Baseline configuration

The appliance status is displayed in the Appliance Status icon in the dynamic toolbox. It is displayed as a Status link next to a traffic light symbol which shows the overall status of the appliance. See Appliance status for more information.

Appliance Status Drop-down

A drop-down dialog is displayed when you click Appliance Status in the dynamic toolbox.
It shows the following information:

  • Appliance Name: the name of the appliance
  • Appliance Time: the time read from the appliance's internal clock
  • ECA Engines: the number of ECA engines running. You cannot change the number of ECA engines, but it affects the maximum number of concurrent discovery requests. For more information, see Discovery.

The link description is one of the following:

  • No Problems Detected: The status is green. No problems have been detected.
  • Status Information Available: The status is green, but at least one potential problem has been detected which has an information level message.
  • Minor Problems Detected: At least one minor problem has been detected with your appliance.
  • Major Problems Detected: At least one major problem has been detected with your appliance.
  • Critical Problems Detected: At least one critical problem has been detected with your appliance.

One or more of the following actions can be configured to occur if the appliance status is reported as critical, major, or minor.

  • Send Email
  • Restrict Network Access
  • Stop Discovery

You can configure the precise levels at which states change. This is described in the following section.

Configuring appliance status options

You can configure the appliance baseline options such as the recipients of automatic emails, and the messages to be included. You must have setup email on the appliance before using this feature. See Setting Up Appliance Mail Settings for more information.
To do this:

  1. From the Appliance section of the Administration tab, select Baseline Status. The Appliance Baseline page is displayed.
    The Appliance Baseline page can also be reached by clicking on Appliance Status in the dynamic toolbox, and then clicking the link in the drop-down list.
  2. Click Configure Options.
  3. The Appliance Baseline Options page is displayed.
    The options on this page are described below:

    Field Name

    Details

    Email Recipients

    The email address or addresses which will be sent an email. This is entered as a single email address or a comma separated list of addresses.

    Email Subject Template

    The template used to create the email subject. By default this is: ADDM Baseline: %(appliance_name)s: %(message)s (%(severity)s)
    Where:
    %(appliance_name) – replaced with the name of the appliance.
    %(message) – replaced with the passed message or failed message appropriately.
    %(severity) – replaced with the severity of the highest severity check that failed, or ok if the checks all passed.

    Passed Message

    The message to include in the email when the test is passed.

    Failed Message

    The message to include in the email when the test is failed.

    Services To Allow

    Select one or more of the following services to remain open if network access is restricted according to the actions configured:
    • HTTP
    • HTTPS
    • SMTP
    • SSH
    • DNS
    • LDAP
    For example, where a critical problem is detected, you may choose to limit network access to and from the appliance to HTTP or HTTPS only. To do this, select HTTP and HTTPS, ensure the other services are deselected.

Note: If the appliance mail server settings are set to an invalid mail server, configuring baseline to send email introduces a delay of approximately three minutes while the appliance attempts to contact the SMTP server, each time baseline is run. Baseline is run hourly by cron, and may be run manually by a user.

Configuring actions on changing appliance status

You can configure the actions that will occur when the appliance status changes. To do this:

  1. From the Appliance section of the Administration tab, select Baseline Status.
    The Appliance Baseline page is displayed.
    The Appliance Baseline page can also be reached by clicking Appliance Status in the dynamic toolbox, and then clicking the link in the drop-down list.
  2. Click Configure Actions.
  3. The Appliance Baseline Actions page is displayed.
    The options on this page are described below:

    Field Name

    Details

    Actions to take on CRITICAL failure

    Select the actions to take when a CRITICAL failure occurs. The following options are available:
    • Send Email
    • Restrict Network Access
    • Stop Discovery

    Actions to take on MAJOR failure

    Select the actions to take when a MAJOR failure occurs. The following options are available:
    • Send Email
    • Restrict Network Access
    • Stop Discovery

    Actions to take on MINOR failure

    Select the actions to take when a MINOR failure occurs. The following options are available:
    • Send Email
    • Restrict Network Access
    • Stop Discovery

    Actions to take on INFO only

    Select the actions to take when a INFO failure occurs. The following options are available:
    • Send Email
    • Restrict Network Access
    • Stop Discovery

    Actions to take on SUCCESS

    Select the action to take when there are no failures. The following option is available:
    • Send Email

Checks performed

The checks that are performed for each item in the Appliance Baseline Page are described in the following table:

Name

Check Performed

Severity

Apache Configuration

Checks to ensure that the Apache configuration has not been changed since the last baseline.

