[BESAdmin-Announcements] NEW Security Configuration Management (SCM) Content Sites for Unix Systems

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Wed Jun 15 19:14:42 PDT 2011


IBM Tivoli Endpoint Manager for Security and Compliance

NEW Security Configuration Management (SCM) Content Sites for Unix Systems
Release Announcement for 15 June 2011 Unix content release with new fixlet
parameterization model

In addition to the recently announced update to the existing SCM content
sites for Unix, IBM is pleased to announce the availability of new fixlet
content sites for Unix security configuration management.

The main purpose of this release of new SCM content for Unix systems is to
now offer a new model for editing the parameters for checks and remediation
actions. This is the same usage model for parameterization already
available in the DISA STIG checklists for Windows systems. This release
also contains several updates and fixed issues. Additional information is
included below.

Each of these content sites contains security configuration checks that
evaluate and, if desired, remediate the security settings of your endpoints
according to the US Department of Defense DISA STIGs, which "contain technical
guidance to 'lock down' information systems/software that might otherwise
be vulnerable to a malicious computer
attack" (http://iase.disa.mil/stigs/). As with most of the existing SCM
content in the Tivoli Endpoint Manager for Security and Compliance library,
most checks include a corresponding analysis property to report actual
values (not just pass/fail), and many checks have a parameterized setting
enabling simple customization for compliance evaluation and remediation.


---- AFFECTED SITES ----
The following content sites are NEW and use the new model for
parameterization:

DISA STIG Checklist for AIX 5.1      site version 2
DISA STIG Checklist for AIX 5.2      site version 1
DISA STIG Checklist for AIX 5.3      site version 1
DISA STIG Checklist for AIX 6.1      site version 1
DISA STIG Checklist for HPUX 11.00   site version 1
DISA STIG Checklist for HPUX 11.11   site version 1
DISA STIG Checklist for HPUX 11.23   site version 1
DISA STIG Checklist for RHEL 3       site version 1
DISA STIG Checklist for RHEL 4       site version 1
DISA STIG Checklist for RHEL 5       site version 1
DISA STIG Checklist for Solaris 8    site version 1
DISA STIG Checklist for Solaris 9    site version 1
DISA STIG Checklist for Solaris 10   site version 1

The following sites, which were also updated earlier today to address
several issues, are SUPERSEDED by the sites listed above, although
customers may continue to use them (these sites will continue to be
available and supported for some time).

SCM Checklist DISA STIG on AIX 5.1      site version 17
SCM Checklist DISA STIG on AIX 5.2      site version 15
SCM Checklist DISA STIG on AIX 5.3      site version 17
SCM Checklist DISA STIG on AIX 6.1      site version 13
SCM Checklist DISA STIG on HP-UX 11.00  site version 15
SCM Checklist DISA STIG on HP-UX 11.11  site version 13
SCM Checklist DISA STIG on HP-UX 11.23  site version 13
SCM Checklist DISA STIG on RedHat 3     site version 13
SCM Checklist DISA STIG on RedHat 4     site version 13
SCM Checklist DISA STIG on RedHat 5     site version 11
SCM Checklist DISA STIG on Solaris 8    site version 13
SCM Checklist DISA STIG on Solaris 9    site version 13
SCM Checklist DISA STIG on Solaris 10   site version 19

*Note: RHEL/RedHat content is also supported on CentOS.


---- CHANGES ----
MULTIPLE FIXLETS - a new model for parameterizing checks and remediation is
now available. Where available, each check contains information and a form
on the fixlet Description tab that allows a user with WRITE permissions for
the site in the Console to set the value(s) for the check and remediation
directly within the instance of the fixlet, allowing the compliance check
and the desired values to be self-contained within each fixlet. This
differs from the previous implementation in which each fixlet had a
separate, corresponding "control parameterization" task that changed the
values being checked and remediated in an externalized file on the
endpoint.

GEN000460, GEN000540, GEN000560, GEN000600a, GEN000620, GEN000680,
GEN000700, GEN000800, GEN000880, GEN001440, GEN001460, GEN001500,
GEN001520, GEN001540, GEN001860, GEN001880, GEN001900, GEN001960,
GEN001980, GEN002000, GEN002020, GEN002040, GEN002060c, GEN002060d,
GEN002140, GEN004780, GEN005000, GEN005040, GEN005120a, GEN005120b,
GEN005180 - modified to ignore netgroups in the /etc/passwd file.

GEN000600a - resolved an issue on AIX in which remediation would fail if
the default: stanza AND an individual user's stanza were out of compliance.

GEN000460, GEN000580, GEN000600a, GEN000600b, GEN000620, GEN000640 - a
parameter has been added for Linux fixlets to allow the console operator to
define in which PAM file to look for the desired setting.

GEN000460 - the fixlet description was modified.

GEN000800 - the shell script for Linux was revised to make it more
consistent with the other PAM checks; removed remediation capabilities on
Linux.

SCM Reporting site - updated to accommodate the new checklists.
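
The netgroup change listed above matters because NIS compat lines in
/etc/passwd (for example "+@netgroup") are not local accounts, yet a check
that walks the file field by field will treat them as accounts. The sketch
below is an added example, not the fixlets' own script: the blank-password
check, the function names and the sample data are all assumptions chosen to
show the false positive and the filtered result side by side.

```shell
#!/bin/sh
# Added illustration: why a passwd-based check should skip netgroup entries.
# All names and data here are hypothetical; this is not the fixlet code.

# Constructed sample in /etc/passwd format with NIS compat entries.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
svc::1002:1002::/home/svc:/bin/sh
+@admins::::::
-@contractors::::::
+bob::::::
+::::::
EOF
}

# Naive check: report every line whose password field (field 2) is empty.
# Compat entries have empty fields, so they show up as false positives.
blank_pw_naive() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Netgroup-aware check: skip blank lines, comments and any NIS compat
# entry (+user, -user, +@netgroup, -@netgroup, bare +) before testing.
blank_pw_local() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }
        $1 ~ /^[+-]/       { next }
        $2 == ""           { print $1 }
    ' "$1"
}

# List the netgroup references separately so they can be reviewed
# against the NIS configuration instead of being silently dropped.
netgroup_refs() {
    awk -F: '$1 ~ /^[+-]@/ { print $1 }' "$1"
}

tmp=$(mktemp) && sample_passwd > "$tmp"
echo "naive findings:    $(blank_pw_naive "$tmp" | tr '\n' ' ')"
echo "local findings:    $(blank_pw_local "$tmp" | tr '\n' ' ')"
echo "netgroup entries:  $(netgroup_refs "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

On the constructed sample the naive pass reports five names, four of which
are compat entries, while the filtered pass reports only the local account
"svc".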


---- KNOWN ISSUES ----
GEN001700 on Solaris systems may create STDERR if it encounters a dead
symbolic link. This should not affect the compliance status of this fixlet.

Create Custom Checklist Wizard - under certain circumstances after a
significant number of fixlets have been deleted in custom sites, an error
may occur when attempting to use the wizard to create a new custom site.
Should you encounter this issue please contact IBM technical support (ref
43156, ref 39094).


---- ACTIONS TO TAKE ----
All customers that currently license the Tivoli Endpoint Manager for
Security and Compliance product, the BigFix SCMv3 solution module, the
BigFix SCVM solution pack, or the BigFix SLM+SCVM solution bundle are
entitled to the new content. If you are using BES 8.0 or Tivoli Endpoint
Manager 8.1 and you are entitled to the new content, you may use the
License Overview dashboard to enable and gather the sites.


---- PRE-REQUISITES AND ADDITIONAL INSTRUCTIONS ----
- Minimum version of the Tivoli Endpoint Manager client on all endpoints to
run the new content: 8.1.551.0.

- Ensure you have enabled the SCM Reporting content site.

- Do not subscribe computers to the external sites. Instead, content should
be copied to a custom site using the "Create Custom Checklist Wizard".

- Once the content is copied to the custom site:
   -- Remove any undesired checks and analyses.
   -- Deactivate all analyses except those for which you desire measured
      values reports. This will reduce the amount of time that the client
      takes to complete a full evaluation cycle and will also reduce
      unnecessary network traffic between the endpoints, relays and server.
   -- Set the computer subscriptions for the site, taking care to use
      appropriate selection criteria for the particular site.

- To deploy:
   -- Use the "Configure Filesystem Scan Options" fixlet to control which
      file systems and directories are included and excluded in a given scan.
      Note that on older and larger systems a scan can take significant
      time to complete, so care should be taken to only include what you
      need for your security policy.
   -- Optionally change the current values by using the check
      parameterization forms available on the Description tab of applicable
      fixlets.
   -- Execute the "Deploy and Run Security Checklist" task. This task
      enacts your parameter changes and executes a scan of the targeted
      endpoints using the current parameters contained in each fixlet and
      the settings defined in the "Configure Filesystem Scan Options" fixlet.

      Once this task has completed, and the client has completed its
      evaluation loop, compliance results will be visible in the TEM console
      and Security and Compliance Analytics will reflect the latest pass/fail
      state, desired values, and measured values upon the next import.




Please contact IBM Tivoli Endpoint Manager Technical Support if you have
any questions regarding this update.

We hope you find this latest release of SCM content useful and effective.

Thank you!
  -- The Tivoli Endpoint Manager for Security and Compliance product team


