model). Tivoli Security Operations
Manager appeals to those who require the ability to identify in real time that a
particular host IP address is being attacked or is attacking. Whereas Tivoli
Compliance Insight Manager maps data directly back to your users so that you
can identify which of your known people is doing something that is not in
accordance with your policies.
The key area of overlap is in the collection of information from operating system
sources (see Figure 5-7 on page 122). For Unix and Linux systems this does not
introduce any great complexity, as these platforms typically use syslog. This means
that in a combined solution a single high speed syslog collector can be used to
satisfy the requirements of both components of the SIEM solution. Further, the
Tivoli Compliance Insight Manager Windows Point of Presence used to collect
Windows event logs can also host the Tivoli Security Operations Manager real
time event collector for collection of Windows operating system generated
security events.
User personas
Here are some of the user personas that may be interested in information
provided by a SIEM solution:
Network operations
Network administrators
Security administrators
Database administrators
Chief Information Security Officers
Internal auditors
External auditors
5.6 Conclusion
In this chapter we explored the concepts of Security Information and Event
Management and illustrated how these concepts are supported by the IBM
Security Information and Event Management solution. Next we described how
the two components of the solution complement each other and highlighted the
differences in their capabilities. Finally we showed some of the basic use cases
and the way these use cases could be met with the components of the IBM SIEM
solution. The rest of this book describes how Tivoli Compliance Insight Manager
meets many of the requirements of SIEM whilst Chapter 12, Tivoli Security
Operations Manager integration on page 371 shows how the two components of
the SIEM solution are currently integrated.
Part 2. Customer environment
This part illustrates a scenario about a fictional financial institution and describes
the implementation of security compliance management with Tivoli Compliance
Insight Manager.
Chapter 6.
Tivoli Financial Accounting Corporation uses one pair of fully resilient data
centers in Brussels, Belgium for their EU operations. These centers are also
hosting the mainframe system and a fully mirrored Storage Area Network for 150
Terabytes of data. The company also runs two smaller data centers in Newark,
New Jersey, USA to support US operations, which host 70 Terabytes of data.
The company uses two dedicated local data centers in Luxembourg, because
regulatory restrictions in Luxembourg prohibit export of banking customer data
outside of Luxembourg. The remaining storage of 26 Terabytes is allocated to
these data centers.
| Application | Platform | Server Name | Log in MB/day | Zone | Server Location |
| | MS Windows 2003 | EUHQ-FP | 100 | Intranet | Brussels HQ |
| | MS Windows 2003 | BR1-FP | 100 | Intranet | Brussels 1 |
| | MS Windows 2003 | BR2-FP | 100 | Intranet | Brussels 2 |
| | MS Windows 2003 | AM1-FP | 100 | Intranet | Amsterdam 1 |
| | MS Windows 2003 | AM2-FP | 100 | Intranet | Amsterdam 2 |
| ... | ... | ... | ... | ... | ... |
| Workflow | MS Windows 2003 | EUHQ-DO | 10 | Production | Brussels HQ |
| Workflow | | EUHQ-DO | 100 | Production | Brussels HQ |
| ... | ... | ... | ... | ... | ... |
| Database | Oracle Enterprise | LU-DB | 500 | Production | Luxembourg 1 |
| Database | MS Windows 2003 | USHQ-DB | 10 | Production | Newark HQ |
| Database | Oracle Enterprise | USHQ-DB | 750 | Production | Newark HQ |
| SAP | AIX 5,3 | EUHQ-SP | 1000 | Production | Brussels HQ |
| SAP | SAP R3 | EUHQ-SP | 100 | Production | Brussels HQ |
| SAP | AIX 5,3 | LU-SP | 750 | Production | Luxembourg 1 |
| ... | ... | ... | ... | ... | ... |
| MF COREBANK | zOS LPAR1 | EU-ANIT | 3000 | Production | Brussels HQ |
| MF BRATELLER | zOS LPAR2 | EU-ASRU | 2000 | Production | Brussels HQ |
| MF EBANKING | zOS LPAR3 | EU-AZEN | 1500 | Production | Brussels HQ |
| SOC | RH Linux Enterprise | EUHQ-SO | 10 | Management | Brussels HQ |
| SOC | | EUHQ-SO | 2500 | Management | Brussels HQ |
| ... | ... | ... | ... | ... | ... |
| Compliance | | EUMF-SC | 200 | Management | Brussels HQ |
| Compliance | MS Windows 2003 | LU-SC | 10 | Management | Luxembourg 1 |
| Compliance | | USHQ-SC | 400 | Management | Newark HQ |
| SWIFT Connect | MS Windows 2003 | EUHQ-SW | 250 | DMZ | Brussels HQ |
| MAIL Connect | RH Linux Enterprise | USHQ-MR | 100 | DMZ | Newark HQ |
| ... | ... | ... | ... | ... | ... |
| WEB Connect | MS Windows 2003 | EUHQ-WW | 100 | DMZ | Brussels HQ |
| WEB Connect | MS Windows 2003 | LU-WW | 60 | DMZ | Luxembourg 1 |
| WEB Connect | MS Windows 2003 | USHQ-WW | 100 | DMZ | Newark HQ |
| Network Device | Nokia, Cisco | various | 25 | Various | Various |
| Workstation | Windows XP | various | | Various | Various |
The table already includes the systems reserved for Tivoli Compliance Insight
Manager, listed under the application category Compliance. The table does not
list the shadow systems in the respective backup data centers.
language, one that can present this data in a comfortable, accessible way. The
internal audit department of Tivoli Financial Accounting Corporation wants all IT
systems to be audited. As a leading financial institution, they have to be sure that
everything is done by the rules and that no data can be misused by falling into
the hands of unauthorized users. "We need to know what is happening in the IT
environment. I would like to monitor all our assets at all times!" the Tivoli
Financial Accounting Corporation CISO says. For Tivoli Financial Accounting
Corporation this means all platform events have to be centrally collected and
reported. Having a fully automated tool that is capable of monitoring and
reporting across all of Tivoli Financial Accounting Corporation's systems where
classified information is handled is a key requirement for the solution.
6.4 Conclusion
We have introduced Tivoli Financial Accounting Corporation, a fictional financial
institution that will serve as an example scenario for the Tivoli Compliance Insight
Manager implementation outlined in the following chapters. We have discussed
the company profile, the current IT infrastructure, as well as the objectives with
regard to security compliance management. We will use this information to
design and to implement an appropriate compliance management solution.
Chapter 7. Compliance management design
In this chapter, we describe the design approach that Tivoli Financial Accounting
Corporation will take in order to design a compliance management solution that
meets all their regulatory requirements. This discussion is divided into the
following sections:
Business requirements
Functional requirements
Design approach
Implementation approach
As described in Chapter 6, Introducing Tivoli Financial Accounting Corporation
on page 129, Tivoli Financial Accounting Corporation plans to list on the Stock
Exchange in six months' time and wants to be prepared to meet its auditing
and reporting compliance needs. By using Tivoli Compliance Insight Manager as
the basis for its compliance management solution, Tivoli Financial Accounting
Corporation will be able to meet these regulatory requirements.
Extracting relevant information from the raw logs manually can be difficult
because the format of logs is often quite incomprehensible. This can be
overcome by implementing a compliance management solution that is
capable of processing the log data and transforming it into a standardized
format that is easier to read. As described in Chapter 6, Introducing Tivoli
Financial Accounting Corporation on page 129, Tivoli Financial Accounting
Corporation would ideally like to be able to view this data through a
Web-based portal. They would also like the ability to easily generate meaningful
reports to display the compliance information.
The key functional requirements for monitoring user access to sensitive
company assets are listed in Table 7-1.
Table 7-1 Functional requirements for monitoring user access to sensitive assets
| Requirement | Description |
142
Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager
7530ch07.fm
over time. There are a few main aspects of the IT environment that, when
modified, will impact the compliance management solution:
Changes to the IT architecture
Changes to the IT personnel
Changes to the internal IT security policies governing the use of the
company assets
The architecture of Tivoli Financial Accounting Corporation's IT environment
changes regularly as new systems are acquired, new uses are applied to
existing systems and old systems are retired. Therefore, it is essential that
when these changes occur, the compliance management solution can be
configured to access the logged audit data available on each of the IT
systems in use. In order to do this, it needs to have multi-platform support as
previously mentioned (please refer to Table 7-1 on page 140). Similarly, it is
important that the compliance management solution is able to collect and
process logs from a wide variety of different event sources on those target
systems. Ideally it should be flexible enough to monitor and process logs from
ANY event source, provided those logs contain sufficient data in an
appropriate format.
Clearly, the compliance management solution is limited by what data is being
logged by each of the event sources. Therefore, appropriate audit settings
need to be identified and configured on the target systems. The auditing on
each target system can be referred to as an audit sub-system.
Changes to the IT personnel may include existing staff changing roles, new
staff being hired and staff leaving the company. Any of these personnel
changes need to be reflected in the structure of the compliance management
solution, which needs to compare the behavior of these users with the defined
security policies of allowable actions.
The corporate IT security policies themselves also need to be defined and
refined on an ongoing basis as the business grows. For example, when new
regulatory requirements are introduced, the business needs to be able to
create new policies, as well as modify the existing policies. Similarly, when
new assets are introduced into the system, a new audit sub-system will need
to be established on the target system and new policies will need to be
established to monitor and audit the usage of the new asset.
Since the compliance management solution is reliant on the individual audit
sub-systems to obtain its data, it is important to maintain data integrity in the
logs on the target systems. To ensure the integrity is maintained, Tivoli
Financial Accounting Corporation needs their compliance management
solution to audit the actions performed on the audit sub-systems.
The configuration of the compliance management solution is extremely
important to ensure that the correct log data is audited. Therefore, only a
Be flexible enough to monitor and audit logs from ANY event source,
provided the log contains sufficient data in an appropriate format.
5. Prioritize the monitoring and reporting requirements for the various target
systems and applications.
6. Complete a pre-planning worksheet to cover all of the target event sources.
7. Divide the tasks into phases.
Prioritizing the monitoring and reporting requirements of the target systems and
applications is important because the priorities are one of the primary factors
used to decide which implementation tasks will be done in which phase of the
project. It is rare that a compliance management solution can be created as a
single deliverable satisfying every requirement on all targets. It is far more likely
that it will be delivered in phases and the highest priority requirements should be
included in the earliest phases.
Assigning priorities to the requirements is often difficult because they are all
important. You can more easily compare the priorities of the target systems and
applications by performing a risk assessment [1]. The targets that are identified as
being a high risk can then be treated as the highest priority. A simple way to
calculate risk is to use the following formula:
Risk = Impact * Likelihood
The Impact component should be a 1-10 rating that represents the impact or
consequence for the business if a threat is realized. The impact should be judged
by business experts and should take into account both the short term and the
long term effect on the business.
The likelihood of a threat occurring can also be rated on a 10 point scale, from 1
indicating that it is extremely unlikely to occur through to 10 indicating that the
event is very likely to occur on a daily basis. The technical experts are probably
in the best position to evaluate the likelihood of each threat.
Asking yourself some questions that gauge the positive and negative impacts of
the requirements for each target may also help you with your prioritization:
How much money can be saved by automating the auditing of this target?
How sensitive is the data stored on this target?
Are there existing mechanisms or processes in place for auditing the target,
which will be sufficient for now?
What is the complexity of monitoring this target? Does Tivoli Compliance
Insight Manager provide an Actuator that supports this event source?
After mapping the requirements to Tivoli Compliance Insight Manager features
and creating a list of implementation tasks, the priority of each target and the
implementation effort for each target can be used to decide how to break up the
project into phases. The goal of breaking the project into phases is to quickly
deliver solutions to some high-priority requirements. This allows the company to
begin seeing a return on its investment while lower priority and more difficult
tasks are still being executed.
[1] To learn more about risk management you may want to refer to the Risk Management Guide for
Information Technology Systems from NIST
(http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf) or check out the IT
Security Cookbook at http://www.boran.com/security/index.html.
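Added example, not from the Redbook: the risk formula and the phasing step described above carried through in Python. The target names are taken from the scenario tables in this part of the book; the impact, likelihood and effort figures, the effort budget per phase and the Actuator-support flags are constructed for the illustration.

```python
"""Added example, not from the Redbook: Risk = Impact * Likelihood on the
1-10 scales described in the text, used to order targets and cut the
implementation into phases. Target names come from the scenario tables;
impact, likelihood, effort and Actuator support are constructed figures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str
    impact: int       # 1-10, judged by business experts
    likelihood: int   # 1-10, judged by technical experts
    effort: int       # constructed: implementation effort in person-days
    supported: bool   # constructed: an Actuator exists for this event source


def risk(target):
    """Risk = Impact * Likelihood; both ratings must lie on the 1-10 scale."""
    for rating in (target.impact, target.likelihood):
        if not 1 <= rating <= 10:
            raise ValueError(f"{target.name}: rating {rating} is outside 1-10")
    return target.impact * target.likelihood


def prioritize(targets):
    """Highest risk first; at equal risk the cheaper target goes first."""
    return sorted(targets, key=lambda t: (-risk(t), t.effort, t.name))


def plan_phases(targets, effort_per_phase):
    """Greedy phasing: fill each phase from the prioritized list so the highest
    risk targets land in phase one. Targets without Actuator support are
    deferred to a final phase because they need extra integration work first."""
    supported = [t for t in targets if t.supported]
    deferred = [t for t in targets if not t.supported]
    phases, current, used = [], [], 0
    for t in prioritize(supported):
        if current and used + t.effort > effort_per_phase:
            phases.append(current)
            current, used = [], 0
        current.append(t)
        used += t.effort
    if current:
        phases.append(current)
    if deferred:
        phases.append(prioritize(deferred))
    return [[t.name for t in phase] for phase in phases]


# Constructed ratings for a few targets from the Tivoli Financial Accounting
# Corporation scenario (names from the tables, numbers invented here).
TARGETS = [
    Target("MF COREBANK (z/OS)", impact=10, likelihood=6, effort=15, supported=True),
    Target("LU-DB (Oracle)", impact=9, likelihood=7, effort=8, supported=True),
    Target("EUHQ-SP (SAP)", impact=8, likelihood=5, effort=10, supported=True),
    Target("Active Directory", impact=7, likelihood=8, effort=5, supported=True),
    Target("EUHQ-DO (Workflow)", impact=5, likelihood=5, effort=6, supported=True),
    Target("In-house trading application", impact=8, likelihood=4, effort=12, supported=False),
]

if __name__ == "__main__":
    for t in prioritize(TARGETS):
        print(f"{t.name:32} risk={risk(t):3}")
    for n, phase in enumerate(plan_phases(TARGETS, effort_per_phase=25), start=1):
        print(f"phase {n}: {', '.join(phase)}")
```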
Regulatory requirements
Being a financial corporation, Tivoli Financial Accounting Corporation would
initially like to align its reporting with Basel II. However, the company also wants
to be able to adjust their reports and policies in the future to accommodate other
regulations such as SOX and PCI when necessary.
The set of reports listed in Table 7-7 has been identified as a starting point for
them. Notice that many of these reports can be generated from the data
collected for the internal IT security policy requirements (the numbers in
brackets refer to sections in ISO 17799).
Table 7-7 Initial Basel II reporting goals
| Basel II report | Description |
Table 7-8 Classification of Tivoli Financial Accounting Corporation's systems and event sources
| Event Source | Classification | Monitor with Tivoli Compliance Insight Manager? |
| Windows XP workstations | | No |
| DMZ machines | | No |
| z/OS mainframe | | Yes |
| DB2 on z/OS | | Yes |
| AIX | | Yes |
| Domino | | Yes |
| Oracle | | Yes |
| Active Directory | | Yes |
7.4.3 Identify what data needs to be collected from each event source
Each of the individual reports needs to be analyzed, and a list of the event details
that are needed from each event source needs to be identified. Once the list of
required attributes has been determined, the audit subsystem of the target
system can be investigated to determine whether audit settings exist that will
produce logs containing the required details.
If it is not possible to generate the required log data, then that report cannot be
produced for that particular system.
Tivoli Financial Accounting Corporation has analyzed the audit subsystems for all
of the event sources that are to be monitored by Tivoli Compliance Insight
Manager (as described in Table 7-8). It has been determined that it is possible to
collect sufficient data from each of these audit subsystems for the purposes of
monitoring and reporting on these event sources.
7.4.4 Ensure that Tivoli Compliance Insight Manager has the ability to
monitor audit trails from that event source
Next we have to look through the list of event sources and compare it against the
list of supported Tivoli Compliance Insight Manager event sources.
Table 7-9 Tivoli Compliance Insight Manager support for event sources (column: Event Source; the support details column is not recoverable here)
AIX OS
W2K3 OS
Active Directory
Mainframe
DB2
Oracle
SAP
Domino

Name / Description:
Windows Basic Auditing
Extended Auditing
Reporting requirements
System z integration
Tivoli Security Operations Manager integration
7.5 Conclusion
In this chapter, we described the design approach that was taken by Tivoli
Financial Accounting Corporation in order to design their compliance
management solution using Tivoli Compliance Insight Manager. We outlined the
Chapter 8. Basic auditing
In this chapter we describe the implementation of phase one of Tivoli Financial Accounting Corporation's compliance management solution using Tivoli Compliance Insight Manager. As outlined in Chapter 7, Compliance management design on page 137, in phase one they plan to install a Tivoli Compliance Insight Manager cluster. In this phase, they monitor the actions of their Windows domain users by installing local Windows Actuators and configuring a Microsoft Windows event source for each Windows server. An Active Directory event source is also configured on the Windows domain controllers. The audit subsystem on each Windows server has to be configured to generate sufficient log information. Appropriate W7 groups and rules are established through the Management Console and, finally, the iView Compliance Dashboard is used to monitor user actions.
The critical data shares reside on the Windows 2003 file and print servers shown
in the Intranet zone of Figure 8-1 on page 158. The share folders to be audited
have been identified as:
C:\Finance
C:\HR
C:\CustomerData
Print Share: C:\WINDOWS\system32\spool
Finally, the Tivoli Compliance Insight Manager servers need to be enabled for
self-auditing.
Note: The Audit object access option is set to Success/Failure only on the file and print servers that host confidential file shares. On the other Windows servers in Tivoli Financial Accounting Corporation's environment, Audit object access is set to No auditing. Enabling this option by itself produces no events: Windows only logs access to objects that also carry an audit entry (SACL), which is configured per folder as described in 8.4.3.
By default, Active Directory diagnostic logging records critical and error events only. Only change this behavior when a detailed investigation is needed, because extensive logging can quickly consume storage space.
The following types of events that can be written to the event log are defined in the Active Directory:
1. Knowledge Consistency Checker (KCC)
2. Security Events
3. ExDS Interface Events
4. MAPI Events
5. Replication Events
6. Garbage Collection
7. Internal Configuration
8. Directory Access
9. Internal Processing
10. Performance Counters
11. Initialization/Termination
12. Service Control
13. Name Resolution
14. Backup
15. Field Engineering
16. LDAP Interface Events
17. Setup
18. Global Catalog
19. Inter-Site Messaging
Microsoft has defined six levels of diagnostic logging for the Active Directory. The level is set per event category as a DWORD value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics:
0 - (None)
Only critical events and error events are logged at this level.
1 - (Minimal)
2 - (Basic)
3 - (Extensive)
4 - (Verbose)
5 - (Internal)
Each higher level logs progressively more detail; level 5 logs all events of the category, including debug output, and should be used only for the duration of an investigation.
Figure 8-4 Registry settings for Active Directory diagnostic event logging
4. Close regedit.
Note: Tivoli Financial Accounting Corporation uses an Active Directory forest. The worked example in this chapter describes the monitoring of a single Active Directory server only. In reality, to complete the Tivoli Compliance Insight Manager compliance management solution for Tivoli Financial Accounting Corporation, the process for monitoring the single Active Directory server in this chapter has to be repeated for each domain controller in the forest.
C:\Finance
C:\HR
C:\CustomerData
Print Share: C:\WINDOWS\system32\spool
In this section we describe how to monitor and audit one of these file shares
(C:\Finance). Tivoli Financial Accounting Corporation has to repeat this process
for all of the shared folders that need to be audited.
To enable and configure auditing of access to the C:\Finance folder, we complete
the following steps on the target file and print servers.
1. Open Windows Explorer, right click on the shared folder and select
Properties as shown in Figure 8-5.
2. Click on the Security tab and then the Advanced button, as shown in
Figure 8-6.
3. Select the Auditing tab. Figure 8-7 shows the default contents of this tab.
4. Configure auditing for a new user or group by clicking Add. An input box is
displayed. We enter the name of the user group to be monitored and click
OK. In Figure 8-8, the Domain Users group has been added because all
authenticated users of the Tivoli Financial Accounting Corporation systems
are contained in this group.
6. The new auditing entry now appears in the Advanced Security Settings
window as shown in Figure 8-10.
Figure 8-10 The new auditing entry is displayed in the Advanced Security Settings
window
7. Click OK to close.
Remember to repeat steps 1 through 7 for the other involved file shares.
Each of these steps is outlined in sections 8.5.1, Create GEM database, 8.5.2, Create system group and add Windows machines, and 8.5.3, Add event sources.
5. Figure 8-12 shows how the new database appears in the Database View.
2. Select the Audited Machine Type from the available drop-down menu. For Tivoli Financial Accounting Corporation's Windows 2003 servers, the correct machine type is Microsoft Windows, highlighted in Figure 8-15. Select Next.
3. Enter the name of the target machine(s) to be audited in the Name input box
within the Machine frame and click on the Add button. As illustrated in
Figure 8-16, the machine name now appears in the Selected frame. Click
Next.
Note: Checking the Show Available Event Source Types box causes the
Event Source Type panel on the right hand side of the screen to appear. This
allows you to browse the supported event sources for the type of machine you
are adding.
4. A local Actuator will be installed on each of the target machines. This option is
selected in Figure 8-17. Click Next.
5. The default port used by the Point of Presence is 5992. We check the availability of the configured port by clicking the Test Port button. In this window we can choose to perform either an Automatic or a Manual install. For demonstration purposes, we show a manual Actuator installation on a single Windows 2003 target system (FSPDC), as shown in Figure 8-18. When adding the remaining Windows 2003 server machines in Tivoli Compliance Insight Manager, Tivoli Financial Accounting Corporation can use the option of automatically installing the Windows Actuators on the targets.
7. The Choose Event Source Type window appears. For the FSPDC machine, which is an Active Directory domain controller, both Microsoft Active Directory and Microsoft Windows have been selected (see Figure 8-20). Select Next.
Note: When adding the Windows 2003 server machines that are not Active
Directory servers, only the Microsoft Windows event source would be
selected.
8. Figure 8-21 shows the Completing the Add Machine Wizard window that
appears. Click Finish to complete the Add Machine setup.
Note: During the Add Machine Wizard a configuration file is created. This file
is needed when you install the Actuator on your target machine(s).
3. The next window that appears allows us to choose a collect schedule (see Figure 8-24). The collect schedule has to be tuned to prevent audit trail loss: the Windows event log is a fixed-size circular log that, with the default retention setting, overwrites its oldest entries once it is full, so the collect interval must be shorter than the time a busy server needs to fill the log. We configure the desired schedule and click Next.
4. The next screen prompts us to select the GEM database where the data
collected from this event source should be loaded. Tivoli Financial Accounting
Corporation loads all Windows events in the GEM database called GENERAL
that was created in 8.5.1, Create GEM database on page 172. We select
GENERAL as shown in Figure 8-23 and click Next.
Note: Data collected from your FSPDC machine is first stored in the
Depot. At load time it will be loaded into the GEM database, here
GENERAL.
5. Figure 8-26 shows the next screen that is displayed. This screen allows us to
configure a Load schedule for loading the data from the event source into the
GEM database. The Load schedule should be related to the Collect schedule
that was configured in step 3. Configure the Load schedule and click Next.
Note: In general, set load frequency to an interval as long as or longer than
the collect schedule interval. For example, data may be collected hourly,
and loaded twice a day. It is unlikely that you would want to collect data
twice a day, and load it hourly.
Set the load schedule time at least 15 minutes after each scheduled
collection time. This delay ensures that Tivoli Compliance Insight Manager
loads the most recently collected data into the database.
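The two rules in this note can be checked mechanically before the schedules are committed. The following Python helper is an added example, not code from the Redbook or from Tivoli Compliance Insight Manager: it takes daily collect and load times as HH:MM strings, flags a load schedule that runs more often than the collect schedule or a load that starts less than 15 minutes after the most recent collect (counting across midnight), and sizes a collect interval against the capacity of a circular event log for an assumed steady event rate. The figures in the sample calls are made up.

```python
"""Collect/load schedule checks. Added example, not product code."""

MINUTES_PER_DAY = 24 * 60


def _minutes(hhmm):
    """'06:20' -> 380 (minutes after midnight)."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def max_collect_interval(log_max_bytes, avg_event_bytes, events_per_minute, safety=0.5):
    """Longest collect interval, in minutes, before a circular event log can
    wrap and overwrite records that were never collected. Assumes a steady
    event rate (assumption), hence the safety factor to absorb bursts."""
    capacity_events = log_max_bytes // avg_event_bytes
    return int(capacity_events / events_per_minute * safety)


def check_schedule(collect_times, load_times, min_gap=15):
    """Return the violations of the two rules from the note:
    1. load must not run more often than collect;
    2. each load must start at least `min_gap` minutes after the most recent
       collect, so that it picks up the freshly collected chunk."""
    problems = []
    if not collect_times:
        return ["no collect schedule defined"]
    if len(load_times) > len(collect_times):
        problems.append("load runs more often than collect")
    collects = [_minutes(t) for t in collect_times]
    for load in load_times:
        load_min = _minutes(load)
        # minutes since each collect, counted backwards across midnight;
        # the smallest value belongs to the most recent collect before this load
        gap = min((load_min - c) % MINUTES_PER_DAY for c in collects)
        if gap < min_gap:
            problems.append(f"load at {load} is only {gap} min after a collect")
    return problems


HOURLY = [f"{hour:02d}:00" for hour in range(24)]   # collect every hour, on the hour

if __name__ == "__main__":
    print(check_schedule(HOURLY, ["06:20", "18:20"]))   # hourly collect, load twice a day
    print(check_schedule(HOURLY, ["06:05"]))            # load too close to a collect
    # 64 MiB Security log, ~512-byte events, 200 events/min (made-up figures)
    print(max_collect_interval(64 * 1024 * 1024, 512, 200), "minutes")
```

Run the checks again whenever the event-log maximum size or the retention policy on a server is changed, because both move the point at which uncollected records are overwritten.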
The Event Source Wizard is now complete and the final screen shown in
Figure 8-27 is displayed. Click on the Finish button.
2. You are presented with the License Agreement screen (see Figure 8-29).
After agreeing with the License terms and conditions click Yes to proceed
with the installation.
3. Figure 8-30 shows the Choose Setup screen for the installation wizard.
Select Point of Presence to install a Windows Actuator on the FSPDC server
and click Next.
4. Enter the path to the installation directory. The default location C:\IBM\TCIM
is being used on the FSPDC server as shown in Figure 8-31. Click Next.
5. Figure 8-32 shows the next screen. It confirms the target directory based on
the installation directory selected on the previous screen. Click Next to
proceed.
9. The Updates Overview screen shown in Figure 8-36 outlines the installed
components. Click Next.
10. The Actuator Installation Wizard is now complete and the Setup Finished screen appears (see Figure 8-37). Click Finish.
8.7 Configuring W7
Now that the audit subsystems have been configured on the Windows servers and the event sources have been registered with Tivoli Compliance Insight Manager, the W7 rules can be configured on the Standard Server. In particular, the groups need to be defined, along with the appropriate W7 policy and attention rules.
In this section we describe the process of setting up the W7 rules for Tivoli Financial Accounting Corporation's Windows event sources.
2. The Add User Information Source Wizard starts. Click Next on the welcome
screen as shown in Figure 8-39.
3. The next screen that is displayed allows us to select the machine where the
User Information Source resides. Figure 8-40 shows that for this example,
FSPDC is selected. Click Next.
5. The User Information Source properties are displayed on the next screen, as
displayed in Figure 8-42. Click the Edit button to modify the Domain name.
Note: The difference between Grouping ActiveDirectory and Grouping
Windows is that Grouping ActiveDirectory is for Active Directory on
Windows 2000 and Windows 2003 and Grouping Windows is for Windows
NT Domains.
6. You can now enter the name of the Active Directory domain. Tivoli Financial Accounting Corporation uses the domain name INSIGHT to represent all of its users who are being monitored by Tivoli Compliance Insight Manager. Click Next to advance to the next screen.
7. Now you can choose a collect schedule for extracting information from the
specified UIS before clicking Next to continue. Refer to Figure 8-44.
8. The Add User Information Source completion screen is displayed. You should
collect the UIS data before the (last) collection of the audit trail happens. In
that way you are sure that the UIS data is applied to the chunks that will be
analyzed.
Click the Finish button to complete the process as shown in Figure 8-45.
9. The new User Information Source is now displayed in the Event Source view
of Management Console as can be seen in Figure 8-46.
Note: If there is more than one UIS defined in the management console, you
have the option to select which Automatic Policy you want to view. Each UIS
will show the name of the machine being used to collect the UIS data.
A new policy appears under the Work folder as shown in Figure 8-48.
2. Use the Browse button to search for the correct configuration file.
3. The imported group definitions from the UIS are stored in an automatic policy
by default. The automatic policies are located at
<TCIM_HOME>/Server/config/grouping/automatic as shown in Figure 8-49.
Figure 8-51 NT folder for the automatic policy contains the config file
6. A folder called FSPDC appears in the policy window on the right hand side. We double-click on this policy group and its contents are displayed in the left hand panel as shown in Figure 8-54.
Figure 8-54 Locate the new group definition set in the working policy
2. Figure 8-56 shows how to create a requirement to specify the new condition.
That is, right click on the condition and select New Requirement.
3. As you recall, object access auditing was configured in 8.4.3, File server
settings - object access auditing on page 165. These configured audit
settings on the target machine result in user actions on the C:\Finance folder
(and its contents) being logged by Windows. These logged events describe
4. The new requirement is now complete and can be seen in the Grouping panel
as shown in Figure 8-58.
Figure 8-58 W7 group definition for the Windows financial data file share
The policy rule consists of the following W7 group values:
Who: System
What: System Operations
Where: INSIGHT
For this policy rule to be useful, Tivoli Financial Accounting Corporation has
ensured that the W7 Who group called System effectively describes the
permitted system users with appropriate requirements and conditions defined.
Similarly, the W7 Where group called INSIGHT has been created to represent all
of the Windows servers being monitored in the INSIGHT domain.
In the following figures we show the steps involved to create the new policy rule
from the Policies view in the Management Console.
1. Ensure that the Policy tab is selected and right-click in the Policy Rules panel.
Select New Rule as shown in Figure 8-59.
2. As you can see in Figure 8-60, an Edit Rule window appears where you can
enter the W7 groups that specify the new rule. Click OK.
3. The new rule appears in the Policy Rules list as can be seen in Figure 8-61.
4. Once the new policy rules have been defined, the working policy must be
saved. The Save option is under the Policy menu. (Refer to Figure 8-62).
Note: For phase 1 of implementation, Tivoli Financial Accounting
Corporation also wanted to create policy rules to capture the allowed
operations on the confidential file shares. For example, a policy rule
specifying that the W7 Who group called Finance can perform operations
on objects in the W7 onWhat group called FinancialData and so on.
For example, the IT security staff are interested in being notified whenever
confidential financial data is deleted. In this section we outline the configuration
in Tivoli Compliance Insight Manager to configure an attention rule for these
deletion events.
Here it is important to highlight that a W7 group has been defined to represent
the deletions performed by a user in a Windows environment. Figure 8-63 shows
this group definition.
This What group can now be used in the new attention rule.
Here is an outline of the steps involved in creating the new attention rule for
capturing any deletion events on the Windows financial data file shares.
1. Ensure that the Attention tab is selected and right click in the Attention Rules
panel. Select the New Rule option shown in Figure 8-64.
2. Figure 8-65 shows the Edit Rule window that appears. The new attention rule
has been defined as: Any user performing a deletion (W7 What = User
Actions - Deletions) on objects in the financial file shares (W7 onWhat =
Financial Data).
3. After we click OK in the Edit Rule window, the new attention rule appears in
the Attention Rules panel.
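To make the interaction between the policy rule defined in 8.7 and the attention rule above concrete, here is a Python sketch of the W7 mapping. It is an added example, not code from the Redbook or from Tivoli Compliance Insight Manager: it models a W7 group as a set of requirements, each requirement being a set of conditions on event attributes, maps constructed events to groups in the Who, What, onWhat and Where dimensions, and then classifies each event as a policy exception (no policy rule matches) and/or a special attention (an attention rule matches). The group names follow the chapter; the event attribute names, the glob-style conditions, the sample events and the choice to let an event belong to several groups per dimension are assumptions that simplify the product's own mapping.

```python
"""Toy W7 mapper: groups, policy rules and attention rules over constructed
events. Added example; it is not Tivoli Compliance Insight Manager code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

DIMENSIONS = ("who", "what", "onwhat", "where")


@dataclass
class Group:
    """A W7 group: an event is a member if ANY requirement holds, and a
    requirement holds if ALL of its conditions (attribute -> glob) match."""
    dimension: str
    name: str
    requirements: list

    def matches(self, event):
        return any(
            all(fnmatchcase(str(event.get(attr, "")), pattern)
                for attr, pattern in requirement.items())
            for requirement in self.requirements
        )


# Group definitions (assumed; the attribute names stand in for the fields a
# Windows event source provides).
GROUPS = [
    Group("who", "System", [{"user": "SYSTEM"}, {"user": "NT AUTHORITY\\*"}]),
    Group("who", "Finance", [{"user": "INSIGHT\\katie"}, {"user": "INSIGHT\\fin-*"}]),
    Group("who", "IT personnel", [{"user": "INSIGHT\\bob"}]),
    Group("what", "System Operations", [{"action": "service_*"}]),
    Group("what", "User Actions - File", [{"action": "file_*"}]),
    Group("what", "User Actions - Deletions", [{"action": "file_delete"}]),
    Group("what", "Logon - Failure", [{"action": "logon_failure"}]),
    Group("onwhat", "Financial Data", [{"object": "C:\\Finance\\*"}]),
    Group("onwhat", "System Objects", [{"object": "C:\\WINDOWS\\*"}]),
    Group("where", "INSIGHT", [{"host": "INSIGHT\\*"}]),
]

# Rules are (who, what, onwhat, where); None means "any group in that dimension".
POLICY_RULES = [
    ("System", "System Operations", None, "INSIGHT"),              # rule from 8.7
    ("Finance", "User Actions - File", "Financial Data", "INSIGHT"),
]
ATTENTION_RULES = [
    (None, "User Actions - Deletions", "Financial Data", None),    # DeleteFinancials
]


def map_event(event, groups=GROUPS):
    """Map one event to its W7 group names, per dimension."""
    mapped = {dim: set() for dim in DIMENSIONS}
    for group in groups:
        if group.matches(event):
            mapped[group.dimension].add(group.name)
    return mapped


def rule_matches(rule, mapped):
    return all(wanted is None or wanted in mapped[dim]
               for dim, wanted in zip(DIMENSIONS, rule))


def classify(event, policy=POLICY_RULES, attention=ATTENTION_RULES):
    """An event with no matching policy rule is a policy exception; an event
    matching an attention rule is a special attention. Both can be true."""
    mapped = map_event(event)
    policy_hits = [r for r in policy if rule_matches(r, mapped)]
    attention_hits = [r for r in attention if rule_matches(r, mapped)]
    return {
        "w7": mapped,
        "policy_exception": not policy_hits,
        "special_attention": bool(attention_hits),
        "policy_hits": policy_hits,
        "attention_hits": attention_hits,
    }


def summarize(events):
    """The three headline counters of the database summary page."""
    counts = {"Total Events": 0, "Policy Exceptions": 0, "Special Attentions": 0}
    for event in events:
        result = classify(event)
        counts["Total Events"] += 1
        counts["Policy Exceptions"] += int(result["policy_exception"])
        counts["Special Attentions"] += int(result["special_attention"])
    return counts


# Constructed events, not real Windows security log records.
SAMPLE_EVENTS = [
    {"user": "INSIGHT\\katie", "action": "file_read", "object": "C:\\Finance\\q3.xls", "host": "INSIGHT\\FSPDC"},
    {"user": "INSIGHT\\katie", "action": "file_delete", "object": "C:\\Finance\\old.xls", "host": "INSIGHT\\FSPDC"},
    {"user": "INSIGHT\\bob", "action": "file_delete", "object": "C:\\Finance\\budget.xls", "host": "INSIGHT\\FSPDC"},
    {"user": "SYSTEM", "action": "service_start", "object": "C:\\WINDOWS\\system32\\spoolsv.exe", "host": "INSIGHT\\FSPDC"},
    {"user": "INSIGHT\\eve", "action": "logon_failure", "object": "", "host": "INSIGHT\\FSPDC"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = classify(event)
        print(event["user"], event["action"],
              "EXCEPTION" if result["policy_exception"] else "ok",
              "ATTENTION" if result["special_attention"] else "")
    print(summarize(SAMPLE_EVENTS))
```

Note that Katie's deletion of a file in C:\Finance is compliant with the policy (Finance may perform User Actions - File on Financial Data) yet still raises a special attention, whereas Bob's deletion is both a policy exception and a special attention; the two classifications are independent, which is why the summary page counts them separately.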
Alerts
As described in the previous section, Tivoli Financial Accounting Corporation
wants to configure an alert that sends an e-mail to the IT security admin staff
when deletions are performed on objects in the confidential file shares.
The following steps describe how an e-mail alert is created for the Windows
finance file share:
1. Open the Alert Maintenance window in the Management Console. Click on
the New button as shown in Figure 8-67.
3. The Edit Alert window is displayed. Configure the alert to send an e-mail to
the recipient admin@tfac.com when events matching the attention rule with
ID DeleteFinancials occur. (Refer to Figure 8-69). Click OK.
4. The alert is updated with the new configured settings. Click on the Protocol
Settings button identified in Figure 8-70 to configure the protocols in use.
Protocol settings apply to all alerts that are sent using the same protocol.
1. Locate the database that you plan to load in the database view of the
Management Console. Right click and select Load as shown in Figure 8-72.
4. Specify a period of time for which the collected data should be loaded as
shown in Figure 8-75 and click Next.
5. On the next screen, depicted in Figure 8-76, decide whether to perform a data
collection now or whether to use the data that has already been collected
through an earlier collect process.
6. Since you are performing a manual load, the wizard prompts you to specify
which policy should be used to map the data. In order to test the policy you
have been working on select the fixed policy option and navigate to the
correct policy in the work folder as seen in Figure 8-77. Click Next to proceed.
8. When you refresh the database view in the Management Console you can
see that the status for that database changes to the value Loading... to signify
that the load process has started. When the load is complete the status is
Loaded and the time and date of the last load is updated.
The database summary for the GENERAL database is displayed. Figure 8-80 shows an example of this summary page. You can see an events summary section on the right hand side of the screen that includes Total Events, Policy Exceptions, Special Attentions, and Failures. There are Event List icons and Event Summary Report icons to link through to more specific event details.
Let us now look in more detail at mapped events. In particular we explore the
Policy Exceptions and Special Attentions.
This view shows a summary of the exceptions that have occurred with the
number of each type of exception in the last column. For a view of all the
individual policy exception events you may choose the Policy Exception Event
List icon from the GENERAL database summary page (rather than the Policy
Exception Summary icon). Clicking on this icon displays all of the individual
Policy Exception events.
To look at an individual event in more detail, click on one of the values in the
Date/Time column, which is a hyperlink to the event detail view. Figure 8-83
shows the event detail for the event selected in Figure 8-82.
Clicking on the text This is a policy exception links you to the page shown in
Figure 8-84 where the Policy Exception event is explained further. Here you can
see the W7 rule that the individual event was mapped to during the load process.
You can click on any value in the #SpecAtt column to link through to a breakdown of that group of events. After clicking on the number 141 (as seen in Figure 8-85), the details for that group of Special Attention events are displayed. Figure 8-86 shows the Special Attentions for events classified as User Actions - File (W7 What group) on Financial Data (W7 onWhat group) by user INSIGHT\Katie (W7 Who group) located at INSIGHT\FSPDC (W7 Where group).
Once again you can get further event details about a particular item that is listed
by clicking on the link in the Date/Time field. The Event Detail page shown in
Figure 8-87 is displayed.
The link This is a special attention event can be used to see an explanation of why the event has been classified as a Special Attention event. You can see from Figure 8-88 that in this case, the Special Attention event for IT personnel (W7 Who group) performing an action on the Financial Data - Medium objects (W7 onWhat group) has been triggered.
8.8.3 Reports
The iView Reports page can be used to generate online reports based on the loaded data. To open this page, click the Reports button in the top menu of the Database Summary page (refer back to Figure 8-80).
iView Reports is divided into four main categories:
Configuration Tools
Daily Verification
Detailed Investigation
Firewall Reports
Each of these categories contains pre-defined reports for analyzing the events that have been captured. Examples from some of these categories are described in the remainder of this section.
The tick-shaped icon in the Action column of the Events by Rule row indicates that user input is required to run this report: parameters are needed to determine its scope. You are prompted to configure the W7 rule for which you want the matching events to be displayed. Configure the report to include all events that are classed as user actions on a file containing financial data. That is, you are filtering the events using the W7 What group User Actions - File and the W7 onWhat group Financial Data, as displayed in Figure 8-90.
When this report is submitted, a list of events matching this W7 rule is created. As with the previous event list reports, you can navigate through Web links to find individual event details where desired.
As described in 8.3, there are a number of Basel II reports that Tivoli Financial Accounting Corporation is particularly interested in generating.
One of the desired reports is based on user responsibilities and password use.
Therefore, one of the daily verification reports that is of interest to Tivoli Financial
Accounting Corporation is the Logon Failure Summary report.
You can generate the Logon Failure Summary report by clicking on the
appropriate link as shown in Figure 8-91.
A list of the failed logon events and their associated details are displayed in the
browser. Refer to Figure 8-92 for an example Logon Failure Summary report.
Detailed investigation
Earlier in this chapter we also outlined Tivoli Financial Accounting Corporation's desire to monitor actions performed on their confidential file shares (refer back to 8.1, Phase one auditing on page 158), so let us now view the detailed investigation report called Object Audit.
As can be seen from Figure 8-93, this is another example of a report that
requires parameters to be specified before it can be generated. Select which W7
onWhat group you want to audit. As shown in Figure 8-94, select to audit the
Financial Data.
When you click Submit the report is generated. The screen shown in Figure 8-95
shows the output for this report.
As with all of the online reporting in Tivoli Compliance Insight Manager, you are
able to examine the finer details of these events by clicking on the desired links.
Let us find out more about the Object Deletion event that is listed in the Object
Audit Report by clicking on the 1 in the #Events column. The W7 details of the
event are displayed, as shown in Figure 8-96, and by clicking on the available link
in this window you can obtain the event details given in Figure 8-97.
If the diagram represents the last week, click Previous to return to the previous
week. Click Next to go forward one time period. If no data is available, the control
is unavailable.
Below the bar graph in this view there are seven list boxes, one for each W7 group type. You can configure any combination of W7 groups using these drop-down menus. If you select Go (located to the right of the seven list boxes), the diagram displays data for the selected groups. A table at the bottom of the screen describes every bar in the diagram; click a bar's number of events to get its event list.
the Management Console, displayed in Figure 8-99, you can see that this
database also has a daily load schedule associated with it when the server is
initially installed. That is, a Tivoli Compliance Insight Manager Server
automatically starts self auditing from the moment it is first installed.
There are many other useful self-audit reporting capabilities. For instance, the report displayed in Figure 8-103 shows all the events contained in the Self Audit database that are classified as Configuration Changes. As you can see, by default Configuration Change events include user actions such as creating policies, committing policies, aggregating log data, and so on.
8.10 Conclusion
Phase one of Tivoli Financial Accounting Corporation's implementation plan is now complete. In this chapter we have described the process that was used to install and configure a Tivoli Compliance Insight Manager cluster. Tivoli Financial Accounting Corporation now has its Tivoli Compliance Insight Manager environment set up to monitor the actions of its Windows domain users. To achieve this monitoring, Windows Actuators were installed on the Windows servers in the IT environment. Microsoft Windows event sources and Active Directory event sources were configured for the appropriate servers.
The audit subsystems on each server were also configured to ensure that
sufficient log information is generated on the target machines. Appropriate W7
groups and rules were defined and encapsulated in a Tivoli Compliance Insight
Manager policy that has been committed. Scheduled loads can now be
performed on the GENERAL database to collect the data from these Windows
event sources. The iView Compliance Dashboard can be used to monitor user
actions by reporting on the loaded events.
In the next phase, Tivoli Financial Accounting Corporation is going to expand
their deployed compliance management solution by using Tivoli Compliance
Insight Manager to audit more platforms and applications in their environment. In
particular, in phase two, they begin monitoring AIX, SAP, Domino and Oracle.
Chapter 9.
9.1 IT environment
Figure 9-1 shows the customer IT architecture. This architecture was described
in detail in Chapter 6, Introducing Tivoli Financial Accounting Corporation on
page 129. The system groups that we are addressing in this phase of the project
have been highlighted in Figure 9-1.
Figure 9-1 Tivoli Financial Accounting Corporation IT architecture components for phase 2
audit shutdown
audit off
audit on
audit query
The following commands can be useful when interacting with the AIX audit
subsystem:
auditcat
auditpr
The AIX audit subsystem is controlled by the following files (by default these files
are located in the /etc/security/audit directory):
config file
This file contains the key stanzas that control the auditing subsystem. The
stanzas include:
start:
bin:
stream:
classes:
users:
start:
binmode = on
streammode = off
bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536
stream:
cmds = /etc/security/audit/streamcmds
classes:
eprise = PROC_Delete, PROC_Execute, PROC_RealUID, PROC_AuditID,
PROC_RealGID, PROC_Environ, PROC_Privilege, PROC_Settimer,
FILE_Link, FILE_Unlink, FILE_Rename, FILE_Owner, FILE_Mode,
FS_Mount, FS_Unmount, FILE_Acl, FILE_Privilege, FS_Chroot,
TCPIP_Config, TCPIP_host_id, TCPIP_route, TCPIP_connect,
TCPIP_access, TCPIP_set_time, TCPIP_kconfig, TCPIP_kroute,
TCPIP_kconnect, TCPIP_kcreate, USER_Login, PORT_Locked, SYSCK_Check,
SYSCK_Update, SYSCK_Install, USER_Check, USER_Logout, PORT_Change,
USER_Change, USER_Remove, USER_Create, USER_SetGroups, USER_SetEnv,
USER_SU, GROUP_User, GROUP_Adns, GROUP_Change, GROUP_Create,
GROUP_Remove, PASSWORD_Change, PASSWORD_Flags, PASSWORD_Check,
PASSWORD_Ckerr, SRC_Start, SRC_Stop, SRC_Addssys, SRC_Chssys,
SRC_Addserver, SRC_Chserver, SRC_Delssys, SRC_Delserver,
ENQUE_admin, ENQUE_exec, SENDMAIL_Config, SENDMAIL_ToFile,
AT_JobAdd, AT_JobRemove, CRON_JobRemove, CRON_JobAdd, CRON_Start,
CRON_Finish, NVRAM_Config, DEV_Configure, DEV_Change, DEV_Create,
DEV_Start, INSTALLP_Inst, INSTALLP_Exec, UPDATEP_Name, DEV_Stop,
DEV_UnConfigure, DEV_Remove, LVM_ChangeLV, LVM_ChangeVG,
LVM_CreateLV, LVM_CreateVG, LVM_DeleteVG, LVM_DeleteLV,
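To sanity-check a config file such as the one above before trusting the trail it produces, the following Python example (added here; it is not code from the book or from Tivoli Compliance Insight Manager) parses the stanza format and reports settings a collector depends on: binmode must be on, the bin stanza must name a trail and a cmds script, the eprise class must contain a set of events we pick here as an assumption, and the users stanza should carry a default entry. The sample text inside the block is a shortened, constructed copy of the stanzas; the users stanza content is assumed because it is not shown above.

```python
"""Parse and sanity-check an AIX /etc/security/audit/config file.

Added example (not from the book or the product). The sample text is a
shortened, constructed version of the config stanzas discussed above.
"""
from __future__ import annotations

import re

# Constructed sample: a trimmed copy of the stanzas above; the users stanza is assumed.
SAMPLE_CONFIG = """\
start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536

classes:
        eprise = PROC_Execute, FILE_Unlink, FILE_Rename,
        USER_Login, USER_Logout, USER_SU, USER_Create, PASSWORD_Change,
        CRON_JobAdd

users:
        root = eprise
        default = eprise
"""

# Events we assume a compliance collector must see (our choice, not the book's list).
REQUIRED_EPRISE_EVENTS = {"USER_Login", "USER_Logout", "USER_SU", "PASSWORD_Change"}

_STANZA = re.compile(r"^(\w+):\s*$")
_ASSIGN = re.compile(r"^(\w+)\s*=\s*(.*)$")


def parse_audit_config(text: str) -> dict[str, dict[str, str]]:
    """Return {stanza: {key: value}}.

    A value that ends with a comma continues on the following line, which is
    how the long class definitions in the classes stanza are written.
    """
    stanzas: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    pending_key: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):        # blank line or comment
            continue
        if pending_key is not None and current is not None:
            current[pending_key] += " " + line      # continuation of a list value
            if not line.endswith(","):
                pending_key = None
            continue
        m = _STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = _ASSIGN.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip()
            current[key] = value
            if value.endswith(","):
                pending_key = key
    return stanzas


def class_events(cfg: dict[str, dict[str, str]], class_name: str) -> set[str]:
    """Split a comma-separated class definition into its event names."""
    raw = cfg.get("classes", {}).get(class_name, "")
    return {e.strip() for e in raw.split(",") if e.strip()}


def check_audit_config(cfg: dict[str, dict[str, str]]) -> list[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: list[str] = []
    if cfg.get("start", {}).get("binmode", "").lower() != "on":
        findings.append("start: binmode is not on, so no bin trail is written")
    for key in ("trail", "cmds"):
        if key not in cfg.get("bin", {}):
            findings.append(f"bin: missing {key}")
    missing = REQUIRED_EPRISE_EVENTS - class_events(cfg, "eprise")
    if missing:
        findings.append("classes: eprise lacks " + ", ".join(sorted(missing)))
    if "default" not in cfg.get("users", {}):
        findings.append("users: no default entry, so new users are not audited")
    return findings


if __name__ == "__main__":
    cfg = parse_audit_config(SAMPLE_CONFIG)
    for finding in check_audit_config(cfg) or ["config passes all checks"]:
        print(finding)
```

Run it against the real file with `parse_audit_config(open("/etc/security/audit/config").read())` on the AIX host; the check list is where local requirements (which classes each user gets, which events count as mandatory) belong.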
# the next line removes our previous temporary work audit trail
# in case we did not clean up properly previously.
/usr/bin/rm -f /var/log/eprise/working
# the next line uses the auditcat tool to output the audit trail
# into the location /var/log/eprise/working. The $bin
# parameter will be expanded to the path /audit/trail from
# our config file.
/usr/sbin/auditcat -o /var/log/eprise/working $bin
# The next line appends the flushed data to a date and hour stamped
# file in /var/log/eprise e.g. trail.2007083115. This is the file
# which TCIM is looking for when it collects audit data.
/usr/bin/cat /var/log/eprise/working >> /var/log/eprise/trail.`date +"%Y%m%d%H"`
# The next line allows us to maintain the full audit trail in the
# /audit/trail location (this is not required by TCIM but local
# practice may be that this should be the full audit trail).
/usr/bin/cat /var/log/eprise/working >> /audit/trail
# last we remove our temporary working file as it is no longer
# required.
/usr/bin/rm -f /var/log/eprise/working
events file
This file is where we define the event formatting options. We would like to get
audit entries for objects being read, written, and executed, so we need to add
the entries in Example 9-3 to the end of the events file (notice that comments
in the events file are preceded with the * character).
Example 9-3 events file entries for Tivoli Compliance Insight Manager
/home/sensitivedata:
r = "Obj_READ"
w = "Obj_WRITE"
Preparing the AIX system for audit data collection using SSH
In order for Tivoli Compliance Insight Manager to perform remote collection of
audit data we have to do the following:
Create a user for Tivoli Compliance Insight Manager to use. In our case we
create a user named insight.
Ensure that the user has the correct permissions to access the audit data, for
example, the user needs to have full permissions for the /var/log/eprise
directory and its contents, read permissions for the failedlogin file
(/etc/security/failedlogin), read and execute permissions for the /etc and
/etc/security directories, read permissions for the wtmp file (/var/log/wtmp),
and read and execute permissions for the /var and /var/log directories. We
achieved this by adding the insight user to the system, audit, and security
groups on the AIX target system.
Configure the system so that the Tivoli Compliance Insight Manager server is
able to perform an SSH collect from the AIX system using the new user id.
The basic steps to perform this are covered in the IBM Tivoli Compliance
Insight Manager Installation Guide Version 8.0, GI11-8176-00 (Chapter 9, Enabling Collect using SSH event sources). Let us summarize the steps that
are required:
Create SSH public and private keys.
Copy the public key to the insight user's ssh/authorized_keys file.
Save the private key to the Tivoli Compliance Insight Manager server's
SSHKeys directory (typically C:\IBM\TCIM\server\run\sshkeys).
Perform one PuTTY-based SSH login from the Tivoli Compliance Insight
Manager server to the target platform using your Tivoli Compliance Insight
Manager user.
Test the connection using the chksshcon tool.
In the previous subsections we have shown how to configure and prepare the
AIX system so that its audit subsystem generates the information we want and
so that Tivoli Compliance Insight Manager is able to use SSH to collect that
information. Next we show you how to configure Tivoli Compliance Insight
Manager to collect the audit information.
2. Select IBM AIX from the audited machine type (see Figure 9-3 on page 251).
3. Select your machine as shown in Figure 9-4 (in our case our AIX system is
named FINSYS).
4. Choose the Point of Presence that performs the collection (see Figure 9-5). In
our case we are using our EXPANSIONTCIM server to perform the remote
SSH collection. This is the same server that should have previously been
configured so that it is able to connect to the target system using SSH.
5. Select the event source type of AIX Audit trail through SSH as shown in
Figure 9-6 on page 254.
6. At this stage you have completed the Add Machine Wizard as shown in
Figure 9-7 on page 255. Select the finish option which automatically invokes
the Add Event Source Wizard.
7. Select Next on the opening screen of the Add Event Source Wizard (see
Figure 9-8 on page 256).
trail: Prefix for the log files we collect (see Example 9-2 on page 248, where we defined this).
SSH KeyFile: finsys.ppk. Private key we use to connect to the AIX system.
SSH Port: 22. Default SSH port.
SSH User: insight. User ID that we created on the AIX system for collection.
9. Next choose a collection schedule (in our case we are testing and will
manually trigger the collection; we can change the schedule at a later date).
10. Choose a GEM database to store the collected data (in our case we chose
the GENERAL database so that we could apply the same policies to our AIX
systems as we have applied to the rest of our environment).
11. Next complete the Add Event Source Wizard.
Our AIX system is now configured to both generate appropriate audit data and
for Tivoli Compliance Insight Manager to collect and report on that data. In the
next section we are going to manually load and display the results of that load.
on in the iView portal. Figure 9-10 on page 258 shows that we have successfully
collected and mapped the data from our AIX system into the W7 model.
Figure 9-11 on page 258 shows our policy exceptions. We can see that we have
a number of policy exceptions for our root user showing failed logon attempts.
Figure 9-12 on page 259 shows some further detail about our AIX system and
shows object audit events for our root user attempting to access our sensitive
data. This can be further defined as a policy breach and could result in Tivoli
Compliance Insight Manager generating an attention alert.
In Figure 9-13 we show how we could change the sensitive data significance in
our policy so that it would highlight unusual attempts to access our sensitive data
(of course the significance value should align with the results of your risk
analysis).
In Figure 9-15 on page 261 we further refine this by defining a special attention
alert that can be used to notify our security officers about attempts to access our
sensitive data.
Figure 9-16 on page 261 shows the results of this special attention alert when
access to our sensitive data is detected.
Figure 9-16 Special attentions when sensitive data has been accessed
admin4.nsf
installed the Notes client, test that it is able to access the audit data by performing
the following steps:
1. Log onto the Point of Presence as the Administrator user that Tivoli
Compliance Insight Manager is using to collect data. In our case this user was
cearoot_os (the default user is cearoot).
2. Start the Lotus Notes client and logon to Notes using the Notes user that
Tivoli Compliance Insight Manager will use to access the Notes client.
3. From within the Lotus Notes client open the Notes Log (log.nsf) and
Administration Requests (admin4.nsf) databases on the Domino server. If this
is successful then the Notes client is configured correctly for Tivoli
Compliance Insight Manager to use.
Once you have confirmed that the Lotus Notes client on the Point of Presence is
able to access the Domino audit data you can create the new Tivoli Compliance
Insight Manager Domino event source. This function is performed in the same
way as other event sources were added to Tivoli Compliance Insight Manager.
The basic steps are:
1. Press the Add Event Source button in the Tivoli Compliance Insight
Manager administration console to start the Add Event Source Wizard. During
the Wizard's execution the following steps are important:
2. When the wizard asks you for a machine on which the application runs that
you want to audit (see Figure 9-17 on page 264) select the machine on which
the Notes client is installed (this machine should already be a Point of
Presence, if it is not, you need to install the appropriate Actuator on that
machine prior to commencing execution of the Add New Event Source
Wizard). In our case the machine is already being audited for Windows
events, so it previously had a Windows Actuator installed.
3. When asked to choose the Event Source type select the Lotus Notes event
source (see Figure 9-18 on page 265).
4. Next you are asked to define the event source properties (see Figure 9-19 on
page 266). In this dialog you enter the details for the Domino server that you
wish to audit; for example, the entries are for the server name (fspdc in our
case), logfile (which remains the same), password (Note: when you click on
this you are asked for the current password and to create a new password for
the Notes user), and the admin requests database file name (which you
should not need to change).
5. Next define the collection and load schedules and complete the Event Source
Definition Wizard. The next time you perform a scheduled collection and load
you will have collected audit data from the Lotus Domino event source.
In this section we described the process of adding the Lotus Domino event
source to our Tivoli Compliance Insight Manager implementation. The next
section shows the results of this process.
Figure 9-20 Domino audit data within Tivoli Compliance Insight Manager
The next step is to apply the appropriate policy and create appropriate attention
alerts. To illustrate what is possible here we have highlighted two cases.
In the first case Lotus Domino captures a lot of information in its admin4.nsf and
log.nsf databases. This information is faithfully captured and stored in the Tivoli
Compliance Insight Manager GEM repository. However, much of this information
is just about business as usual within our policy guidelines and should not be
highlighted as a policy breach. After our first data collect and load we noticed the
following results in Tivoli Compliance Insight Manager (see Figure 9-21 on
page 267), which means that a lot of policy violations were generated by the data
collected from the Notes Domino system.
Note: Lotus Domino journaling is a function where each mail item is inspected
and those mail items matching predefined rules will have a copy retained.
We determined that this was not a policy exception so we changed our policy
definitions as follows.
First we created an On What group definition called Journaling as shown in
Figure 9-23. As you can see, we defined a group to highlight Database Object
operations where the object path contains the value Journal. This group was
assigned a very low significance since operations on this object are considered
to be low risk.
We then created a policy that indicated that journaling actions were within our
policy as shown in Figure 9-24 on page 269.
The results of this are a massive reduction in the number of policy violations that
Tivoli Compliance Insight Manager reports (as shown in Figure 9-25 on
page 269).
The result of creating this policy grouping definition and special attention rule can
be seen in Figure 9-28 and Figure 9-29 on page 271 respectively.
Figure 9-28 Policy exceptions for users accessing our Sensitive mail file
Figure 9-29 Special attention alerts for users accessing our Sensitive mailbox out of business hours
Tivoli Compliance Insight Manager can use log data that is produced in either
format, for example, within an Oracle instance or in OS managed log files (in the
case of Windows the OS log file is the Windows application event log).
Configuring Oracle to generate audit log data is described well in Chapter 41 in
the IBM Tivoli Compliance Insight Manager Installation Guide Version 8.0,
GI11-8176.
The basic steps are:
Configure Oracle to generate audit trail information in the format you desire,
for example, in a database table or in the OS logs; we choose the OS log.
This step is performed by modifying the audit_trail parameter in the Oracle
initialization file (see the installation guide for further details). In our case we
set audit_trail=OS as the parameter to signify that we want the Oracle audit
information in the OS log (this parameter can be modified in several ways, for
example, editing the config file directly or by using the sqlplus Web interface).
After modifying this parameter you need to restart your Oracle instance.
Run the appropriate Oracle AUDIT commands to set up auditing the way you
desire. We are configuring Oracle in a way to produce extensive audit
information because our database contains very sensitive data. The IBM
Tivoli Compliance Insight Manager Installation Guide Version 8.0, GI11-8176
provides three examples of audit configuration settings for Oracle ranging
from low auditing, medium auditing, to high auditing. The high auditing
settings are configured by running the following Oracle audit commands (from
an SQL prompt):
AUDIT SESSION;
AUDIT SYSTEM AUDIT;
AUDIT USER;
AUDIT SELECT, INSERT, UPDATE, DELETE ON DEFAULT BY SESSION;
AUDIT SYSTEM GRANT;
These settings allow us to capture all logons and logoffs, all changes to the
audit system itself, all changes to user profiles, all attempts to access any of
our tables or modify any of our tables, and any attempts to grant or revoke
privileges.
Once this has been done we can check that our audit settings have worked by
monitoring the contents of the Windows Application event log. If the settings
have worked you should start to see events as shown in Figure 9-30 appear in
the event log.
Figure 9-30 The Oracle audit events in the application event log
Next you are asked for the audit policy profile you want to apply to the Oracle
instance (as shown in Figure 9-32 on page 276). We select none as we have
already configured the auditing settings on the target Oracle instance manually.
You could use these settings to control how the Oracle instance is configured for
auditing (each of the policy level settings, for example, low/medium/high,
corresponds to a policy configuration file that contains some SQL commands
that configure the appropriate levels of auditing; we felt more comfortable
defining our Oracle auditing settings manually).
Next, select a collection schedule and GEM database for the event data (in our
case for testing we chose a schedule of never and the GEM event database of
GENERAL). Once the wizard has completed the event source should be
configured and you are now able to schedule collections and GEM database
loads.
Now that we have the data within Tivoli Compliance Insight Manager we can
start to write and apply policy and attention rules as we have done previously
with the other data sources. Let us assume we have a sensitive set of data and
we want to be alerted if modifications occur to this data. We modify the policy
grouping so that modifications are highlighted and create an attention rule that
alerts us if the data is modified. The policy definition is depicted in Figure 9-34.
If we now apply this policy to our Oracle data we see the following results for our
policy groupings (see Figure 9-36 on page 278) and special attention alerts (see
Figure 9-37).
Figure 9-36 Our policy rules indicating high severity for attempts to access sensitive data
Figure 9-37 Our special attentions indicating access to sensitive Oracle data
file. You can specify the name and location of the Security Audit Log using the
rsau/local/file profile parameter. The following information has been taken from
the IBM Tivoli Compliance Insight Manager Installation Guide Version 8.0,
GI11-8176. It describes the various parameters that may be set (see Table 9-1
on page 280).
Table 9-1 Audit log parameter settings for SAP
Audit Log Parameter            Value
rsau/enable
rsau/local/file
rsau/max_diskspace/local
rsau/selection_slots
rec/client                     ALL
Note: The rsau/local/file parameter contains the entire path name to the audit
logs, as well as the file name. The file name must include + symbols to contain
a variable datepart. Do not include a file extension in the file name. See the
following examples for clarification.
This example shows a valid path and filename:
/usr/sap/machine1/log/audit_++++++++
This example shows an invalid path and filename; the filename does not
include a datepart:
/usr/sap/machine1/log/audit
This example shows an invalid path and filename; the filename includes a
file extension:
/usr/sap/machine1/log/audit_++++++++.aud
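The three rules above are easy to get wrong by hand, so the following Python example (added here; it is not code from the book, the installation guide or SAP) checks a candidate rsau/local/file value against them and also picks out, from a directory listing, the dated audit files a collector configured with a log-name prefix would look for. That the + characters stand for the date digits in YYYYMMDD form is our reading of the audit_++++++++ example, and requiring exactly eight of them, like the file-name matching rule, is our assumption.

```python
"""Check an SAP rsau/local/file value against the rules quoted above.

Added example, not from the book, the installation guide or SAP. The
datepart expansion (eight + characters stand for YYYYMMDD) and the
file-name matching rule are our assumptions.
"""
from __future__ import annotations

import posixpath
import re
from datetime import date

_DATEPART = re.compile(r"\++")   # the run of + characters in the file name


def validate_rsau_local_file(value: str) -> tuple[bool, str]:
    """Return (ok, reason) for a candidate profile value."""
    if not value.startswith("/"):
        return False, "path must be absolute"
    directory, name = posixpath.split(value)
    if not directory or not name:
        return False, "value must contain a directory and a file name"
    if "+" not in name:
        return False, "file name has no datepart (+ characters)"
    if "." in name:
        return False, "file name must not carry a file extension"
    return True, "ok"


def expand_datepart(value: str, day: date | str) -> str:
    """Replace the + run with the date; assumes eight + characters mean YYYYMMDD."""
    ok, reason = validate_rsau_local_file(value)
    if not ok:
        raise ValueError(reason)
    if isinstance(day, str):
        day = date.fromisoformat(day)
    directory, name = posixpath.split(value)
    run = _DATEPART.search(name)
    if run is None or len(run.group()) != 8:
        raise ValueError("expected eight + characters for a YYYYMMDD datepart")
    expanded = name[: run.start()] + day.strftime("%Y%m%d") + name[run.end():]
    return posixpath.join(directory, expanded)


def find_audit_files(listing, prefix: str = "audit_") -> list[str]:
    """From a directory listing, return the dated audit files for a prefix, oldest first.

    Mirrors what a collector configured with a log-name prefix would pick up;
    the exact rule (prefix followed by exactly eight digits) is our assumption.
    """
    pattern = re.compile(re.escape(prefix) + r"\d{8}$")
    return sorted(name for name in listing if pattern.match(name))


if __name__ == "__main__":
    for candidate in ("/usr/sap/machine1/log/audit_++++++++",
                      "/usr/sap/machine1/log/audit",
                      "/usr/sap/machine1/log/audit_++++++++.aud"):
        print(candidate, validate_rsau_local_file(candidate))
    print(expand_datepart("/usr/sap/machine1/log/audit_++++++++", "2007-08-31"))
```

Point `find_audit_files` at `os.listdir()` of the SAP log directory to confirm that the files the event source prefix selects are the ones actually being written.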
After you have configured the basic audit settings you need to specify the events
to audit and log as described below.
Start SAP transaction SM19 to specify the events to log in the Audit Security Log.
The installation guide for Tivoli Compliance Insight Manager provides suggested
settings to specify the events that you should log and the audit settings for each
of those events.
Another point to note is that SAP R/3 logging is not circular, which means that
when the log reaches the size specified by the max_disksize parameter, the
audit process will stop. To prevent this from happening you should set the
Then define the event source properties as shown below in Figure 9-39 on
page 282. The details required here are the prefix for the SAP Log Name (audit_
by default), the SAP Log Directory, and the SAP Version. Then define a
collection schedule.
After you have completed the Add Event Source Wizard Tivoli Compliance
Insight Manager can now be configured to collect your SAP R/3 audit data.
In the next section we show the results of this data collection.
Again we can now apply a policy to this data in the same way as we applied
policies to each of the other audit event data sources. For example, in our
environment we want to highlight users who have modified an SAP system audit
policy. To do this we can use the following policy group definition using the
standard SAP R/3 Tivoli Compliance Insight Manager provided groupings (see
Figure 9-42).
We can then create some simple policy rules to emphasize what is considered
normal activity within the policy, such as user actions in office hours, system
administration during office hours, report runs outside of office hours, and so on,
as illustrated below (see Figure 9-43 on page 284).
We also create some attention rules that can alert us if some action is performed
that is not in accordance with our policy, for example, someone modifies our
audit policy as shown in Figure 9-44.
Figure 9-44 Special attention definition for change of SAP Audit policy
These policy and attention definitions result in a dashboard that looks like
Figure 9-45. This dashboard has grouped all of the events according to our policy
groupings and highlights events associated with changes to the SAP audit
policies. It also shows the special attentions.
Clicking on the intersection of the Ordinary Users and System Updates grid (this
intersection is highlighted in red because it contains high severity policy
violations) shows us all of the events for Ordinary Users performing System
Update activities (as shown in Figure 9-46 on page 286). Clicking on the special
attention summary icon shows us that the user THIMMEL is our culprit! (this is
shown in Figure 9-47 on page 286).
9.7 Conclusion
In this chapter we have shown how you can add new event sources to a Tivoli
Compliance Insight Manager implementation. Once the event sources are
configured you can create audit policies to report on the data that has been
captured. We also showed how you can create policy rules and apply these with
some basic modifications to the underlying policy groupings across all aspects of
your infrastructure.
In the next chapter we extend on these themes further by showing how to create
custom reports using the Tivoli Compliance Insight Manager custom report tool.
Chapter 10. Customized and regulatory reporting
This invokes the Report Editor page, which consists of multiple sections. In a first
step we fill in the fields in the General Information section, as shown in
Figure 10-2.
Figure 10-3 Filling report type and column selection of the report layout
After defining the report type, we select the columns that we would like to see in
the report by clicking on the W7 items on the left side of the mask. The columns
to be displayed in the report are the platform name, where the event occurred,
and the logon name that has been used in the event. By default, the number of
events is selected and already shown on the right side of the mask. This item
cannot be deleted, as we have specified in the report type that we want a
threshold report on events.
As the last item for the layout of the report, we want to include a bar chart. This
means that we want to have a bar showing the number of threshold events,
added by platform and by logon name used. Figure 10-4 shows the necessary
selections.
Figure 10-4 Filling the chart definition of the report layout section
Finally, before the report definition is complete, the events must be selected that
should be reported on in the threshold report. This is achieved by defining the
data criteria of the report, as shown in Figure 10-5 on page 294.
As we have selected a threshold report type and defined events as the threshold
source, we cannot change the event selection of the data criteria section; it is
pre-defined and greyed out. We have to add a condition so that only logon
failures are taken into account for the report. Logon failure is an activity that is
described as a What in W7 terminology, and the corresponding detail description
of a logon failure in the model is Logon: User / Failure.
After entering the conditions on the left side of the mask and pressing the Add
button, the rule is displayed on the right side of the mask and we are finished with
the data criteria section. The mask now looks as shown in Figure 10-6.
After we finish the Report Editor by clicking the Save button on the bottom of the
mask, we can see the custom report at the end of the report list in the new
section Tivoli Financial Accounting Services CIO Office Reports together with
the short description we gave it in the Report Editor, as shown in Figure 10-7 on
page 296. The report list is sorted alphabetically by report groups, in which the
reports again are shown in alphabetical order. This means that a custom report
may not show at the end of the list, but in the middle of it, depending on the
report group you used.
Also, the new report is only shown on another system displaying the report list
after a click on the refresh browser button, as the report list including the new
report must be reloaded from the server. So there is no need to panic, in case
you cannot find a newly defined report directly.
Figure 10-7 New defined custom report and description at end of report list.
Finally we click on the report to test the report. We can see that the result
matches the requirements, and that the content of the report indicates a possible
brute force attack against six user identifiers, as shown in Figure 10-8.
The report shows that more than ten logon failures must have occurred against
the user identifier agoodrich on workstation WXWKST03, as the threshold was
broken not only once like with the other user identifiers, but even twice.
Remember, that the report shows the number of threshold violations, not the
actual number of events. Also, on the same workstation, one threshold violation
has been caused with the user identifier bedwards. By clicking on the violations
in the list, you are able to review the events and their details, just like with the
standard reporting.
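To make the counting rule concrete, here is an added Python example (not code from the book or from Tivoli Compliance Insight Manager) that runs the report's logic over a few constructed events: it keeps only the Logon: User / Failure activity the data criteria select, counts failures per platform and logon name, and reports one violation for every full threshold, so one logon name appears with two violations, another with one, and a third with too few failures is not listed at all. The threshold value (the book's value is not shown in this excerpt), the field names and the counting rule are our assumptions.

```python
"""Compute a logon-failure threshold report like the custom report above.

Added example, not from the book or from Tivoli Compliance Insight Manager.
The events are constructed, the field names are ours, and the counting rule
(one violation for every full threshold of failures per platform and logon
name) is our assumption about how the report arrives at its violation counts.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# The W7 "what" that the report's data criteria select.
LOGON_FAILURE = "Logon: User / Failure"


@dataclass(frozen=True)
class Event:
    platform: str     # where the event occurred
    logon_name: str   # who: the logon name used in the event
    what: str         # the W7 activity description


def sample_events() -> list[Event]:
    """Constructed sample: 12 failures for agoodrich and 6 for bedwards on
    WXWKST03, 3 for cjones on WXWKST01, plus one success that must be ignored."""
    events = [Event("WXWKST03", "agoodrich", LOGON_FAILURE)] * 12
    events += [Event("WXWKST03", "bedwards", LOGON_FAILURE)] * 6
    events += [Event("WXWKST01", "cjones", LOGON_FAILURE)] * 3
    events.append(Event("WXWKST03", "agoodrich", "Logon: User / Success"))
    return events


def threshold_report(events, threshold: int = 5) -> list[tuple[str, str, int, int]]:
    """Return rows (platform, logon_name, failures, violations), worst first.

    Only rows that broke the threshold at least once are listed, and the last
    column is the number of threshold violations, not the raw event count.
    """
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    failures = Counter(
        (e.platform, e.logon_name) for e in events if e.what == LOGON_FAILURE
    )
    rows = []
    for (platform, logon_name), count in failures.items():
        violations = count // threshold      # assumed rule: one per full threshold
        if violations:
            rows.append((platform, logon_name, count, violations))
    rows.sort(key=lambda r: (-r[3], r[0], r[1]))
    return rows


def affected_logon_names(rows) -> set[str]:
    """User identifiers that appear in the report at all."""
    return {r[1] for r in rows}


if __name__ == "__main__":
    for platform, logon_name, count, violations in threshold_report(sample_events()):
        print(f"{platform:10} {logon_name:12} failures={count:3} violations={violations}")
```

Raising the threshold is the quickest way to see the difference between event counts and violation counts: with `threshold=10` the same sample lists agoodrich with a single violation and drops bedwards entirely.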
As we can see, the custom report is working as expected and as required. Now,
we need to set up the distribution for the report, so that the CIO office receives it
in their mailbox every day. We show you how to configure this in the next section.
Using the Add button, we created the user CEACIOOFFICE and provided rights to
log onto the portal, to create and edit custom reports, and to use (which means
view) custom reports in iView. This way the CIO office can access the portal and
also investigate violations in reports received by e-mail.
After confirming that the user exists we open the portal and click on
iView Distribution.
On the following panel Automated Report Distribution we configure the e-mail
settings that are used by the distribution engine to send out the reports.
Note: Tivoli Compliance Insight Manager assumes that the mail server
provided in the field Mail-host does not require authentication when the Tivoli
Compliance Insight Manager server connects to the SMTP service. For
example, an internal relay server, ideally setup for system management
activities like report distribution, can be used.
It must be clear, that the sensitivity of the distributed data is high, so that the
mail engine should only be used for internal mail distribution and not for mail
distribution over the Internet.
Also, we fill in the appropriate e-mail address of the CIO office next to the user
Once these settings are made, we can configure the distribution of the logon
failures threshold report by clicking on Add distribution task, which invokes the
Edit Automated Distribution Task dialog shown in Figure 10-11 on page 300.
Figure 10-11 General information section of the automated report distribution editor
Finally, when we close the editor by pressing the Save button, we return to the
Automated Report Distribution main page, which now shows that the distribution
task has been defined, as shown in Figure 10-14.
Figure 10-14 Automated Report Distribution main page with defined task
Now the Tivoli Financial Accounting Services CIO Office will receive one e-mail
every day with a report in PDF format, which shows the logon failures above
threshold.
Finally, tools like Tivoli Compliance Insight Manager primarily address detective
security controls; they do not provide preventive security controls for systems
other than themselves. If a given regulatory standard does require preventive
security controls and you do not have them deployed, Tivoli Compliance Insight
Manager might help you to detect and monitor this, which means that you are at
least in control of the non-compliance, but the product cannot fix it. To conclude
this topic, regulatory standards may require security controls that fall outside the
technical remit and must be taken care of on the business level.
Similar to this, clicking on the report Log storage provides an overview of the log
storage files created together with the storage data and the event source, of
which the log data is taken from the log database into storage. The example
report for the Tivoli Financial Accounting Services infrastructure is shown in
Figure 10-16 on page 306.
10.3 Conclusion
These configurations conclude our custom reporting and compliance reporting
example for Tivoli Compliance Insight Manager at Tivoli Financial Accounting
Services.
We have covered how to create custom reports, how to distribute them via e-mail
and how to use the compliance reporting options of Tivoli Compliance Insight
Manager.
The examples demonstrate that reporting can only be as good and meaningful
as the definition of the policy. Reports that show a great number of exceptions
only because these cases have not been covered in the policy can create more
disturbance than clarification, so it is important to perform acceptance
reviews with the receivers of the reports.
Chapter 11. System Z integration
In Chapter 6, Introducing Tivoli Financial Accounting Corporation on page 129,
we described Tivoli Financial Accounting Corporation's profile and high level
requirements. To summarize, we have to institute controls over data access and
use within the corporate perimeter on many different platforms. We already
covered the distributed environment in Chapter 8, Basic auditing on page 157,
Chapter 9, Extending auditing to other platforms on page 243 and Chapter 10,
Customized and regulatory reporting on page 289. The next step for Tivoli
Financial Accounting Corporation to implement a compliance management
solution and fulfill the business requirements is System Z integration.
Keeping compliance in mind, the business requirements we have identified in
Chapter 7, Compliance management design on page 137, addressed the
implementation processes to help achieve regulatory compliance and reduce
operational risk. In particular, we identified monitoring and reporting on high
privilege user accounts and activities, and access to sensitive company assets
including financial and business data, as well as confidential customer data that
is stored on their servers, as highest priority processes to implement.
By mapping identified business requirements to the underlying reasons and
expanding the reasons in increasing detail, we extracted functional requirements
for multi-platform support, from data collection from the critical systems to
Basel II reporting, including System Z. One of the outstanding capabilities of
Tivoli Compliance Insight Manager is to collect data from distributed systems
such as Unix, Linux, Windows together with midrange event data and System Z.
In our scenario some of the business critical applications run on System Z, such
as the corporate banking transaction system, the branch bank teller and the
customer online home banking applications. They exploit CICS to process
sensitive financial, business, and customer data stored on the DB2 backend. We
do not go into details here, but Tivoli Financial Accounting Corporation's network
deployment from Chapter 6, Introducing Tivoli Financial Accounting
Corporation on page 129 is shown again for reference in Figure 11-1, with
System Z highlighted in bold in the production zone.
In the following sections we show the System Z integration based on our general
design discussion in Chapter 4, Compliance management solution design on
page 73 and the scenario specific design discussion in Chapter 7, Compliance
management design on page 137, followed by applying the same approach for
log collection and management, policies, reporting and regulatory requirements
as those shown in the distributed environment. We start with reporting
requirements as a first step in the analysis phase.
Basel II report | Description (table rows not captured in this extraction)
Let us add some comments about the Basel II reports from the above table:
Operational change control (8.1.2): The system update report shows changes
to key system components. This report, when used with the incident tracking
report, allows changes to be monitored and recorded and tracked using an
external incident tracking system.
Operator log (8.4.2): Basel II requires that operational staff maintain logs of
their activities. Using this report you can verify the activities of the IT Admin
staff against this log. Examples of these actions include creating, modifying,
deleting administrator accounts, password resets, logon and logoff
successes, and so on.
Review of user access rights (9.2.4, 9.7): This report shows accesses by
users to key resources and shows success and failures. Failures indicate that
the user rights are not sufficient to access the resource. These failures need
to be reviewed to determine whether this user has a legitimate need to
access this data. Similarly, successful accesses must be reviewed on a
regular basis to determine if these users should still have the right to access
this resource and if not have the access revoked or changed.
System access and use (9.2.4.c, 9.7): This report shows accesses by users
to key resources and shows successes and failures. Failures indicate that the
user rights are not sufficient to access the resource. These failures need to be
reviewed to determine whether the user has a legitimate need to access this
data. Similarly, successful accesses must be reviewed on a regular basis to
determine whether these users are still permitted access rights to this resource
and, if not, have their access revoked or changed.
User responsibilities and password use (9.3): This report shows failed
attempts to log on to the systems and services in the network. Failed logons
can range from someone simply having forgotten a password to an attempted
breach of security. This report is an excellent starting point for someone
looking to determine inappropriate use of user information or identity theft.
User identification and authentication (9.5.3): This report shows successful
logon and logoff events based on event data collected from systems and
services throughout the enterprise. Using this event data, you can see all user
IDs that are currently in use, determine whether these user IDs and
passwords are being used responsibly, and do a visual inspection to ensure
that the user IDs do not reveal the user's role or responsibility in the
enterprise.
Information access restrictions (9.6.1): Monitoring access to key information
systems and access success and failures is key. This report shows who
accessed which key systems.
Sensitive system isolation (9.6.2): This report shows accesses by users to
key resources and shows successes and failures. The groups HR DATA, Sensitive
Data, Source code, financial data, and proprietary data are monitored with
this report. Failures indicate that the user rights are not sufficient to access
the resource. These failures need to be reviewed to determine whether this user
has a legitimate need to access this data. Similarly, successful accesses
should be reviewed on a regular basis to determine whether these users should
still have rights to access this resource and, if not, have the access revoked or
changed.
Logging and reviewing events (9.7.2.3): Basel II requires that logs be
collected and that these logs not be tampered with. Using this report, you can
see, through the Tivoli Compliance Insight Manager self-audit events, whether
any actions have been taken that would compromise this event data. This
report requires a valid Tivoli Compliance Insight Manager policy that
represents the Tivoli Financial Accounting Corporation's security policy.
Control of operational software (10.4.1): Control of changes and updates to
system files and resources is essential to control risk. This report shows who
accessed and changed which system resources. Modifications made to the
audit subsystem need to be reported because any modification affects the
level of information in all of the other reports discussed.
Data access (12.1.4): The data access report monitors access to key data
resources. The report shows access to resources defined in the HR_DATA,
SENSITIVE_DATA, PROPRIETARY_DATA, FINANCIAL_DATA and
GENERAL_DATA, who accessed the data and from where.
We show real data from our scenario for some of these reports later in Reports
on page 351.
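Several of the reports above share one pattern: group each accessed resource into a data class (HR_DATA, SENSITIVE_DATA, PROPRIETARY_DATA, FINANCIAL_DATA, with GENERAL_DATA as the remainder), split accesses by outcome, route failures to a legitimate-need review and route successful accessors to the periodic entitlement review. The following Python block is an added example, not Tivoli Compliance Insight Manager code: the prefix-based grouping rules, the W7-style field names and the sample events are constructed for illustration, and the product's own grouping.cfg format is not shown on this page.

```python
"""Data access report over W7-normalized access events, grouped by data
class.  Added example, not TCIM code: the group names follow the page, the
grouping rules and the events are constructed."""
from collections import defaultdict

# Constructed grouping rules: data set name prefix -> group.  TCIM keeps its
# real definitions in grouping.cfg, whose syntax is not shown on this page.
GROUP_PREFIXES = {
    "HR_DATA": ("HR.",),
    "SENSITIVE_DATA": ("CUST.",),
    "PROPRIETARY_DATA": ("PROD.SRC.",),
    "FINANCIAL_DATA": ("FIN.",),
}
DEFAULT_GROUP = "GENERAL_DATA"


def classify(dsn):
    """Map a data set name to its data class (the onWhat group)."""
    for group, prefixes in GROUP_PREFIXES.items():
        if dsn.startswith(prefixes):
            return group
    return DEFAULT_GROUP


# Constructed sample events, already normalized to W7 fields (who, onWhat,
# whereFrom, when); 'success' is the access outcome.
EVENTS = [
    dict(who="ACCT01", onwhat="FIN.GL.LEDGER", wherefrom="TSO0012", when="2024-03-04T09:12", success=True),
    dict(who="ACCT01", onwhat="HR.PAYROLL.MASTER", wherefrom="TSO0012", when="2024-03-04T09:15", success=False),
    dict(who="HRADM1", onwhat="HR.PAYROLL.MASTER", wherefrom="TSO0031", when="2024-03-04T10:02", success=True),
    dict(who="DEV22", onwhat="PROD.SRC.COBOL", wherefrom="BATCHJ1", when="2024-03-04T11:40", success=True),
    dict(who="DEV22", onwhat="CUST.ACCT.DETAIL", wherefrom="BATCHJ1", when="2024-03-04T11:41", success=False),
    dict(who="OPER3", onwhat="SYS1.PARMLIB", wherefrom="CONSOLE", when="2024-03-04T12:00", success=True),
    dict(who="SVCBNK", onwhat="CUST.ACCT.DETAIL", wherefrom="CICSPROD", when="2024-03-04T12:30", success=True),
]


def data_access_report(events):
    """Per data class: who accessed which resource from where, split by outcome."""
    report = defaultdict(lambda: {"success": [], "failure": []})
    for ev in events:
        outcome = "success" if ev["success"] else "failure"
        report[classify(ev["onwhat"])][outcome].append(
            (ev["who"], ev["onwhat"], ev["wherefrom"], ev["when"]))
    return dict(report)


def review_queue(report):
    """Failures go to a legitimate-need review; the set of successful accessors
    per class goes to the periodic entitlement review."""
    investigate = [(group, who, dsn, src)
                   for group, rows in report.items()
                   for who, dsn, src, _ in rows["failure"]]
    recertify = {group: sorted({row[0] for row in rows["success"]})
                 for group, rows in report.items() if rows["success"]}
    return investigate, recertify


if __name__ == "__main__":
    investigate, recertify = review_queue(data_access_report(EVENTS))
    for item in investigate:
        print("REVIEW FAILURE:", *item)
    for group, users in recertify.items():
        print("RECERTIFY", group, ":", ", ".join(users))
```

The split into two queues is the point: a failed access to HR.PAYROLL.MASTER by an accounting user is an exception to investigate now, while the list of users who successfully read SENSITIVE_DATA is what the periodic access review signs off.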
Our next step is to specify the audit data to collect in order to support our
reporting requirements. In the next section we provide audit settings that
support the Basel II System Z reports required by Tivoli Financial Accounting
Corporation.
most cases, auditing every action is not an option, thus we analyze the audit
subsystem and determine, evaluate, and provide audit settings that support
reporting requirements for event sources on the System Z platform.
For audit data Tivoli Compliance Insight Manager uses the event data that is
created through normal System Management Facilities (SMF) processing on
System Z.
SMF is a component providing a standardized method for writing records of
activity to a file (or a data set using System Z terms). SMF provides full
instrumentation of all baseline activities running on System Z, including I/O,
network activity, software usage, error conditions, processor utilization, and so
on. It forms the basis for many monitoring and automation utilities. Each SMF
record has a numbered type (for example "SMF 120" or "SMF 89"), and
operators have great control over how much or how little SMF data to collect.
Based on the example reporting requirements identified in the previous sections,
we determined the example System Z audit settings needed for our scenario, shown
in Table 11-2 below:
Table 11-2 System Z Basel II audit settings example (only the audit settings column was captured; the report column is missing)
SOX report | Audit settings
None
SMF 9, SMF 11, SMF 52, SMF 53, SMF 54, SMF 55, SMF 56, SMF 58, SMF 80 events SETROPTS, CHAUDIT, SMF 90 subtypes 1, 3, 4, 6, 16, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31
SMF 9, SMF 11, SMF 14, SMF 15, SMF 17, SMF 18, SMF 52, SMF 53, SMF 54, SMF 55, SMF 56, SMF 58, SMF 61, SMF 62, SMF 64, SMF 65, SMF 66, SMF 80 events SETROPTS, CHAUDIT, ALTDSD, PERMIT, RALTER, RDEFINE, RDELETE, ADDVOL, RENAME, DELETE, DELVOL, DEFINE, DELDSD, ADDSD, ACCESSSMF, SMF 90 subtypes 1, 3, 4, 5, 6, 13, 14, 16, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31, SMF 92 subtypes 10, 11, SMF 118
SMF 9, SMF 11, SMF 52, SMF 53, SMF 54, SMF 55, SMF 56, SMF 58, SMF 80 events SETROPTS, CHAUDIT, SMF 90 subtypes 1, 3, 4, 6, 16, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31
SMF 9, SMF 11, SMF 14, SMF 15, SMF 17, SMF 18, SMF 52, SMF 53, SMF 54, SMF 55, SMF 56, SMF 58, SMF 61, SMF 62, SMF 64, SMF 65, SMF 66, SMF 80 events SETROPTS, CHAUDIT, ALTDSD, PERMIT, RALTER, RDEFINE, RDELETE, ADDVOL, RENAME, DELETE, DELVOL, DEFINE, DELDSD, ADDSD, ACCESSSMF, SMF 90 subtypes 1, 3, 4, 5, 6, 13, 14, 16, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31, SMF 92 subtypes 10, 11, SMF 118
SMF 9, SMF 11, SMF 14, SMF 15, SMF 17, SMF 18, SMF 52, SMF 53, SMF 54, SMF 55, SMF 56, SMF 58, SMF 61, SMF 62, SMF 64, SMF 65, SMF 66, SMF 80 events SETROPTS, CHAUDIT, ALTDSD, PERMIT, RALTER, RDEFINE, RDELETE, ADDVOL, RENAME, DELETE, DELVOL, DEFINE, DELDSD, ADDSD, ACCESSSMF, SMF 90 subtypes 1, 3, 4, 5, 6, 13, 14, 16, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31, SMF 92 subtypes 10, 11, SMF 118
SMF 9, SMF 11, SMF 14, SMF 15, SMF 17, SMF 18, SMF 52, SMF 53, SMF 54, SMF 55, SMF 56, SMF 58, SMF 61, SMF 62, SMF 64, SMF 65, SMF 66, SMF 80 events SETROPTS, CHAUDIT, ALTDSD, PERMIT, RALTER, RDEFINE, RDELETE, ADDVOL, RENAME, DELETE, DELVOL, DEFINE, DELDSD, ADDSD, ACCESSSMF, SMF 90 subtypes 1, 3, 4, 5, 6, 13, 14, 16, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31, SMF 92 subtypes 10, 11, SMF 118
SMF 9, SMF 11, SMF 14, SMF 15, SMF 17, SMF 18, SMF 52, SMF 53, SMF 54, SMF 55, SMF 56, SMF 58, SMF 61, SMF 62, SMF 64, SMF 65, SMF 66, SMF 80 events SETROPTS, CHAUDIT, ALTDSD, PERMIT, RALTER, RDEFINE, RDELETE, ADDVOL, RENAME, DELETE, DELVOL, DEFINE, DELDSD, ADDSD, ACCESSSMF, SMF 90 subtypes 1, 3, 4, 5, 6, 13, 14, 16, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31, SMF 92 subtypes 10, 11, SMF 118
None
SMF 9, SMF 11, SMF 14, SMF 15, SMF 17, SMF 18, SMF 52, SMF 53, SMF 54, SMF 55, SMF 56, SMF 58, SMF 61, SMF 62, SMF 64, SMF 65, SMF 66, SMF 80 events SETROPTS, CHAUDIT, ALTDSD, PERMIT, RALTER, RDEFINE, RDELETE, ADDVOL, RENAME, DELETE, DELVOL, DEFINE, DELDSD, ADDSD, ACCESSSMF, SMF 90 subtypes 1, 3, 4, 5, 6, 13, 14, 16, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31, SMF 92 subtypes 10, 11, SMF 118
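A practitioner's first question after Table 11-2 is whether SMF recording on each LPAR actually keeps the record types and subtypes a report needs. The following Python is an added example, not Tivoli Compliance Insight Manager or zSecure code: it parses the audit settings text of one Table 11-2 row and compares it with an SMFPRMxx-style TYPE list. The TYPE syntax it accepts (comma list, colon ranges, subtypes in parentheses) and all the TYPE strings are assumptions for illustration. The RACF event names in the row (SETROPTS, CHAUDIT) are written as SMF 80 records according to RACF auditing options rather than SMFPRMxx, so the code lists them for a separate check instead of pretending to verify them.

```python
"""Coverage check of an SMFPRMxx-style TYPE list against the audit settings
a report requires (Table 11-2).  Added example; not TCIM or zSecure code."""
import re

# Audit settings cell quoted from Table 11-2 (the shorter variant).
REQUIRED = ("SMF 9, SMF 11, SMF 52, SMF 53, SMF 54, SMF 55, SMF 56, SMF 58, "
            "SMF 80 events SETROPTS, CHAUDIT, SMF 90 subtypes 1, 3, 4, 6, 16, "
            "18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 31")

# "SMF nn", optionally followed by "subtypes a, b, c"
SMF_RE = re.compile(r"SMF (\d+)(?: subtypes ((?:\d+, )*\d+))?")
# "events A, B, C"; the lookahead stops the list before the next "SMF" token
EVT_RE = re.compile(r"events ((?:(?!SMF\b)[A-Z]+, )*(?!SMF\b)[A-Z]+)")
# one item of an (assumed) TYPE list: nn, nn:mm, or nn(subtypes)
ITEM_RE = re.compile(r"(\d+)(?::(\d+))?(?:\(([^)]*)\))?")


def parse_required(text):
    """Return ({record type: set of subtypes, or None for all}, {RACF events}).
    RACF event names depend on RACF auditing options, not on SMFPRMxx,
    so they are returned separately for a manual check."""
    types, events = {}, set()
    for num, subs in SMF_RE.findall(text):
        types[int(num)] = {int(s) for s in subs.split(", ")} if subs else None
    for group in EVT_RE.findall(text):
        events.update(group.split(", "))
    return types, events


def _expand(spec):
    """'1,3:6,16' -> {1, 3, 4, 5, 6, 16}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_smfprm_type(spec):
    """Parse 'TYPE(9,11,52:58,90(1,3:6))' into {type: None or set of subtypes}.
    Syntax assumed for this example: comma list, colon ranges, subtypes in
    parentheses; None means every subtype of that record type is kept."""
    m = re.fullmatch(r"\s*TYPE\((.*)\)\s*", spec, re.S)
    if not m:
        raise ValueError("expected a TYPE(...) list")
    collected = {}
    for lo, hi, subs in ITEM_RE.findall(m.group(1)):
        for t in range(int(lo), int(hi or lo) + 1):
            collected[t] = _expand(subs) if subs else None
    return collected


def audit_gaps(required_types, collected):
    """Record types (or subtypes) the report needs but the TYPE list drops.
    A value of None means the whole record type is missing or only partly kept."""
    gaps = {}
    for t, need in required_types.items():
        if t not in collected:
            gaps[t] = None
        elif collected[t] is None:          # whole type collected: satisfied
            continue
        elif need is None:                  # whole type needed, subset kept
            gaps[t] = None
        elif need - collected[t]:
            gaps[t] = need - collected[t]
    return gaps


def check(type_list, required=REQUIRED):
    """Return (gaps, racf_events_to_verify) for one TYPE list and one table row."""
    types, events = parse_required(required)
    return audit_gaps(types, parse_smfprm_type(type_list)), events


if __name__ == "__main__":
    for spec in ("TYPE(0:255)",
                 "TYPE(9,11,52:58,80,90(1,3,4,6,16,18:25,27:29,31))",
                 "TYPE(9,11,52:56,80,90(1,3,4))"):
        gaps, events = check(spec)
        print(spec, "->", "covered" if not gaps else gaps,
              "| verify on the RACF side:", sorted(events))
```

Run as a script it prints the three comparisons: TYPE(0:255) covers everything, the selective list covers exactly what the row asks for, and the narrower list reports record type 58 as missing together with the type 90 subtypes that are not kept. The same check can be repeated per LPAR, since the recommended setup gives every LPAR its own Agent and therefore its own SMF configuration to verify.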
11.3 Implementation
Based on our analysis and the System Z Basel II audit settings example
configuration, a new Standard Server will be dedicated to System Z and
added to the Tivoli Compliance Insight Manager cluster as shown in Figure 11-2,
with the System Z and the Tivoli Compliance Insight Manager cluster highlighted in
bold in the production and management zones respectively.
Figure 11-2 Tivoli Financial Accounting Corporation Tivoli Compliance Insight Manager cluster
Installation
The steps for the Standard Server installation are as follows:
1. Install the database engine provided with Tivoli Compliance Insight Manager.
2. Install the desired Tivoli Compliance Insight Manager components for the
Standard Server.
3. Register the Standard Server with the Enterprise Server.
We do not describe the Standard Server installation and registration to the
Enterprise Server here as it is straightforward. For more details on each of these
steps see the IBM Tivoli Compliance Insight Manager Installation Guide Version
8.0, GI11-8176-00.
Configuration
Tivoli Compliance Insight Manager configuration involves the following high level
steps in the Tivoli Compliance Insight Manager Management Console:
1. Create a GEM database to store the event data
2. Create a System Z Machine Group
Each of these steps is outlined in the following sections.
The new SystemZ Machine Group is now displayed in the Machine View window
as shown in Figure 11-6.
After the new Standard Server is installed and registered with the Enterprise
Server and both the GEM database and the Machine Group are prepared, we can
focus on our System Z target and implement Actuators to start collecting the
required audit data.
Note: The original SMF data is not deleted, changed or moved, the data is
only copied. This means that other processes that use this data to report on
specific data and events in the System Z environment are not affected by
Tivoli Compliance Insight Manager. This also preserves the originating data
for further processing or forensic analysis tasks where it may be required for
chain of evidence needs.
System requirements
Here is a list of the system requirements on System Z for implementing the
Actuator.
SMF processing has to be activated.
UNIX System Services (USS) have to be available.
A user id is needed with the authority to:
Define users, groups, directories and file systems.
Define a set of IP ports to be allocated for the Agent.
Create and mount recommended HFS or zFS filesystems.
Setup STARTED or SURROGAT profiles.
Update access to one of the procedure libraries of the Job Entry
Subsystem.
Create entries in the Job Scheduler and/or Automated Operations.
Adjust and synchronize USS timezone(s).
Unicode support.
TCP/IP security.
Tivoli zSecure 1.7.0 at PTF PZ01300 or higher.
Preparation
It is recommended to use separate file systems for the Actuator software and the
Agent data.
It is also recommended to create two separate RACF users:
One that owns the Actuator software and directories.
One that owns the Agent data and directories and has read and execute
permission on the Actuator software and directories.
The defaults shown in Table 11-3 on page 320 are used here:
Table 11-3 Defaults for the Actuator software and the Agent data
Setting | Actuator software | Agent data
Owning User | C2RUSER | C2RAUDIT
Owning Group | C2RGROUP | C2EGROUP
Directory | /usr/lpp/c2e/vx.y | u/c2eaudit/actuatr1
Mountpoint | /usr/lpp/c2e | u/c2eaudit
Filesystem | OMVS.C2R.HFS | OMVS.C2EAUDIT.HFS
Variable | C2ESW | C2EPATH
Software installation
In order to install the software follow these steps.
1. Run the job C2RZCHFS from the CNRINST library to prepare the location
where the software is to be installed. This job must be executed under root
authority.
2. The recommended install directory is /usr/lpp/c2e/v8.0. The install directory is
referred to as C2ESW.
3. Upload the file C2EPAX.Z from the z/OS directory on the Tivoli Compliance
Insight Manager CD into an HFS or zFS file on System Z in binary mode.
4. Run the job C2EUNPAC from the CNRINST library to unpack the software.
This job can be run as root, where C2RUSER and C2RGROUP are substituted
in the step shown, or as SURROGAT where USER=C2RUSER and
GROUP=C2RGROUP.
5. Provide the location of the C2EPAX.Z file and the software installation
directory (C2ESW) to the job.
Agent installation
1. Edit, or at least uncomment, the Actuator's specific parameter section in the
zSecure configuration (default C2R$PARM in library C2RPARM). The specific
parameters are C2ECUST, C2EPATH, C2ESW, C2ELVPFX, and C2ELVLLQ.
Only C2EPATH and C2ELVPFX are mandatory.
The parameters are documented in Appendix E of zSecure Suite:
CARLa-Driven Components Version 1.8.1, SC23-6556-00.
2. Run the job C2EZAUSR in the CNRINST library to create the Agent's owner,
group, home directory, and filesystem if needed.
3. Change the USER parameter to the user id that will run the agent.
4. Include the location of the Agent's typical C2R$PARM that contains the
correct C2EPATH parameter in the C2EJSTRT job.
5. Set the C2ESW parameter to the software install directory (/usr/lpp/c2e/v8.0).
6. Run the job C2EAROOT in the SCKRSAMP library to build the agent's root
directory. Among others this creates a symbolic link in the root directory
called bin to the C2ESW.
Attention: Do not start the Agent job or procedure until after having set up
the secure connection.
For more information on Software and/or Agent installation see zSecure Suite:
CARLa-Driven Components Version 1.8.1, SC23-6556-00.
Agent activation
Before starting the Agent activation, let us consider how the following
recommendations about performance and multiple LPARs apply to the Tivoli
Financial Accounting Corporation System Z environment:
Generally recommended setup:
Separate Agents on each System Z LPAR that you want to monitor.
A Live strategy for the event source, with a collect schedule as frequent as is
needed to have events available on the Tivoli Compliance Insight Manager
server in a reasonable time.
If the Agent for Tivoli Compliance Insight Manager is the only component of
zSecure in use, also use a Live strategy for the User Information Source. A
collect schedule of once a day is sufficient for most cases.
Multiple System Z LPARs recommended setup:
When processing multiple System Z LPARs, the recommended setup is that
each System Z LPAR has its own Agent, processing SMF, CKFREEZE, and
the security database from that System Z LPAR. However, when most of the
DASD is shared, a performance gain can be achieved by not writing all
shared information to all CKFREEZEs.
A multiple System Z LPAR Agent usually requires more processing than
several single Agents. This is because each event source collects references
to all User Information Source data, for example: CKFREEZEs, and possibly
UNLOADs from all System Z LPARs are processed during each chunk of
SMF collection.
In general, multiple System Z LPAR Agents are not recommended. If you run
with a common SMF accumulation data set and do not wish to split that, you
may consider setting up a single System Z LPAR Agent on each System Z
LPAR and using a Live event source. This way, each Agent only processes its
own System Z LPAR's SMF. There is no objection to combining the Live
event source with a Poll or Wait User Information Source.
Each of the LPARs on System Z that needs to be audited should be added as a
new machine. Tivoli Financial Accounting Corporation will place each of its
System Z targets into the new SystemZ Machine Group. In this section, the setup
and configuration for auditing one of the System Z LPARs is shown. Tivoli
Financial Accounting Corporation repeats this process for adding the other System Z
LPARs.
These steps are performed to add each System Z LPAR:
1. With focus on the SystemZ Machine Group in the Management Console
Machine View, we start the Add Machine Wizard, as shown in Figure 11-7.
2. In the next window we select the Audited Machine Type from the available
drop-down menu. For Tivoli Financial Accounting Corporation's System Z, the
correct machine type is IBM z/OS or OS/390 as shown in Figure 11-8.
Note: Checking the Show Available Event Source Types checkbox causes the
Event Source Type panel on the right hand side of the screen to appear. This
allows you to browse the supported event sources for the type of machine you
are adding.
3. In the next window we enter the name of the target machine(s) to be audited
in the Name input box within the Machine frame. Figure 11-9 shows our first
target on System Z, LPAR ANIT.
5. The DNS lookup should resolve host name or IP address of the machine as
shown in Figure 11-11.
6. Next, a local Actuator is installed on each of the target machines. This option
is selected as shown in Figure 11-12.
7. The default IP port that is used for communication is 5992. We check the
availability of the configured port, and if the system requirements discussed at
the beginning of this section are met, we receive the following message box
shown in Figure 11-13.
As also shown in the above figure, the Install Type is always manual by default
for IBM z/OS or OS/390 Machine Type.
However, the default port tested might not be free, as shown in the example
message box below, with details, in Figure 11-15.
If the IP port is not free, you can find one as shown in Figure 11-16. By default, IP
port 23000 is used in that case, if available.
Note: You may find the IP physical address this way, but there is no absolute
guarantee.
11. Before we finish our configuration we save the configuration file needed for
Agent activation. Click Save and enter a filename as shown in Figure 11-19.
12. We now transfer this configuration file in text mode to the Agent root directory
on System Z (C2EPATH).
13. To initialize the Agent, we run the C2ECNNT job located in CNRINST under
the user id that owns the Agent install directory (C2EAUDIT). To verify
success we check the agent.log file located in the C2EPATH/log directory for
the string: LCM: Initial certification completed successfully.
Note: A configuration file is only valid for 24 hours before it expires.
14. Run the C2EJSTOP job in the SC2RJOBS library, again using the C2EAUDIT
user id, to stop the initialization process.
15. Continue to activate the Agent using the C2EJSTRT job in the SC2RJOBS library
using the C2EAUDIT user id.
2. Next we define the z/OS Event Source properties. We use the default settings
with the Live collection strategy as recommended before. Table 11-4 explains
the properties.
Table 11-4 Event Source properties
Property | Description
Collect strategy | (description not captured in this extraction)
Error retention | Number of days that message log files are kept. Older log files are deleted at the next event source collect.
(property name not captured) | Data set from which data is collected when the collect strategy is Poll or Wait. For normal production, you should specify your SMF accumulation data set here. Often, installations off load their active SMF into a data set that is a member of a Generation Data Group (GDG), for instance: off load into SYS2.WEEKLY.SMF(0), and once a week create SYS2.WEEKLY.SMF(+1). If your installation uses a GDG, you can specify SYS2.WEEKLY.SMF(0), which represents the most recent member of the GDG. Processing ACF2 data by an Agent that runs on a RACF system, or the reverse, is not supported. This field must be empty when the collect strategy is Live.
Enter the proper Event Source Properties now as shown in Figure 11-21 on
page 332. Click Next to continue.
For better understanding we depict System Z Live as well as Wait and Poll
strategies in Figure 11-22 and Figure 11-23 respectively. In the Live strategy,
the Event Source will only read the intercepted SMF datasets.
Figure 11-22 (Live strategy; labels recovered from the figure): LPAR, OS Batch, SMF MANx datasets, SMF Archive datasets, CARLa extract, Compressed extract, TCIM Actuator and Agent function
Figure 11-23 (Wait and Poll strategies; labels recovered from the figure): LPAR, OS Batch, SMF MANx datasets, CARLa extract, SMF Archive datasets (shown three times), Compressed extract, TCIM Actuator and Agent function
5. For the Load Schedule we choose to load data on a working day basis, at 3
am, as shown in Figure 11-26. Click Next to continue.
This schedule allows System Z audit data to be collected on time from all
System Z LPARs and then loaded into the FINANCE GEM database. On the
other hand, audit data collected from Friday to Sunday is loaded as late as
Monday morning, but no high activity is expected during the weekend
on System Z, so we do not expect the Tivoli Compliance Insight Manager
server to be overloaded.
For reporting reasons we want last week's data available at any time, thus we
are using a seven day sliding schedule as shown in Figure 11-26.
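To make the latency trade-off of this schedule concrete, the following Python is an added example, not Tivoli Compliance Insight Manager code. It computes when an event written at a given time reaches the FINANCE database under a Monday-to-Friday 03:00 load and whether an event still falls inside the seven-day window. Two points are assumptions for illustration: that the sliding schedule keeps the most recent seven days at each load, and that an event stamped exactly at load time misses that load.

```python
"""Load latency under a working-day 03:00 load schedule with a seven-day
sliding window.  Added example, not TCIM code; the window semantics
(the database holds the most recent seven days at each load) are assumed."""
from datetime import datetime, timedelta, time

LOAD_TIME = time(3, 0)   # working-day load at 03:00
WINDOW_DAYS = 7          # seven-day sliding schedule


def _parse(ts):
    """Accept ISO-8601 strings ('2024-03-08T04:00') or datetime objects."""
    return datetime.fromisoformat(ts) if isinstance(ts, str) else ts


def next_load(event_time):
    """First Monday-to-Friday 03:00 strictly after the event.  An event stamped
    exactly at load time is assumed to miss that load (assumption)."""
    event = _parse(event_time)
    load = datetime.combine(event.date(), LOAD_TIME)
    if load <= event:
        load += timedelta(days=1)
    while load.weekday() >= 5:           # 5 = Saturday, 6 = Sunday: no load
        load += timedelta(days=1)
    return load


def next_load_iso(event_time):
    return next_load(event_time).isoformat(timespec="minutes")


def load_latency_hours(event_time):
    """Hours between an event and the load that brings it into the database."""
    event = _parse(event_time)
    return (next_load(event) - event).total_seconds() / 3600


def worst_case_by_weekday():
    """Worst-case latency for an event written right at each weekday's load time."""
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    monday = datetime(2024, 3, 4, 3, 0)   # constructed anchor: a Monday 03:00
    return {names[i]: load_latency_hours(monday + timedelta(days=i))
            for i in range(7)}


def in_window(event_time, load_time):
    """Whether an event is still held by the database after the given load."""
    event, load = _parse(event_time), _parse(load_time)
    return load - timedelta(days=WINDOW_DAYS) <= event <= load


if __name__ == "__main__":
    print("Friday 04:00 event loaded at", next_load_iso("2024-03-08T04:00"),
          "after", load_latency_hours("2024-03-08T04:00"), "hours")
    print("worst case per weekday (hours):", worst_case_by_weekday())
```

The worst case is an event written just after Friday's load: it waits 72 hours for Monday's run, which is the "as late as Monday morning" case above; events from Monday to Thursday wait at most 24 hours.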
6. We complete the Add Event Source wizard as shown in Figure 11-27. Click
Finish.
After we have repeated the implementation process to the current point for all
three of Tivoli Financial Accounting Corporation's System Z LPARs, namely ANIT,
ASRU, and AZEN, the Tivoli Compliance Insight Manager Management Console
Machine View reflects the status of the System Z LPARs as shown in Figure 11-28.
In the following step we configure a User Information Source with a Live collect
strategy using the Management Console. We have to run at least one User
Information Source collect before we run any Event Source collect, otherwise the
Event Source collect will fail, because the CKFREEZE data set was never written
into. Thus we postpone loading and testing the FINANCE database for now.
The user information source is actually yet another event source responsible for
the collection of the user database information. The collected information is also
stored in the Tivoli Compliance Insight Manager server archive as a chunk. The
information is already stored as a grouping function definition and is used during
a scheduled load of a database.
We add the z/OS user information source using the Management Console to
include RACF user and IOCONFIG information in the reports.
In this section we illustrate how to complete the Add User Information Source
Wizard for the z/OS user information source on the ANIT System Z LPAR.
1. We start with the Add User Information Source Wizard welcome screen that is
displayed as shown in Figure 11-31. Click Next to continue.
When loading data into a GEM database, Tivoli Compliance Insight Manager
uses the group definitions from the user information source in addition to the
groups defined in the policy. User information from a user information source
is applied to all event sources from the same operating system.
3. We choose z/OS grouping for our scenario as shown in Figure 11-33. Click
Next to continue.
4. Next we define z/OS Event Source properties. We use default settings, with a
Live collection strategy as recommended before and shown in Figure 11-34.
Click Next to continue.
User information source properties (only the Property column was captured in this extraction): Collect strategy, Complex name, Error retention, IOCONFIG, Dataset Name
After we repeat the user information source configuration for all three of Tivoli
Financial Accounting Corporation's System Z LPARs, namely ANIT, ASRU, and
AZEN, the Tivoli Compliance Insight Manager Management Console Machine
View reflects the status of the System Z LPARs as shown in Figure 11-37.
Lastly, there are no changes in the Database View of the Tivoli Compliance Insight
Manager Management Console, as shown in Figure 11-39.
This concludes our section about the Actuator implementation. We can begin
collecting audit data now. The last step before we can show System Z Basel II
compliance reports is the Basel II compliance management module
implementation.
Basel II compliance management module life cycle (figure labels): Configure W7 groups, Adjust reports, Commit policy, Re-evaluate
In this section we go through the life cycle of the Basel II compliance
management module, which includes the installation, implementation, and finally
Basel II compliance reports as identified in the Tivoli Financial Accounting
Corporation requirements. The goal is to produce Basel II compliance reports for
its System Z environment.
Installation
The IBM Tivoli Basel II Management Module Installation Guide Version 8.0,
GI11-8177-00 provides an overview and installation information for the IBM Tivoli
Basel II compliance management module, so we do not go into details here.
After successful installation from a self-extracting executable on a separate CD,
the Basel II compliance management module is displayed in the Tivoli
Compliance Insight Manager Management Modules section of the portal as
shown in Figure 11-40.
Figure 11-40 Tivoli Compliance Insight Manager Basel II compliance management module
Optionally, the templates, reports, and documentation associated with the Basel
II compliance management module can be accessed in the iView Regulations
Resource Center as shown in Figure 11-41.
Classification Template
A W7 Classification Template helps us build W7 groups according to the Basel II
regulation.
The Classification Template is a link to the grouping.cfg file that contains a
complete list of all group names for each and every W7 category used by the
Basel II compliance management module report and Tivoli Compliance Insight
Manager policy. The template can be exported using the download button, but it
is recommended to use the Windows file explorer to copy the file from the
\iView\Web\regulations\basel\ directory to the destination in the policy directory.
Figure 11-42 partially shows the onWhat category in the Basel II classification
template.
Policy Template
The Policy Template contains a set of policy and attention rules based on the
regulation's recommendations.
This is the link to the policy.pcy file that is installed with the grouping file
belonging to the Basel II compliance management module. Again, this file can be
downloaded using the download button, but it is recommended to use the Windows
file explorer to copy it from the \iView\Web\regulations\basel\ directory.
The Policy Rules from the Basel II Policy Template are shown in Figure 11-43.
The Policy Template contains policy and attention rules based on the
recommendations in the Basel II regulation. These recommendations were
evaluated and translated into the W7 model and included where meaningful
coverage can be achieved.
A partial list of all Attention Rules from the Basel II Policy Template is shown in
Figure 11-44.
As with the grouping.cfg file or Classification Template, the file contents are used
in the Tivoli Compliance Insight Manager default policy. Once used there, the
groups and rules will build the dashboard contents in iView. The policy rules
used in the Management Module are derived from the Basel II compliance
regulation.
Reports
The reports section contains the reports required by the regulation.
The most important link of the Basel II compliance management module is the
Reports link. It provides access to the set of reports specially defined for the
Basel II compliance management module. Every report has a link to a paragraph
in the compliance regulation that discusses the need for information of the type
shown in the report.
These reports are built according to the report requirements identified in the
Basel II regulatory compliance document.
Figure 11-45 shows a partial list of Basel II regulation reports.
Import
Once the compliance management module has been installed, we need a
working policy. Because we want System Z to be compliant with the Basel II
regulations, we use the templates that come with the Basel II compliance
management module and customize them to suit Tivoli Financial Accounting
Corporation's System Z needs. This paragraph explains what needs to be done.
The recommended approach in Tivoli Compliance Insight Manager is to create a
duplicate of Tivoli Financial Accounting Corporation's default predefined policy,
located in the committed folder
\Server\config\grouping\committed\20000101000000, and start with that.
Although it can be used as a template for all supported systems, at the moment
we don't want to deal with anything other than System Z.
1. We create a new empty System Z policy called SystemZ in the work directory
(..\Server\config\grouping\work on hard drive), as shown in Figure 11-46.
Later on, we can merge this policy into a common Tivoli Financial Accounting
Corporation policy, where System Z plays an integral part.
2. Next we open the SystemZ policy and import all needed components. From
the ..\iView\Web\regulations\basel directory we import the Basel II grouping
file grouping.cfg as shown in Figure 11-47.
3. Finally we import Basel II policy rules and attention rules from the template
policy.pcy located in the same Basel II regulation directory
..\iView\Web\regulations\basel as before and as shown in Figure 11-48.
Note: The same file policy.pcy is used to import policy rules as well as
attention rules, but import is done separately for each of the two.
Once imported, Basel II policy and attention rules are displayed as shown in
Figure 11-49 and Figure 11-50 respectively.
Now that the policy is in place, we have to customize it for Tivoli Financial
Accounting Corporation's System Z environment. We do not modify any policy
or attention rules, as they are based on the Basel II regulation
recommendations, which were evaluated and translated into the W7 model.
In the next paragraph we customize the W7 Groups for Tivoli Financial Accounting
Corporation's System Z environment.
W7 groups
First we assign entities to the classification template groups. When the policy is
used, this grouping is merged with the latest grouping from the user information
source and used together with it.
Figure 11-51 shows an example of Tivoli Financial Accounting Corporation's
assignment for the W7 category When and, in part, for the category Where
(Customer Information systems group).
After we save our first policy, it is time to load the System Z audit data, see the
first resulting reports and make adjustments if necessary.
Reports
To load the System Z audit data into the FINANCE database, we first have to
disable the existing associated load schedule in the Tivoli Compliance Insight
Manager Management Console as shown in Figure 11-52.
Note: In a production environment we recommend using a specifically created
test GEM database, so that we do not have to interrupt any scheduled load or
report on our FINANCE database.
Then we start loading the database, using our draft policy, as illustrated next.
1. First we select our FINANCE database and start the Load Database Wizard
as shown in Figure 11-53. Click Next to continue.
3. For the data we want to load, we have to specify the time frame as shown in
Figure 11-55. Click Next to continue.
4. We also specify whether we want the latest data from the event sources in
addition to audit data already present in the Depot, or just the latest, as shown
in Figure 11-56. Click Next to continue.
5. Finally, we choose our policy to use for this load, as shown in Figure 11-57.
Click Next to continue.
We are now ready to request that the System Z audit data be loaded into the
FINANCE database.
After a successful load, we open the dashboard to have a first look at Tivoli
Financial Accounting Corporation's System Z Basel II compliance status, as
shown in Figure 11-59.
At first glance we see a grid dashboard, which clearly indicates that the majority
of exceptions are related to customer data on System Z.
We can also check the status of the audit data and the FINANCE database itself, as
shown in Figure 11-60.
We see that the database was loaded successfully with the automated policy
used together with our SystemZ work policy. We also see the amount of audit
data in the database together with the time frame for each of Tivoli Financial
Accounting Corporation's System Z LPARs.
We end the Reports section with some actual Basel II reports for Tivoli Financial
Accounting Corporation's System Z, as requested and identified in Reporting
requirements on page 309. These reports are depicted in Figure 11-61
through Figure 11-69 on page 367.
Commit
We are satisfied with the reports and want to put them into automatic mode. To
be more exact, we want to schedule System Z audit data load with Basel II
policy.
1. First we re-enable the load schedule for the FINANCE database as shown in
Figure 11-70.
2. Last but not least, we commit the Basel II policy, to be used for subsequent
scheduled loads, as shown in Figure 11-71.
11.4 Conclusion
Demonstrating a proper understanding of operational risk is a critical aspect of
complying with the Basel II regulation. In today's business environment, IT
security is a critical component of operational risk management. IT security
manages a growing number of operational controls and is a repository for
evidence of operational incidents, so it becomes critical for IT security to support
risk management in its Basel II compliance efforts. This requires implementing a
series of mechanisms to monitor, measure, and control risks and incidents. This
close interaction between risk management and IT security will not only
accelerate regulatory compliance, but will also significantly improve the
effectiveness of operational risk management throughout the enterprise.
Tivoli Financial Accounting Corporation effectively defined and produced Basel II
compliance reports for its System Z environment, and showed that the controls
are in place, active, and working.
The very last phase in the Tivoli Financial Accounting Corporation scenario is
discussed in the next chapter, Tivoli Security Operations Manager integration on
page 371.
Chapter 12. Tivoli Security Operations Manager integration
they are generally very simple scripts that use some of the basic integration
features that have been built into the two main components of the SIEM solution.
The integrations can also be extended or modified to meet whatever customer
requirements arise, rather than locking you into a single way of doing this that
does not meet every organization's requirements.
In 12.2.1, General integration approach below, we begin the integration
scenarios by showing how to make Tivoli Security Operations Manager audit
events available to Tivoli Compliance Insight Manager for policy evaluation.
Later in this section we describe how this same approach can be used to have
other policy breach events detected by Tivoli Security Operations Manager made
available to Tivoli Compliance Insight Manager for complete compliance
dashboard coverage.
Compliance Insight Manager. The W7Log SDK extends the Tivoli Compliance
Insight Manager product with support for collecting and processing using
generalized input formats. This event format provides complete coverage for the
same W7 dimensions that are used in the normalization process for the natively
supported event sources in Tivoli Compliance Insight Manager. We use the CSV
generic event format available in the W7Log SDK to create the Tivoli Security
Operations Manager audit trail directly in the W7 grammar. This provides
immediate coverage of Tivoli Security Operations Manager through Tivoli
Compliance Insight Manager's comprehensive set of audit and compliance
reports. This concept is illustrated in Figure 12-1 on page 374. More details on
the W7Log SDK are provided in 3.4, The W7LogSDK on page 59.
We augment Tivoli Security Operations Manager with an audit trail capability in a
standardized format.
Figure 12-1 Tivoli Security Operations Manager integration via W7Log SDK (diagram components: Target Application, Native, W7Log, Actuator, InSight Depot, InSight reports)
12.2.3 Prerequisites
This integration uses Tivoli Compliance Insight Manager 8.0 on Windows 2003,
and Tivoli Security Operations Manager 3.1 on Linux RedHat Enterprise Server.
One additional tool is required on the Tivoli Compliance Insight Manager 8.0
server, which is the PuTTY toolset. Specifically, the tools puttygen.exe, plink.exe
and pscp.exe are used in this prototype. This toolset can be found on the Tivoli
Compliance Insight Manager 8.0 distribution media, disk 2. Alternatively, these
tools can be downloaded from the following Website
(http://www.chiark.greenend.org.uk/~sgtatham/putty/).
Parameter
--when='<utime>'
--who='<realname,logonname>'
--what='<verb,noun,success>'
--where='<type,name>'
--wherefrom='<type,name>'
--whereto='<type,name>'
--onwhat='<type,path,name>'
--info='<description>'
Let us look at an example use of the tcimlogger script when called from an Action
in Tivoli Security Operations Manager:
tcimlogger --what='Detect,WORM,Warning' \
--wherefrom='-,$srcip' \
--whereto='-,$dstip' \
--onwhat='RULE,-,$rule'
In this example, the default values are used for the unspecified parameters
When, Who, Where and Info.
The source code of the sample tcimlogger script is provided in Example 12-1 on
page 378.
Example 12-1 tcimlogger script source code
#!/usr/bin/perl -w
#
# Sample TCIM audit logger for TSOM
# Version: 0.1, 2007-06-26
use strict;
use Fcntl ':flock';
use Getopt::Long;
open LOG, ">>/var/log/tcim/audit.log";
flock LOG, LOCK_EX;
seek LOG, 0, 2;
# print header if new file
print LOG format_header() if tell(LOG) == 0;
my ($when,$what,$who,$where,$onwhat,$wherefrom,
    $whereto,$info);
GetOptions( "when=s"      => \$when,
            "what=s"      => \$what,
            "who=s"       => \$who,
            "where=s"     => \$where,
            "onwhat=s"    => \$onwhat,
            "wherefrom=s" => \$wherefrom,
            "whereto=s"   => \$whereto,
            "info=s"      => \$info );
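To make the behaviour of the logger concrete beyond the part of the listing reproduced above, here is an added Python equivalent. It is not the Redbook's tcimlogger script (which is Perl) and not part of the W7Log SDK: it parses the eight W7 parameters with the sub-field arities given in the parameter table, fills defaults for the parameters an Action leaves out, and appends one CSV row under an exclusive lock, writing a header only when the file is new (the flock/seek/tell sequence of the Perl listing). The header column names (for example who.realname), the default values, and the use of the local host name for Where are assumptions of this example, not the SDK's actual CSV layout.

```python
"""W7-style audit logger in the spirit of tcimlogger (added example, not the
Redbook's script). Column names and default values are assumptions."""
import csv
import fcntl
import io
import os
import socket
import sys
import time

# The eight W7 parameters and the sub-fields each one carries, in the order
# documented for tcimlogger (--who='<realname,logonname>' and so on).
W7_FIELDS = {
    "when": ["utime"],
    "who": ["realname", "logonname"],
    "what": ["verb", "noun", "success"],
    "where": ["type", "name"],
    "wherefrom": ["type", "name"],
    "whereto": ["type", "name"],
    "onwhat": ["type", "path", "name"],
    "info": ["description"],
}


def default_values(now=None):
    """Assumed defaults for parameters the caller omits. The page says When,
    Who, Where and Info have defaults but does not list them; '-' is used
    here the same way the page's own examples use it for unknown values."""
    now = int(time.time()) if now is None else int(now)
    return {
        "when": [str(now)],
        "who": ["-", "-"],
        "what": ["-", "-", "-"],
        "where": ["TSOM System", socket.gethostname()],  # assumption
        "wherefrom": ["-", "-"],
        "whereto": ["-", "-"],
        "onwhat": ["-", "-", "-"],
        "info": ["-"],
    }


def parse_args(argv, now=None):
    """Parse tcimlogger-style --name=a,b,c arguments into W7 sub-fields.
    A value with the wrong number of comma-separated parts is rejected so a
    mistyped Action definition never produces a misaligned audit record."""
    fields = default_values(now)
    for arg in argv:
        if not arg.startswith("--") or "=" not in arg:
            raise ValueError("unexpected argument: %r" % arg)
        name, value = arg[2:].split("=", 1)
        if name not in W7_FIELDS:
            raise ValueError("unknown W7 parameter: --%s" % name)
        parts = value.split(",")
        if len(parts) != len(W7_FIELDS[name]):
            raise ValueError("--%s expects %d comma-separated values, got %d"
                             % (name, len(W7_FIELDS[name]), len(parts)))
        fields[name] = parts
    return fields


def header_line():
    """Assumed CSV header: one column per W7 sub-field, e.g. who.realname."""
    return ",".join("%s.%s" % (p, s) for p in W7_FIELDS for s in W7_FIELDS[p])


def record_line(fields):
    """Serialise one event as a CSV row in the same column order as the header."""
    row = [v for p in W7_FIELDS for v in fields[p]]
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(row)
    return buf.getvalue()


def append_record(path, line):
    """Append under an exclusive lock; write the header only when the file is
    new. Returns True when the header was written (new file)."""
    with open(path, "a", newline="") as log:
        fcntl.flock(log, fcntl.LOCK_EX)
        log.seek(0, os.SEEK_END)
        new_file = log.tell() == 0
        if new_file:
            log.write(header_line() + "\n")
        log.write(line + "\n")
        fcntl.flock(log, fcntl.LOCK_UN)
    return new_file


if __name__ == "__main__":
    # Same calling convention as the Action examples on this page.
    append_record("/var/log/tcim/audit.log",
                  record_line(parse_args(sys.argv[1:])))
```

Rejecting a value with the wrong arity is the one deliberate departure from a plain option parser: the downstream policy evaluation keys on the individual W7 columns, so a shifted column is worse for the audit trail than a rejected call that shows up as a failed Action.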
12.2.5 Installation
Let us now take a closer look at the different installation steps.
mkdir -p /var/log/tcim
chown -R root.ns /var/log/tcim
chmod -R 764 /var/log/tcim
cp tcimlogger /usr/local/bin
chmod 754 /usr/local/bin/tcimlogger
#!/bin/sh
PATH=/bin
cd /var/log/tcim
if [ -f audit.log ]; then
mv audit.log audit-`date +%s.%N`.log
fi
Next, you need another executable file /usr/local/bin/tcim-postcollect as below,
which is responsible for removing the Tivoli Security Operations Manager audit
log information after Tivoli Compliance Insight Manager has reliably collected it.
Example 12-4 Tivoli Compliance Insight Manager post-collect script
#!/bin/sh
PATH=/bin
cd /var/log/tcim
rm -f audit-*.log
Both files need to have the correct ownership and permissions that allow read
and execution by the service users used by both Tivoli Security Operations
Manager and Tivoli Compliance Insight Manager (a typical user to use for this
purpose would be the ns user on the Tivoli Security Operations Manager
Central Management Server; for example, you could run chown root.ns tcim-*
and chmod 754 to get the right permissions).
The collect from the Tivoli Compliance Insight Manager server is performed
using SSH. The instructions below detail how to create a public/private key pair
for the ns user on the Tivoli Security Operations Manager server.
1. Run the following commands:
# cd ~ns
# mkdir .ssh
# ssh-keygen -b 1024 -t rsa
This generates the public/private rsa key pair.
a. Enter file in which to save the key (/root/.ssh/id_rsa): .ssh/id_rsa
e:
cd \IBM\TSOM
plink -i id_rsa.ppk ns@192.168.111.111
Simply accept the Tivoli Security Operations Manager server keys, and after the
connection is established, type exit in the Tivoli Security Operations Manager
shell to log out.
Next, create the following collect script on the Tivoli Compliance Insight Manager
server in the D:\IBM\TSOM directory:
Make sure you have the PuTTY tools plink.exe and pscp.exe in your
Windows search path, or fully qualify the file names with the directory they
can be found in.
Replace the IP address in the script with the IP address or DNS host name of
the Tivoli Security Operations Manager server.
Also modify the directory and drive of where you want Tivoli Compliance
Insight Manager to be able to find the audit files, which is the directory
structure created in the previous step.
Example 12-5 depicts the file tcim-collect.cmd.
Example 12-5 tcim-collect.cmd
@echo off
set tsom=192.168.111.111
e:
cd \ibm\tsom
plink -i id_rsa.ppk ns@%tsom% /usr/local/bin/tcim-precollect
pscp -i id_rsa.ppk ns@%tsom%:/var/log/tcim/audit-*.log .\temp
plink -i id_rsa.ppk ns@%tsom% /usr/local/bin/tcim-postcollect
move .\temp\*.* .\Staging
This script takes care of rolling-over the current audit log file on the Tivoli
Security Operations Manager server, then copies any available rolled-over file to
the Tivoli Compliance Insight Manager server into a temporary directory using
scp. Then the post-collect script is called to dispose of the old logs on the Tivoli
Security Operations Manager server, and finally the files are copied from the
temporary directory to the event source staging directory.
The script should now be scheduled to run regularly through the Windows
Scheduler. For a proof of concept, a recommended interval would be five
minutes.
It is fairly easy to test this process with the following steps:
1. Create a file /var/log/tcim/audit.log on the Tivoli Security Operations Manager
server that is owned by the ns user.
2. Manually kick-off the tcim-collect.cmd script.
3. The log directory on the Tivoli Security Operations Manager server should
now be empty, and a new file can be found in the Staging directory on the
Tivoli Compliance Insight Manager server.
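The three-step cycle (roll over, copy, dispose, then stage) is easy to get subtly wrong, so here is an added Python model of it that runs on local directories. It is not the Redbook's tcim-precollect, tcim-collect.cmd or tcim-postcollect, and it does not use plink or pscp; the directory names and the digest check are this example's assumptions. The one deliberate difference from the scripts above is in disposal: tcim-postcollect removes every audit-*.log, and tcim-collect.cmd calls it without checking whether pscp succeeded, so a rolled-over file whose transfer failed would be deleted and its events lost from the audit trail. The model below removes only the files whose copy was verified, and leaves the rest for the next run.

```python
"""Local model of the precollect / collect / postcollect / stage cycle
(added example, not the Redbook's scripts)."""
import hashlib
import os
import shutil
import time

AUDIT_FILE = "audit.log"


def sha256_of(path):
    """Digest a file in chunks so large audit files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def precollect(logdir):
    """Roll the live audit.log over to audit-<timestamp>.log, as tcim-precollect
    does with `date +%s.%N`. Returns the new path, or None when there was
    nothing to roll over."""
    live = os.path.join(logdir, AUDIT_FILE)
    if not os.path.isfile(live):
        return None
    rolled = os.path.join(logdir, "audit-%d.log" % time.time_ns())
    # rename is atomic on one filesystem; a logger that already holds the old
    # file open keeps appending to the rolled file, nothing is dropped.
    os.rename(live, rolled)
    return rolled


def collect(logdir, tempdir):
    """Copy every rolled-over file to tempdir and verify each copy by digest
    (the pscp step). Returns (verified, failed) lists of source paths."""
    os.makedirs(tempdir, exist_ok=True)
    verified, failed = [], []
    for name in sorted(os.listdir(logdir)):
        if not (name.startswith("audit-") and name.endswith(".log")):
            continue  # never touch the live audit.log
        src = os.path.join(logdir, name)
        dst = os.path.join(tempdir, name)
        shutil.copyfile(src, dst)
        (verified if sha256_of(src) == sha256_of(dst) else failed).append(src)
    return verified, failed


def postcollect(verified):
    """Dispose only of files whose transfer was verified; anything else stays
    on the server and is picked up by the next cycle."""
    for src in verified:
        os.remove(src)
    return len(verified)


def stage(tempdir, staging):
    """Move the collected files into the event source staging directory."""
    os.makedirs(staging, exist_ok=True)
    moved = []
    for name in os.listdir(tempdir):
        shutil.move(os.path.join(tempdir, name), os.path.join(staging, name))
        moved.append(name)
    return sorted(moved)


def run_cycle(logdir, tempdir, staging):
    """One scheduled run; returns a summary a scheduler job could log."""
    precollect(logdir)
    verified, failed = collect(logdir, tempdir)
    removed = postcollect(verified)
    return {"staged": stage(tempdir, staging), "removed": removed,
            "left_for_retry": sorted(os.path.basename(p) for p in failed)}
```

Because disposal is tied to verification, a run that is interrupted between copy and cleanup leaves the rolled files in place, and the next run collects them again; duplicate staging of an already-verified file is the worst case, which is the right trade for an audit trail.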
Figure 12-3 Create a GEM database for Tivoli Security Operations Manager audit events
2. Now we add a new event source through the Add Event Source Wizard (see
Figure 12-4). Click Next to continue.
3. Select the host on which the tcim-collect script and staging directory exist (in
Figure 12-5 we only have one machine set up). Click Next to continue.
Figure 12-5 Select the point of presence responsible for collecting Tivoli Security
Operations Manager events
4. Find the Tivoli Security Operations Manager event source in the list (see
Figure 12-6). Click Next to continue.
Figure 12-6 Select the Tivoli Security Operations Manager event source
5. Make sure to enter the correct Staging directory that was set up in the
previous step (see Figure 12-7). Click Next to continue.
6. Now choose a collect frequency (see Figure 12-8). You may also choose to
select Never, and collect on demand during a manual load of the GEM DB.
This schedule may be changed later to match your collection requirements
more precisely (we have found that collecting daily with a seven-day sliding
load window best meets our requirements). When the collect is performed it
moves the data from the staging directory into a subdirectory of the Depot
directory and preserves the information in the standard chunk format used by
Tivoli Compliance Insight Manager.
Click Next to continue.
7. The wizard requires you to select a GEM database in which to load the data
from this event source. Select the one we just created, or another database
that you wish to use (see Figure 12-9 on page 387). Click Next to continue.
With the infrastructure elements in place, we are now ready for an example
where we can generate some audit information from Tivoli Security Operations
Manager.
Next we show you how Tivoli Security Operations Manager detects a user
logging in to the Tivoli Security Operations Manager Web interface, and forwards
this event to Tivoli Compliance Insight Manager. It is admittedly a simple
example, but it is easy to set up and demonstrates most of the integration features
needed to meet the requirements of a full SIEM. In later sections we show other
integrations that extend this basic example.
Tivoli Security Operations Manager is self auditing and captures audit
information within its event repository for many different types of actions ranging
from user logins, user logouts, failed logins, modification of rules, modification of
configuration options, to rules being triggered. As a simple example when a user
logs in to Tivoli Security Operations Manager it shows an event as depicted in
Figure 12-12 in its event console.
/usr/local/bin/tcimlogger --what="Logon,User,Success" \
--who="$username[1],$username[1]" \
--wherefrom="TSOM System,9.3.5.160" \
--onwhat="TSOM AUDIT RULE,-,$rule" \
--info="$info"
In Example 12-6 we have defined that the action creates a new audit entry for
Tivoli Compliance Insight Manager with the following plain English meaning.
A successful user logon was performed by $username[1] (this value is replaced
by Tivoli Security Operations Manager with the actual user ID); the audit event is
from the TSOM System with the IP address 9.3.5.160. This was generated by
a TSOM AUDIT RULE and the rule name was $rule (this is replaced by Tivoli
Security Operations Manager with the actual rule name). Additional information
that is provided to Tivoli Compliance Insight Manager by Tivoli Security
Figure 12-14 The Tivoli Security Operations Manager audit rule definition
You should now open a new Web browser window and log on to CMS again to
trigger this action. To verify that the action has logged the event, have a look at
the audit log on the Tivoli Security Operations Manager server (ls -l
/var/log/tcim/audit.log gives you a last modified date for the file which should
indicate that it was modified recently). The contents should contain a W7LogSDK
format representation of the Tivoli Security Operations Manager login event
similar to the example below (Example 12-7).
Example 12-7 Tivoli Security Operations Manager audit log event
3. If you have configured the Tivoli Security Operations Manager event source
in Tivoli Compliance Insight Manager without a regular collect schedule, or if
you want to collect the Tivoli Security Operations Manager data from the
Staging directory immediately, select the Collect option in the next screen as
shown below (Figure 12-18). Click Next to continue.
4. Choose a policy to apply to the data on load (see Figure 12-19). Click Next to
continue.
The GEM database is now loading, and when the load operation has completed,
the Management Console shows a green GEM database icon (see
Figure 12-21).
Figure 12-21 The Tivoli Security Operations Manager GEM database load has completed
Figure 12-22 Tivoli Security Operations Manager audit events displayed in the iView portal
A drill-down into the event details of this event shows the following event
properties (see Figure 12-23).
Figure 12-23 The Tivoli Security Operations Manager audit event in Tivoli Compliance Insight Manager
Conclusion
In this section we have outlined a basic approach to make Tivoli Security
Operations Manager events available to Tivoli Compliance Insight Manager. In
the next section we provide several more examples.
12.3.1 Approach
These integrations are very simple extensions of the integration performed
previously. We are again using the tcimlogger script, but in this case we need
to go further: identify which events are useful for monitoring our audit policies
in Tivoli Compliance Insight Manager, and then categorize them according to
the Tivoli Compliance Insight Manager W7 event taxonomy.
Tivoli Security Operations Manager provides and categorizes many different
types of event via its various correlation mechanisms. Typically, as a result of
detecting some type of policy breach or attack, Tivoli Security Operations
Manager creates a meta event that represents the attack or policy breach. A
meta event can represent many hundreds or even thousands of individual original
events and can be used to indicate any type of incident that an organization
desires. When Tivoli Security Operations Manager is installed it comes with
many existing rules and a default event classification/taxonomy. These rules and
the event taxonomy can be extended to represent anything that is needed by an
organization. Once an event has been categorized correctly or a meta event has
been created, it is very easy to trigger an audit logging action using our
previously described approach. Typically the highest level of event, for example,
events that represent key incidents or policy breaches, is of the most interest
from an audit perspective and therefore of most interest to Tivoli Compliance
Insight Manager.
Some of the rule categories used by Tivoli Security Operations Manager that
will generate these types of events include:
Attack Detection Rules - this category of rules correlates the incoming events
against each other to detect and highlight attacks. The category includes
simple cases such as unusually high volumes of events targeting a specific
host, attacks that have successfully traversed the firewalls, automated scan
attempts, and attempts to administer network/network security devices from
external locations. Some of the rules also recategorize or group events into
an event class that more closely mirrors the actual action. For example,
events that target specific well-known database ports (generated from, say, a
firewall) will be categorized as app.db to indicate that the events are
database related. Some of these types of rules will generate events that may
be of interest to Tivoli Compliance Insight Manager.
Policy Breach Detection Rules - these include rules such as identifying that
services considered dangerous are available at the perimeter; general misuse
such as accessing porn sites or gambling sites, or use of chat protocols; use
of unencrypted protocols for login information; and successful logins in close
proximity to 3 unsuccessful logins (for example, if our policy is to lock
accounts after 3 unsuccessful login attempts). Policy rules tend to build on
general attack rules and other categorization rules. This type of rule will
generate events that may be of interest to Tivoli Compliance Insight Manager.
Compliance Rules - these rules examine incoming high-threat events and
previously identified incidents (see the previous two bullet points) to
determine whether those events are related to our compliance resources. For
example, if a policy breach such as unsecured protocols used to administer a
system is detected, and the target of that administration attempt is a resource
relevant to our financial reporting obligations (for example, an important
resource from a Sarbanes-Oxley compliance perspective; this concept is
captured using Tivoli Security Operations Manager's watchlist capability), then
a new meta event is created that represents a Sarbox compliance issue (the
exact meta event created is of class compliance.sarbox). This type of event
would then be of a great deal of value to Tivoli Compliance Insight Manager.
/usr/local/bin/tcimlogger --what="Detect,Worm,Warning" \
--wherefrom="-,$srcip[1]" \
--whereto="-,$dstip[1]" \
--onwhat="RULE,-,$rule" \
--info="$info"
Once you have completed adding this action to Tivoli Security Operations
Manager the action definition looks like this (see Figure 12-24 on page 403):
Figure 12-24 The Action Definition for our Worm Detection Audit action
The contents of the generated audit log then looks something like Figure 12-26
on page 405.
The next time our Tivoli Security Operations Manager GEM database is loaded
these new worm detected audit events will appear in the Tivoli Compliance
Insight Manager portal as depicted in Figure 12-27 on page 405.
Figure 12-27 Worm audit events displayed in Tivoli Compliance Insight Manager
/usr/local/bin/tcimlogger --what="Detect,Policyviolation,Warning" \
--wherefrom="-,$srcip[1]" \
--whereto="-,$dstip[1]" \
--onwhat="RULE,-,$rule" \
--info="$type"
Note: In this case we have used the $type field from the Tivoli Security
Operations Manager event. This is typically more interesting for policy
violation events than the Tivoli Security Operations Manager $info field. The
type field indicates what type of policy violation has been detected by Tivoli
Security Operations Manager. For example, it may contain values such as
unauthorized Web browsing or unauthorized chat client.
Our Tivoli Security Operations Manager rule definition is depicted in Figure 12-28
on page 408. Note that the important part is the rule event signature, where we
only trigger the rule on detection of an event of class policy.violation.
Again this is very easily implemented, as all of the heavy lifting required to identify
the policy violation has been performed in other Tivoli Security Operations
Manager rules. From this and the previous examples you can see how
simple the integration between Tivoli Security Operations Manager and Tivoli
Compliance Insight Manager is.
When this rule has run and the information has been collected by Tivoli
Compliance Insight Manager the resulting events appear in the Tivoli
Compliance Insight Manager event views as illustrated in Figure 12-29.
Figure 12-29 Tivoli Security Operations Manager policy violation events viewed in Tivoli Security
Operations Manager
12.3.4 Conclusion
In this section we have extended our original Tivoli Security Operations Manager
to Tivoli Compliance Insight Manager event integration to integrate additional
event types. In the next section we introduce a mechanism for using Tivoli
Compliance Insight Manager to manage syslog data collected by Tivoli Security
Operations Manager.
12.4.1 Prerequisites
This integration presupposes that Tivoli Security Operations Manager and Tivoli
Compliance Insight Manager are already installed. It also requires that a Tivoli
Security Operations Manager Event Aggregation Module (EAM) is installed on
RedHat Enterprise Linux 3 (RHEL) (these same steps could be used on a non-
RHEL system) and that the basic syslog daemon installed when you install RHEL
has been replaced with the more capable and better performing syslog-ng
daemon (the process for replacing the stock syslog daemon with the syslog-ng
daemon is described in the IBM Redbook Deployment Guide Series: IBM Tivoli
Security Operations Manager 4.1, SG24-7439-00).
Note: The syslog-ng component is used by many organizations as a high
speed syslog replacement. Syslog-ng is available as both an open source
edition and a premium edition from the site:
http://www.balabit.com/network-security/syslog-ng
#
#
#
#
#
411
7530ch12.fm
keep_hostname (yes);
};
# these next entries define the standard event sources
source s_internal { internal(); };
source s_local { unix_stream("/dev/log"); };
source s_udp { udp(); };
source s_tcp { tcp(); };
source s_kernel { pipe ("/proc/kmsg" log_prefix("kernel: ")); };
# these next two destination entries define where we want events to go
destination eam_messages {
file ("/var/log/messages");
};
destination d_kernel {
file ("/var/log/kern");
};
# these next entries tie the sources together with the destinations
# in this config we are basically saying we want all events except
# kernel generated events to go into our /var/log/messages file
log { source(s_udp); destination(eam_messages); };
log { source(s_tcp); destination(eam_messages); };
log { source(s_local); destination(eam_messages); };
log { source(s_internal); destination(eam_messages); };
log { source(s_kernel); destination(d_kernel); };
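The log statements above wire every source to a destination, and a source that is left out of every log path is silently discarded, which matters when Tivoli Compliance Insight Manager is meant to be the long-term record of these events. The following script is an added example, not part of the Redbook or of syslog-ng: it parses the subset of syslog-ng syntax used in this EAM configuration and reports sources that no log path routes as well as references to undefined sources or destinations. The sample configuration inside it is constructed from the listing above with two faults planted (the s_orphan source and the s_missing reference) so that the check has something to find.

```python
import re

# Constructed sample modelled on the EAM syslog-ng.conf above. Two faults are
# planted on purpose: s_orphan is defined but never routed, and the last log
# path names a source (s_missing) that does not exist.
SAMPLE_CONF = """
options { keep_hostname (yes); };
source s_internal { internal(); };
source s_local { unix_stream("/dev/log"); };
source s_udp { udp(); };
source s_tcp { tcp(); };
source s_kernel { pipe ("/proc/kmsg" log_prefix("kernel: ")); };
source s_orphan { udp(port(5514)); };       # constructed: never routed
destination eam_messages { file ("/var/log/messages"); };
destination d_kernel { file ("/var/log/kern"); };
log { source(s_udp); destination(eam_messages); };
log { source(s_tcp); destination(eam_messages); };
log { source(s_local); destination(eam_messages); };
log { source(s_internal); destination(eam_messages); };
log { source(s_kernel); destination(d_kernel); };
log { source(s_missing); destination(d_kernel); };   # constructed: undefined
"""

# Only the statement shapes used in the EAM config are understood:
# source/destination NAME { ... }; and log { source(X); destination(Y); };
BLOCK_RE = re.compile(r"^\s*(source|destination)\s+(\w+)\s*\{(.*?)\};", re.M | re.S)
LOG_RE = re.compile(r"^\s*log\s*\{(.*?)\};", re.M | re.S)
REF_RE = re.compile(r"\b(source|destination)\s*\(\s*(\w+)\s*\)")


def strip_comments(text):
    """Drop '#' comments so commented-out statements are not counted
    (a '#' inside a quoted string would also be cut; none occur here)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse(text):
    """Return (sources, destinations, log_paths) from a syslog-ng config."""
    text = strip_comments(text)
    sources, destinations = {}, {}
    for kind, name, body in BLOCK_RE.findall(text):
        (sources if kind == "source" else destinations)[name] = body.strip()
    paths = []
    for body in LOG_RE.findall(text):
        refs = REF_RE.findall(body)
        paths.append(([n for k, n in refs if k == "source"],
                      [n for k, n in refs if k == "destination"]))
    return sources, destinations, paths


def check(text):
    """Find sources that no log path routes (their events are dropped) and
    references to undefined sources or destinations. Also returns the
    destinations each source reaches."""
    sources, destinations, paths = parse(text)
    routes, undefined = {}, set()
    for srcs, dsts in paths:
        for s in srcs:
            if s not in sources:
                undefined.add(("source", s))
            for d in dsts:
                if d not in destinations:
                    undefined.add(("destination", d))
                routes.setdefault(s, set()).add(d)
    return {
        "unrouted": sorted(s for s in sources if s not in routes),
        "undefined": sorted(undefined),
        "routes": {s: sorted(d) for s, d in routes.items()},
    }


if __name__ == "__main__":
    for key, value in check(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Run it against the real /etc/syslog-ng/syslog-ng.conf before restarting the daemon; the "routes" map doubles as a quick confirmation that kernel messages go to /var/log/kern and everything else to the /var/log/messages file that Tivoli Compliance Insight Manager will collect.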
Create an account on the audited machine for use by the Tivoli Compliance
Insight Manager server (in our case we are using the insight user that we
used previously).
Create and transfer the authentication tokens (for example, the PuTTY public
and private key pair that we are going to use). The public key for the point of
presence machine needs to be in the authorized_keys file of the insight user on
the EAM (that is, in the .ssh/authorized_keys file). The private key needs to be
placed in the C:\IBM\TCIM\Server\run\sshkeys directory.
Perform a one time PuTTY connection as the cearoot user to our target
system for collection so that the appropriate key entries are added to the
Windows registry.
You can test the SSH connectivity using the chksshconn tool located in the
C:\IBM\TCIM\Tools directory as follows:
chksshconn -h demosys -u ns -k id_rsa.ppk
The -h option specifies the host to test, -u specifies the user to use on the
remote host and -k specifies the private key file to use from the sshkeys
directory.
Once this has been done and SSH connectivity has been confirmed we can
move on to step 3.
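A common stumbling point in the key step above is that PuTTYgen exports public keys in the RFC 4716 (SSH2) block format, while the insight user's authorized_keys file expects the single-line OpenSSH form. As an added example, not from the Redbook or from PuTTY, the script below converts such a block to an authorized_keys line, computes the OpenSSH-style SHA256 fingerprint so the key can be recognised in the server's authentication logs, and checks whether that key is already present in an authorized_keys file even when the line carries an options prefix. The key material, the comment, and the from= option that restricts the key to the TCIM server address are all constructed for the example.

```python
import base64
import hashlib
import struct


def rfc4716_to_openssh(text):
    """Convert an RFC 4716 / PuTTYgen 'SSH2 public key' block into one
    OpenSSH authorized_keys line. Returns (key_type, line)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        raise ValueError("not an RFC 4716 public key block")
    body, comment, i = [], "", 1
    while i < len(lines) and not lines[i].startswith("---- END"):
        line = lines[i]
        if ":" in line:                       # header line (base64 has no ':')
            name, _, value = line.partition(":")
            while value.rstrip().endswith("\\"):   # header continued on next line
                i += 1
                value = value.rstrip()[:-1] + lines[i]
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line)
        i += 1
    blob = base64.b64decode("".join(body))
    (n,) = struct.unpack(">I", blob[:4])        # first SSH string is the key type
    key_type = blob[4:4 + n].decode("ascii")
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return key_type, (f"{line} {comment}" if comment else line)


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_authorized(authorized_keys_text, openssh_line):
    """True if the key blob of openssh_line appears in the authorized_keys
    text, regardless of any options prefix or trailing comment."""
    want = openssh_line.split()[1]
    for raw in authorized_keys_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        for j in range(len(fields) - 1):       # key type may follow an options field
            if fields[j].startswith(("ssh-", "ecdsa-")) and fields[j + 1] == want:
                return True
    return False


def constructed_putty_export():
    """An RFC 4716 block around a constructed, non-functional RSA-shaped blob
    so the example runs without a real key pair (constructed, not a real key)."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + bytes(range(1, 33))))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[k:k + 64] for k in range(0, len(b64), 64))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n"
            'Comment: "pop-tcimdemo \\\n  insight collector"\n'
            f"{wrapped}\n---- END SSH2 PUBLIC KEY ----\n")


def demo():
    """Convert the constructed export and look it up in a constructed
    authorized_keys file; returns (key_type, fingerprint, found)."""
    key_type, line = rfc4716_to_openssh(constructed_putty_export())
    authorized = ("# constructed ~insight/.ssh/authorized_keys\n"
                  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQA= someone-else\n"
                  f'from="192.168.164.150" {line}\n')   # restricted to the TCIM server
    return key_type, fingerprint(line.split()[1]), key_authorized(authorized, line)
```

The from= option in the constructed authorized_keys line is worth copying in practice: the collection key only ever needs to be accepted from the point of presence, so limiting it to that address contains the damage if the .ppk file is ever copied off the server.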
2. Select the Audited Machine Type of Linux (see Figure 12-31 on page 415).
Click Next to continue.
3. Now add your machine name (in our case we are using the IP address
192.168.164.200; see Figure 12-32 on page 416). Click Next to continue.
4. Next select the Point of Presence that will do the collection for us. In our case
we are using the TCIMDEMO Point of Presence (note: this is the machine from
which the SSH connection we set up earlier needs to work). This is shown in
Figure 12-33 on page 416. Click Next to continue.
5. In our case we are choosing to collect Snort logs so we want to define this
event source type as Snort syslog from syslog host (see Figure 12-34). Click
Next to continue.
6. Next the Add Event Source Wizard automatically starts (see Figure 12-35 on
page 417). Click Next to continue.
7. Add the appropriate details for the SSH KeyFile, SSH Port, user and host (in
our case the key file is called key.ppk, the port is the default 22 port, the user
9. Next we choose the GEM database that we want the Snort data to be loaded
into (we have previously created a database labeled Snort for this purpose).
This is illustrated in Figure 12-38. Click Next to continue.
To test this configuration we are going to create a simple policy using the
standard Snort policy groupings that are provided with Tivoli Compliance Insight
Manager.
First we create a new empty policy called SNORT in the same way as is
described in several other places throughout this book including later in this
chapter in 12.7, Laying down standard policy on Tivoli Security Operations
Manager data on page 438. We add the Snort policy groupings as follows.
Open the policy and right-click in the Policy section to import the Group Definition
Set for Snort, as shown in Figure 12-40 on page 421. The Snort group definition
file that we need is named snort_group.cfg.
Then create a basic policy as defined below in Figure 12-41 on page 422. In this
example we have also modified some of the system groups, specifically the
SensitiveSystems group, where we have defined our Snort system (with IP
Address 192.168.164.200) as being a sensitive system with a significance of 99.
Our very basic policy should highlight non-reconnaissance traffic and traffic that
is targeting our sensitive system. We have chosen this policy because
reconnaissance traffic is often considered white noise in the sea of events that a
system will receive. Under our policy reconnaissance traffic is considered normal;
any other type of traffic is considered abnormal and should be highlighted. Also,
any traffic that specifically targets our sensitive system will be highlighted as
worth investigation.
Next we collect, load and apply our Snort policy to the loaded data. After this has
been done the results displayed in the iView portal for the Snort database will
look similar to what is in Figure 12-42 on page 423.
Further drill-down into our exceptions results in a report similar to that shown in
Figure 12-43 on page 423.
The result is that we now have events that were collected by the Tivoli
Security Operations Manager Event Aggregation Module (EAM) component
available to Tivoli Compliance Insight Manager for further processing and
application of policies. Tivoli Compliance Insight Manager can also now perform
log management for syslog data collected by Tivoli Security Operations Manager.
By applying this approach to all of the syslog data collected by Tivoli Security
Operations Manager we reduce the requirement to manage Tivoli Security
Operations Manager syslog data for long periods of time. The key benefit is that
we now have real-time Security Event Management available in a way that
meets our long-term auditing requirements.
12.4.7 Conclusion
In this section we have shown how to use the Tivoli Security Operations Manager
EAM both to collect events for real-time processing by Tivoli Security Operations
Manager and to capture the same event data for long-term log management and
policy reporting by Tivoli Compliance Insight Manager. In the next section we
show how Tivoli Financial Accounting Corporation implemented a mechanism
whereby Tivoli Security Operations Manager data can be supplemented with
policy breach data captured by Tivoli Compliance Insight Manager, and whereby
Tivoli Compliance Insight Manager can use the rules facility in Tivoli Security
Operations Manager for sophisticated automation.
12.5.1 Prerequisites
This integration scenario requires that Tivoli Security Operations Manager and
Tivoli Compliance Insight Manager be installed and functioning. It also requires
that the Tivoli Security Operations Manager product have the latest device rules
update, as this includes Tivoli Compliance Insight Manager support (device rules
prior to October 2007 may not have device support for Tivoli Compliance Insight
Manager).
Figure 12-44 Open the Tivoli Compliance Insight Manager Alerts management console
2. Double click on the alert to bring up the following dialog box (see Figure 12-45
on page 426) and enter the following values:
Protocol = custom
Recipient = TSOM
Severity = 70
Rule ID(s) = alert_to_TSOM
Note: We use the Rule ID alert_to_TSOM later when we create attention
rules that we would like to generate alerts to Tivoli Security Operations
Manager.
5. In the resulting dialog box enter the following details (see Figure 12-47 on
page 428).
c:\IBM\TSOM\run\alert.cmd <eventfile>
Note: The <eventfile> parameter will be substituted for a comma separated
representation of the alert when Tivoli Compliance Insight Manager
generates it.
6. Next create the cmd file that is referenced above and the alerts directory for
Tivoli Compliance Insight Manager to place its alerts log into (see
Example 12-12 for the contents of the cmd file). Run these commands:
mkdir C:\IBM\TSOM\alerts
mkdir C:\IBM\TSOM\run
notepad C:\IBM\TSOM\run\alert.cmd
Then enter the details into the alert.cmd file and save it. At this point, if a rule
with the ID alert_to_TSOM is triggered by Tivoli Compliance Insight Manager, the
alert will be written to tcimalert.log.
Example 12-12 alert.cmd file
@echo off
type %1 >> C:\IBM\TSOM\alerts\tcimalert.log 2>nul:
reflects the correct alert file location and the IP address of the Tivoli Compliance
Insight Manager server.
1. To do this search through the ucm.cfg file until you find the Consul entry and
then modify it so that it looks like Example 12-13. In our case the IP address
of the Tivoli Compliance Insight Manager server is 192.168.164.150.
Example 12-13 UCM configuration change
#
# create file tailer 25 for consul
#
ucm.tailer.file.filename.25=c:/IBM/TSOM/alerts/tcimalert.log
ucm.tailer.file.buffer.size.25=1024
ucm.tailer.file.sensortype.25=consul
ucm.tailer.file.saves.file.name.25=consul-1
ucm.tailer.file.start_at_end.25=false
ucm.tailer.file.hostname.25=192.168.164.150
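The hand-off described in Example 12-12 and Example 12-13 is a file: alert.cmd appends each comma-separated alert to tcimalert.log, and the Tivoli Security Operations Manager file tailer reads that log. The following Python script is an added example, not code from the Redbook or from either product. It does what alert.cmd does with two safeguards the one-line cmd file lacks (an empty event file is ignored, and every record is terminated with exactly one newline so two alerts can never run together on one line) and models a tailer that resumes from a saved read position, which is the behaviour the saves.file.name setting suggests (an assumption; the real tailer's semantics are not on the page). The alert records and their field layout are constructed; the actual layout of a Tivoli Compliance Insight Manager alert is not shown on the page.

```python
import os
import tempfile


def append_alert(eventfile, alert_log):
    """Equivalent of 'type %1 >> tcimalert.log', hardened. Returns the number
    of records appended (0 when TCIM produced an empty event file)."""
    with open(eventfile, "r", encoding="utf-8") as f:
        data = f.read()
    if not data.strip():
        return 0
    with open(alert_log, "a", encoding="utf-8") as log:
        # exactly one newline per record, whatever the event file ended with
        log.write(data.rstrip("\r\n") + "\n")
    return 1


def tail_new_records(alert_log, saved_offset):
    """Read the complete lines added since saved_offset and parse each as a
    comma-separated alert. Returns (records, new_offset). A trailing line
    without its newline is left for the next pass, so the saved position only
    ever advances past whole records."""
    records = []
    with open(alert_log, "rb") as f:
        f.seek(saved_offset)
        while True:
            pos = f.tell()
            line = f.readline()
            if not line:
                break
            if not line.endswith(b"\n"):
                f.seek(pos)          # incomplete record: do not consume it
                break
            records.append(line.decode("utf-8").rstrip("\r\n").split(","))
        new_offset = f.tell()
    return records, new_offset


def demo():
    """Push three constructed alerts through the pipeline. Returns the parsed
    records the tailer delivered and how many it would deliver again after a
    simulated restart from the saved offset."""
    tmp = tempfile.mkdtemp()
    log = os.path.join(tmp, "tcimalert.log")
    delivered, offset = [], 0
    # constructed alerts: one with a trailing newline, one without, one empty;
    # the field layout (time, rule id, severity, group, action, host) is assumed
    samples = [
        "2007-10-01 09:15:00,alert_to_TSOM,70,NotAdmins,Logon,192.168.164.200\n",
        "2007-10-01 23:40:12,alert_to_TSOM,70,NotAdmins,Logon,192.168.164.200",
        "",
    ]
    for i, body in enumerate(samples):
        eventfile = os.path.join(tmp, f"alert{i}.csv")
        with open(eventfile, "w", encoding="utf-8") as f:
            f.write(body)
        append_alert(eventfile, log)
        recs, offset = tail_new_records(log, offset)
        delivered.extend(recs)
    # a tailer restarting from the saved offset must not replay old alerts
    replayed, _ = tail_new_records(log, offset)
    return delivered, len(replayed)


if __name__ == "__main__":
    records, replayed = demo()
    for r in records:
        print(r)
    print("replayed after restart:", replayed)
```

The newline guarantee is the part worth carrying over to the real alert.cmd: if Tivoli Compliance Insight Manager ever writes an event file without a final line break, plain type >> produces one physical line holding two alerts, and the tailer parses it as a single malformed record.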
2. Now we can define the Tivoli Security Operations Manager sensor for Tivoli
Compliance Insight Manager. This is done in the standard way that any Tivoli
Security Operations Manager sensor is defined (more information on this may
be found in IBM Tivoli Security Operations Manager 3.1 Installation Guide
or in the IBM Tivoli Compliance Insight Manager User Reference Guide
Version 8.0, SC23-6545-00). The basic steps for defining our new Tivoli
Security Operations Manager sensor are shown in the next few figures.
First define the sensor at the CMS as shown in Figure 12-48.
Then define the sensor at the EAM as shown in Figure 12-49 on page 431.
Figure 12-50 Tivoli Compliance Insight Manager attentions in Tivoli Security Operations Manager
Now we can use Tivoli Security Operations Manager's rules to run
automation, send e-mail, and escalate to other systems management
products when special attention alerts are captured. For example, to run
some automation we could define a Tivoli Security Operations Manager
action that looks like Figure 12-51 on page 432 and a rule that looks like
Figure 12-52 on page 433.
Figure 12-51 Define a Tivoli Security Operations Manager Action to respond to a special
attention alert
12.5.5 Conclusion
In this section we have shown how to have Tivoli Compliance Insight Manager
generated alerts made available to Tivoli Security Operations Manager for further
rules based processing and correlation. In the next section we explain
mechanisms for integrating the visual aspects of the Tivoli Security Operations
Manager and Tivoli Compliance Insight Manager tools so that reports can be
accessed from a common location.
of the iView portal (see Figure 12-53 on page 435). The subdirectories will
typically be prefixed with app to represent applications that can be invoked from
the iView portal and sec for subsections of the iView portal view.
To create a new application or section of the iView portal we need only replicate
these app or sec directories as required. For our purposes we have created three
new app directories, one for each of the applications we wish to launch and one
new sec directory to contain these applications. In Figure 12-53 these are
labelled app-tsom, app-tsomreports, app-tsomscheduledreports and
sec-tsomportal. These directories initially are just direct copies of one of the other
existing app or sec directories as required. We will modify the directory contents
so that the final result is an iView portal that looks like the figure below (see
Figure 12-54 on page 436).
First we will start with the contents of the app-tsom directory. After the copy it will
contain three files. The application.xml file controls what application will be
invoked when you click on the link in the portal, the resources.properties file
controls what text will be displayed in the iView portal and the gif file is the icon
that will be displayed in the portal.
To add a link to the Tivoli Security Operations Manager real time events console
from the portal we modified the contents of the application.xml file to reflect what
is in Figure 12-55 on page 437. The key value we are modifying is the URL that is
invoked by clicking on the link. In our case we modify it to point at our Tivoli
Security Operations Manager real time event portal (which is at
http://192.168.164.200).
We then modify the resources.properties file so that it looks like Figure 12-56,
that is, it reflects the link name TSOM and the description Open TSOM
Realtime Event Portal.
This has now defined our link to the Tivoli Security Operations Manager real time
event viewer portal. The other two applications are defined in the same way as
this except in the case of the link to the Tivoli Security Operations Manager
Reports Portal we will use the URL that takes us to the Tivoli Security Operations
Manager Reports Portal.
For the Tivoli Security Operations Manager Scheduled Reports link we have
used a Tivoli Security Operations Manager capability provided via its reporting
portal. The capability allows us to automatically schedule and generate a report
in html format and publish that to a specified location (in our case a reporting
Web server). Conceptually what we have done is provide a single entry point to
these pre generated reports from the iView portal.
In addition it would be possible to use Tivoli Compliance Insight Manager to
monitor the access to that portal in order to confirm compliance. Most
compliance regulations don't just state that audit reports should be generated,
they also state that those reports should be reviewed. By using a portal-based
approach to presenting the combined set of reports from both Tivoli Compliance
Insight Manager and Tivoli Security Operations Manager we can also leverage
Tivoli Compliance Insight Manager's Web server audit capabilities to monitor
whether the audit reports are being reviewed.
Now we create a new section within the iView portal to contain our Tivoli Security
Operations Manager components. This is done by copying one of the existing
sec directories to sec-tsomportal and modifying its contents. The sec-tsomportal
By creating and modifying these sec and app configurations and then restarting
the Tomcat server we are now able to provide a consistent entry point to all of
our SIEM components as shown in Figure 12-54 on page 436.
1. Create a blank policy called TSOMPolicy (see Figure 12-59 on page 439).
2. Open your new policy and create a new Tivoli Security Operations Manager
policy group (as in Figure 12-60 on page 439) and name it TSOM.
3. Then import the global_policy group (see Figure 12-60 on page 439). This
should give you the following policy groups defined (
4. Next double click on your TSOM Policy Group to display the W7 groupings
ready for definition.
Define three Who groups; the resulting Who definition is shown in Figure 12-62
on page 440.
Define two What groups; the resulting What definition is shown in Figure 12-63
on page 441.
Define two On What groups; the resulting On What definition is shown in
Figure 12-64 on page 441.
5. Next create some rules based on these policy groupings. In our rule we are
stating (admittedly this is a very simple rule) the following:
TSOMAdmins are allowed to log on at any time. Any other TSOMAdmin action
will be marked as an exception.
NotAdmins are only allowed to log on in business hours. Any other NotAdmin
action will be marked as an exception.
We don't want any exceptions generated by the System user (as this user is
the source of all our Tivoli Security Operations Manager events that are not
audit related).
The first of these rules is created by first right clicking in the Policy Rules area
of the window (see Figure 12-65 on page 442).
The other rules are created in the same manner. When you have completed
the Policy Rules window will look as in Figure 12-67 on page 443.
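To make the rule semantics concrete, the following Python script is an added example, not the Redbook's or Tivoli Compliance Insight Manager's code. It evaluates W7-style rules over constructed events and produces the per-cell (Who group by What group) counts that the dashboard in 12.7.1 colours. The first rule set is the three rules just listed; the second is the Snort policy of 12.4 (reconnaissance is normal, anything else is an exception, and anything aimed at the sensitive system is an exception). The group memberships, the business-hours window of Monday to Friday 08:00 to 18:00, and all events are constructed assumptions.

```python
from datetime import datetime

# Constructed group definitions (the real ones are in Figures 12-62 to 12-64,
# which the page does not reproduce). "*" is the wildcard / ungrouped marker.
WHO = {"TSOMAdmins": {"jsmith", "tsomadmin"},
       "NotAdmins": {"analyst1", "auditor2"},
       "System": {"System"}}
WHAT = {"Logons": {"Logon", "Logoff"}, "RuleChange": {"AddRule", "DeleteRule"}}
ONWHAT = {"SensitiveSystems": {"192.168.164.200"}}   # the Snort host of 12.4


def groups_of(value, table):
    """Groups that contain value, or {"*"} when it belongs to none."""
    return {g for g, members in table.items() if value in members} or {"*"}


def matches(rule_group, event_groups):
    return rule_group == "*" or rule_group in event_groups


def business_hours(ev):
    """Assumed office hours: Monday to Friday, 08:00 to 18:00."""
    return ev["when"].weekday() < 5 and 8 <= ev["when"].hour < 18


def evaluate(events, rules, who=WHO, what=WHAT, onwhat=ONWHAT):
    """Return (exceptions, summary).

    A rule is (who_group, what_group, onwhat_group, permit_fn); an event is an
    exception when no rule both matches it and permits it. summary maps each
    (who_group, what_group) cell to (events, exceptions), the grid the iView
    dashboard colours red where exceptions > 0."""
    exceptions, summary = [], {}
    for ev in events:
        wg = groups_of(ev["who"], who)
        ag = groups_of(ev["what"], what)
        og = groups_of(ev["onwhat"], onwhat)
        allowed = any(matches(rw, wg) and matches(ra, ag) and matches(ro, og)
                      and permit(ev) for rw, ra, ro, permit in rules)
        for cell in ((w, a) for w in wg for a in ag):
            n, x = summary.get(cell, (0, 0))
            summary[cell] = (n + 1, x + (0 if allowed else 1))
        if not allowed:
            exceptions.append(ev)
    return exceptions, summary


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# The three rules of 12.7, in the order the text gives them.
TSOM_RULES = [
    ("TSOMAdmins", "Logons", "*", lambda ev: True),
    ("NotAdmins", "Logons", "*", business_hours),
    ("System", "*", "*", lambda ev: True),
]
TSOM_EVENTS = [  # constructed audit events; 2007-10-01 is a Monday
    dict(who="tsomadmin", what="Logon", onwhat="cms", when=ts("2007-10-01 23:05")),
    dict(who="analyst1", what="Logon", onwhat="cms", when=ts("2007-10-01 10:30")),
    dict(who="auditor2", what="Logon", onwhat="cms", when=ts("2007-10-01 22:15")),
    dict(who="analyst1", what="AddRule", onwhat="cms", when=ts("2007-10-01 11:00")),
    dict(who="System", what="SensorStart", onwhat="eam", when=ts("2007-10-01 03:00")),
]

# The Snort policy of 12.4: reconnaissance is normal unless it targets a
# sensitive system; every other classification is an exception.
SNORT_WHAT = {"Reconnaissance": {"portscan", "ICMP PING"}}
SNORT_RULES = [("*", "Reconnaissance", "*",
                lambda ev: "SensitiveSystems" not in groups_of(ev["onwhat"], ONWHAT))]
SNORT_EVENTS = [  # constructed Snort syslog events (source IP, classification, target)
    dict(who="10.0.0.5", what="portscan", onwhat="192.168.164.77", when=ts("2007-10-02 01:00")),
    dict(who="10.0.0.5", what="portscan", onwhat="192.168.164.200", when=ts("2007-10-02 01:02")),
    dict(who="10.0.0.9", what="exploit-attempt", onwhat="192.168.164.77", when=ts("2007-10-02 01:05")),
]


def run_tsom():
    return evaluate(TSOM_EVENTS, TSOM_RULES)


def run_snort():
    return evaluate(SNORT_EVENTS, SNORT_RULES, who={}, what=SNORT_WHAT)


if __name__ == "__main__":
    for name, run in (("TSOM", run_tsom), ("Snort", run_snort)):
        exc, summary = run()
        print(name, len(exc), "exceptions", summary)
```

Note how the System rule works: because it matches any What and any On What, an event from that user can never fall through to the exception list, which is exactly the effect the third rule above asks for, while an out-of-hours NotAdmins logon lands in the (NotAdmins, Logons) cell with a non-zero exception count.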
12.7.1 Results
After we have created this policy and applied it to the data collected from Tivoli
Security Operations Manager our results will be a dashboard as illustrated in
Figure 12-68 on page 444.
Figure 12-68 The results of applying our Tivoli Security Operations Manager policy
This report tells us that we have collected 107 events. Of those 107 events,
three are policy exceptions. The dashboard further informs us that the
NotAdmins Who group is where the exceptions lie, that is, some of our
non-administrators must have logged on outside normal office hours. Typically
the intersection of the NotAdmins Who group and the Logons group is displayed
in red to indicate that exceptions occur in this group. From this report we can
navigate to the exceptions very easily by clicking the event summary icon next
to the policy exceptions list. Doing this results in a report as in Figure 12-69 on
page 444.
From here we can quickly drill down to find the original event that generated the
policy exception.
From this example you can see that it is fairly easy to apply policy to Tivoli
Security Operations Manager data. The value of this approach is that once you
have defined policies across your enterprise you can extend those policies to
new platforms such as Tivoli Security Operations Manager with little difficulty.
12.8 Conclusion
In this chapter we discussed multiple Tivoli Security Operations Manager and
Tivoli Compliance Insight Manager integration scenarios and showed how these
integrations can be easily implemented using the integration features that have
been designed into each of the components. We then went on to show how Tivoli
Compliance Insight Manager policy could be applied to Tivoli Security
Operations Manager data, generating some policy reports using a simple
example that should demonstrate the business value that will ultimately be
achieved by Tivoli Financial Accounting Corporation. In conclusion to this
chapter we should reiterate that IBM only recently acquired both components of
the SIEM solution, so the integration is at an early stage. However, the
integration that has been performed is already powerful and is set to improve in
the future.
7530ax01.fm
Appendix A.
This study can process the same threats and risks applied to different assets, but
concludes at a different level of liability, based on your particular business
environment. Then the decision has to be made: accept, mitigate, or transfer the
risk. This process can be handled by external consultants, such as IBM Global
Services, or by an internally appointed team. The process can use both formal
and informal methods, but the result is usually a blend of these approaches. The
threat identification, as well as this severity study, using a formal approach is
done in conjunction with the organization by applying a standard and a proven
methodology.
It is tempting to directly translate the threat analysis into a technical solution, but
it should first lead to the corporate policy and standards. These documents will
highlight the risks and present how they must be handled enterprise wide.
The first document that must be written is therefore the corporate policy
document. It must outline the high-level directions to be applied enterprise wide.
It is absolutely not technical; it is derived from the business of the enterprise and
should be as static as possible, as seen in Figure A-1.
Figure A-1 The policy hierarchy: the static corporate policy at the top, then standards, then procedures and practices, down to the technical level
Attention: Policy is a very common term, and in many products you will find
specific policies sections. These are the product-related policies that are
covered in the practice or procedure documents. The corporate policy is not
related to products and is a high-level document.
Practical example
Here is an example of how a policy is defined and implemented with procedures
and practices.
The operations manager has reported an increased workload on the help desk
due to problems caused by employees downloading non-business related
programs onto their systems.
The problems range from the introduction of viruses to disruption of business
processes, with a real financial impact. To address this problem, upper
management incorporated, in the corporate policy, the following directive: The
corporate assets may be used only to perform enterprise related tasks.
First, the policy must be communicated to all employees in the enterprise.
The standards for the networking part explain which services may be allowed on
the employee computer. The practice will then explain how to set up the
Windows or Linux clients according to the standards, and the procedures will
explain how to perform a request, the requirements, and the approval paths, to
get special services installed on your computer.
The existing clients will be updated and controls will be performed to verify the
compliance, in addition to further audit of the environment.
The five steps we went through are summarized in Figure A-2. It is a common
approach adopted in many methodologies.
Figure A-2 The five steps of the approach: Policies, Implement, Manage, Risk, Audit
Examples of these external drivers are shown in this section. The list is not
exhaustive, nor is each description complete. It is provided as a guide to the type
of standards that may (or may not) apply to your organization and, therefore,
some of the external factors you must consider when creating policies.
Many organizations use these external standards as a guide to help them
formulate their own corporate policies. It is not uncommon to find organizations
using the ISO17799 standards, but without having them externally audited and
certified. These standards are seen as a good foundation for security.
provides safeguards for the area of administration processes and the physical
and technical infrastructure and defines the rights of individuals and the
related obligations for organizations in the health industry with regard to
Personal Health Information (PHI).
The requirements of the HIPAA standard have since then been adopted into
health industry regulation of many other countries, for example in Germany.
Gramm-Leach-Bliley Act (GLBA)
GLBA was established in 1999 and deals with the protection of the privacy of
customers of financial institutions as well as the security requirements to be
met by financial institutions. The two significant impacts of the act are, on the
one hand, the obligation of strict separation between corporate and private
banking and insurance activities for financial institutions in the USA, in
contrast to the widespread universal banking approach taken by financial
institutions in Europe. On the other hand, the act introduces the requirement
to take precautions against social engineering, which is referred to as
pretexting in the act. Also, the act requires financial institutions to establish a
security framework to protect their own and their customers' financial data.
Common Criteria
This is a set of tests originally based upon the US Orange Book and
European/Australian ITSEC evaluations. It is currently recognized by 14
countries. There are seven levels of tests. Evaluation Assurance Levels (EAL)
1 to 4 are usually used in commercial areas, while the tests representing the
higher EALs 5 to 7 are reserved for the security testing of highly secure
environments.
CAPS UK
In addition to internationally recognized evaluations, there may be local
evaluations that impact an organization. The UK Government's
Communications-Electronics Security Group (CESG) has produced the Assisted
Products Scheme in an effort to help commercial product vendors produce
cryptographic products suitable for use by the British government. It is called
CAPS (CESG Assisted Product Scheme). CAPS is similar in purpose to FIPS
140 (for the US and Canadian governments) and the Cryptographic Advisory
Note (CAN) (for the Australian and New Zealand governments).
BS7858
BS7858 is just one example of some of the other less well known standards that
could affect security policy. Specifically, BS7858 gives recommendations for the
security screening of personnel to be employed in an environment where the
security of people, goods, or property is a significant feature of the employing
organization's operations.
Summary
Corporate policies must be thought of as business level requirements. They are
primarily internal business drivers, but they may be impacted upon by external
factors, so corporate policies will have to take account of these factors.
Subsidiary standards and the procedures and practices that result in turn are
also produced.
Corporate policies should be relatively static and technology free, while
standards, practices, and procedures can be more fluid and technology specific.
7530glos.fm
Glossary
8-bit UCS/Unicode Transformation Format is a
variable-length character encoding for Unicode. It is
able to represent any character in the Unicode
standard, yet the initial encoding of byte codes and
character assignments for UTF-8 is consistent with
ASCII.
Authentication In computer security, verification
of the identity of a user or process and the
construction of a data structure that contains the
privileges that were granted to the user or process.
Contrast with authorization.
Authorization The process of granting a user
either complete or restricted access to an object,
resource, or function. Contrast with authentication.
Basel II A round of deliberations by central
bankers from around the world, under the auspices
of the Basel Committee on Banking Supervision
(BCBS) in Basel, Switzerland, aimed at producing
uniformity in the way banks and banking regulators
approach risk management across national borders.
The Basel II deliberations began in January 2001,
driven largely by concern about the arbitrage issues
that develop when regulatory capital requirements
diverge from accurate economic capital calculations.
Basel II recommends three pillars: risk appraisal and
control, supervision of the assets, and monitoring of
the financial market, to bring stability to the financial
system.
Batch Collect Mechanism for retrieving security
log data.
British Standard 7799 A standard code of
practice and provides guidance on how to secure an
information system. It includes the management
framework, objectives, and control requirements for
information security management systems.
Can Spam Act of 2003 is a commonly used name
for the United States Federal law more formally
known as S. 877 or the Controlling the Assault of
Non-Solicited Pornography and Marketing Act of
2003. The law took effect on January 1, 2004. The
Can Spam Act allows courts to set damages of up to
$2 million when spammers break the law. Federal
district courts are allowed to send spammers to jail
and/or triple the damages if the violation is found to
be willful.
CCO See Chief Compliance Officer.
Computer Emergency Response Team
(CERT) The CERT/CC is a major reporting center
for Internet security problems. Staff members
provide technical advice and coordinate responses
to security compromises, identify trends in intruder
activity, work with other security experts to identify
solutions to security problems, and disseminate
information to the broad community. The CERT/CC
also analyzes product vulnerabilities, publishes
technical documents, and presents training courses.
The CERT/CC is located at the Software
Engineering Institute (SEI), a federally funded
research and development center (FFRDC)
operated by Carnegie Mellon University (CMU).
Configuration Compliance The comparison of
known state to a compliant state and may include
automated actions. After discovery or scanning is
performed, devices are said to be either compliant or
noncompliant.
Consolidation Database An Enterprise Server
database that delivers enterprise-wide trend and
summary reports.
Control A means of managing a risk or ensuring
that an objective is achieved. Controls can be
preventative, detective, or corrective and can be
fully automated, procedural, or technology-assisted
human-initiated activities. They can include actions,
devices, procedures, techniques, or other
measures.
Control Objectives for Information and related
Technology (COBIT) is a set of best practices
(framework) for information technology (IT)
management created by the Information Systems,
Audit and Control Association (ISACA), and the IT
Governance Institute (ITGI) in 1992. COBIT
provides managers, auditors, and IT users with a set
of generally accepted measures, indicators,
processes and best practices to assist them in
maximizing the benefits derived through the use of
information technology and developing appropriate
IT governance and control in a company.
COSO See Committee of Sponsoring
Organizations of the Treadway Commission.
Proxy Server A server that acts as an intermediary
between a workstation user and the Internet so that
the enterprise can ensure security, administrative
control, and caching service. A proxy server is
associated with or part of a gateway server that
separates the enterprise network from the outside
network and a firewall server that protects the
enterprise network from outside intrusion.
Pull Client A client that permits communication
with the server to be initiated by only the server.
Push Client A client that permits communication
with the server to be initiated by either the client or
the server.
PuTTY is a free software SSH, Telnet, rlogin, and
raw TCP client. It was originally available only for
Windows, but is now also available on various Unix
platforms.
Regulatory Compliance Refers to systems or
departments at corporations and public agencies to
ensure that personnel are aware of and take steps
to comply with relevant laws and regulations.
Remote Collect Agentless log collection facilitated
by SSH or by NetBIOS for Windows.
Simple Network Management Protocol
(SNMP) Defined by the Internet Engineering Task
Force (IETF). SNMP is used by network
management systems to monitor network-attached
devices for conditions that warrant administrative
attention.
7530bibl.fm
Related publications
The publications listed in this section are considered particularly suitable for a
more detailed discussion of the topics covered in this book.
IBM Redbooks
For information about ordering these publications, see How to get Redbooks on
page 469. Note that some of the documents referenced here may be available in
softcopy only.
Deployment Guide Series: IBM Tivoli Security Compliance Manager, SG24-6450-00
Enterprise Security Architecture Using IBM Tivoli Security Solutions, SG24-6014-04
Understanding SOA Security Design and Implementation, SG24-7310-01
Deployment Guide Series: IBM Tivoli Compliance Insight Manager, SG24-7531-00
Deployment Guide Series: IBM Tivoli Security Operations Manager 4.1, SG24-7439-00
Building a Network Access Control Solution with IBM Tivoli and Cisco Systems, SG24-6678-01
Accounting and Auditing on AIX 5L, SG-6396-00
Other publications
These publications are also relevant as further information sources:
IBM Tivoli Compliance Insight Manager Installation Guide Version 8.0, GI11-8176-00
IBM Tivoli Compliance Insight Manager User Guide Version 8.0, SC23-6544-00
IBM Tivoli Compliance Insight Manager User Reference Guide Version 8.0, SC23-6545-00
Additional IBM Tivoli Compliance Insight Manager related manuals:
Online resources
These Web sites are also relevant as further information sources:
IBM Software support Web site
http://www.ibm.com/software/support
To find more information about Basel II check out this URL:
http://www.bis.org/publ/bcbsca.htm
To find more information about the Sarbanes-Oxley Act check out this URL:
http://www.soxlaw.com/
To find more information about PCI check out this URL:
https://www.pcisecuritystandards.org/
To find more information about HIPAA check out this URL:
http://www.hhs.gov/ocr/hipaa/
IBM Training and certification Web site
http://www.ibm.com/software/sw-training/
Index
A
access rights 34
action
Security Operations Manager 373
Active Directory
audit policy settings 161–162
diagnostic logging 164
event source 157
event source configuration 179
Actuator 28, 59, 80, 82
data collection 40
installation 185
script 32, 40, 42
software 32
System Z 318
administrative accounts 152
Agent 32
activation 34
collection mechanism 41
encrypted communication 41
agentless
collect 40
collection for UNIX 44
collection for Windows 43
collection mechanism 43
aggregated data 35
aggregated information 15
aggregation
database 35, 38, 57
process 35, 38, 57
AIX
audit subsystem 246
event source configuration 250
log management 245
login files 245
alert 54
attention rule 214
analyzing trends 238
anomalous activity 115
antivirus
application 114
service 5
API
add to system group 173
AIX 251
data collection 39
registration 172
system 32, 40
auditing
AIX 245
Domino 262
Oracle 272
SAP 279
System Z 307
automated processes 37
awareness programs 55
B
Basel II 4, 6, 289, 345, 451
compliance management module 303, 309
reporting goals 148, 160
reports 352
System Z compliance 345
batch collect 39
BBBin.log 96
brute force attack 290, 296
BS7799 453
BS7858 453
business
assurance 113
conduct guidelines 4
context 3
data 152
objectives 133
requirements 138
scenario 129
tasks 21
C
central dashboard 28
centralized
forensics 31
log management 30, 95
CFR 21 Part 11 451
change management 22
activities 53
CheckPoint OPSEC 115
Chief Financial Officer 119
Chief Information Officer 119
Chief Information Security Officer 119, 122, 134
chunk 39, 42, 82
D
daily verification report 234
dashboard 28, 36, 57, 106, 157, 225, 444
log continuity 99
data
aggregation 57
basic collection approach 245
collection 89
collection methods 39
collection task 94
compression 108
consolidation 57
integrity 139
investigation 39
long-term storage 36
mining 116
database
administrator 122
check 89
manual load 219
store 35
define users 34
Depot 35, 37, 108
collection 39
indexing 45
log continuity report 95
weekly check 90
depth of reporting 8
design objectives 145
detailed investigation report 236
deterministic threat analysis 109
device events 21
discovery and analysis 74
distribution of reports 58
Domino
Administration Requests Database 262
attention alerts 270
event source configuration 262
journaling 267
log management 262
policy violations 267
DR550 97
duration check 8
E
encrypted channel 41
encrypted communication 32
Enterprise Server 28, 30
forensic tools 46
installation 159
job schedules 95
Point of Presence 80
synchronization task 94
European Data Directive 95/46/EC 454
event
attributes 60
collection 15, 108
correlation 120
detail report 52
repository 388
source 14, 40
sources 18
type 14, 19
Event Aggregation Module 410
event source
Active Directory 157
adding an ... 179
AIX 250
configuration 171
Domino 262
Oracle 274
SAP 281
exception report 48
exceptions 35
Extensible Markup Language
see XML
external
auditor 122
external API
event collection 40
F
failures 35
file based
collection of log data 45
filter 48, 56
firewall 114
forensic
activity 82
analysis 39, 111–112
capability 45
function 30
investigation 56
review 28
tools 46
Format Verification tools 71
four eyes principle 5
frequency of checks 8
FTP
collect 83
functional design 73, 78
functional requirements 139
G
Gartner 16
GEM 28, 374
data normalization 47
database 35, 37, 75, 383, 394
... for System Z 316
H
harmful security event 54
Health Insurance Portability and Accountability Act 451
help-desk ticketing systems 116
heterogeneous environment 85
HIPAA 6, 58
compliance management module 303
historical log data 138
historical reporting 116
I
IBM
Method for Architecting Secure Solutions
see MASS
SIEM solution 17, 108
IBM System Storage DR550 97
IBM Tivoli Compliance Insight Manager
see Compliance Insight Manager
IBM Tivoli Security Compliance Manager
see Security Compliance Manager
IBM Tivoli Security Operations Manager
see Security Operations Manager
identity
revalidation process 22
L
large deployment 86
legal obligations 9
level
of automation 9
of reporting 8
liability 447
line of business security 118
Linux
SSH collect 83
Syslog receiver 83
load period 394
load schedule 94, 183
log
aggregation 114
analysis 114
collection 99, 112
continuity 31
continuity dashboard 99
continuity report 112
generator 95
continuous collection 39
correlation 114
data 97
data capturing 15
depot 108
event collection 40
historical data 138
history 31
management 31, 112, 120
management for AIX 245
management for Domino 262
management for Oracle 272
management for SAP 279
management for System Z 307
management portal 108
manager 88
script 379
logging
business requirement 141
requirements 28
IT security policy 148
standards 111
login files
AIX 245
Logon Failure Summary report 235
logon policies 55
logs 96
long-term storage 36
M
Magic Quadrant for Security Information and Event Management 16
mainmapper
log files 94
mainmapper-.log 96
maintain compliance 58
maintenance
compliance 10
malware 114
managed security services 25, 117
management charts 35
Management Console 28, 32–33, 36, 82, 98, 157, 345
manual
collect command 42
mapper 50, 55
mapping
process 37, 46
MASS 78
medium deployment 85
meta
event 400, 403
information 48
misconfiguration 114
monitor compliance 58
monitored environment 22
monitoring 15, 87
requirements 101
MTP 115
multivendor environment 114
N
NetBIOS
agentless collection 43–44
event collection 40
network
administrators 122
analysis 106
appliance auditing 84
availability 113
models 78
operations 122
security devices 104
traffic 112
zones 81
non-functional requirements 87, 145
non-repudiation 304
normalization
W7 data 50
normalized audit data 35
normalized log data 28
normalizing
GEM data 48
O
ODBC
event collection 40
OnWhat 49
operational efficiency 74
operational requirements 87
Oracle
attention rule 278
audit policy 275
data collection 40
event source 274
log management 272
Orange book 452
organizational
complexity 9
level design 23
level security control 5
P
password
length 5
patch management 22
PCI 6, 111, 119
people events 20
performance efficiency 10
plugger.log 96
Point of Presence 33, 40, 81, 83, 245
Domino 262
Enterprise Server 80
Oracle 274
port configuration 177
SAP 281
policies and standards 10
policy
attention report 48
breach detection rule 401
breach on AIX 259
compliance management 104
corporate 447
definition
business requirement 142
exception report 48, 202
exceptions 226, 444
exceptions for AIX 258
framework 4
R
RACF 314
raw
data 97
event data
mapping 50
log data 45
traces 31
real time
correlation 18, 120
event collection 112
record oriented
collection of log data 45
Redbooks Web site 469
Contact us xiv
regulatory
changes 13
compliance 74, 104, 138
reporting 303
obligations 9
requirements 22, 137, 148
remote
data collection 43
report
distribution 95
generation task 94
policy exception 48
reporting 120
business requirement 144
customized 290
database 35
detailed investigation 236
iView 233
Logon Failure Summary 235
policy exception 202
process 57
requirements 74, 101, 160, 309
reports 22, 357
Request for Proposal 22
restart task 95
restart.log 96
retention of records 108
retention policy 108
RFP 22
risk
assessment 74, 106, 147
management 6
role 20
root cause analysis 290
rule-based correlation 109, 115
S
SAN 75, 86, 97
SAP
attention rules 284
audit log 279
event source 281
log management 279
Sarbanes-Oxley 4, 57–58, 119, 401
compliance management module 303
Sarbanes-Oxley Act 22, 451
scalability 99
scenario
business objectives 133
business requirements 138
cluster configuration 153
compliance monitoring 134
design objectives 145
functional requirements 139
high level design 153
implementation approach 148
IT environment 130
regulatory requirements 137
reporting requirements 160
scope of compliance checking 8
secure connection
SSH 43
security
administrator 122
architecture 78
clearance 55
compliance 5
compliance architecture 13
compliance monitoring 134
controls 4–5, 8
dashboard 124
devices 104
domain 79
incident 113
incident management 106
incident response capabilities 15
log 39
operations center 107
operations dashboard 120
operator 106
Oracle log 40
policies 5
System Z
event source 330
log management 307
LPAR recommendations 321
policy rule 349
reporting requirements 309
SMF data 318
systematic attack detection 290
T
target
system 22
user 22
tasks 94
tcimlogger script 400
technical
direction 13
security control 5
tasks 21
technological complexity 9
technology changes 14
text based
collection of log data 45
threat
analysis 109
assessment 106
management 14, 104
threshold event 292
ticketing system 116
Tivoli Compliance Insight Manager 57
Tivoli Enterprise Console 116
Tivoli Omnibus 116
trending information 35
trends 238
U
ubiquitous log collection 44
UK Data Protection Act 1998 454
Universal Collection Module 424
installation 428
UNIX
agentless collection 43–44
SSH collect 83
user behavior 20
User Information Source 194
UTF-8 encoding 68
V
Virtual IP Addressing 327
virtual private network 32, 114
vulnerability
correlation 115
management 106
W
W7
analysis 46
attention rule 212
attributes 48
categories 57
category 57
classification scheme 48
Classification Template 348
data store 35
dimension 60
dimensions 374
format 57, 59
grammar 50
grouping functions 48
groups 50, 52, 157, 194, 202, 355
language 28, 438
log event format 59
log event sources 59
methodology 71
model 46, 49
parameters 375
policies 48
policy rule 210
rules
configuration 194, 202
W7LogSDK 59, 373, 393
collect custom log data 45
CSV format 67
Format Verification tools 71
toolkit 27
XML format 68
Web portal 28, 88
logs 96
Web-based reporting application 32
What 49
When 49
Where 49
WhereFrom 49
WhereTo 49
Who 49
Windows
agentless collection 43
audit subsystem 75
event management API 83
Windows 2003 Server
audit policy 161
wizard 388
work policy
creation 202
worm
detection event 401
propagation attempt 402
X
XML 115
log file 59, 70
Z
z/OS 124
log 124
Back cover
Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager
Enterprise integration for operational and regulatory compliance
Complete architecture and component discussion
Deployment scenario with hands-on details
INTERNATIONAL TECHNICAL SUPPORT ORGANIZATION
BUILDING TECHNICAL INFORMATION BASED ON PRACTICAL EXPERIENCE
ISBN