Baseline configuration
Appliance Baseline is a set of conditions that are verified to get a health check of an appliance and decide whether it is healthy, whether it might be tuned for better performance, or whether it requires immediate attention. For every problem severity level, depending on the configuration, appliance status changes might launch a notification email, limit network access, or even stop the discovery process. The high-level status message is displayed in the Appliance Status box in the dynamic toolbox. Detailed results of the appliance baseline check are available on the Appliance Baseline status page.
Checks performed
Viewing the high-level appliance status
To view the appliance status, click Appliance Status in the dynamic toolbox.
The appliance status list shows the following information:
- Appliance Name—The name of the appliance.
- Appliance Time—The time read from the appliance's internal clock.
- ECA Engines—The number of ECA engines running. The number of ECA engines affects the maximum number of concurrent discovery requests. For more information, see Configuring discovery.
- Summary link— A link to the detailed baseline status information. It is labeled with one of the following high-level status messages that describe the overall status of the appliance:
- No Problems Detected—The status is green. No problems have been detected.
- Status Information Available—The status is green, but at least one potential problem has been detected which has an information level message.
- Minor Problems Detected—At least one minor problem has been detected with your appliance.
- Major Problems Detected—At least one major problem has been detected with your appliance.
- Critical Problems Detected—At least one critical problem has been detected with your appliance.
Viewing detailed appliance baseline status
To open detailed appliance baseline check results:
- From the main menu, click the Administration icon.
The Administration page opens. - From the Appliance section, click Baseline Status.
A list of baseline checks, their recent results, and available actions are displayed:
Where baseline checks have failed, you can click the entry to see more details on the change. For some check, this takes you to a new page where you can view the differences, and if appropriate, accept the change.
If a critical baseline problem is detected, a banner is displayed on all pages: - Where no baseline errors exist, the status icon reflects this:
Configuring appliance status options
You can configure appliance baseline options such as the recipients of automatic emails and the messages to be included.
Before you begin
You must set up an email on the appliance before using this feature. For more information, see Setting Up Appliance Mail Settings.
To configure appliance status options:
- From the main menu, click the Administration icon.
The Administration page opens. - In the Appliance section, click Baseline Status.
The Appliance Baseline page can also be accessed by clicking Appliance Status in the dynamic toolbox and then clicking the link in the drop-down list. Click Configure Options.
The Appliance Baseline Options displays the following options:Field Name
Details
Email Recipients
The email address or addresses which will be sent an email. This is entered as a single email address or a comma-separated list of addresses.
Email Subject Template
The template used to create the email subject. By default this is:
ADDM Baseline: %(appliance_name)s: %(message)s (%(severity)s)
Where:
•%(appliance_name)s
—Replaced with the name of the appliance.
•%(message)s
—Replaced with the passed message or failed message appropriately.
•%(severity)s
—Replaced with the severity of the highest severity check that failed, or OK if the checks all passed.Passed Message
The message to include in the email when the test is passed.
Failed Message
The message to include in the email when the test is failed.
Services To Allow
Select one or more of the following services to remain open if network access is restricted according to the actions configured. Blocking services such as DHCP or ICMPv6 can prevent the appliance from obtaining an address and it could become unreachable. Also, blocking HTTP, HTTPS, and SSH blocks all remote access to the appliance. In this instance, you need to use the system console to fix the problems.
• CLUSTER_MANAGER
• DATASTORE
• DHCP
• DHCPv6
• DNS
• HTTP
• HTTPS
• ICMPv6
• LDAP
• REASONING
• SMTP
• SSH
For example, where a critical problem is detected, you might choose to limit network access to and from the appliance to HTTP or HTTPS only. To do this, select HTTP and HTTPS, and ensure the other services are deselected. When a failure occurs that you have configured to restrict network access, the firewall is raised. When the problem is fixed, the firewall is not lowered. To do this you must restart the firewall.
If the appliance mail server settings are set to an invalid mail server, configuring baseline to send email introduces a delay of approximately three minutes while the appliance attempts to contact the SMTP server, each time baseline is run. Baseline is run hourly and can be run manually by a user.
