Chapter 6. Technical implementation
6.1 Deployment phase I
6.1.3 Deploying clients
The project team starts the Security Compliance Manager client rollout activities at the very beginning of the project, as illustrated in Figure 6-1 on page 116. The IT infrastructure is managed by local teams using different methods and techniques to install and maintain the systems. Therefore, the project team delegates the rollout of the Security Compliance Manager client software to the local teams, who decide on the method of the client installation. Some local administration teams use a response file to silently install the software, as described in “Client installation” on page 38. Other teams integrate the Security Compliance Manager client software into a Tivoli Software Distribution environment. Regardless of the installation method, the central project team provides the following guidelines for the local teams to implement:
For each platform, the central team specifies a home directory for the Security Compliance Manager software. In case of installation problems, it is easier for the central support team if all the Security Compliance Manager client installations follow the same rules.
The Security Compliance Manager home directory should not be on the root file system. In later project phases, additional policies will be implemented that cause more collectors to be deployed to the client systems. Therefore, on UNIX-based systems, the Security Compliance Manager client is installed in its own file system with a size of 150 MB or more.
If the clients are connected directly to the Security Compliance Manager server, they are configured as push clients, which reduces the number of connections that are open at the Security Compliance Manager server system. Push clients require fewer resources on the Security Compliance Manager server than pull clients. Pull clients are configured only if they are connected through a proxy relay or if required by firewall rules.
Client organization (grouping)
avoiding unnecessary administration overhead in the security compliance process.
The project team starts by analyzing ABBC’s IT administration organization. It turns out that each geography runs several teams that are responsible for a particular subset of technologies; for example, there are UNIX teams covering the different UNIX flavors, Windows teams, and database teams. The project team has an organizational view as depicted in Figure 6-3.
Figure 6-3 Mapping of ABBC’s IT organization to Security Compliance Manager groups
The next step is to map the administration teams and the machines they are responsible for to Security Compliance Manager client groups. The grouping of Security Compliance Manager clients aims to achieve the following targets:
The Security Compliance Manager clients must be assigned to user groups so that the administration teams have only access to their own machines. Administration teams can find their own machines more easily and do not mix up machines.
Security Compliance Manager reports and operational reports can be reduced to groups belonging to an administration team.
[Figure 6-3 diagram: organizational view of the USA geography (Admin team 1 (UNIX), Admin team 2 (UNIX), Admin team 3 (Windows), Admin team 4 (Databases)) with DMZ and Production zone systems such as webs1.ab_bank.com, webs2.ab_bank.com, webs3.ab_bank.com, oba_p1.ab_bank.com and oba_p2.ab_bank.com, mapped to the ITSCM console view]
Figure 6-3 on page 122 also depicts the mapping of the organizational entities to Security Compliance Manager client groups. The first level of groups separates the different administration teams. Access to the first level provides access to all systems in the subgroups of the team. The second level differentiates between groups having different security policies. An important feature of Security Compliance Manager is the possibility to add one Security Compliance Manager client to different groups. For example, the UNIX administration team 1 manages the system oba_p1.ab_bank.com. The database team 4 also manages the same system, being responsible for its DB2 database. In our example, oba_p1.ab_bank.com is a member of the group US.Team1.AIX.PROD and a member of the group US.Team4.DB2. Both administration teams have access to the same Security Compliance Manager client, but use different policies attached to the corresponding group.
Bulk registration of clients
Having created the group schema in the Security Compliance Manager database, the project team starts to upload the IT systems to the Security Compliance Manager database. The IT systems are listed in a central database, including all relevant information required for registering with the Security Compliance Manager server. The project team wants to automate the registration process at the beginning of the project, as several thousand machines are involved. They export the list of IT systems in comma separated value (CSV) format. Based on this list, there are two options to automatically register the clients:
Security Compliance Manager command line tools
Security Compliance Manager provides the command line tool scmregisterclient to register clients. The command takes the following client attributes:
– Name of the client
– Client type (push or pull)
– Client port
This information is sufficient to register a client. Additional fields, like the proxy relay to be used and the description field, have to be filled in manually. The CLI command scmaddgroupclient adds clients to their client groups. Using the CLI commands does not require a Security Compliance Manager server reboot and is the recommended method.
Database import
There is the option to import the CSV data directly into Security Compliance Manager’s database, which is very useful for the initial upload of many IT
Manager server so that the server recognizes the new clients. Additionally, a unique client ID has to be provided.
The project team already created a complete CSV list containing ABBC’s IT systems. Each line of the CSV file is formatted in the following way:
<client ID>, <IP address>, <proxy ID>, <client port>, <can masquerade>, <client name>, <offline (’x’=offline)>, <client type(3=PULL,2=PUSH)>, <description>
Here are some example entries from this CSV file:
2,"10.92.93.57.68",1,1950,,"webs1.ab_bank.com","3",,"Web server"
3,"10.92.93.57.69",1,1950,,"webs2.ab_bank.com","3",,"Web server"
4,"10.92.93.57.70",1,1950,,"webs3.ab_bank.com","3",,"Web server"
5,"10.93.25.10",1,1950,,"oba_p1.ab_bank.com","3",,"Online banking system"
6,"10.93.25.11",1,1950,,"oba_p2.ab_bank.com","3",,"Online banking system"
Another CSV file contains client IDs and group IDs reflecting the group membership of the new clients. The client IDs in both examples correspond to the values shown in Figure 6-3 on page 122. Here are some entries from this CSV file:
2,2
2,3
2,4
15,5
15,6
The complete list of clients and their group membership information can be uploaded using the following DB2 commands:
db2 import from <client CSV file> of del messages /tmp/scm_import.msg insert into jac_sys.clients
db2 import from <group CSV file> of del messages /tmp/scm_import.msg insert into jac_sys.gro_cli_members
After importing the client and group information, the Security Compliance Manager server needs to be restarted. Therefore, this method is not recommended after the initial upload. Its advantage is that the clients are uploaded with one command and all required fields, such as proxy information and description fields, are included.
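The following script is an added example, not code from the book or from the Security Compliance Manager product. It builds the two DB2 import files (clients and group membership) from an inventory export, validating every record before anything reaches the database, because a bad row is cheaper to catch here than after the server restart that the import method requires. The inventory layout, the group-name-to-ID table, the starting client ID and the validation rules are assumptions for this example. The column order follows the field list given above; the chapter’s own sample rows show the type value one field earlier, so check the order against the real jac_sys.clients table before running db2 import.

```python
"""Build DB2 'del' import files for the bulk client registration above.
Added example, not from the book: the inventory layout, the group ID table,
the starting client ID and the validation rules are assumptions."""
import csv
import io
import ipaddress

# Column order of jac_sys.clients as given in the chapter's field list:
# client ID, IP address, proxy ID, client port, can masquerade, client name,
# offline ('x' = offline), client type (3 = PULL, 2 = PUSH), description.
# The chapter's sample rows show the type value one field earlier, so verify
# the real column order (db2 describe table jac_sys.clients) before importing.
CLIENT_TYPE = {"push": 2, "pull": 3}
DEFAULT_PORT = 1950

# Constructed inventory export (assumed layout).  Several groups per host are
# separated by ';' because one client may belong to more than one group.
INVENTORY_CSV = """hostname,ip,client_type,proxy_id,groups,description
webs1.ab_bank.com,10.92.93.68,pull,1,US.Team1.AIX.DMZ,Web server
webs2.ab_bank.com,10.92.93.69,pull,1,US.Team1.AIX.DMZ,Web server
oba_p1.ab_bank.com,10.93.25.10,push,,US.Team1.AIX.PROD;US.Team4.DB2,Online banking system
"""

# Assumed group name -> gro_id mapping; the IDs are constructed for this example.
GROUP_IDS = {"US.Team1.AIX.DMZ": 2, "US.Team1.AIX.PROD": 3, "US.Team4.DB2": 6}


def build_import_rows(inventory_text, group_ids, first_client_id=2, port=DEFAULT_PORT):
    """Return (client_rows, member_rows) for jac_sys.clients and
    jac_sys.gro_cli_members.  Every record is validated here, so a bad line
    fails before anything reaches DB2 and the server restart that follows."""
    if not 1 <= port <= 65535:
        raise ValueError(f"client port out of range: {port}")
    client_rows, member_rows = [], []
    seen = set()
    next_id = first_client_id
    for rec in csv.DictReader(io.StringIO(inventory_text)):
        name = rec["hostname"].strip().lower()
        if not name or name in seen:
            raise ValueError(f"missing or duplicate client name: {name!r}")
        seen.add(name)
        ip = str(ipaddress.ip_address(rec["ip"].strip()))       # rejects malformed addresses
        ctype = CLIENT_TYPE[rec["client_type"].strip().lower()]  # KeyError on unknown type
        proxy = int(rec["proxy_id"]) if rec["proxy_id"].strip() else None
        groups = [g.strip() for g in rec["groups"].split(";") if g.strip()]
        if not groups:
            raise ValueError(f"{name}: a client must belong to at least one group")
        client_rows.append([next_id, ip, proxy, port, None, name, None, ctype,
                            rec["description"].strip()])
        for group in groups:
            member_rows.append([next_id, group_ids[group]])  # KeyError on unknown group
        next_id += 1
    return client_rows, member_rows


def to_del(rows):
    """Render rows in DB2 'del' format like the chapter's samples: integers
    bare, strings double-quoted (embedded quotes doubled), None as an empty
    field so DB2 loads it as NULL."""
    lines = []
    for row in rows:
        cells = []
        for value in row:
            if value is None:
                cells.append("")
            elif isinstance(value, int):
                cells.append(str(value))
            else:
                cells.append('"' + str(value).replace('"', '""') + '"')
        lines.append(",".join(cells))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    clients, members = build_import_rows(INVENTORY_CSV, GROUP_IDS)
    with open("clients.del", "w") as f:      # <client CSV file> for db2 import
        f.write(to_del(clients))
    with open("members.del", "w") as f:      # <group CSV file> for db2 import
        f.write(to_del(members))
```

The two files it writes are the inputs for the db2 import commands above. The membership rows for oba_p1.ab_bank.com show the multi-group case from the grouping section: the same client ID appears once under US.Team1.AIX.PROD and once under US.Team4.DB2.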
Tracking of the rollout progress
The Security Compliance Manager administration console displays the Security Compliance Manager clients as inactive for as long as the actual rollout of the client software takes. During the rollout phase, more and more Security Compliance Manager clients automatically change into the active state. Security Compliance Manager provides the CLI command scmlistclients, which lists the client attributes and the client status, as shown in Example 6-1 on page 125.
Example 6-1 Result of the scmlistclients command
Registered clients for server: abbc_scm1
Client name: cc_p1.ab_bank.com (ID = 1) - active
Client name: webs1.ab_bank.com (ID = 2) - active
Client name: webs2.ab_bank.com (ID = 3) - inactive
Client name: webs3.ab_bank.com (ID = 4) - active
Client name: oba_p1.ab_bank.com (ID = 5) - inactive
Client name: oba_p2.ab_bank.com (ID = 6) - inactive
The client list, including the clients’ status, provides enough information for the project team to verify whether the Security Compliance Manager client software is installed and whether the client connectivity is configured correctly at the firewalls between the Security Compliance Manager server and the subnetworks. Alternatively, the project team can create a Security Compliance Manager internal report querying the Security Compliance Manager client’s operating system version. When the Security Compliance Manager client is connected successfully, the client provides the operating system version to the Security Compliance Manager server, which stores the value in the column OS_NAME of the Security Compliance Manager database table jac_sys.clients. The corresponding report uses the following SQL statement:
select cli_id, alias, primary_ip from jac_sys.clients where OS_NAME is null
This query lists all clients that were never connected to the Security Compliance Manager server.
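To follow the rollout per administration team rather than as one flat list, the scmlistclients output can be joined with the group membership file. The script below is an added example, not from the book: the command output is constructed in the format of Example 6-1, the membership pairs follow the membership CSV format, and the group names for those IDs are assumptions. It reports active/total counts and the inactive machines for each group, and separately flags registered clients that belong to no group, since those would be missing from every team’s report.

```python
"""Summarise scmlistclients output per client group to track the rollout.
Added example, not from the book: the command output and the membership
pairs are constructed to match Example 6-1 and the membership CSV format;
the group names are assumptions."""
import re
from collections import defaultdict

# Constructed output in the format of Example 6-1.
SCMLISTCLIENTS_OUTPUT = """Registered clients for server: abbc_scm1
Client name: cc_p1.ab_bank.com (ID = 1) - active
Client name: webs1.ab_bank.com (ID = 2) - active
Client name: webs2.ab_bank.com (ID = 3) - inactive
Client name: webs3.ab_bank.com (ID = 4) - active
Client name: oba_p1.ab_bank.com (ID = 5) - inactive
Client name: oba_p2.ab_bank.com (ID = 6) - inactive
"""

# Constructed (client ID, group ID) pairs in the membership CSV format, and
# assumed group names for those IDs.
MEMBERSHIP_CSV = "2,2\n3,2\n4,2\n5,3\n5,6\n6,3\n"
GROUP_NAMES = {2: "US.Team1.AIX.DMZ", 3: "US.Team1.AIX.PROD", 6: "US.Team4.DB2"}

CLIENT_LINE = re.compile(
    r"^Client name: (?P<name>\S+) \(ID = (?P<id>\d+)\) - (?P<status>active|inactive)\s*$")


def parse_client_list(text):
    """Return {client_id: (name, status)}.  Any line that is neither the
    header nor a client line raises, so a changed output format is noticed
    rather than silently counted as 'nothing inactive'."""
    clients = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Registered clients for server:"):
            continue
        match = CLIENT_LINE.match(line)
        if not match:
            raise ValueError(f"unrecognised scmlistclients line: {line!r}")
        clients[int(match["id"])] = (match["name"], match["status"])
    return clients


def progress_by_group(clients, membership_csv, group_names):
    """Return {group_name: (active, total, inactive_names)} so each
    administration team can follow the rollout of its own machines."""
    members = defaultdict(list)
    for line in membership_csv.splitlines():
        if line.strip():
            cli_id, gro_id = (int(x) for x in line.split(","))
            members[gro_id].append(cli_id)
    report = {}
    for gro_id, ids in members.items():
        # KeyError here means the membership file names a client that was never registered.
        statuses = [clients[i] for i in ids]
        inactive = sorted(name for name, status in statuses if status != "active")
        report[group_names.get(gro_id, f"group {gro_id}")] = (len(ids) - len(inactive), len(ids), inactive)
    return report


def unassigned_clients(clients, membership_csv):
    """Registered clients that are in no group: no team's report covers them."""
    assigned = {int(line.split(",")[0]) for line in membership_csv.splitlines() if line.strip()}
    return sorted(name for cid, (name, _) in clients.items() if cid not in assigned)


if __name__ == "__main__":
    registered = parse_client_list(SCMLISTCLIENTS_OUTPUT)
    report = progress_by_group(registered, MEMBERSHIP_CSV, GROUP_NAMES)
    for group, (active, total, inactive) in sorted(report.items()):
        print(f"{group}: {active}/{total} active; inactive: {', '.join(inactive) or '-'}")
    print("not in any group:", unassigned_clients(registered, MEMBERSHIP_CSV))
```

Run it against the saved output of scmlistclients and the membership file from the bulk registration; a group that stays at zero active clients after the local team reports the installation as done usually points at the firewall rules between the server and that subnetwork rather than at the client software.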
Implementing delegated administration
Security Compliance Manager provides a role based access control system that is conceptually described in 3.2.5, “Delegated administration” on page 63. The project team implements the administration model depicted in Figure 6-4.
[Figure 6-4 diagram: user groups US_Team1, US_Team2, US_Team3, …, Maintenance and Audit; the roles Senior Admin Role, Snapshot Admin Role and Policy Admin Role, and the System Admin Role template with the child roles US-Team1, US-Team2, US-Team3, …; the US-Team1 role for administration team US_Team1 carries the functions Manage snapshots, Execute reports, Test collector and View clients, the group objects US.Team1.AIX.DMZ, US.Team1.AIX.PROD and US.Team1.Solaris, and the policy objects ABBC_AIX_PROD, ABBC_AIX_DMZ, …; the maintenance team and security audit groups are mapped to the default roles]
The first step is to define the user groups. There is one user group for each local administration team, the maintenance team, and the security audit team. The project team assigns Security Compliance Manager’s default Senior Admin Role to the Maintenance user group. It provides the maintenance team with all administration rights. The security audit team requires only the ability to schedule snapshots and assign policies. This functionality is provided by the default roles Snapshot Admin and Policy Admin.
The local IT administration teams all require the same Security Compliance Manager functions to create ad-hoc snapshots, run reports, and validate the Security Compliance Manager client status, but on different Security Compliance Manager objects. Therefore, the project team creates the role template System Admin Role, which grants the required Security Compliance Manager functions. The required Security Compliance Manager objects, such as group objects and policy objects, are assigned to the team roles.
Start the Security Compliance Manager administration console and open the folder Users/Roles → Roles, click the Create Role button, specify a role name, and confirm by clicking OK. Next, select Template in the Type section. Clicking Add Resource Tabs opens a window that offers the function types that you can add to the role template. Select Client Groups, Clients, Policies, and Reports, as shown in Figure 6-5.
Click OK and select the functions for each function type as required. For the administration teams select View groups, Test collectors, Manage snapshots, and Execute reports. Click Save Role Information. In the next step, you have to create an administration team role. Click Create Role again and specify the role name US-Team1. This time, select Normal as the role type. Right-click the newly created role and select Inherit permissions from template, as shown in Figure 6-6.
Figure 6-6 Inheriting permissions from a template
The user team role is now listed as a child of the System Admin Role template, as shown in Figure 6-7. Add the resource objects to the team role. For example, in the Client Groups tab in the Role Definition section, click Add Resources. In the Add Resources window, select the groups belonging to the administration team, and click OK.
Figure 6-7 Adding objects to the team role
you should consider using SQL statements to add clients to a role. For example, if all clients belonging to US-Team1 should be added to the role, you can use the SQL statement shown in Example 6-2. You have to replace ROLE_NAME with the name of the role, as displayed in the Security Compliance Manager administration console, and LIST_OF_GROUP_IDS with the Security Compliance Manager group IDs belonging to the role. The Security Compliance Manager server makes use of the new configuration immediately.
Example 6-2 Adding clients to a role using SQL
-- Rows for jac_sys.rol_obj_mapping (rol_id, obj_id, id): every client in the
-- listed groups that is not yet mapped to the role
select distinct r.rol_id, o.obj_id, c.cli_id
  from jac_sys.clients c, jac_sys.roles r, jac_sys.gro_cli_members m,
       jac_sys.groups g, jac_sys.object_class o
 where m.cli_id_child = c.cli_id
   and g.gro_id = m.gro_id_parent
   and g.gro_id in (<LIST_OF_GROUP_IDS>)
   -- leave out clients that are already mapped to this role
   and c.cli_id not in
       ( select rm.id from jac_sys.rol_obj_mapping rm
          where rm.rol_id = r.rol_id and rm.obj_id = o.obj_id )
   -- object class of client objects
   and o.classname = 'com.ibm.jac.server.JACClientImpl'
   -- the role name is a string and must be quoted
   and r.name = '<ROLE_NAME>'