
Tivoli® Security Compliance Manager

Fix Pack 5.1.0-TIV-SCM-FP0009 Release Notes

Version 5.1 — Fix Pack 5.1.0-TIV-SCM-FP0009 — December 17, 2004

GI11-4617-00

Note

Before using this information and the product it supports, read the information in “Notices,” on page 65.

First Edition (December 2004)

This edition applies to fix pack 5.1.0-TIV-SCM-FP0009 of version 5, release 1, modification 0 of IBM Tivoli Security Compliance Manager (product number 5724-F82) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2004. All rights reserved.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. Fix pack 5.1.0-TIV-SCM-FP0009 overview

Chapter 2. Novell NetWare client component support
Before you install
Installing the client component on a NetWare system
Changing the password used by the client
Uninstalling the client component on a NetWare system
jacclient command (NetWare systems)

Chapter 3. Administration console changes
Administration console supported on Linux systems
Preference changes
Client page changes
Client types
Collectors page changes
Users/Roles page changes
Creating a user
Setting the password for a user
Modifying user information
Viewing the audit log for a user
Viewing assigned user groups
Viewing the roles assigned to a user
Removing a user
Creating a user group
Changing the description of a user group
Changing the name of a user group
Adding a user to a user group
Adding a user to multiple user groups
Assigning roles to a user group
Removing a user from a user group
Removing a user from multiple user groups
Removing roles from a user group
Removing a user group
Creating a role
Changing the description of a role
Changing the type of a role
Renaming a role
Adding permissions to a role
Viewing permissions granted to a role
Adding resources to a role
Inheriting permissions from a template
Disinheriting permissions from a template
Removing permissions from a role
Removing resources from a role
Removing a role
Policies page changes
Structure of both system and data tables viewable

Chapter 4. Command changes
Handling of special characters in options
Environment variables
scmadduser command
scmaddusergroup command
scmaddusergrouprole command
scmcreatesnapshot command
scmlistavailableroles command
scmlistgroupclients command
scmlistgrouppolicies command
scmlistusergroups command
scmregisterclient command
scmremoveuser command
scmremoveusergroup command
scmremoveusergrouprole command
scmresetclient command
scmrunpolicycollectors command
scmsetuserinfo command
scmsuspendclient command

Chapter 5. Documentation updates
Supported operating systems
Uninstalling components
Obtaining IBM HTTP Server Version 1.x
Updating clients from server
Column data types
Collector documentation updates
aix.any.SecPasswdV1.jar
unix.any.AnonFtpPasswdV1.jar
unix.any.FileSearchV1.jar
unix.any.UsersV1.jar
unix.multi.NddV1.jar
unix.multi.ShadowV1.jar
win.any.NavV1.jar
win.any.SnmpActiveV1.jar

Chapter 6. Troubleshooting

Appendix. Notices
Additional notices
Notice for Apache Software Foundation
Trademarks

Chapter 1. Fix pack 5.1.0-TIV-SCM-FP0009 overview

Fix pack 5.1.0-TIV-SCM-FP0009 for IBM® Tivoli® Security Compliance Manager Version 5.1 provides numerous enhancements.

The Novell NetWare operating system has been added as a supported platform for the client component of Tivoli Security Compliance Manager. Collectors supporting NetWare systems are available on the Tivoli Security Compliance Manager Utilities Web page at:

http://www.ibm.com/support/docview.wss?uid=swg24007082

The administration console is now supported on some Linux™ systems. In addition, many enhancements have been made to the administration console to permit operations to be performed on multiple collectors at a time, and to provide the ability to run all the collectors associated with a policy on a client or client group. A snapshot can be created for a single client or client group as well.

Users and user groups can now be managed using new administration commands. An enhanced Users/Roles page is available in the administration console that permits actions to be taken on multiple objects at a time, and permits you to view the user groups and roles associated with a particular user.

The data collection activity on a client or client group can be suspended using the new scmsuspendclient command. Clients that are suspended are shown in the administration console with different icons. The scmsuspendclient command is also used to resume data collection.

A new environment variable, SCMRMI_TIMEOUT, is provided to adjust the amount of time that administration commands wait for a response from the server.

Additional information has been added describing the handling of special characters, such as an ampersand (&) or forward slash (/), in command options.

A new environment variable, SCMCLI_ERRORLOG, is provided to specify the name of a file to contain error messages produced by the administration commands. In addition, all administration commands now support an -errorlog option.

Support for managing the client component of Tivoli Security Compliance Manager using IBM Tivoli License Manager has been added. Refer to the Tivoli License Manager documentation for information on license management.

Chapter 2. Novell NetWare client component support

Novell NetWare has been added as a supported platform for the client component.

The client component is supported on Novell NetWare versions 5.1, 6.0, and 6.5.

Before you install

Before installing the client on a NetWare system, you must install a suitable JRE and copy the installation files to the system.

Java™ runtime environment required

Before installing the client component on a NetWare system, you must install a suitable Java runtime environment (JRE). Install the Novell JVM 1.3.1 on the NetWare system before installing Tivoli Security Compliance Manager.

NJCLv2 required

Tivoli Security Compliance Manager uses the NJCL Java classes to authenticate the client with NDS. However, only NJCLv2 is supported; NJCL is not supported.

To configure the Novell JVM to use NJCLv2 instead of NJCL, do the following.

1. Locate the NJCLv2 files in the SYS:\JAVA\NJCLV2 directory.
2. Copy the files in the SYS:\JAVA\NJCLV2\LIB directory to the SYS:\JAVA\LIB directory.
3. Copy the files in the SYS:\JAVA\NJCLV2\BIN directory to the SYS:\JAVA\BIN directory.
4. Make a backup copy of the Java.CFG file.
5. Edit the Java.CFG file and change the NJCL entry from njcl.jar to njclv2.jar.

TCP/IP required

Tivoli Security Compliance Manager uses the TCP/IP protocol for its network communications. Ensure that the NetWare systems have TCP/IP installed and configured.

Files required for installation

The installation wizard for NetWare is packaged with fix pack 5.1.0-TIV-SCM-FP0009, or later, and consists of two files:

    scmNWclient_win32.exe
    scmNWclient.jar

Copy both files to the NetWare system where the client is to be installed.

Installing the client component on a NetWare system

The client component is installed using the InstallShield MultiPlatform wizard provided.

Before installing the client, ensure that the Novell JVM 1.3.1 has been installed, that the JVM has been configured to use NJCLv2, and that the NetWare installation wizard files have been made available on the NetWare system.

The installation wizard is a Microsoft® Windows® application that you run on the Windows system. The wizard must have access to the NetWare file system in order to update system files and install the client component software. A Java runtime environment (JRE) for Windows is installed with the client component to enable the uninstallation program, as well as the problem determination tools, to run on Windows. This JVM cannot be used under NetWare.

The installation panels are very similar to the ones shown in the IBM Tivoli Security Compliance Manager Installation Guide: Client Component and IBM Tivoli Security Compliance Manager Installation Guide: All Components documents and are not reproduced in this document. The panels are displayed in the same sequence; however, several additional panels are added to permit the gathering of NetWare-specific information.

If you are not familiar with installing the client component of Tivoli Security Compliance Manager, read the information in the IBM Tivoli Security Compliance Manager Installation Guide: Client Component document before proceeding.

1. Log in to Microsoft Windows with a user that is a member of the Administrators group.
2. Go to the directory where the files for the NetWare installation wizard are located.
3. Start the installation wizard.

    scmNWclient_win32.exe

4. Select the desired language from the language selection panel and click OK.
5. Read the information displayed in the Welcome panel and then click Next to continue.
6. Read the license agreement and after agreeing to the conditions, click Next to continue.
7. Specify the location where the Tivoli Security Compliance Manager files are to be installed on the NetWare system. Specify the directory using the Windows drive that is mapped to the NetWare volume along with the desired directory path. For example, if you want to install the files in the \IBM\NW\SCM directory on the SYS:\PUBLIC NetWare volume, then map a Windows drive (such as S:) to the SYS: volume and specify the installation location as S:\PUBLIC\IBM\NW\SCM.
8. A new NetWare volume information panel is displayed. In the NetWare volume and path mapped by the S: drive field, specify the NetWare volume name and path associated with the installation location specified in the previous window, such as SYS:\PUBLIC. In the Location of autoexec.ncf file field, specify the fully qualified directory path and file name for the autoexec.ncf using the mapped Windows drive. For example, specify s:\system\autoexec.ncf where S: is the Windows drive mapped to the desired NetWare volume. Click Next to continue.
9. A new NetWare Configuration panel is displayed. In the User context field, enter the Novell user context that the client and the collectors are to run with. In the Password field, enter the password associated with the user context specified. In the Location of the Novell Java classes field, verify that the location for the NJCLv2 classes is correct. Typically, the classes are located in the sys:\java\njclv2\lib\njclv2.jar file. Click Next to continue.
10. Complete the installation by following steps 8 through 12 in the “Installing the Tivoli Security Compliance Manager client” chapter of the installation document. This information is in Chapter 2 of the IBM Tivoli Security Compliance Manager Installation Guide: Client Component book, and in Chapter 3 of the IBM Tivoli Security Compliance Manager Installation Guide: All Components book.

The installation program adds an entry to the autoexec.ncf file to start the Tivoli Security Compliance Manager client each time the NetWare server is started. To start the client immediately after the installation is complete, use the following command on the NetWare server console:

    NetWare_Install_Dir\client\jacclient start

Changing the password used by the client

Whenever the password associated with the user context used by the client component is changed, you must modify the client.pref file to specify the new password.

To change the password used by the client component to authenticate with NDS, do the following.

1. Make a backup copy of the client.pref file located in the installation directory in the client subdirectory.
2. Edit the client.pref file and locate the [netware user password] stanza.
3. Specify the new password as the value for the user_password key in that stanza.
4. Save your changes.
5. Restart the client component.

    NetWare_Install_Dir\client\jacclient restart

When the client component starts, the password is read, obfuscated (if it is in plain text), and then written back to the file in obfuscated form.
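Steps 1 through 4 of the procedure above as a script, together with a check to run after the restart that the stored value is no longer the plain-text password. This is an added example, not IBM code: the "key = value" line syntax, the other stanza names in the constructed sample, and the .bak and .tmp file names are assumptions, since the page gives only the stanza and key names.

```python
"""Rotate the NDS password in client.pref (added example, not IBM code)."""
import os
import re
import shutil

STANZA = "netware user password"  # stanza name given in the procedure
KEY = "user_password"             # key name given in the procedure

# Assumed syntax: "[stanza]" header lines followed by "key = value" lines.
_STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^(?P<lead>\s*)(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<val>.*)$")

# Constructed sample; only the stanza and key names come from the page.
SAMPLE = (
    "[client]\r\n"
    "alias = nw01\r\n"
    "[netware user password]\r\n"
    "user_password = 0ldObfuscatedValue\r\n"
    "[other]\r\n"
    "user_password = untouched\r\n"
)


def get_stanza_key(text, stanza=STANZA, key=KEY):
    """Return the value of key inside [stanza], or None if it is absent."""
    stanza, current = stanza.lower(), None
    for line in text.splitlines():
        m = _STANZA_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
        elif current == stanza:
            k = _KEY_RE.match(line)
            if k and k.group("key").strip() == key:
                return k.group("val").strip()
    return None


def set_stanza_key(text, value, stanza=STANZA, key=KEY):
    """Return text with key set to value inside [stanza] only.

    Every other line, including same-named keys in other stanzas, is kept
    as it was, and the file's line-ending style is preserved.
    """
    stanza = stanza.lower()
    eol = "\r\n" if "\r\n" in text else "\n"
    out, current, done, seen = [], None, False, False
    for line in text.splitlines():
        m = _STANZA_RE.match(line)
        if m:
            if current == stanza and not done:
                # Leaving the target stanza without finding the key: add it.
                out.append(f"{key} = {value}")
                done = True
            current = m.group("name").strip().lower()
            seen = seen or current == stanza
        elif current == stanza and not done:
            k = _KEY_RE.match(line)
            if k and k.group("key").strip() == key:
                line = f"{k.group('lead')}{key} = {value}"
                done = True
        out.append(line)
    if not seen:
        raise ValueError(f"[{stanza}] stanza not found")
    if not done:
        out.append(f"{key} = {value}")
    return eol.join(out) + eol


def update_client_pref(path, new_password):
    """Back up client.pref, set the new password, save. Returns the backup path."""
    backup = path + ".bak"
    shutil.copy2(path, backup)  # step 1; the backup still holds the old value
    # latin-1 round-trips any byte, newline="" keeps the line endings as found
    with open(path, newline="", encoding="latin-1") as fh:
        text = fh.read()
    tmp = path + ".tmp"
    with open(tmp, "w", newline="", encoding="latin-1") as fh:
        fh.write(set_stanza_key(text, new_password))  # steps 2 and 3
    os.replace(tmp, path)  # step 4: swap the edited file into place
    return backup


def password_still_plaintext(path, new_password):
    """True if the stored value still equals the plain-text password.

    Run this after the client restart: the obfuscated form is not documented
    on the page, so the only safe test is "the value is no longer what we wrote".
    """
    with open(path, newline="", encoding="latin-1") as fh:
        return get_stanza_key(fh.read()) == new_password
```

Call update_client_pref, restart the client with jacclient restart, then call password_still_plaintext; a True result means the client has not yet rewritten the file and the password is still readable on the NetWare volume.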

Uninstalling the client component on a NetWare system

The client component is uninstalled in the same manner as other components. However, the client component must be explicitly stopped and there is an additional panel to complete in the uninstallation wizard.

The client component must be explicitly stopped on a NetWare system before uninstalling the component. To stop the component:

    NetWare_Install_Dir\client\jacclient stop

After stopping the client component, you use the uninstallation program to remove the client component. The uninstallation wizard is a Microsoft Windows application that you run on the Windows system. The wizard must have access to the NetWare file system in order to update system files and remove the client component software.

The uninstallation panels are very similar to the ones shown in the IBM Tivoli Security Compliance Manager Installation Guide: Client Component and IBM Tivoli Security Compliance Manager Installation Guide: All Components documents and are not reproduced in this document. The panels are displayed in the same sequence; however, one additional panel is displayed to obtain NetWare-specific information.

If you are not familiar with uninstalling the client component of Tivoli Security Compliance Manager, read the information in the IBM Tivoli Security Compliance Manager Installation Guide: Client Component document before proceeding.

After step 6 of the procedure described in the “Uninstalling Tivoli Security Compliance Manager” chapter of either the IBM Tivoli Security Compliance Manager Installation Guide: Client Component or IBM Tivoli Security Compliance Manager Installation Guide: All Components document, a new NetWare panel is displayed. In the Location of autoexec.ncf file field, specify the fully qualified directory and file name for the autoexec.ncf file using the mapped Windows drive. For example, specify s:\system\autoexec.ncf where S: is the Windows drive mapped to the desired NetWare volume. Click Next to continue.

Continue the uninstallation with step 7 in either the IBM Tivoli Security Compliance Manager Installation Guide: Client Component or IBM Tivoli Security Compliance Manager Installation Guide: All Components document.

jacclient command (NetWare systems)

Controls the client component on a NetWare system.

Syntax

    jacclient { start [password] | stop | restart [password] | status | version }

Options

start [password]
    Starts the client component. The password stored in the client.pref file is used unless the optional password value is specified.

stop
    Stops the client component.

restart [password]
    Stops and then starts the client component. The password stored in the client.pref file is used to start the client component unless the optional password value is specified.

status
    Displays the runtime status of the client component.

version
    Displays the version of the client component.

Authorization

admin user

Location

Client installation directory.

Usage notes

Enter the command without arguments to display syntax information.

If the NDS authentication fails, the client component logs an error but continues running. Collectors that do not require NDS authentication run as expected; collectors requiring NDS authentication will fail.

Note: UNIX® and Linux systems use a similar jacclient command.

Examples

Start the client with the specified password:

    NetWare_Install_Dir\client\jacclient start new45pwd

Stop the client:

    NetWare_Install_Dir\client\jacclient stop

Restart the client using the password stored in the client.pref file:

    NetWare_Install_Dir\client\jacclient restart

Display the status of the client:

    NetWare_Install_Dir\client\jacclient status

Display the version number of the client:

    NetWare_Install_Dir\client\jacclient version

Chapter 3. Administration console changes

A number of enhancements have been made to the administration console.

Administration console supported on Linux systems

The administration console is now supported on selected Linux systems.

To run the administration console on a Linux system, do the following.

1. Install the administration utilities component of Tivoli Security Compliance Manager on the desired Linux system.
2. From a command shell, go to the directory where the administration utilities are installed. By default, this is the /opt/IBM/SCM/admin directory.
3. Run the jacgui command.

Related information

“Supported operating systems” on page 49
    The list of supported operating systems in IBM Tivoli Security Compliance Manager Installation Guide has been updated.

Preference changes

A new preference setting is provided to enable the enhanced Users/Roles page in the administration console.

To enable the enhanced Users/Roles page, do the following.

1. Click File → Preferences in the administration console to open the Preferences page.
2. Click Use enhanced users and groups interface.
3. Click Save to save your changes.

Related information

“Users/Roles page changes” on page 11
    Additional functions are available on the Users/Roles page.

Client page changes

Additional functions are now available on the Clients page.

Multiple collectors are now added with the same schedule

Multiple collectors added to a client or client group at the same time are now set with the same schedule. Previously, when multiple collectors were added using either the Clients → Collector → Add collector menu option or the pop-up menu, you were prompted to set an individual schedule for each collector.

If needed, you can modify the schedule for each collector instance individually later using the Edit collector schedule option from the pop-up menu.

Multiple collector schedules can be modified simultaneously

The Edit collector schedule option from the pop-up menu can now be used when multiple collector instances are selected. This action results in the same schedule being set for all of the selected collectors.

At least one collector instance selected must have a schedule that can be modified in order for the Edit collector schedule option to be enabled. If a collector instance was added to a client group, the schedule can be modified only for the client group, not for each individual client. If multiple collector instances are selected, but not all of them can be modified, a window is displayed to indicate which instances can be changed.

Collected data is immediately available after collectors are manually run

After one or more collectors are run using the Run collector option, the data collected is immediately sent to the server and stored in the database.

You no longer need to wait for the next client/server heartbeat or use the Actions → Soft reset request option to cause the collected data to be sent to the server and stored in the database.

Policy-related changes

Two new options have been added to the Policies drop-down menu.

After selecting a client or client group in the left pane, right-click a policy. The new Run policy collectors option causes all the collectors associated with the policy to be run on the selected client or client group. The data collected is immediately sent to the server and stored in the database.

Similarly, the new Create Snapshot option creates a policy snapshot for the selected client or client group. Previously, snapshot creation could be done only from the Policies page, and only for a client group, not a specific client.

Client connection checking enhanced

The Actions → Check client connection option can now be used on clients that are shown as inactive. The connection checking has been enhanced to verify not only that the server can contact the client, but also that the client can contact the server.

Icon changes when client is suspended

When data collection on a client is suspended using the scmsuspendclient command, the icon changes to indicate that the client is suspended. The icon returns to normal when data collection is resumed.

Client types

Clients are of one of three types. The icon preceding the alias of the client indicates the type of the client. When the data collection on a client is suspended, the icon changes. The client types and their associated icons are described in Table 1 on page 11.

Table 1. Client types

Client type | Icon | Icon when suspended | Description
push client | [icon] | [icon] | A client that permits communication with the server to be initiated by either the client or the server.
pull client | [icon] | [icon] | A client that permits communication with the server to be initiated by only the server.
DHCP push client | [icon] | [icon] | A client that has a dynamic IP address that permits communication with the server to be initiated by either the client or the server. Use this option for systems using DHCP, or for systems that frequently change their host name or IP address.

Collectors page changes

Additional functions are now available on the Collectors page.

Setting default collector schedules

You can set a default schedule for a registered collector by double-clicking the graphical representation of the schedule in the right pane. A new option has been added so that you also can right-click a collector in the left pane and click Set default schedule.

A default schedule for multiple collectors can be set by selecting one or more of them, or by selecting a folder containing them, right-clicking, and then clicking Set default schedules. An attempt to set a schedule for a collector that is not registered results in an error being displayed. Otherwise, you are prompted to confirm the collectors to be changed.

Users/Roles page changes

Additional functions are available on the Users/Roles page.

Menu changes

The following menu options have been changed to use consistent terminology:

- Manage actions is now Manage permissions
- Manage objects is now Manage resources

Enhanced Users/Groups page added

The Users/Groups page has been enhanced to provide a view with separate panes for Users and User Groups. Use the Preferences window to enable the enhanced Users/Roles page. See “Preference changes” on page 9 for details.

The descriptions for the tasks related to users, user groups, and roles that are affected by this change have been updated and included in this document.

Creating a user

To create a user:

1. Click the Users/Roles tab on the administration console.

2. Click the Users tab.

3. Click Create User.

4. Enter a user name in the User ID field. User names are not case sensitive.

5. Optional: Enter information in the other fields:

Full Name

Name of the user.

Employee Information

Information associated with the user.

Telephone Number

The telephone number of the user.

E-mail address

The e-mail address of the user.

6. Click OK to create the user.

After creating the user, you must:

• Set the password for the user. The user cannot log in without a password.

• Add the user to a user group. Adding the user to a user group with one or more

roles assigned gives the user the ability to perform one or more functions in the

administration console.

Related information

“Setting the password for a user”

“Adding a user to a user group” on page 14

“Adding a user to multiple user groups” on page 15

Setting the password for a user

To set a user’s password:

1. Click the Users/Roles tab on the administration console.

2. Click the Users tab.

3. Select the user name in the Users pane.

4. Click the Set password button in the User Information pane.

5. Enter the new password in both fields.

6. Click OK.

To change your own password, click File → Change Password from the menu bar.

No special permission is needed to change your own password.

Modifying user information

To modify the information associated with a user:

1. Click the Users/Roles tab on the administration console.

2. Click the Users tab.

3. Select the user to modify.

4. Click the User Information tab.

5. Modify the desired information in one or more fields:

Full Name

Name of the user.

Employee Information

Information associated with the user.

Telephone Number

The telephone number of the user.

E-mail

The e-mail address of the user.

Comments

Additional information about the user.

6. Click Save.

Viewing the audit log for a user

To display the audit log for a user:

1. Click the Users/Roles tab on the administration console.

2. Click the Users tab.

3. Select the desired user name.

4. Click the Show Audit Log button in the User Information pane. The audit log

is displayed in a separate window. Each entry consists of a time stamp and the

message logged to the server.

5. Click the Past week drop-down box to select a different range of time.

6. Click Close to close the window.

Viewing assigned user groups

To display the user groups that a user is a member of:

1. Click the Users/Roles tab on the administration console.

2. Click the Users tab.

3. Select the desired user name.

4. Click the User Groups tab.

The user groups associated with the user are displayed.

Viewing the roles assigned to a user

To display the roles assigned to a user:

1. Click the Users/Roles tab on the administration console.

2. Click the Users tab.

3. Select the desired user name.

4. Click the Roles tab. The roles associated with the user are displayed.

5. Optional: Right-click the name of a role and click Show role to view the

definition of the role, including the assigned resources and the permissions

granted.

Removing a user

To remove a user:

1. Click the Users/Roles tab on the administration console.

2. Click the Users tab.

3. Right-click the user name in the Users list.

4. Select Remove user from the menu.

5. Click Yes in the Remove User dialog box to confirm the action.

Creating a user group

To create a user group:

1. Click the Users/Roles tab on the administration console.

2. Click the User Groups tab.

3. Click Create User Group.

4. Specify a name for the user group and click OK.

5. Optional: In the Group Information pane, enter a description for the user

group and click Save.

6. Click the Roles tab.

7. Assign roles to the user group by selecting one or more roles in the Available

Roles pane.

8. Click the double arrow button (<<) to move the role to the Assigned Roles

pane. Changes to the assigned roles occur immediately.

Changing the description of a user group

To change the description of a user group:

1. Click the Users/Roles tab on the administration console.

2. Click the User Groups tab.

3. Select the user group to be modified.

4. Click the Group Information tab.

5. Change the text in the Description pane.

6. Click Save to save the change.

Changing the name of a user group

To change the name of a user group:

1. Click the Users/Roles tab on the administration console.

2. Click the User Groups tab.

3. Right-click the user group to be renamed and click Rename User Group.

4. Enter the new name for the user group and then click OK.

Adding a user to a user group

A user must be added to a user group in order to be granted any type of access. To

add a user to a user group:

1. Click the Users/Roles tab on the administration console.

2. Click the User Groups tab.

3. Select the user group where you want to add a user.

4. Click the Users tab in the adjacent pane.

5. Click Add Users To User Group.

6. Select one or more users to add. Click OK.

Adding a user to multiple user groups

To add a user to multiple user groups at the same time:

1. Click the Users/Roles tab on the administration console.

2. Click the Users tab.

3. Select the user that you want to add to one or more user groups.

4. Click the User Groups tab in the adjacent pane.

5. Click Add User To User Groups.

6. Select one or more user groups. Click OK to add the user to the selected user

groups.

Assigning roles to a user group

To assign one or more roles to a user group:

1. Click the Users/Roles tab on the administration console.

2. Click the User Groups tab.

3. Select the user group to be modified.

4. Click the Roles tab in the adjacent pane.

5. Select one or more roles to be added to the user group from the Available

Roles pane.

6. Click the double arrow button (<<), located between the Assigned Roles and

Available Roles panes, to move the selected roles to the Assigned Roles pane.

Removing a user from a user group

To remove a user from a user group:

1. Click the Users/Roles tab on the administration console.

2. Click the User Groups tab.

3. Select the desired user group.

4. Click the Users tab in the adjacent pane.

5. Select one or more users to remove.

6. Right-click on a selected user and click Remove Users From User Group. The

selected users are immediately removed from the user group.

Removing a user from multiple user groups

To remove a user from one or more user groups:

1. Click the Users/Roles tab on the administration console.

2. Click the Users tab.

3. Select the desired user.

4. Click the User Groups tab in the adjacent pane.

5. Select one or more user groups to remove.

6. Right-click on a selected group and click Remove User from User Group. The

selected user is immediately removed from the selected user groups.

Removing roles from a user group

To remove one or more roles from a user group:

1. Click the Users/Roles tab on the administration console.

2. Click the User Groups tab.

3. Select the user group to be modified.

4. Click the Roles tab in the adjacent pane.

5. Select one or more roles to be removed from the user group from the Assigned

Roles pane.

6. Click the double arrow button (>>), located between the Assigned Roles and

Available Roles panes, to remove the selected roles from the user group. The

roles are now shown in the Available Roles pane.

Removing a user group

To remove a user group:

1. Click the Users/Roles tab on the administration console.

2. Click the User Groups tab.

3. Right-click the user group to be removed and click Remove User Group.

4. Click Yes to remove the user group.

Creating a role

To create a role:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Click Create Role.

4. Enter the name of the role.

5. Click OK.

Changing the description of a role

To change the description of a role:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Click the role to be changed in the Roles pane.

4. Change the description for the role.

5. Click Save Role Information to save the change.

Changing the type of a role

To change the type of a role:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Click the role to be changed in the Roles pane.

4. Change the type of the role.

5. Click Save Role Information to save the change.

Renaming a role

To rename a role:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Right-click the role that is to be renamed and click Rename Role.

4. Enter the new name of the role.

5. Click OK.

Adding permissions to a role

To add permissions to a role:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Select the role to be changed in the Roles pane.

4. Click the resource category tab in the Role Definition pane for the permission

to be added. If the desired resource tab is not displayed, click Add Resource

Tabs to add it.

5. Mark the check boxes for the permissions to be granted.

6. Repeat steps 4 and 5 to grant permissions in other resource categories.

7. Click Save Role Information to save the changes.

Viewing permissions granted to a role

To view the permissions granted to a role:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Select the role to be displayed in the Roles pane.

4. Click each of the displayed resource category tabs in the Role Definition pane

to view the permissions granted for each resource category. For a normal role,

the resources for which the permission is granted are displayed also.

Adding resources to a role

To add resources to a normal type role:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Select the role to be changed in the Roles list view.

4. Select the resource category tab associated with the resource to be added.

5. Click Add Resources. The Add Resources button is enabled only for normal

roles. Global and template roles cannot have roles associated with them.

6. Select one or more resources to add.

7. Click OK.

8. Click Save Role Information to save the changes.

Inheriting permissions from a template

To have a role inherit permissions from a template:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Right-click the role in the Roles pane that is to inherit from a template and

select Inherit permissions from template.

4. Select the template to inherit the permissions from and click OK.

5. Click Save Role Information to save the changes. Changing the roles in a

template automatically changes the roles that have inherited permissions from

the template.

Disinheriting permissions from a template

To remove from a role all of the permissions that are currently inherited from a

template:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Right-click the role in the Roles pane from which you want to disinherit a

template and select Disinherit template.

4. Click Yes in the Disinherit Template dialog box.

5. Click Save Role Information to save the changes.

Removing permissions from a role

To remove permissions from a role:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Select the role to be changed in the Roles pane.

4. Click the resource category tab in the Role Definition pane for the permission

to be removed.

5. Clear the check boxes for the permissions to be removed from the role.

6. Repeat steps 4 and 5 to remove permissions in other resource categories.

7. Click Save Role Information to save the changes.

Removing resources from a role

To remove objects from a role:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Select the role to be changed in the Roles list view.

4. Select the resource category tab associated with the resource to be removed.

5. Locate the resource to be removed. Right-click the resource and click Remove

Resource.

6. Click Save Role Information to save the changes.

Removing a role

To remove a role:

1. Click the Users/Roles tab on the administration console.

2. Click the Roles tab.

3. Right-click the role to be removed and then click Remove Role.

4. Click Yes to remove the role.

Policies page changes

Additional functions are now available on the Policies page.

Schedules of multiple collector instances can be changed simultaneously

Both the Collector and Compliance views of the Policies page have been changed

to permit the schedules of multiple collector instances to be changed at the same

time. Previously, you had to change the schedule for each collector instance

individually.

To change the schedule of multiple collector instances, do the following.

1. Click the Policies tab on the administration console.

2. If the desired policy is not displayed in the Policies pane, double-click the

Policies folder.

3. Select the policy.

4. Click the Collectors tab in the adjacent pane to switch to the Collectors view.

5. Select one or more collector instances.

6. Set the schedule.

7. Click OK.

8. Click Save Collector List to save the changes.

You can modify the schedule for each collector instance individually later, if

needed.

New informational severity for violations

A new severity level for compliance query violations, called Informational, has

been added. Informational violations, displayed using blue text, do not count

toward the violation count of a snapshot. If other compliance queries indicate a

Low (orange), Normal (red), or High (bold red) severity violation, those violations

are counted toward the violation count of the snapshot. Violations can still be

suppressed (yellow) based on specific conditions.

The Informational violation is intended for those administrators that want to

provide compliance queries that indicate that clients are in compliance with, rather

than in violation of, a specific condition within a policy.

Structure of both system and data tables viewable

The database table structure for both data tables and system tables can now be

directly viewed.

New Browse system tables option added

A new option has been added to the Tools menu of the administration console to

display the structure of the database tables used by Tivoli Security Compliance

Manager to manage its data collection.

Click Tools → Browse system tables to view the structure of the system database

tables.

Browse tables option changed to Browse data tables

The Browse tables option has been renamed Browse data tables to

differentiate the existing option from the new Browse system tables option.

To view the structure of the database tables that store the compliance data

gathered by the collectors, click Tools → Browse data tables.

Chapter 4. Command changes

Changes have been made to existing commands and new commands have been

added.

Timeout value increased and customizable

The amount of time that the administration console and the administration

commands wait for a response from the server has increased from 5 minutes to 30

minutes. A new environment variable, SCMRMI_TIMEOUT, is provided to

customize the value.

New -errorlog option provided on all commands

All existing and new administration commands have been updated to support a

new –errorlog command option. In addition, a new environment variable,

SCMCLI_ERRORLOG, is provided that sets the default path and file name for the

log file.

Changed commands

The scmcreatesnapshot command now permits you to create a snapshot for a

specific client. A new option is provided to control whether the results of a

snapshot are stored in the database.

The scmregisterclient command has a new –pull option that permits pull clients to

be registered. A new –clientport option also has been added. Multiple push and

pull clients can be registered using the new –list option.

New commands

The scmrunpolicycollectors command is provided to run all the collectors

associated with a policy on a specific client or client group.

The scmsuspendclient command is provided to suspend the data collection activity

on a client or client group. This command is subsequently used to resume a client

or client group that has had data collection suspended.

The scmresetclient command is provided to reset a client.

Users and user groups can now be managed using additional new administration

commands.

Handling of special characters in options

Enclose option values containing spaces in quotation marks. Some command shells

perform special processing when certain characters, such as an ampersand (&) or a

forward slash (/) are encountered in the command stream. Enclose options

containing special characters in quotation marks to ensure that they are processed

as expected by the command.

Note: On Windows systems, the quotation mark character must be preceded by a

backslash character (\).

For example, to add a group called Windows 2000 using the scmaddgroup

command:

UNIX and Linux

./scmaddgroup -u admin -s myserver.mycomp.com -group "Windows 2000"

Windows

scmaddgroup -u admin -s myserver.mycomp.com -group \"Windows 2000\"

Option values that are the same as command options must be enclosed in

quotation marks. For example, to create a group called -group:

scmaddgroup -u admin -pw mypw -s a4serv.mycomp.com -group \"-group\"

Environment variables

Environment variables can be used to provide default values for options on the

administration commands.

Use the following environment variables to provide default values for some

options on the administration commands:

SCMCLI_USER

The user ID to use to authenticate with the server. Used if the –user option

is not specified on the command.

SCMCLI_PASSWORD

The password corresponding to the specified user ID. Used if the

–password option is not specified on the command. If neither the

–password option is specified nor the SCMCLI_PASSWORD environment

variable is set, the user is prompted to enter the password.

SCMCLI_SERVER

The host name of the server. Used if the –server option is not specified on

the command.

SCMCLI_PORT

The port number to use to communicate to the server. Used if the –port

option is not specified on the command. If neither the –port option is

specified nor the SCMCLI_PORT environment variable is set, 1955 is used

as the port number.

SCMCLI_ERRORLOG

The fully qualified name of the file to be used to record messages

generated by the administration commands. Used if the –errorlog option is

not specified on the command. If neither the –errorlog option is specified

nor the SCMCLI_ERRORLOG environment variable is set, messages are

written to the standard error output stream.

Note: The user running the administration command must have the

appropriate file and directory permissions to create and append data

to the file specified.

SCMRMI_TIMEOUT

The amount of time to wait, in seconds, for a response from the server. If

not specified, the default value is 1800 seconds (30 minutes).

Note: On Windows and Linux systems, setting this variable as a system

environment variable also changes the amount of time that the

administration console on that system waits for a response from the

server.

Options specified on the command override the setting of the corresponding

environment variable. The environment variables are used only if set.

scmadduser command

Defines a new user and assigns a user to a user group.

Syntax

scmadduser {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name] {-adminuser|-a} admin_name

[{-newpassword|-npw} admin_pw] [{-usergroup|-ug} group_name] [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–adminuser | –a admin_name

The name of the user to add. If the user specified does not exist, it is

created. User names are not case sensitive.

–newpassword | –npw admin_pw

Optional. The password to be set for the user, if the user is being created.

Passwords are case sensitive.

–usergroup | –ug group_name

Optional. The name of the user group that the user should be added to.

–? The usage statement for the command.

Notes

The scmadduser command can be used to:

• add a new user

• add a new user and assign that user to a user group

• add an existing user to a user group

In order for the user to log in, the user must have a password. If the password is

not set when the user ID is created, use either the scmpasswordreset command or

the Users/Roles page of the administration console to set a password.

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.

Examples

• Add a new user called policyadmin:

scmadduser -u admin -pw p42q9b -s x4.mycompany.com -p 1955 -adminuser policyadmin

• Add a user called molly with a password and add that user to the existing

Managers user group:

scmadduser -u admin -server swest19.mycomp.com \
-a molly -newpassword y4q989z -ug Managers

• Add the existing molly user to the auditing user group:

scmadduser -u admin -server swest19.mycomp.com \
-adminuser molly -usergroup auditing

Note: If the user ID did not already exist, the user ID would automatically be

created without a password and then added to the user group.

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmaddusergroup command

Defines a new user group.

Syntax

scmaddusergroup {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name] {-usergroup|-ug} group_name [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–usergroup | –ug group_name

The name of the user group to add.

–? The usage statement for the command.

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.

Example

Add a new user group called ISOAuditors:

scmaddusergroup -u admin -pw z42b94 -s itscm.mycompany.com -usergroup ISOAuditors

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmaddusergrouprole command

Add a role to a user group.

Syntax

scmaddusergrouprole {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name] {-usergroup|-ug} group_name

{-role|-r} role_name [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–usergroup | –ug group_name

The name of the user group to which the specified role is to be added.

–role | –r role_name

The name of the role to be added to the specified user group.

–? The usage statement for the command.

Notes

If the user group or role specified contains spaces or special characters, enclose

them in quotation marks (") to prevent the command processor from interpreting

them. On Windows systems, the quotation marks must be preceded by a backslash

character (\).

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.

Examples

• Add the Senior Admin Role to the FirewallAdmins user group on a Linux

system:

scmaddusergrouprole -u admin -pw z42b94 -s itscm.mycompany.com \
-usergroup FirewallAdmins -role "Senior Admin Role"

• Add the User Admin Role to the B982 user group on a Windows system:

scmaddusergrouprole -u admin -s itscm.myco.com -ug B982 -role \"User Admin Role\"

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.
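
The three user-management commands above chained into one provisioning run for UNIX and Linux shells, as an added example that is not part of the IBM release notes. It takes the user ID and server from the SCMCLI_* environment variables, keeps a role name containing spaces as a single argument, and treats any non-zero exit status as failure, because a return value of -1 reaches a POSIX shell as 255. The helper names (scm_preflight, scm_run, scm_create_group, scm_add_member) are hypothetical; the user, group and role names are the samples used on this page.

```shell
#!/bin/sh
# Added example, not IBM code. Helper names are hypothetical; the scm*
# commands, their options and the SCM* variables are the documented ones.

# Check the environment before any command contacts the server.
scm_preflight() {
    # -user and -server have no default, so the variables must supply them.
    for scm_var in SCMCLI_USER SCMCLI_SERVER; do
        eval "scm_val=\${$scm_var:-}"
        if [ -z "$scm_val" ]; then
            echo "preflight: $scm_var is not set" >&2
            return 1
        fi
    done
    # SCMRMI_TIMEOUT is a number of seconds (1800 is used when it is unset).
    case "${SCMRMI_TIMEOUT:-1800}" in
        *[!0-9]*)
            echo "preflight: SCMRMI_TIMEOUT must be whole seconds" >&2
            return 1 ;;
    esac
    # Messages are appended to the error log, so the file (or, before it
    # exists, its directory) must be writable by the user running this.
    if [ -n "${SCMCLI_ERRORLOG:-}" ]; then
        if [ -e "$SCMCLI_ERRORLOG" ]; then
            scm_target=$SCMCLI_ERRORLOG
        else
            scm_target=$(dirname "$SCMCLI_ERRORLOG")
        fi
        if [ ! -w "$scm_target" ]; then
            echo "preflight: cannot write $SCMCLI_ERRORLOG" >&2
            return 1
        fi
    fi
    return 0
}

# Run one command and report a failure by command name only, so option
# values never reach the terminal or a log. The documented return value -1
# arrives in a POSIX shell as exit status 255, hence the test for "not 0".
scm_run() {
    scm_rc=0
    "$@" || scm_rc=$?
    if [ "$scm_rc" -ne 0 ]; then
        echo "failed: $1 (exit status $scm_rc)" >&2
        return 1
    fi
    return 0
}

# Create a user group and assign it a role. Quoting "$2" keeps a role name
# such as "Senior Admin Role" as one argument.
scm_create_group() {
    scm_preflight || return 2
    scm_run scmaddusergroup -usergroup "$1" || return 1
    scm_run scmaddusergrouprole -usergroup "$1" -role "$2" || return 1
}

# Add a user to a user group (the user is created if it does not exist).
# No -pw or -newpassword here: option values are visible in the process
# list. The command prompts for the administrator password unless
# SCMCLI_PASSWORD is set, and the new user gets a password afterwards
# (scmpasswordreset or the Users/Roles page).
scm_add_member() {
    scm_preflight || return 2
    scm_run scmadduser -adminuser "$1" -usergroup "$2" || return 1
}

# Usage, with the sample names from this page:
#   SCMCLI_USER=admin; SCMCLI_SERVER=itscm.mycompany.com
#   export SCMCLI_USER SCMCLI_SERVER
#   scm_create_group FirewallAdmins "Senior Admin Role" &&
#       scm_add_member molly FirewallAdmins
```

Both functions return 2 when the environment check fails and 1 when a command fails, so a calling script can tell a configuration problem from a server-side refusal.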

scmcreatesnapshot command

Creates a policy snapshot and, optionally, writes the result of the snapshot to a file.

Syntax

scmcreatesnapshot {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name] {-policy|-pol} policy_name

[ [{-group|-g} group_name] |

[ {-clientid|-c} client_ID] ]

[{-file|-f} policy_snapshot_file_name]

[{-text|-t}] [-nosave] [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–policy | –pol policy_name

The name of the policy to use to create the snapshot. This option is

required.

–group | –g group_name

Optional. The name of the client group that the policy snapshot should be

restricted to. Cannot be specified with the –clientid parameter.

–clientid | –c client_ID

Optional. The ID of the client that the policy snapshot should be restricted

to. Cannot be specified with the –group parameter.

–file | –f policy_snapshot_file_name

Optional. The name of the file where the policy snapshot is saved. The

output is in HTML format unless the -text option is specified.


–text | –t

Optional. If specified, indicates that the output from the snapshot should

be saved in the file indicated by the -file parameter as plain text instead of

as HTML.

–nosave

Optional. If specified, the results of the snapshot are not saved in the

database.

Note: If this parameter is specified without the –file parameter, no

snapshot is taken.

–? The usage statement for the command.

Notes

The results of the snapshot are saved in the database by default. Use the –nosave

and –file parameters to write the results of the snapshot to a file but not save the

results in the database. If the –nosave parameter is specified without the –file

parameter, no snapshot is taken.

Attention: A snapshot is created regardless of whether any data has been collected. Running a snapshot against a client group that does not have the policy added does not generate an error; the command completes and indicates no violations.

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.

Examples

Create a snapshot of the policy and restrict the snapshot to the data collected by clients in the AIXEast client group:

scmcreatesnapshot -u becky -pw qwerty4z -s s44srv.mycomp.com -p 1955 \
-policy AIX2004 -group AIXEast -file AIX2004_AIXEast_20040509_snapshot.html

Create a snapshot of the policy using all collected data:

scmcreatesnapshot -u rashid -pw q9y3y42b -s scmrules.mycomp.com \
-policy Windows_2000

Create a snapshot of the policy on the client with an ID of 44. In addition, save the results of the snapshot to a file and do not save the results in the database:

scmcreatesnapshot -u woj -pw big4fun -s itscm.mycomp.com \
-p 1955 -policy Windows_XP -c 44 -f winxp.htm -nosave

Create a snapshot of a policy and save the results as plain text in a file:

scmcreatesnapshot -u biff -pw c4982hk -s scm.mycomp.com \
-policy AIX_Policy -file aixpolicy.txt -text
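An added example, not code from the product or from these release notes: a Python wrapper that builds the scmcreatesnapshot invocations shown above, rejects the option combinations that the Options and Notes sections rule out, and supplies the credentials through the SCMCLI_* environment variables instead of -pw so that the password stays out of the argument list. The function names are hypothetical, and it assumes that scmcreatesnapshot is on the PATH.

```python
import os
import subprocess


def build_snapshot_argv(policy, group=None, client_id=None, out_file=None,
                        text=False, nosave=False, port=None):
    """Return the scmcreatesnapshot argument list, or raise ValueError."""
    if not policy:
        raise ValueError("-policy is required")
    if group is not None and client_id is not None:
        raise ValueError("-group and -clientid cannot be specified together")
    if nosave and out_file is None:
        # Per the -nosave note, this combination takes no snapshot at all.
        raise ValueError("-nosave without -file takes no snapshot")
    if text and out_file is None:
        # Assumption: stricter than the command itself. -text only changes
        # the format of the -file output, so on its own it does nothing.
        raise ValueError("-text has no effect without -file")

    # A list of arguments is passed to the process without a shell, so names
    # that contain spaces need no quotation marks or backslashes.
    argv = ["scmcreatesnapshot", "-policy", policy]
    if port is not None:
        argv += ["-port", str(port)]
    if group is not None:
        argv += ["-group", group]
    if client_id is not None:
        argv += ["-clientid", str(client_id)]
    if out_file is not None:
        argv += ["-file", out_file]
    if text:
        argv.append("-text")
    if nosave:
        argv.append("-nosave")
    return argv


def build_snapshot_env(user, server, password, base_env=None):
    """Return a process environment that carries the login details."""
    env = dict(os.environ if base_env is None else base_env)
    env["SCMCLI_USER"] = user
    env["SCMCLI_SERVER"] = server
    env["SCMCLI_PASSWORD"] = password
    return env


def run_snapshot(argv, env):
    """Run the command and return True only for return value 0."""
    # The documented failure value -1 is reported as 255 by POSIX systems,
    # so the result is compared with 0 rather than with -1.
    return subprocess.run(argv, env=env, check=False).returncode == 0


if __name__ == "__main__":
    # Constructed values modelled on the third example above.
    print(build_snapshot_argv("Windows_XP", client_id=44,
                              out_file="winxp.htm", nosave=True, port=1955))
```
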

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.


scmlistavailableroles command

Display the roles that can be assigned to a user group.

Syntax

scmlistavailableroles {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name] [{-usergroup|-ug} group_name]

[-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–usergroup | –ug group_name

Optional. The name of the user group for which the available roles are to

be displayed. If this option is omitted, all available roles are displayed.

–? The usage statement for the command.

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.

Examples

• List all the available roles that can be assigned to user groups:

scmlistavailableroles -u useradmin -pw q8u4u4a -s sc.mycompany.com -p 1955

• List the available roles for the Managers user group:

scmlistavailableroles -u barney -pw ru88le -s scm.myco.com -ug Managers

Return values

The following values can be returned:


0 The command completed successfully.

-1 The command failed.

scmlistgroupclients command

Displays the clients defined to a specified client group or to all client groups.

Syntax

scmlistgroupclients {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name] [{-group|-g} group_name] [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–group | –g group_name

Optional. The name of the client group for which the clients are to be

displayed. If this option is omitted, clients of all client groups are

displayed.

–? The usage statement for the command.

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.

Examples

List all members of all client groups defined on server scmserver.mycompany.com:

scmlistgroupclients -u jaya -pw r7y4yy5 -s scmserver.mycompany.com -p 1955

List the members of the Windows client group:


scmlistgroupclients -u fuzzy -pw b7e4u8a -s itscm.mycompany.com -g Windows

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmlistgrouppolicies command

Displays the policies defined to a specified client group or to all client groups.

Syntax

scmlistgrouppolicies {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name] [{-group|-g} group_name] [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–group | –g group_name

Optional. The name of the client group for which the policies are to be

displayed. If this option is omitted, policies for all client groups are

displayed.

–? The usage statement for the command.

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.


Examples

List all policies that are defined on server itscm.mycompany.com:

scmlistgrouppolicies -u mikey -pw oh62389p -s itscm.mycompany.com -p 1955

List the policies associated with the AIX® client group:

scmlistgrouppolicies -u zuddy -pw q04bGab -s tscm5.mycompany.com -g AIX

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmlistusergroups command

Display the user groups defined on a server.

Syntax

scmlistusergroups {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-groupusers|-gu}] [{-grouproles|-gr}]

[{-errorlog|-e} file_name] [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–groupusers | –gu

Optional. Indicates that the users in the user groups are to be displayed.


–grouproles | –gr

Optional. Indicates that the roles assigned to the user groups are to be

displayed.

–? The usage statement for the command.

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.

Examples

• List all the user groups assigned to the server:

scmlistusergroups -u useradmin -pw q8u4u4a -s sc.mycompany.com

• List all the user groups, including the users assigned to each user group:

scmlistusergroups -u barney -pw ru88le -s scm.myco.com -p 1955 -gu

• List all the user groups and the roles assigned to each user group:

scmlistusergroups -u admin -pw d1o2g3 -s itsc.mycompany.com -p 1955 -gr

• List all the user groups, including the users and roles assigned:

scmlistusergroups -u admin -pw f4u7k9u -s g0.myco.com -p 1955 -gu -gr

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmregisterclient command

Registers one or more clients with a server.

Syntax

scmregisterclient {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name]

{ {-client|-c} client_name[{,|:}alias]

[ client_name[{,|:}alias] ]...

[{-clientport|-cp} client_port] [{-pull | -push}] |

-list spreadsheet_file_name } [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.


–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–client | –c client_name [ {,|:}alias] [client_name{,|:}alias]...

The clients to be registered. The client_name is the host name or IP address

of the client to be registered and the alias is the optional client alias. The

client_name and the alias can be up to 100 characters in length. If alias is not

specified, client_name is used.

This option is required if the –list option is not specified. If the –list option

is specified, this option is ignored.

–clientport | –cp client_port

The port number used by the client to communicate with the server. If this

option is not specified, 1950 is used.

This option is ignored if the –list option is specified.

–push Optional. Indicates that the clients are to be registered as push clients. If

neither this option nor the –pull option is specified, clients are registered

as push clients.

This option is ignored if the –list option is specified.

–pull Optional. Indicates that the clients are to be registered as pull clients. If

neither this option nor the –push option is specified, clients are registered

as push clients.

This option is ignored if the –list option is specified.

–list spreadsheet_file_name

The fully qualified name of a file containing information on the clients to

be registered. If the spreadsheet file specified is a tab-delimited text file,

the file extension must be .txt. If the spreadsheet file is a comma-separated

value (CSV) file, the file extension must be .csv. The first row of the file is

treated as a comment. Each subsequent row in the file describes a client to

be registered.

This option is required if the –client option is not specified.

–? The usage statement for the command.

Notes

When registering a pull client that has an IP address that changes but a host name

that remains constant, specify the client with an IP address of 0.0.0.0, such as

-client 0.0.0.0:host_name

This setting results in the server performing a DNS lookup using the host name to

obtain the IP address of the client.


The spreadsheet specified using the –list option is either a tab-delimited or

comma-separated value (CSV) file. The first line of the file is treated as a comment.

Each subsequent line contains the following values:

Client type

The type of client. Valid values are push and pull.

Fully qualified host name

The host name of the client system to be registered.

This field maps to the alias value on the –client option and can be up to

100 characters in length.

IP address

The IP address of the client system to be registered.

This field maps to the client_name value on the –client option and can be

up to 100 characters in length.

If a client has a host name that does not change but an IP address that

might change, specify the IP address as 0.0.0.0. This setting results in the

server performing a DNS lookup using the host name to obtain the IP

address of the client.

Port number

The port number used by the client to communicate with the server. If this

option is not specified, 1950 is used.

Comment

The rest of the line, up to a maximum of 250 characters, is stored as a

comment and is displayed in the Client Information pane of the

administration console.

Figure 1 shows a comma-separated value file that defines several clients. Because

the first client does not specify a port number, the default port of 1950 is used.

A sample spreadsheet file is provided that can be modified and exported to a

tab-delimited or comma-separated value (CSV) file for use with the –list option.

The sample file is called $SCM_HOME/admin/ClientInformation.xls. Use a

spreadsheet application, such as Lotus® SmartSuite® or Microsoft Excel, to view

and update the file.

Note: If the file is a comma-separated value (CSV) file, the file extension must be

.csv. A tab-delimited value file must have a file extension of .txt.
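An added example, not part of the release notes or of the product: a Python check that can be run over a –list file before it is handed to scmregisterclient, applying the field rules described above. The function names are hypothetical, the sample rows are constructed, and the plain splitting without quote handling and the exact-match client type are assumptions about how the file is read.

```python
import ipaddress
from pathlib import PurePath

DEFAULT_CLIENT_PORT = 1950      # used when the port field is empty
MAX_NAME_LEN = 100              # limit for the host name field
MAX_COMMENT_LEN = 250           # rest of the line, stored as the comment
DELIMITERS = {".csv": ",", ".txt": "\t"}

# Constructed sample: rows in the style of Figure 1 plus two invalid rows.
SAMPLE_CSV = """First line in the file is a comment
push,liza.myco.com,192.168.11.115,,Liza Fharley
pull,joe.myco.com,192.168.11.4,1960,Joseph Zabra
pull,roam.myco.com,0.0.0.0,1950,Laptop, address changes
pusher,bad.myco.com,192.168.11.9,1950,Unknown client type
push,oops.myco.com,192.168.11.300,70000,Bad address and port
"""


def delimiter_for(file_name):
    """Return the field delimiter implied by the file extension."""
    suffix = PurePath(file_name).suffix.lower()
    if suffix not in DELIMITERS:
        raise ValueError(f"{file_name}: extension must be .csv or .txt")
    return DELIMITERS[suffix]


def check_row(fields):
    """Validate one row and return (client, errors)."""
    fields = [f.strip() for f in fields] + [""] * (5 - len(fields))
    ctype, host, addr, port_text, comment = fields[:5]
    errors = []

    if ctype not in ("push", "pull"):     # assumption: exact lower case
        errors.append(f"client type {ctype!r} is not push or pull")
    if not host or len(host) > MAX_NAME_LEN:
        errors.append("host name must be 1 to 100 characters")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        ip = None
        errors.append(f"{addr!r} is not an IP address")

    port = DEFAULT_CLIENT_PORT
    if port_text:
        if port_text.isascii() and port_text.isdigit() and 1 <= int(port_text) <= 65535:
            port = int(port_text)
        else:
            errors.append(f"port {port_text!r} is not in 1-65535")
    if len(comment) > MAX_COMMENT_LEN:
        errors.append("comment is longer than 250 characters")

    client = {
        "type": ctype,
        "host": host,
        "address": addr,
        "port": port,
        "comment": comment,
        # 0.0.0.0 asks the server to find the address by DNS lookup.
        "resolve_by_dns": ip is not None and ip.is_unspecified,
    }
    return client, errors


def check_client_list(file_name, text):
    """Return (accepted clients, [(line number, problem), ...])."""
    delimiter = delimiter_for(file_name)
    clients, problems = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line_no == 1 or not line.strip():
            continue  # first row is a comment; blank rows skipped (assumption)
        # At most five fields: everything after the fourth delimiter is the
        # comment, including any further delimiters.
        client, errors = check_row(line.split(delimiter, 4))
        if errors:
            problems.extend((line_no, e) for e in errors)
        else:
            clients.append(client)
    return clients, problems


if __name__ == "__main__":
    accepted, rejected = check_client_list("clients.csv", SAMPLE_CSV)
    for c in accepted:
        print("ok  ", c["type"], c["host"], c["address"], c["port"])
    for line_no, problem in rejected:
        print(f"line {line_no}: {problem}")
```
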

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.

Examples

Figure 1. Sample CSV file for the scmregisterclient command

First line in the file is a comment
push,liza.myco.com,192.168.11.115,,Liza Fharley
pull,joe.myco.com,192.168.11.4,1960,Joseph Zabra
pull,snow.myco.com,192.168.11.122,1950,Rashid Snow
push,mchess.myco.com,192.168.11.5,1950,Max Chess

• Register a push client to a server:

scmregisterclient -u a_user -pw password -s scmserver.myco.com -p 1955 \
-client amail422.dev.myco.com -push

• Register three push clients with aliases on a UNIX system:

scmregisterclient -u a_user -pw password -s scmserver.myco.com -p 1955 \
-client jclam.myco.com,Jaya pcoole.nyco.com,Jose rhuen.myco.com,Rachel

• Register two push clients (with aliases with spaces in them) on a Windows system:

scmregisterclient -u a_user -pw password -s scmserver.myco.com -p 1955 -client \"zsmith.myco.com:Zachary Smith\" \"pdogh.myco.com:Pratish Dogh\"

• Register a pull client with an alias and using client port 2000:

scmregisterclient -u a_user -pw a_password -s server.myco.com -p 1955 \
-client theone.myco.com5:theOne -pull -clientport 2000

• Register two pull clients with aliases and using client port 2004:

scmregisterclient -u a_user -pw a_password -s server.myco.com -p 1955 \
-client test.myco.com:Tester nway.myco.com:NoWay -pull -cp 2004

• Register several clients using a tab-delimited value file:

scmregisterclient -u wiley -pw acme11bugs -s scm.myco.com \
-list /var/client_spreadsheet.txt

• Register several clients using a comma-separated value file:

scmregisterclient -u admin -pw 94hGh9b -s scm.myco.com \
-list /var/client_spreadsheet.csv

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmremoveuser command

Removes a user or removes a user from a user group.

Syntax

scmremoveuser {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name] {-adminuser|-a} admin_name

[{-usergroup|-ug} group_name] [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.


–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–adminuser | –a admin_name

The name of the user to be processed. User names are not case sensitive. If

the –usergroup option is not specified, the user is removed from the server.

Otherwise, the user is removed from the specified user group.

–usergroup | –ug group_name

Optional. The name of the user group from which the user should be

removed.

–? The usage statement for the command.

Notes

The scmremoveuser command can be used to:

• remove a user

• remove a user from a specific user group

Removing a user also removes that user from every user group that it was a member of and deletes any authorization keys that the user created.

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.

Examples

• Remove a user called policyadmin:

scmremoveuser -u admin -s x4.mycompany.com -adminuser policyadmin

• Remove the user molly from the Managers user group:

scmremoveuser -u admin -server swest19.mycomp.com \
-p 1955 -a molly -ug Managers

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmremoveusergroup command

Removes a user group.


Syntax

scmremoveusergroup {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name] {-usergroup|-ug} group_name [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–usergroup | –ug group_name

The name of the user group to remove.

–? The usage statement for the command.

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.

Examples

Remove a user group called WebMasters:

scmremoveusergroup -u admin -pw 98qg74gh4 -s s4.mycompany.com -ug WebMasters

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmremoveusergrouprole command

Remove a role from a user group.


Syntax

scmremoveusergrouprole {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name] {-usergroup|-ug} group_name

{-role|-r} role_name [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–usergroup | –ug group_name

The name of the user group from which the specified role is to be removed.

–role | –r role_name

The name of the role to be removed from the specified user group.

–? The usage statement for the command.

Notes

If the user group or role specified contains spaces or special characters, enclose it in quotation marks (") to prevent the command processor from interpreting them. On Windows systems, the quotation marks must be preceded by a backslash character (\).

Authorization

You must have a valid administrator user ID and password on the server and must

have the required authority to perform the task.

Examples

• Remove the Senior Admin Role from the FirewallAdmins user group on a Linux system:

scmremoveusergrouprole -u admin -pw z42b94 -s itscm.mycompany.com \
-usergroup FirewallAdmins -role "Senior Admin Role"

• Remove the User Admin Role from the B982 user group on a Windows system:

scmremoveusergrouprole -u admin -s a4.myco.com -ug B982 -role \"User Admin Role\"

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmresetclient command

Resets a client.

Syntax

scmresetclient {-user|-u} user_ID [{-password|-pw} password]

{-server|-s} server_name [{-port|-p} port]

[{-errorlog|-e} file_name]

{-clientid|-c} client_ID [{-hard|-ha}] [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is

specified and the SCMCLI_PASSWORD environment variable is not set,

you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is

not specified and the SCMCLI_PORT environment variable is not set, 1955

is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages

produced by the command are to be saved. The file is created if it does not

exist. Messages are appended to the end of the file and the file grows

without limit. If this option is not specified and the SCMCLI_ERRORLOG

environment variable is not set, error messages are written to the standard

error output stream.

–clientid | –c client_ID [group_name]...

The numeric ID of the client to be reset. This option is required.

–hard | –ha

Optional. If specified, indicates that a hard reset request is to be sent to the

client specified. Otherwise, a soft reset request is sent.

–? The usage statement for the command.


Authorization

You must have a valid administrator user ID and password on the server and must have the required authority to perform the task.

Notes

A soft reset request is sent to the client unless the –hard option is specified. If the –hard option is specified, a hard reset request is sent. This command performs the same function as the Clients → Actions → Soft reset request and Clients → Actions → Hard reset request options in the administration console.

Regardless of whether the administration console or the scmresetclient command is used, no further operations can be directed to the client until the reset operation completes. The time required for the operation to complete depends on the number of policies and collectors assigned to the client, as well as the amount of network traffic to the server. In general, a hard reset request takes longer than a soft reset request.

Examples

• Reset the client with an ID of 15:

scmresetclient -u scmadmin -pw p42q9b -s x4.mycompany.com -p 1955 -clientid 15

• Send a hard reset request to the client with an ID of 4:

scmresetclient -u scmadmin -s scms1.mycompany.com -clientid 4 -hard

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmrunpolicycollectors command

Runs all the collectors in the specified policy on a specific client or client group.

Syntax

scmrunpolicycollectors {-user|-u} user_ID [{-password|-pw} password]
    {-server|-s} server_name [{-port|-p} port]
    [{-errorlog|-e} file_name] {-policy|-pol} policy_name
    { {-clientid|-c} client_ID | {-group|-g} group_name }
    [-wait] [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is specified and the SCMCLI_PASSWORD environment variable is not set, you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is not specified and the SCMCLI_PORT environment variable is not set, 1955 is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages produced by the command are to be saved. The file is created if it does not exist. Messages are appended to the end of the file and the file grows without limit. If this option is not specified and the SCMCLI_ERRORLOG environment variable is not set, error messages are written to the standard error output stream.

–policy | –pol policy_name

The name of the policy containing the collectors that are to be run. This option is required.

–clientid | –c client_ID

The numeric ID of the client where the collectors associated with the specified policy are to be run. Either this option or the –group option is required.

–group | –g group_name

The name of the client group where the collectors associated with the specified policy are to be run. Either this option or the –clientid option is required.

–wait Optional. If specified, the command does not return until the data associated with running the collectors has been stored in the database.

–? The usage statement for the command.

Authorization

You must have a valid administrator user ID and password on the server and must have the required authority to perform the task.

Notes

This command is used to run all the collectors associated with a policy on the specified client. Before running this command, ensure that the client is a member of the specified client group, and the policy is assigned to that client group. By default, the command returns after scheduling the collectors to be run on the specified client or client group. Use the –wait option to cause the command to wait until the data has been collected and stored in the database tables.

After correcting compliance issues on a client, use this command, with the –wait option, to collect updated security compliance data for the client. After the command completes, a snapshot can be taken to verify whether or not all issues have been resolved.

Examples

Run all the collectors defined in the HPUX04 policy on the client with an ID of 5 and do not return until the data collected has been stored in the database tables:

scmrunpolicycollectors -u admin -pw pd4qr3yt29s -s jcas.mycom.com -p 1955 -policy HPUX04 -clientid 5 -wait

Run all the collectors defined in the WIN2003 policy on all the clients in the Workstation client group:

scmrunpolicycollectors -u clyde -pw ba1942xz -s scm.mycomp.com -p 1955 -policy WIN2003 -group Workstation

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmsetuserinfo command

Set or change information about a user.

Syntax

scmsetuserinfo {-user|-u} user_ID [{-password|-pw} password]
    {-server|-s} server_name [{-port|-p} port]
    [{-errorlog|-e} file_name]
    {-adminuser|-a} admin_name [{-fullname|-fn} full_name]
    [{-phone|-ph} phone_number] [{-email|-em} email_address]
    [{-empinfo|-ei} employee_info] [{-usercomment|-uc} comment_text]
    [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is specified and the SCMCLI_PASSWORD environment variable is not set, you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is not specified and the SCMCLI_PORT environment variable is not set, 1955 is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages produced by the command are to be saved. The file is created if it does not exist. Messages are appended to the end of the file and the file grows without limit. If this option is not specified and the SCMCLI_ERRORLOG environment variable is not set, error messages are written to the standard error output stream.

–adminuser | –a admin_name

The name of the user to be processed. User names are not case sensitive.

–fullname | –fn full_name

Optional. The full name of the user.

–phone | –ph phone_number

Optional. The telephone number of the user.

–email | –em email_address

Optional. The e-mail address of the user.

–empinfo | –ei employee_info

Optional. The employee information associated with the user.

–usercomment | –uc comment_text

Optional. The comment text associated with the user.

–? The usage statement for the command.

Notes

Use the scmpasswordreset command or the Users/Roles page of the administration console to change a user’s password.

Enclose options with spaces or special characters, such as an ampersand (&) or a greater-than sign (>), in quotation marks (") to prevent the command processor from interpreting them. On Windows systems, the quotation marks must be preceded by a backslash character (\).

Authorization

You must have a valid administrator user ID and password on the server and must have the required authority to perform the task.

Examples

• Update the e-mail address and telephone number of user scmadmin from a UNIX system:

scmsetuserinfo -u admin -server x4.mycompany.com -adminuser scmadmin \
    -em "[email protected]" -ph "+1-512-555-1212"

• Update the comment for user loni from a Microsoft Windows system:

scmsetuserinfo -u admin -s zx.myco.com -a loni -uc \"Manager of Tahiti Site\"

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

scmsuspendclient command

Suspends or resumes data collection activity on a specific client or client group.

Syntax

scmsuspendclient {-user|-u} user_ID [{-password|-pw} password]
    {-server|-s} server_name [{-port|-p} port]
    [{-errorlog|-e} file_name]
    { {-clientid|-c} client_ID | {-group|-g} group_name }
    [ [-suspend [-begin yyyy/mm/dd[:hh:mm]]
        [ [-until yyyy/mm/dd[:hh:mm]] |
          [-length duration_in_minutes] ] ]
      | [-resume] ] [-?]

Options

–user | –u user_ID

The user ID to use to authenticate with the server.

Required option unless the SCMCLI_USER environment variable is set.

–password | –pw password

The password corresponding to the specified user ID. If no password is specified and the SCMCLI_PASSWORD environment variable is not set, you are prompted for the password.

–server | –s server_name

The host name of the server that is the target of the command.

Required option unless the SCMCLI_SERVER environment variable is set.

–port | –p port

The port number to use to communicate with the server. If this option is not specified and the SCMCLI_PORT environment variable is not set, 1955 is used.

–errorlog | –e file_name

Optional. The fully qualified name of the file where error messages produced by the command are to be saved. The file is created if it does not exist. Messages are appended to the end of the file and the file grows without limit. If this option is not specified and the SCMCLI_ERRORLOG environment variable is not set, error messages are written to the standard error output stream.

–clientid | –c client_ID

The numeric ID of the client that is to be suspended or resumed. Either this option or the –group option is required.

–group | –g group_name

The name of the client group that is to be suspended or resumed. Either this option or the –clientid option is required.

–suspend

Optional. Causes the data collection on the specified client or client group to be suspended. The start and end times of the suspension are specified using the –begin, –length, and –until options. Cannot be specified with the –resume option.

–begin yyyy/mm/dd[:hh:mm]

Optional. Indicates the date, and optionally the time, when the data collection on the affected clients is to be suspended. If time is omitted, then midnight (00:00) is assumed. If this option is not specified, data collection is suspended immediately.

–until yyyy/mm/dd[:hh:mm]

Optional. Indicates the date, and optionally the time, when the data collection on the affected clients is to resume. If time is omitted, then midnight (00:00) is assumed. If neither this option nor the –length option is specified, data collection is suspended until explicitly resumed using the scmsuspendclient command with the –resume option.

–length duration_in_minutes

Optional. Indicates the length of time, in minutes, that the affected clients are to be suspended. After the time elapses, the affected clients are resumed.

–resume

Optional. If specified, resumes the data collection on the specified client or client group. Cannot be specified with the –suspend option.

–? The usage statement for the command.

Authorization

You must have a valid administrator user ID and password on the server and must have the required authority to perform the task.

Notes

If neither the –suspend nor the –resume option is specified, the default action is to suspend the specified client or client group.

Only one suspend and resume request can be scheduled at a time for a client. If a client is currently active and is scheduled to be suspended, making another suspend request replaces the one that is currently scheduled. After a client has been suspended, other requests to suspend the client are rejected. Similarly, if a client is currently suspended and is scheduled to be resumed, another resume request replaces the one that is currently scheduled.

Examples

Suspend the data collection on a particular client immediately. The client remains suspended until resumed.

scmsuspendclient -u admin -pw pd4qr3yt29s -s jcas.mycom.com -p 1955 -clientid 55 -suspend

Resume the data collection on the specified client.

scmsuspendclient -u admin -pw pd4qr3yt29s -s jcas.mycom.com -p 1955 -clientid 55 -resume

Suspend the data collection on a client starting on April 1, 2005 at midnight:

scmsuspendclient -u clyde -pw bonnie1 -s scm.mycomp.com -clientid 41 -suspend -begin 2005/04/01

Suspend the data collection on all clients in client group WindowsXP for 30 minutes, starting immediately:

scmsuspendclient -u bonnie -pw clyde1 -s scm.mycomp.com -group WindowsXP -suspend -length 30

Suspend the data collection on all clients in client group Accounts until 8:00 a.m. on January 3, 2005:

scmsuspendclient -u bonnie -pw clyde1 -s scm.mycomp.com -group Accounts -suspend -until 2005/01/03:08:00

Suspend the data collection on all clients in client group Tax2004 from 4:30 p.m. until 6:30 p.m. on Friday, April 15, 2005:

scmsuspendclient -u bonnie -pw clyde1 -s scm.mycomp.com -group Tax2004 -suspend -begin 2005/04/15:16:30 -length 120

Return values

The following values can be returned:

0 The command completed successfully.

-1 The command failed.

Chapter 5. Documentation updates

Several problems in the documentation have been corrected.

Supported operating systems

The list of supported operating systems in IBM Tivoli Security Compliance Manager Installation Guide has been updated.

The tables reflect the addition of Microsoft Windows 2003 and Novell NetWare as supported platforms.

The following tables list the supported operating systems for the Tivoli Security Compliance Manager server, client, collectors, and administration utilities. No specific patch or maintenance level is required for any operating system. However, keeping installed systems at the most current patch or maintenance level helps to ensure that known security vulnerabilities in the operating system are corrected.

Table 2. Server

Operating system Level
IBM AIX 5.1
IBM AIX 5.2
IBM AIX 5.3
Microsoft Windows 2000 Server
Microsoft Windows 2003 Server Standard Edition and Enterprise Edition
Sun Solaris Operating Environment 2.8
Sun Solaris Operating Environment 2.9
SUSE Linux Enterprise Server 8

Table 3. Clients, collectors, and proxy relay

Operating system Level
IBM AIX 5.1
IBM AIX 5.2
IBM AIX 5.3
HP-UX 11.0
HP-UX 11i
Novell NetWare 5.1
Novell NetWare 6.0
Novell NetWare 6.5
Red Hat Linux for Intel® IA32 and xSeries® 6.2
Red Hat Linux for Intel IA32 and xSeries 7.0
Red Hat Linux for Intel IA32 and xSeries 7.1
Red Hat Linux for Intel IA32 and xSeries 7.2
Red Hat Linux for Intel IA32 and xSeries 7.3
Red Hat Linux for Intel IA32 and xSeries 8.0
Red Hat Linux for Intel IA32 and xSeries 9.0
Sun Solaris Operating Environment 2.6
Sun Solaris Operating Environment 2.7
Sun Solaris Operating Environment 2.8
Sun Solaris Operating Environment 2.9
Microsoft Windows NT® 4.0 Server
Microsoft Windows NT 4.0 Workstation
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows XP Professional
Microsoft Windows 2003 Server Standard Edition and Enterprise Edition
Red Hat Enterprise Linux for Intel IA32 and xSeries 2.1
Red Hat Enterprise Linux Advanced Server for Intel IA32 and xSeries 3.0 (see note below)
Red Hat Enterprise Linux for zSeries® 3.0
Red Hat Enterprise Linux for iSeries™ or pSeries® 3.0
Red Hat Enterprise Linux for zSeries 7.2
Red Hat Enterprise Linux Advanced Server 2.1
SUSE LINUX 7.0
SUSE LINUX Enterprise Server 8
SUSE LINUX Enterprise Server for zSeries 8
SUSE LINUX Enterprise Server for iSeries or pSeries 8

Note: The Red Hat Enterprise Linux Advanced Server 3.0 platform can only be installed using the console mode on Japanese language systems.

Table 4. Administration console

Operating system Level
Microsoft Windows 2000 Professional
Microsoft Windows XP Professional
Microsoft Windows 2003 Server Standard Edition and Enterprise Edition
Red Hat Enterprise Linux Advanced Server for Intel IA32 and xSeries 3.0
SUSE LINUX Enterprise Server (xSeries) 8

Table 5. Administration command line interface

Operating system Level
IBM AIX 5.1
IBM AIX 5.2
IBM AIX 5.3
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows XP Professional
Microsoft Windows 2003 Server Standard Edition and Enterprise Edition
Sun Solaris Operating Environment 2.8
Sun Solaris Operating Environment 2.9
HP-UX 11
HP-UX 11i
SUSE LINUX Enterprise Server 8
Red Hat Linux for Intel IA32 and xSeries 9
Red Hat Enterprise Linux Advanced Server for Intel IA32 and xSeries 3.0
Red Hat Enterprise Linux for iSeries or pSeries 3.0
SUSE LINUX Enterprise Server for iSeries or pSeries 8

Uninstalling components

Additional information on uninstalling IBM Tivoli Security Compliance Manager components on Microsoft Windows systems is provided.

On Microsoft Windows systems, do not use the Add/Remove Programs option from the Control Panel to uninstall components of Tivoli Security Compliance Manager. That option does not completely remove the product from the system, and might leave one or more components listed as Windows services. Instead, use the procedure described in the section entitled "Uninstalling Tivoli Security Compliance Manager" in the IBM Tivoli Security Compliance Manager Installation Guide.

Obtaining IBM HTTP Server Version 1.x

Information on obtaining IBM HTTP Server for use with the IBM Tivoli Security Compliance Manager Operational Reports.

In the "Operational Reports" section of the IBM Tivoli Security Compliance Manager Release Notes, the procedure mentions that the IBM HTTP Server Version 1.x is required but that it is not provided. To obtain IBM HTTP Server Version 1.x, go to:

http://www.ibm.com/software/webservers/httpservers/download.html

Select IBM HTTP Server version 1.3.28.1 for Windows. Version 2.x cannot be used with IBM Tivoli Security Compliance Manager.

Updating clients from server

An additional step might be needed before updating clients automatically from a server running on a UNIX or Linux system.

The client software running on client systems can be updated automatically from the server using the Server page of the administration console. On UNIX and Linux systems, if a client update JAR file is already in use, you must ensure that the permissions on the file permit the server to replace the file. If the file ownership or permissions are not set correctly, an error might occur when you attempt to replace the JAR file from the administration console.

This problem usually occurs after installing an interim fix or patch, where the JAR file might have been installed by the root user with file permissions of 755. To correct the problem, change the owner of the file to be the scmsrver user ID in the scmsrver group. Alternatively, the permissions on the JAR file can be set to 777, but this permits any user to change the file. After correcting the problem, click Update client code again to replace the file.
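The ownership and mode conditions described above can be checked with a script before clicking Update client code. This is an added example, not part of the IBM documentation: the JAR path is passed in by the caller because the page does not state where the file lives, and scmsrver is the owner and group named in the text.

```shell
#!/bin/sh
# Added example: audit a client update JAR before using "Update client code".
# scmsrver is the owner and group named in the text; the JAR path is supplied
# by the caller because the page does not give its location.
#
# Returns 0 if the server account can replace the file and nobody else can
# modify it, 1 if a finding was printed, 2 if the file is missing.
audit_update_jar() {
    jar=$1
    want_owner=${2:-scmsrver}
    want_group=${3:-scmsrver}
    findings=0

    if [ ! -f "$jar" ]; then
        echo "MISSING: $jar is not a regular file"
        return 2
    fi

    # ls -ld is parsed instead of calling stat(1), whose options differ by platform.
    owner=$(ls -ld "$jar" | awk '{print $3}')
    group=$(ls -ld "$jar" | awk '{print $4}')

    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER: $jar is owned by $owner, expected $want_owner"
        findings=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "GROUP: $jar has group $group, expected $want_group"
        findings=1
    fi
    # The owner write bit (0200) must be set or the server cannot overwrite the file.
    if [ -z "$(find "$jar" -prune -perm -200 -print)" ]; then
        echo "READONLY: owner write bit is not set on $jar"
        findings=1
    fi
    # Mode 777 makes the update work but lets any local user change the JAR
    # that is distributed to clients, so other-write (0002) is a finding.
    if [ -n "$(find "$jar" -prune -perm -002 -print)" ]; then
        echo "WORLD-WRITABLE: any user can modify $jar"
        findings=1
    fi
    # Group write only matters when the group is not the server's own group.
    if [ "$group" != "$want_group" ] && [ -n "$(find "$jar" -prune -perm -020 -print)" ]; then
        echo "GROUP-WRITABLE: members of $group can modify $jar"
        findings=1
    fi
    return $findings
}
```

Run it as `audit_update_jar /path/to/update.jar`; a clean result after `chown scmsrver:scmsrver` with mode 755 confirms the fix without resorting to 777.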

Column data types

Each column in a collector table contains data that is mapped from a Java data type to a DB2® data type.

The size of a column must be sufficient to store the largest data item that could be collected. Otherwise, the collected data might be truncated. Tivoli Security Compliance Manager does not impose any restriction on the total amount of data that can be collected in a table.

The following SQL data types are supported by Tivoli Security Compliance Manager:

SMALLINT
INTEGER
BIGINT
REAL
FLOAT
DOUBLE
CHAR
VARCHAR
DATE
TIME
TIMESTAMP

Table 6 summarizes the mappings of Java data types to DB2 data types in DB2 Universal Database™ for Linux, UNIX, and Windows systems. When more than one data type is listed, the first data type is the recommended data type.

Table 6. Mappings of Java data types to DB2 data types for updating DB2 tables

| Java data type | SQL data type |
|---|---|
| short, boolean, byte (see Note) | SMALLINT |
| int, java.lang.Integer | INTEGER |
| long, java.lang.Long | BIGINT |
| float, java.lang.Float | REAL, FLOAT |
| double, java.lang.Double | DOUBLE |
| java.lang.String | CHAR(n) where n <= 254 |
| java.lang.String | VARCHAR(n) where n <= 32672 |
| java.sql.Date | DATE |
| java.sql.Time | TIME |
| java.sql.Timestamp | TIMESTAMP |

Note: DB2 has no exact equivalent for the Java boolean or byte data types, but the best fit is SMALLINT.

By convention, Tivoli Security Compliance Manager uses a value of 1 for true and a value of 0 for false.

Collector documentation updates

The documentation for the following existing collectors has been updated to provide additional and corrected information.

aix.any.SecPasswdV1.jar

Collects password information, such as user name, flags, and the date that the password was last updated, from the /etc/security/passwd file.

Tables

AIX_SECPASSWD_V1

Table 7. Column information for AIX_SECPASSWD_V1

| Column Name | Description | Type (size) |
|---|---|---|
| USERNAME | The name of the user. | VARCHAR (30) |
| ALLOW_ADMIN | A Boolean flag indicating that only the root user can change the password information. | SMALLINT |
| ALLOW_ADMCHG | A Boolean flag indicating that a member of the security group or the root user last changed the password. | SMALLINT |
| ALLOW_NOCHECK | A Boolean flag indicating that none of the system password restrictions defined in the /etc/security/user file are enforced for this password. | SMALLINT |
| LASTUPDATE | The time (in seconds) since the epoch (00:00:00 GMT, January 1, 1970) when the password was last changed. | TIMESTAMP |
| PASSWD_EXISTS | A Boolean flag indicating whether the password exists. Returns 1 (true) if the password is active or locked; otherwise, returns 0 (false) if the password does not exist. | SMALLINT |
| PASSWD_LOCKED | A Boolean flag indicating whether the password is locked. Returns 0 (false) if the password does not exist or is active. | SMALLINT |

Parameters

None.

Notes

If the /etc/security/passwd file does not exist, message HCVHC0011W is logged on the client and the collector returns empty headers.

Error messages

• HCVHC0000E
• HCVHC0001E
• HCVHC0002E
• HCVHC0011W

unix.any.AnonFtpPasswdV1.jar

Collects the user and password fields present in the password file used by anonymous FTP.

Tables

UNIX_ANONFTP_PASS_V1

Table 8. Column information for UNIX_ANONFTP_PASS_V1

| Column Name | Description | Type (size) |
|---|---|---|
| USER_NAME | The name of the user. | VARCHAR (32) |
| IS_PASSWD_EMPTY | A Boolean flag indicating if the password field is empty. If the entry is an encrypted password, it indicates if the password entry matches an encrypted blank password. | SMALLINT |
| IS_ACCOUNT_ACTIVE | A Boolean flag indicating whether or not the account is active. If the account is locked, then 0 (False) is returned. | SMALLINT |
| IS_PASSWD_ENCRYPT_USERNAME | A Boolean flag indicating that an encrypted password entry is the same as the user name. If an encrypted password does not exist in the file, null is returned. | SMALLINT |
| IS_MD5 | A Boolean flag indicating whether the password is MD5 encrypted. | SMALLINT |

Parameters

Table 9. Parameter information for unix.any.AnonFtpPasswdV1.jar

| Parameter Name | Description | Required | Default Value |
|---|---|---|---|
| ANONFTP_PASSWD_FILE | Location of the anonymous FTP password file relative to the anonymous FTP user’s home directory. | No | /etc/passwd |
| SCAN_REMOTE | A Boolean flag indicating that files on remote file systems are to be processed. | No | 0 (False) |

Notes

If the ANONFTP_PASSWORD_FILE parameter is not specified, the /etc/passwd file is used. If the password file does not exist or is empty, message HCVHC0029W is logged on the client and the collector returns empty headers.

Error messages

• HCVHC0000E
• HCVHC0001E
• HCVHC0002E
• HCVHC0003E
• HCVHC0009E
• HCVHC0010E
• HCVHC0011W
• HCVHC0028W
• HCVHC0029W
• HCVUA0020E
• HCVUA0021E
• HCVUU0005W
• HCVUU0006E

unix.any.FileSearchV1.jar

Searches the specified file for a specific string, and returns the name of the file and the lines with the matching string.

Tables

UNIX_FILE_SEARCH_V1

Table 10. Column information for UNIX_FILE_SEARCH_V1

| Column Name | Description | Type (size) |
|---|---|---|
| FILENAME | The name of the file. | VARCHAR (256) |
| SEARCHSTRING | The search string used or null if FILENAME does not exist. | VARCHAR (128) |
| LINE | The line containing the matching string. | VARCHAR (512) |

Parameters

Table 11. Parameter information for unix.any.FileSearchV1.jar

| Parameter Name | Description | Required | Default Value |
|---|---|---|---|
| FILENAME | The fully qualified name of a file to search. Wildcards are not permitted. Blanks are respected for this parameter variable. | Yes | None. |
| SEARCHSTRING | The string to search for in the specified file. Wildcards can be used and blanks are respected for this parameter value. | Yes | None. |
| IGNORECASE | A Boolean value indicating whether case should be ignored while performing the search. | No | 1 (true) |
| COMMENT_DELIM | The beginning character of a comment line. | No | None. |
| LINE_CONT_DELIM | The delimiter for line continuation. | No | None. |

Notes

Searches the specified file for a string, and returns the name of the file and the lines with the matching string. If the search string occurs on more than one line in the file, each occurrence is returned in a separate row. Only one file can be specified. To search multiple files, use multiple instances of this collector.

Error messages

• HCVHC0000E
• HCVHC0004E
• HCVHC0005E
• HCVHC0008E
• HCVHC0022W
• HCVHC0023W
• HCVHC0030E
• HCVUA0070E
• HCVUA0071E

unix.any.UsersV1.jar

Returns user ID information.

Tables

UNIX_USERS_V1

Table 12. Column information for UNIX_USERS_V1

| Column Name | Description | Type (size) |
|---|---|---|
| USERNAME | User ID or logon name. | VARCHAR (32) |
| IS_ACCOUNT_ACTIVE | A Boolean value indicating whether the user’s account is locked. | SMALLINT |
| IS_PASSWD_EMPTY | A Boolean value indicating whether the user’s password field in the /etc/passwd file is empty or is the encrypted empty string. | SMALLINT |
| IS_PASSWD_ENCRYPT_USERNAME | A Boolean value indicating whether the password is the same as the user name. | SMALLINT |
| IS_MD5 | A Boolean value indicating whether the user’s password is MD5 encrypted. | SMALLINT |
| UID | Unique numeric ID for the user. | INTEGER |
| GID | Principal group ID of user. | INTEGER |
| GECOS | General information associated with the user that is not used by the system, such as an office location or phone number. | VARCHAR (200) |
| HOME | Fully qualified path name to the home directory of the user. | VARCHAR (200) |
| SHELL | Initial program or shell that is executed after a user invokes the login or su command. | VARCHAR (200) |

Parameters

Table 13. Parameter information for unix.any.UsersV1.jar

| Parameter Name | Description | Required | Default Value |
|---|---|---|---|
| SCAN_REMOTE | A Boolean flag indicating whether or not the data for remote users is to be collected. Specify 1 (true) to collect remote user data. | No | 0 (false) |

Notes

Collects user information from the /etc/passwd file. If the file does not exist, then message HCVHC0011W is logged on the client and the collector returns empty headers.

Error messages

• HCVHC0000E
• HCVHC0001E
• HCVHC0002E
• HCVHC0010E
• HCVHC0011W
• HCVHC0028W
• HCVHC0029W
• HCVHC0030E
• HCVUA0190W
• HCVUA0191E
• HCVUU0005W
• HCVUU0006E
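The flag columns shared by UNIX_ANONFTP_PASS_V1 and UNIX_USERS_V1 can be reproduced by hand when validating what a collector reported. This is an added example, not the collector's own logic: the lock test (a password field starting with "!" or "*"), the "$1$" MD5-crypt prefix test, and the sample entries are assumptions constructed for illustration, and IS_PASSWD_ENCRYPT_USERNAME is not derived because it requires hashing.

```shell
#!/bin/sh
# Added example: derive UNIX_USERS_V1-style flag columns from a passwd-format file.
# Assumptions (not documented on the page): a password field starting with "!"
# or "*" is treated as locked, "$1$" marks an MD5-crypt hash, and "x" means the
# hash is held in a shadow file, so it is reported as neither empty nor MD5.

# Prints one row per entry: USERNAME|IS_ACCOUNT_ACTIVE|IS_PASSWD_EMPTY|IS_MD5|UID|SHELL
# Malformed lines are reported on standard error and skipped.
passwd_flags() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        NF < 7 { printf "MALFORMED|%d\n", NR > "/dev/stderr"; next }
        {
            pw = $2
            active = (pw ~ /^[!*]/) ? 0 : 1   # locked markers: "!", "*", "*LK*"
            empty  = (pw == "") ? 1 : 0
            md5    = (pw ~ /^\$1\$/) ? 1 : 0
            printf "%s|%d|%d|%d|%s|%s\n", $1, active, empty, md5, $3, $7
        }' "$1"
}

# Lists the accounts a compliance policy would flag first:
# active accounts whose password field is empty.
empty_password_accounts() {
    passwd_flags "$1" 2>/dev/null | awk -F'|' '$2 == 1 && $3 == 1 { print $1 }'
}

# Writes a constructed sample file (not real account data) to the given path.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
ftp::14:50:Anonymous FTP:/var/ftp:/bin/false
alice:$1$Qx7a9Kd2$0123456789abcdefghijk.:1001:100:Alice:/home/alice:/bin/sh
bob:*LK*:1002:100:Bob:/home/bob:/bin/sh
carol:!:1003:100:Carol:/home/carol:/bin/sh
# comment line
broken:line
EOF
}
```

Point `passwd_flags` at the file named by ANONFTP_PASSWD_FILE under the FTP user's home directory to check the anonymous FTP case.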

unix.multi.NddV1.jar

This collector reports the configuration parameters of TCP/IP drivers.

Supported platforms

HP-UX and Sun Solaris Operating Environment

Tables

UNIX_NDD_V1

Table 14. Column information for UNIX_NDD_V1

| Column Name | Description | Type (size) |
|---|---|---|
| DRIVER | The name of the driver. | VARCHAR (60) |
| ATTRIBUTE | The name of the setting. | VARCHAR (128) |
| INTEGER_VALUE | The configuration value of the setting. | INTEGER |

Parameters

Table 15. Parameter information for unix.multi.NddV1.jar

| Parameter Name | Description | Required | Default Value |
|---|---|---|---|
| DRIVER_NAME | The name of the TCP/IP driver. | Yes | None. |
| DRIVER_ATTRIBUTE | The configuration setting for the driver specified as the first parameter. | Yes | None. |

Notes

If an attribute for a device has multiple integer values, then multiple rows are returned. Only one driver name can be specified. To gather data about multiple drivers, use multiple instances of this collector.

Error messages

- HCVHC0000E
- HCVHC0004E
- HCVHC0005E
- HCVHC0006E
- HCVHC0007E
- HCVHC0010E
- HCVUM0031E
- HCVUM0032E
- HCVUM0033E
- HCVUM0035E
- HCVUM0036E
- HCVUM0037W

unix.multi.ShadowV1.jar

Collects password parameter information from the /etc/shadow file.

Supported platforms

HP-UX, Linux, and Sun Solaris Operating Environment


Tables

UNIX_SHADOW_V1

Table 16. Column information for UNIX_SHADOW_V1

Column Name | Description | Type (size)
USERNAME | The user name. | VARCHAR (32)
LASTCHG | The date of the last password change. | DATE
MINAGE | The minimum number of days that are required between password changes. | INTEGER
MAXAGE | The maximum number of days that the password is valid. | INTEGER
WARNDAYS | The number of days before a password is set to expire that the user receives a message. | INTEGER
INACTIVE | The number of days of inactivity allowed for the user. | INTEGER
EXPIRE | The date after which the login can no longer be used. A value of null indicates that the password does not expire. | DATE
FLAG | Currently not used. | VARCHAR (10)
IS_ACCOUNT_ACTIVE | A Boolean flag indicating whether the account is active. | SMALLINT
IS_PASSWD_EMPTY | A Boolean flag indicating whether the password is null or empty. | SMALLINT
IS_PASSWD_ENCRYPT_USERNAME | A Boolean flag indicating whether the password is the same as the user name. | SMALLINT
IS_MD5 | A Boolean flag indicating whether the password is MD5 encrypted. | SMALLINT

Parameters

None.

Notes

Collects password parameter information from the /etc/shadow file. If the file does not exist, message HCVHC0011W is logged on the client and the collector returns empty headers. If the file exists but does not contain any valid data, message HCVHC0028W is logged on the client and the collector returns empty headers.

On Linux systems, the password is set to two exclamation points (!!) if no password is set. If the account is locked, the encrypted password in the file is preceded with a single exclamation point. Accounts without a password cannot be locked.

On Sun Solaris Operating Environment systems, an account with no password is represented by the characters "NP". An account that is locked is represented by the characters "LK".

The collector interprets the conditions where !!, NP, or LK is set as meaning that the user account is not active and sets IS_ACCOUNT_ACTIVE to 0 (false).


Most HP-UX systems do not support the use of the /etc/shadow file. However, if a patch has been applied adding the function, and the pwconv command has been run, the file might be present.
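The flag logic described in the notes above, as an added Python example that is not IBM's collector code: it maps /etc/shadow entries to the UNIX_SHADOW_V1 columns. The sample entries, the LOCKED_PREFIX field, the "*LK*" spelling and the "$1$" test for IS_MD5 are assumptions of the example; IS_PASSWD_ENCRYPT_USERNAME is left out.

```python
from datetime import date, timedelta

# Password-field markers the notes above say the collector reads as "not active".
# "*LK*" is added here: Solaris writes the LK marker wrapped in asterisks.
INACTIVE_MARKERS = {"!!", "NP", "LK", "*LK*"}

# Constructed sample in /etc/shadow layout; the hash is a made-up placeholder.
SAMPLE = """\
root:$1$abcdefgh$0123456789abcdefghijk.:12700:0:90:7:::
alice:!$1$abcdefgh$0123456789abcdefghijk.:12650:1:60:7:14:12784:
svc:!!:12600:0:99999:7:::
oracle:NP:12600::::::
guest::12600:0:99999:7:::
nobody:*LK*:6445::::::
broken:line
"""

def _num(field):
    return int(field) if field else None

def _day(field):
    # Shadow dates are counted in days since 1970-01-01; empty means unset.
    return date(1970, 1, 1) + timedelta(days=int(field)) if field else None

def parse_shadow_line(line):
    """Map one shadow entry to UNIX_SHADOW_V1 columns; None if malformed."""
    parts = line.strip().split(":")
    if len(parts) != 9 or not parts[0]:
        return None
    user, pw, lastchg, minage, maxage, warn, inactive, expire, flag = parts
    try:
        return {
            "USERNAME": user,
            "LASTCHG": _day(lastchg),
            "MINAGE": _num(minage),
            "MAXAGE": _num(maxage),
            "WARNDAYS": _num(warn),
            "INACTIVE": _num(inactive),
            "EXPIRE": _day(expire),          # None: the login does not expire
            "FLAG": flag,
            "IS_ACCOUNT_ACTIVE": 0 if pw in INACTIVE_MARKERS else 1,
            "IS_PASSWD_EMPTY": 1 if pw == "" else 0,
            # Assumption: "$1$" (MD5 crypt) is recognised behind a lock prefix too.
            "IS_MD5": 1 if pw.lstrip("!").startswith("$1$") else 0,
            # Not a collector column: a "!"-prefixed hash (locked on Linux),
            # which is none of the three markers the notes list.
            "LOCKED_PREFIX": pw.startswith("!") and pw.strip("!") != "",
        }
    except ValueError:          # non-numeric age or date field
        return None

def collect(text):
    rows = (parse_shadow_line(l) for l in text.splitlines())
    return [r for r in rows if r is not None]

def findings(rows):
    """Accounts an auditor would review first."""
    out = []
    for r in rows:
        if r["IS_PASSWD_EMPTY"]:
            out.append((r["USERNAME"], "empty password"))
        if r["LOCKED_PREFIX"] and r["IS_ACCOUNT_ACTIVE"]:
            out.append((r["USERNAME"], "locked with '!' but flagged active"))
    return out

if __name__ == "__main__":
    for r in collect(SAMPLE):
        print(r["USERNAME"], r["IS_ACCOUNT_ACTIVE"], r["IS_PASSWD_EMPTY"], r["IS_MD5"])
    print(findings(collect(SAMPLE)))
```

The notes name only !!, NP and LK as inactive markers, so the example reports a "!"-prefixed hash separately instead of guessing how the collector flags it.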

Error messages

- HCVHC0000E
- HCVHC0001E
- HCVHC0002E
- HCVHC0011W
- HCVHC0028W
- HCVHC0029W

win.any.NavV1.jar

Collects information about Norton and Symantec AntiVirus Corporate Edition software running on Windows systems. This information replaces the description in the IBM Tivoli Security Compliance Manager Collector and Message Reference.

Tables

WIN_NAV_V1

Table 17. Column information for WIN_NAV_V1

Column Name | Description | Type (size)
NAV_CLIENT_VERSION | The version of the Norton AntiVirus client. | VARCHAR (50)
LIVE_UPDATE_TIME | The time when virus definition Live Update occurs in hh:mm format. If no Live Update is scheduled or if the information is not available, null is returned. | VARCHAR (5)
LIVE_UPDATE_DAY_OF_WEEK | The day of the week when the virus definitions are updated, in the range 0 to 6, where 0 represents Sunday. If no Live Update is scheduled or if the information is not available, null is returned. | INTEGER
LIVE_UPDATE_DATE_OF_MONTH | The day of the month when the Live Update is performed. If no Live Update is scheduled or if the information is not available, null is returned. | INTEGER
LAST_VIRUS_DEFN_UPDATE | The time and date of the virus definition file. If the information is not available, null is returned. | TIMESTAMP
LAST_SCAN_DATE | The time and date of the last virus scan. If the information is not available, null is returned. | TIMESTAMP

Parameters

None.

Notes

The values returned for each column are obtained from Windows registry keys. Unless otherwise noted, the specified keys are used for all versions of the Norton AntiVirus software.

Field: Registry Keys

NAV_CLIENT_VERSION
    InstallDir value of HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton AntiVirus NT\Install and from HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\DLLUsage\VP6

LIVE_UPDATE_TIME, LIVE_UPDATE_DAY_OF_WEEK, LIVE_UPDATE_DATE_OF_MONTH
    Type value of HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\PatternManager\Schedule

LAST_VIRUS_DEFN_UPDATE
    Version 5.x: SystemTime value of HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton Antivirus\Virus Defs\LastUpdate
    All other versions: PatternFileDate value of HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion

LAST_SCAN_DATE
    Version 5.x: SystemTime value of HKEY_LOCAL_MACHINE\Software\Symantec\Norton Antivirus\LastScan
    All other versions: TimeOfLastScan value of HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion

The weekly update information is not available on Microsoft Windows NT 4.0 systems. This collector returns null in the LAST_VIRUS_DEFN_UPDATE and LAST_SCAN_DATE fields either when the registry key does not exist or when the value for the field does not exist in the registry key.

The collector can obtain information from supported versions of Norton AntiVirus Corporate Edition software up to Version 7.x, and Version 8.x of the Symantec AntiVirus Corporate Edition software.

Error messages

- HCVHC0000E
- HCVHC0012E
- HCVHC0013E
- HCVHC0016E
- HCVHC0017E
- HCVHC0025E
- HCVWA0100W
- HCVWA0101W
- HCVWA0102W
- HCVWU0003E
- HCVWU0004E
- HCVWU0005E
- HCVWU0006E
- HCVWU0007E
- HCVWU0008E
- HCVWU0009E

win.any.SnmpActiveV1.jar

Returns an indication of the existence of public and private SNMP Registry subkeys. This information replaces the description in the IBM Tivoli Security Compliance Manager Collector and Message Reference.

Tables

WIN_SNMP_V1

Table 18. Column information for WIN_SNMP_V1

Column Name | Description | Type (size)
PUBLIC_EXIST | A Boolean flag indicating that the SNMP Public key exists. | SMALLINT
PRIVATE_EXIST | A Boolean flag indicating that the SNMP Private key exists. | SMALLINT

Parameters

None.

Notes

The collector examines the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities registry key to obtain Simple Network Management Protocol (SNMP) community information. If the registry key does not exist, no SNMP communities exist and an empty row of headers is returned. If the registry key exists, the fields are set based on the type of communities defined.

Error messages

- HCVHC0000E
- HCVWA0170W


Chapter 6. Troubleshooting

This chapter provides additional information on diagnosing problems with IBM Tivoli Security Compliance Manager.

Server and client connectivity

Connectivity between the server and a client can be tested from the Clients page of the administration console. To verify that the server can communicate with the client and that the client can communicate with the server, select the client and then click Actions → Check client connection. This option is available for any client registered on the server. The response from this operation can be used to help diagnose connectivity problems. See Table 19 for possible responses and suggested actions.

Table 19. Check client connection responses

Response from operation | Meaning and corrective actions
Client id nnn response indicates it is suspended. | The client has been suspended using the scmsuspendclient command. Retry the operation after the client has been resumed.
Client id nnn response indicates it cannot connect to the server. | The server was able to contact the client, but the client cannot communicate with the server. Verify that the port and server names in the client.pref file are correct. Verify that network connectivity exists between the client and the server, and that any firewalls between the client and server are properly configured to permit network communication on the specified ports.
Client id nnn response indicates it cannot connect to the server. The client encountered the following error when attempting to connect to the server: exception-message | The server was able to communicate with the client, but an exception occurred when the client attempted to communicate with the server. Review the error and trace logs on the client and the server to determine the cause of the exception and correct the problem.
AccountingServer (ID=nnn) - com.ibm.jac.JACException: Error connecting to client: Connection refused: connect | The server was able to communicate with the client system, but the client is not running. Start the client and try the operation again.
AccountingServer (ID=nnn) - com.ibm.jac.JACException: Error connecting to client: Operation timed out: connect | The server was unable to communicate with the client system. Verify that the correct host name and IP address are specified for the client. Verify that the client type and port number are correct on the server. Verify that the server name and port number in the client.pref file on the client are correct. Verify that any firewalls between the server and the client are properly configured to permit network communication on the specified ports.


Appendix. Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in

other countries. Consult your local IBM representative for information on the

products and services currently available in your area. Any reference to an IBM

product, program, or service is not intended to state or imply that only that IBM

product, program, or service may be used. Any functionally equivalent product,

program, or service that does not infringe any IBM intellectual property right may

be used instead. However, it is the user’s responsibility to evaluate and verify the

operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter

described in this document. The furnishing of this document does not give you

any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing

IBM Corporation

500 Columbus Avenue

Thornwood, NY 10594

U.S.A

For license inquiries regarding double-byte (DBCS) information, contact the IBM

Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation

Licensing

2-31 Roppongi 3-chome, Minato-ku

Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other

country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS

PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER

EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS

FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or

implied warranties in certain transactions, therefore, this statement may not apply

to you.

This information could include technical inaccuracies or typographical errors.

Changes are periodically made to the information herein; these changes will be

incorporated in new editions of the publication. IBM may make improvements

and/or changes in the product(s) and/or the program(s) described in this

publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for

convenience only and do not in any manner serve as an endorsement of those Web

sites. The materials at those Web sites are not part of the materials for this IBM

product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it

believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose

of enabling: (i) the exchange of information between independently created

programs and other programs (including this one) and (ii) the mutual use of the

information which has been exchanged, should contact:

IBM Corporation

2Z4A/101

11400 Burnet Road

Austin, TX 78758

USA

Such information may be available, subject to appropriate terms and conditions,

including in some cases, payment of a fee.

The licensed program described in this information and all licensed material

available for it are provided by IBM under terms of the IBM Customer Agreement,

IBM International Program License Agreement, or any equivalent agreement

between us.

Customers are responsible for ensuring their own compliance with various laws

such as the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, and the Health

Insurance Portability and Accountability Act. It is the customer’s sole responsibility

to obtain advice of competent legal counsel as to the identification and

interpretation of any relevant laws that may affect the customer’s business and any

actions the customer may need to take to comply with such laws. IBM does not

provide legal, accounting or auditing advice, or represent or warrant that its

products or services will ensure that customer is in compliance with any law.

Any performance data contained herein was determined in a controlled

environment. Therefore, the results obtained in other operating environments may

vary significantly. Some measurements may have been made on development-level

systems and there is no guarantee that these measurements will be the same on

generally available systems. Furthermore, some measurements may have been

estimated through extrapolation. Actual results may vary. Users of this document

should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of

those products, their published announcements or other publicly available sources.

IBM has not tested those products and cannot confirm the accuracy of

performance, compatibility or any other claims related to non-IBM products.

Questions on the capabilities of non-IBM products should be addressed to the

suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or

withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business

operations. To illustrate them as completely as possible, the examples include the

names of individuals, companies, brands, and products. All of these names are

fictitious and any similarity to the names and addresses used by an actual business

enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color

illustrations may not appear.


Additional notices

THIRD PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND

INFORMATION

The license agreement for this product refers you to this file for details concerning

terms and conditions applicable to third party software code included in this

product, and for certain notices and other information IBM must provide to you

under its license to certain software code. The relevant terms and conditions,

notices and other information are provided or referenced below. Please note that

any non-English version of the licenses below is unofficial and is provided to you

for your convenience only. The English version of the licenses below, provided as

part of the English version of this file, is the official version.

Notwithstanding the terms and conditions of any other agreement you may have

with IBM or any of its related or affiliated entities (collectively “IBM”), the third

party software code identified below are “Excluded Components” and are subject

to the following terms and conditions:

(a) the Excluded Components are provided on an “AS IS” basis;

(b) IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES

AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS,

INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF

NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES

AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A

PARTICULAR PURPOSE;

(c) IBM will not be liable to you or indemnify you for any claims related to the

Excluded Components; and

(d) IBM will not be liable for any direct, indirect, incidental, special, exemplary,

punitive or consequential damages with respect to the Excluded Components.

Notice for Apache Software Foundation

This product includes software developed by the Apache Software Foundation

(http://www.apache.org/).

Trademarks

The following terms are trademarks or registered trademarks of International

Business Machines Corporation in the United States, other countries, or both:

AIX

DB2

DB2 Universal Database

IBM

IBM logo

Lotus

SmartSuite

Tivoli

Tivoli logo

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of

Microsoft Corporation in the United States, other countries, or both.


Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation

in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered

trademarks of Sun Microsystems, Inc. in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or

both.

UNIX is a registered trademark of The Open Group in the United States and other

countries.

Other company, product, and service names may be trademarks or service marks

of others.


Printed in USA

GI11-4617-00