Customizing a component template


To accommodate the specific requirements of your data center, you can change or add to the imported component templates.

Warning

Customizing the component template is optional. Immediately after installation, you can use the contributory component templates. However, adjustments are typical and expected.

To reduce false positive change notifications or alerts, your FIM component templates should include only files and directories that are not expected to change. If you consistently see the same objects listed in the change tracking reports and consistently determine that the changes are expected, alter the templates to eliminate those objects. For example, log files are commonly excluded from monitoring because their size and timestamp change regularly. Confirm that a recurring change really is benign before you exclude its object: an exclusion also hides malicious changes to that object.

The following sections describe how to customize a component template:

Opening a Component Template

You can examine the contents of a component template on the TrueSight Server Automation Console. The following procedure assumes that you are logged on to the Console.
To open a component template:

  1. If you recently imported new templates, select File > Refresh.
  2. Expand the Component Templates folder.
  3. To view imported contributory component templates, locate the PCI File Integrity Templates folder and expand two levels below it.
  4. Right-click a component template and select Open.
    The template opens in the content editor. (The content editor is typically located in the upper right corner of the Console.)
  5. To review the contents of a component template, click the tabs at the bottom of the content editor. The following sections describe each tab.

General Tab

The General tab sets the operations that you want TrueSight Server Automation to perform using this component template. In the PCI FIM scenario, the operations are Discover, Browse, Snapshot, and Audit. The Deploy and Compliance operations are not checked as Allowed Operations because the FIM standards do not include deploying objects or testing objects for compliance with rules.
To verify operations:

  1. If it is not already displayed, click the General tab.
  2. Verify that the operations match the ones shown in the preceding example.
  3. If you made any changes, select File > Save on the Console menu bar.

Parts Tab

The Parts tab specifies the objects (files, directories, and Windows registry entries) to monitor. Using the Parts tab, you can add new files and directories to monitor. Be sure to use appropriate include or exclude options to:

  • Include .dll, .exe, and .inf files
  • Include critical libraries that are most subject to attack
  • Include files that are not likely to change outside of a patching scenario
  • Exclude .log files and other files that are expected to change

To add parts:

  1. Click the Parts tab. The Parts panel shows a list of objects to be monitored and the allowed operations.

    Warning

    For PCI FIM, the Discover operation applies to servers, not to server objects.

  2. Click Add. The Select Parts panel appears.
  3. Add new parts using either of these methods:
    • Expand the folders in the left panel and navigate to objects. In the Servers list, navigate to a server with the same OS for which you are building the template (in this case, a Windows 2003 server). Select additional directories and files that you want to monitor. Using the arrow buttons in the middle of the panel, move your selection into the Selected Parts list. Make each selection separately.

      Warning

      The objects that you select using this method must have the same name on every server running the same OS.

    • Alternatively, you can construct path names by clicking Add New.
      The New Component Template Part dialog appears.
  4. For Type, select any value that represents a file, a directory, or a Windows Registry object. Other Type values are not appropriate for PCI FIM objectives. For example, the Active Directory types shown below are not appropriate for a PCI FIM component template.
  5. For Name/path, you can:
    • Type a full or partial path name.
    • Click Browse and navigate to a full path name. For example: C:\WINDOWS\system32.
    • Click Select Property to see a list of defined properties and select one that represents a file or directory. For example: SYSTEMROOT.
    • Parameterize a path name. For example, TARGET.SYSTEMROOT\system32.
       By parameterizing path names with properties, you can track (and compare) the same files, even when the files have different absolute path names on different servers. For example, the system root directory is commonly C:\WINDOWS, but sometimes it might be C:\WINNT or W:\WINDOWS. The TARGET.SYSTEMROOT\system32 property appropriately maps to the system32 folder on hosts with different %SYSTEMROOT% variables.

      Warning

      The dimmed names in the list have extensions. To display and select extensions, click the arrow on the same line as the dimmed name. For example, to select TARGET.SYSTEMROOT, click the arrow to the right of TARGET, and then select SYSTEMROOT.

  6. When you are finished constructing the new part name, click OK. The new value appears in the right panel.
  7. Continue adding new parts to the list.
  8. To incorporate the new parts into the list of all parts, click OK. The Parts tab now includes the original and the new parts.
  9. To remove parts from the list, select the part and then click Delete.
  10. To change a part name or the operations that are allowed on the part, select the part and then click Update.
  11. To set inclusion and exclusion rules on parts that are directories, do the following:
    1. Select the part on which you want to set an inclusion or exclusion rule.
    2. Click Add in the Options section in the bottom left corner of the Parts tab.
    3. Set the inclusions or exclusions on specific file types and click OK.
  12. To save your changes on the Parts tab, click File > Save from the Console menu bar.

Adding Granularity to Parts Monitoring

The contributory component templates monitor parts (files and directories) for the occurrence of a change. The change tracking results show changed file and directory names, but not the specific change to the file contents.
You can change the component templates to include more granular monitoring. You have several options:

  • To capture MD5 checksums, on the Snapshot tab, check the md5sums option for a part. Comparing size and timestamp alone misses a modification that preserves both (an attacker can pad a binary to its original size and reset its timestamp), so a content checksum is what makes the audit trustworthy. MD5 is no longer collision resistant, but for detecting that a monitored file differs from its baseline it remains a usable change indicator.
  • To track specific entries in a file, add the part as a Config file object (rather than a File object) on the Parts tab. Then you can monitor changes to individual lines in files such as /etc/passwd or C:\WINDOWS\System32\drivers\etc\hosts.

    Warning

    Although an option exists on the Snapshot tab to track file contents, do not check that option.
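
The effect of the Parts tab include/exclude options and of the md5sums option described above can be seen in a small stand-alone model. The following Python script is an added example written for this page; it is not TrueSight Server Automation code and does not use its API or file formats. The rule names (INCLUDE, EXCLUDE), the simplified expansion of the TARGET.SYSTEMROOT property, and the directory tree standing in for %SYSTEMROOT%\system32 are all constructed for illustration. The script takes a baseline snapshot with and without checksums, tampers with two files (one edit keeps the original size and restores the timestamp), appends to the excluded log file, and audits: only the checksum snapshot catches the stealthy edit, and the .log file never appears in the results.

```python
"""Added example for this page (not TrueSight Server Automation code): a toy
model of a PCI FIM component template. The include/exclude patterns, the
property expansion and the directory layout are constructed for illustration."""
import hashlib
import os
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Parts-tab style options (hypothetical names): what a directory part should cover.
INCLUDE = ["*.dll", "*.exe", "*.inf"]   # binaries that only change with patching
EXCLUDE = ["*.log"]                      # expected to churn; source of false positives


def expand_part(template: str, properties: dict) -> Path:
    """Simplified stand-in for a parameterized part such as TARGET.SYSTEMROOT/system32."""
    for name, value in properties.items():
        template = template.replace(f"TARGET.{name}", value)
    return Path(template)


def monitored_files(root: Path):
    """Yield files under a directory part that pass the exclude and include rules."""
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if any(fnmatch(path.name, pat) for pat in EXCLUDE):
            continue
        if INCLUDE and not any(fnmatch(path.name, pat) for pat in INCLUDE):
            continue
        yield path


def snapshot(root: Path, checksum: bool) -> dict:
    """Record size and mtime per monitored file; add an MD5 when checksum is set
    (the analogue of the md5sums option on the Snapshot tab)."""
    snap = {}
    for path in monitored_files(root):
        st = path.stat()
        record = {"size": st.st_size, "mtime_ns": st.st_mtime_ns}
        if checksum:
            record["md5"] = hashlib.md5(path.read_bytes()).hexdigest()
        snap[str(path.relative_to(root))] = record
    return snap


def audit(baseline: dict, current: dict) -> dict:
    """Compare two snapshots the way an audit compares a server against its baseline."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def build_sample_tree(systemroot: Path) -> Path:
    """Constructed sample data standing in for %SYSTEMROOT%\\system32."""
    sys32 = systemroot / "system32"
    sys32.mkdir(parents=True)
    (sys32 / "kernel32.dll").write_bytes(b"original-dll-code")
    (sys32 / "svchost.exe").write_bytes(b"original-exe-code")
    (sys32 / "drivers.inf").write_bytes(b"[Version]\nSignature=$Windows NT$\n")
    (sys32 / "setup.log").write_bytes(b"installer noise\n")
    return sys32


def demo():
    """Baseline, tamper, audit. Returns (size/mtime audit, md5 audit, monitored names)."""
    with tempfile.TemporaryDirectory() as tmp:
        # This server's system root is WINNT, not WINDOWS: the property absorbs the difference.
        props = {"SYSTEMROOT": os.path.join(tmp, "WINNT")}
        part = expand_part("TARGET.SYSTEMROOT/system32", props)
        build_sample_tree(Path(props["SYSTEMROOT"]))

        base_plain = snapshot(part, checksum=False)
        base_md5 = snapshot(part, checksum=True)

        # Tamper 1: same-length edit to a DLL, then restore its timestamp (timestomping).
        dll = part / "kernel32.dll"
        st = dll.stat()
        dll.write_bytes(b"tampered-dll-code")          # 17 bytes, same as the original
        os.utime(dll, ns=(st.st_atime_ns, st.st_mtime_ns))
        # Tamper 2: a visible edit that changes both size and mtime.
        (part / "svchost.exe").write_bytes(b"original-exe-code+appended-payload")
        # Noise: the excluded log file keeps growing.
        with open(part / "setup.log", "ab") as log:
            log.write(b"more installer noise\n")

        plain = audit(base_plain, snapshot(part, checksum=False))
        with_md5 = audit(base_md5, snapshot(part, checksum=True))
        return plain, with_md5, sorted(base_md5)


if __name__ == "__main__":
    plain, with_md5, monitored = demo()
    print("monitored:", monitored)
    print("size/mtime only:", plain["changed"])   # misses kernel32.dll
    print("with md5sums:   ", with_md5["changed"])
```

Run it directly to see the two audit results side by side. The size/mtime snapshot reports only svchost.exe; the md5 snapshot also reports kernel32.dll, and setup.log is absent from both, which is the behaviour the include/exclude and md5sums options on the template are meant to produce.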

Discover Tab

The Discover tab contains rules that define the set of servers to monitor. If you follow the best practice illustrated in this document, server selection is a two-tiered process:

  1. A PCI FIM server smart group defines all servers in your data center that require PCI FIM. The smart group selects servers based on conditions such as the existence of one or more applications, or even a custom configuration option that identifies the server as a PCI FIM server. For information, see Creating-the-PCI-FIM-Server-Smart-Group.
  2. Discover rules in the component templates select subsets from the server smart group. The contributory component templates test for OS. In addition, you might include rules that test for the presence of specific applications.

    Warning

    The contributory component template for Windows discovers only Windows 2003 servers. The following procedure shows how to change the discover rules to include Windows 2008.

To verify and change discover rules:

  1. Click the Discover tab. The tab shows the Discover rules of the Windows PCI FIM component template as they are immediately after installation.
  2. To edit the Discover rules, click Edit on the right side of the Rule Definition. The Rules Editor window appears. You can add new rules, delete rules, apply the NOT operator to rules, cut, copy, and paste rules, rearrange rules, and change rules.
  3. To change a discover rule, double-click the line that you want to change. The text in the selected line is converted into editable fields.
  4. To change the operation, select a new value in the operation drop-down list. For the OS version rule in the Windows template, the selected operation is "is one of", which takes a list of values.
  5. To change the operand values (for example, to change 2003 to include both 2003 and 2008), click Edit next to the field. To make Edit appear (if it is not visible), click inside the field.
  6. In the Edit List Values dialog box, type a value. To add another line for an additional value, click Add.
  7. When you finish adding values, click OK. The new values appear in the edited fields.
  8. To accept the new rule, click the green checkmark. The Rule Definition tab shows the edited Discover rules. The Save button is now enabled.
  9. To save the edited rules, click Save.

Browse, Snapshot/Audit, Compliance, and Local Configuration Objects Tabs

The following tabs provide another view of the identified parts and the inclusion/exclusion rules on them. Typically, you do not need to change anything on these tabs.

  • Browse — You might have reasons to remove the Browse operation on selected parts.
  • Snapshot/Audit — For PCI FIM, this tab typically contains all of the parts from the parts list. It specifies the individual template parts to use in Snapshot Jobs after a component is associated with a server.
  • Compliance — For PCI FIM, this tab is blank. Compliance testing is not a goal of PCI-FIM.
  • Local Configuration Objects — This tab is typically not used in PCI-FIM component templates.
     Use the Add and Delete functions on these tabs to adjust operations on parts.

Local Properties Tab

This tab defines local properties used in other sections of the component template. For information about adding and using local properties, see Working-with-properties.
The most commonly used properties are predefined, so you might not need any local properties. Local properties are typically not needed in server change-tracking scenarios but they can be useful for application change tracking. Some uses for local properties in a component template are:

  • Defining parts.
  • Enabling the discovery of multiple instances of the same component on the same server.
  • Making reports more meaningful.


TrueSight Server Automation 23.1