Policy Minder User Guide PTPM2.1.3 021116


Post on 02-Oct-2020


Contents

Welcome

What is Policy Minder and Why Use It?

Help for Managing your Compliance Requirements and your Servers

Getting Started

Getting Started

Web browser troubleshooting tips

Licensing

Adding a Server to Manage

Options when adding a server

Adding Multiple Servers from a CSV File

Viewing Servers by Group

Initializing Policies

Copying Policies to Another Server and using the Export / Import Feature

Hover Text

Time out

Adding Policy Minder Users

Current Version

Upgrading to the Current Version

Using Policy Minder

Page 2 of 68 PowerTech | A Division of HelpSystems | www.helpsystems.com

United States: +1 952-933-0609 | Outside the US: +44 (0) 870 120 3148

Defining Policies

Configuration Values

Initializing

Using the Configuration Category

Running a compliance check

Running FixIt

Daemons

Initializing

Using the Daemon category

Running a compliance check

Discovering new daemons

Running FixIt

Exported Directories

Initializing

Running a compliance check

Running FixIt

Defining Templates

User Accounts

Files

Running a compliance check

Scripts

Defining a Script Policy

Running a Compliance Check

Running FixIt

Return Codes


Exporting and Importing Script Packages

FixIt

FixIt in Test Mode

Running FixIt

FixIt Restrictions

Scheduling Policy Minder Jobs

Backing Up Policy Minder

Removing Policy Minder from your Servers

Index


Welcome

Thank you for using PowerTech Policy Minder for AIX and Linux. Policy Minder helps you with automating security administration as well as policy and security configuration management, compliance and monitoring. This manual provides information on how to use Policy Minder. If you can’t find the answer to your question in this manual, see PowerTech Support for additional resources and help.


What is Policy Minder and Why Use It?

PowerTech Policy Minder is a product that automates security administration and policy compliance tasks and reporting. With Policy Minder you can:

• Check compliance and configuration of user accounts, directories, files, configuration settings, daemons, exported directories and more.

• Monitor for changes to ownership, permissions and attributes for a specific set of files or directories.

• Deploy and run custom scripts to managed servers through the integrated cron function.

• Report the compliance status of running user-written scripts using the Policy Minder reporting function.

• Monitor for changes to the contents of critical application, configuration or server files.

• Use the Export/Import function to:

  ◦ enforce the same policy requirements across multiple servers.

  ◦ copy the required settings to new servers and configure them using FixIt to set them to your required settings.

• Email exception-based compliance reports, policy, FixIt or Message log reports to yourself and others.

• Document your security implementation with unique templates that reflect your security policy requirements.

• Use “Fix-It” to return out of compliance items to your security policy specifications.

Help for Managing your Compliance Requirements and your Servers

Policy Minder is a tool to help you reduce the cost of attaining and staying in compliance with your security policy requirements. In addition, many organizations are using Policy Minder to address - not only compliance - but security administration issues as well. Here are some of the ways Policy Minder is being used:


Note: Most of our clients performed many of the following processes “manually” before implementing Policy Minder to replace them. By automating such procedures, they reduced the time and resources it took them to ensure that their systems remain in compliance, resulting in measurable cost savings.

• Discover files with either the SUID or SGID bit set then monitor them for changes to their ownership, permissions or attributes.

• Discover when the sudoers file has been changed by using the checksum function.

• Ensure key system files are not world-writable.

• Schedule a cron job to run regular compliance checks on the daemons category to find when a daemon has been activated that shouldn't have been. Schedule the FixIt function to set the daemons to the appropriate value (turn them on or off as appropriate).

• Upload your user-written scripts to run customized compliance checks and FixIt scripts.

• Ensure all user accounts have been created - and remain - with the appropriate attributes.

• Discover new admin accounts.

• Discover user accounts with UID of 0 (root being the allowed exception, of course!)

• Discover user accounts with non-unique UIDs.

• Ensure all files for an application have the appropriate owner, group and permissions. Receive a detailed report specifying any files not configured correctly. Run FixIt to change the settings.

• Discover and manage inactive user accounts.

• Ensure that the exported directories that are required for your servers remain along with their appropriate settings.

• Aid with auditor and compliance requirements by ensuring password rules are set appropriately - both for the global settings and at the user level.

• Easily set up new servers by defining file and user account templates, daemon and configuration settings, exporting the policies to the new server and running FixIt to set the configuration.

• Use the integrated cron function to set up regular compliance checks and immediate FixIt tasks to keep your servers in compliance.

• Document policy exceptions along with the policy then print the policy when the auditor appears - no more scrambling to find previous years' documentation or writing up the exception in the middle of your audit.


Getting Started

Installing PowerTech Policy Minder

Policy Minder is obtained by downloading it from the PowerTech website. You have a choice as to where you want to run the console – either from an AIX partition, Red Hat Linux or from Windows. Choose the version of the software appropriate for the operating system the console will be running on. Once you have downloaded the installation code, you will need to move the executable to the system which is going to be the console. Once the console has been installed, you can add AIX and/or Linux servers to be managed. The managed server is installed and configured when you add the server to the Policy Minder console.

Supported Operating Systems for the Console

• Windows 7

• Windows Server 2003 or later

• AIX 5.3 or later

• RHEL (Red Hat Enterprise Linux)

• Ubuntu

• CentOS

• Oracle Linux

Supported Browsers for Accessing the Console

The console User Interface is accessed via a browser. Supported browsers for accessing the console are:

• Chrome and Chrome for Android (most recent)

• Firefox 5+

• Safari 9 on iPhone, iPad, and Mac

• IE 11


Getting Started

Follow the instructions for the operating system you’re using to run the console to get started.

Launching the console from Windows

On Windows, the Database and Tomcat start automatically during installation.

To start the application

1. Go to Start > All Programs > PowerTech Policy Minder > Policy Minder. Your browser opens the Policy Minder login screen.

2. The first time you login, use user pmadmin and password pmadmin for your login credentials.

Note: You can manually start and stop the Database and Tomcat, and configure their settings using additional shortcuts in the Windows Start menu.

Starting Policy Minder on AIX or Linux

Navigate to the directory where the console was installed and run the startpm.sh script.


Launching the application from your browser

On Windows, the Start Menu shortcut opens Policy Minder using 'localhost.' Whether you are using Windows, Linux, or AIX, if you are launching your browser on the system on which the console is running, you can use the following 'localhost' URL to access the application:

http://localhost:8080/policyminder/

Otherwise, type the TCP/IP address or server name:

http://172.20.0.60:8080/policyminder/

Note: Both of the above URLs assume you have not changed the port the web server is listening on (the default is 8080). If you have changed the port, replace "8080" with the new port.

The Policy Minder login screen appears:

Sign on with the user pmadmin and password pmadmin. After this initial sign on you’ll want to create your own user account to run the product. See the section, Adding Policy Minder Users later in this chapter for instructions.


To end Policy Minder on AIX or Linux

1. Log out of the application.

2. Close your browser.

3. Go to the directory where the console was installed and run the stoppm.sh script.

To end Policy Minder on Windows

Close the browser. If you would like to stop the Policy Minder database and Tomcat services, you can do so under the Windows Start menu (Start > PowerTech Policy Minder > Start Policy Minder).

Web browser troubleshooting tips

• Make sure that the database is started.

• Make sure that Tomcat is started.

• On Windows, to start both the database and Tomcat go to Start > PowerTech Policy Minder > Start Policy Minder.

• If the web page is not displayed, make sure there are no local or network firewalls or routers blocking access.

Licensing

Licenses

You will be given temporary licenses that you can use to manage some servers for a period of time. During this time Policy Minder is fully functional but it will stop working at the end of the temporary license period.

After purchasing Policy Minder, you will be provided with a file containing permanent licenses for the number of servers you are going to manage through Policy Minder. The managed server license file is imported to the console. Licenses are NOT entered on each server being managed. Licenses are not assigned to each managed server; therefore, you can choose which servers are managed through the console but the number cannot exceed the number of purchased licenses. If you run out of licenses, you must purchase more.


You can stop managing a server through the console and ‘free up’ the license, but to do so, you must delete the server from the console. Doing that removes all of the data for that system and you must start all over if you choose to manage it again in the future.

Uploading the License File

To upload the license file into the console, do the following:

1. Go to Admin Tasks > Manage Licenses.

2. You will see prompts for Customer name and Key. These should be entered EXACTLY as they were sent to you in an email. The easiest way to ensure they are entered correctly is to use the copy and paste feature.

3. Browse to the location of the license file sent to you.

4. Upload the file. Or, you can place the license file in the following directory (where Policy Minder was installed):

…/PowerTech/Policy Minder/tomcat/webapps/policyminder/WEB-INF/license


Adding a Server to Manage

You can manage both AIX and Linux servers from the same Policy Minder console. The supported versions and distributions are:

• AIX 5.3, 6.1 and 7.1

• RHEL, Ubuntu, CentOS and Oracle Linux

Note: sudo must be installed on the Linux server PRIOR to adding a Linux managed server.

To add a server, go to Admin Tasks > Add a Server or click Add on the Manage Servers page. Fill in the dialog with the details of the server you want to manage through the Policy Minder console.

When you click Save the user account named pmadmin will be created on the server you’re adding. The initial connection does NOT have to be as root; however, it must have sufficient rights to modify the sudoers file on the server being added.

Options when adding a server

Option 1: If you take the default settings, you will need to provide root’s password to make the initial connection. When the connection is made, the Policy Minder User policym and the Policy Minder Group policym will be created and the sudoers file updated to provide the user policym with the ability to run the commands needed for the Policy Minder product. Subsequent connections are made via SSH and use certificates, not user / password to establish the connection.


Alternative to Option 1: Some organizations do not allow root to make an SSH connection. In this case you can use su. Use the drop down box for Connect How and choose su. You will be prompted to enter root’s password (so you can use SU on the server you’re adding). You must also specify a user and password to make the initial connection. This user MUST be able to SU to root.

Another alternative to Option 1: Ubuntu doesn’t have the concept of root so when adding an Ubuntu server, use the option to connect with sudo. To choose this option, use the drop down box for Connect How and choose sudo. The user specified in the Installation User Name field must be a user who can execute admin commands using sudo.

Option 2: By default a user and a group named policym will be created on each server. You may want to create a user and/or group by a different name than policym. Or you may want to specify the UID or GID for the user/group. To do so, name the user, group, and specify a UID and GID. (Note: if the user or group do not already exist, they will be created with the UID / GID specified (if any).)

Option 3: By default, the commands required by Policy Minder will be added on the server being added in the /etc/sudoers.d file. If you uncheck this option, the commands will be added directly to the sudoers file. However, some organizations control how and by whom the sudoers file is updated. If this is the case, you can add the stanza to the sudoers file yourself. Add the Managed Server. The Install log that is generated will contain the stanza that needs to be added to the sudoers file. As part of adding the stanza to the sudoers file, be sure to change the host name to the server you’re adding. Once that stanza is added (with the current host server name), run the Add Managed Server again. Policy Minder will detect that the commands have already been added and the install will complete successfully.

Adding Multiple Servers from a CSV File

If you have many servers to manage you may want to define the servers in a CSV file and create them all at once rather than one by one.

Using this method assumes that you have already performed the following configuration steps on each server to be managed:

• Created a user and group under which Policy Minder tasks will run

• Populated the sudoers or sudoers.d file with the following:

AIX:

USER_NAME SERVER_NAME=NOPASSWD: /bin/cat, /usr/bin/aclget, /usr/bin/aclput, /usr/bin/chmod, /usr/bin/chown, /usr/bin/chsec, /usr/bin/chuser, /usr/bin/csum, /usr/bin/find, /usr/bin/ls, /usr/bin/lssrc, /usr/bin/mv, /usr/bin/odmget, /usr/bin/rm, /usr/bin/sed, /usr/bin/startsrc, /usr/bin/stopsrc, /sbin/chkconfig, /usr/sbin/lsuser, /home/policym/skyscript.sh

RHEL:

USER_NAME SERVER_NAME=NOPASSWD: /bin/cat, /bin/chmod, /bin/chown, /bin/cp, /bin/cut, /usr/bin/sha1sum, /usr/bin/lastlog, /bin/find, /bin/ls, /bin/mv, /bin/rm, /bin/sed, /sbin/chkconfig, /sbin/service, /usr/bin/chage, /usr/bin/id, /usr/bin/find, /usr/sbin/userdel, /usr/sbin/usermod, /usr/sbin/groupdel, /sbin/runlevel, /home/policym/skyscript.sh

Defaults:skyview !requiretty

• Added the public key of a public/private key pair in the following directory. This key pair will be used to establish the SSH connection between the console and the server being managed.

  USER_HOME/.ssh

Next you must create a CSV file in the following format:

name, server_type, group, description, name_or_ip, ssh_port, pm_user


Notes:

• The file must be a CSV, not a spreadsheet such as an xlsx.

• Server type: valid types are - AIX, RHEL, Ubuntu, CentOS and Oracle (Linux)

• If group is left blank the server is added to the default – Server Systems group

• If ssh_port is left blank the default ssh port is used

• If pm_user is left blank the user is assumed to be policym

Once these configuration steps have been completed you can use the Add Multiple Servers option to install the servers. Go to Admin Tasks > Add Multiple Servers. You will be prompted to paste in the private key of the key-pair you generated as well as upload the CSV file as shown below. Be sure you copy in the entire key which includes everything including the leading and trailing dashes (-----). Once both of those are completed, click on Start CSV install.
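A pre-flight check for the CSV file and the pasted key described above, as an added example (not PowerTech code and not part of the original guide). It assumes a header row is optional, that name, server_type and name_or_ip are required, that server types match case-insensitively, and that the "default ssh port" is 22; the sample rows and key text are constructed.

```python
import csv
import io

COLUMNS = ["name", "server_type", "group", "description",
           "name_or_ip", "ssh_port", "pm_user"]
VALID_TYPES = {"aix", "rhel", "ubuntu", "centos", "oracle"}  # types listed in the guide
DEFAULT_GROUP = "Server Systems"  # default group named in the guide
DEFAULT_USER = "policym"          # default pm_user named in the guide
DEFAULT_SSH_PORT = 22             # assumption: "default ssh port" means 22

# Constructed sample input (documentation addresses, not real servers).
SAMPLE_CSV = """\
name, server_type, group, description, name_or_ip, ssh_port, pm_user
web01, RHEL, Web, Front-end web server, 192.0.2.10, 22, policym
db01, AIX, , Database LPAR, db01.example.test, ,
app01, Solaris, , App server, 192.0.2.12, 2222, pmsvc
bad01, Ubuntu, , Missing fields, 192.0.2.13
web02, CentOS, Web, Bad port, 192.0.2.14, 70000,
"""

# Constructed placeholder text, not a usable key.
SAMPLE_KEY = """\
-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-KEY
-----END OPENSSH PRIVATE KEY-----
"""


def check_csv(text):
    """Return (servers, problems) for CSV text in the guide's 7-column format."""
    servers, problems, seen = [], [], {}
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        n = reader.line_num
        row = [cell.strip() for cell in row]
        if not any(row):
            continue  # blank line
        if [cell.lower() for cell in row] == COLUMNS:
            continue  # optional header row (assumption)
        if len(row) != len(COLUMNS):
            problems.append(f"line {n}: expected {len(COLUMNS)} fields, got {len(row)}")
            continue
        rec = dict(zip(COLUMNS, row))
        errors = []
        for field in ("name", "server_type", "name_or_ip"):
            if not rec[field]:
                errors.append(f"{field} is blank")
        if rec["server_type"] and rec["server_type"].lower() not in VALID_TYPES:
            errors.append(f"unknown server_type {rec['server_type']!r}")
        port = rec["ssh_port"] or str(DEFAULT_SSH_PORT)
        if port.isascii() and port.isdigit() and 1 <= int(port) <= 65535:
            rec["ssh_port"] = int(port)
        else:
            errors.append(f"ssh_port {port!r} is not a port number")
        if rec["name"] and rec["name"] in seen:
            errors.append(f"name repeats line {seen[rec['name']]}")
        if errors:
            problems.append(f"line {n}: " + "; ".join(errors))
            continue
        seen[rec["name"]] = n
        # Apply the defaults the guide describes for blank fields.
        rec["group"] = rec["group"] or DEFAULT_GROUP
        rec["pm_user"] = rec["pm_user"] or DEFAULT_USER
        servers.append(rec)
    return servers, problems


def check_private_key(pasted):
    """True if the pasted text still has its leading and trailing dash lines."""
    lines = [ln.strip() for ln in pasted.strip().splitlines()]
    return (len(lines) >= 3
            and lines[0].startswith("-----BEGIN ")
            and lines[0].endswith("PRIVATE KEY-----")
            and lines[-1].startswith("-----END ")
            and lines[-1].endswith("PRIVATE KEY-----"))


if __name__ == "__main__":
    ok, bad = check_csv(SAMPLE_CSV)
    for rec in ok:
        print("OK  ", rec["name"], rec["server_type"], rec["group"],
              rec["name_or_ip"], rec["ssh_port"], rec["pm_user"])
    for msg in bad:
        print("FAIL", msg)
    print("key complete:", check_private_key(SAMPLE_KEY))
```

Running the check on the workstation where the CSV is prepared keeps the private key out of any extra files; only the text that will be pasted into the console is inspected.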


Viewing Servers by Group

To help with the management of large numbers of servers, you can create groups to help you manage the view of these servers. You can create a new group when adding a new server. If you do nothing, all servers will be in the default group – Server Systems.


Initializing Policies

One quick way to get started using Policy Minder is to initialize your policies. When you initialize a category, Policy Minder retrieves the current settings for the category and establishes that as the baseline policy for that category.

To initialize policies, click on Console Tasks > Initialize Policies. On the Servers tab on the Initialize Policies dialog, select one or more servers.


On the Policies tab, select the Categories to be initialized then click Initialize.

Note: The policies you select will be initialized on all of the servers selected on the Servers tab.


Copying Policies to Another Server and using the Export / Import Feature

Once you have defined your policies on one of your servers, you can use the export/import function to copy the policies from one server to another. You might want to use this feature when configuring/setting up a server to ensure the settings are set properly on the new server, to propagate user account policies to all servers to ensure consistent policy compliance, to ensure settings on QA servers are consistent with production, etc.

Before you can copy a policy to another server, you must first Export it. Go to Console tasks > Export. You’ll see the following dialog:


Do the following:

• On the Servers tab specify which server you are exporting from (you can only specify one server.)

• On the Policies tab specify the policies you want to export.

• On the Destinations tab specify the servers you want to import (or copy) policies to.

Note: Exporting a file provides the option to create an .xml file of the exported policies. If the server you are importing (copying policies) to is managed by this console, you can simply choose the option to copy the policy to the server(s) and avoid having to import via the exported file.

Replace Template Options

• By default, policies defined on the target system are over-laid if they also exist on the server to which they are being imported.


• When specifying Replace templates N and a template exists on the target system with the same name as a template on the master system, the master system template will be imported and will have a number added to the end of the name.

Importing Policies

You may want to import a policy file from another console or one that you have acquired elsewhere.

To import a policy file, go to Console tasks > Import:

• For consoles running on Windows you can Browse to find the policy file and upload it.

• For consoles running on AIX or Linux, place the .xml file in the following directory (where Policy Minder was installed).

…/PowerTech/PolicyMinder/tomcat/webapps/policyminder/exports

(this also works for Windows consoles)

Once you have uploaded the policy file or placed it in the proper directory, it will be listed as one of the files available to be imported. In the example below, the AIX Security Check-up file is available for import.


The next chapters will explain how to define policies and templates as well as what to expect when using the CheckIt and FixIt functions.

Hover Text

Policy Minder makes extensive use of hover text. For example, if you are unsure of the definition of a configuration item or daemon, simply hover over the name and a definition will appear.

Time out

Policy Minder sessions time out after 15 minutes of inactivity. This is to ensure compliance with various laws and regulations and to ensure sessions are not left available for others to use. If you are in the middle of creating or modifying a template and you stop working on it for 15 minutes or more, your work will be lost.


Adding Policy Minder Users

To get started, you’ll sign on with the user pmadmin and password pmadmin. After this initial sign on you’ll want to create your own user account to run the product. To create your own user account, do the following:

1. Go to the task bar and choose Admin Tasks > Manage Users.

2. Click Add User.

3. Complete the form and click Add User.

Since many laws and regulations forbid the use of default passwords, we highly recommend that you change the password for the user; however, make sure you remember what it is because it’s non-recoverable if you lose it. A safeguard would be to have another user defined so you can always sign on to the Policy Minder console.


Current Version

To determine what version of Policy Minder is installed on your console, go to Help > About Policy Minder. Choose Help > PowerTech Website to open the PowerTech website where you can find the current version.

Upgrading to the Current Version

If you already have Policy Minder installed, you will follow the same installation steps to upgrade the product as you did when first installing the product. First, you may want to export your policies to a file to back-up your work prior to the upgrade. (For more information, see the section on using the Export / Import feature earlier in this chapter.)

After backing up your policies, do the following:

To Upgrade on Windows

1. Go to Start > All Programs > PowerTech Policy Minder > Stop Policy Minder.

2. Launch the executable that you’ve downloaded from the PowerTech website and follow the instructions.

To Upgrade on AIX or Linux

1. Navigate to where Policy Minder was installed and run the stoppm.sh script.

2. Follow the install instructions.


Using Policy Minder

Defining Policies, Running Compliance Checks, and Using FixIt

The previous chapter provided instructions for starting to use Policy Minder. This chapter describes each category in depth.

Defining Policies

Policy Minder allows you to define policies for the following areas of the AIX and Linux operating systems:

• Global configuration settings

• User account attributes

• Directory and file attributes, ownership and permissions (and more)

• Daemons

• Exported directories

• Scripts

You can initialize the values for the global configuration, daemon and exported directories categories. When you initialize the policies for one of these categories, it brings in the current values on that server and sets them as the policy values for the category.

You will create templates in the user account and directory / file policy categories to meet your organization’s requirements. Templates are simply a way to define within Policy Minder which users or which files to examine and the attributes to check when a compliance check is run.

You can import your user-written scripts to be run by the integrated cron feature and utilize the reporting features of the product.

Configuration Values

Policy Minder allows you to define your policy for global configuration settings.

Initializing

Many administrators are comfortable with the current values of these configuration settings and want to make sure that they remain set that way. The way to use Policy Minder to ensure they remain the same is to start by initializing the Policy Minder Configuration category.

1. Go to Console Tasks > Initialize Policies.

2. Select the server or servers you would like to initialize.

3. Click the Policies tab.

4. Choose the Configuration category.

5. Click Initialize.

Using the Configuration Category

If you are not familiar with all of the attributes listed in this category, simply click on the attribute name and a description will be displayed. You’ll notice that for an AIX managed server, some attributes, such as the minlen attribute as defined in the User Account Creation – Password category, have a value of “No Entry Policy.” This means that, when a user account is created, there is no entry for minlen in the /etc/security/user file. (If there’s an entry at the user level, it overrides (takes precedence over) the global value.) Instead, the value for minlen is to come from the minlen global setting. This value is defined in Policy Minder in the User Account Default – Password minlen attribute. The “No Entry Policy” is not applicable for this attribute since this is the global (highest level) attribute.

Running a compliance check

You may want to check all of the values listed in the Configuration category. Or, because only some of them are meaningful for your organization, you may want to check only a few. If this is the case, you can change the policy value to be “Any value”. This means that it doesn’t matter what the value is and it will never be checked during a compliance check or identified as out of compliance.

When a compliance check is run against the Configuration category, the values you specify for your policy will be compared against the actual value of the configuration item. The item will be in compliance if the actual value is the same as the value you have defined in the policy. If the actual setting is different than the value defined in the policy, the value will be flagged as “out of compliance”.

To run a compliance check, do one of the following:

• On the Servers and Policies screen, click for the Attribute under the Action column.

• On the Manage Servers screen, click next to a server to open the server's Configuration policies. Check Attribute to select all Attributes and click CheckIt in the upper right. This will run a compliance check on all of the attributes in the Configuration category.

• Choose Console Tasks > CheckIt. Choose the server(s) and then the category, then click CheckIt.

• Schedule a regular compliance check. Choose Admin tasks > Manage Scheduled Jobs.

Running FixIt

If an item is identified as Out of compliance, you can have Policy Minder change the value to make it match the policy by running the Policy Minder FixIt function. By default, FixIt is not enabled. You must enable FixIt.

Note: You must first run a compliance check to identify what is out of compliance before you can run FixIt.

Once a compliance check has been run and FixIt is enabled, do one of the following:

• On the Servers and Policies screen, click for the setting under the Action column.

• Check the individual item or all items and then click FixIt and choose Console Tasks > FixIt. Choose the server and then the category, then click FixIt.

• Schedule a regular compliance check and FixIt. Choose Admin Tasks > Manage Scheduled Jobs.

Note: FixIt cannot be used for all AIX configuration settings. Obviously, prior to using FixIt, all changes should be reviewed carefully; however, some settings seemed as though they had a significant chance of causing disruption if changed. Therefore, these values cannot be changed through FixIt:

• auth_type

• pwd_algorithm

• auth1

• auth2

• SYSTEM

• default_roles

• roles

• auditclasses

• dictionlist

• pwdchecks

• account_locked

• rlogin

These settings are also noted in the Configuration category with an ‘*’. These items will be identified as out of compliance but FixIt will not modify their values.

Daemons

Policy Minder allows you to define your policy for daemons regardless of whether they should be required to be running, restricted from running, or whether it doesn’t matter whether they are running or not.

Initializing

Initializing this category will result in a list of the daemons currently on the server. To initialize the Policy Minder Daemon category, go to Console Tasks > Initialize Policies and choose to initialize the Daemon category.

• Daemons currently running will be set to a policy value of Required.

• Daemons not running will be set to a policy value of Prohibited.

Using the Daemon category

Once initialized, you can alter the daemon settings to indicate whether they are Required (must be running), Prohibited (cannot be running) or Allowed (can be running or stopped).

You can delete a daemon from the category. This does NOT delete the daemon from the server – only from the policy and subsequent compliance checks.

Running a compliance check

When a compliance check is run against the Daemon category, the values specified in the policy will be compared against the setting of the daemon on the server. The daemon will be in compliance if the server setting is the same as the Policy Value (or if the Policy Value is set to Allowed). If the current setting is different than the value defined in the policy, the value will be flagged as “out of compliance.”

To run a compliance check, do one of the following:

• On the Manage Servers screen, click next to a server to open the server's Daemon policies.

• Click for the Daemon under the Action column. Or,

• Select one or more Daemons and click CheckIt. This will run a compliance check on all the selected daemons in the Daemon category.

• Choose Console Tasks > CheckIt. Choose the server from the Servers tab and then Daemons from the Policies tab, then click CheckIt.

• Schedule a regular compliance check. Go to Admin tasks > Manage Scheduled Jobs.

Discovering new daemons

As mentioned earlier, you can remove a daemon from the category. Deleting a daemon does not remove it from the server. If you wish to include the daemon again or discover other daemons that may be running on the server, do the following:

• Run a compliance check on the category and resolve any compliance issues (if any).

• Go to Console Tasks > Initialize and initialize the policy for the Daemon category. This will bring in the daemons currently on the partition, including any daemons previously deleted from the category.

Running FixIt

If an item is identified as Out of compliance, you can have Policy Minder change the value to make it match the policy by running the Policy Minder FixIt function. By default, FixIt is not enabled. You must enable FixIt.

Note: You must first run a compliance check to identify what is out of compliance before you can run FixIt. FixIt will start or stop the daemon based on the setting defined in the policy. FixIt will not take any action on daemons whose setting is Allowed.

Once a compliance check has been run and FixIt is enabled, do one of the following:

• Check the individual daemon or all daemons and then click FixIt.

• Choose Console Tasks > FixIt. Choose the server and then the category, then click FixIt.

• Schedule a regular compliance check and FixIt. Choose Admin Tasks > Manage Scheduled Jobs.

Note: FixIt cannot be used for all daemons. Changing some daemons could be catastrophic; therefore, FixIt is not allowed for the following:

o biod

o cron

o ctrmc

o IBM AuditRM

o IBM.CSMAgentRM

o IBM.DMSRM

o IBM.DRM

o IBM.ERRM

o IBM.HostRm

o IBM.HWCTRLRM

o IBM.LPRM

o IBM.SensorRM

o IBM.ServiceRM

o inetd

o nfsd

o portmap

o qdaemon

o rpc.lockd

o rpc.statd

o sshd

o syslogd

o xntpd

These daemons will also be noted in the Daemons category with an ‘*’. These items will be identified as out of compliance but FixIt will not modify their values.

Exported Directories

Policy Minder allows you to define your policy for exported directories.

Initializing

Initializing this category will create a list of the exported directories on the server. To initialize the Policy Minder Exported Directories category, go to Console Tasks > Initialize Policies and choose to initialize the Exported Directories category.

Note: The initialize will read the exports file and compare it to what’s configured on the server. It also looks for errant spaces and the setting of the no_root_squash flag. If you don’t want this analysis performed on the exported directories, simply uncheck the appropriate box(es).
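An added example (not from the guide and not Policy Minder's own code) of the checks named in the note above, errant spaces and no_root_squash, plus the comparison of the exports file with what the server currently exports. It assumes Linux exports(5) syntax; the function names, hosts and paths are made up for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax; every path and host is made up.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/payroll   10.0.5.0/24(rw,sync,root_squash)
/srv/builds    build01.example.com(rw,no_root_squash)
/srv/shared    nfsclient.example.com (rw,sync)
/srv/archive   *.example.com(ro) \\
               backup01.example.com(rw,no_root_squash)
"""

# One whitespace-separated client field: host, host(options) or a bare (options)
CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Return [(path, [(host, [options])])], one tuple per export line."""
    entries = []
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        clients = []
        for field in fields[1:]:
            match = CLIENT_RE.match(field)
            if match is None:
                clients.append((field, ["<unparsed>"]))
                continue
            opts = match.group("opts") or ""
            clients.append((match.group("host"),
                            [o for o in opts.split(",") if o]))
        entries.append((fields[0], clients))
    return entries


def audit_exports(text):
    """Flag errant spaces and no_root_squash in the exports text."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host == "" and opts:
                # "host (rw)": the space detaches the options from the host, so
                # the host gets the defaults and the options apply to any client.
                findings.append((path, "errant_space", ",".join(opts)))
            if "no_root_squash" in opts:
                # Remote root keeps UID 0 on this export for the named client.
                findings.append((path, "no_root_squash", host or "*"))
    return findings


def compare_with_active(text, active_paths):
    """Return (paths only in the file, paths only exported by the server)."""
    in_file = {path for path, _ in parse_exports(text)}
    active = set(active_paths)
    return sorted(in_file - active), sorted(active - in_file)


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
    # Constructed list standing in for the server's current export table
    print(compare_with_active(SAMPLE_EXPORTS,
                              ["/srv/payroll", "/srv/builds", "/srv/shared", "/srv/tmp"]))
```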

Running a compliance check

When a compliance check is run against the Exported Directories category, the values specified in the policy will be compared against the settings of each Exported Directory. The directory will be in compliance if the setting is the same as the value you have defined in the policy. If the settings are different than the values defined in the policy for the exported directories, the directory will be flagged as “out of compliance.”

To run a compliance check, do one of the following:

• On the Manage Servers screen, click next to a server to open the server's Exported Directories policies. Then click CheckIt. This will run a compliance check on all of the exported directories in the category.

• Choose Console Tasks > CheckIt. Choose the server and then the category, then click CheckIt.

• Schedule a regular compliance check. Choose Admin tasks > Manage Scheduled Jobs.

Running FixIt

FixIt is not available for the Exported Directories category.

Defining Templates

The User Account and Files categories use templates to select what is going to be examined and the attributes to analyze.

Template Tips:

• When you define a template, the first tab allows you to define what items – user accounts, directories or files – you want to select to be examined when a compliance check is run on this template. You can include or omit items using specific or generic names. The Policies tab allows you to define the attributes that will be examined during a compliance check.

• You can specify a value for each attribute or you can leave the value as the default of ‘any’ value. ‘Any’ value means that it doesn’t matter what the value is, this particular attribute will always be in compliance. In other words, this attribute is ignored when a compliance check is run for the template.

User Accounts

What user account attributes need to be checked and the requirements for user profile compliance will vary from organization to organization. Some of the common user account templates we see configured are used to check for:

• New admin accounts

• Inactive accounts

• Members of a particular group to be configured with specific settings such as logon and audit settings.

• Accounts with UID of 0 (other than root)

• Multiple accounts with the same UID

Let’s walk through some examples to get you started:

Example – Detecting New Admin Accounts on AIX

Defining the template

1. To get to the User account category, on the Manage Servers page, click on the category next to the desired server.

2. Or go to Servers and Policies > [server name] > User Accounts.

3. Click New.

4. Fill out the General tab – example below.

5. Click on the Selections tab, then click on Add to choose (select) the user accounts that will be examined during a compliance check. For this example we’re selecting Admin but you can select users based on:

• user account name (using the full name or a generic (as in bob*))

• accounts that have a specific primary group

• members of a specific group

• number of days the account has been inactive

• number of days since the last password change

• UID (to check for accounts with UID of 0 – in addition to root, for example)

• Non-unique UIDs

6. Click on the Policies tab. This is where you specify what user account attributes will be checked when a compliance check is run. For this example, we’re not going to select any user account attributes. Rather, we are going to disallow new accounts. To do so, select the Don't Allow New radio button.

7. Click Save.

Run a compliance check

The first time a compliance check is run on this template, a baseline of all of the current admin accounts is established. On subsequent compliance checks, if new admin accounts are created or accounts are changed to be an admin, the compliance check will identify any account not in the baseline as out of compliance.

To run a compliance check, do one of the following:

• On the Manage Servers screen, click next to a server to open the server's Files policies.

• Click for the Template under the Action column. Or,

• Select one or more Templates and click CheckIt. This will run a compliance check on all the selected user account Templates.

• Choose Console Tasks > CheckIt. Choose the server from the Servers tab and then user account Templates from the Policies tab, then click CheckIt.

• Schedule a regular compliance check. Go to Admin tasks > Manage Scheduled Jobs.

The first time a compliance check is run on this template all accounts will be in compliance.

If the template is out of compliance, then a new admin account has been discovered. Click on the template name and then the Compliance tab to determine the new admin account name. In the example below, the Show Compliant box has been unchecked to only show the non-compliant accounts. In this case, the markj account is out of compliance.

If you click on the user account name, you’ll see that the account is out of compliance because it’s New. Some organizations grant admin rights to individuals temporarily for a special project. Leaving the account out of compliance will serve as a reminder to remove the admin rights once the project is complete.

The ‘Allow new accounts’ policy attribute is not limited to finding new admin accounts. You can use the ‘Allow new accounts’ for other templates - perhaps to track new members of a particular group.

Example – Managing Inactive Accounts

Ensuring user accounts are unable to be used when they are no longer active is both a good security practice as well as required by many laws and regulations. Let’s see how you can automate this process:

Define the template

1. To get to the User account category, either click on the “U” category next to the desired server as shown below:

2. Or go to Servers and Policies > [server name] > User Accounts.

3. Click New.

4. Fill in the General tab – see below:

5. Click on the Selections tab, click on the drop down and choose Days Inactive.

6. Enter the number of days inactive you want to select on.

7. Click Add if you want to omit any accounts from being examined during the compliance check.

8. Click the Policies tab. In this example we’ve opened up the Login category so that we can specify what the values should be for the account_locked, login and rlogin attributes. These will be compared to the user account settings during a compliance check. Notice the “Enforce No Entry” field in the middle column. There are times when you want to force values to come from the user account global settings – for example, you typically want this to occur for the password attributes so that you can manage password composition rules on a global basis, rather than an individual basis. But in this case, we don’t want these settings to come from the global value. We actually want them to be set in the entry for the inactive user accounts.

9. Click Save.

Run a compliance check

When you run a compliance check on this template, any user account inactive 90 days or more will be examined. The account_locked attribute must be true and login and rlogin must be false. If any attributes do not match these rules, the user account will be identified as out of compliance.

To run a compliance check, do one of the following:

• Click the box next to the template name and then click CheckIt.

• Go to Console Tasks > CheckIt, choose the server. Note: This runs a compliance check against all templates in the User account category.

• Create a cron job to run the compliance check. Go to Admin tasks > Manage Scheduled Jobs (creating scheduled jobs is discussed later).

If the template is out of compliance (indicated in the Compliant column), click on the template name and then the Compliance tab to determine the accounts out of compliance. Click on the account name to see the details of why it’s out of compliance.
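An added example (not from the guide and not Policy Minder's own code) of the two behaviours described for /etc/security/user: a user-level entry overriding the global default, as in the minlen “No Entry Policy” discussion, and the inactive-account rule above where account_locked, login and rlogin must be set in the user's own entry. The stanza file is a constructed sample, the list of inactive users is assumed to be already known, and all function names are made up for illustration.

```python
# Constructed sample in the AIX /etc/security/user stanza layout
SAMPLE_SECURITY_USER = """\
* constructed sample, not taken from a real server
default:
        account_locked = false
        login = true
        rlogin = true
        minlen = 8

markj:
        admin = true
        minlen = 6

olduser:
        account_locked = true
        login = false

contractor:
        account_locked = true
        login = false
        rlogin = false
"""


def parse_stanzas(text):
    """Return {stanza_name: {attribute: value}}; lines starting with * are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def effective(stanzas, user, attr):
    """Value that applies to the user and where it came from.

    A user-level entry takes precedence over the default (global) stanza.
    """
    if attr in stanzas.get(user, {}):
        return stanzas[user][attr], "user"
    if attr in stanzas.get("default", {}):
        return stanzas["default"][attr], "default"
    return None, "unset"


def no_entry_violations(stanzas, attr):
    """Users carrying their own entry for attr when the policy says there is none."""
    return sorted(user for user, attrs in stanzas.items()
                  if user != "default" and attr in attrs)


def explicit_entry_violations(stanzas, users, required):
    """Users whose own stanza lacks a required value; inherited values do not count."""
    report = {}
    for user in users:
        own = stanzas.get(user, {})
        bad = {attr: own.get(attr)
               for attr, want in required.items() if own.get(attr) != want}
        if bad:
            report[user] = bad
    return report


# The rule stated for accounts inactive 90 days or more
INACTIVE_POLICY = {"account_locked": "true", "login": "false", "rlogin": "false"}

if __name__ == "__main__":
    stanzas = parse_stanzas(SAMPLE_SECURITY_USER)
    print(no_entry_violations(stanzas, "minlen"))
    print(effective(stanzas, "olduser", "rlogin"))
    # "olduser" and "contractor" stand in for the accounts selected as inactive
    print(explicit_entry_violations(stanzas, ["olduser", "contractor"], INACTIVE_POLICY))
```

In the sample, olduser has no rlogin entry of its own and therefore inherits rlogin = true from the default stanza, which is the case the explicit-entry check is there to catch.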

Run FixIt

FixIt changes the settings of the user account to match the policy (as defined by the template). To run FixIt, you must first enable it for this template. To enable FixIt, click on the template name then, on the General tab, check the Enable FixIt box. Once you have enabled FixIt, you can run it on the individual user account that is out of compliance or run it on the entire category by selecting the user or template and clicking the FixIt button.

Example – Checking for UID of 0

Making sure there are no other user accounts besides root with UID of 0 is a routine request of many auditors. Here’s how you’d configure that template:

Define the template

1. To get to the User account category, either click on the category next to the desired server.

2. Or go to Servers and Policies > [server name] > User Accounts.

3. Click New.

4. Fill in the General tab – see next example:

5. Click on the Selections tab and click Add.

6. Choose UID from the drop-down and specify 0 for the Comparison value.

7. Click Add again and omit User Logon Name root from being examined (we know that root should have UID of 0).

8. Click Save.

Run a compliance check

When you run a compliance check on this template, any user account that has a UID of 0 – with the exception of root – will be identified as being out of compliance.

To run a compliance check, do one of the following:

• Click next to the template name (under the Action column).

• Check the box next to the template name and then click CheckIt.

• Go to Console Tasks > CheckIt, choose the server.

Note: this runs a compliance check against all templates in the User account category.

• Create a cron job to run the compliance check. Go to Admin tasks > Manage Scheduled Jobs (creating scheduled jobs is discussed later).

If the template is out of compliance (indicated in the Compliant column), click on the template name and then the Compliance tab to determine the accounts out of compliance. (In this case, the accounts with UID of 0.)
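An added example (not from the guide and not Policy Minder's own code) of the selection this template makes: every account with UID 0 except the omitted name root. It goes one step further and also reports non-unique UIDs, which the guide lists as another selection criterion. The passwd content is a constructed sample and the function names are made up for illustration.

```python
from collections import defaultdict

# Constructed passwd(5) sample; only markj appears in the guide, the rest is made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:legacy admin:/root:/bin/sh
markj:x:1001:1001:Mark J:/home/markj:/bin/bash
svcbackup:x:1001:1002:backup service:/var/backup:/bin/sh
+::::::
broken-line-without-fields
"""


def parse_passwd(text):
    """Return (accounts, rejected); rejected keeps lines that could not be read.

    A line the check cannot read is reported rather than skipped, so a
    malformed or NIS-style entry is never silently counted as compliant.
    """
    accounts, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[0] or not fields[2].isdigit():
            rejected.append((lineno, line))
            continue
        accounts.append({"name": fields[0], "uid": int(fields[2]),
                         "shell": fields[6]})
    return accounts, rejected


def uid_zero_accounts(accounts, omit=("root",)):
    """Accounts with UID 0, leaving out the names the template omits."""
    return sorted(a["name"] for a in accounts
                  if a["uid"] == 0 and a["name"] not in omit)


def non_unique_uids(accounts):
    """Map each UID shared by more than one account to the account names."""
    by_uid = defaultdict(list)
    for account in accounts:
        by_uid[account["uid"]].append(account["name"])
    return {uid: names for uid, names in sorted(by_uid.items())
            if len(names) > 1}


def check_accounts(text):
    """Run both checks and summarise the result for one passwd file."""
    accounts, rejected = parse_passwd(text)
    result = {
        "uid_zero": uid_zero_accounts(accounts),
        "shared_uids": non_unique_uids(accounts),
        "unreadable_lines": rejected,
    }
    result["compliant"] = not any(result.values())
    return result


if __name__ == "__main__":
    for key, value in check_accounts(SAMPLE_PASSWD).items():
        print(key, value)
```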

Files

You can create templates to regularly check the permissions, ownership and other attributes of directories and files. You can also use templates to find new files that didn’t exist during the last compliance check - for example, a new executable with the SUID bit set. Or you can monitor a set of files for ownership or group changes. Use your imagination and there are some very powerful administration and compliance tasks that can be automated. Let’s take a look at some examples.

Example 1 – Finding all files with the SUID bit and Monitor Ownership

You may have an application or set of files configured to run with the permission of the owner (i.e., the SUID bit is on). If one of these files’ owner changes, you’d obviously want to know that so that the application doesn’t fail or users aren’t gaining more permissions than they need. Finding those files and then monitoring to make sure the ownership doesn’t change may be something you’ve always wanted to do but didn’t have the time to write the script or just didn’t have the resources to get it done. This is a very easy scenario for Policy Minder.

Defining the template

1. To get to the Files category, either click on the category next to the desired server as shown below:

2. Or go to Servers and Policies > [server name] > Files.

3. Click New.

4. Fill in the General tab – see next example:

5. On the General tab name the template, give it a description and then specify the path that is to be searched. The Notes section can provide more documentation about why the template is being implemented.

6. On the Selections tab, click Add, then click the drop-down under 'Select Using' and choose Attributes. For the SUID parameter, select Yes. Leave the others at Any Value.

7. On the Policies tab, open Monitor then check Owner.

8. Click Save.

Running a compliance check

When you run a compliance check on this template, it will include the files with the SUID bit set on. The first compliance check records the current owner. Subsequent compliance checks will examine the owner of these files and if the owner is different, the file will be out of compliance.

To run a compliance check, do one of the following:

• On the Manage Servers screen, click next to a server to open the server's Files policies.

• Click for the Template under the Action column. Or,

• Select one or more Templates and click CheckIt. This will run a compliance check on all the selected file Templates.

• Choose Console Tasks > CheckIt. Choose the server from the Servers tab and then File Templates from the Policies tab, then click CheckIt.

• Schedule a regular compliance check. Go to Admin tasks > Manage Scheduled Jobs.

If the template is out of compliance (indicated in the Compliant column), click on the template name and then the Compliance tab to determine the files that are out of compliance. Click on the file name to see the details of why it’s out of compliance.
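An added example (not from the guide and not Policy Minder's own code) of the baseline behaviour described in Example 1: the first run records the owner of every SUID file under a path, later runs report any owner that differs. It also reports SUID files that were not in the baseline, which the Files introduction mentions as another use. Storing the baseline as a JSON file and all function names are assumptions made for illustration.

```python
import json
import os
import stat


def suid_owner_snapshot(root):
    """Map every regular file under root that has the SUID bit set to its owner UID."""
    snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue                     # file vanished or is unreadable
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                snapshot[path] = st.st_uid
    return snapshot


def owner_drift(baseline, current):
    """Compare two snapshots; return (path, reason, baseline_uid, current_uid) tuples."""
    findings = []
    for path, uid in sorted(current.items()):
        if path not in baseline:
            findings.append((path, "new_suid_file", None, uid))
        elif baseline[path] != uid:
            findings.append((path, "owner_changed", baseline[path], uid))
    return findings


def check_suid_owners(root, baseline_path):
    """First call records the baseline and reports nothing; later calls report drift.

    Keep the baseline file outside the monitored tree and writable only by
    the account that runs the check, otherwise it can be edited to hide a change.
    """
    current = suid_owner_snapshot(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as handle:
            json.dump(current, handle, indent=2, sort_keys=True)
        return []
    with open(baseline_path) as handle:
        baseline = json.load(handle)
    return owner_drift(baseline, current)


if __name__ == "__main__":
    # /usr/bin and the baseline location are placeholders for your own paths
    for finding in check_suid_owners("/usr/bin", "suid_owner_baseline.json"):
        print(finding)
```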

Example 2 – Ensuring a Specific File is Secured Correctly

You may have an audit requirement to ensure a specific file(s) is secured appropriately. Perhaps it holds PCI or HR data or perhaps you want to make sure the directory containing payroll information is only accessible by the group processing payroll checks. Whatever the case, this is very easy to configure in Policy Minder.

Defining the template

1. To get to the Files category, either click on the category next to the desired server...

2. Or go to Servers and Policies > [server name] > Files.

3. Click New.

4. Fill in the General tab – see next example:

5. On the General tab:

• Name the template and give it a description.

• Type the path of the directory or file you want to work with in this template.

• Specify whether or not to Include Subdirectories. If this box is unchecked, only the items in that path will be examined and no subdirectories will be traversed.

• Use the Notes section to document the template. (These notes are displayed at the beginning of the print policy report.)

6. On the Selections tab, click Add for the files you want to include in the policy. With (for example) File selected under the drop-down menu, specify the files in the /PCI directory that you want examined. In the following screen, all files with the prefix of PCI will be examined on a compliance check with the exception of the file, PCI_test_data.

7. Click the Policies tab and specify the attributes that you want checked when a compliance check is run against this policy.

8. Click Save.

Running a compliance check

When you run a compliance check on this template the files will be checked to ensure the owner is PCI_OWN, the group is PCI_GROUP, the permissions are set to user RWX, group RWX, other --- and that the SUID, SGID and SVTX bits are not set. If any of these don’t match the current settings for these files, the file will be identified as out of compliance.
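The same policy can be cross-checked from a shell on the managed server. This is an added example, not Policy Minder code and not part of the original guide; the function name `audit_pci_files` and its output format are assumptions, and the PCI* selection with the PCI_test_data exclusion mirrors step 6 above.

```shell
#!/bin/sh
# Added example (not Policy Minder code): audit files against the Example 2
# policy: expected owner, expected group, rwxrwx---, no SUID/SGID/SVTX.

# audit_pci_files DIR OWNER GROUP
#   Selects DIR/PCI* except PCI_test_data (mirrors the Selections tab).
#   Prints "path: reason; reason;" for each non-compliant file.
#   Returns 1 if any selected file is out of policy, otherwise 0.
audit_pci_files() {
    a_dir=$1; a_owner=$2; a_group=$3; a_status=0
    for f in "$a_dir"/PCI*; do
        [ -f "$f" ] || continue                      # regular files only
        if [ "${f##*/}" = "PCI_test_data" ]; then continue; fi
        line=$(ls -ld "$f")
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        group=$(printf '%s\n' "$line" | awk '{print $4}')
        # Characters 2-10 are the nine permission letters; this drops the
        # file-type character and any trailing ACL or SELinux marker.
        perms=$(printf '%s\n' "$line" | cut -c2-10)
        why=""
        [ "$owner" = "$a_owner" ] || why="$why owner=$owner;"
        [ "$group" = "$a_group" ] || why="$why group=$group;"
        case $perms in ??[sS]*)      why="$why SUID set;" ;; esac
        case $perms in ?????[sS]*)   why="$why SGID set;" ;; esac
        case $perms in ????????[tT]) why="$why SVTX set;" ;; esac
        # Fold the special-bit letters back to plain x or - before comparing
        # the ordinary permission bits with the policy value.
        base=$(printf '%s' "$perms" | tr 'sStT' 'x-x-')
        [ "$base" = "rwxrwx---" ] || why="$why mode=$base;"
        if [ -n "$why" ]; then
            printf '%s:%s\n' "$f" "$why"
            a_status=1
        fi
    done
    return $a_status
}

# Stand-alone use: sh audit.sh /PCI PCI_OWN PCI_GROUP
if [ "$#" -eq 3 ]; then
    audit_pci_files "$@"
    exit $?
fi
```
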

To run a compliance check, do one of the following:

• On the Manage Servers screen, click next to a server to open the server's Daemon policies.

• Click for the file Template under the Action column. Or,

• Select one or more Templates and click CheckIt. This will run a compliance check on all the selected Templates.

• Choose Console Tasks > CheckIt. Choose the server from the Servers tab and then file Templates from the Policies tab, then click CheckIt.

• Schedule a regular compliance check. Go to Admin tasks > Manage Scheduled Jobs.

If the template is out of compliance (indicated by a in the Compliant column), click on the template name and then the Compliance tab to determine the files that are out of compliance. Click on the file name to see the details of why it’s out of compliance.

Running FixIt

FixIt changes the settings of the file to match the policy (as defined by the template.) To run FixIt, you must first enable it for this template. To enable FixIt, click on the template name then, on the General tab, check the Enable FixIt box, then click Save. Once you have enabled FixIt, you can run FixIt on the individual file that’s out of compliance or run it on the entire template by selecting either the file or template and clicking the FixIt button.

Scripts

The Scripts category makes it possible for you to upload scripts into the Policy Minder console and run them as part of your compliance checks. Running your existing scripts through the Policy Minder for AIX console allows administrators to consolidate scripts in a central location and keep track of the last time they were run as well as take advantage of Policy Minder’s reporting functions. The Scripts category shares the same features as other categories. The compliance status of each script run through Policy Minder is reflected in the console, included in Policy Minder reports and can be invoked through the integrated cron function.

The scripts run during a compliance check (CheckIt) are typically scripts written by administrators to view server configuration elements or the state of a server or element of a server, but in reality they can be any script you want to run and have the results reported through Policy Minder.

Defining a Script Policy

Defining a script policy is a two-step process.

Step 1: Before a script policy can be defined, the script(s) must be uploaded to the server on which the Policy Minder console is running. Do this by going to Admin Tasks > Scripts > Upload to upload the script from your desktop to a Windows console.

Or, when running an AIX or Linux console, you can place the scripts in the following directory (where Policy Minder was installed):

…/PowerTech/PolicyMinder/tomcat/webapps/policyminder/scripts

Once a script has been uploaded or placed directly into the scripts directory, it will appear as a selection for the CheckIt script and FixIt script when defining a Script Policy.

Step 2: Once a script has been uploaded to the console, you can define a Script Policy. Go to Servers and Policies > [server] > Scripts and click New to get started.

The Policy Value is what you see as a result of running the script. Specify the Data Type that is appropriate for this result.

Note: a valid result of running a script may be nothing or no value. In this case, leave the Policy Value field blank. When a compliance check is run on this script policy, the result of running the script will be compared against the value you specify in the Policy Value field. If they are equal the policy will be compliant. If they aren’t, the script policy will be out of compliance.

Data types may be String, Integer, Boolean and Date:

• String values can be literal or regular expressions.

• The syntax for regular expressions follows a standard and is documented in the dialog. The documentation can be viewed in a popup dialog by clicking on the icon.

• Integer values can be a specific value, a range, or a list of ranges and specific values. The syntax for integers is also documented in the popup dialog.

• A Boolean value is considered true if it matches (ignoring case) any of the values "true", "t", "yes", "y" or "on" or if the value can be parsed as a number and does not equal zero.

• Date values can be a specific date, a before date, an after date or a date range.

Click on the CheckIt Script drop down to choose the script.

If the script requires arguments to be passed in, specify those in the Arguments field.

Running a Compliance Check

When a compliance check (CheckIt) is run, the Policy Value is compared to the value returned by the script. If the value returned by the script (which is called the Server Value in the script policy) matches the Policy Value, the policy is compliant. If they don’t match, it’s out of compliance (non-compliant.)

Notes:

• The line returned by the script is compared to the policy value to determine compliance status.

• A valid result of running a script may be nothing or a blank result. When this is the case, the Policy Value field should be left empty (blank.)

• If multiple values are checked, they must be rolled up into a single line.

• A script may be given one or more arguments to be passed when invoked.

• When a script policy is run during the compliance check, the script is first transferred to the server using scp, run, then deleted from the server.

• See the Return Codes section for considerations when using return codes in your script.

Running FixIt

You can enable FixIt for a Script Policy. If you check the Enable FixIt box, the FixIt script line will appear and you will have to select the script to run when FixIt is run for this policy. When selecting the script for FixIt, you will not be prompted for a Policy Value since FixIt is intended to change the server configuration or state to a compliant value and there will likely be no results expected from running the FixIt script.

Return Codes

By convention, a return code of 0 from a script indicates success. Any non-zero numeric value is, by convention, used to indicate specific error conditions. On the Return Codes panel, values can be associated with strings that will be shown when a script is run and returns that code. The associated strings are also shown in Policy Minder reports. Only when a script returns a success code AND the returned value matches the policy value is a script policy considered compliant. A return code of 0 is pre-defined for both CheckIt and FixIt.
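A CheckIt-style script that follows the notes above: one output line, several values rolled up into it, an argument, and explicit return codes. This is an added example, not a script shipped with Policy Minder; the function names, the `key=value;` roll-up format, return codes 2 and 3, and the choice of sshd settings are assumptions, and `evaluate` only models the rule as this guide states it for a literal String policy value.

```shell
#!/bin/sh
# Added example (not shipped with Policy Minder).

# checkit_sshd FILE   (FILE would be supplied through the Arguments field)
# Prints exactly one line, e.g. "PermitRootLogin=no;PasswordAuthentication=no".
# Return codes (2 and 3 are this example's own choices, to be described on
# the Return Codes panel): 0 = values collected, 2 = file missing or
# unreadable, 3 = a setting was not found in the global section.
checkit_sshd() {
    conf=$1
    [ -r "$conf" ] || return 2
    line=$(awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" && root == "" { root = tolower($2) }
        tolower($1) == "passwordauthentication" && pass == "" { pass = tolower($2) }
        END {
            if (root == "" || pass == "") exit 3
            printf "PermitRootLogin=%s;PasswordAuthentication=%s\n", root, pass
        }' "$conf") || return $?
    printf '%s\n' "$line"
}

# evaluate RC SERVER_VALUE POLICY_VALUE
# Compliant only if the return code is 0 AND the returned line equals the
# policy value; anything else is non-compliant.
evaluate() {
    if [ "$1" -eq 0 ] && [ "$2" = "$3" ]; then
        echo compliant
    else
        echo non-compliant
    fi
}

# write_sample PATH: writes a constructed sshd_config fragment (sample data,
# not taken from a real server) for trying the functions offline.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sshd_config fragment
Port 22
PermitRootLogin no
passwordauthentication YES
Match User backup
    PasswordAuthentication no
EOF
}

# Stand-alone use: sh checkit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -ge 1 ]; then
    checkit_sshd "$1"
    exit $?
fi
```

With the constructed sample, the Server Value is `PermitRootLogin=no;PasswordAuthentication=yes`, so a Policy Value of `PermitRootLogin=no;PasswordAuthentication=no` yields non-compliant even though the return code is 0.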

Exporting and Importing Script Packages

You may want to utilize the same scripts on multiple Policy Minder consoles or those acquired elsewhere. In either case, you will need to use the Export / Import function of the Script category. This differs from the more general Export / Import policy function because this function imports both the script policy AND the scripts defined for the policy – we call this a script package.

To import a script package go to Admin Tasks > Scripts > Import Package.

Note: To import a script package, it must first be on the console.

• For an AIX console, place the package in the following directory:

…/PowerTech/PolicyMinder/tomcat/webapps/policyminder/exports

• For a Windows console, go to Admin Tasks > Scripts > Upload to upload it to the console.

Select the script package file to import and then select the servers to which the policy will be applied.

To export a script package, go to Admin Tasks > Script > Export Package.

FixIt

As noted in the previous sections, FixIt changes the settings on the server to match the policy. FixIt is very powerful and we encourage you to carefully review what is going to be fixed – that is, what is out of compliance – prior to running FixIt.

FixIt in Test Mode

Prior to running FixIt we encourage you to determine exactly what is going to be changed. You can do that in one of two ways:

• Examine the compliance reports to see what is out of compliance. The non-compliant items will be changed to match the policy settings.

• Take advantage of the Test mode parameter of FixIt. No changes will be made! Rather, the changes that would have been made are logged in the Policy Minder Message Log, but no values are actually changed. You can then review what changes would have been made had FixIt actually changed the values or settings. To enable / disable Test mode, go to Admin Tasks > Preferences > General. Check (or uncheck) FixIt Test mode.

Running FixIt

Several methods are available for running FixIt once it has been configured for a template or category and after a compliance check has been completed. (Don’t forget, a compliance check must be run before FixIt is run!)

1. Enable FixIt by going into the Properties for the category or individual item. Then click on FixIt.

2. Run FixIt while viewing the items in the category or go to Console Tasks > FixIt.

3. Schedule a cron job to run FixIt.

FixIt Restrictions

• Before running FixIt, you must first run a compliance check to identify the non-compliant items. (FixIt will only run against non-compliant items.)

• If you create a directory template that begins at the root (‘/’) directory FixIt will not run against this template. You can work with the objects in the template and run FixIt on an individual object in the template; however, FixIt will not work on the template as a whole. This restriction prevents running FixIt on the entire File System, which could be quite disruptive. You can create a template that starts with a directory lower than the root directory and run FixIt, but not on a template that starts with the root directory.

Scheduling Policy Minder Jobs

Policy Minder comes with its own, integrated scheduling function based on the traditional Unix cron functionality.

1. To schedule a job, choose Admin Tasks > Manage Scheduled Jobs.

2. To add a job, click New. On the General tab, specify the name and description along with the schedule of when the job is to run. Because the cron syntax is not at all obvious, we’ve provided some examples for you to use as is or modify to meet your specific requirements. Simply choose the schedule that most closely matches your requirement from the Cron Example drop down.

Two other sources of help are available. Clicking on the information icon will go to another website that explains cron functions. The builder icon is a website that helps you build the cron expression yourself.

On the Servers tab, choose one or more servers where the job is to run.

On the Tasks tab, specify the task(s) you wish to schedule.

Backing Up Policy Minder

We recommend that you back up the following:

Tomcat/webapps/policyminder/exports

Tomcat/webapps/policyminder/logs

Tomcat/webapps/policyminder/reports

Tomcat/webapps/policyminder/scripts

Tomcat/webapps/policyminder/WEB-INF/db

Tomcat/webapps/policyminder/WEB-INF/keys

Removing Policy Minder from your Servers

Removing Policy Minder from Servers:

To remove Policy Minder from a server, simply delete the server from the console. This removes Policy Minder from the server as well as deletes the data from the console associated with the server and frees its license so it can be used for another server.

Removing Policy Minder from the Console:

On Windows, go to Start > All Programs > PowerTech > Policy Minder and run the following (in this order):

1. Stop Policy Minder

2. Uninstall PowerTech Policy Minder

Notes:

• Make sure that the directory where Policy Minder was installed has been deleted and delete it if it remains on the computer.

• You will have to restart the computer to complete the uninstall.

On AIX or Linux, navigate to where Policy Minder was installed and run the stoppm.sh script then execute the Uninstall file. You may need to delete the last Installation file (used to install or upgrade) if you have not already done so.

Note: All user data, including all policies, templates, server definitions and logs are removed during the uninstall process.