Configuring actions on changing appliance status
You can configure the actions that will occur when the appliance status changes to critical, major, or minor. Available actions are:
- Send Email
- Restrict Network Access
- Stop Discovery
To configure actions on changing appliance status:
- From the main menu, click the Administration icon.
The Administration page opens. - In the Appliance section, click Baseline Status.
The Appliance Baseline page can also be accessed by clicking Appliance Status in the dynamic toolbox and then clicking the link in the drop-down list. - Click Configure Actions.
The Appliance Baseline Actions page is displayed, it shows the following options:
Field Name
Details
Actions to take on CRITICAL failure
Select the actions to take when a CRITICAL failure occurs. The following options are available:
• Send Email
• Restrict Network Access
• Stop DiscoveryActions to take on MAJOR failure
Select the actions to take when a MAJOR failure occurs. The following options are available:
• Send Email
• Restrict Network Access
• Stop DiscoveryActions to take on MINOR failure
Select the actions to take when a MINOR failure occurs. The following options are available:
• Send Email
• Restrict Network Access
• Stop DiscoveryActions to take on INFO only
Select the actions to take when an INFO failure occurs. The following options are available:
• Send Email
• Restrict Network Access
• Stop DiscoveryActions to take on SUCCESS
Select the action to take when there are no failures. The following option is available:
• Send Email
Tripwire commissioning and configuration
Tripwire is a third-party software tool that monitors a given set of configuration, system, and source files on an appliance. For further information about Tripwire, see http://sourceforge.net/projects/tripwire/. Tripwire is installed by the kickstart process but is not commissioned. When Tripwire has been commissioned, it is run hourly. You can also run it manually, see Running Tripwire checks manually for more information.
The Tripwire reports are stored in the following directory: /usr/tideway/var/tripwire/report
You must create this directory if it does not exist. As the tideway user, enter the following command:
mkdir -p /usr/tideway/var/tripwire/report
Adding tripwire configuration to appliance backup
The tripwire configuration is not included in an appliance backup by default. If you want to include it, add the following to the $TIDEWAY/etc/backup_config.xml
file.
<archive name="addm_tripwire_etc" description="Tripwire configuration" src_dir="$TIDEWAY/tripwire/etc" restore="false" clear="false"> <include>*.txt</include> </archive>
The tripwire directory is archived into the backup directory in a file called addm_tripwire_etc.tgz
. The archive is not restored when the backup is restored but can be copied manually onto the restored appliance and recommissioned using the Commissioning Tripwire passkeys procedure.
Commissioning Tripwire passkeys
Commissioning Tripwire passkeys is a one-off procedure. You must be able to log in as the root user to complete Tripwire passkeys commissioning.
- Log in as the root user.
The default Tripwire policy file is/usr/tideway/etc/twpol.txt
. Edit the file and enter the hostname of the appliance (as returned by the
hostname
command), replacinglocalhost
.
An excerpt of the file is shown below:@@section GLOBAL TWROOT="/usr/tideway/tripwire/sbin"; TWBIN="/usr/tideway/tripwire/sbin"; TWPOL="/usr/tideway/tripwire/etc"; TWDB="/usr/tideway/tripwire/var/lib"; TWSKEY="/usr/tideway/tripwire/etc"; TWLKEY="/usr/tideway/tripwire/etc"; TWREPORT="/usr/tideway/var/tripwire/report"; ARCH="x86_64"; HOSTNAME="localhost";
- If you want to monitor any additional files, add the full path to that file to the policy file.
- If you want to monitor any additional directories, add the full path to that directory to the policy file.
- Copy the
/usr/tideway/etc/twpol.txt
file to/usr/tideway/tripwire/etc/twpol.txt
, overwriting the existing file. - Run the following command, which sets up the initial database and passwords allowing changes to the Tripwire configuration
/usr/tideway/tripwire/sbin/tripwire-setup-keyfiles
- When you are prompted to create a site and a local password, record these passwords or you will need to reinstall the Tripwire database.
The local password is required to remove Tripwire violations.