Major

Apache HTTPS

Checks that the HTTPS configuration which allows secure web access (enabled/disabled) on the appliance is the same as that configured in the baseline.

Major

Appliance Configuration Files Tripwire

Checks the tripwire logs to ensure that no appliance configuration files have been added, deleted, or edited since the last baseline.

Major

Appliance eth0

Checks that the eth0 configuration on the appliance is the same as that configured in the baseline. The following items are checked:
• Speed
• Duplex
• Autonegotiation

Minor

Appliance Firewall

Checks that the firewall (iptables) configuration matches that recorded in the baseline.

Critical

Appliance HTML Files Tripwire

Checks the tripwire logs to ensure that no HTML files have been added, deleted, or edited since the last baseline.

Major

Appliance System Files Tripwire

Checks the tripwire logs to ensure that no system files have been added, deleted, or edited since the last baseline.

Major

Application Configuration

Checks to ensure that the application configuration has not been changed since the last baseline.

Minor

Application Server

Checks that the UI service is alive.

Critical

AppServer Configuration

Checks to ensure that the application server configuration has not been changed since the last baseline.

Minor

AppServer Start Script

Checks to ensure that the application server start script has not been edited since the last baseline.

Minor

Atrium Discovery RPM

Checks that the BMC Atrium Discovery RPM version number matches that in the baseline.

Critical

Atrium Export Credentials

Checks to ensure that the Atrium credentials have not been changed since the last baseline.

Major

Audit Settings

Checks to ensure that the audit settings have not been changed since the last baseline.

Minor

Basket Service

Checks to ensure that the basket service settings have not been changed since the last baseline.

Minor

Consolidation

Checks to ensure that the consolidation settings (scanning or consolidation appliance and configured connections including status) have not been changed since the last baseline.

Major

Crontab

Checks that the cron tab setting on the appliance is the same as that configured in the baseline.

Minor

Custom rules and actions

Checks that the custom rules and actions that are used by BMC staff have not been changed since the last check.

Major

DataStore SoftLimit

Checks that the datastore soft limit matches that in the baseline.

Minor

Default Scan Level

Checks that the default scan level matches that in the baseline.

Minor

Discovery Configuration

Checks that the Discovery configuration matches that in the baseline.

Major

Discovery Filters

Checks that the sensitive data filters configured on the appliance match those in the baseline.

Major

Discovery Mode

Checks that the Discovery mode (Record/Playback/Normal) matches that in the baseline.

Major

Discovery Scripts

Checks that the Discovery commands match those in the baseline.

Major

Discovery Service

Checks that the Discovery service is alive.

Critical

Discovery Start Script

Checks that the following settings in the Discovery start script match those in the baseline:
• Mode - record or playback
• Log level
• Pool data expiry time

Minor

DNS Configuration

Checks that the following DNS settings match those in the baseline:
• Name servers
• Domain

Minor

Exclusion Ranges

Checks to ensure that the exclude ranges have not been changed since the last baseline.

Major

File Export Credentials

Checks to ensure that the file export credentials have not been changed since the last baseline.

Major

Integrations Configuration

Checks to ensure that integration points and software credential groups, and their constituent queries and connections/credentials have not been changed since the last baseline.

Major

JDBC Export Credentials

Checks to ensure that the JDBC export credentials have not been changed since the last baseline.

Major

Login Credentials

Checks that the Discovery login credentials match those in the baseline.

Major

Model Service

Checks that the model service is alive.

Critical

Model Start Script

Checks to ensure that the model start script has not been edited since the last baseline.

Minor

NTP Configuration

Checks whether the NTP configuration matches that recorded in the baseline.

Minor

NTP Running

Checks whether the NTP status (enabled/disabled) matches that in the baseline. When ntpd is running, the message ntpd is not configured to run at run level 5 is displayed this is incorrect and can be ignored.

Minor

Operating System

Checks whether the operating system version matches that in the baseline.

Critical

Options Service

Checks to ensure that the options service settings have not been changed since the last baseline.

Critical

Pattern Configuration Modification

Checks that the pattern configuration matches that in the baseline.

