Baseline configuration

Appliance Baseline is a set of conditions that are verified to get a health check of an appliance and decide whether it is healthy, whether it might be tuned for better performance, or whether it requires immediate attention. For every problem severity level, depending on the configuration, appliance status changes might launch a notification email, limit network access, or even stop the discovery process. The high-level status message is displayed in the Appliance Status box in the dynamic toolbox. Detailed results of the appliance baseline check are available on the Appliance Baseline status page.

Checks performed

The checks that are performed for each item in the Appliance Baseline Page are described in the following table:

Name

Check Performed

Severity

Apache Configuration

Checks to ensure that the Apache configuration has not been changed since the last baseline.

Major

Apache HTTPS

Checks that the HTTPS configuration which allows secure web access (enabled/disabled) on the appliance is the same as that configured in the baseline.

Major

Appliance Backup Status    

Checks the elapsed time since the last backup. If this is more than seven days (by default), a backup is suggested (tw_backup). The value can be changed; see Configuring audit and application options.

This check is skipped if the appliance was commissioned within the time period.

Info

Appliance Compact Status

Checks the elapsed time since the last compaction of the datastore. If this is more than 60 days (by default), a compaction is suggested (tw_ds_compact). The value can be changed; see Configuring audit and application options.

This check is skipped if the appliance was commissioned within the time period, or is running a multi-generational datastore.

Info

Appliance Configuration Files Tripwire

Checks the tripwire logs to ensure that no appliance configuration files have been added, deleted, or edited since the last baseline.

Major

Appliance Disk Space

Checks the available disk space against the free disk space monitoring settings: the thresholds for warning, stopping discovery, and shutting services.

Major

Appliance Firewall (IPv6)

Checks that the IPv6 firewall (iptables) configuration matches that recorded in the baseline.

Major

Appliance Firewall

Checks that the firewall (iptables) configuration matches that recorded in the baseline.

Critical

Appliance HTML Files Tripwire

Checks the tripwire logs to ensure that no appliance HTML files have been added, deleted, or edited since the last baseline.

Major

Appliance Network Interfaces

Checks that the eth0 configuration on the appliance is the same as that configured in the baseline. The following items are checked:

  • Speed
  • Duplex
  • Autonegotiation

Minor

Appliance Specification

Checks whether the appliance specification matches that recorded in the baseline.

Major

Appliance System Files Tripwire

Checks the tripwire logs to ensure that no system files have been added, deleted, or edited since the last baseline.

Major

Application Configuration

Checks to ensure that the application configuration has not been changed since the last baseline.

Minor

Application Server

Checks that the UI service is alive.

Critical

AppServer Configuration

Checks to ensure that the application server configuration has not been changed since the last baseline.

Minor

AppServer Start Script

Checks to ensure that the application server start script has not been edited since the last baseline.

Minor

Audit Settings

Checks to ensure that the audit settings have not been changed since the last baseline.

Minor

BMC Discovery OS RPM

Checks that the BMC Discovery Operating System (OS) RPM version number matches that in the baseline.

Minor

BMC Discovery RPM

Checks that the BMC Discovery RPM version number matches that in the baseline.

Critical

Cluster Configuration

Checks to ensure that the Cluster Manager configuration matches the baseline configuration.

Major

Cluster Manager Service

Checks to ensure that the Cluster Manager service settings have not been changed since the last baseline.

Major

Cluster_manager start script

Checks that the settings in the Cluster_manager start script match those in the baseline.

Major

CMDB Sync (Exporter) Service

Checks to ensure that the CMDB Synchronization Export settings have not been changed since the last baseline.

Major

CMDB Sync (Transformer) Service

Checks to ensure that the CMDB Synchronization Transformer settings have not been changed since the last baseline.

Major

CMDB Sync Blackout Windows

Checks to ensure that the CMDB blackout windows settings have not been changed since the last baseline.

Major

Consolidation

Checks to ensure that the consolidation settings (scanning or consolidation appliance and configured connections including status) have not been changed since the last baseline.

Major

Credentials

Checks that the Discovery login credentials for hardware, storage, and hardware devices match those in the baseline.

Major

Crontab

Checks that the crontab setting on the appliance is the same as that configured in the baseline.

Minor

DataStore SoftLimit

Checks that the datastore soft limit matches that in the baseline.

Minor

DDD Removal Blackout Windows

Checks to ensure that the DDD removal blackout windows settings have not been changed since the last baseline.

Major

Discovery File Content Filters

Checks that the file content filters configured on the appliance match those in the baseline.

Major

Discovery Process Filters

Checks that the Discovery Process Filters match those in the baseline.

Major

Discovery Scripts

Checks that the Discovery commands match those in the baseline.

Major

Discovery Service

Checks that the Discovery service is alive.

Critical

Discovery start script

Checks that the following settings in the Discovery start script match those in the baseline:

  • Mode - record or playback
  • Log level
  • Pool data expiry time

Minor

DNS Configuration

Checks that the following DNS settings match those in the baseline:

  • Name servers
  • Domain

Minor

Exclusion Ranges

Checks to ensure that the exclude ranges have not been changed since the last baseline.

Major

Export Adapter Configurations

Checks that the Export Adapter configurations match those in the baseline.

Minor

Export Adapter

Checks that the Export Adapters match those in the baseline.

Minor

Export Exporter Configurations

Checks that the Export Exporter configurations match those in the baseline.

Minor

Export Mapping Sets

Checks that the Export mapping sets match those in the baseline.

Minor

Installed Devices

Checks whether the installed devices match those recorded in the baseline.

Minor

Integrations start script

Checks that the settings in the Integration start script match those in the baseline.

Minor

JDBC Drivers

Checks that the JDBC drivers match those in the baseline.

Minor

Miscellaneous Global Settings

Checks to ensure that the miscellaneous global settings have not been changed since the last baseline.

Major

Miscellaneous Local Settings

Checks to ensure that the miscellaneous local settings have not been changed since the last baseline.

Major

Model Service

Checks that the model service is alive.

Critical

Model Start Script

Checks to ensure that the model start script has not been edited since the last baseline.

Minor

NTP Configuration

Checks whether the NTP configuration matches that recorded in the baseline.

Minor

NTP Running

Checks whether the NTP status (enabled/disabled) matches that in the baseline. When ntpd is running, the message "ntpd is not configured to run at run level 5" is displayed; this is incorrect and can be ignored.

Minor

Operating System

Checks whether the OS version matches that in the baseline.

Critical

Pattern Configuration Modification

Checks that the pattern configuration matches that in the baseline.

Major

Pattern Modification

Checks that the patterns match those in the baseline.

Major

Port Scan Settings

Checks that the port scan settings match those in the baseline. The check is performed for each port that is enabled for TCP, UDP, or both.

Major

Reasoning Service

Checks that the Reasoning service is alive.

Critical

Reasoning Start Script

Checks that the log level for Reasoning matches that in the baseline.

Minor

Reports Service

Checks to ensure that the Reports service settings have not been changed since the last baseline.

Major

Reports start script

Checks that the settings in the Reports start script match those in the baseline.

Minor

RSSO Certificate Expiration

Checks that the BMC Remedy SSO certificates are still valid. The check triggers five days before the expected expiration of the certificates.

Major

Security Options

Checks that the security service options match those in the baseline.

Major

Security Service

Checks that the security service matches that in the baseline.

Critical

Security Start Script

Checks to ensure that the security start script has not been edited since the last baseline.

Minor

SSL Appliance Key

Checks that the appliance SSL key file MD5 checksums match those in the baseline.

Major

SSL CA Key

Checks that the appliance certificate authority file MD5 checksums match those in the baseline.

Major

Usage Data Collection

Checks that the usage data collection configuration matches that recorded in the baseline.

Minor

Vault Service

Checks to ensure that the Vault service settings have not been changed since the last baseline.

Major

VMware Time Sync

Checks to ensure that the VMware Time Sync settings match those in the baseline. If not running on a VMware platform, the test is skipped.

Major

VMwareTools Running

Checks that VMwareTools is installed and running. If not running on a VMware platform, the test is skipped. If the platform cannot be determined, VMware is assumed; in this case, if VMwareTools are not required, the test can be disabled.

Major

Windows Proxy Availability

Checks that all of the Windows proxies respond when pinged.

Info

Windows Proxy Configuration

Checks that the Windows proxy configuration on the appliance (not the external Windows proxies) matches that recorded in the baseline. This includes checking the type, version, and position in the Windows proxy order.

Major

Windows Proxy Configuration File

Checks to ensure that the winproxy.conf file on each connected Windows proxy has not been edited since the last baseline.

Major

Windows Proxy Pool Configuration

Checks that the Windows proxy pool configuration on the appliance (not the Windows proxies) matches that recorded in the baseline.

Major

Viewing the high-level appliance status

To view the appliance status, click Appliance Status in the dynamic toolbox.

The appliance status list shows the following information:

  • Appliance Name—The name of the appliance.
  • Appliance Time—The time read from the appliance's internal clock.
  • ECA Engines—The number of ECA engines running. The number of ECA engines affects the maximum number of concurrent discovery requests. For more information, see Configuring discovery.
  • Summary link— A link to the detailed baseline status information. It is labeled with one of the following high-level status messages that describe the overall status of the appliance:
    • No Problems Detected—The status is green. No problems have been detected.
    • Status Information Available—The status is green, but at least one potential problem has been detected which has an information level message.
    • Minor Problems Detected—At least one minor problem has been detected with your appliance.
    • Major Problems Detected—At least one major problem has been detected with your appliance.
    • Critical Problems Detected—At least one critical problem has been detected with your appliance.

Viewing detailed appliance baseline status

To open detailed appliance baseline check results:

  1. From the main menu, click the Administration icon.   
    The Administration page opens.
  2. From the Appliance section, click Baseline Status.
    A list of baseline checks, their recent results, and available actions is displayed.

    Where baseline checks have failed, you can click the entry to see more details on the change. For some checks, this takes you to a new page where you can view the differences, and if appropriate, accept the change.
    If a critical baseline problem is detected, a banner is displayed on all pages.
  3. Where no baseline errors exist, the status icon reflects this.

Configuring appliance baseline options

You can configure appliance baseline options such as the recipients of automatic emails and the messages to be included.

Before you begin

You must set up an email on the appliance before using this feature. For more information, see Setting Up Appliance Mail Settings.

To configure appliance baseline options 

  1. From the main menu, click the Administration icon.
    The Administration page opens.
  2. In the Appliance section, click Baseline Status.
    The Appliance Baseline page can also be accessed by clicking Appliance Status in the dynamic toolbox and then clicking the available link.
  3. Scroll down to the bottom of the UI page, and click Configure Options.
    The Appliance Baseline Options displays the following fields:

    Field Name

    Description

    Email Recipients

    The email address or addresses to which an email must be sent. Enter a single email address or a comma-separated list of addresses.

    Email Subject Template

    The template to be used to create the email subject. By default this is: ADDM Baseline: %(appliance_name)s: %(message)s (%(severity)s)
    Where:
    %(appliance_name)s—is replaced with the name of the appliance.
    %(message)s—is replaced with the appropriate passed message or failed message.
    %(severity)s—is replaced with the severity of the highest severity check that failed, or OK if the checks all passed.

    Passed Message

    The message to include in the email when the test passes.

    Failed Message

    The message to include in the email when the test fails.

    Services To Allow

    Select one or more of the following services to remain open if network access is restricted according to the actions configured. Blocking services such as DHCP or ICMPv6 can prevent the appliance from obtaining an address and it could become unreachable. Also, blocking HTTP, HTTPS, and SSH blocks all remote access to the appliance. In this instance, you need to use the system console to fix the problems.
    • CLUSTER_MANAGER
    • DATASTORE
    • DHCP
    • DHCPv6
    • DNS
    • HTTP
    • HTTPS
    • ICMPv6
    • LDAP
    • REASONING
    • SMTP
    • SSH
    For example, where a critical problem is detected, you might choose to limit network access to and from the appliance to HTTP or HTTPS only. To do this, select HTTP and HTTPS, and ensure the other services are deselected. When a failure occurs that you have configured to restrict network access, the firewall is raised. When the problem is fixed, the firewall is not lowered; to lower it, you must restart the firewall.

If the appliance mail server settings are set to an invalid mail server, configuring baseline to send email introduces a delay of approximately three minutes while the appliance attempts to contact the SMTP server, each time baseline is run. The baseline is run hourly and can be run manually by a user.

Configuring disk monitoring options 

The Disk Monitoring Options section displays the partitions present on the appliance and the free disk space available on each partition. You can configure the threshold limits on each partition for three parameters, Warning, Stop Discovery, and Shutdown Services. When the threshold limit for a parameter is reached, a banner is displayed in the UI for administrators and users who have the necessary permissions for the appliance baseline.

For example, if you set the Stop Discovery parameter for a partition to 10%, then when the amount of free disk space falls to 10% of the total space on the partition, a UI banner is displayed that the Discovery service will be stopped. The banner also alerts you about the limit threshold when the system would shut down. If you have already configured the email recipients, email alerts are sent out in addition to the UI banner. You can dismiss the UI banner for a maximum of five minutes, after which it is displayed again, expecting you to either resolve the disk space issue or configure new threshold limits. You cannot disable the UI banner display. In the case of clusters, the cluster members display a UI banner when a member reaches a threshold limit. The disk monitoring feature is not supported on scanners in consolidating systems.

To configure disk monitoring options

  1. From the main menu, click the Administration icon.
    The Administration page opens.
  2. In the Appliance section, click Baseline Status.
    The Appliance Baseline page is displayed. 
  3. Click the Appliance Disk Space link on this page. 
    Alternatively, you can scroll down to the bottom of this page, and click Configure Options.
    The following page is displayed.



    The Disk Monitoring Options section displays the following fields:

    Field Name

    Description

    Partition

    The name of the partition that is available on the appliance.

    Mount point

    The directory path that is created as part of the root filesystem.

    Disk Size

    The total size of the partition expressed in MB or GB.

    Free Disk Space

    The amount of disk space currently free on the partition.

    Use %

    Displays the partition's free disk space, and the other threshold fields as a percentage.

    By default, this field is selected. Clear the check box if you want to view or configure the threshold fields in absolute values of MB or GB.

    Warning Limit

    Set the free disk space threshold limit on the partition which, when reached, must trigger a warning banner in the UI. You can set this value as a percentage or as an absolute value in MB or GB, depending on whether the Use % field is selected or not. 

    For example, if you set this field to 25% then when the amount of free disk space falls to 25% of the total space on that partition, a warning banner is displayed in the UI.

    Stop Discovery

    Set the free disk space threshold limit on the partition which, when reached, must stop the discovery service. You can set this value as a percentage or as an absolute value in MB or GB, depending on whether the Use % field is selected or not. 

    Shutdown Services

    Set the free disk space threshold limit on the partition which, when reached, must shut down all the discovery services. You can set this value as a percentage or as an absolute value in MB or GB, depending on whether the Use % field is selected or not.

  4. Click Apply to save your changes.
  5. (Optional) If you want to revert to the default threshold limits of the system, click Reset Disk Monitoring Options.

The following screenshot is a sample of the Warning Limit banner:

The following screenshot is a sample of the Stop Discovery banner:

Configuring actions on changing appliance status

You can configure the actions that will occur when the appliance status changes to critical, major, or minor. The available actions are:

  • Send Email
  • Restrict Network Access
  • Stop Discovery

To configure actions on changing appliance status:

  1. From the main menu, click the Administration icon.  
    The Administration page opens.
  2. In the Appliance section, click Baseline Status.
    The Appliance Baseline page can also be accessed by clicking Appliance Status in the dynamic toolbox, and then clicking the available link.
  3. Click Configure Actions.
  4. The Appliance Baseline Actions page is displayed. It shows the following options:

    Field Name

    Details

    Actions to take on CRITICAL failure

    Select the actions to take when a CRITICAL failure occurs. The following options are available:
    • Send Email
    • Restrict Network Access
    • Stop Discovery

    Actions to take on MAJOR failure

    Select the actions to take when a MAJOR failure occurs. The following options are available:
    • Send Email
    • Restrict Network Access
    • Stop Discovery

    Actions to take on MINOR failure

    Select the actions to take when a MINOR failure occurs. The following options are available:
    • Send Email
    • Restrict Network Access
    • Stop Discovery

    Actions to take on INFO only

    Select the actions to take when an INFO failure occurs. The following options are available:
    • Send Email
    • Restrict Network Access
    • Stop Discovery

    Actions to take on SUCCESS

    Select the action to take when there are no failures. The following option is available:
    • Send Email

Tripwire commissioning and configuration

Tripwire is a third-party software tool that monitors a given set of configuration, system, and source files on an appliance. For further information about Tripwire, see: http://sourceforge.net/projects/tripwire/. Tripwire is installed by the kickstart process but is not commissioned. When Tripwire has been commissioned, it is run hourly. You can also run it manually; see Running Tripwire checks manually for more information.

The Tripwire reports are stored in the following directory: /usr/tideway/var/tripwire/report
You must create this directory if it does not exist. As the tideway user, enter the following command:

mkdir -p /usr/tideway/var/tripwire/report

Adding tripwire configuration to appliance backup

The tripwire configuration is not included in an appliance backup by default. If you want to include it, add the following to the $TIDEWAY/etc/backup_config.xml file.

    <archive name="addm_tripwire_etc"
             description="Tripwire configuration"
             src_dir="$TIDEWAY/tripwire/etc"
             restore="false"
             clear="false">
        <include>*.txt</include>
    </archive>

The tripwire directory is archived into the backup directory in a file called addm_tripwire_etc.tgz. The archive is not restored when the backup is restored but can be copied manually onto the restored appliance and recommissioned using the Commissioning Tripwire passkeys procedure.

Commissioning Tripwire passkeys

Commissioning Tripwire passkeys is a one-off procedure. You must be able to log in as the root user to complete Tripwire passkeys commissioning.

  1. Log in as the root user.
    The default Tripwire policy file is /usr/tideway/etc/twpol.txt.
  2. Edit the file and enter the hostname of the appliance (as returned by the hostname command), replacing localhost.
    An excerpt of the file is shown below:

    @@section GLOBAL
    TWROOT="/usr/tideway/tripwire/sbin";
    TWBIN="/usr/tideway/tripwire/sbin";
    TWPOL="/usr/tideway/tripwire/etc";
    TWDB="/usr/tideway/tripwire/var/lib";
    TWSKEY="/usr/tideway/tripwire/etc";
    TWLKEY="/usr/tideway/tripwire/etc";
    TWREPORT="/usr/tideway/var/tripwire/report";
    ARCH="x86_64";
    HOSTNAME="localhost";
    
  3. If you want to monitor any additional files, add the full path to that file to the policy file.
  4. If you want to monitor any additional directories, add the full path to that directory to the policy file.
  5. Copy the /usr/tideway/etc/twpol.txt file to /usr/tideway/tripwire/etc/twpol.txt, overwriting the existing file.
  6. Run the following command, which sets up the initial database and passwords allowing changes to the Tripwire configuration:
    /usr/tideway/tripwire/sbin/tripwire-setup-keyfiles
  7. When you are prompted to create a site and a local password, record these passwords or you will need to reinstall the Tripwire database.
    The local password is required to remove Tripwire violations.
    The site password is required to update the Tripwire policy file.
  8. You are prompted to sign the configuration file twcfg.txt and the policy file twpol.txt.
  9. Change the ownership and permissions of the /usr/tideway/tripwire/etc/twpol.txt and the /usr/tideway/tripwire/etc/twcfg.txt files to the tideway user by entering the following commands:

    cd /usr/tideway/tripwire/
    chown tideway:tideway etc
    chmod 750 etc
    cd etc
    chown tideway:tideway twcfg.txt twpol.txt
    chmod 640 twcfg.txt twpol.txt
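
A check of the state these commissioning steps should leave behind, as an added example that is not part of the BMC documentation or tooling. The function names and the PREFIX argument are hypothetical; the paths, modes and owner are the ones given in the steps above, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not BMC code): audit the state the commissioning steps should leave.
# Assumes GNU stat (Linux). PREFIX lets the checks run against a copy of the tree;
# pass "" to inspect the live appliance paths.

# Print the HOSTNAME value from a Tripwire policy file.
policy_hostname() {
    sed -n 's/^[[:space:]]*HOSTNAME="\([^"]*\)";.*$/\1/p' "$1" 2>/dev/null | head -n 1
}

# Compare mode and owner:group of a path with the expected values.
# Prints one finding per mismatch and returns 1 if anything is wrong.
check_mode_owner() {
    path=$1 want_mode=$2 want_owner=$3
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    got_mode=$(stat -c '%a' "$path")
    got_owner=$(stat -c '%U:%G' "$path")
    status=0
    [ "$got_mode" = "$want_mode" ] || { echo "MODE $path is $got_mode, expected $want_mode"; status=1; }
    [ "$got_owner" = "$want_owner" ] || { echo "OWNER $path is $got_owner, expected $want_owner"; status=1; }
    return $status
}

# Usage: audit_tripwire_commissioning PREFIX EXPECTED_HOSTNAME [OWNER:GROUP]
# Returns the number of failed checks (0 means the tree matches the procedure).
audit_tripwire_commissioning() {
    prefix=$1 want_host=$2 want_owner=${3:-tideway:tideway}
    etc="$prefix/usr/tideway/tripwire/etc"
    report="$prefix/usr/tideway/var/tripwire/report"
    failures=0

    # Step 2: the shipped policy says "localhost" and must carry the real hostname.
    host=$(policy_hostname "$etc/twpol.txt")
    if [ "$host" = "localhost" ] || [ "$host" != "$want_host" ]; then
        echo "HOSTNAME policy has '$host', expected '$want_host'"
        failures=$((failures + 1))
    fi

    # Step 9: etc is 750, the two text files are 640, all owned by tideway.
    check_mode_owner "$etc" 750 "$want_owner" || failures=$((failures + 1))
    for f in twcfg.txt twpol.txt; do
        check_mode_owner "$etc/$f" 640 "$want_owner" || failures=$((failures + 1))
    done

    # The report directory must exist before Tripwire can write reports.
    [ -d "$report" ] || { echo "MISSING $report"; failures=$((failures + 1)); }
    return "$failures"
}

# Run against the live appliance only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_tripwire_commissioning "" "$(hostname)" && echo "commissioning state OK"
fi
```
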
    

Initializing the Tripwire database

Initializing the Tripwire database is a one-off procedure that you perform as the tideway user.

  1. The Tripwire database must be initialized with the contents of the Tripwire policy file.
  2. Run the following command to initialize the Tripwire database:

    sudo /usr/tideway/tripwire/sbin/tripwire --init
    
  3. Run the following command to rebaseline the Tripwire database:

    /usr/tideway/bin/tw_tripwire_rebaseline
    

    An error is reported as a database backup file is created.

  4. Run the following command again to rebaseline the Tripwire database:

    /usr/tideway/bin/tw_tripwire_rebaseline
    

    This time, no errors are reported as no files have been added. The tripwire database is now initialized and baselined.

Initial appliance baseline configuration

When you have freshly configured the tripwire database, the appliance baseline must be updated to ensure that the correct status is shown in the user interface.

Warning

This causes all of the appliance baseline checks to be reset. Make sure that all existing baseline failures are addressed.

  1. Run /usr/tideway/bin/tw_baseline, or click Check Baseline Now in the user interface to execute all the baseline tests.
  2. Verify that only tripwire related tests are failing. Tripwire test names end with "tripwire."
  3. Update the tripwire report and then update the appliance baseline as follows:

    sudo /usr/tideway/tripwire/sbin/tripwire --check > /usr/tideway/var/tw_tripwire.txt
    /usr/tideway/bin/tw_baseline --rebaseline

The appliance status is updated, and tripwire commissioning is now complete.

Tripwire maintenance

Updating after a violation

When you use the tw_tripwire_rebaseline utility to rebaseline the Tripwire database, you accept that all files that are being monitored are correct. This procedure should be performed as the tideway user. To update the Tripwire database after an error:

  1. Check the items that are reported in the violation report and ensure that the reported changes are what you expected.
  2. Run the following command:

    /usr/tideway/bin/tw_tripwire_rebaseline
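
Because rebaselining accepts every monitored file as correct, the review in step 1 can be scripted so that unexpected changes block step 2. The following is an added example, not BMC or Tripwire code: the function names and the expected-changes file are hypothetical, the sample report is constructed, and the report layout (quoted paths under "Added:", "Removed:" and "Modified:" headings) is an assumption about the Open Source Tripwire text report.

```shell
#!/bin/sh
# Added example, not BMC or Tripwire code. Assumes the plain-text report layout of
# Open Source Tripwire: quoted paths listed under "Added:", "Removed:" and
# "Modified:" headings, and a "Total violations found:" summary line.

# Emit "<kind><TAB><path>" for every object listed under those headings.
tripwire_violations() {
    awk '
        /^[ \t\r]*$/ { next }
        /^(Added|Removed|Modified):[ \t\r]*$/ { kind = $1; sub(/:.*/, "", kind); next }
        kind != "" && /^"/ { p = $0; gsub(/^"|"[ \t\r]*$/, "", p); print kind "\t" p; next }
        { kind = "" }
    ' "$1"
}

# Print the count from the report summary, or "unknown" if the line is absent.
tripwire_total() {
    awk -F: '/^Total violations found:/ { gsub(/[ \t\r]/, "", $2); print $2; seen = 1 }
             END { if (!seen) print "unknown" }' "$1"
}

# Print violations whose path is not in EXPECTED (one absolute path per line).
unexpected_violations() {
    tab=$(printf '\t')
    tripwire_violations "$1" | while IFS=$tab read -r kind path; do
        grep -Fxq -- "$path" "$2" 2>/dev/null || printf '%s\t%s\n' "$kind" "$path"
    done
}

# Gate for step 2: succeed only when every reported change was expected.
safe_to_rebaseline() {
    bad=$(unexpected_violations "$1" "$2")
    if [ -n "$bad" ]; then
        printf 'Unexpected changes, do not rebaseline yet:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed sample report; rule name and .conf paths are made up for the demo.
write_sample_report() {
    cat > "$1" <<'EOF'
Open Source Tripwire(R) Integrity Check Report (constructed sample)

Total objects scanned:  1204
Total violations found:  3

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
Rule Name: Appliance configuration (constructed rule name)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/usr/tideway/etc/constructed_added.conf"

Removed:
"/usr/tideway/etc/constructed_removed.conf"

Modified:
"/usr/tideway/tripwire/etc/twpol.txt"
EOF
}

# Demo on the constructed report: only the twpol.txt edit was expected.
demo() {
    d=$(mktemp -d)
    write_sample_report "$d/tw_tripwire.txt"
    printf '%s\n' /usr/tideway/tripwire/etc/twpol.txt > "$d/expected.txt"
    echo "Total violations: $(tripwire_total "$d/tw_tripwire.txt")"
    safe_to_rebaseline "$d/tw_tripwire.txt" "$d/expected.txt" && echo "OK to rebaseline"
    rm -rf "$d"
}
demo
```

On the appliance, the report to pass in is /usr/tideway/var/tw_tripwire.txt, and /usr/tideway/bin/tw_tripwire_rebaseline is run only when safe_to_rebaseline succeeds.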
    

Updating the Tripwire policy file

Sometimes you must update the Tripwire policy file. For example:
• An EFix being applied
• A full system upgrade
• Appliance relocation or change of IP Address
• Files changing too frequently and creating false positive alerts

Edit /usr/tideway/tripwire/etc/twpol.txt and make the necessary changes. Save the file using the same name.

Clear all violations before updating the Tripwire policy file by rebaselining the Tripwire database. The system must be in a known good state to update the policy database. This procedure should be performed as the tideway user.

  1. Run the following command to rebaseline the Tripwire database:

    /usr/tideway/bin/tw_tripwire_rebaseline
    
  2. Run the following command (on one line) to update the Tripwire policy file:

    cd /usr/tideway/tripwire/etc/
    sudo /usr/tideway/tripwire/sbin/tripwire --update-policy twpol.txt
    

    You need both the local and site password for this operation.

  3. Check that the update has been performed correctly. Enter:

    sudo /usr/tideway/tripwire/sbin/tripwire --check
    
  4. Run the following command to rebaseline the Tripwire database:

    /usr/tideway/bin/tw_tripwire_rebaseline
    

For more information, see tw_tripwire_rebaseline.

Running Tripwire checks manually

By default, Tripwire is run hourly and the output is written to the tw_tripwire.txt file. If a deviation from the baseline has been detected, the tw_tripwire.txt file is updated with the details. The monitor which sets the appliance status in the user interface checks the tw_tripwire.txt file hourly and sets certain restrictions if configured.

If you have rebaselined the Tripwire database, you should run the following commands to ensure that the correct status is shown in the user interface.

sudo /usr/tideway/tripwire/sbin/tripwire --check > /usr/tideway/var/tw_tripwire.txt
/usr/tideway/bin/tw_baseline --rebaseline

The appliance status is updated.

For more information about the tw_baseline utility, see tw_baseline.