The site password is required to update the Tripwire policy file. - You are prompted to sign the configuration file
twcfg.txt
and the policy filetwpol.txt
. Change the ownership and permissions of the
/usr/tideway/tripwire/etc/twpol.txt
and the/usr/tideway/tripwire/etc/twcfg.txt
files to the tideway user by entering the following commands:cd /usr/tideway/tripwire/ chown tideway:tideway etc chmod 750 etc cd etc chown tideway:tideway twcfg.txt twpol.txt chmod 640 twcfg.txt twpol.txt
Initializing the Tripwire database
Initializing the Tripwire database is a one-off procedure that you perform as the tideway user.
- The Tripwire database must be initialized with the contents of the Tripwire policy file.
Run the following command to initialize the Tripwire database:
sudo /usr/tideway/tripwire/sbin/tripwire --init
Run the following command to rebaseline the Tripwire database:
/usr/tideway/bin/tw_tripwire_rebaseline
An error is reported as a database backup file is created.
Run the following command again to rebaseline the Tripwire database:
/usr/tideway/bin/tw_tripwire_rebaseline
This time, no errors are reported as no files have been added. The tripwire database is now initialized and baselined.
Initial appliance baseline configuration
When you have freshly configured the tripwire database, the appliance baseline must be updated to ensure that the correct status is shown in the user interface.
Warning
This causes all of the appliance baseline checks to be reset. Make sure that all existing baseline failures are addressed.
- Run /usr/tideway/bin/tw_baseline, or click Check Baseline Now in the user interface to execute all the baseline tests.
- Verify that only tripwire-related tests are failing. Tripwire test names end with "tripwire."
Update the tripwire report and then update the appliance baseline as follows:
sudo /usr/tideway/tripwire/sbin/tripwire --check > /usr/tideway/var/tw_tripwire.txt /usr/tideway/bin/tw_baseline --rebaseline
The appliance status is updated, and tripwire commissioning is now complete.
Tripwire maintenance
Updating after a violation
When you use the tw_tripwire_rebaseline
utility to rebaseline the Tripwire database, you accept that all files that are being monitored are correct. This procedure should be performed as the tideway user. To update the Tripwire database after an error:
- Check the items that are reported in the violation report and ensure that the reported changes are what you expected.
Run the following command:
/usr/tideway/bin/tw_tripwire_rebaseline
Updating the Tripwire policy file
Sometimes you must update the Tripwire policy file. For example:
• An EFix being applied
• A full system upgrade
• Appliance relocation or change of IP Address
• Files changing too frequently and creating false positive alerts
Edit /usr/tideway/tripwire/etc/twpol.txt
and make the necessary changes. Save the file using the same name.
Clear all violations before updating the Tripwire policy file by rebaselining the Tripwire database. The system must be in a known good state to update the policy database. This procedure should be performed as the tideway user.
Run the following command to rebaseline the Tripwire database:
/usr/tideway/bin/tw_tripwire_rebaseline
Run the following command (on one line) to update the Tripwire policy file:
cd /usr/tideway/tripwire/etc/ sudo /usr/tideway/tripwire/sbin/tripwire --update-policy twpol.txt
You need both the local and site password for this operation.
Check that the update has been performed correctly. Enter:
sudo /usr/tideway/tripwire/sbin/tripwire --check
Run the following command to rebaseline the Tripwire database:
/usr/tideway/bin/tw_tripwire_rebaseline
For more information, see tw_tripwire_rebaseline.
Running Tripwire checks manually
By default, Tripwire is run hourly and the output is written to the tw_tripwire.txt file. If a deviation from the baseline has been detected, the tw_tripwire.txt file is updated with the details. The monitor which sets the appliance status in the user interface checks the tw_tripwire.txt file hourly and sets certain restrictions if configured.
If you have rebaselined the Tripwire database, you should run the following commands to ensure that the correct status is shown in the user interface.
sudo /usr/tideway/tripwire/sbin/tripwire --check > /usr/tideway/var/tw_tripwire.txt /usr/tideway/bin/tw_baseline --rebaseline
The appliance status is updated.
For more information about the tw_baseline
utility, see tw_baseline.
Comments
Log in or register to comment.