Major

Pattern Definition Modification

Checks that pattern definitions match those in the baseline.

Major

Pattern Modification

Checks that the patterns match those in the baseline.

Major

Port Scan Settings

Checks that the port scan settings match those in the baseline. The check is performed for each port that is enabled for TCP, UDP, or both.

Major

Reasoning Service

Checks that the Reasoning service is alive.

Critical

Reasoning Start Script

Checks that the log level for Reasoning matches that in the baseline.

Minor

Security Options

Checks that the security service options match those in the baseline.

Major

Security Service

Checks that the security service match those in the baseline.

Critical

Security Start Script

Checks to ensure that the security start script has not been edited since the last baseline.

Minor

Windows Proxy Availability

Checks that all of the Windows proxies respond when pinged.

Info

Windows Proxy Configuration

Checks that the Windows proxy configuration on the appliance (not the external Windows proxies) matches that recorded in the baseline. This includes checking the type, version, and position in the Windows proxy order.

Major

Windows Proxy Configuration File

Checks to ensure that the winproxy.conf file on each connected Windows proxy has not been edited since the last baseline.

Major

Windows Proxy Pool Configuration

Checks that the Windows proxy pool configuration on the appliance (not the Windows proxies) matches that recorded in the baseline.

Major

.

SNMP Credentials

Checks that the Discovery SNMP credentials match those in the baseline.

Major

SSL Appliance Key

Checks that the appliance SSL key file MD5 checksums that match those in the baseline.

Major

SSL CA Key

Checks that the appliance certificate authority file MD5 checksums that match those in the baseline.

Major

System Settings

Checks that the system settings match those in the baseline.

Major

VMwareTools Running

Checks that VMwareTools is installed and running. If not running on a VMware platform, the test will be skipped. If the platform cannot be determined, VMware will be assumed; in this case, if VMwareTools are not required, the test can be disabled.

Major

Tripwire commissioning and configuration

Tripwire is a third-party software tool that monitors a given set of configuration, system, and source files on an appliance. For further information about Tripwire, see: http://sourceforge.net/projects/tripwire/. Tripwire is installed by the kickstart process but is not commissioned. When Tripwire has been commissioned, it is run hourly. You can also run it manually, see #Running Tripwire Checks Manually for more information.

Tripwire reports

The Tripwire reports are stored in the following directory: /usr/tideway/var/tripwire/report
You must create this directory if it does not exist. As the tideway user, enter the following command:

mkdir -p /usr/tideway/var/tripwire/report
Commissioning tripwire passkeys

Commissioning Tripwire passkeys is a one-off procedure. You must be able to log in as the root user to complete Tripwire passkeys commissioning.

  1. Log in as the root user.
    The default Tripwire policy file is /usr/tideway/etc/twpol.txt.
  2. Edit the file and enter the hostname of the appliance (as returned by the hostname command), replacing localhost.
    An excerpt of the file is shown below:

    @@section GLOBAL
    TWROOT="/usr/tideway/tripwire/sbin";
    TWBIN="/usr/tideway/tripwire/sbin";
    TWPOL="/usr/tideway/tripwire/etc";
    TWDB="/usr/tideway/tripwire/var/lib";
    TWSKEY="/usr/tideway/tripwire/etc";
    TWLKEY="/usr/tideway/tripwire/etc";
    TWREPORT="/usr/tideway/var/tripwire/report";
    ARCH="x86_64";
    HOSTNAME="localhost";
    
  3. If you want to monitor any additional files, add the full path to that file to the policy file.
  4. If you want to monitor any additional directories, add the full path to that directory to the policy file.
  5. Copy the /usr/tideway/etc/twpol.txt file to /usr/tideway/tripwire/etc/twpol.txt, overwriting the existing file.
  6. Run the following command which will set up the initial database and passwords allowing changes to the Tripwire configuration
    /usr/tideway/tripwire/sbin/tripwire-setup-keyfiles
  7. You are prompted to create a site and a local password. Record these passwords or you will need to reinstall the Tripwire database.
    The local password is required to remove Tripwire violations.
    The site password is required to update the Tripwire policy file.
  8. You are prompted to sign the configuration file twcfg.txt and the policy file twpol.txt.
  9. Change the ownership and permissions of the /usr/tideway/tripwire/etc/twpol.txt and the /usr/tideway/tripwire/etc/twcfg.txt files to the tidewayuser. Enter the following commands:

    cd /usr/tideway/tripwire/
    chown tideway:tideway etc
    chmod 750 etc
    cd etc
    chown tideway:tideway twcfg.txt twpol.txt
    chmod 640 twcfg.txt twpol.txt
    
Initializing the tripwire database

Initializing the Tripwire database is a one-off procedure. This procedure should be performed as the tideway user.

