©Copyright International Business Machines Corporation 2009. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
NOTE: Before using this information and the product it supports, read the general information under Notices in this document.
Date: 2010 January 12
This fix pack corrects problems in IBM Tivoli Compliance Insight Manager, Version 8.0.0. It requires that IBM Tivoli Compliance Insight Manager, Version 8.0.0, is installed. After installing this fix pack, your Tivoli Compliance Insight Manager installation will be at level 8.0.0.10.
This fix pack package contains:
This fix pack is distributed as an electronic download from the IBM Support Web Site.
This fix pack package supports the same operating system releases as the Tivoli Compliance Insight Manager release that are listed in the Hardware and software requirements document.
This fix pack supersedes the Windows, AIX and Solaris parts of fix packs 8.0.0-TIV-TCIM-FP001, 8.0.0-TIV-TCIM-FP002, 8.0.0-TIV-TCIM-FP003, 8.0.0-TIV-TCIM-FP004, 8.0.0-TIV-TCIM-FP005, 8.0.0-TIV-TCIM-FP006, 8.0.0-TIV-TCIM-FP007, 8.0.0-TIV-TCIM-FP008 and 8.0.0-TIV-TCIM-FP009. For the HP-UX actuator the last fix pack is 8.0.0-TIV-TCIM-FP007. For the z/OS actuator the last fix pack is 8.0.0-TIV-TCIM-FP005.
Tivoli Compliance Insight Manager supports multiple platforms; a separate package is installed for each platform that requires updates. The package contains the updates for all components installed on that platform.
The following problems are corrected by this fix pack. For more information about the APARs listed here, refer to the Tivoli Compliance Insight Manager support site.
Please be aware of the following considerations before installing this fix pack:
Before installing the fix pack on a Microsoft Windows system:
To install the fix pack, run 8.0.0-TIV-TCIM-Win32-FP010.exe.
The fix pack installation program determines which Tivoli Compliance Insight Manager components are installed on the system and applies the necessary updates to those components. If you have previously installed one or more interim fixes to the system, the fix pack automatically detects them and applies the necessary fixes.
To apply the Fix Pack for Tivoli Compliance Insight Manager Actuator for AIX, follow these steps:
# gzip -dc 8.0.0-TIV-TCIM-AIXPPC32-FP010.tar.gz | tar xvf -
# sh apply.sh /usr/lpp/IBM/TCIM/actuator
# ps -ef | grep agent
To apply the Fix Pack for Tivoli Compliance Insight Manager Actuator for Solaris, follow these steps:
# gzip -dc 8.0.0-TIV-TCIM-SolarisSparc-FP010.tar.gz | tar xvf -
# sh apply.sh /opt/IBM/TCIM/actuator
# ps -ef | grep agent
After the fix pack has been installed it is possible that one or more web applications are not accessible (for instance, failing with code 404). To solve this problem, stop the "IBM Tivoli Compliance Insight Manager Tomcat" service, delete all subfolders from the following directory:
<TCIM folder>\iView\tomcat\webapps
Do not delete the files in that folder, only the subdirectories. After that, restart the "IBM Tivoli Compliance Insight Manager Tomcat" service, and all web applications will be accessible again.
Addendum for TCIM v80 Install Guide, Tivoli Compliance Insight Manager 8.0 Installation Guide, Installing Tivoli Compliance Insight Manager, Planning the installation (page 10)
An additional, fifth note should be added:
5. When installing the database engine, the TCIM password policy needs to be applied to any new user created (TCIM v80 User Guide, page 84):
"Passwords must start with a letter, can include up to 20 alphanumeric characters, but cannot include spaces, punctuation, or other symbol characters, such as ~ or +".
Although the policy is not enforced at this point, it is important to choose passwords that TCIM will accept in later installation steps.
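The quoted policy is easy to check mechanically before a database user is created. The following Python is an added example, not IBM's code and not part of this readme; the function names is_tcim_compatible and policy_violations are its own, and it interprets "letter" and "alphanumeric" as ASCII letters and digits.

```python
import re

# Policy as quoted from the TCIM v80 User Guide (page 84): the password starts
# with a letter, is at most 20 characters long and contains only letters and
# digits (no spaces, punctuation or symbol characters such as ~ or +).
_POLICY = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,19}$")


def is_tcim_compatible(password):
    """True if the password satisfies the quoted policy."""
    return _POLICY.fullmatch(password) is not None


def policy_violations(password):
    """Return every rule the password breaks, so all of them can be fixed at once."""
    if not password:
        return ["password is empty"]
    problems = []
    first = password[0]
    if not (first.isascii() and first.isalpha()):
        problems.append("must start with a letter")
    if len(password) > 20:
        problems.append(f"has {len(password)} characters, maximum is 20")
    # Anything that is not an ASCII letter or digit is disallowed (space, ~, +, accented letters ...).
    bad = sorted({c for c in password if not (c.isascii() and c.isalnum())})
    if bad:
        problems.append("contains disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate in ["Insight2010", "2010insight", "in sight", "9abc~def", "a" * 21]:
        verdict = "ok" if is_tcim_compatible(candidate) else "; ".join(policy_violations(candidate))
        print(f"{candidate!r:16} {verdict}")
```

Run the check against the password you intend to give the database user before the engine is installed; a password that fails here will be rejected by TCIM later in the installation.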
Addendum for TCIM v80 install manual, Tivoli Compliance Insight Manager 8.0 Installation Guide (page 334), requirement 4
If a firewall is present, ports 446, 448 and 449 also need to be opened, as they're needed to perform DDM/DRDA on iSeries.
Correction for TCIM v80 install manual, Tivoli Compliance Insight Manager 8.0 Installation Guide (page 338), "Configuring iSeries manually" point 12
The final step of the manual configuration of iSeries (point 12, scheduling a job) should be skipped, as it will override the operation at point 10; also, the functionality of that scheduled job is already taken care of by the actions of point 11 of the same section. In case that job has already been scheduled, make sure to remove it and repeat the operations described in point 10.
The IBM Tivoli Identity Manager event source has the following editable properties after applying this FP:
Database Product: The name of the database product where IBM Tivoli Identity Manager audit records are stored. Possible values are: DB2, MS SQL, and Oracle.
Database Name: The name of the database where IBM Tivoli Identity Manager audit records are stored. The default value is itimdb.
Database Schema: The name of the database schema where the Tivoli Identity Manager audit tables reside. The default value is itimuser. Note: For IBM Tivoli Identity Manager 4.6, the schema of the audit tables is enrole and cannot be configured; enrole is the only possible value.
Database Port: The port number on the audited system that is assigned to the IBM Tivoli Identity Manager database service. The default ports are:
User Name: The name of the user account that Tivoli Compliance Insight Manager can use to connect to the IBM Tivoli Identity Manager database back-end. This account must have at least read permissions on the AUDIT_EVENT, AUDIT_MGMT_TARGET, AUDIT_MGMT_DELEGATE and AUDIT_MGMT_PROVISIONING tables of the Tivoli Identity Manager database. The default value is username.
User Password: Defines the password for the user account defined in the User Name property. The default value is "" (empty).
Collect Directory: The name of the directory to store temporary files. The default value is /tmp. (This property is not present for Windows systems.)
Addendum for TCIM v80 installation manual, Chapter 45. Configuring auditing for BMC Control-SA, page 264
"ESS Version 3.2.03 or higher" should be replaced by "ESS Version 3.2.03"
Addendum for TCIM v80 installation manual, Chapter 54. Configuring auditing for McAfee IntruShield IDS, page 354
"McAfee Version 1.9 or higher" should be replaced by "McAfee Version 1.9"
Addendum for TCIM v80 installation manual, Chapter 56. Configuring auditing for Novell Advanced Audit Service, page 365
"Novell NetWare 6.0 Support Pack 2 or higher" should be replaced by "Novell NetWare 6.0 Support Pack 2"
Addendum for TCIM v80 installation manual, Chapter 52. Configuring auditing for Symantec AntiVirus, page 347
"Symantec AntiVirus Version 9.0 and higher." should be replaced by "Symantec AntiVirus Version 9.0"
Please have a look at Available Compliance Management Modules and Event Sources for the platforms that are supported by TCIM. Note: some of the supported platforms may require an additional installation of an event source.
Addendum for TCIM v80 installation manual, Chapter 47. Configuring auditing for Microsoft SQL Server, page 284, and the readme for the MSSQL 2008 ES
Windows Authentication is not possible for this Event Source, only MSSQL Authentication is possible.
Addendum for TCIM v80 install manual, Chapter 50. Configuring auditing for iSeries, Configuring the platform for auditing
It's important to confirm that the iSeries Remote Collect user profile (i.e. TCIM) is fully authorized to itself. In the rare case that the collect user isn't fully authorized to its profile, the CHGAUT (Change Authority) iSeries CL command may be used to give the collect user profile full permissions on the object representing the collect user profile (*USRPRF). For example, if the collect user name is TCIM, the full command is:
CHGAUT OBJ('/qsys.lib/tcim.usrprf') USER(TCIM) DTAAUT(*RWX) OBJAUT(*ALL)
The MS SQL Server event source that is provided with Tivoli Compliance Insight Manager Version 8.0 supports the audit trails only for systems running Microsoft SQL Server versions 2000 SP3, 2000 SP4, 2005 (default instances). The existing 'MS SQL Server' event source was renamed to 'MS SQL Server 2000-2005(deprecated)'.
The new MS SQL Server 2000-2008 event source that is provided adds support for named instances of MS SQL Server 2000, 2005 and 2008, and for MS SQL Server clusters.
A new option, 'MSSQL instance name,' is used to provide access to clusters and named instances:
The format of the 'MSSQL instance name' option is: server_name\instance_name
To connect to the named (non-default) instance of an SQL Server, specify the option as server_name\instance_name. To connect to an MS SQL Server on clusters, specify instance_name.
server_name is the hostname (or IP) of the server where the MS SQL instance is located; instance_name is the name of an MS SQL instance (or MS SQL cluster). When collecting from default instances, the 'MSSQL instance name' option is not needed.
NOTES:
Addendum for TCIM v80 install manual, Installing Tivoli Compliance Insight Manager components (page 12), item 14
The iText path should not contain space characters.
Addendum for TCIM v80 install manual, Enabling the PDF export function after installation (page 17), item 1
The iText path should not contain space characters.
Addendum for TCIM v80 user manual, Exporting iView data to other formats, Exporting to PDF format (page 185)
Only reports up to 32 000 rows can be exported as PDF. For larger reports, one of the other formats has to be used.
To improve the speed of opening the iView dashboard, additional modes of the NodeGrid on the GEM dashboard page are introduced. Besides the "Full" mode, the only mode available before this fix, the modes "Reduced" and "Disabled" are introduced. The mode used for GEM databases can be defined on the Settings page, in the section "NodeGrid Mode".
When the "Full" mode is enabled, the NodeGrid is calculated based on all events in the GEM database. This mode can be slow when a lot of data is stored in the GEM database.
When the "Reduced" mode is enabled, on the GEM Db Summary page a "reduced" version of NodeGrid is shown in order to speed up the time of opening the page. The "reduced" mode of NodeGrid is based on the first N events in the gem event table. The default N value is 1 000 000.
To change the performance of the "Reduced" mode, change the value of N (the events limit) that is used for this mode. To do so, add the following lines to the [TCIM directory]\iView\tomcat\conf\iview.ini file:
[NodeGrid]
nodegrid_reduced_limit=3000000
where the parameter nodegrid_reduced_limit indicates the value of the limit (N).
The smaller the value of nodegrid_reduced_limit, the faster the DB Summary page opens, and the less the reduced NodeGrid resembles the full NodeGrid, because it is based on only part of the events. The "reduced" version of NodeGrid also does not contain composite groups. It contains only the information about the events of the selected or the most important groups. The caption of the NodeGrid reflects the fact that the NodeGrid is reduced.
When the "Disabled" mode of NodeGrid is enabled, no NodeGrid is shown on the GEM Db Summary page. Instead of the NodeGrid, the message "NodeGrid is disabled" is shown. This mode gives the best performance when opening the GEM dashboard.
For experienced TCIM users only, when in doubt, please contact TCIM L2
During the mapping phase, the "gethostname" GSL operator queries the DNS for the host name corresponding to the supplied argument, which is assumed to be an IP address. Use of this operator can seriously reduce the performance of the mapper.
To solve the performance problem, it's possible to disable the "gethostname" function in "gensub.ini", at the cost of not having the reverse lookups in the mapped results.
To disable the "gethostname" function for all ESes, the following lines have to be added to <TCIM directory>\server\run\gensub.ini:
[RegexOperators]
gethostname=nl.consul.cea.gensub.scanning.regex.OperLit
It's also possible to disable the operator for a specific GSL file. To disable the function for a specific GSL file, the following lines should be added to the <TCIM directory>\server\run\gensub.ini file:
[RegexOperators.<GSL file name without the extension>]
gethostname=nl.consul.cea.gensub.scanning.regex.OperLit
For instance, the following lines will disable the "gethostname" function for FW1.gsl:
[RegexOperators.FW1]
gethostname=nl.consul.cea.gensub.scanning.regex.OperLit
When configuring RSA, ensure that only RSA authentication logfiles will be found in the Eventsource Properties RSA Log directory because all files in this directory will be processed and deleted, even when these are not logfiles.
For the following Event Sources we added an additional property 'Collect Directory':
This property could be used to specify a path to the directory where the TCIM Actuator stores its temporary files; these temporary files contain audit data created during collect before it is transferred to the log depot. The default value points to the directory /tmp. This value can be changed. Ensure that the directory exists; otherwise, collect will not start.
Note: For the SSH versions of the event sources listed above, the 'Collect Directory' property is not used. The TCIM Actuator stores its temporary files in the run directory in the SSH user's home directory.
This document contains some additional information which is missing in the IBM Tivoli Compliance Insight Manager (TCIM) version 8.0 and 8.5 user manuals.
The depot investigation tool works in 2 steps:
Therefore it is possible that the "Search summary" lists a block of events while the "Search results" contains no results.
This is illustrated by the following example:
This is explained by the fact that "Cleve400" is contained in the block of events, but NOT in the field "result".
Precedence of logical operators
The search query isn't case sensitive regarding the logical operators (for example "or" is the same "OR").
The query parser starts evaluating the search query from the right to the left and works by creating a (binary) tree of nodes.
Attention: This is not in line with some other logical parsers where the AND operator takes precedence over the OR operator.
Therefore it is recommended always to use parentheses in the search query in case of using more than a single logical operator.
The tree contains compound nodes (OR nodes and AND nodes) and single nodes that signify simple expressions.
For example the search query:
a OR b AND C
gets interpreted in the query parser as
OR[a, AND [b,c]]
Some additional examples :
Search query | Equivalent to | Interpreted by parser |
---|---|---|
a | a | a |
A | a | a |
(a) | a | a |
a or b | a OR b | OR[a, b] |
a OR b OR c | a OR (b OR c) | OR[a, OR[b, c]] |
a AND b | a AND b | AND[a, b] |
a OR b AND c | a OR (b AND c) | OR[a, AND[b, c]] |
(a OR b) AND c | (a OR b) AND c | OR[a, AND[b, c]] |
(a OR b) AND (c OR d) | (a OR b) AND (c OR d) | AND[OR[a, b], OR[c, d]] |
(a OR b) AND (c OR d OR e) | (a OR b) AND (c OR (d OR e)) | AND[OR[a, b], OR[c, OR[d, e]]] |
a OR b AND c OR d OR e | a OR (b AND (c OR (d OR e))) | OR[a, AND[b, OR[c, OR[d, e]]]] |
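The parsing rule described above (every logical operator has the same precedence and groups to the right, with a parenthesized group taken as a single unit) can be reproduced in a few lines. The following Python is an added example, not part of this readme or of the Depot Investigation Tool; the function names parse, render and explicit are its own, and it assumes a term is any run of characters other than whitespace and parentheses. It generalizes the table to arbitrary queries and also produces the fully parenthesized form of the "Equivalent to" column, which is the safest form to write before submitting a query with more than one operator.

```python
import re

# Tokens: a parenthesis, or any run of characters that is not whitespace or a parenthesis.
# (Assumption of this example: a search term contains no spaces.)
_TOKEN = re.compile(r"\(|\)|[^\s()]+")
_OPERATORS = {"AND", "OR"}


def tokenize(query):
    return _TOKEN.findall(query)


def _strip_outer_parens(tokens):
    """Drop parentheses that enclose the whole expression: ( a OR b ) -> a OR b."""
    while len(tokens) >= 2 and tokens[0] == "(" and tokens[-1] == ")":
        depth = 0
        for i, tok in enumerate(tokens):
            depth += 1 if tok == "(" else -1 if tok == ")" else 0
            if depth == 0 and i < len(tokens) - 1:
                return tokens  # the first '(' is closed early, so the pair is not outer
        tokens = tokens[1:-1]
    return tokens


def _parse(tokens):
    tokens = _strip_outer_parens(tokens)
    if not tokens:
        raise ValueError("empty (sub)expression")
    depth = 0
    for i, tok in enumerate(tokens):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif depth == 0 and tok.upper() in _OPERATORS:
            # The first top-level operator splits the query: its left operand is the
            # first term, its right operand is everything that follows, parsed recursively.
            # Operators are matched case-insensitively ("or" is the same as "OR").
            return (tok.upper(), _parse(tokens[:i]), _parse(tokens[i + 1:]))
    if len(tokens) != 1 or tokens[0] in "()":
        raise ValueError("malformed expression: " + " ".join(tokens))
    return tokens[0].lower()  # the table's "A" row shows terms are folded to lowercase too


def parse(query):
    """Parse a search query into a tree: a term string or a tuple (OP, left, right)."""
    return _parse(tokenize(query))


def render(node):
    """OP[left, right] notation, as in the 'Interpreted by parser' column."""
    if isinstance(node, str):
        return node
    op, left, right = node
    return f"{op}[{render(left)}, {render(right)}]"


def explicit(node, top=True):
    """Fully parenthesized form, as in the 'Equivalent to' column."""
    if isinstance(node, str):
        return node
    op, left, right = node
    text = f"{explicit(left, False)} {op} {explicit(right, False)}"
    return text if top else f"({text})"


if __name__ == "__main__":
    for q in ["a OR b AND c", "(a OR b) AND (c OR d)", "a OR b AND c OR d OR e"]:
        tree = parse(q)
        print(f"{q:28} -> {explicit(tree):34} {render(tree)}")
```

Because AND does not bind tighter than OR here, a query such as "a OR b AND c" matches any event containing a, which is usually not what the analyst meant; writing "(a OR b) AND c" when that grouping is intended avoids the surprise.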
Special characters and wildcards in search query
The Depot Investigation Tool also handles special characters like "@_&#$%/\:" in the search query.
Please note that using special characters doesn't work in combination with wildcard characters "*".
Prerequisites
Follow the steps described in the installation manual for remote SSH collection ("Chapter 9. Enabling collect using SSH event sources").
Installing Syslog NG
Many distributions offer packages that automatically install Syslog NG on a Linux system. For instance in Fedora Core, the following command can be used:
yum install syslog-ng
In Debian based distributions:
apt-get install syslog-ng
Use the automated method whenever it is available, as the necessary configuration is applied automatically. A source code distribution is also offered by Syslog NG manufacturer, which can be found at its Web site (http://www.balabit.com/downloads/files/syslog-ng/sources/stable/src/), which should work in most Linux distributions.
To use host names when no DNS server is available on the network, the "/etc/hosts" file needs to be modified to add the IP address of each remote machine. For instance, to assign the host name "redhat" to the IP address "192.168.116.40", add the following line:
192.168.116.40 redhat redhat
The Syslog NG configuration file (located at "/etc/syslog-ng/syslog-ng.conf") needs to be modified in order to place the produced logs in the right place and with the right format. The following configuration data can be used:
source s_udp {
    udp(ip(0.0.0.0) port(514));
};
filter f_ism_hosts { host("999.999.999.999"); };
destination d_ism {
    file("/var/log/tcim/$HOST/syslog-$YEAR-$MONTH-$DAY.log"
        template("<$PRI>$DATE $HOST $MSG\n")
        create_dirs(yes)
        owner(insight)
        group(insight)
        perm(0600)
        dir_owner(insight)
        dir_group(insight)
        dir_perm(0700)
    );
};
log { source(s_udp); filter(f_ism_hosts); destination(d_ism); };
Make sure to substitute "999.999.999.999" with the appropriate IP address if not using DNS, or host name if you are. It was assumed that the TCIM user name created for SSH collection was "insight" (change it if yours is different). The default folder where logs are stored is "/var/log/tcim", but any other folder may be used as long as the event source "Log dir" property in TCIM's management console is updated to reflect the right location.
In case that host names are preferred over IP addresses, change the value of the "use_dns" option to "yes" in the "options" section of the Syslog NG configuration file. It's important to keep in mind that host names are case sensitive in Linux, and it's recommended to always use lowercase.
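As an added example (not part of this readme, of TCIM or of syslog-ng), the following Python reads back lines written by the d_ism destination above, splits the <$PRI> prefix into syslog facility and severity, and keeps only lines from the hosts the filter admits. It assumes that $DATE expands to syslog-ng's default BSD-style timestamp ("Jan 12 10:15:01"); the function names parse_line, is_well_formed and select_hosts, and the sample lines, are constructed for this example.

```python
import re
from dataclasses import dataclass

# Line layout written by template("<$PRI>$DATE $HOST $MSG\n") in the destination above.
# Assumption: $DATE is syslog-ng's default BSD-style timestamp, e.g. "Jan 12 10:15:01".
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# PRI = facility * 8 + severity. Names follow RFC 3164 / RFC 5424; codes 12-15 use the
# names syslog-ng assigns to them.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogRecord:
    facility: str
    severity: str
    date: str
    host: str
    msg: str


def parse_line(line):
    """Decode one line of the log file into its facility, severity, timestamp, host and text."""
    m = _LINE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError(f"not in <PRI>DATE HOST MSG form: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        raise ValueError(f"PRI value out of range: {pri}")
    return SyslogRecord(FACILITIES[pri // 8], SEVERITIES[pri % 8], m["date"], m["host"], m["msg"])


def is_well_formed(line):
    """True if the line parses; lets a collector skip a corrupt line instead of stopping."""
    try:
        parse_line(line)
    except ValueError:
        return False
    return True


def select_hosts(lines, allowed_hosts):
    """Counterpart of filter f_ism_hosts: keep only records whose $HOST is in allowed_hosts."""
    return [rec for rec in map(parse_line, lines) if rec.host in allowed_hosts]


# Constructed sample lines, not captured data. 38 = auth.info, 85 = authpriv.notice, 14 = user.info.
SAMPLE_LINES = [
    "<38>Jan 12 10:15:01 redhat sshd[2214]: Accepted publickey for insight from 192.168.116.40 port 52211 ssh2",
    "<85>Jan 12 10:15:07 redhat sudo:  insight : TTY=pts/0 ; PWD=/home/insight ; USER=root ; COMMAND=/bin/ls",
    "<14>Jan 12 10:16:30 otherhost cron[991]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for rec in select_hosts(SAMPLE_LINES, {"redhat"}):
        print(f"{rec.facility}.{rec.severity:8} {rec.date} {rec.host} {rec.msg}")
```

Running it over a few lines from the directory you intend to use as "Log dir" confirms that the template produces the <PRI> prefix and timestamp the collector will see, and that only the intended host's messages reach the file.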
In most cases, Linux will have an "iptables" firewall that will prevent the exchange of syslog messages. In order to allow it, add the following line to "/etc/sysconfig/iptables" (just before the line with "-j REJECT" on it):
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
After the modifications are made, make sure to restart the modified services. To restart the network services:
/etc/rc.d/init.d/network restart
To restart Syslog NG:
/etc/rc.d/init.d/syslog-ng restart
To restart iptables firewall:
service iptables restart
If you install a Tivoli Compliance Insight Manager component to the system after the fix pack has been applied, you must reinstall the fix pack on that system, so that all components are at the same level.
After applying the fix for APAR IZ08467 (which strips the @domain from the logonname and name) there might be some duplicates in the mapping due to an unrelated mapper issue (this is being handled in internal defect QE070B008).
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:
AIX IBM IBM logo iSeries pSeries OS/390 Tivoli Tivoli logo xSeries zSeries z/OS
Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.