  1. The Tripwire database must be initialised with the contents of the Tripwire policy file.
  2. Run the following command to initialize the Tripwire database:

    sudo /usr/tideway/tripwire/sbin/tripwire --init
    
  3. Run the following command to rebaseline the Tripwire database:

    /usr/tideway/bin/tw_tripwire_rebaseline
    

    An error is reported as a database backup file is created.

  4. Run the following command again to rebaseline the Tripwire database:

    /usr/tideway/bin/tw_tripwire_rebaseline
    

    This time, no errors are reported as no files have been added. The tripwire database is now initialised and baselined.

Initial appliance baseline configuration

When you have freshly configured the tripwire database, the appliance baseline must be updated to ensure that the correct status is shown in the user interface.

Warning

This will cause all of the appliance baseline checks to be reset. Make sure that all existing baseline failures are addressed.

  1. Run /usr/tideway/bin/tw_baseline or click Check Baseline Now in the user interface to execute all the baseline tests.
  2. Verify that only tripwire related tests are failing. Trip wire test names end with "tripwire".
  3. Update the tripwire report and then update the appliance baseline as follows:

    sudo /usr/tideway/tripwire/sbin/tripwire --check > /usr/tideway/var/tw_tripwire.txt
    /usr/tideway/bin/tw_baseline --rebaseline
    
    

The appliance status is updated, and tripwire commissioning is now complete.

Tripwire maintenance

Updating after a violation

When you use the tw_tripwire_rebaseline utility to rebaseline the Tripwire database, you accept that all files that are being monitored are correct. This procedure should be performed as the tideway user. To update the Tripwire database after an error:

  1. Check the items that are reported in the violation report and ensure that the reported changes are what you expected.
  2. Run the following command:

    /usr/tideway/bin/tw_tripwire_rebaseline
    
Updating the tripwire policy file

Sometimes you will need to update the Tripwire policy file. This may be due to:
• An EFix being applied
• A full system upgrade
• Appliance relocation or change of IP Address
• Files changing too frequently and creating false positive alerts
Edit /usr/tideway/tripwire/etc/twpol.txt and make the necessary changes. Save the file using the same name.
Clear all violations before updating the Tripwire policy file by rebaselining the Tripwire database. The system must be in a known good state to update the policy database. This procedure should be performed as the tideway user.

  1. Run the following command to rebaseline the Tripwire database:

    /usr/tideway/bin/tw_tripwire_rebaseline
    
  2. Run the following command (on one line) to update the Tripwire policy file:

    cd /usr/tideway/tripwire/etc/
    sudo /usr/tideway/tripwire/sbin/tripwire --update-policy twpol.txt
    

    You will need both the local and site password for this operation.

  3. Check that the update has been performed correctly. Enter:

    sudo /usr/tideway/tripwire/sbin/tripwire --check
    
  4. Run the following command to rebaseline the Tripwire database:

    /usr/tideway/bin/tw_tripwire_rebaseline
    

For more information about the tw_tripwire_rebaseline utility, see tw_tripwire_rebaseline.

Running tripwire checks manually

By default, Tripwire is run hourly and the output is written to the tw_tripwire.txt file. If a deviation from the baseline has been detected, the tw_tripwire.txt file is updated with the details. The monitor which sets the appliance status in the user interface checks the tw_tripwire.txt file hourly and sets certain restrictions if configured.
If you have rebaselined the Tripwire database, you should run the following commands to ensure that the correct status is shown in the user interface.

sudo /usr/tideway/tripwire/sbin/tripwire --check > /usr/tideway/var/tw_tripwire.txt
/usr/tideway/bin/tw_baseline --rebaseline

The appliance status is updated.

For more information about the tw_baseline utility, see tw_baseline.

Was this page helpful? Yes No Submitting... Thank you

Comments