
Front cover

Certification Study Guide:
IBM Tivoli Compliance Insight Manager V8.5

• Developed specifically for Tivoli Compliance Insight Manager
• Explains the certification path and prerequisites
• Includes sample test questions and answers

Axel Buecker
Frank Muehlenbrock
Murat Yildiz

ibm.com/redbooks
International Technical Support Organization

Certification Study Guide:
IBM Tivoli Compliance Insight Manager V8.5

September 2008

SG24-7664-00
Note: Before using this information and the product it supports, read the information in
“Notices” on page vii.

First Edition (September 2008)

This edition applies to Version 8.5 of IBM Tivoli Compliance Insight Manager.
© Copyright International Business Machines Corporation 2008. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
Contents

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viii

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
The team that wrote this book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Become a published author . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Comments welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Chapter 1. Certification overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1


1.1 IBM Professional Certification Program . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1.1 Benefits of certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.2 Tivoli Software Professional Certification . . . . . . . . . . . . . . . . . . . . . . 4
1.2 IBM Tivoli Compliance Insight Manager V8.5 certification . . . . . . . . . . . . . 7
1.2.1 Job description and target audience . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2.2 Key areas of competency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.2.3 Required prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.2.4 Test 937 objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.3 Recommended educational resources . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
1.3.1 Courses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Chapter 2. Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.2 Product architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
2.2.1 Tivoli Compliance Insight Manager cluster . . . . . . . . . . . . . . . . . . . . 43
2.2.2 Tivoli Compliance Insight Manager Enterprise Server . . . . . . . . . . . 43
2.2.3 Tivoli Compliance Insight Manager Standard Server . . . . . . . . . . . . 45
2.2.4 Actuators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2.2.5 Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
2.2.6 The iView Web portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
2.2.7 Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
2.2.8 Component architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.3 Product processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
2.3.1 Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.3.2 Mapping and loading. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
2.3.3 Data aggregation and consolidation . . . . . . . . . . . . . . . . . . . . . . . . . 72
2.3.4 Reporting and presentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
2.4 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Chapter 3. Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

© Copyright IBM Corp. 2008. All rights reserved. iii


3.1 Planning of the installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
3.1.1 Supported software and operating systems . . . . . . . . . . . . . . . . . . . 78
3.1.2 Network traffic requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
3.1.3 Centralized user management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
3.2 Installation of Tivoli Compliance Insight Manager . . . . . . . . . . . . . . . . . . . 81
3.2.1 Security Server installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
3.2.2 Installation of Tivoli Compliance Insight Manager Standard Server . 82
3.2.3 Installation of Tivoli Compliance Insight Manager Enterprise Server 88
3.2.4 Registering a Standard Server with the Enterprise Server . . . . . . . . 88
3.3 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Chapter 4. Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
4.1 Auditing settings for the Windows platforms . . . . . . . . . . . . . . . . . . . . . . . 92
4.1.1 Auditing settings for the Windows Security log . . . . . . . . . . . . . . . . . 92
4.1.2 Active Directory audit policy settings. . . . . . . . . . . . . . . . . . . . . . . . . 93
4.1.3 File server settings: Object access auditing . . . . . . . . . . . . . . . . . . . 96
4.2 Auditing settings for UNIX-based platforms . . . . . . . . . . . . . . . . . . . . . . 102
4.2.1 Configuration of the auditing settings on an AIX system. . . . . . . . . 102
4.3 Configuring the new event sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.3.1 Create the GEM database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.3.2 Create system group and add Windows machines . . . . . . . . . . . . . 104
4.3.3 Add event sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
4.4 Installing an Actuator on a target machine . . . . . . . . . . . . . . . . . . . . . . . 116
4.5 Configuration of the audit policy (W7 groups and rules) . . . . . . . . . . . . . 119
4.5.1 Adding User Information Sources (UIS) . . . . . . . . . . . . . . . . . . . . . 119
4.5.2 Configuring a new policy with W7 rules . . . . . . . . . . . . . . . . . . . . . 127
4.5.3 Load the database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
4.6 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Chapter 5. Performance tuning and problem determination. . . . . . . . . . 151


5.1 Problem determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
5.1.1 Problem determination of installation errors . . . . . . . . . . . . . . . . . . 152
5.1.2 Problem determination of operation errors . . . . . . . . . . . . . . . . . . . 156
5.2 Troubleshooting using log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
5.2.1 Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
5.3 Diagnostic and performance tuning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
5.3.1 Dynamical Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
5.4 The Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
5.5 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Chapter 6. Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179


6.1 Administration of a Tivoli Compliance Insight Manager environment . . . 180
6.1.1 Management Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
6.1.2 Primary administration responsibilities . . . . . . . . . . . . . . . . . . . . . . 181

iv Certification Study Guide: IBM Tivoli Compliance Insight Manager V8.5


6.2 Reporting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
6.2.1 iView reporting application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
6.2.2 Log Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
6.2.3 Policy Generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
6.2.4 Scoping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
6.3 Conclusion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Appendix A. Sample questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189


Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Answer key. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207


IBM Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Other publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Online resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
How to get Redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Help from IBM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult
your local IBM representative for information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product, program, or service that
does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document.
The furnishing of this document does not give you any license to these patents. You can send license
inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such
provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION
PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer
of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made
to the information herein; these changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s) described in this publication at
any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any
manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the
materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without
incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published
announcements or other publicly available sources. IBM has not tested those products and cannot confirm
the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on
the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them
as completely as possible, the examples include the names of individuals, companies, brands, and products.
All of these names are fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming
techniques on various operating platforms. You may copy, modify, and distribute these sample programs in
any form without payment to IBM, for the purposes of developing, using, marketing or distributing application
programs conforming to the application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested under all conditions. IBM,
therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.


Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business
Machines Corporation in the United States, other countries, or both. These and other IBM trademarked
terms are marked on their first occurrence in this information with the appropriate symbol (® or ™),
indicating US registered or common law trademarks owned by IBM at the time this information was
published. Such trademarks may also be registered or common law trademarks in other countries. A current
list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml

The following terms are trademarks of the International Business Machines Corporation in the United States,
other countries, or both:

AIX 5L™
AIX®
DB2®
IBM®
Redbooks®
Redbooks (logo)®
Tivoli®
z/OS®

The following terms are trademarks of other companies:

Snapshot, and the NetApp logo are trademarks or registered trademarks of NetApp, Inc. in the U.S. and
other countries.

Novell, the Novell logo, and the N logo are registered trademarks of Novell, Inc. in the United States and
other countries.

Oracle, JD Edwards, PeopleSoft, Siebel, and TopLink are registered trademarks of Oracle Corporation
and/or its affiliates.

Java, JavaScript, Solaris, Sun, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in
the United States, other countries, or both.

Active Directory, Internet Explorer, Microsoft, Win32, Windows NT, Windows Server, Windows, and the
Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Preface

This IBM® Redbooks® publication is a study guide for IBM Tivoli® Compliance
Insight Manager Version 8.5 and is meant for those who want to achieve IBM
Certifications for this specific product.

The IBM Tivoli Compliance Insight Manager Certification, offered through the
Professional Certification Program from IBM, is designed to validate the skills
required of technical professionals who work in the implementation of the IBM
Tivoli Compliance Insight Manager Version 8.5 product.

This book provides a combination of theory and practical experience needed for
a general understanding of the subject matter. It also provides sample questions
that will help in the evaluation of personal progress and provide familiarity with
the types of questions that will be encountered in the exam.

This publication does not replace practical experience, and it is not designed to
be a stand-alone guide for any subject. Instead, it is an effective tool that, when
combined with education activities and experience, can be a very useful
preparation guide for the exam.

The team that wrote this book


This book was produced by a team of specialists from around the world working
at the International Technical Support Organization, Austin Center.

Axel Buecker is a Certified Consulting Software IT Specialist at the International
Technical Support Organization (ITSO), Austin Center. He writes extensively and
teaches IBM classes worldwide on areas of software security architecture and
network computing technologies. He holds a degree in Computer Science from the
University of Bremen, Germany. He has 21 years of experience in a variety of areas
related to workstation and systems management, network computing, and
e-business solutions. Before joining the ITSO in March 2000, Axel worked for IBM in
Germany as a Senior IT Specialist in Software Security Architecture.


Frank Muehlenbrock is an IBM Information Security Manager.
After supporting pre-sales and services activities in Germany
for the IBM Tivoli Security Compliance Manager, he has
specialized in recent years in implementing, managing, and
maintaining security policies, standards, and guidelines, as well
as in the areas of Security Management, IT Risk Assessment,
Governance, and Operational Risk Management. He has
managed Information Security for a large global outsourcing customer of IBM
that has a presence in Europe and North America. Frank studied Information
Management at the Fachhochschule Reutlingen, Germany. He is an accredited
Security Architect and also holds the CISM certification of the ISACA
organization (Certified Information Security Manager). He also holds several
other industry certifications (MCSE and MCT), which he achieved during his 21
years in the information technology industry. Frank was the co-author for two
previous IBM Redbooks publications about Tivoli Compliance Insight Manager.
He has also published several technical articles and a book about implementing
security guidelines. He is currently writing an additional book on computer
forensics, which will be published in Q4 of 2008.

Murat Yildiz is an Information Security Manager with international experience in IT
security, privacy, and risk and compliance management. During the last eight years
with IBM Germany, Murat worked on multiple global strategic outsourcing accounts
as the Information Security Manager responsible for the security transition of
customer IT environments. Murat developed and implemented several IT security
policies, processes, and procedures. He also conducted physical and logical security
audits with a Europe-wide scope. Murat studied Computer Science Communication
Technology at the University of Applied Sciences, Worms, Germany. He holds the
professional certifications Certified Information Security Manager (CISM), Certified
Information Systems Security Professional (CISSP), and Project Management
Professional (PMP).

Thanks to the following people for their contributions to this project:

Wade Wallace
International Technical Support Organization, Austin Center

Stephanie Blackwood, Martijn Naber, Rudy Tan
IBM Netherlands


Become a published author
Join us for a two- to six-week residency program! Help write a book dealing with
specific products or solutions, while getting hands-on experience with
leading-edge technologies. You will have the opportunity to team with IBM
technical professionals, Business Partners, and Clients.

Your efforts will help increase product acceptance and customer satisfaction. As
a bonus, you will develop a network of contacts in IBM development labs, and
increase your productivity and marketability.

Find out more about the residency program, browse the residency index, and
apply online at:
ibm.com/redbooks/residencies.html

Comments welcome
Your comments are important to us!

We want our books to be as helpful as possible. Send us your comments about
this book or other IBM Redbooks in one of the following ways:
• Use the online Contact us review Redbooks form found at:
ibm.com/redbooks
• Send your comments in an e-mail to:
redbooks@us.ibm.com
• Mail your comments to:
IBM Corporation, International Technical Support Organization
Dept. HYTD Mail Station P099
2455 South Road
Poughkeepsie, NY 12601-5400

Chapter 1. Certification overview


This chapter provides an overview of the skill requirements needed to obtain an
IBM Advanced Technical Expert certification. The following sections are
designed to provide a comprehensive review of specific topics that are essential
for obtaining the certification:
• IBM Professional Certification Program
• IBM Tivoli Compliance Insight Manager Version 8.5 certification
• Recommended study resources


1.1 IBM Professional Certification Program
Having the right skills for the job is critical in the growing global marketplace. IBM
Professional Certification, designed to validate skills and proficiency in the latest
IBM solution and product technology, can help provide that competitive edge.
The IBM Professional Certification Program Web site is available at:
http://www.ibm.com/certify/index.shtml

The Professional Certification Program from IBM offers a business solution for
skilled technical professionals seeking to demonstrate their expertise to the
world.

The program is designed to validate your skills and demonstrate your proficiency
in the latest IBM technology and solutions. In addition, professional certification
can help you excel at your job by giving you and your employer confidence that
your skills have been tested. You may be able to deliver higher levels of service
and technical expertise than non-certified employees and move on a faster
career track. Professional certification puts your career in your control.

The certification requirements are tough, but not impossible. Certification is a
rigorous process that differentiates you from everyone else. The mission of IBM
Professional Certification is to:
• Provide a reliable, valid, and fair method of assessing skills and knowledge
• Provide IBM with a method of building and validating the skills of individuals
and organizations
• Develop a loyal community of highly skilled certified professionals who
recommend, sell, service, support, and use IBM products and solutions

The Professional Certification Program from IBM has developed certification role
names to guide you in your professional development. The certification role
names include IBM Certified Specialist, IBM Certified Solutions/Systems Expert,
and IBM Certified Advanced Technical Expert for technical professionals who
sell, service, and support IBM solutions.

For technical professionals in application development, the certification roles
include IBM Certified Developer Associate and IBM Certified Developer. IBM
Certified Instructor certifies the professional instructor.

The Professional Certification Program from IBM provides you with a structured
program leading to an internationally recognized qualification. The program is
designed for flexibility by enabling you to select your role, prepare for and take
tests at your own pace, and, in some cases, select from a choice of elective tests
best suited to your abilities and needs. Some roles also offer a shortcut by giving
credit for a certification obtained in other industry certification programs.


You might be a network administrator, systems integrator, network integrator,
solution architect, solution developer, value-added reseller, technical
coordinator, sales representative, or educational trainer. Regardless of your role,
you can start charting your course through the Professional Certification Program
from IBM today.

1.1.1 Benefits of certification


Certification is a tool to help objectively measure the performance of a
professional on a given job at a defined skill level. Therefore, it is beneficial for
individuals who want to validate their own skills and performance levels, their
employees, or both. For optimum benefit, the certification tests must reflect the
critical tasks required for a job, the skill levels of each task, and the frequency by
which a task needs to be performed. IBM prides itself in designing
comprehensive, documented processes that ensure that IBM certification tests
remain relevant to the work environment of potential certification candidates.

In addition to assessing job skills and performance levels, professional
certification may also provide such benefits as:
• For employees:
– Promotes recognition as an IBM Certified Professional
– Helps to create advantages in interviews
– Assists in salary increases, corporate advancement, or both
– Increases self-esteem
– Provides continuing professional benefits
• For employers:
– Measures the effectiveness of training
– Reduces course redundancy and unnecessary expenses
– Provides objective benchmarks for validating skills
– Makes long-range planning easier
– Helps to manage professional development
– Aids as a hiring tool
– Contributes to competitive advantage
– Increases productivity, morale, and loyalty

• For Business Partners and consultants:
– Provides independent validation of technical skills
– Creates competitive advantage and business opportunities
– Enhances prestige of the team
– Contributes to IBM requirements for various IBM Business Partner
programs

Specific benefits might vary by country (region) and role. In general, after you
become certified, you should receive the following benefits:
• Industry recognition
Certification may accelerate your career potential by validating your
professional competency and increasing your ability to provide solid, capable
technical support.
• Program credentials
As a certified professional, you receive an e-mail with your certificate of
completion and the certification mark associated with your role for use in
advertisements and business literature. You can also request a hardcopy
certificate, which includes a wallet-size certificate.
The Professional Certification Program from IBM acknowledges the individual
as a technical professional. The certification mark is for the exclusive use of
the certified individual.
• Ongoing technical vitality
IBM Certified Professionals are included in mailings from the Professional
Certification Program from IBM.

1.1.2 Tivoli Software Professional Certification


The IBM Tivoli Professional Certification Program offers certification testing that
sets the standard for qualified product consultants, administrators, architects,
and partners.

The program also offers an internationally recognized qualification for technical
professionals who are seeking to apply their expertise in today's complex
business environment. The program is designed for those who implement, buy,
sell, service, and support Tivoli solutions and who want to deliver higher levels of
service and technical expertise.

Whether you are a Tivoli customer, partner, or technical professional wanting to
put your career on the fast track, you can start your journey to becoming a Tivoli
Certified Professional today.


Benefits of being Tivoli certified
Tivoli Certification has the following benefits:
• For the individual:
– IBM Certified certificate and use of logos on business cards

Note: Certificates are sent by e-mail; however, a paper copy of the
certificate and a laminated wallet card can also be requested by
sending an e-mail to certify@us.ibm.com.

– Recognition of your technical skills by your peers and management
– Enhanced career opportunities
– Focus for your professional development
• For the Business Partner:
– Confidence in the skills of your employees
– Enhanced partnership benefits from the Business Partner Program
– Higher rates for billing out your employees
– Stronger customer proposals
– Demonstration of the depth of technical skills available to prospective
customers
• For the customer:
– Confidence in the services professionals handling your implementation
– Ease of hiring competent employees to manage your Tivoli environment
– Enhanced return on investment (ROI) through more thorough integration
with Tivoli and third-party products
– Ease of selecting a Tivoli Business Partner that meets your specific needs

Certification checklist
Here is the certification checklist:
1. Select the certification you would like to pursue.
2. Determine which tests are required by reading the certification role
description.


3. Prepare for the test, using the following resources:
– Test objectives
– Recommended educational resources
– Sample/Assessment test
– Other reference materials
– Opportunities for experience

Note: These resources are available from each certification description
page and from the Test information page.

4. Register to take a test, by contacting one of our worldwide testing vendors:
– Thomson Prometric
– Pearson Virtual University Enterprises (VUE)

Note: When providing your name and address to the testing vendor, be
sure to specify your name exactly as you would like it to appear on your
certificate.

5. Take the test. Be sure to keep the Examination Score Report provided upon
test completion as your record of taking the test.

Note: After you take the test, the results and demographic data (such as
name, address, e-mail, and phone number) are sent from the testing
vendor to IBM for processing (allow two to three days for transmittal and
processing). After all the tests required for a certification are passed and
received by IBM, your certificate will be issued.

6. Repeat steps three through five until all required tests are successfully
completed for the certification. If there are additional requirements (such as
another vendor certification or exam), follow the instructions on the
certification description page to submit these requirements to IBM.
7. After you have met the requirements, you will be sent an e-mail asking you to
accept the terms of the IBM Certification Agreement.
8. Upon your acceptance, you receive an e-mail with the following deliverables:
– A Certification Certificate in PDF format, which can be printed in either
color or black and white
– A set of graphic files containing the IBM Professional Certification mark
associated with the certification achieved
– Guidelines for the use of the IBM Professional Certification mark
9. To avoid an unnecessary delay in receiving your certificate, ensure that your
current e-mail is on file by keeping your profile up to date. If you do not have
an e-mail address on file, your certificate will be sent by postal mail.

After you receive a certificate by e-mail, you can also contact IBM at
certify@us.ibm.com to request that a hardcopy certificate be sent by postal mail.

Note: IBM reserves the right to change or delete any portion of the program,
including the terms and conditions of the IBM Certification Agreement, at any
time without notice. Some certification roles offered through the IBM
Professional Certification Program require recertification.

1.2 IBM Tivoli Compliance Insight Manager V8.5 certification

In this section, we describe the certification process for IBM Tivoli
Compliance Insight Manager.

Important: IBM offers the following promotion code, which is good for a 15%
discount on the indicated Tivoli certification exams if taken at any Thomson
Prometric testing center:
▪ Code: 15T937
▪ Percentage off: 15%
▪ Valid for exams: 000-937
▪ Expires: 12/31/2009

1.2.1 Job description and target audience

An IBM Certified Deployment Professional - Tivoli Compliance Insight Manager
V8.5 is an individual who has demonstrated the ability to implement and support
an IBM Tivoli Compliance Insight Manager solution. It is expected that this
person is able to perform the following tasks independently a majority of the time,
and in some situations, take leadership and provide mentoring to peers. It is
expected that this person will be able to perform these tasks with limited
assistance from peers, product documentation and vendor support services.

1.2.2 Key areas of competency
The following list gives you an overview of the key areas of competency you
should be familiar with:
▪ Describe the IBM Tivoli Compliance Insight Manager V8.5 architecture and
components.
▪ Plan and design an IBM Tivoli Compliance Insight Manager V8.5 solution
based on customer requirements/environment.
▪ Install and configure prerequisites to IBM Tivoli Compliance Insight Manager
V8.5.
▪ Install and configure IBM Tivoli Compliance Insight Manager V8.5
infrastructure components.
▪ Use available interfaces to configure and administer the IBM Tivoli
Compliance Insight Manager V8.5 environment.
▪ Perform performance tuning and problem determination for IBM Tivoli
Compliance Insight Manager V8.5.

1.2.3 Required prerequisites

The prerequisites for passing Certification Test 937 include:
▪ In-depth understanding and knowledge of IBM Tivoli Compliance Insight
Manager V8.5
▪ Hands-on experience administering an IBM Tivoli Compliance Insight
Manager V8.5 environment
▪ Strong working knowledge of networks and network management
▪ Strong working knowledge of protocols, including TCP/IP and SNMP
▪ Working knowledge of operating systems (UNIX® and Windows®)
▪ Working knowledge of scripting languages (shell scripting, Rules files, and
regular expressions)
▪ Working knowledge of SQL
▪ Working knowledge of operating system utilities (ftp, telnet, sftp, ssh, and text
editors)

1.2.4 Test 937 objectives
Let us take a closer look at the five objective areas for this test:
▪ Planning
▪ Installation
▪ Configuration
▪ Performance Tuning and Problem Determination
▪ Administration

Section 1: Planning
This section provides further information about the planning area of the test.
▪ Given the customer reporting needs, determine which report requirements
can be supported by Tivoli Compliance Insight Manager so that a reporting
plan can be established for the implementation. The emphasis is on being
able to perform the following steps:
– Identify the customer report needs.
– Analyze the reports requested by the customer.
– Determine which of these reports can be generated by Tivoli Compliance
Insight Manager.
– Categorize the reports per platform.
– Deliver a list of reports that can be produced.
– Discuss with the customer how the reports should be distributed: per
platform, per department, and with or without scoping.
▪ Given the customer report needs, review the requirements and assess which
event sources will be required so that you can deliver a list of event sources
needed for the Tivoli Compliance Insight Manager environment. The
emphasis is on being able to perform the following steps:
– Review the reporting requirements determined during the assessment of
the customer reporting needs.
– Assess which event sources will be required to support the reporting
requirements.
– Deliver a list of event sources that need to be deployed.
▪ Given the list of event sources needed to support the customer reporting
needs, determine the best collection option for each event source so that you
identify the appropriate collection method for each event source. The
emphasis is on being able to perform the following steps:
– Review the list of event sources determined during the assessment of the
customer reporting needs.
– Discuss the collection options for each event source with the customer.
– Discuss the advantages and disadvantages of each collection mechanism
(per event source).
– Assess the number of events per second to determine the appropriate
collection method for SNMP and syslog event sources.
– Determine the best collection option for each event source based on the
customer feedback.
▪ Given each target platform and the specific procedures, determine and
configure the audit settings so that the desired events can be logged and
ready for collection. The emphasis is on being able to perform the following
steps:
– Identify the Event Source.
– Identify the audit setting configuration procedure for the particular target
platform.
– Specify audit events desired from target platform based on the customer
reporting needs.
– Specify audit settings for desired platform.
– Assess impact of desired settings.
– Configure audit settings for desired platform.
– Enable auditing on desired platform.
– Verify that the desired events are being logged.
▪ Given the hardware and software prerequisites, verify the processors' speed,
RAM and hard disk space amounts, available ports, and hard disk space
partitions so that it is determined that the system meets the prerequisites and
the server is ready to be configured for IBM Tivoli Compliance Insight
Manager. The emphasis is on being able to perform the following steps:
– Verify that the required hardware and software is available.
– Determine the rate of flow of collected data.
– Verify that a CD-ROM drive is available on all Tivoli Compliance Insight
Manager Servers included in the installation.
– Verify that the servers and production network are available.

– Verify that TCP/IP connectivity between monitored servers and Tivoli
Compliance Insight Manager Standard Server(s) is ensured.
– Identify the ports to be used by the installation.
• Determine which port will be used for the database.
• Determine which port will be used for the Directory Server.
• Determine which port will be used for server and Actuator
communications; by default, this is port 5992.
• Verify that TCP port 139 is open to allow communication with Windows
event sources.
• Verify that the TCP port 22 is open to allow communications with UNIX
SSH event sources.
• Verify that the database port and the file share port are open for
communication between Standard and Enterprise Server.
– Verify that SSH is utilized.
– Verify that your server’s hard drives are partitioned in a RAID 5
configuration.
– Determine the appropriate hard disk space for the servers and Points of
Presence, depending on the amount of daily log data that you collect for
your monitored platforms and applications.
– Determine the appropriate hard disk space on the audited machines to
support the expected audit volume.
▪ Given the event sources, processors, audited logs, hard drive partitions,
memory, GEM databases and delivered reports, determine the number of
servers required so that IBM Tivoli Compliance Insight Manager can be
implemented. The emphasis is on being able to perform the following steps:
– Define which platform types will be audited.
– Define the number of machines per platform type that will be audited.
– Determine the size of the audit files to be collected at a given rate for each
Target Platform.
– Determine the number of event sources the environment will handle.
– Determine the number of GEM databases that will support the reporting
requirements.
– Determine the amount of events that will be generated by syslog.
▪ Given the main components of IBM Tivoli Compliance Insight Manager,
describe the purpose of the components so that key components are
identified. The emphasis is on being able to perform the following steps:
– Describe the purpose of the Standard Server.
– Describe the purpose of the management console.
– Describe the purpose of the Web portal.
• Describe iView.
• Describe log manager.
• Describe policy generator.
• Describe scoping.
– Describe regulatory compliance.
– Describe the purpose of the Enterprise Server.
– Describe the Actuator.
▪ Given the collection, load, and restart schedules, plan the scheduled tasks so
that continuity and completeness of data is maintained. The emphasis is on
being able to perform the following steps:
– Determine when the restart task should take place.
– Determine when the collects should take place.
– Determine when the loads should take place.
– Determine when the report distribution should take place.
▪ Given the GEM database and W7 grammar, explain how event values are
mapped to the GEM fields and categorized into W7 groups so that the W7
and GEM models are described. The emphasis is on being able to perform
the following steps:
– List the W7 dimensions.
– List the GEM fields.
– Describe the relationship between the W7 grammar elements and the
GEM fields.
– Explain how the event values are mapped to the GEM fields.
– Explain how event values are categorized into W7 groups.
▪ Given Tivoli Compliance Insight Manager policies, describe how policy
exceptions and attention events are generated so that security rules are
identified. The emphasis is on being able to perform the following steps:
– Describe with the W7 Model what would be an acceptable behavior of an
event.
– Describe how a policy exception is generated.
– Describe how an attention event is generated.
▪ Given an installed Tivoli Compliance Insight Manager V8.0 or V7.0
environment, create an implementation plan so that a Tivoli Compliance
Insight Manager upgrade can be performed. The emphasis is on being able to
perform the following steps:
– Ensure that you have a backup of your current installation of Tivoli
Compliance Insight Manager.
– Document the current environment.
– Assess the current environment for capacity considerations.
– Define the rollback plan.
– Choose which server will be designated as the security server.
– Determine which Tivoli Compliance Insight Manager servers and
components to upgrade.
– Determine the order of components to upgrade.
– Ensure that there is enough hard disk space for the upgrade.
– Ensure that the media has been acquired or downloaded.
– Acquire the latest patches.

Section 2: Installation
This section provides further information about the installation area of the test:
▪ Given the installation media and a Windows 2003 server, install the database
engine, directory server, and Standard Server, so that a Tivoli Compliance
Insight Manager security server is defined for centralized user management.
The emphasis is on being able to perform the following steps:
– Log in to the Windows server as a user with administrative privileges.
– Verify that the system prerequisites have been met.
– Install the middleware.
– Install the Standard Server.
– Apply the current patches and platform updates.
– Verify the installation.
▪ Given the installation media and a Windows 2003 server, install a Standard
Server, so that audit trails can be collected. The emphasis is on being able to
perform the following steps:
– Log in to the Windows server as a user with administrative privileges.
– Verify that the system prerequisites have been met.
– Install the middleware.
• Install the database engine.
• Install the directory server or connect to an existing security server.
– Install the Standard Server.
– Apply the current patches and platform updates.
– Verify the installation.
▪ Given the installation media and a Windows 2003 server, install an Enterprise
Server so that a Tivoli Compliance Insight Manager cluster is defined. The
emphasis is on being able to perform the following steps:
– Log in to the Windows server as a user with administrative privileges.
– Verify that the system prerequisites have been met.
– Install middleware.
• Install the database engine.
• Install the directory server or connect to an existing security server.
– Install the Enterprise Server.
– Apply the current patches and platform updates.
– Verify the installation.
– Subscribe servers to the cluster.
▪ Given the installation media, upgrade a Standard Server to an Enterprise
Server so that a Tivoli Compliance Insight Manager cluster can be defined.
The emphasis is on being able to perform the following steps:
– Identify the Standard Server to be upgraded.
– Launch the server installation.
– Perform a custom setup.
– Choose the enterprise components.
– Complete the installation.
– Subscribe servers to the cluster.
▪ Given the Tivoli Compliance Insight Manager hotfix code on Windows
platform, apply the hotfix so that Tivoli Compliance Insight Manager is
updated to the desired level. The emphasis is on being able to perform the
following steps:
– Verify that the current hotfix level is installed.
– Apply the hotfix.
– Verify that the hotfix has been successfully applied.
▪ Given the Tivoli Compliance Insight Manager hotfix code on the UNIX
platform, apply the hotfix to the current environment so that the Tivoli
Compliance Insight Manager is updated to the desired level. The emphasis is
on being able to perform the following steps:
– Apply the hotfix.
– Verify that the hotfix has been successfully applied.
▪ Given a running Tivoli Compliance Insight Manager installation, verify the
ability to log in, and that key processes and services are running so that the
successful installation is confirmed. The emphasis is on being able to perform
the following steps:
– Verify that you are able to log in to the Management Console and Tivoli
Compliance Insight Manager Web applications.
– Verify that all Tivoli Compliance Insight Manager services started after a
successful installation.
– Review the installation log files.
– Verify that the Tivoli Compliance Insight Manager directory structure has
been created.
– Verify that the main processes are running.
▪ Given the Compliance report media, verify the execution of the compliance
setup program so that the compliance module is installed in the iView
application. The emphasis is on being able to perform the following steps:
– Verify Compliance Reports Media and size.
– Verify the available space.
– Copy the compliance reports setup to a temporary directory.
– Run the setup.
– Verify a successful installation.
– Delete the compliance reports setup from the temporary directory.
▪ Given the Actuator code and cfg file, install the Actuator code on a supported
platform so that an Actuator is installed and ready to collect audit trails. The
emphasis is on being able to perform the following steps:
– Log in to the server where the Point of Presence is to be installed.
– Mount the agent installation media.
– Launch the agent setup program.
– Install the agent code.
– Provide the agent cfg file to establish the Point of Presence to server
configuration.
– Verify the installation.
▪ Given the management console and properly configured Actuator and target
machine, use the add machine process so that the Actuator code is remotely
installed. The emphasis is on being able to perform the following steps:
– Verify any other applications running on the target system that may
interfere with the installation.
– Launch the management console.
– Add a new machine.
– Select the system type.
– Select the machine or machines to be audited.
– Select local for the point of presence.
– Define the communication port.
– Select automatic for the installation type.
– Enter the NetBIOS name for the machine or machines.
– Enter the operating system credentials for the Actuator service.
– Enter the operating system credentials to be used to complete the
installation.
– Define the event source or sources to be audited.
– Complete the add machine process.
▪ Given an installed Tivoli Compliance Insight Manager V8.0 or earlier Standard
Server, perform the upgrade so that Tivoli Compliance Insight Manager V8.5
and all of its components are functional. The emphasis is on being able to
perform the following steps:
– Identify components to be upgraded.
– Log in to the Windows server using an account with administrative
privileges.

– Verify that the prerequisites have been met.
– If using a central user information store, install a security server.
– Upgrade the Enterprise Server (if present).
– Upgrade all Standard Servers.
– Register Standard Servers with Enterprise Server.
– Upgrade the Points of Presence.
– Verify that the upgrade was successful.

Section 3: Configuration
This section provides further information about the configuration area of the test:
▪ Given the security compliance reporting requirements for a specific audit
platform, configure the audit subsystem so that the collected security audit
data can be used to generate the required security compliance reports. The
emphasis is on being able to perform the following steps:
– Translate the Security Compliance reporting requirements to the required
Audit Setting Configurations on the target platform.
– Review the current audit settings on the target platform.
– Apply changes to the current audit settings.
– Verify that the audit settings changes have been committed.
– Verify that the data collected (after committing the audit setting changes)
meet the Security Compliance reporting requirements.
▪ Given the management console, use the add machine process so that an
audit trail is collected locally. The emphasis is on being able to perform the
following steps:
– Launch the management console.
– Add a new machine.
– Select the system type.
– Select the machine or machines to be audited.
– Select local for the point of presence.
– Define the communication port.
– Select automatic or manual for the installation type.
• If automatic installation is selected, enter the NetBIOS name for the
machine or machines.
• If automatic installation is selected, enter the operating system
credentials for the Actuator service.
• If automatic installation is selected, enter the operating system
credentials to be used to complete the installation.
– Define the event source or sources to be audited.
– Complete the add machine process.
▪ Given a Windows target machine, configure the machine so that security
audit logs can be successfully collected through remote collection
mechanism. The emphasis is on being able to perform the following steps:
– Configure or verify the Windows Domain relationship required for the
remote collection of the target machine from Tivoli Compliance Insight
Manager server (or Windows Actuator).
– Configure or verify that the Windows Services and network settings on the
target machine required for remote collection are properly configured.
– Configure or verify that the Windows Services and network settings on the
Tivoli Compliance Insight Manager server (or Windows Actuator) required
for remote collection are properly configured.
– Configure or verify that the TCP/IP connectivity between Tivoli
Compliance Insight Manager server (or Windows Actuator) and the target
Windows machine required for remote collection are enabled.
– Configure or verify that the Tivoli Compliance Insight Manager Server (or
Windows Actuator) service run account has security privileges to perform
a successful remote collection of the security log data from the target machine.
– Add the remote collect Windows target machine to the management
console.
– Add the corresponding event sources to the remote collect Windows target
machine.
– Configure the event source properties of the remote event sources in the
management console.
– Verify that the security log data from the Windows target can be
successfully collected.
▪ Given SSH is configured, follow the add machine wizard so that remote SSH
collection is installed. The emphasis is on being able to perform the following
steps:
– Determine that the SSH daemon is running on the audited system.
– Ensure that PuTTY is installed on the point of presence.
– Determine the authorization key pair to use.
– Enable a user account on the audited system.
– Create the user.

• Ensure that the partition that contains the user home directory has
enough free space to store a copy of the collected log data.
• Ensure that the user has all the necessary access to the log files and
directories used during collection.
• Ensure that all commands to be run are in the user path and that the
user is allowed to execute them.
• Create a special subdirectory in the user home directory to contain its
authorized keys.
– Test the communication between the point of presence and the audited
machine.
– Start the Add Machine wizard to add the audited system.
– Ensure that the collection is successful.
▪ Given the network identity of the appliance, add the network appliance to the
Tivoli Compliance Insight Manager server so that security logs from the
network appliance can be successfully collected. The emphasis is on being
able to perform the following steps:
– Ensure that the communication path between the Tivoli Compliance
Insight Manager server (or Point of Presence) and the appliance allows
unblocked transmission of the security events from the appliance.
– Verify that appliance events are directed to Tivoli Compliance Insight
Manager.
– Add the appliance as an audited machine to the Tivoli Compliance Insight
Manager server.
– Verify that the security events from the appliance can be collected by the
Tivoli Compliance Insight Manager server.
▪ Given a supported syslog-ng environment and remote SSH collection is
properly configured, configure the Tivoli Compliance Insight Manager syslog
collector so that the syslog events can be collected by Tivoli Compliance
Insight Manager. The emphasis is on being able to perform the following
steps:
– Determine the appropriate syslog collection method.
• If a built-in syslog receiver is appropriate, ensure that a communication
path from each audited system to Tivoli Compliance Insight Manager
receiver through UDP port 514 is open and available.
• Configure the audited system to forward syslog messages to Windows
Point of Presence.
• If the syslog collector is appropriate, ensure that the communication path
from each audited system to the syslog collector via UDP port 514 is open
and available.
• Ensure SSH communication between the syslog collector and the
designated Point of Presence is open and available.
• Ensure that audited systems are appropriately configured to forward
messages to the syslog collector.
– Configure the syslog collector and the designated Point of Presence for
SSH collection.
– Ensure the syslog message format meets requirements.
– Add the appropriate event source to Tivoli Compliance Insight Manager.
– Verify successful syslog message collection and mapping.
▪ Given the scripts, configurations, mapping definition files, and collection and
load processes, add an event source so that audit trails can be stored,
mapped, and loaded into GEM databases. The emphasis is on being able to
perform the following steps:
– Open the management console.
– Select the Event Source View.
– Click Add Event Source.
– Select Machine from which to collect from.
– Select the Event Source Type.
– Define the Event Source Properties.
– Define Collect Schedule.
– Select GEM for data loads.
– Define Load Schedule.
▪ Given the management console, use the add machine process so that a W7
log file is collected. The emphasis is on being able to perform the following
steps:
– Define a process that takes the custom log file and converts it to the W7
Log modified format (CSV or XML).
– Implement the log file conversion process.
– Launch the management console.
– Add a new machine.
– Select the system type.
– Select the machine or machines to be audited.

– Select local for the point of presence.
– Define the communication port.
– Select automatic or manual for the installation type.
• If automatic installation is selected, enter the NetBIOS name for the
machine or machines.
• If automatic installation is selected, enter the operating system
credentials for the Actuator service.
• If automatic installation is selected, enter the operating system
credentials to be used to complete the installation.
– Define the event source as W7 Log (choosing the appropriate format of
CSV or XML).
– Define the event source properties.
– Complete the add machine process.
▪ Given the location information of a user and grouping store, configure the
user information source to collect the user and grouping information from the
store so that the user information source collects the user and grouping
information. The emphasis is on being able to perform the following steps:
– Configure or verify that the Tivoli Compliance Insight Manager server (or
Windows Actuator) service run account has security privileges to perform
a successful collection of the user and grouping information from the
store.
– Configure or verify that the user account (provided as part of the User
Information Source property) has security privileges to successfully collect
the user and grouping information from the store.
– Configure or verify that the Windows Services network settings are
properly configured on the store for user and grouping information
collection.
– Configure or verify that the TCP/IP connectivity between Tivoli
Compliance Insight Manager server (or Windows Actuator) and the user
and grouping store are enabled.
– Configure or verify that the Windows Services network settings on the
Tivoli Compliance Insight Manager server (or Windows Actuator) required
for user and grouping information collection are properly configured.
– Add the User Information Source to the management console.
– Configure the User Information Source properties in the management
console.
– Verify successful collection from the User Information Source.
▪ Given the Attention rules, protocol, severity, and recipient list, set an alert so
that the alert communicates an attention rule to the recipient list. The
emphasis is on being able to perform the following steps:
– Identify the Attention Rule ID to use in the alert.
– Select the Alert Maintenance Icon in the Management Console.
– Create the Alert using the Rule ID, Protocol, Recipient, and Severity.
– Verify that the alert is received or generated.
▪ Given the management console, use the policy explorer and the company
security policy to define a basic policy so that the customer reporting needs
are met. The emphasis is on being able to perform the following steps:
– Determine which policies in the company security policy can be mapped to
a Tivoli Compliance Insight Manager security policy.
– Launch the management console.
– Open the policy explorer.
– Duplicate the latest committed Tivoli Compliance Insight Manager policy.
– Edit the duplicate Tivoli Compliance Insight Manager policy.
– Define the appropriate W7 groups to support the company security policy.
– Define the appropriate policy rules to support the company security policy.
– Define the appropriate attention rules to support the company security
policy.
– Save and test the new Tivoli Compliance Insight Manager policy.
– Continue testing until the desired reporting needs are met.
– Commit the new Tivoli Compliance Insight Manager policy.
▪ Given that scoping is required, assign assets so that access can be
regulated. The emphasis is on being able to perform the following steps:
– Identify assets which require scoping.
– Configure scoping for unassigned assets.
• On the entry page, click Enable Scoping.
• On the Confirm Status Change page, click Start to enable scoping or
Cancel to end your operation.
• If you clicked Start, the Changing Scoping Status page is displayed.
Wait until the change of the scoping status is complete.
• Define Scoping groups and assign users to these groups.
• Move a selection of W7 groups to the Scoping groups.
• Create similar Scoping groups for the Who, Where, and OnWhat
categories.
• Reload the test data and log on to iView with one of the users that
have restricted viewing capabilities as defined through the Scoping
module.
▪ Given the list of reports needed to satisfy customer needs, determine which
reports will require a custom solution so that the customer reporting needs
are met. The emphasis is on being able to perform the following steps:
– Review the list of reports needed to satisfy customer needs.
– Determine which reports can be satisfied by the standard reports.
– Determine which reports will require a custom solution.
– For each custom report requirement, determine the following criteria:
• Report layout: Report type and column selection
• Report criteria: Event selection and conditions
– Use the report wizard or a text editor to create the custom report.
▪ Given a set of GEM load schedules, configure the Tivoli Compliance Insight
Manager Automated Report Distribution manager such that the GEM
database reports are successfully sent on time to a corresponding set of
recipients. The emphasis is on being able to perform the following steps:
– Configure the general setting for report distribution.
– Determine a timeline at which the GEM database load completes and the
GEM reports become available for distribution.
– Determine the schedule for setting up the report distribution for each GEM
database.
– Verify with a test report distribution task that the report can be sent
successfully to a test recipient.
– Add the Report Distribution tasks for each GEM database.
– Verify that the reports are distributed to the correct set of recipients on
time.

Section 4: Performance Tuning and Problem Determination
This section provides further information about the performance tuning and
problem determination area of the test:
▪ Given Tivoli Compliance Insight Manager activities, identify log files so that
troubleshooting can take place for the Tivoli Compliance Insight Manager
solution. The emphasis is on being able to perform the following steps:
– Identify the log file that shows a collection has been successful.
– Identify the log file that shows the progress of a load into a GEM database,
as well as the archiving of them.
– Identify the log file that shows the progress of a connection to a remote
host and to the Tivoli Compliance Insight Manager server.
– Identify the log file that shows iView reporting errors.
– Identify the log file where the Actuator run on the point of presence shows
its collection activity.
– Identify the schedule restart log and sub log of the processes it runs.
– Identify the Management Console activities events and the log where they
can be found.
– Identify the Consolidation log file.
– Identify the successful database mount and activity log.
– Identify the Log Manager activity log.
– Identify the log file where iView activity can be found.
– Identify the log file where lost chunks will be shown if they have been
transferred to the depot.
– Identify the log file showing that reports have been delivered by the
Distribution scheduled task or that an error occurred.
– Identify the log file indicating authentication to the Web portal application.
– Identify the log file where the Policy Generator Activity is found.
– Identify the application that collects most of the log files for
troubleshooting.
򐂰 Given a GEM database, investigate the set of activities taking place during
the GEM load so that the basic stages of load are described. The emphasis is
on being able to perform the following steps:
– Identify the type of the GEM database load.
– Identify the different phases of the GEM load.
– Identify the type of mapping used by the GEM database.

  – Determine the current stage of the load.
  – Determine whether any errors occurred during the load, and in which phase of the load.
  – When an error occurs during any phase of the load, determine the set of log files that need to be preserved for further investigation.
  – Determine the duration of each phase of the load.
  – Determine whether the load has completed at any point in time, and the total duration of the load.
• Given the verification of possible failures, troubleshoot the logon failure so that successful logon is achieved. The emphasis is on being able to perform the following steps:
  – Verify that Tivoli Compliance Insight Manager services are running.
  – Verify that database and directory services are running.
  – Verify that the correct user name and password are being used.
  – Verify the restart task.
  – Verify the recnotify.
  – Verify the blrec.
• Given the log files and error message, apply standard problem determination techniques so that the problem can be resolved. The emphasis is on being able to perform the following steps:
  – Identify the component that is failing (such as server, management console, Web portal, and so on).
  – Determine the type of failure (login, connectivity, and so on).
  – Identify the log file needed to gather additional information about the failure.
  – Review the appropriate log file.
  – Correct the problem or call support.
• Given a Tivoli Compliance Insight Manager Server or a Windows Point of Presence, generate and deliver diagnostics such that the diagnostics are complete and are successfully delivered to the Support recipient. The emphasis is on being able to perform the following steps:
  – Identify the Tivoli Compliance Insight Manager Server or Windows Point of Presence where the diagnostics need to be generated.
  – Ensure that there is enough disk space to store the diagnostics.
  – Determine under what situations a diagnostics file may be generated.
  – Locate the Windows program menu for Diagnostics generation and start up the Diagnostics generation task.
  – Choose the path where the Diagnostics file has to be generated.
  – Ensure that the diagnostics file has been generated.
  – Ensure that the diagnostics file is complete.
  – Deliver the diagnostics to the intended support recipient.
  – Verify that the support recipient has successfully received the diagnostics file.
• Given the management console, test the connectivity so that there is a successful connection to a Point of Presence. The emphasis is on being able to perform the following steps:
  – Right-click the machine name.
  – Choose the Properties option.
  – Click the Network tab.
  – Click the Test IP and Port button.
  – Verify that the message “Port is listening” appears.
  – Review log files to determine whether there are any connection errors.
• Given a set of report distribution schedules, troubleshoot the report generation and distribution process such that the reports are successfully generated and distributed to the designated user. The emphasis is on being able to perform the following steps:
  – Identify the status message contained in the e-mail sent by the distribution task.
  – Ensure that the report was successfully exported by the GEM database load process.
  – Ensure that the distribution schedule for the exported report was successful.
  – Ensure that the exported file format can successfully handle the number of events exported to the report.

Section 5: Administration
The section provides further information about the administration area of the test:
• Given the management console application, navigate through the different views so that you can perform the basic administration activities for audited machines. The emphasis is on being able to perform the following steps:
  – Launch the management console.
  – Open the audited machine view or event source view.
  – Determine which machines are being audited.
  – Determine to which machine group each audited machine is assigned.
  – Add a new audited machine.
  – Determine which event sources are being collected for each audited machine.
  – Determine the audit settings applied to each event source.
  – Determine where the event sources are being collected (local or remote).
  – Add a new event source.
  – Determine the state of each Point of Presence.
  – Determine the last collection date and time.
  – Determine the collection schedule for an event source.
  – Configure the collection schedule for an event source.
  – View the basic settings for a Point of Presence.
  – Test the connection to a Point of Presence.
  – Generate a new password when the secure channel between the server and a Point of Presence is broken.
  – Add a user information source.
• Given the management console application, navigate through the database view so that you can perform the basic administration activities for databases. The emphasis is on being able to perform the following steps:
  – Launch the management console.
  – Open the database view.
  – Determine the load schedule for a database.
  – Determine the load status for a database.
  – Associate an event source with an existing database.
  – Add a new database.
  – Manually load a database.
• Given the management console application, navigate to the alert window so that you can perform the basic administration activities for alerts. The emphasis is on being able to perform the following steps:
  – Launch the management console.
  – Open the alerts window.
  – View or modify existing alerts.
  – Define a new alert.
  – Create an alert rule that is only triggered by the eventid of an attention rule.
  – Verify that alerts are sent.
• Given the management console application, navigate to the user management window so that you can perform the basic administration activities for users. The emphasis is on being able to perform the following steps:
  – Launch the management console.
  – Create or modify a user.
  – Assign appropriate roles to a user.
  – Define database access for a user.
  – Delete a user.
• Given the management console application, navigate to the policy explorer so that you can perform the basic administration activities for policies. The emphasis is on being able to perform the following steps:
  – Launch the management console.
  – Open the policy explorer.
  – List the previously committed policies.
  – List the policies in draft mode.
  – Edit a draft policy.
    • Add or modify grouping files.
    • Add or modify policy and attention rules.
  – Commit a draft policy.
  – Open a committed policy.
  – Create a new policy based on an existing policy.
  – View an automatic policy.
• Given the Tivoli Compliance Insight Manager Web portal and a Tivoli Compliance Insight Manager user account with access to iView, navigate iView so that the functionalities are described. The emphasis is on being able to perform the following steps:
  – Access the Tivoli Compliance Insight Manager Portal.
  – Access iView.
  – Describe Compliance Dashboard.
    • Describe Enterprise Overview.
    • Describe trend graphic.
    • Configure the trend graphic settings.
    • Describe Database overview.
    • Configure the Dashboard settings.
  – Describe GEM Summary.
    • Describe Event Information.
    • Describe Status of the Database.
    • Describe Data in the Database.
  – Describe Event Details.
    • Describe Detail and Group for the W7 Dimensions.
    • Describe Incident Tracking.
    • Describe Additional information.
    • Describe Investigate.
  – Execute a Standard report for a GEM.
  – Execute a Regulatory Report for a GEM.
  – Verify the groups on the loaded data.
  – Verify the applied Policy on the loaded data.
  – Verify the trends on the loaded data.
  – Describe general iView settings.
  – Schedule reports to be delivered for a GEM.
• Given the Tivoli Compliance Insight Manager Web portal and a Tivoli Compliance Insight Manager user with access to log manager, navigate the log manager so that the log manager functionalities are described. The emphasis is on being able to perform the following steps:
  – Access Tivoli Compliance Insight Manager Portal.
  – Access Log Manager Application.
  – Describe the Log Manager Dashboard.
  – Describe the Collect History Status, including an explanation of how the collect status is determined.
  – Describe the Log Continuity Status.
  – Describe History.
  – Describe Continuity, including an explanation of the CCRG scheduler and the underlying algorithm.
  – Describe Activity.
  – Describe Investigate.
  – Describe Retrieval.
• Given the Tivoli Compliance Insight Manager Web portal and a Tivoli Compliance Insight Manager user account with access to the policy generator, navigate the policy generator so that the policy generator functionalities are described. The emphasis is on being able to perform the following steps:
  – Access the Tivoli Compliance Insight Manager Portal.
  – Access the Policy Generator Application.
  – Define the name of the policy to generate.
    • Select the data to use.
    • Generate an Automatic Policy file.
    • Test data in a GEM with a policy.
• Given the depot and collected chunks, perform an export so that collected audit trails are archived. The emphasis is on being able to perform the following steps:
  – Verify disk space for export.
  – Determine export location.
  – Configure an export schedule based on the customer’s retention policy.
  – Verify that the export was successful.
• Given the depot and archived chunks, perform an import so that archived audit trails are restored. The emphasis is on being able to perform the following steps:
  – Determine when the requested data was archived.
  – Locate the appropriate archived data.
  – Import the appropriate archived data.
  – Verify that the data was successfully imported.
• Given a Tivoli Compliance Insight Manager installation, verify the status of collects, loads, report generation and distribution, and real time alerting so that the overall health of the Tivoli Compliance Insight Manager installation environment is verified. The emphasis is on being able to perform the following steps:
  – Verify that all services related to the Tivoli Compliance Insight Manager server are running.
  – Determine the audited machines involved in the Tivoli Compliance Insight Manager installation.
  – Verify that collections are happening on schedule from all audited machines.
  – Verify that the collected data from the audited machines is complete and consistent.
  – Verify that the GEM loads are occurring regularly and the GEM loads complete successfully.
  – Verify that the data loaded in the GEM database is complete and consistent.
  – Verify that real time alerts (if configured) are sent out and the recipients have received them successfully.
  – Verify that the reports are generated by the GEM database.
  – Verify that the GEM database reports are distributed and received successfully by the intended recipients in a timely manner.
  – Verify that the GEM database reports are complete and consistent.

1.3 Recommended educational resources
Courses and publications are offered to help you prepare for the certification tests. The courses are recommended, but not required, before taking a certification test. If you want to purchase Web-based training courses or are unable to locate a Web-based course or classroom course at the time and location you desire, contact one of our delivery management teams at:
• Americas: tivamedu@us.ibm.com
• EMEA: tived@uk.ibm.com
• Asia-Pacific: tivtrainingap@au1.ibm.com

Note: Course offerings are continuously being added and updated. If you do not see courses listed in your geographical location, contact the delivery management team.

1.3.1 Courses
This section provides information about the currently available or planned Tivoli Compliance Insight Manager V8.5 courses. Refer to the Tivoli software education Web site to find the appropriate courses and education delivery vendor for each geography, available at:
http://www.ibm.com/software/tivoli/education

General training information is available at the following Web site:
http://ibm.com/training

IBM Tivoli Compliance Insight Manager V8.5 Installation
This training will equip you with the knowledge to administer an IBM Tivoli Compliance Insight Manager environment. You will learn how to develop IBM Tivoli Compliance Insight Manager policies to demonstrate compliance with your company’s IT security policy or a regulatory standard. By working through outlined steps, you will be able to create an IBM Tivoli Compliance Insight Manager security policy that reflects an IT security policy with a custom set of reports. Each step has a theoretical presentation and a hands-on exercise.

Course duration
This is a two-day, classroom course.

Objectives
After completing this course, you should be able to accomplish the following:
• Explain the function of each Tivoli Compliance Insight Manager component.
• Describe a Tivoli Compliance Insight Manager cluster.
• Install a Tivoli Compliance Insight Manager server.
• Define a Point of Presence.
• Define an event source.
• Install an Actuator.
• Manually collect and load data.
• Configure remote collection.
• Configure collection for a custom log file.

Outline
This course follows this outline:
• Architecture
  Lesson 1: Components and Functions
  Lesson 2: Architecture
  Lesson 3: Collection and Process Flow
• Server Installation
  Lesson 1: Prerequisites
  Lesson 2: Standard Server Installation
  Lesson 3: Enterprise Server Installation
• Actuator Installation
  Lesson 1: Collecting and Archiving
  Lesson 2: Actuator Installation Options

Required skills
The following are the skills required to take this course:
• Some knowledge of the Windows audit subsystem.
• Technical skills in UNIX variants, Win32®, and DBMS.
• Understanding of security practices, principles, security technologies, and so on.
• Working knowledge of security auditing and operational risk management concepts.

IBM Tivoli Compliance Insight Manager V8.5 Administration and Reporting
This training will equip you with the knowledge to administer a Compliance Insight Manager environment. You will learn how to develop IBM Tivoli Compliance Insight Manager policies to demonstrate compliance with your company’s IT security policy or a regulatory standard. By working through outlined steps, you will be able to create an IBM Tivoli Compliance Insight Manager security policy that reflects an IT security policy with a custom set of reports. Each step has a theoretical presentation and a hands-on exercise.

Course duration
This is a three-day, classroom course.

Objectives
After taking this course, you will be able to accomplish the following:
• Describe the General Event Model (GEM).
• Describe the W7 Model.
• Explain the purpose of Tivoli Compliance Insight Manager policies.
• Add and assign roles to Tivoli Compliance Insight Manager users.
• Collect, archive, and report on audit trails.
• Add event sources for audit trail collection.
• Apply collection and report generation schedules.
• Navigate the reporting interface.
• Create reports on historical data.
• Use built-in reports.
• Use Regulatory Compliance reports.
• Archive reports for auditor review.
• Configure alerts on security relevant events.

Outline
The course follows this outline:
1. Monitoring Compliance
   Lesson 1: Monitoring Compliance
2. Navigating the Management Console
   Lesson 1: Management Console Overview
   Lesson 2: Audited Machines
   Lesson 3: Event Sources
   Lesson 4: Databases
   Lesson 5: Alert Maintenance
   Lesson 6: Policies
   Lesson 7: User Management
   Lesson 8: Export and Import
3. Navigating the Web Portal
   Lesson 1: Web Portal Overview
   Lesson 2: iView
   Lesson 3: Log Manager
   Lesson 4: Policy Generator
   Lesson 5: Scoping
4. Policies
   Lesson 1: Tivoli Compliance Insight Manager Policy
   Lesson 2: Policy Creation
   Lesson 3: Managing Policies
   Lesson 4: Managing Grouping Definitions
   Lesson 5: Policy and Attention Rules
   Lesson 6: Policy Management and Maintenance
5. Reporting
   Lesson 1: Getting Started
   Lesson 2: Standard Reports
   Lesson 3: Custom Reports
   Lesson 4: Distributing Reports by e-mail
   Lesson 5: Compliance Reports

Required skills
The following skills are required for this course:
• Some knowledge of the Windows audit subsystem
• Understanding of security practices, principles, and security technologies
• Working knowledge of security auditing and operational risk management concepts

1.3.2 Publications
IBM Tivoli Compliance Insight Manager guides and Redbooks are useful tools for preparing to take Test 937.

IBM Tivoli Compliance Insight Manager product documentation
You might want to refer to the following guides:
• Installation guide
  – IBM Tivoli Compliance Insight Manager Installation Guide, GC23-6580
• User guides
  – IBM Tivoli Compliance Insight Manager User Guide, GC23-6581
  – IBM Tivoli Compliance Insight Manager User Reference Guide, GC23-6582
• Module installation guides
  – IBM Tivoli Compliance Insight Manager Basel II Management Module Installation Guide, GC23-6583
  – IBM Tivoli Compliance Insight Manager FISMA Management Module Installation Guide, GI11-8708
  – IBM Tivoli Compliance Insight Manager GLBA Management Module Installation Guide, GC23-6584
  – IBM Tivoli Compliance Insight Manager HIPAA Management Module Installation Guide, GC23-6585
  – IBM Tivoli Compliance Insight Manager ISO 27001 Management Module Installation Guide, GC23-6588
  – IBM Tivoli Compliance Insight Manager PCI-DSS Management Module Installation Guide, GC23-6589
  – IBM Tivoli Compliance Insight Manager Sarbanes-Oxley Management Module Installation Guide, GC23-6587

To obtain the online publications for IBM Tivoli Compliance Insight Manager, visit the following Web site:
http://publib.boulder.ibm.com/tividd/td/IBMTivoliComplianceInsightManager8.0.html

IBM Redbooks
Refer to the following IBM Tivoli Compliance Insight Manager-related Redbooks:
• Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager, SG24-7530
  To comply with government and industry regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, and COBIT, enterprises must constantly detect, validate, and report unauthorized changes and out-of-compliance actions within the IT infrastructure.
  The IBM Tivoli Compliance Insight Manager solution allows organizations to improve the security of their information systems by capturing comprehensive log data, correlating this data through sophisticated log interpretation and normalization, and communicating results through a dashboard and full set of audit and compliance reporting.

  This IBM Redbooks publication discusses the business context of security audit and compliance software for enterprises and describes the logical and physical components of IBM Tivoli Compliance Insight Manager. It also presents a typical deployment within a business scenario.
  This IBM Redbooks publication is a valuable resource for security officers, administrators, and architects who want to understand and implement a centralized security audit and compliance solution.
• Deployment Guide Series: IBM Tivoli Compliance Insight Manager, SG24-7531
  In order to comply with government and industry regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley, and COBIT, enterprises have to constantly detect, validate, and report unauthorized change and out-of-compliance actions on their IT infrastructure.
  The IBM Tivoli Compliance Insight Manager solution allows organizations to improve the security of their information systems by capturing comprehensive log data, correlating this data through sophisticated log interpretation and normalization, and communicating results through a dashboard and a full set of audit and compliance reporting.
  This IBM Redbooks publication discusses the business context of security audit and compliance software for organizations, and it shows a typical deployment within a business scenario.
  This IBM Redbooks publication is a valuable resource for security officers, administrators, and architects who wish to understand and deploy a centralized security audit and compliance solution.

Chapter 2. Planning
In this chapter, we give an overview of IBM Tivoli Compliance Insight Manager. We describe the major components and their position in a real network environment. This description provides an overview of items that are important to planning and architecting the design of a compliance and reporting system. It also covers migration planning, tools, and issues.

2.1 Overview
The process of ensuring that an organization operates in accordance with expectations is called compliance management. The expectations are formalized as requirements in the policies and can include requirements derived from external laws and regulations (such as country-specific data privacy laws, Sarbanes-Oxley, or Basel II) and from the individual mission statement of an organization (such as ethical behavior or business conduct guidelines).

Information security defines the level of protection for information assets of an organization and summarizes all activities around the security controls applied in order to achieve a desired level of confidentiality, integrity, and availability of information assets. In a best practice approach, the desired level is derived by determining the balance between risks resulting from a compromised information security and the benefit aligned with the information asset. It is a good business practice to minimize the security risk to information in proportion to the importance of such information to the business. Security controls are usually defined in a security policy framework.

The benefit of a policy framework is the reduction of interpretation to a minimum, the translation of broad business directions into corresponding work instructions for processes and technical settings for systems, and the provision of extensive editable records about management direction on information security.

Bringing both definitions together, security compliance is understood as the process that guarantees that the operations of an organization meet the requirements defined in the security policies, which again consolidate legal and regulatory obligations and management direction. Compliance management requires the ability to identify compliance criteria and to assess, analyze, consolidate, and report on the previous, the current, and the expected compliance status of security controls.

Security controls exist at the organizational, process, and technical levels:
• An organizational level security control can be a concept such as separation of duties (for example, ensuring that someone changing something is not the same person controlling the business need and proper execution of the change). This type of security control might require an organizational setup where those two employees report to different managers.
• A process level security control can be a concept like the four eyes principle, where a specific authorization requires two signatures (or passwords) to be presented before a transaction can be completed. As a result, this process step would always require two employees to be available for execution.
• A simple technical security control can be a required length for a password or specific permissions that are defined for accessing an operating system resource or business data. Operating systems and applications provide configuration settings that allow the administrator to specify minimum password lengths so that the system itself can enforce this control. A more complex technical security control can be the requirement to run an antivirus service (with up-to-date virus definition files) on a computer system or a correctly configured port filter.

Technical security controls are the easiest to monitor, as computer systems save audit trails and configuration files, which can be checked for fulfillment of requirements. Security controls on the organizational and the process level (especially when process steps are not performed with the help of technology) are harder to check and to control, as they are less persistent, and audit trails are not created automatically and can be more easily manipulated.

This book is intended for administrators and system programmers whose roles include security officer, security manager, or EDP auditor, or who monitor events in the enterprise IT environment, and who are planning for IBM Tivoli Compliance Insight Manager certification.

Individuals who manage and handle such security standards as Sarbanes-Oxley, GLBA, HIPAA, Basel II, and ISO 27001 can use this publication to learn the basics of using all pertinent aspects of IBM Tivoli Compliance Insight Manager or get hints about where to find in-depth information.

Tivoli Compliance Insight Manager is a security compliance system that operates as a system on your network to collect, analyze, and archive log data and produce detailed security reports about information security policy compliance. The following sections discuss the components of the Tivoli Compliance Insight Manager system and explain how it works at a high level.

2.2 Product architecture
The Tivoli Compliance Insight Manager environment includes a number of key components that are depicted in Figure 2-1:
• Enterprise Server
• Standard Server
• Actuators
• Management Console
• Web Portal (iView)

Figure 2-1 is not reproduced here. Its labels list the functions of each component:
• Enterprise Server: consolidation of statistics from multiple databases, overall compliance checking, forensic search indexing, administration of log archives
• Standard Server: archive audit trails, normalization of audit trails, archive security policies, preparation of reports, alerts and e-mail notification
• Actuators: collection of audit trails, collection of user information
• Management Console: Tivoli Compliance Insight Manager network configuration, configuration of data for report preparation, alert and e-mail notification configuration, security policy violation definition, Tivoli Compliance Insight Manager user management
• Web Portal: report viewing (compliance, event detail, log management, forensic search), policy management using Policy Generator, scoping

Figure 2-1 Tivoli Compliance Insight Manager architecture

In this section, we describe each of these components.

2.2.1 Tivoli Compliance Insight Manager cluster
An operational Tivoli Compliance Insight Manager cluster configuration is comprised of one Enterprise Server and one or more Standard Servers.

The sections that follow outline the major functional capabilities of each of these servers.

2.2.2 Tivoli Compliance Insight Manager Enterprise Server
The Tivoli Compliance Insight Manager Enterprise Server is a Windows-based server that provides centralized log management and forensic functions, allowing these features to operate across multiple Tivoli Compliance Insight Manager Standard Servers. As a general guide, we recommend monitoring up to three Standard Servers per Enterprise Server. From one Enterprise Server, you can get a consolidated view of log collections and log continuity, in addition to being able to search and download logs. The Enterprise Server also consists of the following basic components:
• iView reporting application
  A Web-based user interface providing a trend dashboard, event drill-down, and detailed reports.
• Policy generator
  A Web-based user interface that builds security policies.
• Log Manager
  A Web-based user interface for reporting on log collections and continuity and for searching and downloading logs.
• Management Console
  An administrative interface for configuring policies and for adding, removing, and managing audited systems, Tivoli Compliance Insight Manager servers, users, and groups.

Centralized log management
As shown in Figure 2-2, the Enterprise Server offers consolidated log management facilities over all connected Tivoli Compliance Insight Manager Standard Servers. From one Enterprise Server, you can get a consolidated view of log collections and log continuity. This simplifies the management of a Tivoli Compliance Insight Manager cluster, reducing your operational impact as well as providing a single view for auditors to examine the complete log history. Finally, the centralized management feature provides a point of access to query and download the original log data collected by standard servers.

Figure 2-2 A Tivoli Compliance Insight Manager cluster environment

Centralized forensics
The Enterprise Server also provides forensic search capabilities. The Enterprise Server allows you to search the archived logs for evidence without using the GEM and W7 tools. Sometimes you may want to look for the raw traces without going through the report preparation process.

Note: The GEM and W7 tools are used by Tivoli Compliance Insight Manager for mapping and loading the data. They are described in detail in 2.3.2, “Mapping and loading” on page 61.

2.2.3 Tivoli Compliance Insight Manager Standard Server
Tivoli Compliance Insight Manager uses a centralized Windows-based server,
called the Standard Server, as the heart of its security audit and compliance
system. The Standard Server performs the following main functions:
򐂰 Collects security logs from the audited event sources.
򐂰 Archives the logs.
򐂰 Normalizes the event data and loads it into the reporting databases.
򐂰 Sends e-mail alerts when a high severity event is detected.
򐂰 Creates reports.

The security status of the audited systems can be viewed through the
Web-based reporting application called iView. iView is described in 2.2.6, “The
iView Web portal” on page 48.

Another main component of the Tivoli Compliance Insight Manager system is the
Management Console, which is used to manage and configure the system. Each
Standard Server has its own configuration database managed by the
Management Console. The Management Console is described further in 2.2.5,
“Management Console” on page 46.

To exchange information between its components, Tivoli Compliance Insight
Manager uses a virtual private network consisting of agents that maintain
encrypted communication channels. This network runs on the TCP/IP layer of the
existing organizational network.

It is beneficial to get familiar with ports, clusters, software, and hardware
requirements in preparing for the certification test, especially which default ports
are used for server and Actuator communication (port 5992) and which Windows
and UNIX ports have to be opened (port 139 for Windows and port 22 for UNIX).
Detailed information about these items can be found in IBM Tivoli Compliance
Insight Manager Installation Guide Version 8.5, GC23-6580.

2.2.4 Actuators
Depending on the platform, Actuator software is installed on audited systems as
a service or daemon. Each Actuator consists of an Agent and numerous
Actuator scripts. The Agent is responsible for maintaining a secure link with
Actuators running on the Tivoli Compliance Insight Manager server and other
audited systems. The Actuator scripts are invoked by the Agent (at the request of
the Tivoli Compliance Insight Manager server) to collect the log for a particular
event source. There is a different script for every supported event type. The
Actuator is depicted in Figure 2-3.

Figure 2-3 Actuator software: the Actuator, containing the Actuator scripts and the Agent

The Actuator software can be installed locally on the target system or remotely.

We describe the log collection process in “Data collection using Actuators” on
page 54.

2.2.5 Management Console
The Management Console is responsible for the configuration and management
of the Enterprise Server and the Standard Server(s).

The Management Console can operate locally or in a distributed manner, as
shown in Figure 2-4 on page 47. All that is required for remote operation apart
from the Management Console itself is a local Point of Presence to which it can
communicate.

Note: A system that has a Tivoli Compliance Insight Manager Actuator
installed is referred to as a Point of Presence. “Data collection using
Actuators” on page 54 describes this concept in more detail.

You can use the Management Console to perform numerous tasks related to the
configuration and management of the Tivoli Compliance Insight Manager
servers:
• Activate the Agents and have them collect audit trails from different platforms.
• Define the security policy and attention rules.
• Define users and their access rights.
• Start the preparations of the reports.

Figure 2-4 Management Console component overview

All the actions on the Management Console are performed by the Tivoli
Compliance Insight Manager server. You can think of the Management Console
as being the user interface for the Tivoli Compliance Insight Manager server.
Here you would also define event sources, perform log management, do forensic
search, and monitor overall compliance. After the reports have been prepared by
the server, a Tivoli Compliance Insight Manager user may generate the specific
reports using the iView component.

Planning for the usage and installation of the Tivoli Compliance Insight Manager
requires knowledge of the hardware and software prerequisites. Depending on
your system requirements, you can choose one or more of the available
installation options (please also refer to Chapter 3, “Installation” on page 77).
The IBM Tivoli Compliance Insight Manager Installation Guide Version 8.5,
GC23-6580 gives you detailed information about technical prerequisites.
Possible installation options are:
• Tivoli Compliance Insight Manager Enterprise Server
• Tivoli Compliance Insight Manager Standard Server
• Point of Presence
• Management Console

2.2.6 The iView Web portal
The events found in the logs are normalized and stored in databases. The data in
the databases is available for further investigation through the Web-based tool
called iView. iView is a reporting application that Tivoli Compliance Insight
Manager administrators can use to generate specific reports about compliance
level and policy violations. It uses an HTTP server and authorizes users to view
reports through their Web browser.

For a detailed description about how to use the iView Web portal, read the IBM
Redbooks publication Deployment Guide Series: IBM Tivoli Compliance Insight
Manager, SG24-7531.

2.2.7 Databases
Tivoli Compliance Insight Manager supports and maintains a set of embedded
databases. These databases store the audit data from security logs and other
sources of event information, for example, Syslog. In the flow from collection to
archive, audit data is indexed and normalized to facilitate analysis, forensics,
information retrieval, and reporting.

An embedded database is also used to store configuration information about the
Tivoli Compliance Insight Manager environment itself.

The appropriate hard disk space required for the IBM Tivoli Compliance Insight
Manager is based on the amount of daily log data that is collected for the
platforms and applications you plan to monitor.

The amount of data that is to be kept in the log repository determines the
required hard disk space. The repository size can be approximately calculated
using the following formula:

1.5 * (total GB of daily logs / 10 compression factor) * number of days to keep in
repository + 25 GB

for program files, temp files, and databases, with a minimum of 200 GB.

The disk size for the Enterprise Server should be enlarged depending on the
number of Standard Servers it manages. (For each Standard Server, the
Enterprise Server builds a depot index that can be as large as the depot size of
the Enterprise Server itself.) For example, the extra disk size needed for the
Standard Server can be calculated using the following formula:

Depot size of Standard Server 1 + depot size of Standard Server 2 + ....
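The two sizing formulas above, carried through as a small planning calculator. This is an added example, not a tool that ships with the product: the 1.5 factor, the 10x compression factor, the 25 GB overhead and the 200 GB minimum are the figures quoted in the text, while the server names and daily log volumes in the sample plan are constructed input.

```python
"""Worked sizing example for the formulas quoted in the text (constructed for this
section, not product code). Figures are the ones the text gives; the sample plan
of server names and daily log volumes is constructed input."""

SAFETY_FACTOR = 1.5        # the leading 1.5 in the formula
COMPRESSION_FACTOR = 10    # "/ 10 compression factor"
OVERHEAD_GB = 25           # program files, temp files and databases
MINIMUM_GB = 200           # floor stated in the text


def depot_size_gb(daily_log_gb: float, retention_days: int) -> float:
    """Compressed log repository (Depot) size for one server, without overhead."""
    return SAFETY_FACTOR * (daily_log_gb / COMPRESSION_FACTOR) * retention_days


def standard_server_disk_gb(daily_log_gb: float, retention_days: int) -> float:
    """Disk for a Standard Server: depot plus overhead, never below the minimum."""
    return max(MINIMUM_GB, depot_size_gb(daily_log_gb, retention_days) + OVERHEAD_GB)


def enterprise_server_disk_gb(daily_log_gb: float, retention_days: int,
                              managed_servers: list) -> float:
    """Disk for an Enterprise Server: its own Standard Server sizing plus the depot
    size of every Standard Server it manages (the extra-disk sum in the text).
    managed_servers is a list of (daily_log_gb, retention_days) per Standard Server."""
    own = standard_server_disk_gb(daily_log_gb, retention_days)
    extra = sum(depot_size_gb(gb, days) for gb, days in managed_servers)
    return own + extra


def plan_cluster(standard_servers: dict, enterprise_daily_gb: float,
                 enterprise_days: int) -> dict:
    """Disk requirement in GB for every server of a cluster plan, keyed by name."""
    plan = {name: standard_server_disk_gb(gb, days)
            for name, (gb, days) in standard_servers.items()}
    plan["enterprise"] = enterprise_server_disk_gb(
        enterprise_daily_gb, enterprise_days, list(standard_servers.values()))
    return plan


if __name__ == "__main__":
    # Constructed sample plan: two Standard Servers of very different size.
    sample = {"std-hq": (4.0, 365),      # 4 GB of logs per day, kept one year
              "std-branch": (0.5, 90)}   # 0.5 GB per day, kept 90 days
    for server, gb in plan_cluster(sample, 1.0, 365).items():
        print(f"{server:12s} {gb:8.2f} GB")
```

Note that the small branch server is governed by the 200 GB minimum, not by the formula, and that the Enterprise Server total grows with every Standard Server it manages.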

Before installation, the hardware must have a minimum of 2.5 GB of disk space
available.

Storing security audit data
Tivoli Compliance Insight Manager uses a file system based log repository as a
collection depot for the original security logs, and the embedded databases to
store normalized audit data, aggregated data, and consolidated data.

Depot
Collected logs are stored in the log Depot, which is a compressed, online, and
file system based log repository.

Reporting database
Data is stored in an instance of an embedded database. It is mapped into the W7
format, which is explained in further detail in “The W7 model” on page 63. The
W7 model stands for the seven main questions Who, What, When, Where, On
What, Where from, and Where to. The reporting databases are also known as
GEM databases. GEM stands for Generic Event Model and is an easy to
understand data model. It is explained in more detail in “Mapping” on
page 62. They are periodically emptied and then filled with more recent data.
Typically, this refresh cycle is done on a daily scheduled basis, meaning that data
from the previous period is present and available for analysis and reporting. Data
from a Depot can be mapped and manually loaded into the reporting database
for processing.

Aggregation database
The aggregation process takes a large number of individual events and
reduces them into a more manageable set of information. In addition, the
aggregation process creates statistical data that can be used to provide
management level trending data, charts, and reports. It takes multiple events that
have a relationship and consolidates them into a single event. The aggregation
process involves two key operations:
• A statistical database of events, exceptions, failures, and attentions is
created. The events are used to generate management charts, reports, and
trending information. For example, users can report on policy exception
trends over a selected time period.
• It copies across the exceptions and attentions from the scheduled loads for
each database that is configured. This provides the user with significant
forensic capability. With these events in the same database as the statistical
events, it is possible to perform drill down operations into the data for
forensics, trending, and analysis.

Aggregation is performed as part of the normal scheduled load processing. After
a successful scheduled load, aggregation is performed for each reporting
database. Aggregation vastly reduces the amount of event information that
needs to be online, and allows users to have an organization view of security
events through iView (the Tivoli Compliance Insight Manager dashboard).

Additionally, these aggregated statistics are used for providing long-term trending
information and are typically held for several years (dictated by local or statutory
requirements). This is highly valuable data and provides a historical database of
an organization’s performance against defined security policies and regulations.

Consolidation database
The consolidation database consolidates all the aggregation databases in a
Tivoli Compliance Insight Manager cluster. This provides an overall view of all
servers in the cluster for trending and statistical purposes.

Tivoli Compliance Insight Manager configuration data
The configuration data for the Tivoli Compliance Insight Manager environment
itself is also stored in embedded databases known as Configuration Databases.

Configuration database
The configuration database for each server is managed through the
Management Console. Each Configuration Database includes information such
as the Actuator configuration, collect schedules, location of audit log data,
available GEM databases, the list of audited machines, and so on.

2.2.8 Component architecture
All of the components of Tivoli Compliance Insight Manager that have been
outlined so far work together to create a compliance management solution. Each
of the different components interact with one another and a number of processes
are performed by each of them.

Figure 2-5 on page 51 encapsulates the key components and processes in the
Tivoli Compliance Insight Manager environment. Each of the components and
the role that they play in the Tivoli Compliance Insight Manager environment are
discussed in further detail throughout the remainder of this chapter.

Figure 2-5 Tivoli Compliance Insight Manager architecture

2.3 Product processes
The Tivoli Compliance Insight Manager product runs several automated
processes. Together, these processes provide a complete solution from
collecting and analyzing logs to reporting and auditing activities for compliance.

Event data is retrieved from the audited systems through a process called
collection. It is then stored on the Standard Server in the Depot.

For analysis, the data is taken from the Depot and normalized into a data model
called General Event Model (GEM). This process is called mapping.
Subsequently, the mapped data is loaded into a reporting database called a
GEM database.

Data and statistics, spanning a longer period, are maintained by a process called
aggregation. The aggregation process builds a special database, called the
aggregation database, from which trends and summaries can be extracted.

In order to check and investigate the information security status, the Tivoli
Compliance Insight Manager system offers a large number of reports. These are
produced on request by a Web-based application called iView. It can be used to
view GEM databases as well as the aggregation database.

Figure 2-6 shows the key processes performed by a Tivoli Compliance Insight
Manager server. A Tivoli Compliance Insight Manager Enterprise Server also
performs two extra processes, namely indexing and consolidation.

Figure 2-6 Tivoli Compliance Insight Manager key processes flowchart

These key processes are described in further detail in the following sections.

2.3.1 Collection
Collection is the process of centralizing event data by retrieving it from the
audited machines and applications and archiving it in the Depot, the central
storage repository for log data on the Tivoli Compliance Insight Manager server.

The reliable, verifiable collection of original log data is a key part of the process
required for compliance. Through Tivoli Compliance Insight Manager, you can
automate the collection process from your audited machines. Security audit data
is collected in its native form, transferred securely from the target, and stored in
the server’s Depot in the form of a chunk. The term chunk is used to refer to a set
of compressed logs and is the unit of collection in Tivoli Compliance Insight
Manager.

Each chunk consists of a header file and one or more data files, which are called
sub-chunks. A chunk log contains the security log of a given system or
application for a given period of time. For example, assume that the Tivoli
Compliance Insight Manager system is collecting audit data every hour, on the
hour. One chunk log records events from 1 p.m. to 2 p.m. At 2 p.m., Tivoli
Compliance Insight Manager runs a batch collect and collects the audit data from
the application. The next chunk records events from 2 p.m. to 3 p.m. At 3 p.m.,
Tivoli Compliance Insight Manager runs another batch collect and collects the
audit data from the application. Both chunks, from 1 p.m. to 2 p.m. and from
2 p.m. to 3 p.m., are portions of the security log from the audited application.
Together, the chunks constitute the whole security log.

The Depot supports the consolidation function of Tivoli Compliance Insight
Manager and data remains there until it is explicitly backed up and removed. This
way, log data is preserved for forensic analysis and investigations.

Tivoli Compliance Insight Manager provides a set of tools to verify that the
collection process is operating and to detect if collection failures have occurred.
Tivoli Compliance Insight Manager alerts selected administrators if a collection
failure occurs so that immediate action can be taken to prevent possible loss of
log data.

Tivoli Compliance Insight Manager provides specific reporting for administrators
and auditors to verify collections are occurring on schedule without problems. It
also allows you to verify that there is a continuous collection of logs available.
Tivoli Compliance Insight Manager can send alerts if the event data indicates
there is cause for concern and further investigation is needed. Finally, it is
possible to download selected logs from the Depot to a user’s local machine for
further analysis outside of Tivoli Compliance Insight Manager.

Methods of data collection
The most common mechanism for retrieving security log data is through a
process called batch collect. A security log is created on the audited machine by
the application, system, or device being audited. In general, such logs contain
records of many events, which all get processed as a batch. The Tivoli
Compliance Insight Manager Server initiates the collection of security logs from
the audited machines. This action is either triggered by a set schedule, or
manually through the Management Console. After receiving the security logs, the
Tivoli Compliance Insight Manager Server archives the security logs in the
Depot.

Event data is collected using a variety of methods to establish the consolidated
archive stored in the Depot. Events can be collected in numerous ways,
including:
• Logs
• Syslog
• SNMP
• NetBIOS
• ODBC
• External APIs
• SSH

There are two methods of data collection:
1. Locally installed software (Actuator) on the target machine.
2. Agentless collection. This can be achieved by either:
a. A remote Actuator installation that allows you to collect the application
security log that is located on a different host machine.
b. The Tivoli Compliance Insight Manager server acting as a Point of
Presence to collect the data.

Data collection using Actuators
A typical Tivoli Compliance Insight Manager network consists of the Tivoli
Compliance Insight Manager Server and a number of host machines to be
audited. These host machines may be running one or more applications, each of
which can be audited by the Tivoli Compliance Insight Manager Server. These
host machines are often referred to as the audited systems.

The Tivoli Compliance Insight Manager Actuator is comprised of Agent software
and numerous Actuator scripts. Refer to Figure 2-3 on page 46 for a graphical
representation of this architecture. The Actuator is used to facilitate the data

collection process. The server where the Actuator is installed is referred to as a
Point of Presence (POP). It can collect and forward security logs for the operating
system, applications, databases, or devices on which it is installed. Every
application that generates security audit log data is referred to as an event
source.

Each event source that is monitored has an associated Actuator. For example,
the security log on a Sun™ Solaris™ server is collected by the Actuator for the
Solaris event source. The same server running Oracle® could use the same
Actuator to collect and monitor the Oracle security log. There is a different
Actuator script for every supported type of event, so the Actuator can process
logs for several different event sources. In this example scenario, the Actuator is
collecting the logs from two event sources, namely “Solaris” and “Oracle for
Solaris”.

The Agent listens continuously on a reserved port for collect requests issued by
the Tivoli Compliance Insight Manager server. When a request is received, the
Agent invokes the appropriate script to gather the logs. After the Actuator has
collected the security audit log for a particular event source, the Agent
compresses and transfers the logs to the centralized Depot. The Agent maintains
an encrypted channel for all communication between the target machine and the
Tivoli Compliance Insight Manager server, that is, it provides a secure and
guaranteed transmission service.

Note:
1. The audited system often acts as the target system for event sources.
2. With regard to audit configurations, both the audited system and the
target system can be referred to as the audited system, that is, a system on
which the audited instance of the event source is hosted.
3. The Tivoli Compliance Insight Manager server can act as a Point of
Presence in some configurations. If this is the case, no Actuator needs to
be installed, because it is already included in the server installation.
Otherwise, an Actuator corresponding to the operating system running on
the Point of Presence needs to be installed.

For the examples throughout the remainder of this chapter, in the event that the
audited systems also act as the target systems for the Tivoli Compliance Insight
Manager server to access the audit trail, the term audited system will be used.

IBM Tivoli Compliance Insight Manager Installation Guide Version 8.5,
GC23-6580, provides excellent information about event sources and data
collection. Understanding the complexity of event sources and data collection for
supported operating systems will help in passing the certification test.

Agent collection mechanism
Figure 2-7 illustrates the steps involved in collecting data from an audited
system.

Figure 2-7 Agent data collection method

Note that:
1. The collection schedule is automatically triggered based on configured
settings. Alternatively, a manual collect command is given to the Tivoli
Compliance Insight Manager server through the Management Console.
2. The Tivoli Compliance Insight Manager server issues an audit trail
collect command to the Actuator. This command activates the Actuator on
the audited machine.
3. The appropriate Actuator script reads the security log and collects only those
new records since the last collection.
4. The Actuator formats the collected records into chunk format and compresses
the chunks. A chunk can contain many different log types from the audited
machine.
5. The Agent reads the chunk log data.
6. The Agent securely sends the chunk data in encrypted form to the Agent on
the Tivoli Compliance Insight Manager server.

7. The Agent on the server receives the chunk. The server application stores the
chunk in the Depot and archives the chunks by registering them in the
logmanager application and configuration database.
8. After successfully sending the chunks to the Tivoli Compliance Insight
Manager server, the Actuator deletes its local copy of the chunk. In addition,
on some platforms, you can also have the Actuator delete the original audit
trail.
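The chunk concept from “Collection” and the eight collection steps above, as an added simulation that is not the product’s code and does not reproduce its real chunk format. The header fields, the sub-chunk size, the hourly windows and the sample audit trail are all assumptions; what it shows is an Actuator collecting only records newer than its last collection, the chunk as the unit of collection, and the server-side log continuity check that exposes a missed collect.

```python
"""Constructed simulation of chunk-based collection (not product code, not the real
chunk layout). Shows incremental collection, a chunk as header plus compressed
sub-chunks, and a Depot continuity check that flags a missed collection window."""
import zlib
from dataclasses import dataclass, field

# Constructed audit trail on an audited system: (timestamp, raw record). One fixed
# timestamp format is used so that plain string comparison orders records correctly.
SAMPLE_AUDIT_TRAIL = [
    ("2008-09-01 13:05:10", "login user=alice src=10.0.0.5 result=success"),
    ("2008-09-01 13:42:00", "login user=bob src=10.0.0.9 result=failure"),
    ("2008-09-01 14:10:30", "read user=alice obj=/etc/shadow result=denied"),
    ("2008-09-01 14:55:00", "logout user=alice"),
    ("2008-09-01 15:20:00", "login user=carol src=10.0.0.7 result=success"),
]


@dataclass
class Chunk:
    """One chunk: a header describing the collection window plus its data files."""
    event_source: str
    start: str                    # window start, inclusive
    end: str                      # window end, exclusive
    sub_chunks: list = field(default_factory=list)   # (record_count, zlib bytes)

    def header(self) -> dict:
        return {"event_source": self.event_source, "start": self.start,
                "end": self.end, "records": sum(n for n, _ in self.sub_chunks)}


class Actuator:
    """Script side: reads the audit trail and packs only new records into a chunk."""

    def __init__(self, event_source, audit_trail, records_per_sub_chunk=2):
        self.event_source = event_source
        self.audit_trail = audit_trail
        self.records_per_sub_chunk = records_per_sub_chunk
        self.last_collected = ""      # high-water mark: timestamp of last record sent

    def collect(self, window_start: str, window_end: str) -> Chunk:
        """Steps 3 and 4: records inside the window and newer than the mark."""
        new = [(ts, rec) for ts, rec in self.audit_trail
               if window_start <= ts < window_end and ts > self.last_collected]
        chunk = Chunk(self.event_source, window_start, window_end)
        for i in range(0, len(new), self.records_per_sub_chunk):
            batch = new[i:i + self.records_per_sub_chunk]
            payload = "\n".join(f"{ts} {rec}" for ts, rec in batch).encode()
            chunk.sub_chunks.append((len(batch), zlib.compress(payload)))
        if new:
            self.last_collected = new[-1][0]   # step 8: the local copy is dropped
        return chunk


class Depot:
    """Server side: registers chunks and verifies continuity of collection."""

    def __init__(self):
        self.chunks = {}    # event_source -> chunks in the order received

    def store(self, chunk: Chunk) -> None:       # step 7
        self.chunks.setdefault(chunk.event_source, []).append(chunk)

    def continuity_gaps(self, event_source: str) -> list:
        """(previous_end, next_start) wherever two chunks do not join up."""
        ordered = sorted(self.chunks.get(event_source, []), key=lambda c: c.start)
        return [(prev.end, cur.start) for prev, cur in zip(ordered, ordered[1:])
                if cur.start != prev.end]

    def records(self, event_source: str) -> list:
        """Original records back out of the Depot, as a forensic download sees them."""
        out = []
        for chunk in sorted(self.chunks.get(event_source, []), key=lambda c: c.start):
            for _, blob in chunk.sub_chunks:
                out.extend(zlib.decompress(blob).decode().splitlines())
        return out


def run_collections(windows, audit_trail=SAMPLE_AUDIT_TRAIL) -> Depot:
    """One batch collect per (start, end) window; returns the populated Depot."""
    actuator = Actuator("solaris", audit_trail)
    depot = Depot()
    for start, end in windows:
        depot.store(actuator.collect(start, end))
    return depot


if __name__ == "__main__":
    # 13:00-14:00 and 14:00-15:00 collected; the 15:00-16:00 collect was missed.
    depot = run_collections([("2008-09-01 13:00:00", "2008-09-01 14:00:00"),
                             ("2008-09-01 14:00:00", "2008-09-01 15:00:00"),
                             ("2008-09-01 16:00:00", "2008-09-01 17:00:00")])
    for chunk in depot.chunks["solaris"]:
        print(chunk.header())
    print("continuity gaps:", depot.continuity_gaps("solaris"))
```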

Agentless collection
Tivoli Compliance Insight Manager supports agentless collection on Windows,
Novell®, and UNIX platforms. When using agentless remote collection, the
picture is slightly different than agent-based collection, but the steps remain the
same. The Point of Presence that performs the remote collection establishes the
secure connection to the Tivoli Compliance Insight Manager server, sending all
agentless collected data securely to the Depot.

Note: In the case of Windows, the agentless data collection requires one
Point of Presence per domain.

Agentless collection reduces the operational impact compared to an
agent-based approach. The SSH approach with UNIX provides a secure
connection; the NetBIOS approach used with Windows remote collection does
not provide a secure connection due to limitations inherent to the Windows
environment.

Windows agentless collection
The most common implementation of remote collection is on the Microsoft®
Windows domain. To audit several machines in a domain, only one of them
needs to be a Point of Presence and have an Actuator installed. Figure 2-8
shows the typical configuration used to perform an agentless collection when the
audited systems are Windows machines. Be aware, however, the agentless
collection method is not supported on all event sources.

Figure 2-8 Agentless data collection over NetBIOS

Note that:
1. The collection schedule is automatically triggered based on site specific
settings. Alternatively, a manual collect command is given to the Tivoli
Compliance Insight Manager server through the Management Console.
2. The Tivoli Compliance Insight Manager server issues a collect log
command to the Actuator. This command activates the Actuator on the target
machine.
3. The Actuator reads the security log from the remote server(s) using a
NetBIOS connection, collecting only those new events since the last
collection cycle.
4. The log data is processed and sent to the Depot on the Tivoli Compliance
Insight Manager server.

UNIX agentless collection
Tivoli Compliance Insight Manager also supports agentless collection for UNIX
servers. It uses SSH to perform the collection, so it is secure. The basic
configuration for a UNIX agentless collection is shown in Figure 2-9 on page 59.

Figure 2-9 Agentless data collection over SSH

Tivoli Compliance Insight Manager uses a PuTTY client to establish the SSH
connection, which needs to be appropriately configured. The UNIX server also
needs to be running an SSH daemon, set up with the appropriate privileges, as
per the Tivoli Compliance Insight Manager documentation.

Ubiquitous log collection
Tivoli Compliance Insight Manager can collect logs from any source. In some
cases, no mapping or normalization will be available for a specific source, but
indexers can be built for forensic analysis of these logs.

Tivoli Compliance Insight Manager offers a toolkit that shows how to configure an
event source to collect arbitrary log data. This method allows the collection of log
data that meets the following criteria:
• File based
• Record oriented
• Text

You can refer to IBM Tivoli Compliance Insight Manager User Reference Guide
Version 8.5, SC23-6582 for further information about how to customize
ubiquitous collect event sources for forensic search and analysis.

Syslog and SNMP collect
Tivoli Compliance Insight Manager can process and analyze security events that
are collected through the syslog and SNMP network logging mechanisms. The
support for syslog and SNMP messages is done either using a built-in
syslog/SNMP receiver or directly from a syslog-NG server. The Tivoli
Compliance Insight Manager Actuator has a built-in listening component that can
be activated on any Windows Point of Presence and can receive SNMP and
syslog messages. The collection of syslog messages captured by a syslog-NG
server is done through a Windows POP that collects the syslog files through
SSH.

Indexing and forensics
As previously mentioned, in a Tivoli Compliance Insight Manager cluster
environment, you have the forensic capability for in-depth investigation into your
raw log data.

When a chunk is placed in the Depot, it is indexed using the specific indexer that
has been configured for that event source. Indexers do not normalize the data;
they only split it into fields. The fields, or terms, are indexed using a proprietary
technique so the data can be easily searched using the forensic investigation
user interface.

You can build your own indexers using the Generic Scanning Language (GSL)
Toolkit to include collected arbitrary log data in forensic investigations or in cases
where the default indexer does not provide the analysis required.

Through the user interface, you are able to search by:
• Date
• Event source
• Field within that event source

A simple query language is available that supports Boolean operators (AND and
OR) and allows the grouping of terms through parentheses.
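An added evaluator for a forensic query of the kind described above (terms, AND, OR and parentheses over indexed fields). It is not the product’s query language or indexer: the grammar (OR binds loosest, AND tighter, field:value terms, bare words matching any field) and the sample index are assumptions. The index keeps raw values, because an indexer splits a record into fields without normalizing it.

```python
"""Constructed forensic query evaluator (not the product's own language or indexer).
Grammar assumed here: expr := term ("OR" term)*, term := factor ("AND" factor)*,
factor := "(" expr ")" | field:value | word. Records are indexed, not normalized."""
import re

# Constructed index entries from two Standard Servers in a cluster. Terminology stays
# as each source wrote it ("login" on Solaris, "Logoff" on Windows, "SELECT" on Oracle).
SAMPLE_INDEX = [
    {"server": "std1", "event_source": "solaris", "date": "2008-09-01",
     "user": "alice", "action": "login", "result": "success"},
    {"server": "std1", "event_source": "solaris", "date": "2008-09-01",
     "user": "bob", "action": "login", "result": "failure"},
    {"server": "std2", "event_source": "windows", "date": "2008-09-02",
     "user": "alice", "action": "Logoff", "result": "success"},
    {"server": "std2", "event_source": "oracle", "date": "2008-09-02",
     "user": "alice", "action": "SELECT", "object": "HR.SALARY"},
]


def tokenize(query: str) -> list:
    """Parentheses become their own tokens; everything else splits on whitespace."""
    return re.findall(r"\(|\)|[^\s()]+", query)


class QueryParser:
    """Recursive-descent parser producing a tree of nested tuples."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        tree = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return tree

    def expr(self):                    # OR has the lowest precedence
        node = self.term()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):                    # AND binds tighter than OR
        node = self.factor()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):                  # parenthesized group or a single term
        tok = self.take()
        if tok is None:
            raise ValueError("query ended unexpectedly")
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok in ("AND", "OR", ")"):
            raise ValueError(f"unexpected {tok!r}")
        fld, sep, value = tok.partition(":")
        return ("term", fld, value) if sep else ("term", None, tok)


def matches(node, record: dict) -> bool:
    """Evaluate a parsed query tree against one indexed record."""
    kind = node[0]
    if kind == "and":
        return matches(node[1], record) and matches(node[2], record)
    if kind == "or":
        return matches(node[1], record) or matches(node[2], record)
    _, fld, value = node
    if fld is None:                    # bare word: matches any field of the record
        return value in record.values()
    return record.get(fld) == value


def forensic_search(query: str, index=SAMPLE_INDEX) -> list:
    """All indexed records, across all servers, that satisfy the query."""
    tree = QueryParser(tokenize(query)).parse()
    return [rec for rec in index if matches(tree, rec)]


if __name__ == "__main__":
    # Because values are not normalized, the OR has to cover both spellings.
    for rec in forensic_search("user:alice AND (action:login OR action:Logoff)"):
        print(rec["server"], rec["event_source"], rec["date"], rec["action"])
```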

The forensic tools operate over all of the Standard Servers associated with the
Enterprise Server. They access the Depots through normal Windows file share
protocols.

Forensic analysis needs to happen once a problem is suspected or detected. It
can be carried out through the normal reporting databases very effectively.
However, there are circumstances where this is not adequate, such as when
specific log data that is not part of the W7 model needs to be searched and
correlated or where the criteria of the search is not practical for W7 analysis. For
such situations, Tivoli Compliance Insight Manager provides a forensic

investigation tool to search original unprocessed/non-normalized data in the
Depot. This allows searches to be carried out over many years worth of data
across a number of Standard Servers in a Tivoli Compliance Insight Manager
cluster.

Detailed information about the GSL toolkit can be found in Tivoli Compliance
Insight Manager User Reference Manual, SC23-6582.

2.3.2 Mapping and loading
Once log data has been centralized in the Depot, it can be processed and
analyzed. This process is shown in Figure 2-10.

Figure 2-10 Mapping and loading steps

Mapping
To make the audit trail data accessible, it is translated (or normalized) into an
easy-to-understand data model called the Generic Event Model (GEM).

The Tivoli Compliance Insight Manager mapping process for each and every
platform is coded using the Generic Scanning Language (GSL) and the Generic
Mapping Language (GML) in files that reside on the Tivoli Compliance Insight
Manager server. The chunks are sorted based on their timestamps and are
processed sequentially by the appropriate mappers. These mappers determine
the field translation values, that is, the mapper interprets the original log data and
translates the chunk data into the GEM database model.

Determine attributes
Security log data consists of records. Each record usually describes one event
that happened on the audited system. Central to GEM is the classification of
these events according to their W7 attributes. This is the process of normalizing
the data. W7 is an English Language format that describes: Who did What,
When, Where, From Where, Where To, and on What. The use of W7 formatted
information enables security specialists and non-technical personnel, including
auditors, to interpret audit information without the need for detailed knowledge of
each source. Most operating systems, infrastructure applications, and almost
every security device produces log data that is not readily understandable,
therefore mapping to the W7 format translates data into powerful audit
information.

Group and apply rules
To prepare data for reporting, the Tivoli Compliance Insight Manager
administrator will define one or more W7 grouping functions and policies that
each resemble a set of filters. These filters determine how the attributes
associated with each GEM event are classified. This grouping process takes the
fields from the GEM tables and labels them according to the W7 model defined
by the administrator.

The process of adding meta-information from the currently active policy to the
GEM records using the W7 classification scheme for the assets is often referred
to as grouping (or filtering).

The process of comparing each GEM event with the defined policies allows the
severity of each event to be evaluated. The policies applied to the event data
throughout this process determines the contents of the policy exception and
attention reports. When high severity events such as policy violations are
detected, an automatic e-mail alert can be sent to predefined recipients.

Loading
During the loading phase, the server uploads the GEM records together with the
meta-information into a relational GEM database. Usually, GEM databases are
periodically emptied and filled with recent data, often on a daily basis. This
means the data of the last day is present in the database in W7 format, ready for
analysis. If necessary, other data from the Depot can be mapped and loaded
through manual commands for analysis.

Note: Because mapping precedes and serves loading, the combination of the
two is also called load (in short form).

In the remainder of this section, we describe the key concepts related to mapping
and loading in more detail.

The W7 model
A security log consists of event records. Each record usually describes a single
event that occurred on the audited system. Tivoli Compliance Insight Manager
normalizes the collected event data into an English-based language called W7
so that it can easily be interpreted. All Tivoli Compliance Insight Manager
security events have seven basic attributes:
Who         Which user or application initiated the event?
What        What kind of action does the event represent?
When        When did the event occur?
Where       On which machine did the event happen?
OnWhat      What object (for example, a file, database, or printer) was involved?
WhereFrom   From which machine did the event originate?
WhereTo     Which machine is the target or destination of the event?

Figure 2-11 shows the W7 model.

Figure 2-11 The W7 model

Benefit of using W7
The disparate platforms and systems generating the logs will often use different
terminology for the same action. For example, one operating system may use the
term logging on, while another operating system uses login. Similarly, one
system may request a user ID while another system asks for a user name.
Unless you are an expert in all of the different systems used by your
organization, it is very difficult to search through the logged data manually to find
all instances of a given action or user.

Mapping the raw event data into a standard set of seven distinctive attributes
enables a consistent method for monitoring, analyzing, and reporting,
irrespective of the original format of the event. When translating log records into
W7 format, the seven Ws of the event are determined from the structure and
content of the original log record. Log record formats are very different for every
distinct event source; therefore, the normalization of data into W7 requires a
specialized knowledge of each event source to be mapped. The logic required to
do this mapping is built into the mapper code that resides on each audited
machine or device.

W7 is a grammar that enables you to check if a certain GEM event is in
compliance with the security policy. Through the use of this grammar, you can
differentiate between events that are compliant, that are considered exceptions,
and that require special attention.

Groups
In order to apply logic and draw conclusions from the normalized data, the events
have to be classified. Knowing that an event happened on Monday at 8.30 a.m. is
one thing, but in order to draw conclusions, it is more interesting to know whether
it happened during or outside a specific time period, for example, office hours.
Similarly, a user ID has certain access rights that detail what the user is allowed to
initiate. These access rights usually depend on the user's role, for example,
whether he or she is an administrator, regular user, or guest.
Therefore, all W7 attributes are classified into W7 groups. There are five types of
groups:
1. Who groups for classification of users and processes
2. What groups for classification of event types
3. When groups for classification of time periods
4. Where groups for classification of machines and devices
5. onWhat groups for classification of objects

The Where, Where from, and Where to attributes are all classified using the
same Where groups.

The correct classification for a particular object is site specific and is
automatically synchronized across the servers being audited. For example, in
which Who group does each user belong and to which Where group should each
system be assigned? The Tivoli Compliance Insight Manager administrator
defines the W7 elements and the grouping function that tells on which W7
element each GEM event attribute is projected. All GEM event table values that
are not covered by the specified grouping functions will be classified into one of
the default groups: Other Periods, Other Sources, Other Events, Other
Platforms, or Other Objects.

The Tivoli Compliance Insight Manager administrator can review and update this
information in the Grouping editor on the Tivoli Compliance Insight Manager
Management Console.

Figure 2-12 shows how the GEM event data is linked to the W7 model.

Figure 2-12 The relationship between the GEM event and the W7 model

Each W7 value of a GEM event is classified by the grouping process under a W7
group label. If you look at the W7 model as a five-dimensional space, you can
see that the GEM event in the example is linked to the W7 point determined by
the W7 rule (EVENING, USERS, LOGON LOGOFF, LOCALMACHINE, and
SYSTEM). Security policy rules are also represented by a combination of W7
group labels. Only the GEM events that collide with a W7 point that represents a
policy rule are in compliance with the security policy. Attention rules are also
represented by a combination of W7 group labels. GEM events are classified as
attention events if they collide with a W7 point that represents an attention rule,
that is, the W7 model can be used to determine if some GEM database records
need special attention or whether the records comply with the set of policy rules.

The result of the grouping for a particular record can be viewed in the Event
detail report in iView, as shown in Figure 2-13 on page 67.

Figure 2-13 Event Detail view

The column called Field shows the GEM field values of a GEM event. The
column Group shows, for each GEM field value, which W7 groups are linked to the
value to the left of it. For example, the GEM field value Administrator
(MSTESTCE\ADMINISTRATOR) is linked to at least two W7 groups:
Administrators and IT.
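The normalization and grouping steps described above, as an added example that is not part of this guide or of the product: two constructed log lines (one shaped like a Windows Security logon event, one like a UNIX sshd syslog line) are mapped into the seven W7 attributes by source-specific mappers, so that "Successful Logon" and "Accepted password" become the same W7 verb, and each attribute is then projected onto W7 group labels by constructed grouping functions, with unmatched values falling into the default groups named in the text. The log formats, hostnames, function names, and all group names other than the defaults are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class W7Event:
    """One normalized GEM record: the seven W7 attributes."""
    who: str
    what: str
    when: datetime
    where: str
    onwhat: str
    wherefrom: str
    whereto: str


# Constructed sample records (not real product output): one imitating a Windows
# Security event, one imitating a UNIX sshd syslog line. Both describe a logon.
WINDOWS_LINE = ("2008-09-02 19:45:10 WS01 Security 528 Successful Logon "
                "User: MSTESTCE\\ADMINISTRATOR Workstation: 10.0.0.5")
UNIX_LINE = ("Sep  2 08:15:01 srv02 sshd[4123]: Accepted password for root "
             "from 10.0.0.9 port 51000 ssh2")


def map_windows(line: str) -> W7Event:
    """Mapper for the Windows shape: 'Successful Logon' becomes the W7 verb LOGON."""
    m = re.match(r"(\S+ \S+) (\S+) Security \d+ (Successful Logon|Logoff) "
                 r"User: (\S+) Workstation: (\S+)", line)
    if not m:
        raise ValueError("unrecognized Windows record")
    stamp, host, action, user, source = m.groups()
    verb = {"Successful Logon": "LOGON", "Logoff": "LOGOFF"}[action]
    return W7Event(who=user, what=verb, when=datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                   where=host, onwhat="SYSTEM", wherefrom=source, whereto=host)


def map_unix_sshd(line: str, year: int = 2008) -> W7Event:
    """Mapper for the sshd shape: 'Accepted password' becomes the same W7 verb LOGON.
    syslog lines carry no year, so the caller supplies it."""
    m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted \w+ "
                 r"for (\S+) from (\S+)", line)
    if not m:
        raise ValueError("unrecognized sshd record")
    stamp, host, user, source = m.groups()
    when = datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
    return W7Event(who=user, what="LOGON", when=when, where=host, onwhat="SYSTEM",
                   wherefrom=source, whereto=host)


# Default groups for values that no grouping function covers (names as listed in the text).
DEFAULT_GROUP = {"who": "Other Sources", "what": "Other Events", "when": "Other Periods",
                 "where": "Other Platforms", "wherefrom": "Other Platforms",
                 "whereto": "Other Platforms", "onwhat": "Other Objects"}


# Constructed grouping functions, standing in for what an administrator defines in the
# Grouping editor. A value may belong to several groups, or to none.
def who_groups(user: str) -> FrozenSet[str]:
    name = user.split("\\")[-1].lower()          # drop a Windows domain prefix
    if name in ("administrator", "root"):
        return frozenset({"Administrators", "IT"})
    if name.startswith("svc_"):
        return frozenset({"Service Accounts"})
    return frozenset()


def what_groups(verb: str) -> FrozenSet[str]:
    return frozenset({"LOGON LOGOFF"}) if verb in ("LOGON", "LOGOFF") else frozenset()


def when_groups(when: datetime) -> FrozenSet[str]:
    if when.weekday() >= 5:
        return frozenset({"WEEKEND"})
    return frozenset({"OFFICE HOURS"}) if 8 <= when.hour < 18 else frozenset({"EVENING"})


def where_groups(host: str) -> FrozenSet[str]:
    known = {"WS01": "WORKSTATIONS", "srv02": "SERVERS"}   # constructed site inventory
    return frozenset({known[host]}) if host in known else frozenset()


def onwhat_groups(obj: str) -> FrozenSet[str]:
    return frozenset({"SYSTEM"}) if obj == "SYSTEM" else frozenset()


def classify(ev: W7Event) -> Dict[str, FrozenSet[str]]:
    """Project each attribute onto W7 group labels. Where, WhereFrom and WhereTo share
    the Where groups; anything left unmatched lands in the dimension's default group."""
    projected = {
        "who": who_groups(ev.who), "what": what_groups(ev.what),
        "when": when_groups(ev.when), "where": where_groups(ev.where),
        "wherefrom": where_groups(ev.wherefrom), "whereto": where_groups(ev.whereto),
        "onwhat": onwhat_groups(ev.onwhat),
    }
    return {dim: groups or frozenset({DEFAULT_GROUP[dim]}) for dim, groups in projected.items()}


def load(lines_by_source: Dict[str, str]) -> List[Tuple[W7Event, Dict[str, FrozenSet[str]]]]:
    """Map and load: run the mapper for each event source, then group every record."""
    mappers = {"windows": map_windows, "unix-sshd": map_unix_sshd}
    events = [mappers[src](line) for src, line in lines_by_source.items()]
    return [(ev, classify(ev)) for ev in events]


if __name__ == "__main__":
    for ev, groups in load({"windows": WINDOWS_LINE, "unix-sshd": UNIX_LINE}):
        print(ev.who, ev.what, {d: sorted(g) for d, g in groups.items()})
```

Both records end up with the same What group and the same Who groups (Administrators and IT, as in the Event Detail view), even though the source systems phrased the logon differently; only the When group and the machine groups differ, which is exactly what a W7 report can then compare.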

Policy management
Whether or not an event deserves special treatment is determined by comparing
the W7 groups it is classified into against a set of rules defined by the Tivoli
Compliance Insight Manager administrator. As previously mentioned, there are
two kinds of rules:
Policy rules: These rules describe acceptable use, for example, allowed behavior.
Attention rules: These rules identify events deserving special attention.

Policy rules are used to monitor the way that information and processes are
being used within an organization, that is, they specify which actions can be
performed by which people on which systems at what times. Actions that do not
match a policy rule generate policy exceptions. Policy rules have an associated
priority that can be set to enable differentiation so that policy violations and other
exceptions can be processed according to their severity or importance. This
allows security administrators and auditors to focus on addressing those events
that have the most significant impact on the business.

By refining policy rules, you can ensure that existing policies are effective and
can even establish new policies that reflect the actual behavior of users, as
opposed to theoretical activities contained in policy manuals and non-automated
tracking systems.

Automatically applying the policy rules makes it easy to quickly determine
whether each monitored action complies with policy.

Attention rules are used to highlight instances of events that are critical to the
organization. One typical application for these rules is to monitor change
management activities even if the events are allowed by your policy rules.
Actions that match an attention rule generate actions. For example, by looking for
a specific instance of a data attribute in any of the W7 dimensions for certain
events, you can set an alert to notify someone of a change to a server’s
configuration.

Figure 2-14 illustrates the process of comparing a logged event to the specified
policy and attention rules to determine whether actions and alerts are necessary.

Figure 2-14 Applying policy and attention rules

Alerting and notification
Alerts are messages that Tivoli Compliance Insight Manager sends when a
serious or potentially harmful security event has occurred. Alerts allow for a fast
response to the event by a systems manager or system administrator. The aim of
alerts is to raise attention for events that require a follow-up, that is, special
attention events or events above a defined severity level, such as security policy
exceptions. These properties are evaluated in the policy evaluation step of the
Map/Load process. The Map/Load process (mapper) sends alerts, as mentioned
in “Group and apply rules” on page 62.

Tivoli Compliance Insight Manager can send alerts through the following
protocols:
SMTP: Alerts are sent as e-mails.
SNMP: Alerts are sent as SNMP traps.
Custom alerts: Alerts are sent through a mechanism invoked with a
user-provided program or script.

For more information about alerts, refer to Chapter 17, “Managing Alerts”, in IBM
Tivoli Compliance Insight Manager User Guide Version 8.5, SC23-6581.
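Policy and attention rule evaluation, together with the alert criteria from the alerting section above, as an added example (this is not the product's rule engine): a rule is a W7 point with one group label per dimension or a wildcard, an event collides with a point when every dimension matches, policy rules decide compliance, attention rules flag events whether or not they comply, and an alert is raised for attention events or for policy exceptions at or above a severity threshold. The rule names, the exception severity constant, the alert threshold, and the classified sample events are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Dimensions of a W7 point, in the order used by the rule tuples below.
DIMENSIONS = ("when", "who", "what", "where", "onwhat")
Groups = Dict[str, FrozenSet[str]]      # one classified event: dimension -> its group labels
Point = Tuple[Optional[str], ...]       # one rule: a label per dimension, None = any group


@dataclass(frozen=True)
class PolicyRule:
    name: str
    point: Point
    priority: int      # higher = more significant when several policy rules match


@dataclass(frozen=True)
class AttentionRule:
    name: str
    point: Point
    severity: int      # severity given to an event that hits this rule


@dataclass
class Verdict:
    compliant: bool
    policy_rule: Optional[str]   # the matching policy rule of highest priority, if any
    attention: List[str]         # names of the attention rules that were hit
    severity: int


def collides(point: Point, groups: Groups) -> bool:
    """An event collides with a W7 point when, in every dimension, the rule's label is
    'any' or is one of the labels the grouping step assigned to the event."""
    return all(label is None or label in groups[dim]
               for dim, label in zip(DIMENSIONS, point))


def evaluate(groups: Groups, policy: List[PolicyRule], attention: List[AttentionRule],
             exception_severity: int = 5) -> Verdict:
    """Policy rules decide compliance; attention rules flag events regardless of compliance.
    exception_severity is a constructed constant assigned to events matching no policy rule."""
    matched = [r for r in policy if collides(r.point, groups)]
    best = max(matched, key=lambda r: r.priority, default=None)
    hits = [r for r in attention if collides(r.point, groups)]
    severity = max([r.severity for r in hits] + ([] if best else [exception_severity]),
                   default=0)
    return Verdict(best is not None, best.name if best else None,
                   [r.name for r in hits], severity)


def needs_alert(v: Verdict, threshold: int) -> bool:
    """Alert on attention events and on policy exceptions at or above the threshold."""
    return bool(v.attention) or (not v.compliant and v.severity >= threshold)


# Constructed rule set (not a shipped policy).
POLICY = [
    PolicyRule("admins-any-time",
               (None, "Administrators", "LOGON LOGOFF", "LOCALMACHINE", "SYSTEM"), 3),
    PolicyRule("users-office-hours",
               ("OFFICE HOURS", "USERS", "LOGON LOGOFF", "LOCALMACHINE", "SYSTEM"), 1),
]
ATTENTION = [
    # Change-management style rule: admin activity in the evening is allowed but watched.
    AttentionRule("evening-admin-activity", ("EVENING", "Administrators", None, None, None), 7),
]


def groups_of(*labels: str) -> Groups:
    """Build a classified event from one group label per dimension."""
    return {dim: frozenset({label}) for dim, label in zip(DIMENSIONS, labels)}


# Constructed classified events (output of the grouping step).
EVENTS = {
    "admin-evening": groups_of("EVENING", "Administrators", "LOGON LOGOFF", "LOCALMACHINE", "SYSTEM"),
    "user-office": groups_of("OFFICE HOURS", "USERS", "LOGON LOGOFF", "LOCALMACHINE", "SYSTEM"),
    "unknown-source": groups_of("OFFICE HOURS", "Other Sources", "LOGON LOGOFF", "LOCALMACHINE", "SYSTEM"),
}


def run(events: Dict[str, Groups], threshold: int = 5) -> Dict[str, Tuple[Verdict, bool]]:
    """Evaluate every event and decide whether it must be alerted on."""
    return {name: (v, needs_alert(v, threshold))
            for name, g in events.items() for v in [evaluate(g, POLICY, ATTENTION)]}


if __name__ == "__main__":
    for name, (v, alert) in run(EVENTS).items():
        print(f"{name:15} compliant={v.compliant} attention={v.attention} "
              f"severity={v.severity} alert={alert}")
```

The first event is compliant yet still raises an alert because it hits an attention rule, which is the "monitor change management even if allowed" case the text describes; the third event is an exception with no attention rule and is alerted only because its severity reaches the threshold.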

Which IT security policies to map into policy rules
Corporate IT security policies generally cover a whole range of controls,
including:
• Awareness programs
• Security clearance
• Authorization matrixes
• Logon policies

Only those IT security policy rules that interact with the security functions on a
platform may be considered to become Tivoli Compliance Insight Manager
security policy rules.

The following requirements must be met in order to use Tivoli Compliance Insight
Manager to report on a particular policy:
1. The security functions on the target must contain audit functions to monitor
the actions relating to the rule.
2. Tivoli Compliance Insight Manager must support the platform and collect the
information that the target provides.

Figure 2-15 describes some high level steps in the process of evaluating the
corporate IT security policy and creating rules to be used in the Tivoli
Compliance Insight Manager security policy.

Figure 2-15 is a flowchart with the following steps: start from a corporate IT
security policy rule; translate the rule into W7, recognizing Subjects, Objects,
and Verbs; classify it as either a policy rule or an attention rule; determine
whether the audit trail on the target can be configured to provide entities that
match the Subject, Object, or Verb (drop the rule if no match is found, and back
up the rule with procedures if only a partial match is found); add an appropriate
W7 policy rule to the TCIM security policy; commit the TCIM security policy.

Figure 2-15 Creating policies in Tivoli Compliance Insight Manager

Policy generation and enforcement
Policies are used as the baseline to filter all events (which are kept for forensic
investigations and regulatory compliance purposes) facilitating the exposure of
exceptions to the rules. Policies can be changed and adapted easily at any time.
Tivoli Compliance Insight Manager provides an easy-to-use integrated policy
generation tool, the Policy Generator, which allows the user to create policy rules
simply by looking at current event data and making a decision as to what
constitutes acceptable use of, or access to, information resources. Normal,
acceptable behavior becomes the rule. Policy generation is an evolving process.
If legitimate user actions are triggering policy exceptions and alerts in Tivoli
Compliance Insight Manager, then the security administrator needs to adjust the
policy to ensure that it reflects the “real world” environment and permissible
actions. Rules within policies can be adjusted at any time.

If the policy is formulated to reflect the rules of a regulation, such as the
Sarbanes-Oxley Act [1] (SOX) or Gramm-Leach-Bliley Act [2] (GLBA), or has been
established as part of a security framework, such as ISO17799 [3] or COBIT [4], Tivoli
Compliance Insight Manager provides the ideal reporting tool to meet your
regulatory compliance obligations.

The Policy Generator is an automated tool for creating policies from loaded event
data in a database and, based upon the built-in knowledge of various platforms,
builds the most applicable policy from that data. This policy can then be loaded
and modified if desired using the Policy Editor in the Management Console.

2.3.3 Data aggregation and consolidation
An aggregation process maintains data and statistics, spanning a longer period.
The aggregation process builds an “aggregation database” from which trends
and summaries can be extracted.

When a scheduled load is performed, part of the GEM database contents is
copied into the aggregation database. In particular, the following contents are
copied:
• The number of GEM events represented by the W7 categories
• All GEM events that need attention or do not comply with a policy rule set

For enterprise-wide trending in a Tivoli Compliance Insight Manager cluster
environment, aggregation databases from multiple Standard Servers are brought
together into a single consolidation database.
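The aggregation and consolidation steps of this section, as an added example that is not the product's code: a scheduled load copies per-day counts for every W7 category out of a GEM database and keeps the full records only for exceptions and attention events; an Enterprise Server then merges the aggregation databases of several Standard Servers into one consolidation database from which a trend for one W7 category can be read. The server names, the two-day sample GEM databases, and the helper names are constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

W7Point = Tuple[str, str, str, str, str]    # (when, who, what, where, onwhat) group labels


@dataclass(frozen=True)
class GemRecord:
    """One loaded GEM event after grouping and policy evaluation."""
    day: str
    point: W7Point
    compliant: bool
    attention: bool


@dataclass
class AggregationDB:
    """What a scheduled load copies out of the GEM database: per-day counts for every
    W7 category, plus the full records that were exceptions or needed attention."""
    server: str
    counts: Counter = field(default_factory=Counter)       # (day, point) -> event count
    retained: List[GemRecord] = field(default_factory=list)


def aggregate(server: str, gem_db: Iterable[GemRecord]) -> AggregationDB:
    """Standard Server side: summarize one GEM database into its aggregation database."""
    agg = AggregationDB(server)
    for rec in gem_db:
        agg.counts[(rec.day, rec.point)] += 1
        if rec.attention or not rec.compliant:
            agg.retained.append(rec)
    return agg


def consolidate(aggs: Iterable[AggregationDB]) -> AggregationDB:
    """Enterprise Server side: merge the aggregation databases of several Standard Servers."""
    total = AggregationDB("consolidation")
    for agg in aggs:
        total.counts.update(agg.counts)     # Counter.update adds counts, it does not replace
        total.retained.extend(agg.retained)
    return total


def trend(agg: AggregationDB, point: W7Point) -> Dict[str, int]:
    """Per-day event counts for one W7 category, the raw material of a trend report."""
    days = sorted({day for day, _ in agg.counts})
    return {day: agg.counts[(day, point)] for day in days}


def exception_count(agg: AggregationDB, day: str) -> int:
    """Number of policy exceptions retained for one day."""
    return sum(1 for r in agg.retained if r.day == day and not r.compliant)


# Constructed sample GEM databases for two Standard Servers, two daily loads each.
ADMIN_LOGON = ("EVENING", "Administrators", "LOGON LOGOFF", "LOCALMACHINE", "SYSTEM")
USER_LOGON = ("OFFICE HOURS", "USERS", "LOGON LOGOFF", "LOCALMACHINE", "SYSTEM")
UNKNOWN = ("OFFICE HOURS", "Other Sources", "LOGON LOGOFF", "LOCALMACHINE", "SYSTEM")
SERVER_A = [
    GemRecord("2008-09-01", USER_LOGON, True, False),
    GemRecord("2008-09-01", USER_LOGON, True, False),
    GemRecord("2008-09-01", ADMIN_LOGON, True, True),     # allowed, but an attention event
    GemRecord("2008-09-02", USER_LOGON, True, False),
    GemRecord("2008-09-02", UNKNOWN, False, False),       # policy exception
]
SERVER_B = [
    GemRecord("2008-09-01", USER_LOGON, True, False),
    GemRecord("2008-09-02", USER_LOGON, True, False),
    GemRecord("2008-09-02", USER_LOGON, True, False),
    GemRecord("2008-09-02", ADMIN_LOGON, True, True),
    GemRecord("2008-09-02", UNKNOWN, False, False),
]


def build() -> AggregationDB:
    """Aggregate both Standard Servers and consolidate them on the Enterprise Server."""
    return consolidate([aggregate("std-a", SERVER_A), aggregate("std-b", SERVER_B)])


if __name__ == "__main__":
    c = build()
    print("USER_LOGON trend:", trend(c, USER_LOGON))
    print("retained records:", len(c.retained), "of", sum(c.counts.values()))
```

Only four of the ten records survive in full; the other six are represented by their W7 category counts, which is what keeps an aggregation database small enough to span a long period.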

[1] More information about SOX can be found at http://www.soxlaw.com/.
[2] More information about GLBA can be found at
http://www.ftc.gov/privacy/privacyinitiatives/glbact.html.
[3] More information about ISO17799 can be found at http://www.17799central.com/.
[4] More information about COBIT can be found at
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981.

2.3.4 Reporting and presentation
Tivoli Compliance Insight Manager’s Web-based reporting tool, iView, provides a
large number of standard and custom reports. These are produced on request by
iView, which pulls information from mapped data, including information stored in
the aggregation database. The Tivoli Compliance Insight Manager possibilities
for reporting are very powerful and numerous, which is why we can only list a few
examples here:
• Attempts to breach security
• (Attempted) access to critical resources
• (Daily) reports of last login time stamps

Both standard and custom reports let you examine exceptions and events that
require special attention, and since the data presented in these reports is in the
W7 format, no specialized knowledge is required to interpret the output. Reports
are clear, concise, and integrate all security data for your review. Tivoli
Compliance Insight Manager provides a dashboard with graphical and statistical
overviews of logged activities, with drill-down capabilities to identify and examine
related events. Additionally, Tivoli Compliance Insight Manager’s clear illustration
of policy exceptions enables you to continuously monitor and tailor your security
policies to your changing business needs.

Custom reports
The Tivoli Compliance Insight Manager comes with standard reporting
capabilities like logon failures and so on. However, such a report does not
consider company-specific thresholds or provide a graphical representation of
the events, which can help to directly identify an account that might be under
attack. To create a custom report, follow these steps:
1. Open the portal and select iView → Reports → Add Custom Report.
2. Enter general information in the Report Editor page.
3. Complete the Report Layout.
4. Define the Report Type and select the columns you want to see in the report.
5. Select the events that should be reported.
6. Enter the conditions for the report.
7. Save the report.

A detailed description of creating customized reports and when and how reports
are distributed can be found in the IBM Redbooks publication Compliance
Management Design Guide with IBM Tivoli Compliance Insight Manager,
SG24-7530.

Compliance management modules
From the boardroom to information technology departments, rules and
regulations are placing ever-increasing demands on organizations of all sizes. In
the middle are IT security managers and auditors, who face the overwhelming
task of understanding the regulations and implementing a wide array of
compliance measures.

Tivoli Compliance Insight Manager has plug-in compliance management
modules available that provide optionally installable sets of capabilities to allow a
customer to monitor and maintain compliance with a selected standard. These
modules include sample policies and compliance report templates to assist
customers in meeting their regulatory requirements.

Regulations underscore the need to understand who is touching the most crucial
corporate data, and whether this behavior complies with security policy. You can
use Tivoli Compliance Insight Manager to monitor all security events and audit
them against your security policy.

Compliance management modules for the following regulations or best practice
sets exist:
• Sarbanes-Oxley Act
• Health Insurance Portability and Accountability Act [5] (HIPAA)
• ISO17799

These management modules are described in more detail in IBM Tivoli
Compliance Insight Manager User Guide Version 8.5, SC23-6581.

Report distribution
Tivoli Compliance Insight Manager Version 8.5 provides the functionality for the
automated distribution of reports in full or as excerpts to a predefined group of
Tivoli Compliance Insight Manager users. This report distribution functionality is
available through the Web interface of iView. More information about the report
distribution functionality can be found in Chapter 32, “Distributing Reports”, in
IBM Tivoli Compliance Insight Manager User Guide Version 8.5, SC23-6581.

[5] More information about HIPAA can be found at http://www.hhs.gov/ocr/hipaa/.

User roles
You can assign every Tivoli Compliance Insight Manager user specific access
and viewing rights from the Management Console. This level of granularity in
setting user access lets you customize views and management rights for specific
users, and limit access to administrative functionality. The ability to define the
mailing lists for alerts regarding high severity events also allows the Tivoli
Compliance Insight Manager administrator to control access to the security event
data. Any Tivoli Compliance Insight Manager user activity, from administrative
actions to report viewing, is automatically self-audited and included in the
organization-wide security reporting.

2.4 Conclusion
Tivoli Compliance Insight Manager gathers audit information from across the
organization and compares activity to the acceptable use policies defined by both
your organization and by your regulators. The core of Tivoli Compliance Insight
Manager is based on a secure, reliable, and robust log collection engine that
supports effective, complete log collection and fast, efficient query and retrieval.
By focusing on security from the inside, it uses the W7 methodology (Who, did
What, on What, When, Where, Where from, and Where to) to consolidate,
normalize, analyze, and report on vast amounts of user behavior and system
activity. As a result, organizations can quickly and easily reveal who touched
what within the organization (with alerts and proactive reports) and compare that
activity to an established internal policy or external regulations. Numerous
organizations rely on the policy-based approach of Tivoli Compliance Insight
Manager to simplify monitoring the activities of privileged users, such as
administrators and outsourcers, improving security auditing, compliance
monitoring, and enforcement for heterogeneous environments, ranging from
super servers to the desktop.

After having read and understood this chapter and the additional sources that
were mentioned in this chapter, you should be able to answer all planning
questions of the certification test. Please note that practical experience is
essential in passing the certification test successfully.

Chapter 3. Installation
A Compliance Management System consists of many components and requires
extensive planning, as we discussed in Chapter 2, “Planning” on page 39. In this
chapter, we provide a high-level overview of the Tivoli Compliance Insight
Manager installation process. For more detailed, step-by-step installation
instructions, refer to the Deployment Guide Series: IBM Tivoli Compliance Insight
Manager, SG24-7531 and IBM Tivoli Compliance Insight Manager Installation
Guide Version 8.5, GC23-6580.

After having read and understood this chapter and the additional sources that will
be provided in this chapter, you should be able to answer all of the exam
questions related to the installation process. Please note that practical
experience is essential in passing the certification exam successfully.

3.1 Planning of the installation
Depending on your system requirements, you can choose one or more of the
following installation options:
• Tivoli Compliance Insight Manager Enterprise Server
This installs the Enterprise Server, the Web applications, the Management
Console, and the consolidation database.
• Tivoli Compliance Insight Manager Standard Server
This installation method installs the Standard Server, the Web applications,
and the Management Console.
• Point of Presence
This installs the Actuator component.
• Management Console
This installs the Actuator and the Management Console.

In this context, we take a closer look at the following functional areas that are
crucial for the installation of the Tivoli Compliance Insight Manager:
• Supported software and operating systems
• Network traffic requirements
• Centralized user management

3.1.1 Supported software and operating systems
Tivoli Compliance Insight Manager Standard Server and Tivoli Compliance
Insight Manager Enterprise Server are Windows-based servers that have the
following software requirements:
• Microsoft Windows Server® 2003 with Service Pack 1
– NetBIOS enabled
– TCP/IP network connection configured to all other systems hosting Tivoli
Compliance Insight Manager components
– NTFS file system
• Microsoft Internet Information Server (IIS) 6 for Windows Server 2003
(required for Web applications)

Tivoli Compliance Insight Manager Management Console requires the following
software components:
• Microsoft Windows Server 2003 with Service Pack 1
• Internet Explorer® 6.0

Tivoli Compliance Insight Manager Web Applications has the following software
requirements:
• Internet Explorer 6.0
– Style sheet supported and enabled
– JavaScript™ supported and enabled
– Java™ applets supported and enabled
– Cookies enabled

The following operating systems will be supported by Tivoli Compliance Insight
Manager Actuator:
• AIX® 5L™ V5.1, 5L V5.2, and 5L V5.3
• Sun Solaris 7 - 10
• HP-UX 10.20 and 11i (11.11)
• Windows NT® 4.0 with Service Pack 6, Windows 2000 with Service Pack 2,
Windows XP Professional, or Windows Server 2003 with Service Pack 1
• Windows NT 4.0 with Service Pack 6, Windows 2000 with Service Pack 2,
Windows XP Professional with Service Pack 2, or Windows Server 2003 with
Service Pack 1
– NetBIOS enabled
– NTFS file system

Tivoli Compliance Insight Manager Actuator has the following software
prerequisites:
• Install the Standard Server and the Management Console before installing
the Actuator.
• The Actuator must have access to the Tivoli Compliance Insight Manager
servers through a TCP/IP network.
• The Server, Management Console, and Actuator components of the Tivoli
Compliance Insight Manager system use a range of ten ports with base 5992
(default) or other as determined in the Add Machine wizard. Any routers or
firewalls between these systems should allow two-way connections on these
ports.
• Connect the Actuator to the Tivoli Compliance Insight Manager servers
through a TCP/IP network.

3.1.2 Network traffic requirements
In order to allow the TCP/IP communication required by the Tivoli Compliance
Insight Manager, the following ports need to be opened:
• The components (Tivoli Compliance Insight Manager Standard Server,
Management Console, and Actuators) require a two-way connection on the
base port itself (default of 5992).
• Monitored Windows event sources require TCP port 139 with a one-way
connection.
• Monitored UNIX SSH event sources require a defined TCP port (default of
TCP 22) with a one-way connection.
• The default Database Port uses port 50001 between the Enterprise Server
and Standard Server.
• The IBM Tivoli Directory Server Port uses port 389 between Enterprise
Servers and Standard Servers.
• Standard Windows File Share is available between the Enterprise Server and
any attached Standard Servers.

3.1.3 Centralized user management
Centralized user management is enabled by the use of a Tivoli Compliance
Insight Manager Security Group. The Tivoli Compliance Insight Manager servers
in a Security Group authenticate users and authorize access through a directory
on a designated server called a Security Server. The Tivoli Compliance Insight
Manager servers that authenticate through the Security Server are called
Grouped Servers.

The database engine must be installed on all servers. However, only the Security
Server has an LDAP server installed. During installation of the database engine
and the LDAP server, you specify one of the following:
• You want to install the user directory (for a Security Server)
• You want to connect to the user directory (for a Grouped Server)

Both the Security Server and the Grouped Servers can be either Tivoli
Compliance Insight Manager Standard Servers or Enterprise Servers. However,
because of the resource requirements of an Enterprise Server, you may want to
consider using a Standard Server for the Security Server.

More details about the installation of the Security Server will be provided in 3.2.1,
“Security Server installation” on page 81.

3.2 Installation of Tivoli Compliance Insight Manager
Before you begin your installation, decide which computer will be the Security
Server and which computers will be Grouped Servers. In addition, decide which
computers will be Standard Servers and which will be Enterprise Servers.
Ensure that each server or workstation hosting the Tivoli Compliance Insight
Manager components meets the system requirements. Information about the
software requirements is in 3.1.1, “Supported software and operating systems”
on page 78. In order to get further details about the system requirements, refer to
the IBM Tivoli Compliance Insight Manager Installation Guide Version 8.5,
GC23-6580.

The only difference between a Tivoli Compliance Insight Manager Enterprise
Server and a Tivoli Compliance Insight Manager Standard Server is the
consolidation database in the Enterprise Server. This component allows you to
view aggregated data from multiple servers. Every Standard Server that is
registered to an Enterprise Server automatically aggregates the data it collects
by group. The Enterprise Server collects aggregated data of all Standard Servers
in the Enterprise Server database (the consolidation database).

In environments with multiple Standard Servers, you can add an Enterprise
Server to create a Tivoli Compliance Insight Manager cluster. A cluster is
composed of one Enterprise Server and up to three Standard Servers.

Deployment of a typical Tivoli Compliance Insight Manager Standard Server
consists of the following procedures:
• Install the database engine provided by the Tivoli Compliance Insight
Manager.
• Install the desired Tivoli Compliance Insight Manager components.

3.2.1 Security Server installation
Typically, the first step in a Tivoli Compliance Insight Manager deployment is to
install a Security Server. The Security Server will provide centralized user
management for the other Tivoli Compliance Insight Manager servers in the
environment. If you do not want to leverage the centralized user management
feature, you will have to perform the same installation steps on every Tivoli
Compliance Insight Manager server in your environment.

Prior to the installation of the Tivoli Compliance Insight Manager, you first need to
install and configure the DB2® database and IBM Tivoli Directory server that will
be used for hosting the GEM database and the user directory. The installation
needs to be performed by a user with sufficient privileges to install the software,
such as a Local Administrator.

For more information about the installation of the Security Server, see the IBM
Tivoli Compliance Insight Manager Installation Guide Version 8.5, GC23-6580.

3.2.2 Installation of Tivoli Compliance Insight Manager Standard Server
The steps of the Standard Server installation are as follows:

Installing the database engine
Tivoli Compliance Insight Manager provides its own database engine that needs
to be installed.

Figure 3-1 on page 83 shows all of the details that need to be entered as part of
the database engine installation.

Figure 3-1 Tivoli Compliance Insight Manager Database Engine Setup

After the installation of the database engine is complete, you must reboot your
system before continuing with the installation of the other Tivoli Compliance
Insight Manager components.

Installing Tivoli Compliance Insight Manager components
For the Tivoli Compliance Insight Manager Standard Server, the following
software components will be installed:
• Tivoli Compliance Insight Manager Server
• Management Console
• Web applications

After entering the target directory for the installation, we continue with the
creation of the Tivoli Compliance Insight Manager user account. Figure 3-2
shows the creation of the Tivoli Compliance Insight Manager user account.

Figure 3-2 Tivoli Compliance Insight Manager account name configuration

In the database connection window shown in Figure 3-3 on page 85, we specify
the database instance. This is a database instance that Tivoli Compliance Insight
Manager can use that was specified during the installation of the database
engine.

Figure 3-3 Tivoli Compliance Insight Manager database connection

After entering the required parameters, you will see the target directories where
the components will be installed. For a step-by-step explanation of the Tivoli
Compliance Insight Manager Standard Server installation process, refer to IBM
Tivoli Compliance Insight Manager Installation Guide Version 8.5, GC23-6580.

Verification of the Standard Server installation
After finishing the setup, we need to ensure that the installation was successful.
Figure 3-4 shows the Setup Complete window displayed after the completion of
the installation. This window lists the Tivoli Compliance Insight Manager
components that were installed, and whether the installation succeeded.

As an example, an error message about the cancellation of the Tivoli Compliance
Insight Manager Web Applications was used intentionally in Figure 3-4.

Figure 3-4 Tivoli Compliance Insight Manager Setup finished window

To determine the completeness of the installation, the following steps need to be
performed:
1. Search the following logs:
– Install_Dir\Server\log\Install.log for a line similar to Installation Tivoli
Compliance Insight Manager Server finished successfully
– Install_Dir\ManConsole\install.log for a line similar to Installation Tivoli
Compliance Insight Manager Management Console finished successfully
– Install_Dir\iView\log\install.log for a line similar to Installation Tivoli
Compliance Insight Manager Web Applications finished successfully

2. Check the availability of the following Tivoli Compliance Insight Manager
services:
– IBM Tivoli Compliance Insight Manager Server V8.5
– IBM Tivoli Compliance Insight Manager Event Mapper DBName
– IBM Tivoli Compliance Insight Manager Tomcat
There will be an IBM Tivoli Compliance Insight Manager EventMapper service
for each reporting database created (including the SelfAudit database).
3. Check the availability of the following DB2 and Tivoli Directory Server
services:
– IBM Tivoli Directory Server Instance V6.1 - idsinst
– IBM Tivoli Directory Server Admin Daemon V6.1 - idsinst
– DB2 - CIFCOPY - CIFINST-0
– DB2 - IDSCOPY - DB2IDS-0
– DB2 - IDSCOPY - IDSINST
– DB2 Remote Command Server (CIFCOPY)
– DB2 Remote Command Server (IDSCOPY)
4. Use the Tivoli Compliance Insight Manager administration account (the
default is cifowner) to log on to the Management Console.
5. Use the same Tivoli Compliance Insight Manager administrator account to log
on to the Web Portal.
6. Check the contents of the register.ini files for the Management Console, Tivoli
Compliance Insight Manager Server, and iView components for errors.
Typically these files can be found in the following directories:
– Install_Dir\ManConsole
– Install_Dir\IBM\TCIM\server
– Install_Dir\IBM\TCIM\iView
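A post-install check that applies the list above to constructed input, as an added example that is not part of the study guide. Log text and the installed service list are passed in as strings (on the server they would come from the three install.log files and the Services console); the DB2 and Directory Server services are left out because their names carry instance-specific parts, and the Event Mapper service name is derived per reporting database as step 2 describes.

```python
# Added example (not from the study guide): apply the installation checklist
# above to constructed input. The success phrases and service names are the
# ones listed above; one Event Mapper service is expected per reporting
# database, SelfAudit included.
SUCCESS_LINES = {
    r"Server\log\Install.log":
        "Installation Tivoli Compliance Insight Manager Server finished successfully",
    r"ManConsole\install.log":
        "Installation Tivoli Compliance Insight Manager Management Console finished successfully",
    r"iView\log\install.log":
        "Installation Tivoli Compliance Insight Manager Web Applications finished successfully",
}

FIXED_SERVICES = (
    "IBM Tivoli Compliance Insight Manager Server V8.5",
    "IBM Tivoli Compliance Insight Manager Tomcat",
)


def expected_services(reporting_databases):
    """Fixed services plus one Event Mapper service per reporting database."""
    databases = set(reporting_databases) | {"SelfAudit"}
    mappers = [f"IBM Tivoli Compliance Insight Manager Event Mapper {db}"
               for db in sorted(databases)]
    return list(FIXED_SERVICES) + mappers


def failed_logs(logs):
    """logs maps a log path (relative to Install_Dir) to its text.

    Returns the paths whose text lacks the expected success line, so a
    missing or truncated log counts as a failure too.
    """
    return [path for path, phrase in SUCCESS_LINES.items()
            if phrase not in logs.get(path, "")]


def missing_services(installed, reporting_databases):
    """Expected services that do not appear in the installed list."""
    have = {name.strip() for name in installed}
    return [s for s in expected_services(reporting_databases) if s not in have]


def verify(logs, installed, reporting_databases):
    """Return (ok, problems); ok is True only when every check passed."""
    problems = [f"no success line in {p}" for p in failed_logs(logs)]
    problems += [f"service not installed: {s}"
                 for s in missing_services(installed, reporting_databases)]
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample: the Web Applications install was cancelled and the
    # Event Mapper for the GENERAL reporting database is missing.
    sample_logs = {
        r"Server\log\Install.log":
            "...\nInstallation Tivoli Compliance Insight Manager Server finished successfully\n",
        r"ManConsole\install.log":
            "Installation Tivoli Compliance Insight Manager Management Console finished successfully\n",
        r"iView\log\install.log":
            "Installation Tivoli Compliance Insight Manager Web Applications cancelled\n",
    }
    sample_services = [
        "IBM Tivoli Compliance Insight Manager Server V8.5",
        "IBM Tivoli Compliance Insight Manager Tomcat",
        "IBM Tivoli Compliance Insight Manager Event Mapper SelfAudit",
    ]
    ok, report = verify(sample_logs, sample_services, ["GENERAL"])
    print("installation complete" if ok else "\n".join(report))
```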

The directory Install_Dir\log\patches contains detailed information for every patch that has been applied. If a patch fails to apply, you must determine the cause of the error, fix the problem, and delete the entries for this patch and all subsequent entries in register.ini. After this is done, apply the patches again using the previously described method. In Chapter 5, “Performance tuning and problem determination” on page 151, we describe how to handle this kind of technical problem.

For more information about the installation of the Tivoli Compliance Insight
Manager Standard Server, see the IBM Tivoli Compliance Insight Manager:
Installation Guide, GC23-6580.

3.2.3 Installation of Tivoli Compliance Insight Manager Enterprise Server
There are two primary installation options for the Enterprise Server: You can
install a new server or upgrade a Standard Server. When performing an upgrade
from a Standard Server, you simply install the consolidation component.

Verification of the Enterprise Server installation

The Enterprise Server installation verification steps are the same as listed earlier for the installation of the Standard Server, with the following additional tasks:
1. Check the Install_Dir\Consolidation\log\install.log file for errors.
2. Check the status of the IBM Tivoli Compliance Insight Manager Indexer hostname services.
3. Open the Install_Dir\server\log\IndexerDaemonXXX.log file to verify that Indexer Daemon activity is being logged.

Chapter 5, “Performance tuning and problem determination” on page 151 contains a detailed explanation of how to resolve the potential technical problems.

For more information about the installation of the Tivoli Compliance Insight
Manager Enterprise Server, see the IBM Tivoli Compliance Insight Manager:
Installation Guide, GC23-6580.

3.2.4 Registering a Standard Server with the Enterprise Server

To consolidate data from Standard Servers to a Consolidation Server and enable Centralized Log Management, register each Standard Server with the Enterprise Server.

Figure 3-5 on page 89 shows a message box that comes up once the Standard
Server of Tivoli Compliance Insight Manager is installed. If you install an
Enterprise Server later and would like to register this Standard Server to the
Enterprise Server, then you can do so by running the command that is saved in a
text file. The location of this text file is shown in this message box. You can
retrieve this text file and copy the command for use when you register the
Standard Server with the Enterprise Server.

Figure 3-5 Location of the text file containing the command to register to an Enterprise Server

The registration of the Standard Server to the Enterprise Server is as follows:
1. On the Enterprise Server, open a command prompt.
2. Navigate to the consolidation\bin subfolder:
cd \ibm\tcim\consolidation\bin
3. To add the Standard Server, type the following command at the command prompt, or retrieve the text file where the registration command was saved during the Standard Server installation. Modify the parameters as required and paste the command at the command prompt:
beat.bat -setsrv hostname TCPport dataserver DB_cifowner_user DBcifownerpwd OS-user OS-user_password

Where:
• hostname is the name of the system on which dataserver is installed.
• TCPport is the TCP port that the database uses to communicate. (The default value is 50001.)
• dataserver is the database server where the engine for the Standard Server to be registered resides.
• DBcifownerpwd is the password for the DB_cifowner_user user account.
• OS-user is the operating system user account for the Server on the Standard Server.
• OS-user_password is the password for the OS-user account.

3.3 Conclusion
In this chapter, we gave an overview of how to plan the installation of the Tivoli
Compliance Insight Manager. We also showed how to install the Tivoli
Compliance Insight Manager Standard Server, including the registration of the
Standard Server to the Enterprise Server.

Chapter 4, “Configuration” on page 91 guides you through the configuration of the event sources that will be monitored.

Chapter 4. Configuration
Before Tivoli Compliance Insight Manager can collect the audit trails for
monitoring, the auditing functionality must be enabled and configured properly on
the target systems. In this section, we describe the auditing configuration of the
Windows and AIX platforms. We also explain how to configure the new event
sources and the deployment of the Actuators. The last section of this chapter
shows how to create the policies. In this context, we describe how to create and
modify W7 groups and how to use these groups in policies.

After having read and understood this chapter and the additional sources that will
be provided in this chapter, you should be able to answer all of the exam
questions related to the configuration process. Please note that practical
experience is essential in passing the certification exam successfully.

4.1 Auditing settings for the Windows platforms
Windows supports auditing of various account and system related events. This
allows you to monitor system security so you can identify security breaches. The
level of auditing will depend on the reporting needs of your organization. Some
companies may only require basic auditing while other organizations may require
a more detailed level. A balance must be achieved between the audit level,
server performance, and disk space. Enabling every audit setting could result in
a very large audit trail or a loss in data if the audit trail is rolled over.

In this section, we describe the settings that are configured for all of the Windows 2003 servers, as well as settings specific to the Active Directory® and File and Print servers.

4.1.1 Auditing settings for the Windows Security log

The Microsoft Management Console (MMC) can be used to set the Audit Policy
for the Windows servers. The following steps are used to configure the policy:
1. Select Start → All Programs → Administrative Tools → Local Security
Policy.
2. In the left hand menu, navigate to Local Policies → Audit Policy.
3. Set the Audit Policy to log the appropriate events.

Figure 4-1 on page 93 shows the configuration of the audit policy settings by
using the Microsoft Management Console (MMC).

Figure 4-1 MMC Audit Policy settings

4.1.2 Active Directory audit policy settings

In order to configure the audit policy settings on the Active Directory servers,
select Administrative Tools → Domain Security Policy and Administrative
Tools → Domain Controller Security Policy. Figure 4-2 appears, showing the
configuration on the Windows 2003 Active Directory servers.

Figure 4-2 Domain security settings

By default, the Active Directory is configured to log critical and error events only.
Only change this behavior if a detailed investigation is needed, because
extensive logging of events can quickly consume data storage space.

The following types of events that can be written to the event log are defined in the Active Directory:
• Knowledge Consistency Checker (KCC)
• Security Events
• ExDS Interface Events
• MAPI Events
• Replication Events
• Garbage Collection
• Internal Configuration
• Directory Access
• Internal Processing
• Performance Counters
• Initialization/Termination
• Service Control
• Name Resolution
• Backup
• Field Engineering
• LDAP Interface Events
• Setup
• Global Catalog
• Inter-Site Messaging

Microsoft has defined the following levels of diagnostic logging for the Active Directory:
0 - (None) Only critical events and error events are logged at this level.
1 - (Minimal) Very high-level events are recorded in the event log at this setting.
2 - (Basic) Events with a logging level of 2 or lower are logged.
3 - (Extensive) Events with a logging level of 3 or lower are logged.
4 - (Verbose) Events with a logging level of 4 or lower are logged.
5 - (Internal) All events are logged, including debug strings and configuration.

In this stage of the process, the desired level of logging on Security Events and Directory Access needs to be decided. These settings are applied through the registry settings as follows:
1. Run regedit on the Active Directory target machine.
2. Navigate to the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics.
3. Assign a value from 0 to 5 for each of the available REG_DWORD values in this Diagnostics subkey. Figure 4-3 shows some example values from the registry.

Figure 4-3 Registry settings

4. Close the registry.

Note: The example in this chapter describes the monitoring of a single Active
Directory server only. For bigger Active Directory implementations where a
domain forest has been implemented, the process for monitoring the single
Active Directory server shown in this chapter would need to be repeated for
each member of the forest.
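As an added example (not from the study guide), the following Python builds a .reg file for the Diagnostics subkey named in step 2 using the 0 to 5 scale above, reads the levels back from an export, and lists the values set to Extensive or higher. The numbered value names such as "2 Security Events" and "8 Directory Access" are assumed to be how Windows names these REG_DWORD values; confirm them in regedit on the target before importing.

```python
# Added example (not from the study guide): build and read back a .reg file
# that sets NTDS diagnostic logging levels under the Diagnostics subkey, using
# the 0-5 scale Microsoft defines. Value names are assumed to be the numbered
# names Windows uses (for example "2 Security Events" and "8 Directory
# Access"); confirm them in regedit before importing the file.
import re

DIAG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"

# Logging levels as defined by Microsoft (see the list above).
LEVEL_NAMES = {0: "None", 1: "Minimal", 2: "Basic",
               3: "Extensive", 4: "Verbose", 5: "Internal"}

# Level from which the study guide warns that storage can fill up quickly.
STORAGE_WARN_LEVEL = 3


def is_valid_level(level):
    """True when level is an integer in the documented range 0..5."""
    return isinstance(level, int) and level in LEVEL_NAMES


def build_reg(settings):
    """Return Registry Editor 5.00 text setting each value name to its level.

    settings maps a REG_DWORD value name (e.g. "8 Directory Access") to 0..5.
    """
    lines = ["Windows Registry Editor Version 5.00", "", f"[{DIAG_KEY}]"]
    for name, level in sorted(settings.items()):
        if not is_valid_level(level):
            raise ValueError(f"{name}: level {level!r} is outside 0..5")
        # .reg files encode REG_DWORD as 8 lowercase hex digits.
        lines.append(f'"{name}"=dword:{level:08x}')
    return "\r\n".join(lines) + "\r\n"


_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Read the Diagnostics levels back from an export (or a file built above).

    Only values under the Diagnostics subkey are read; other keys are ignored.
    """
    levels = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line == f"[{DIAG_KEY}]"
            continue
        match = _VALUE_RE.match(line)
        if in_key and match:
            levels[match.group(1)] = int(match.group(2), 16)
    return levels


def review_levels(levels):
    """Value names set to Extensive (3) or higher, which can fill disk quickly."""
    return sorted(name for name, lvl in levels.items() if lvl >= STORAGE_WARN_LEVEL)


if __name__ == "__main__":
    wanted = {"2 Security Events": 2, "8 Directory Access": 3}
    reg_text = build_reg(wanted)
    print(reg_text)
    for name in review_levels(parse_reg(reg_text)):
        print(f"warning: {name} is at {LEVEL_NAMES[wanted[name]]} or above")
```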

4.1.3 File server settings: Object access auditing

This section describes how to monitor and audit the file shares. To enable and
configure auditing of access to a specific folder, these steps are performed on the
target system:
1. Open Windows Explorer, right-click the folder, and select Properties, as
shown in Figure 4-4.

Figure 4-4 Folder Properties

2. Click the Security tab and then the Advanced button, as shown in
Figure 4-5.

Figure 4-5 Advanced Security options

3. Select the Auditing tab. Figure 4-6 shows the default contents of this tab.

Figure 4-6 Auditing Security settings for a Windows folder

4. Configure auditing for a new user or group by clicking Add. An input box will
be displayed. You can enter the name of the user group to be monitored and
click OK. In Figure 4-7, as an example, the Domain Users group has been
added because all authenticated users of the systems are contained in this
group.

Figure 4-7 Select User, Computer, or Group input box

5. An Auditing Entry window for the selected folder is displayed. Select an Apply
onto option from the available drop-down menu and check the appropriate
access options before clicking OK. As you can see in Figure 4-8, we decided
to monitor the create, read, write, and delete access to this folder, as well as
all subfolders and files.

Figure 4-8 Auditing Entry window

6. The new auditing entry will now appear in the Advanced Security Settings
window, as shown in Figure 4-9 on page 101.

Figure 4-9 The new auditing entry is displayed in the Advanced Security Settings window

7. Click OK to close.

For additional guidance about how to configure the Windows audit settings for
use with Tivoli Compliance Insight Manager, refer to the IBM Tivoli Compliance
Insight Manager Installation Guide Version 8.5, GC23-6580.

4.2 Auditing settings for UNIX-based platforms
UNIX systems have always maintained log files that record who has logged on or
off on a system. Over time, the amount of information in the UNIX log files has
increased significantly. Today, many UNIX-based operating systems provide
expanded audit and logging facilities to record more detailed information. Here
are a few examples:
• Which files have been transferred over the network
• Attempts by users to use the su command (to become a super user)
• Summary of information about all electronic mail messages sent and received
• Every web page that is downloaded, and so on

4.2.1 Configuration of the auditing settings on an AIX system

The AIX audit subsystem supports two modes of information collection:
• BIN
• STREAM

We suggest using the BIN mode for the production servers. To start, stop, and query the audit subsystem, use the /usr/sbin/audit command.

The configuration of the audit subsystem is contained in a series of files. The config file contains the basic configuration settings. Using this file, you configure the collection mode, the audit classes, and to which users event auditing applies. The bincmds file contains the commands used by the auditbin daemon to flush data in bin files to the audit trail.

To audit object access on an AIX system, you must define the object audit event
types and which objects you want to monitor.

For additional guidance on how to configure the AIX audit subsystem for use with
Tivoli Compliance Insight Manager, refer to IBM Tivoli Compliance Insight
Manager Installation Guide Version 8.5, GC23-6580.

4.3 Configuring the new event sources
Now that the audit subsystems have been configured on the target machines, the
Tivoli Compliance Insight Manager server needs to be configured to monitor the
targets. This configuration involves the following high level steps in the Tivoli
Compliance Insight Manager Management Console:
1. Create a GEM database to store the event data.
2. Create a Windows and an AIX Machine Group and add the machines to be
audited.
3. Add the individual event sources for each target machine.

4.3.1 Create the GEM database

You can create new GEM databases for event data in the database view of the
Management Console as follows:
1. Open the Tivoli Compliance Insight Manager Management Console.
2. Switch to the Database View.
3. Select Database → Add GEM Database.
4. The Add GEM Database window will appear. Fill out the name and size for the
new database and click OK. Figure 4-10 shows the database that will be used
to store the event data originating from the Windows systems.

Figure 4-10 Add GEM Database

5. Figure 4-11 shows how the new database will now appear in the Database
View.

Figure 4-11 New database

4.3.2 Create system group and add Windows machines

In order for Tivoli Compliance Insight Manager to monitor one or more event
sources on a particular machine, the machine needs to be registered in the
Management Console. If desired, the registered machines can be grouped
together into system groups to organize the audited systems.

As an example, we decided to group the audited Windows machines into a system group called “Windows” in the Machine View of the Management Console.

Create Windows system group

This section describes how to create a system group from the Machine View
window.

To create a system group:
1. From the Machine View in the Management Console, select System → Create Machine Group. The Create Machine Group window is displayed.
2. In the New group name field, type a name for the group (see Figure 4-12).

Figure 4-12 Create machine group

3. Click OK to confirm the action.
4. The new Machine Group is now displayed in the Machine View window.

Add Windows target machines

Each of the Windows 2003 servers to be audited should be added as a new
machine. In this section, the setup and configuration for auditing of one domain
controller server will be shown. The process needs to be repeated for adding the
other Windows target machines.

These steps should be performed to add each machine:
1. Right-click the WindowsSystems machine group shown in the Management
Console Machine View and select Add Machine. The Add Machine Wizard
will begin (see Figure 4-13).

Figure 4-13 Add Machine Wizard

2. Select the Audited Machine Type from the available drop-down menu, as
shown in Figure 4-14. Select Next.

Figure 4-14 Choose Machine Type

3. Enter the name of the target machine(s) to be audited in the Name input box
within the Machine frame and click the Add button. As illustrated in
Figure 4-15 on page 107, the machine name now appears in the Selected
frame. Click Next.

The Tivoli Compliance Insight Manager server, in turn, relies on the Computer Browser service to obtain a database of all existing systems in the domain as well as in the other domains or workgroups. The Computer Browser service, which runs on every Microsoft Windows target system, is used for NetBIOS name resolution (port 139). If the systems are separated by a firewall, you must ensure that netbios-ssn (port 139) is opened on the firewall in both directions.

Note: Checking the Show Available Event Source Types box causes the
Event Source Type panel on the right hand side of the window to appear. This
allows you to browse the supported event sources for the type of machine you
are adding.

Figure 4-15 Choose Audited Machines

4. A local Actuator will be installed on each of the target machines. This option is
selected in Figure 4-16. Click Next.

Figure 4-16 Select Point of Presence

5. The default port that will be used for the Point of Presence is 5992. You can
check the availability of your configured port by clicking the Test Port button.
In this window, you can select to perform an Automatic or a Manual install. For
demonstration purposes, this chapter will show a manual Actuator installation
on a single Windows 2003 target system, as shown in Figure 4-17. When
adding the remaining Windows 2003 server machines in Tivoli Compliance
Insight Manager, the option of automatically installing the Windows Actuators
on the targets could be used.

Figure 4-17 Configure new Point of Presence

6. Providing that the port you have configured is available, the message box
shown in Figure 4-18 will be displayed. Click OK on the Test IP and Port
message box. Click Next in the New Point of Presence window to advance
the Wizard.

Figure 4-18 Test port success

7. The Choose Event Source Type window appears. In Figure 4-19 on page 109, both Microsoft Active Directory and Microsoft Windows have been selected. Select Next.

Note: When adding the Windows 2003 server machines that are not Active
Directory servers, only the Microsoft Windows event source would be
selected.

Figure 4-19 Choose Event Source Type

8. Figure 4-20 shows the Completing the Add Machine Wizard window that
appears. Click Finish to complete the Add Machine setup.

A configuration file is created for each audited machine based on the choices made during the previous Add Machine steps. The Management Console stores the configuration file in the default folder Install_Dir\Server\config\machines. If the Management Console is running on a remote system, the configuration file is stored on the remote system under Install_Dir\ManConsole. This file will be needed during the manual installation of the Actuator on the audited machines.

Figure 4-20 Complete Add Machine Wizard

4.3.3 Add event sources

Immediately after the Add Machine wizard completes, the Event Source wizard
will automatically run once for each event source that was selected in step 7 of
“Add Windows target machines” on page 104.

The steps that follow describe how to complete the Microsoft Active Directory
Event Source wizard for an example server:
1. Click Next on the Event Source Wizard welcome window that is displayed in
Figure 4-21.

Figure 4-21 Add Event Source Wizard

2. The Choose an Audit Policy Profile window is displayed in Figure 4-22. We
select the option None in order to leave the existing audit settings on the
target systems without any changes. Click Next.

Figure 4-22 Choose an Audit Policy Profile

3. Within Tivoli Compliance Insight Manager, it is possible to define schedules
for the event sources to automatically collect the security data from the audit
platform. Every time a schedule runs, the Tivoli Compliance Insight Manager
server connects to the event source and instructs it to collect the security
data. The data is then transmitted to the Tivoli Compliance Insight Manager
server as a chunk. The next window that appears allows you to choose a
Collect Schedule, as shown in Figure 4-23. Configure the desired schedule
and click Next.

Figure 4-23 Choose a Collect Schedule

4. The event source data collected can be scheduled to load into one or more
GEM databases, as shown in Figure 4-24. We will be storing all Windows
events in the GEM database called GENERAL that was created in 4.3.1,
“Create the GEM database” on page 103. We select GENERAL, as shown in
Figure 4-24, and click Next.

Figure 4-24 Choose a GEM Database

5. Figure 4-25 on page 115 shows the next window that is displayed. This
window allows you to configure a Load Schedule for loading the data from the
event source into the GEM database. The Load Schedule should be related to
the Collect Schedule that was configured in step 3. Configure the Load
Schedule and click Next.

Note: In general, set the load frequency to an interval as long as or longer
than the Collect Schedule interval. For example, data may be collected
hourly, and loaded twice a day. It is unlikely that you would want to collect
data twice a day, and load it hourly.

Set the Load Schedule time at least 15 minutes after each scheduled
collection time. This delay ensures that Tivoli Compliance Insight Manager
loads the most recently collected data into the database.

Figure 4-25 Choose a Load Schedule
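The two rules in the note above can be checked mechanically. The following added example (not from the study guide) takes collection and load times as "HH:MM" strings within one day, a constructed representation rather than the product's own schedule format, and reports a Load Schedule that runs more often than the Collect Schedule or starts less than 15 minutes after a collection.

```python
# Added example (not from the study guide): check a Load Schedule against a
# Collect Schedule using the two rules from the note above. Times are "HH:MM"
# within one day (constructed input, not the product's schedule format); the
# 15-minute margin is the value the guide recommends.
MIN_LOAD_DELAY_MIN = 15


def _minutes(hhmm):
    """'13:45' -> 825 minutes after midnight; rejects malformed input."""
    hours, mins = hhmm.split(":")
    h, m = int(hours), int(mins)
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"bad time {hhmm!r}")
    return h * 60 + m


def check_schedules(collect_times, load_times, min_delay=MIN_LOAD_DELAY_MIN):
    """Return a list of problems; an empty list means the schedules agree.

    Rule 1: loads must not run more often than collections.
    Rule 2: each load must start at least min_delay minutes after the most
            recent collection, so that it picks up that collection's chunk.
    """
    problems = []
    collects = sorted(_minutes(t) for t in collect_times)
    loads = sorted(_minutes(t) for t in load_times)
    if not collects:
        return ["no collection times defined"]
    if len(loads) > len(collects):
        problems.append(f"loads ({len(loads)}/day) run more often than "
                        f"collections ({len(collects)}/day)")
    day = 24 * 60
    for load in loads:
        # Most recent collection at or before this load, wrapping past midnight
        # when the load is earlier than the first collection of the day.
        earlier = [c for c in collects if c <= load]
        last = earlier[-1] if earlier else collects[-1] - day
        gap = load - last
        if gap < min_delay:
            problems.append(f"load at {load // 60:02d}:{load % 60:02d} is only "
                            f"{gap} min after the previous collection")
    return problems


def hourly(minute=0):
    """A collection schedule that runs once every hour at :minute."""
    return [f"{h:02d}:{minute:02d}" for h in range(24)]


if __name__ == "__main__":
    # Collected hourly, loaded twice a day 15 minutes after a collection.
    print(check_schedules(hourly(), ["00:15", "12:15"]))  # []
    # Loaded too soon after the collections and more often than collected.
    print(check_schedules(["00:00", "12:00"], hourly(5)))
```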

6. The Event Source Wizard is now complete and the final window is shown in
Figure 4-26. Click the Finish button.

Figure 4-26 Complete the Add Event Source Wizard

For more information about the configuration of the new event sources, refer to
IBM Tivoli Compliance Insight Manager Installation Guide Version 8.5,
GC23-6580.

4.4 Installing an Actuator on a target machine

The Add Machine Wizard can be used to install the Actuator automatically when
creating a Point of Presence, as shown in Figure 4-17 on page 108. However, if
you cannot use the automatic option provided by the Add Machine Wizard, you
will need to perform the installation manually.

To install the Actuator manually, run the setup.exe program in the \NT directory of the IBM Tivoli Insight Manager for Windows 2003 CD3. After entering the directory for the Actuator installation, you will be asked to also enter the path to the configuration file shown in Figure 4-27. The configuration file was created when adding the event source through the Management Console.

Figure 4-27 Select Configuration File

In the next step, the Enter OS Account window allows you to configure an operating system account that will be used to run the Tivoli Compliance Insight Manager Actuator as a service, as shown in Figure 4-28.

Figure 4-28 Enter OS Account

In the next step the setup will be performed. The installation wizard will
automatically install the updates that have been included with the installation
media. After the successful installation, the current patches and platform updates
need to be obtained from IBM Tivoli Support. Verification of the installation can
be done by viewing the register.ini file.

For more information about the Actuator installation, refer to the IBM Tivoli
Compliance Insight Manager Installation Guide Version 8.5, GC23-6580.

4.5 Configuration of the audit policy (W7 groups and rules)
Now that the audit subsystems have been configured on the servers and the
event sources have been registered with Tivoli Compliance Insight Manager, the
W7 rules can be configured on the Standard Server. In particular, the groups
need to be defined, along with the appropriate W7 policy and attention rules.

4.5.1 Adding User Information Sources (UIS)

In order to create meaningful policy and attention rules, it is important to define
W7 groups that represent the structure of your IT environment.

To assist with creating these W7 groups, Tivoli Compliance Insight Manager allows you to import grouping data from an existing User Information Source (UIS). In the following example, we import the user information from Active Directory to simplify the creation of the W7 grouping definitions.

The following steps illustrate how to import this UIS data:
1. Open the System menu and select Add → User Information Source, as
shown in Figure 4-29.

Figure 4-29 Add User Information Source

2. The Add User Information Source Wizard will start. Click Next in the welcome
window shown in Figure 4-30.

Figure 4-30 Add User Information Source Wizard welcome window

3. The next window that is displayed allows us to select the machine where the
User Information Source resides. Figure 4-31 shows that, for this example,
the server FSPDC is selected. Click Next.

Figure 4-31 Choose a Machine

4. The next window shown in Figure 4-32 allows us to select what User
Information Source should be used. Active Directory groupings from FSPDC
are being used. Click Next.

Figure 4-32 Choose a User Information Source

5. The User Information Source properties are displayed on the next window, as
shown in Figure 4-33. We click the Edit button to modify the Domain name.

Figure 4-33 Define User Information Source Properties

6. We can now enter the name of the Active Directory domain. In the example below (see Figure 4-34), the domain name INSIGHT has been used to represent all of the users who are being monitored by Tivoli Compliance Insight Manager. Click Next.

Figure 4-34 Define User Information Source Properties

7. Now we can choose a Collection Schedule for extracting information from the
specified UIS before clicking Next to continue (refer to Figure 4-35).

Figure 4-35 UIS collection schedule

8. The Add User Information Source completion window is displayed. Click the
Finish button to complete the process, as shown in Figure 4-36.

Figure 4-36 Completing the Add User Information Source Wizard

9. The new User Information Source is now displayed in the Event Source view
of Management Console, as shown in Figure 4-37.

Figure 4-37 Grouping Active Directory UIS is available in the Management Console

Viewing the User Information Source
Once the first scheduled UIS collection is complete, we can view the user
information grouping definitions that have been collected.

Select Policy → View Automatic Policy and choose the current time in order to
get the most recent grouping definition.

4.5.2 Configuring a new policy with W7 rules

Policy building is a crucial part of using Tivoli Compliance Insight Manager to
effectively monitor your environment. Policy building is essentially the
combination of W7 groups. You can combine W7 elements to create policy and
attention rules.

The following process can be used to create a new policy that includes grouping
and policy rules for the Windows event sources that are being monitored:
1. Duplicate the latest committed policy to create a new working policy.
2. The new working policy can be used for customizing the W7 group definitions.
The Group Definition Set from the UIS can be imported into this policy.
3. Create appropriate W7 policy rules and attention rules for policy building.
4. Load the database using this working policy.
5. Commit the policy when the W7 rules are producing the desired results.

Each of these five steps is described in more detail in this section.

Create a new working policy

We use the default committed policy that is installed with Tivoli Compliance
Insight Manager as the foundation for the policy that we need to develop.

To create a Work policy in the Management Console Policies View, we right-click
the most recent committed policy and select Duplicate, as shown in Figure 4-38.

Figure 4-38 Create a new working policy

A new policy appears under the Work folder, as shown in Figure 4-39.

Figure 4-39 Work policy

Import UIS group definitions

The imported group definitions from the UIS can be included in the new
working policy as follows:
1. Open the working policy in the Policies window and right-click the policy
name. Select Import Group Definition Set, as shown in Figure 4-40 on
page 129.

Figure 4-40 Import Group Definition Set

2. We can use the Browse button to search for the correct configuration file, as
shown in Figure 4-41.

Figure 4-41 Browse for the configuration file name

3. The imported group definitions from the UIS are stored in an automatic policy
by default. The automatic policies are located at
<TCIM_HOME>/Server/config/grouping/automatic, as shown in Figure 4-42.

Figure 4-42 NT folder for the automatic policy contains the config file

4. As shown in Figure 4-43 on page 131, we open the FSPDC.cfg file.

Figure 4-43 Select group definition file

5. In Figure 4-44, we configure the group definition set name to be “FSPDC” and
click OK.

Figure 4-44 Name the new definition set

6. A folder called FSPDC appears in the policy window on the right hand side.
We double click this policy group and its contents are displayed in the left
hand panel, as shown in Figure 4-45.

Figure 4-45 Locate the new group definition set in the working policy

Customize group definitions

As well as the grouping definitions imported from the UIS, we also need to create
some other grouping rules to describe sensitive company assets.

The following steps illustrate how to specify a W7 Group definition to describe an example file share with sensitive data on a Windows server:
1. Open the NT group definitions and expand the list of onWhat groups in the left
hand panel. Locate the group for Financial Data - Medium, right-click it, and
select New Condition, as shown in Figure 4-46.

Figure 4-46 Create new condition

2. Figure 4-47 shows how to create a requirement to specify the new condition.
Right-click the condition and select New Requirement.

Figure 4-47 Create new requirement

3. As you recall, object access auditing was configured in 4.1.3, “File server
settings: Object access auditing” on page 96. These configured audit settings
on the target machine will result in user actions in the C:\Finance folder (and
its contents) being logged by Windows. These logged events describe actions
on the finance share. When mapped by Tivoli Compliance Insight Manager,
these events will have a W7 Object Path value that starts with “C:\finance”.
Therefore, the requirement “Object Path starts with C:\Finance” is configured,
as shown in Figure 4-48.

Figure 4-48 Specify condition for asset to be classified as FinancialData - Medium

4. The new requirement is now complete and can be seen in the Grouping
windows shown in Figure 4-49.

Figure 4-49 W7 group definition for the Windows financial data file share

Create W7 policy rules


The grouping definitions that have been created can now be used to formulate
W7 policy rules that describe the set of permissible W7 events.

The default committed policy that was used as the basis for the current working
policy contains a number of predefined policy rules and attention rules. We need
to analyze the existing policy and attention rules to ensure that they are all
appropriate to our IT environment.

New rules also need to be created to customize the rules to meet environment
specific needs. This section describes the process of creating one of the policy
rules that we would like to introduce to the policy. The rule is defined in Table 4-1.

Table 4-1 New W7 policy rule


W7 category   Who      What                Where
Value         System   System Operations   INSIGHT

The following figures show the steps involved to create the new policy rule from
the Policies view in the Management Console:
1. Ensure that the Policy tab is selected and right-click in the Policy Rules
window. Select New Rule, as shown in Figure 4-50 on page 135.

Figure 4-50 Create a new policy rule

2. As you can see in Figure 4-51, an Edit Rule window appears that allows us to
enter the W7 groups that specify the new rule. Click OK.

Figure 4-51 Edit rule window

3. The new rule appears in the Policy Rules list, as shown in Figure 4-52.

Figure 4-52 List of policy rules

4. Once the new policy rules have been defined, the working policy must be
saved. The Save option is under the Policy menu (see Figure 4-53).

Figure 4-53 Save working policy

Create W7 attention rules


Attention rules also need to be created in the working policy. The W7 attention
rules should represent events that we are interested in monitoring.

For example, we are interested in being notified whenever confidential financial
data is deleted. This section outlines how to configure an attention rule for these
deletion events in Tivoli Compliance Insight Manager.

It is important to highlight here that a W7 group has been defined to represent
the deletions performed by a user in a Windows environment. Figure 4-54 on
page 137 shows this group definition.

Figure 4-54 W7 What group: User Actions - Deletions

This What group can now be used in the new Attention rule that is created.

Here is an outline of the steps involved in creating the new Attention rule for
capturing any deletion events on the Windows financial data file shares:
1. Ensure that the Attention tab is selected and right-click in the Attention Rules
window. Select the New Rule option, as shown in Figure 4-55.

Figure 4-55 Create new attention rule

2. Figure 4-56 shows the Edit Rule window that appears. The new Attention
Rule has been defined as: Any user performing a deletion (W7 What = “User
Actions - Deletions”) on objects in the financial file shares (W7 onWhat =
“Financial Data”).
We have opted to assign an ID to this attention rule so that it can be managed
easily. Tivoli Compliance Insight Manager allows these rule IDs to be used to
create alerts for individual attentions. That is, an alert can be configured in the
future to send an e-mail to the IT security administrator when events matching
this attention rule are detected by Tivoli Compliance Insight Manager.

Figure 4-56 Edit attention rule window

3. After we click OK in the Edit Rule window, the new Attention rule appears in
the Attention Rules window, as shown in Figure 4-57.

Figure 4-57 Attention rule for deletions on FinancialData

Alerts
As described in the previous section, we decided to configure an alert that sends
an e-mail to the security IT administrator staff when deletions are performed on
objects in the confidential file shares.

The following steps describe how an e-mail alert is created for the Windows
finance file share:
1. Open the Alert Maintenance window in the Management Console. Click the
New button, as shown in Figure 4-58.

Figure 4-58 Alert Maintenance window

2. Tivoli Compliance Insight Manager creates a new alert with placeholder
entries and adds it to the bottom of the existing alert list (if any). We right-click
the new alert and select Edit, as shown in Figure 4-59.

Figure 4-59 Edit the new alert

3. The Edit Alert window is displayed, as shown in Figure 4-60 on page 141. We
configure the alert to send an e-mail to the recipient admin@tfac.com when
events matching the attention rule with ID DeleteFinancials occur. Click OK.

Figure 4-60 Edit Alert options

4. The alert is updated with the new configured settings. Click the Protocol
Settings button shown in Figure 4-61 to configure the protocols in use.
Protocol settings apply to all alerts that are sent using the same protocol.

Figure 4-61 Alert Maintenance windows display the modified alert

5. The Protocol Settings window is shown in Figure 4-62. We configure the
e-mail settings for the environment and click OK.

Figure 4-62 Protocol Settings window

The alert has now been configured.

4.5.3 Load the database


Now that the Tivoli Compliance Insight Manager environment has been
configured for the event sources and a working policy has been created, we can
start with the collection and loading of the data from the target systems. Once the
data is loaded, iView can be used to view the data and the effect of the policy
mapping process.

We can wait for the next scheduled collection and load to occur. Alternatively, we
can temporarily cancel the scheduled load and manually load the database
instead.

Here is the process for manually loading the database:
1. Locate the database that you plan to load in the database view of the
Management Console. Right-click it and select Load, as shown in
Figure 4-63.

Figure 4-63 Start the load process

2. The Load Database Wizard Welcome window appears, as shown in
Figure 4-64.

Figure 4-64 Welcome to the Load Database Wizard

3. We select the GENERAL database in the next window and click Next, as
shown in Figure 4-65.

Figure 4-65 Choose a database to load

4. We specify a period of time for which collected data should be loaded, as
shown in Figure 4-66, and click Next.

Figure 4-66 Data collection period

5. In the next window, shown in Figure 4-67, we decide whether to perform a
data collection now or whether to use the data that has already been collected
through an earlier collection process.

Figure 4-67 Specify whether to collect before the load

6. Since we are performing a manual load, the wizard prompts us to specify
which policy should be used to map the data. In order to test out the policy
that we have been working on, we select the Fixed policy option and navigate
to the correct policy in the work folder, as shown in Figure 4-68. Click Next.

Figure 4-68 Select a policy to be applied to the loaded data

7. Click Finish in the completion window for the wizard, as shown in
Figure 4-69.

Figure 4-69 Complete the Load Database Wizard

8. When we refresh the database view in the Management Console, we see that
the status for that database changes to the value “Loading...” to signify that
the load process has started. When the load is complete, the status will be
“Loaded” and the time and date of the last load will also be updated.

Verification of the load process


When the security data has been loaded successfully, the database icon appears
green. If the mapping failed to load the security data, the database icon appears
red.

Every loading process generates a log file in the Install_Dir\server\log directory.

The log file name is derived from the GEM database name that was being
loaded. For example, if the database name is Lab, the generated file is called
mainmapper-lab.log. You will find a maximum of 10 archived instances of this log
file numbered from 0 to 9. The log file without an index is the one currently being
used by the mapper process. If you want to analyze the latest load process for a
certain GEM database, use the most recent archived mainmapper-xxx.log[0-9]
files.

Commit the policy


Now that the database has been loaded using the policy that we have been
working on, we need to review the data that has been collected and how it is
presented in iView. This review of the data may lead to modifications of the
groupings and rules defined in the policy. After any policy changes, the data can
be re-loaded and mapped using the policy so that the new effect of the rules can
be reviewed. Once the team is satisfied that the policy is configured as desired,
the policy can be committed. The most recently committed policy is the policy
that will automatically be applied to scheduled database loads.

To commit the working policy, we simply right-click the policy (in the work folder of
Management Console Policy Explorer) and select Commit. When the policy has
been committed, it will appear under the Committed folder.

4.6 Conclusion
Event source configuration was the main topic of this chapter. We showed how
auditing can be configured and enabled on the target systems. The next section
described how to configure new Windows event sources. Without an Actuator on
a target system, it is not possible to gather log data from that system, so we
dedicated a section in this chapter to this topic. The last section of this chapter
described how to configure an audit policy. Basically, these are the W7 groups
and the rules. To work with gathered data, it has to be loaded into the database,
which was one of the last steps described in this chapter.

We are now ready to run reports from the log data that was loaded into the
database, which we discuss in Chapter 6, “Administration” on page 179.

Note: In this chapter, the configuration of the auditing settings and the
installation of the Actuators on the target machines have been explained in
detail only for the chosen example platforms. For more information about the
remaining platforms supported by the Actuators, refer to the IBM Tivoli
Compliance Insight Manager Installation Guide Version 8.5, GC23-6580.


Chapter 5. Performance tuning and problem determination

In this chapter, we provide information about resources and tools that you can
use when identifying and resolving problems related to the IBM Tivoli
Compliance Insight Manager.

© Copyright IBM Corp. 2008. All rights reserved. 151


5.1 Problem determination
Problems that require troubleshooting typically result from errors in installation,
configuration, and operation procedures. This section describes basic steps for
problem determination for the various stages of your Tivoli Compliance Insight
Manager installation and configuration. Later in this chapter, we talk about Tivoli
Compliance Insight Manager tools that can help you find and determine the
causes of errors. Those diagnostic tools are:
- Log files
- Dynamical tracing

5.1.1 Problem determination of installation errors


Installation errors can occur with Tivoli Compliance Insight Manager and its
components (for example, management modules and so on). To respond to
failures that occur when installing and configuring those components, refer to the
installation, configuration, and troubleshooting guides. Perform the following
tasks to respond to errors that occur during the Tivoli Compliance Insight
Manager installation:
1. Read the message text to determine the source of the problem. Depending
on the type of error, the error message might be posted in the installation
program window or a command window. If the error is severe, detailed
information is saved in a log file. See 5.2, “Troubleshooting using log files” on
page 158 for information about the logs created during installation.
2. Correct the cause of any errors described in the error message information
and retry the installation.
3. Repeat this procedure until you have concluded that any remaining
installation errors are not the result of an improper installation setup.

Known installation errors


The following issues describe known errors (and their workarounds) that relate to
installation, upgrading, or uninstalling.
- Only start one instance of the installation program.
Only run one instance of the Tivoli Compliance Insight Manager installation
program at a time. The installation program does not prevent multiple
instances from being run. Running multiple instances of the installation
program results in unpredictable results.

Work around: Only run one instance of the installation program at a time.
After launching the installation program, wait a sufficient amount of time for
the installation wizard to start.
- The installation program does not verify that different ports are used for LDAP
and DB2.
If the same port number is specified for both Tivoli Directory Server and DB2,
the installation program does not report an error. However, different ports
must be used.
Work around: Ensure that different port numbers are specified for Tivoli
Directory Server and DB2 during installation.
- After infrastructure component installation failure, you must manually remove
any installed components.
If the installation program fails while installing one of the infrastructure
components, you must manually remove any infrastructure components
previously installed, or partially installed, before running the installation
program again.
Work around: Manually remove any installed, or partially installed,
components before running the installation program again.
- The server installation fails if the installation program is run using a
nonstandard Windows shell.
If the Tivoli Compliance Insight Manager installation program is run from a
nonstandard Windows shell, the subsequent installation of the Tivoli
Compliance Insight Manager server might fail with a message such as No
suitable driver found.
Work around: If using a nonstandard Windows shell, you must reboot the
Windows system after installing the infrastructure components. You can then
install the Tivoli Compliance Insight Manager server. Alternately, only run the
installation program from Windows Explorer or the Windows Command
Prompt.
- You cannot uninstall DB2 when the Tivoli Compliance Insight Manager server
is uninstalled.
When uninstalling the Tivoli Compliance Insight Manager server, the option to
also remove the database engine is not available. You cannot have DB2
uninstalled automatically when you uninstall the Tivoli Compliance Insight
Manager server.
Work around: After uninstalling the Tivoli Compliance Insight Manager server,
uninstall DB2.

Chapter 5. Performance tuning and problem determination 153


- The installation fails if the user ID contains non-English language characters.
If the installation program is run on a non-English language system where the
user ID contains non-English language characters, the install of the
infrastructure components might fail.
Work around: Run the installation program from a user ID that only has
English characters in it. Also ensure that the name of the administrative group
also consists of only English language characters.
- The installation fails if a specified password does not comply with operating
system password rules.
The passwords specified in the installation program are not checked to
ensure that they meet the password requirements in effect for the operating
system or domain. Thus, it is possible to specify a password that cannot be
used to create a user later in the installation process.
Work around: Ensure that any passwords specified in the installation program
meet the minimum password length, password complexity, and password
history requirements being enforced by the operating system or domain.
- When installed by a domain administrator, auditing of the infrastructure
components is not enabled.
When the infrastructure components are installed by a domain administrator
(as opposed to a local administrator), the auditing of the components is not
enabled.
Work around: If the infrastructure components are going to be installed by a
domain administrator, first add the domain administrator to the local
Administrators group on the system. This ensures that auditing is enabled
when the infrastructure components are installed by the domain
administrator.
- Multiple auditctl.exe failures occur during system startup.
On a system where the infrastructure components and the Tivoli Compliance
Insight Manager have been installed, you might see multiple auditctl.exe
failures when the system is rebooted. These errors are caused by the Tivoli
Compliance Insight Manager server attempting to access Tivoli Directory
Server before Tivoli Directory Server is active.
Work around: No explicit action is required. After Tivoli Directory Server has
initialized, the Tivoli Compliance Insight Manager server will successfully
access it.
- Reinstalling the Tivoli Compliance Insight Manager server fails if previous
buffer pools and table spaces are not deleted.
If you uninstall a Tivoli Compliance Insight Manager server and then attempt
to reinstall the server on the system, the installation will fail attempting to
create a DB2 buffer pool because the buffer pool already exists.
Work around: If you intend to reinstall a Tivoli Compliance Insight Manager
server on a system, go to the DB2 Control Center and delete the buffer pools
and table spaces associated with the server. Then install the server.
- After upgrading, some information about the AggrDb summary report is
missing.
After upgrading from a previous version of Consul InSight or Tivoli
Compliance Insight Manager, some information about the AggrDb summary
report, such as the platform information, is missing.
Work around: After the first successful load after the upgrade, the information
on the summary report page will be correct.
- After upgrading, the GEM database status is shown as Loaded instead of
Cleared.
After upgrading from a previous version of Consul InSight or Tivoli
Compliance Insight Manager, the GEM databases are migrated from Oracle
to DB2. The status of the GEM databases should be indicated as cleared;
however, the status of the GEM databases in iView indicates the status of the
database at the time of the upgrade.
Work around: Ignore the status displayed for the GEM databases until the
next load.
- You cannot install the infrastructure components by using a configuration from
a previously deployed solution.
On a system where the installation program was started to install the
infrastructure components and then was cancelled, if you subsequently run
the installation program again and attempt to use a configuration from a
previous solution deployment, the installation program simply closes without
performing any action.
Work around: Do not use a configuration from a previously deployed solution
to modify an existing installation. Use the default solution configuration.
- During an upgrade, the Security Server must remain active while other
servers are upgraded.
When upgrading a grouped server, the Security Server must remain available
and operational. Otherwise, the upgrade of the grouped server might fail.
Work around: The system that will become the Security Server must be
upgraded first. When upgrading other servers or installing new servers, do
not shut down or restart the Security Server.

- During an upgrade, the Oracle to DB2 migration fails if different passwords
are used.
When upgrading from a previous version of Consul InSight or Tivoli
Compliance Insight Manager, the migration of data from Oracle to DB2 fails if
the Oracle password and DB2 password are different.
Work around: Run the installation program from a user ID that only has
English characters in it. Also ensure that the name of the administrative group
also consists of only English language characters.

5.1.2 Problem determination of operation errors


Information about the various components that process requests and operations
is located in the various log files for the Tivoli Compliance Insight Manager. You
can use the information in the logs to determine how an operation was handled.
Messages are logged by the Tivoli Compliance Insight Manager components
while handling a task.

Known server application errors


The following issues describe errors and their workarounds related to server
applications:
- You cannot create a GEM database with the same name as a user.
Attempting to add a GEM database that has the same name as an existing
user ID on the system results in an error and the database is not created.
Work around: Do not use the name of an existing user as the name of a GEM
database.
- Changes made on other servers are not reflected in the User Management
view.
Changes made on other servers in the Security Group that affect the data in
the User Management view of the Management Console are not reflected in
the view.
Work around: Close and then open the User Management view again to see
any recent changes made by users on other servers in the Security Group.
- Attempting to install a grouped server with a different locale than the Security
Server fails.
If you attempt to install a grouped server with a different locale than the locale
used by the Security Server, the installation will fail. This is a problem with all
federated DB2 systems and is not specific to Tivoli Compliance Insight
Manager.
Work around: Ensure that all servers in a Security Group have the same
locale set.
- Performing a manual load of a GEM database with a set sliding schedule
stops scheduled loads.
If a manual load of a GEM database is done on a database with a sliding
schedule set, future scheduled loads of the database do not occur as
expected.
Work around: Do not perform a manual load of a GEM database if a sliding
schedule is set. If this cannot be avoided, after performing the manual load,
reestablish the schedule and then restart the mapper service.
- Running many concurrent loads of GEM databases can result in errors or a
possible deadlock.
When multiple concurrent loads are being performed to the GEM databases,
it is possible that some might fail with unexpected errors and some might
encounter a deadlock situation (2977096565).
Work around: Try to run loads of the GEM databases serially as much as
possible. Alternately, you can increase the size of the locklist by running the
following DB2 command:
db2 update db cfg using locklist 30000
The default value is 15000.

When determining problems using the db2 audit facility, it must be stopped and
started explicitly. While being started, it uses existing audit configuration
information. Since this facility is independent of the DB2 server, it will remain
active even if the instance is stopped. When the instance is stopped, an audit
record may be generated in the audit log.

The db2 audit facility will affect the Tivoli Compliance Insight Manager server
performance. Run the command db2audit prune all frequently from the current
audit log.

Let us now discuss the details of the various log files and available diagnostic
tools.

5.2 Troubleshooting using log files
With this book in your hands, you have decided to get a Tivoli Compliance Insight
Manager certification. Many questions in the test will be of technical origin. That
is why we feel it is beneficial and important to know about the various log files
used for problem determination of the Tivoli Compliance Insight Manager.

The Tivoli Compliance Insight Manager Log Manager contains a set of reports to
monitor log collection activities. Please refer to Tivoli Compliance Insight
Manager User Reference, SC23-6581 for a detailed description of reports.

The History Report shows the number of log collection events that occurred
during a given period of time. A log collection event is each instance when Tivoli
Compliance Insight Manager attempted to collect audit data. This report tracks
the status of log collection events; in the case of a failed log collection, the report
provides diagnostic information that you can use to resolve the issue. The Log
Continuity Report analyzes log sets, the collected logs stored in the log depot,
and reports on how complete the log sets are. If a log set is incomplete, then the
report provides diagnostic information that you can use to resolve the issue. Log
Manager reports are only available on the Enterprise Server.

Although all of the following information can be found in Compliance
Management Design Guide with IBM Tivoli Compliance Insight Manager,
SG24-7530, we think it is necessary to discuss the purpose, the location, and the
content of the most used log files created during the operation of the Tivoli
Compliance Insight Manager.

5.2.1 Tasks
Before we look at these log files, we need to discuss several schedules in a Tivoli
Compliance Insight Manager environment that create and write to the log files.

Some of the tasks relate to synchronization between the Enterprise and
Standard Servers, and others relate to the collection of data and generation of
reports. The Standard Servers in a Tivoli Compliance Insight Manager cluster
are responsible for the collection of the log files and the generation of reports and
alerts. Both collection and report generation are normally scheduled through the
Management Console in the Standard Server.

The schedules that should be synchronized for Standard Servers are collect,
load, restart, and report distribution.

The collect schedule depends on the amount of log data that the event source
produces. Collection on a daily basis after regular office hours is recommended.

The user information source collection schedule should be prior to any last
collection of the day, before the load schedule runs. For example, if the last
collection of the day is at 10:00 p.m., the user information source collect schedule
should be a few minutes before 10:00 p.m.

As with the collect schedule, the load schedule should be sequential, that is, the
next load schedule should begin after the last load has completed. Analyze the
mainmapper log files related to the GEM database to determine how long it takes
to load the GEM database.

The restart task performs the following actions:
- Clears any unused memory and processes.
- Performs maintenance on the Depot.
- Runs a shrink tablespace task (during the daily restart on Sundays) to
optimize the size of the Tivoli Compliance Insight Manager database files.

The restart task should be scheduled before the start of the first scheduled daily
mapping. By looking at the database view in the Management Console, you can
determine when this first mapping takes place. This task should be scheduled
every 12 hours.

Report distribution should be scheduled after the load schedule has completed.

There are several job schedules that should be considered in the Enterprise
Server: consolidation, indexer, log continuity report generator, and centralized
log management. The jobs that can be scheduled are consolidation and the log
continuity report generator, because all others are scheduled automatically.

For reference, the centralized log management runs every minute, and the
indexer is scheduled to re-index every Sunday at 10:00 p.m.

The consolidation job is represented by the beat.bat file on the Enterprise
Server. This job reads the aggregation databases from the Standard Servers and
copies the tables to the consolidation database (also referred to as the Beat
database) on the Enterprise Server. The aggregation databases are updated
during the post-processing job on a scheduled GEM database load. Therefore,
you should schedule the consolidation job after all GEM databases are loaded on
the Standard Servers.

The log continuity report generator job regenerates the continuity report in the
log manager. From the user’s point of view, it is helpful if this task is scheduled to
run at the beginning of each working day. The time it takes to generate the report
depends on the size of the Depot on the Standard Servers. The task can be
scheduled to begin around 6:00 a.m. so that the report will be generated before
the working day begins.

The chunk continuity report generator (CCRG) job is implemented as a
scheduled task that can also be run on demand. When it runs, it searches the
Depot for chunks and determines if the chunks are complete and continuous. In
order to get this information, it looks at the chunk header files of each chunk and
fills the chunk continuity tables appropriately.

In a Tivoli Compliance Insight Manager environment, all log collection
information is consolidated on the Enterprise Server.

The Tivoli Compliance Insight Manager creates and updates four different log file
types. These are:
- Server logs
- Consolidation logs
- Portal logs
- iView logs

All of these logs can be used, depending on the problem you are facing, for
troubleshooting. Let us go into more detail.
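Before looking at the individual files, it helps to have a way of reading them programmatically. The following Python script is an added example, not code from this Redbook or from the product. It parses the line shape that the server logs under \server\log share (a `<YYYYMMDD HH:MM:SS utc>` stamp, a diagnostic token, an optional component prefix such as AudCont or Crm, and the message), and then uses the auditctl.log messages shown under "Server logs" to list event sources for which the Audit Controller requested a chunk but no "received log" entry followed. The sample lines are constructed from the wrapped excerpts in this section, rejoined into single lines. Two points are assumptions: the diagnostic token (P...M...V...L...A...S...E...) is treated as opaque text because its fields are not documented here, and a request is paired with its receipt by event source name, since the numeric IDs in the two messages differ.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Line shape shared by the server logs under \server\log:
#   <YYYYMMDD HH:MM:SS utc> <diagnostic token>:<Component>: <message>
# The diagnostic token (P...M...V...L...A...S...E...) is kept as opaque text;
# its fields are not documented on the page, so nothing is inferred from them (assumption).
LINE_RE = re.compile(
    r"^<(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}) utc> "
    r"(?P<token>[A-Z0-9.]+):(?P<rest>.*)$"
)

# Two auditctl.log messages that bracket one collection cycle for an event source:
# the Audit Controller asks the agent for a chunk, then records the chunk it received.
RESEND_RE = re.compile(
    r"ACResendCreateChunklog called with count=(?P<count>\d+) for spi "
    r"(?P<source>.+?)\((?P<id>[\d.]+)\) on agent (?P<agent>\S+)\((?P<agent_id>[\d.]+)\)"
)
RECEIVED_RE = re.compile(
    r"received log from eventsource (?P<source>.+?)\((?P<id>[\d.]+)\) "
    r"on (?P<agent>\S+)\((?P<agent_id>[\d.]+)\)"
)

# Constructed sample input: the wrapped log excerpts from this section, rejoined
# into one physical line each.
ACTUATOR_SAMPLE = [
    r"<20080208 08:30:01 utc> P259M1V0.0.314L335A5S0E10:Crm: Opened ..\log\actuator100.log. "
    r"Product: eprise.product.server.app. Version: 8.5.0. Builddate: 2008/01/17/21:36. "
    r"Local time: 02/08/08 09:30:01.",
    "<20080208 08:30:01 utc> P259M1V0.0.314L598A2S0E0:Dynamical tracing mechanism enabled.",
    "<20080208 08:30:01 utc> P259M94V0.1.37L704A6S0E30:AuditActuator: "
    "successfully created ChunkTool osevents",
]
AUDITCTL_SAMPLE = [
    "<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog "
    "called with count=1 for spi VAJONT Microsoft Windows(15.1.100) on agent Main_Srv(12.1.1)",
    "<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog "
    "called with count=1 for spi VAJONT IBM Tivoli Compliance Insight Manager Server "
    "Activity(15.1.101) on agent Main_Srv(12.1.1)",
    "<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog "
    "called with count=1 for spi VAJONT IBM Tivoli Directory Server(15.1.103) on agent "
    "Main_Srv(12.1.1)",
    "<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog "
    "called with count=1 for spi VAJONT Internet Information Server (IIS)(15.1.104) on agent "
    "Main_Srv(12.1.1)",
    "<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog "
    "called with count=1 for spi VAJONT IBM Tivoli Compliance Insight Manager Web "
    "Applications(15.1.105) on agent Main_Srv(12.1.1)",
    "<20080208 08:30:03 utc> P259M189V0.1.99L1821A4S0E230:AudCont: received log from "
    "eventsource VAJONT Microsoft Windows(18.1.100) on Main_Srv(12.1.1) (VAJONT:2008 02 08 09:30:02)",
    "<20080208 08:30:04 utc> P259M189V0.1.99L1821A4S0E230:AudCont: received log from "
    "eventsource VAJONT IBM Tivoli Compliance Insight Manager Server Activity(18.1.101) on "
    "Main_Srv(12.1.1) (VAJONT:2008 02 08 09:30:02)",
]


@dataclass
class LogEntry:
    timestamp: datetime     # UTC, taken from the leading <... utc> stamp
    token: str              # opaque diagnostic token, e.g. P259M189V0.1.99L4512A6S4E125
    component: str          # "AudCont", "Crm", ... or "" when the line has no prefix
    message: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one server log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    rest = m["rest"]
    # A component prefix is a single word followed by ": "; anything else is message text.
    head, sep, tail = rest.partition(": ")
    if sep and " " not in head:
        return LogEntry(ts, m["token"], head, tail)
    return LogEntry(ts, m["token"], "", rest)


def collection_summary(lines: Iterable[str]) -> Counter:
    """Count 'received log' entries per event source name in auditctl.log lines."""
    received: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.component != "AudCont":
            continue
        m = RECEIVED_RE.search(entry.message)
        if m:
            received[m["source"]] += 1
    return received


def outstanding_collections(lines: Iterable[str]) -> List[str]:
    """Event sources the Audit Controller asked for a chunk but never logged receiving.

    Requests and receipts are paired by event source name (assumption: the numeric
    IDs differ between the two messages, so the name is the stable key).
    """
    lines = list(lines)
    requested = set()
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.component != "AudCont":
            continue
        m = RESEND_RE.search(entry.message)
        if m:
            requested.add(m["source"])
    return sorted(requested - set(collection_summary(lines)))


if __name__ == "__main__":
    for sample in ACTUATOR_SAMPLE:
        e = parse_line(sample)
        print(e.timestamp.isoformat(), e.component or "-", e.message[:40])
    print("received:", dict(collection_summary(AUDITCTL_SAMPLE)))
    print("requested but not received:", outstanding_collections(AUDITCTL_SAMPLE))
```

To use it on a real server, pass the lines of auditctl.log (for example `open(r"...\server\log\auditctl.log")`) to `outstanding_collections`. Keep in mind that the excerpt on this page covers only the first seconds of one collection cycle, so the three sources it reports as outstanding simply had their receipt lines fall outside the excerpt; on a full log, restrict the lines to one collection window (the stamps all start at the scheduled time) before treating a missing receipt as a failed collection, and cross-check it against the Log Manager History Report.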

Server logs
The default directory for server logs is \server\log. The most common key files
are:
- actuatornnn.log
Each event source has a corresponding actuatornnn.log, where nnn is the
event source ID. The information about starting a collection for an event
source is logged here:
Example of log entries:
<20080208 08:30:01 utc> P259M1V0.0.314L335A5S0E10:Crm: Opened
..\log\actuator100.log. Product: eprise.product.server.app. Version:
8.5.0. Builddate: 2008/01/17/21:36. Local time: 02/08/08 09:30:01.
<20080208 08:30:01 utc> P259M1V0.0.314L598A2S0E0:Dynamical tracing
mechanism enabled.
<20080208 08:30:01 utc> P259M94V0.1.37L704A6S0E30:AuditActuator:
successfully created ChunkTool osevents

- auditctl.log
This log traces the Audit Controller activities, such as starting collection and
receiving of chunks from every event source.
Example of log entries:
<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont:
ACResendCreateChunklog called with count=1 for spi VAJONT Microsoft
Windows(15.1.100) on agent Main_Srv(12.1.1)
<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont:
ACResendCreateChunklog called with count=1 for spi VAJONT IBM Tivoli
Compliance Insight Manager Server Activity(15.1.101) on agent
Main_Srv(12.1.1)
<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont:
ACResendCreateChunklog called with count=1 for spi VAJONT IBM Tivoli
Directory Server(15.1.103) on agent Main_Srv(12.1.1)
<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont:
ACResendCreateChunklog called with count=1 for spi VAJONT Internet
Information Server (IIS)(15.1.104) on agent Main_Srv(12.1.1)
<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont:
ACResendCreateChunklog called with count=1 for spi VAJONT IBM Tivoli
Compliance Insight Manager Web Applications(15.1.105) on agent
Main_Srv(12.1.1)
<20080208 08:30:03 utc> P259M189V0.1.99L1821A4S0E230:AudCont:
received log from eventsource VAJONT Microsoft Windows(18.1.100) on
Main_Srv(12.1.1) (VAJONT:2008 02 08 09:30:02)
<20080208 08:30:04 utc> P259M189V0.1.99L1821A4S0E230:AudCont:
received log from eventsource VAJONT IBM Tivoli Compliance Insight
Manager Server Activity(18.1.101) on Main_Srv(12.1.1) (VAJONT:2008
02 08 09:30:02)
• authdaemon.log
At least the following events are logged:
– Open/close connection
– Usage of fallback-account
– Reset fallback password
– Start and end of user-grants synchronization run
– Start and end of gemdb-permission synchronization run
– Start and end of CIFOWNER password reset
– Schedule that was read from ini-file

Chapter 5. Performance tuning and problem determination 161


– Logon-failures
– Start-registration failures
Example of log entries:
<20080208 08:22:40 utc> P259M1877V0.0.15L142A7S0:Reading schedule
from ini file.
<20080208 08:22:40 utc> P259M1877V0.0.15L142A7S0:Set synchronization
period = 60 seconds
<20080208 08:22:40 utc> P259M1877V0.0.15L142A7S0:Open connection
with CIFDB
<20080208 08:22:40 utc> P259M1877V0.0.15L142A7S0:Starting
registration.
<20080208 08:22:41 utc> P259M1877V0.0.15L142A7S0:Server already
registered.
<20080208 08:22:41 utc> P259M1877V0.0.15L142A7S0:Initialazation is
completed.
<20080208 08:22:41 utc> P259M1877V0.0.15L142A7S0:Grants
synchronization is started.
<20080208 08:22:43 utc> P259M1877V0.0.15L142A7S0:Grants
synchronization is finished.
• BBBin.log
This log records bluebook activities, user password synchronization, ODBC
errors, and access to the Management Console.
Example of log entries:
<20080208 08:18:35 utc> P259M1V0.0.314L598A2S0E0:Dynamical tracing
mechanism enabled.
<20080208 08:18:35 utc> P259M1V0.0.314L598A2S0E0:CIFOWNER password
synchronization mechanism enabled.
<20080208 09:49:49 utc> P259M143V0.3.569L1249A3S0E300:SECLOGIN,
Success, 0, cifowner, (Main_Srv, User Interface), (Main_Srv,
BlueBook), ()
<20080208 09:49:49 utc> P259M143V0.3.569L1249A3S0E300:USERGETALL,
Success, 0, , (Main_Srv, User Interface), (Main_Srv, BlueBook), ()
<20080208 09:49:49 utc> P259M143V0.3.569L1249A3S0E300:GETUSERROLES,
Success, 0, , (Main_Srv, User Interface), (Main_Srv, BlueBook),
("CIFOWNER")

<20080208 09:49:50 utc> P259M143V0.3.569L1010A3S0E20:BlueBook:
bluebook call 3800 for user 8.111990001.1 from
Main_Srv(12.1.1):userinterface failed, return code: 1705; arguments:
'((time) 0.000000(uint) 0)'
<20080208 09:49:50 utc> P259M143V0.3.569L1010A3S0E20:BlueBook:
bluebook call 5900 for user 8.111990001.1 from
Main_Srv(12.1.1):userinterface failed, return code: 1705; arguments:
'((time) 0.000000(uint) 0)'
<20080208 09:49:51 utc> P259M143V0.3.569L1010A3S0E20:BlueBook:
bluebook call 3917 for user 8.111990001.1 from
Main_Srv(12.1.1):userinterface failed, return code: 1966; arguments:
'((objid) 15.1.100)'
• IndexerDaemon.Vajont.log
Vajont is the name of the server in this example. The following information
can be taken from this log:
– The storage location of the indexer
– The start of the indexer process
– Chunks that are scheduled to be indexed
– The list of GSLs that are used for indexing
– The number of records and platform events that are indexed
Example of log entries:
<20080208 08:23:36 utc> P542M1533V0.0.70L453A7S0:IndexerDaemon:
IndexerDaemon started.
<20080208 08:23:36 utc> P542M1533V0.0.70L566A7S0:IndexerDaemon: Next
check for changed GSL at Sat Feb 09 22:00:36 CET 2008
<20080208 08:23:36 utc> P542M1533V0.0.70L579A7S0:IndexerDaemon: Next
check for new chunks processing at Fri Feb 08 09:24:36 CET 2008
...
<20080208 08:30:36 utc> P542M1533V0.0.70L282A7S0:Chunk scheduled to
be indexed: \\Vajont\CIFDEPOT\VAJONT.100\2MVWVJ0
<20080208 08:30:36 utc> P542M1533V0.0.70L282A7S0:Chunk scheduled to
be indexed: \\Vajont\CIFDEPOT\VAJONT.101\2MVWVJ0
...
<20080208 08:30:36 utc> P542M1533V0.0.70L532A7S0:Saving state at Fri
Feb 08 09:30:10 CET 2008
<20080208 08:30:36 utc> P542M1533V0.0.70L579A7S0:IndexerDaemon: Next
check for new chunks processing at Fri Feb 08 09:31:36 CET 2008

<20080208 08:30:37 utc> P542M541V0.0.264L222A7S0:GSL Scanner: GSL
file used for scanning: gsl#1=nt.gsl
<20080208 08:30:37 utc> P542M540V0.0.151L676A7S0:Reading chunk
\\Vajont\CIFDEPOT\VAJONT.100\2MVWVJ0
<20080208 08:30:38 utc> P542M540V0.0.151L287A7S0:The date has
changed to Fri Feb 08 02:37:19 CET 2008
<20080208 08:30:38 utc> P542M540V0.0.151L760A7S0:# records 356
<20080208 08:30:38 utc> P542M540V0.0.151L761A7S0:# platformevents
356
<20080208 08:30:38 utc> P542M540V0.0.151L764A7S0:Time per record of
Security Log (not original):0.6573034 ms.
<20080208 08:30:38 utc> P542M540V0.0.151L747A7S0:Finished:Fri Feb 08
09:30:38 CET 2008
• install.log
Here you will find information about the initial installation of the Tivoli
Compliance Insight Manager Server.
Example of log entries:
<20080208 08:46:21> Starting installation at :2-8-2008, 08:46:21
Local Time
<20080208 08:46:21> Setup mode : First Install
<20080208 08:46:21> Tivoli Compliance Insight Manager Server, v8.5.0
...
<20080208 09:18:25> Finished stopping the DB2 instance with success.
<20080208 09:18:25> Starting the DB2 instance for DB2-Copy 'CIFCOPY'
<20080208 09:18:25> Path of DB2-Copy 'C:\PROGRA~1\IBM\SQLLIB'
<20080208 09:18:25> Starting DB2 instance ...
<20080208 09:18:26> Finished starting the DB2 instance with success.
<20080208 09:18:26> Finished restarting the DB2 instance with
success.
<20080208 09:18:27>
<20080208 09:18:27> Installation Tivoli Compliance Insight Manager
Server finished successfully.
<20080208 09:18:27> Closing log-file at :2-8-2008, 09:18:27 Local
Time

• mainmapper-<GEM_DB_Name>.log
This log file describes the load process of the GEM database named by
<GEM_DB_Name>. Besides errors, it records the mapper, bulk loading, and
postprocessing times, so it is the first place to look when a scheduled load
is slow or fails. In detail, these logs cover:
– Processing of chunks
– Mapping
– Loading
– Aggregation
– Postprocessing
– Bulk loading
– GSLs used while loading
– Number of events
– Records in a chunk
– Execution time of aggregation
Example of log entries:
<20080208 11:05:03 utc> P542M550V0.0.75L231A7S0:Starting to map
chunk(s)
<20080208 11:05:03 utc> P542M550V0.0.75L286A7S0:MainMapper: load
window set to 0: intermediate loads have been disabled
<20080208 11:05:03 utc> P542M550V0.0.75L298A7S0:MainMapper: bulk
loads will happen serially.
<20080208 11:05:03 utc> P542M550V0.0.75L89A7S0:gensub.ini
[SubMapper] buckets_to_cache = 512
<20080208 11:05:03 utc> P542M550V0.0.75L89A7S0:gensub.ini
[SubMapper] keylimit = 500000
<20080208 11:05:03 utc> P542M550V0.0.75L734A7S0:MainMapper: Starting
GroupMapper
<20080208 11:05:03 utc> P542M550V0.0.75L122A7S0:BcpWriter: opening
bcp.mapping file for gem_property
<20080208 11:05:03 utc> P542M550V0.0.75L131A7S0:Using automatic
policy of 20080208120201

<20080208 11:05:03 utc> P542M550V0.0.75L155A7S0:Using matching user
policy ..\config\grouping\committed\20000101000000
<20080208 11:05:03 utc> P542M550V0.0.75L765A7S0:STATUS: Group
mapping succeeded for GEM.
<20080208 11:05:03 utc> P542M550V0.0.75L122A7S0:BcpWriter: opening
bcp.mapping file for gem_eventtypegroup
<20080208 11:05:03 utc> P542M550V0.0.75L122A7S0:BcpWriter: opening
bcp.mapping file for gem_periodgroup
...
<20080208 11:05:03 utc> P542M545V0.0.64L605A7S0:Processing chunk:
C:\IBM2\TCIM\depot\VAJONT.107\DN2XVJ0.
<20080208 11:05:04 utc> P542M551V0.0.142L200A7S0:id information of 0
users after nt_group.cfg
<20080208 11:05:04 utc> P542M551V0.0.142L233A7S0:STATUS: merged
nt_group.cfg for nt
<20080208 11:05:04 utc> P542M541V0.0.264L222A7S0:GSL Scanner: GSL
file used for scanning: gsl#1=nt.gsl
...
<20080208 11:05:04 utc> P542M540V0.0.151L549A7S0:
C:\IBM2\TCIM\depot\VAJONT.107\DN2XVJ0 #records: 486 #events: 483
time: 984 % mapped: 99.38271 t/#r: 2.0246913 memory: 1973688
<20080208 11:05:04 utc> P542M540V0.0.151L237A7S0:Finished mapping
<20080208 11:05:04 utc> P542M540V0.0.151L266A7S8:(5) Loading
database
<20080208 11:05:04 utc> P542M540V0.0.151L247A7S0:Loading GEM
database GEM
...
<20080208 11:05:07 utc> P542M540V0.0.151L337A7S0:MainMapper
finishing platform:NT 4:18.1.107
<20080208 11:05:07 utc> P542M550V0.0.75L245A7S0:BcpWriter: closing
BCP files
<20080208 11:05:07 utc> P542M550V0.0.75L180A7S0:STATUS: Bulk loading
started for GEM.
...
<20080208 11:06:25 utc> P542M550V0.0.75L194A7S0:STATUS: Bulk loading
finished for GEM.

<20080208 11:06:30 utc> P542M902V0.0.59L294A7S0:PostProcessing:
checkTableIntegrity - start
<20080208 11:06:30 utc> P542M902V0.0.59L309A7S0:PostProcessing:
checkTableIntegrity - done
...
<20080208 11:06:36 utc> P542M902V0.0.59L353A7S0:STATUS:
Postprocessing succeeded for GEM.
...
<20080208 11:06:37 utc> P647M902V0.0.59L895A7S0:Got aggregation
database AggrDb
<20080208 11:06:37 utc> P647M902V0.0.59L909A7S0:Adding lock on
AggrDb for GEM
...
<20080208 11:06:56 utc> P647M902V0.0.59L966A7S0:Aggregation run for
CIFDB.GEM completed
<20080208 11:06:56 utc> P647M902V0.0.59L968A7S0:Execution time:
19141 millis
<20080208 11:06:56 utc> P542M540V0.0.151L390A7S0:STATUS: Aggregation
succeeded for GEM.
<20080208 11:06:56 utc> P542M540V0.0.151L260A7S0:Finishing contract
for GEM
<20080208 11:06:56 utc> P542M540V0.0.151L266A7S8:(4) Database loaded
successfully
<20080208 11:06:56 utc> P542M540V0.0.151L323A7S0:Finished contract
for GEM
• plugger.log
The plugger.log file records which platform plugs and hotfixes were applied
during installation and whether each of them was applied successfully.
Example of log entries:
<20080208 09:00:36> The following Platform Plugs have FAILED to
apply:
<20080208 09:00:36>
<20080208 09:00:36> The following Platform Plugs have SUCCESSfully
been applied:
<20080208 09:00:36> - actdir

<20080208 09:00:36> - aix
<20080208 09:00:36> - arbitrary
<20080208 09:00:36> - bluecoat
<20080208 09:00:36> - bmccontrolsa
<20080208 09:00:36> - cea
<20080208 09:00:36> - cisco
<20080208 09:00:36> - ciscovpn
<20080208 09:00:36> - csacs
• restart.log
In this log file, you will find information about the result of the daily scheduled
restart.
At the time of the creation of this IBM Redbooks publication, there was no
dedicated example available from the development teams. Please make
yourself familiar with the contents by opening this log file and studying the
contents.
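The two checks an administrator usually performs by eye on these server logs, "did every event source deliver its chunk?" in auditctl.log and "which phase of the GEM load took the time?" in mainmapper-<GEM_DB_Name>.log, can be scripted. The following Python script is an added example written for this guide; it is not part of Tivoli Compliance Insight Manager. It parses the entry prefix shared by all server log entries shown above, reports event sources for which a chunk was requested but never received (the daily "check collections" task), and computes the duration of each load phase plus the per-chunk mapped percentage from the mainmapper log. The sample entries are reconstructed from the excerpts above, joined back into one line each as they appear in the files; the undelivered event source 105 is constructed. The meaning of the P/M/V/L/A/S/E tag block, the matching of a request to its delivery on the name plus the last id component, and the 95 % mapping threshold are assumptions.

```python
import re
from datetime import datetime

# Every server log entry shown above has the same prefix: the UTC timestamp and
# a P/M/V/L/A/S/E tag block whose meaning the page does not document, so the
# block is matched but otherwise ignored here.
ENTRY_RE = re.compile(
    r"^<(?P<ts>\d{8} \d{2}:\d{2}:\d{2}) utc>\s*(?:[A-Z][0-9.]+)+:(?P<msg>.*)$")


def parse_entry(line):
    """Split one log line into (timestamp, message); None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y%m%d %H:%M:%S"), m["msg"].strip()


# auditctl.log: did every requested collection deliver a chunk? The spi id
# (15.1.nnn) and the event source id (18.1.nnn) differ in their prefix, so a
# request is matched to its delivery on the name plus the last id component,
# which is the event source ID nnn of actuatornnn.log (assumption).
REQUEST_RE = re.compile(
    r"ACResendCreateChunklog called .*? for spi (?P<name>.+?)\((?P<id>[\d.]+)\) on agent \S+\(")
RECEIVED_RE = re.compile(
    r"received log from eventsource (?P<name>.+?)\((?P<id>[\d.]+)\) on \S+\(")


def missing_collections(auditctl_lines):
    """Sorted (name, id) of event sources whose requested chunk never arrived."""
    requested, received = {}, set()
    for line in auditctl_lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        ts, msg = entry
        m = REQUEST_RE.search(msg)
        if m:
            requested[(m["name"], m["id"].rsplit(".", 1)[-1])] = ts
            continue
        m = RECEIVED_RE.search(msg)
        if m:
            received.add((m["name"], m["id"].rsplit(".", 1)[-1]))
    return sorted(key for key in requested if key not in received)


# mainmapper-<GEM_DB_Name>.log: each load phase runs from one milestone message
# to the next; the milestone texts are taken from the excerpt above.
PHASES = [
    ("mapping", "Starting to map chunk", "Finished mapping"),
    ("bulk_load", "Bulk loading started", "Bulk loading finished"),
    ("postprocessing", "Bulk loading finished", "Postprocessing succeeded"),
    ("aggregation", "Postprocessing succeeded", "Aggregation succeeded"),
]
MARKERS = {marker for _, start, end in PHASES for marker in (start, end)}
CHUNK_RE = re.compile(
    r"(?P<chunk>\S+) #records: (?P<records>\d+) #events: (?P<events>\d+) "
    r"time: (?P<ms>\d+) % mapped: (?P<pct>[\d.]+)")


def summarize_load(mainmapper_lines, min_mapped_pct=95.0):
    """Phase durations in seconds, per-chunk mapping statistics and load result.
    A chunk mapped below min_mapped_pct (an arbitrary example threshold) is
    flagged: those records were not turned into events."""
    first_seen, chunks, loaded = {}, [], False
    for line in mainmapper_lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        ts, msg = entry
        for marker in MARKERS:
            if marker in msg and marker not in first_seen:
                first_seen[marker] = ts
        m = CHUNK_RE.search(msg)
        if m:
            pct = float(m["pct"])
            chunks.append({"chunk": m["chunk"], "records": int(m["records"]),
                           "events": int(m["events"]), "mapped_pct": pct,
                           "low_mapping": pct < min_mapped_pct})
        if "Database loaded successfully" in msg:
            loaded = True
    phases = {name: (first_seen[end] - first_seen[start]).total_seconds()
              for name, start, end in PHASES
              if start in first_seen and end in first_seen}
    return {"phases": phases, "chunks": chunks, "loaded": loaded}


# Constructed sample input: entries from the excerpts above, joined back into
# one line each, plus a request for event source 105 that is never delivered.
AUDITCTL = [
    "<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog called with count=1 for spi VAJONT Microsoft Windows(15.1.100) on agent Main_Srv(12.1.1)",
    "<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog called with count=1 for spi VAJONT Internet Information Server (IIS)(15.1.104) on agent Main_Srv(12.1.1)",
    "<20080208 08:30:02 utc> P259M189V0.1.99L4512A6S4E125:AudCont: ACResendCreateChunklog called with count=1 for spi VAJONT IBM Tivoli Compliance Insight Manager Web Applications(15.1.105) on agent Main_Srv(12.1.1)",
    "<20080208 08:30:03 utc> P259M189V0.1.99L1821A4S0E230:AudCont: received log from eventsource VAJONT Microsoft Windows(18.1.100) on Main_Srv(12.1.1) (VAJONT:2008 02 08 09:30:02)",
    "<20080208 08:30:04 utc> P259M189V0.1.99L1821A4S0E230:AudCont: received log from eventsource VAJONT Internet Information Server (IIS)(18.1.104) on Main_Srv(12.1.1) (VAJONT:2008 02 08 09:30:02)",
]
MAINMAPPER = [
    "<20080208 11:05:03 utc> P542M550V0.0.75L231A7S0:Starting to map chunk(s)",
    r"<20080208 11:05:04 utc> P542M540V0.0.151L549A7S0: C:\IBM2\TCIM\depot\VAJONT.107\DN2XVJ0 #records: 486 #events: 483 time: 984 % mapped: 99.38271 t/#r: 2.0246913 memory: 1973688",
    "<20080208 11:05:04 utc> P542M540V0.0.151L237A7S0:Finished mapping",
    "<20080208 11:05:07 utc> P542M550V0.0.75L180A7S0:STATUS: Bulk loading started for GEM.",
    "<20080208 11:06:25 utc> P542M550V0.0.75L194A7S0:STATUS: Bulk loading finished for GEM.",
    "<20080208 11:06:36 utc> P542M902V0.0.59L353A7S0:STATUS: Postprocessing succeeded for GEM.",
    "<20080208 11:06:56 utc> P542M540V0.0.151L390A7S0:STATUS: Aggregation succeeded for GEM.",
    "<20080208 11:06:56 utc> P542M540V0.0.151L266A7S8:(4) Database loaded successfully",
]
```

Against the real files, pass the lines of \server\log\auditctl.log to missing_collections and the lines of \server\log\mainmapper-<GEM_DB_Name>.log to summarize_load. A source that is requested but never received points at the agent or the event source configuration; a load whose bulk_load or aggregation phase dominates points at the database rather than the mapper, and a chunk with a low mapped percentage is worth comparing against the GSL listed in the same log.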

Consolidation logs
The key consolidation logs can be found in the consolidation\log directory. The
most important logs are:
• install.log
This log file contains information about the initial installation of the Tivoli
Compliance Insight Manager Consolidation component.
Example of log entries:
<20080208 09:18:53> Starting installation at :2-8-2008, 09:18:53
local Time
<20080208 09:18:53> Setup mode : First Install
<20080208 09:18:53> Tivoli Compliance Insight Manager Consolidation,
v8.5.0
...
<20080208 09:22:37> Finished setting security permissions ...
<20080208 09:22:37> File or folder 'C:\IBM2\TCIM\Indexes' marked as
compressed !
<20080208 09:22:37> Stopping service InSightTomCat
<20080208 09:22:39> Restarting service InSightTomCat
<20080208 09:22:40>

<20080208 09:22:40> Installation Tivoli Compliance Insight Manager
Consolidation finished successfully.
• consolidation.log
This log records the Standard Servers that were added to the Enterprise
Server and the installation of the Indexer for each added server. It also
contains information about the scheduled beat task.
Example of log entries:
<20080208 08:22:31 utc> P647M649V0.0.161L158A7S0:Beat initialisation
complete
<20080208 08:22:31 utc> P647M649V0.0.161L158A7S0:Add connection to
configuration file '../ini/beat.ini'.
<20080208 08:22:31 utc> P647M649V0.0.161L252A7S0:Testing inifile
../ini/beat.ini
<20080208 08:22:31 utc> P647M649V0.0.161L158A7S0:Host 'localhost'
already present in DB2Catalog. OK to use.
<20080208 08:22:31 utc> P647M649V0.0.161L110A7S0:Reading [beat]
section from ../ini/beat.ini
<20080208 08:22:32 utc> P647M649V0.0.161L158A7S0:Starting
CLMDB.DataSync_AddInstance('CIFDB',****,****)
<20080208 08:22:32 utc>
P647M649V0.0.161L158A7S0:DataSync_AddInstance finished successfully
<20080208 08:22:32 utc> P647M649V0.0.161L158A7S0:Executing
'InstallIndexerService.bat Vajont -user .\cifadmin -password *****'
<20080208 08:22:35 utc> P647M649V0.0.161L158A7S0:Indexer for Vajont
was installed successfully.
<20080208 08:22:35 utc> P647M649V0.0.161L158A7S0:Server Vajont added
to consolidation, CLM and indexing.

Web Portal logs
You can find key Web Portal logs in the default directory \iview\tomcat\logs. The
most important logs are:
• InsightPortal:AuditTrail.log
This log file contains information about the usage of the portal itself.
• LogManager:AuditTrail.log
In this log file, you will find information about report generation.

For both log files, we currently cannot provide examples. Please look in the files
on the system and make yourself familiar with the content.

iView logs
\iview\log, \iview\server, and \iView\tomcat\logs are the default directories for
these logs. The following log files should be considered important when
administering the Tivoli Compliance Insight Manager environment:
• \iView\tomcat\logs\iView.log
Here you can find the start and end time of an iView session, the logged-on
user, the roles that were audited for that user, and so on.
Example of log entries:
<20080208 08:22:49 utc> P465M447V0.0.401L141A7S0:classpath =
C:\Program
Files\Java\j2re1.4.2_08\lib\tools.jar;C:\IBM2\TCIM\iView\tomcat\bin\
bootstrap.jar; (v48.0)
<20080208 08:22:49 utc> P465M447V0.0.401L144A7S0:running as:
cifadmin
<20080208 08:22:49 utc> P465M447V0.0.401L73A7S0:[html]path =
'/iview/'
<20080208 08:22:50 utc> P465M444V0.0.216L46A7S0:MinerManagerImpl
startup complete
<20080208 08:22:50 utc> P465M444V0.0.216L87A7S0:iView initialisation
complete
<20080208 08:22:50 utc> P465M447V0.0.401L112A7S0:SessionManagerImpl
startup
<20080208 08:22:50 utc> P465M447V0.0.401L113A7S0: SessionAgeLimit =
0 sec
<20080208 08:22:50 utc> P465M447V0.0.401L114A7S0: ConnectionLimit =
300 sec
...
<20080208 11:29:46 utc> P465M447V0.0.401L671A7S0:Creating a new
session d1da3cd3
<20080208 11:29:46 utc> P465M673V0.0.214L105A7S4: type: oracle
driver: oracle.jdbc.driver.OracleDriver not loaded
<20080208 11:29:46 utc> P465M673V0.0.214L105A7S4: type: sybase
driver: com.sybase.jdbc2.jdbc.SybDriver not loaded
<20080208 11:29:46 utc> P465M673V0.0.214L105A7S4: type: db2 driver:
com.ibm.db2.jcc.DB2Driver v3.4 loaded

<20080208 11:29:47 utc> P465M782V0.0.21L100A7S0: roles of 'CIFOWNER'
from 'EPRISEDB': [CEAEXRPT, CEAEDPOL, CEAIVIEW, CEAADSYS, CEAUSCRP,
CEAMNCON, CEAADCRP, CEAUSRMN, CEAINVST, CEAADAUD, CEADLPOL,
CEADLLOG, CEAADINC]
<20080208 11:29:47 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: AUDIT:
Use:Role/Success CEAIVIEW
<20080208 11:29:47 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: AUDIT:
Logon "CIFOWNER" from Unavailable to EPRORADB succeeded.
<20080208 11:29:47 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: new
connection
<20080208 11:29:48 utc> P465M440V0.0.294L39A7S0:@d1da3cd3: AUDIT:
Generating report "Dashboard" for database CIFDB/AGGRDB succeeded.
<20080208 11:29:55 utc> P465M440V0.0.294L39A7S0:@d1da3cd3: AUDIT:
Generating report "Summary" for database CIFDB/GEM succeeded.
<20080208 12:00:35 utc> P465M447V0.0.401L237A7S0:@d1da3cd3: AUDIT:
Logoff.
<20080208 12:00:35 utc> P465M447V0.0.401L238A7S0:@d1da3cd3 removing
session
<20080208 12:00:35 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: closing
connection of d1da3cd3
• \iView\tomcat\logs\LogManager.log
This log file contains information about:
– Filtering and sorting of data
– Chunks that are downloaded
Example of log entries:
<20080208 13:34:36 utc> INFO
nl.consul.ilm.glue.reportmodel.ojb.FilteredSortedSourceInstance -
P1510M1804V0.0.17L383A7S0: *** Step 2 : orig chunks analysis took
3953 msec for serverVajont
<20080208 13:34:36 utc> INFO
nl.consul.ilm.glue.reportmodel.ojb.FilteredSortedSourceInstance -
P1510M1804V0.0.17L399A7S0: In Vajont number of original chunks:121
<20080208 13:34:36 utc> INFO
nl.consul.ilm.glue.reportmodel.ojb.FilteredSortedSourceInstance -
P1510M1804V0.0.17L472A7S0: *** Step 3 : sorting took 16 msec
<20080208 13:34:36 utc> INFO
nl.consul.ilm.glue.reportmodel.ojb.FilteredSortedSourceInstance -

P1510M1804V0.0.17L486A7S0: prepare data of
\\Vajont\CIFDEPOT\VAJONT.102\0T8XVJ0 for rendering
<20080208 13:34:36 utc> INFO
nl.consul.ilm.glue.reportmodel.ojb.FilteredSortedSourceInstance -
P1510M1804V0.0.17L486A7S0: prepare data of
\\Vajont\CIFDEPOT\VAJONT.101\0T8XVJ0 for rendering
<20080208 13:34:36 utc> INFO
nl.consul.ilm.glue.reportmodel.ojb.FilteredSortedSourceInstance -
P1510M1804V0.0.17L486A7S0: prepare data of
\\Vajont\CIFDEPOT\VAJONT.105\0T8XVJ0 for rendering
<20080208 13:34:36 utc> INFO
nl.consul.ilm.glue.reportmodel.ojb.FilteredSortedSourceInstance -
P1510M1804V0.0.17L486A7S0: prepare data of
\\Vajont\CIFDEPOT\VAJONT.103\0T8XVJ0 for rendering
• \iView\tomcat\logs\LogManagerReportGenerator.log
This log file contains information about the execution of the chunk continuity
report generator (CCRG), such as the start time, the end time, the user who
started the CCRG, and the duration of the CCRG run.
Example of log entries:
<20080208 13:30:44 utc> INFO - P1506M1643V0.0.3L52A7S0:
<9.142.236.125><regenerate continuity report -
started><cifowner><ok>
<20080208 13:30:44 utc> INFO - P1506M1544V0.0.30L99A7S0: Chunk
continuity report generation started
<20080208 13:30:44 utc> INFO - JobFactory set to:
nl.consul.ilm.ccrg.quartz.CCRGJobFactory$$EnhancerByCGLIB$$cc580cbb@
f4a376
<20080208 13:30:44 utc> INFO - JobFactory set to:
nl.consul.ilm.ccrg.quartz.CCRGJobFactory$$EnhancerByCGLIB$$cc580cbb@
f4a376
<20080208 13:30:44 utc> INFO - JobFactory set to:
nl.consul.ilm.ccrg.quartz.CCRGJobFactory$$EnhancerByCGLIB$$cc580cbb@
f4a376
<20080208 13:30:47 utc> INFO - P1506M1544V0.0.30L273A7S0: Report
generation took: 3469 ms
<20080208 13:30:47 utc> INFO - P1506M1544V0.0.30L274A7S0: Chunks
processed: 121
<20080208 13:30:47 utc> INFO - P1506M1544V0.0.30L277A7S0: Average
time per chunk: 28.669421487603305 ms

<20080208 13:30:47 utc> INFO - P1506M1643V0.0.3L52A7S0:
<9.142.236.125><regenerate continuity report -
finished><cifowner><ok>
• \iView\tomcat\logs\PolicyGenerator.log
This file contains the following information:
– User logged on to the policy generation
– Start time of policy creation
– Name of the newly created policy
– Number of processed events
– End time of policy generation
Example of log entries:
<20080208 13:16:08 utc> INFO - P1407M1414V0.0.45L147A7S0: User
CIFOWNER logged on.
...
<20080208 13:16:26 utc> INFO - P1407M1443V0.0.12L110A7S0: Policy
generation started
<20080208 13:16:26 utc> INFO - P1407M1418V0.0.17L342A7S0:
ClusterEngine started in memory monitoring mode
<20080208 13:16:27 utc> INFO - P1407M1418V0.0.17L430A7S0: Events
processed: 46
<20080208 13:16:27 utc> DEBUG - P1407M1418V0.0.17L444A7S0:
nl.consul.cea.gensub.generating.model.GemDimension$Platform@19ea9a.F
ileClusterer: events accepted: 0
<20080208 13:16:27 utc> DEBUG - P1407M1418V0.0.17L444A7S0:
...
<20080208 13:16:32 utc> INFO - P1407M1414V0.0.45L110A7S0: Progress:
100
<20080208 13:16:32 utc> INFO - P1407M1414V0.0.45L120A7S0: Policy
Default-policy-name 1 created on Tivoli Compliance Insight Manager
server.
• iview\log\Install.log
This log file contains information about the installation of iView.
Example of log entries:
<20080208 09:18:34> Starting installation at :2-8-2008, 09:18:34
Local Time

<20080208 09:18:34> Setup mode : First Install
<20080208 09:18:34> Tivoli Compliance Insight Manager Web
Applications, v8.5.0
...
<20080208 09:18:43> Finished setting security permissions ...
<20080208 09:18:43> Starting the InSightTomCat Service
<20080208 09:18:46> Service 'InSightTomCat' is started
<20080208 09:18:46> Key 'HKEY_CLASSES_ROOT\.cfg' does NOT exist in
registry. Creating... !
<20080208 09:18:46> Setting ValueName: 'Content
Type';REG_SZ;'text/plain' for key 'HKEY_CLASSES_ROOT\.cfg'
<20080208 09:18:46> Setting ValueName for key
'HKEY_CLASSES_ROOT\.cfg' was successful !
<20080208 09:18:46> Key 'HKEY_CLASSES_ROOT\.pcy' does NOT exist in
registry. Creating... !
<20080208 09:18:46> Setting ValueName: 'Content
Type';REG_SZ;'text/plain' for key 'HKEY_CLASSES_ROOT\.pcy'
<20080208 09:18:46> Setting ValueName for key
'HKEY_CLASSES_ROOT\.pcy' was successful !
<20080208 09:18:46> Web Service Extension
'C:\IBM2\TCIM\iView\web\miner.dll' disabled !
<20080208 09:18:46> Starting the IIS Server
<20080208 09:18:46>
<20080208 09:18:46> Installation Tivoli Compliance Insight Manager
Web Applications finished successfully.
<20080208 09:18:46> Closing log-file at :2-8-2008, 09:18:46 Local
Time
• iview\log\InstallCeA.log
This file contains the overall result of the installation of all Tivoli
Compliance Insight Manager components.
Example of log entries:
<20080208 11:20:05> Copying license files to C:\IBM2\TCIM\License
<20080208 11:20:05>
<20080208 11:20:05>
------------------------------------------------------------

<20080208 11:20:05> Result of Installation/Upgrade
<20080208 11:20:05>
------------------------------------------------------------
<20080208 11:20:05> - Tivoli Compliance Insight Manager Server OK!
<20080208 11:20:05> - Tivoli Compliance Insight Manager Web
ApplicationsOK!
<20080208 11:20:05> - Tivoli Compliance Insight Manager Management
ConsoleOK!
<20080208 11:20:05> - Tivoli Compliance Insight Manager
Consolidation Error!
<20080208 11:20:05>
------------------------------------------------------------
....
<20080208 11:20:06> This is an Enterprise Server ...
<20080208 11:20:10>
<20080208 11:20:10> Installation IBM Tivoli Compliance Insight
Manager finished successfully.
<20080208 11:20:10> Closing log-file at :2-8-2008, 11:20:10 Local
Time
• iview\server\Iview_excerpt.log
Here you will find information about reports sent out by e-mail.
There is no example available for this log at this time. Please open the
corresponding file on the system and make yourself familiar with its entries.
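The AUDIT lines in iView.log are the record of who logged on to iView, which roles were used, and which reports were generated against which database, so they are the first thing to pull when an auditor asks who looked at a report. The following Python script is an added example written for this guide, not part of the product. It rebuilds each iView session from the lines shown above, keyed on the session id that follows the @ sign, computes the session length, and lists report generations that have no successful logon on record in the same file. The sample lines are the session from the iView.log excerpt above plus one constructed line for a second session id; the "failed" variant of the logon and report messages is an assumption, since the excerpt only shows successes.

```python
import re
from datetime import datetime

# iView.log entry: UTC timestamp, the P/M/V/L/A/S tag block, then the message.
ENTRY_RE = re.compile(
    r"^<(?P<ts>\d{8} \d{2}:\d{2}:\d{2}) utc>\s*[A-Z0-9.]+:\s*(?P<msg>.*)$")
# Message shapes taken from the iView.log excerpt. The page only shows
# "succeeded"; the "failed" alternative is an assumption.
NEW_SESSION_RE = re.compile(r"Creating a new session (?P<sid>\w+)")
AUDIT_RE = re.compile(r"^@(?P<sid>\w+): AUDIT: (?P<event>.+)$")
LOGON_RE = re.compile(
    r'Logon "(?P<user>[^"]+)" from (?P<src>\S+) to (?P<db>\S+) (?P<result>succeeded|failed)')
REPORT_RE = re.compile(
    r'Generating report "(?P<name>[^"]+)" for database (?P<db>\S+) (?P<result>succeeded|failed)')
ROLE_RE = re.compile(r"Use:Role/(?P<result>\w+) (?P<role>\w+)")


def _new_session(started):
    return {"started": started, "ended": None, "user": None, "source": None,
            "logon": None, "roles": [], "reports": []}


def audit_sessions(lines):
    """Rebuild every iView session (keyed by session id) from the AUDIT lines."""
    sessions = {}
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        ts, msg = datetime.strptime(m["ts"], "%Y%m%d %H:%M:%S"), m["msg"]
        n = NEW_SESSION_RE.search(msg)
        if n:
            sessions[n["sid"]] = _new_session(ts)
            continue
        a = AUDIT_RE.match(msg)
        if not a:
            continue
        # An AUDIT line for an unknown session id is kept rather than dropped:
        # a rotated log may start in the middle of a session.
        s = sessions.setdefault(a["sid"], _new_session(None))
        event = a["event"]
        logon, report, role = (LOGON_RE.search(event), REPORT_RE.search(event),
                               ROLE_RE.search(event))
        if logon:
            s.update(user=logon["user"], source=logon["src"], logon=logon["result"])
        elif report:
            s["reports"].append((report["name"], report["db"], report["result"]))
        elif role:
            s["roles"].append(role["role"])
        elif event.startswith("Logoff"):
            s["ended"] = ts
    return sessions


def session_seconds(session):
    """Length of a session in whole seconds, or None without both start and end."""
    if session["started"] is None or session["ended"] is None:
        return None
    return int((session["ended"] - session["started"]).total_seconds())


def unattributed_reports(sessions):
    """Session ids that generated reports without a successful logon on record."""
    return sorted(sid for sid, s in sessions.items()
                  if s["reports"] and s["logon"] != "succeeded")


def report_trail(sessions):
    """(user, report, database, result) for every report generation."""
    return [(s["user"], name, db, result)
            for s in sessions.values() for name, db, result in s["reports"]]


# Constructed sample input: the session from the iView.log excerpt above, plus
# one line for a session id (0badf00d) that has no logon entry in this file.
IVIEW_LOG = [
    "<20080208 11:29:46 utc> P465M447V0.0.401L671A7S0:Creating a new session d1da3cd3",
    "<20080208 11:29:47 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: AUDIT: Use:Role/Success CEAIVIEW",
    '<20080208 11:29:47 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: AUDIT: Logon "CIFOWNER" from Unavailable to EPRORADB succeeded.',
    "<20080208 11:29:47 utc> P465M447V0.0.401L1002A7S0:@d1da3cd3: new connection",
    '<20080208 11:29:48 utc> P465M440V0.0.294L39A7S0:@d1da3cd3: AUDIT: Generating report "Dashboard" for database CIFDB/AGGRDB succeeded.',
    '<20080208 11:29:55 utc> P465M440V0.0.294L39A7S0:@d1da3cd3: AUDIT: Generating report "Summary" for database CIFDB/GEM succeeded.',
    "<20080208 12:00:35 utc> P465M447V0.0.401L237A7S0:@d1da3cd3: AUDIT: Logoff.",
    '<20080208 12:10:00 utc> P465M440V0.0.294L39A7S0:@0badf00d: AUDIT: Generating report "Summary" for database CIFDB/GEM succeeded.',
]
```

Feed the lines of \iView\tomcat\logs\iView.log to audit_sessions and hand report_trail to whoever needs the access record; a session returned by unattributed_reports is either the tail of a session that started before the log was rotated or a report generated without a recorded logon, and in both cases the earlier log file is the next thing to check.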

register.ini
There are several register.ini files, which we will explain here.

The register.ini file from the <disk>\IBM\TCIM\Server\ folder contains information
about all applied hot fixes and plugs for the server part of the Tivoli Compliance
Insight Manager.

The register.ini file from the <disk>\IBM\TCIM\iView\ folder contains information
about all applied hot fixes for the iView part of the Tivoli Compliance Insight
Manager.

The register.ini file from the <disk>\IBM\TCIM\ManConsole\ folder contains
information about all applied hot fixes for the Management Console part of the
Tivoli Compliance Insight Manager.

The register.ini file from the <disk>\IBM\TCIM\Consolidation\ folder contains
information about all applied hot fixes for the consolidation part of the Tivoli
Compliance Insight Manager.

It is very beneficial to open each of the log files and register.ini files and
study their contents before taking the certification test.

Some of the above information is described in more detail in Chapter 4,
"Compliance Management Solution Design", in Compliance Management Design
Guide with IBM Tivoli Compliance Insight Manager, SG24-7530.

5.3 Diagnostic and performance tuning

When Tivoli Compliance Insight Manager does not seem to work properly on
your system, you must determine the cause of the problem. The various
components log their processing messages to the associated log files, and
checking them should provide insight into the cause of the problem. On a
Tivoli Compliance Insight Manager Server installed in the default directory, these
log files can be found in the \server\log directory. If the cause of the problem
cannot be determined in sufficient detail from the log files, it may be useful
to temporarily turn on the generation of additional log messages through
Dynamical Tracing.

5.3.1 Dynamical Tracing

Dynamical Tracing is a mechanism by which you can, at any time, switch the
logging of some components between the default mode and a considerably
more verbose mode. Dynamical Tracing is available for the components listed
in Table 5-1. The "On server" and "On Actuator" columns of the table show
whether the component occurs on a server system and on an Actuator
system.

Table 5-1 Dynamical Tracing

Component   Log file          On server   On Actuator
bbbin       bbbin.log         Yes         No
auditctl    auditctl.log      Yes         No
agent       agent.log         Yes         Yes
actuator    actuatorXXX.log   Yes         Yes
bart        bart.log          Yes         No
marge       std out           Yes         Yes

The verbosity of logging by these components is configured through the contents
of a file called tracing in the run directory of the server or Actuator. To turn on
more verbose logging for a component, add the following line to the tracing file:
component = yes

where component stands for the name of the component from the above table.
To turn off more verbose logging for a component, add the following line to the
tracing file:
component = no

If you replace yes or no with dynamical, or remove the line completely, the
logging by that component reverts to its default state. (This means that
Dynamical Tracing is turned off by default, but the software itself may decide to
turn it on for some time.)

Each of these components checks the tracing file once a minute to see if it is
supposed to change the verbosity of its logging, so any relevant change you
make to the tracing file should result in a change in the logging behavior within
one minute.

For some of these components, verbose logging is extremely verbose, so we do
not recommend leaving it switched on all the time.
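The edit to the tracing file is small, but it is easy to leave a component in verbose mode after a troubleshooting session or to end up with two conflicting lines for the same component. The following Python helper is an added example written for this guide, not a Tivoli Compliance Insight Manager tool. It rewrites the tracing file idempotently, restricts changes to the components of Table 5-1, collapses duplicate lines, and treats mode None as "remove the line", which the text above says restores the default. It assumes the file holds one `component = value` line per component and that surrounding whitespace and letter case are tolerated; the page shows only the bare `component = yes` form.

```python
import re
from pathlib import Path

# Components that honour the tracing file, taken from Table 5-1.
TRACEABLE = {"bbbin", "auditctl", "agent", "actuator", "bart", "marge"}
# "component = yes|no|dynamical". Tolerating surrounding whitespace and letter
# case is an assumption; the page only shows the bare form.
LINE_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z]+)\s*=\s*(?P<value>yes|no|dynamical)\s*$", re.I)


def set_tracing(text, component, mode):
    """Return the tracing file text with `component` set to yes, no or
    dynamical; mode None removes its line (which also restores the default).
    Duplicate lines for the component are collapsed into one."""
    component = component.lower()
    if component not in TRACEABLE:
        raise ValueError(f"{component!r} does not support Dynamical Tracing")
    if mode not in ("yes", "no", "dynamical", None):
        raise ValueError("mode must be 'yes', 'no', 'dynamical' or None")
    kept, done = [], False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["name"].lower() == component:
            if mode is not None and not done:
                kept.append(f"{component} = {mode}")
                done = True
            continue  # drop duplicates, or the line itself when mode is None
        kept.append(line)
    if mode is not None and not done:
        kept.append(f"{component} = {mode}")
    return "\n".join(kept) + ("\n" if kept else "")


def tracing_state(text):
    """Map each configured component to its current value."""
    return {m["name"].lower(): m["value"].lower()
            for m in map(LINE_RE.match, text.splitlines()) if m}


def update_tracing_file(run_dir, component, mode):
    """Rewrite the tracing file in run_dir in place. The components re-read it
    once a minute, so the change takes effect within a minute; remember to
    call this again with mode None (or "no") when the investigation is over."""
    path = Path(run_dir) / "tracing"
    current = path.read_text() if path.exists() else ""
    path.write_text(set_tracing(current, component, mode))
```

Call update_tracing_file with the run directory of the server or Actuator, the component name and "yes" before reproducing the problem, and once more with None afterwards; unknown component names are rejected so that a typo does not silently leave the file unchanged.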

5.4 The Management Console

While logged on to Tivoli Compliance Insight Manager as an administrator, you
can use the Management Console for several monitoring and management
tasks, such as creating or importing policies, loading and managing databases,
managing users, and so on.

The Management Console of the Tivoli Compliance Insight Manager is an
integral part of its administration. We have decided not to explain the
Management Console in detail in this book, since that would go beyond the scope
of this IBM Redbooks publication; we simply give you an overview of what you
need to know in order to pass the certification exam. Nevertheless, we strongly
recommend reading the chapters regarding the Management Console in Tivoli
Compliance Insight Manager User Guide, SC23-6581.

It is also very beneficial to have practical experience in using the Management
Console of the Tivoli Compliance Insight Manager in order to answer the exam
questions.

Note: Lack of practical experience will make it very difficult for you to pass the
certification test. Pure theoretical study can never substitute experience.

5.5 Conclusion
In this chapter, we discussed problem determination by using the most important
Tivoli Compliance Insight Manager log files. We also pointed you to additional
study resources to find information regarding the Management Console, which is
one of the most important tools for managing, tuning, and troubleshooting the
Tivoli Compliance Insight Manager.

Chapter 6. Administration
As a security compliance policy monitoring tool, Tivoli Compliance Insight
Manager must be optimized for your environment and be well maintained. A
Tivoli Compliance Insight Manager systems administrator should ensure that the
system runs smoothly and that any routine user or systems management tasks
are performed. A Tivoli Compliance Insight Manager systems administrator
should also be able to configure the system, including adding and removing
event sources and configuring policies. In this chapter, we discuss the
administration of the Tivoli Compliance Insight Manager, including the report
generation.

After having read and understood this chapter and the additional sources that we
will provide in this chapter, you should be able to answer all of the exam
questions related to the administration process. Please note that practical
experience is essential in passing the certification exam.

© Copyright IBM Corp. 2008. All rights reserved. 179


6.1 Administration of a Tivoli Compliance Insight Manager environment
The Management Console is the configuration component for Tivoli Compliance
Insight Manager. It is used to define which systems and event sources will be
monitored by Tivoli Compliance Insight Manager. It is also used to define the
Tivoli Compliance Insight Manager policy.

6.1.1 Management Console

By default, a Management Console is installed with each server. Optionally, you
can install remote instances of the Management Console, as shown in
Figure 6-1. Using remote instances, administrators can perform configuration
tasks without having to log directly in to the server. When a Management
Console instance is installed, it is associated with a specific server. This means
that each Management Console instance can manage only one server.

Figure 6-1 Management Console component overview

You can use the Management Console to perform numerous tasks related to the
configuration and management of the Tivoli Compliance Insight Manager servers:
• Activate the Agents and have them collect audit trails from different platforms.
• Define the security policy and attention rules.
• Define users and their access rights.
• Start the preparation of the reports.

All the actions on the Management Console are performed by the Tivoli
Compliance Insight Manager server. You can think of the Management Console
as being the user interface for the Tivoli Compliance Insight Manager server.
After the reports have been prepared by the server, a Tivoli Compliance Insight
Manager user may generate the specific reports using the iView component.

6.1.2 Primary administration responsibilities

The main responsibilities of a Tivoli Compliance Insight Manager systems
administrator are listed below:
• Install agents and Actuators.
– Add event sources to Tivoli Compliance Insight Manager in the
Management Console. Modify the event source properties, if needed, to
customize them for your network environment.
– Set collection schedules for event sources.
Installation of the agents and the Actuator configuration was explained in
Chapter 4, “Configuration” on page 91. For more details about this topic, refer
to IBM Tivoli Compliance Insight Manager Installation Guide Version 8.5,
GC23-6580.
• Perform daily or weekly maintenance tasks.
– Check collections.
– Verify that the agents on the target machines are running and check
whether any of the machines are collecting empty chunks (that is, auditing
may have been turned off).
– Check loads in iView.
– Check database status, contents, and load date in the (iView) Dashboard.
– In the case of a GEM database failure, investigate the length of time since
the last GEM database load. (Note: For this task, you will need some basic
knowledge of the mainmapper so that you can read the mainmapper logs.)
– Confirm that authorized users can access iView and the Management
Console.
򐂰 Configure Tivoli Compliance Insight Manager.
– Manage databases in the Management Console.
– Add databases.
– Add/remove event sources to a database.
– Remove databases.
– Set load schedules, as needed.

– Perform manual loads, as needed.
– Set mapping to take place at load time or at collection time.
Chapter 4, “Configuration” on page 91 explains the configuration related tasks
listed above. For more information, refer to IBM Tivoli Compliance Insight
Manager Installation Guide Version 8.5, GC23-6580.
• Manage users in the Management Console.
– Create users.
– Assign roles/databases to users.
– Configure e-mail alerts.
– Configure real-time alerts (RTA).
– Create the RTA database.
– Create and modify alert rules.
Tivoli Compliance Insight Manager users and roles are created and managed
from the User Management panel in the Management Console. The users are
stored in an LDAP directory (IBM Tivoli Directory Server). You can configure
a Standard Server to use its own user directory or a shared directory on a
Security Server. For step-by-step instructions for user management, refer to
IBM Tivoli Compliance Insight Manager User Guide Version 8.5, SC23-6581.
Chapter 4, “Configuration” on page 91 explains how to configure an example
alert that sends an e-mail to the IT security administrator when deletions are
performed on objects in the confidential file shares. For more information
about the alert configuration, refer to IBM Tivoli Compliance Insight Manager
Installation Guide Version 8.5, GC23-6580.
• Export and import data.
– Make a backup of the archived data together with the Tivoli Compliance
Insight Manager security policies.
The Management Console has an interface for defining a backup schedule
and a target destination for the backup. The schedule is stored in the
EpriseDB and the backup is performed by the Tivoli Compliance Insight
Manager server. The server runs a script that copies the policies and runs an
executable file called CeaExport.exe. Exporting the archived data helps
maintain enough disk space on the Tivoli Compliance Insight Manager server.
• Develop policies and generate reports.
– Manage policies in the Management Console.
– Create and modify W7 groups.
– Create and modify policy and special attention rules.

– Test policies versus commit policies, when needed.
– Create custom reports in iView.
In 4.5, “Configuration of the audit policy (W7 groups and rules)” on page 119,
we show how to configure a new policy with W7 rules and the customization
of group definitions. For more information about this area, refer to IBM Tivoli
Compliance Insight Manager Installation Guide Version 8.5, GC23-6580.
The toolset available for report generation is explained in 6.2, “Reporting” on
page 183, where the main functionality of the iView reporting application is
highlighted.
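The daily maintenance checks listed above (collections that keep returning empty chunks, failed collections, and the time since the last GEM database load) are the kind of thing an administrator ends up scripting against the collection history instead of eyeballing in the Management Console every morning. The Python below is an added illustration written for this guide, not Tivoli Compliance Insight Manager code: the record layout, the "three empty chunks in a row" streak and the 24-hour load threshold are assumptions, and the collection and load records are constructed for the example.

```python
"""Daily collection health check modelled on the maintenance tasks above.
Added illustration, not product code: record layout and thresholds are
assumptions, and all sample records are constructed."""
from datetime import datetime, timedelta

# Constructed collection history: one record per collect attempt.
# "chunk_bytes" is the size of the data files in the retrieved chunk;
# 0 means the Actuator came back with an empty chunk.
COLLECTIONS = [
    {"source": "fileserver01/Windows", "status": "ok",     "chunk_bytes": 48213},
    {"source": "fileserver01/Windows", "status": "ok",     "chunk_bytes": 51002},
    {"source": "db02/Oracle",          "status": "ok",     "chunk_bytes": 0},
    {"source": "db02/Oracle",          "status": "ok",     "chunk_bytes": 0},
    {"source": "db02/Oracle",          "status": "ok",     "chunk_bytes": 0},
    {"source": "fw01/Firewall",        "status": "failed", "chunk_bytes": 0},
    {"source": "fw01/Firewall",        "status": "ok",     "chunk_bytes": 9120},
]

# Constructed GEM database load history: database name -> last successful load.
NOW = datetime(2008, 9, 15, 8, 0)
LOADS = {
    "finance_gem": NOW - timedelta(hours=6),
    "hr_gem":      NOW - timedelta(hours=30),
    "rta":         NOW - timedelta(minutes=20),
}


def empty_chunk_sources(collections, streak=3):
    """Sources whose last `streak` successful collects all produced empty
    chunks. A collect that succeeds but returns nothing usually means auditing
    was switched off on the audited system, so it needs a follow-up even
    though the Management Console shows no failure."""
    by_source = {}
    for rec in collections:
        if rec["status"] == "ok":
            by_source.setdefault(rec["source"], []).append(rec["chunk_bytes"])
    return sorted(src for src, sizes in by_source.items()
                  if len(sizes) >= streak and all(b == 0 for b in sizes[-streak:]))


def failed_collections(collections):
    """Sources with at least one failed collect in the history."""
    return sorted({rec["source"] for rec in collections if rec["status"] == "failed"})


def stale_databases(loads, now, max_age=timedelta(hours=24)):
    """(database, hours since last load) for databases not loaded within max_age."""
    return sorted((name, round((now - ts).total_seconds() / 3600, 1))
                  for name, ts in loads.items() if now - ts > max_age)


def health_report(collections, loads, now):
    """Bundle the three checks into one dictionary for the daily review."""
    return {
        "empty_chunks": empty_chunk_sources(collections),
        "failed": failed_collections(collections),
        "stale_loads": stale_databases(loads, now),
    }


if __name__ == "__main__":
    for key, value in health_report(COLLECTIONS, LOADS, NOW).items():
        print(f"{key}: {value}")
```

The empty-chunk check is deliberately separate from the failure check: a source that silently delivers nothing is the case the checklist warns about ("auditing may have been turned off"), and it never shows up as a collection error.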

6.2 Reporting
Once Tivoli Compliance Insight Manager has collected, normalized, and securely
stored the audit data, it can run sophisticated analyses on the data and generate
numerous reports showing policy compliance status.

Tivoli Compliance Insight Manager offers a large number of security compliance
reports, including:
• Standard reports
• Event detail reports
• Custom reports
• Graphic reports
• Trend reports
• Log management reports
• Compliance module reports customized for a specific regulation or security
standard

Standard reports
Tivoli Compliance Insight Manager comes with numerous standard compliance
reports. The standard reports list events using the W7 normalized fieldnames, so
they identify events using every day language that can be easily understood by
non-specialists in a business context. From a standard report, you can drill down
on specific events to see the event detail report, which shows all fields from the
selected event. You can modify the standard reports in order to customize them
to your environment.

The standard reports include the following reports, and many more:
• Direct Database Access Report
• User Account Management Report
• User Summary Report
• Database System Events
• Stored Procedures Exceptions Report
• Privileged Operations Report

Event detail reports


You can see event detail reports showing all fields for a specific event by drilling
down on a bubble in the Compliance Dashboard or from any of the standard
reports. Event detail reports are often helpful when investigating a security
incident.

Custom reports
In addition to modifying the standard reports, you can create your own custom
reports using the Custom Reports wizard in iView. The main functionality of iView
will be explained in 6.2.1, “iView reporting application” on page 186.

Custom reports include the following types of reports:
• Event lists
• Summary reports
• Top-N report, where N is the number of events in a given time period
• Threshold reports

Graphic reports
The Compliance Dashboard is the first window in iView and it displays two
graphic reports. Graphic reports provide visual analyses of security policy
compliance activity. The Compliance Dashboard contains the Enterprise
Overview graph, the Database Overview, and the Trend graphic.

Trend reports
The Trend graphic is a line graph that shows changes in the percentage of policy
exceptions over a given period of time. You can quickly see whether policy
exceptions are increasing or decreasing over time.

Log management reports


The Tivoli Compliance Insight Manager Log Manager contains a set of reports to
monitor log collection activities.

The History Report shows the number of log collection events that occurred
during a given period of time. A log collection event is each instance when Tivoli
Compliance Insight Manager attempted to collect audit data. This report tracks
the status of log collection events; in the case of a failed log collection, the report
provides diagnostic information that you can use to resolve the issue.

The Log Continuity Report analyzes log sets, the collected logs stored in the log
depot, and reports on how complete the log sets are. If a log set is incomplete,
then the report provides diagnostic information that you can use to resolve the
issue.

Compliance module reports


There are several optional compliance modules that can be used with Tivoli
Compliance Insight Manager to provide reports specific to the following
regulations:
• Basel II
• GLBA
• HIPAA
• ISO 27001
• PCI
• Sarbanes-Oxley

The compliance modules contain reports that are mapped to specific line
references within the respective regulations and are associated with security
protocols that auditors may wish to review.

All reports are accessed through the reporting portal. The reporting portal is a
single point of entry for the following reporting applications:
• iView reporting application
• Log Manager
• Policy Generator
• Scoping
• Tivoli Compliance Insight Manager Management Modules

Figure 6-2 shows the reporting portal.

Figure 6-2 Tivoli Compliance Insight Manager reporting portal

6.2.1 iView reporting application


The main function of Tivoli Compliance Insight Manager, which is event auditing,
is performed with the iView reporting application. iView can be used to view
summary and detailed reports about the collected audit data. Viewing both
standard and custom iView reports enables analysis of the data in a variety of
formats and levels of detail.

After clicking iView, the application will switch to the main page of iView. The
iView Navigation Bar is displayed at the top of the page, as shown in Figure 6-3.

Figure 6-3 The iView navigation bar

We explain briefly the eight options you can choose from this menu:
• Dashboard
This shows the compliance dashboard. The dashboard window is divided into
three sections:
– The enterprise view, which shows events, by top event count, by “Who”
and “On What”
– A trend graphic, showing a percentage of policy exceptions
– A database overview with a list of all available databases along with brief
information about a selected database
• Trends
This shows all events of aggregated data of all databases for a specific period
of time.
• Reports
This shows the initial iView reporting page.
• Regulations
Here management modules can be accessed and monitored.
• Policy
Here you can set up and check Tivoli Compliance Insight Manager audit
policies.
• Groups
This gives access to the group types page of iView. This also includes group
types for the selected database, the number of groups they presently contain,
and the “Grouping Wizard”.
• Distribution
IBM Tivoli Compliance Insight Manager provides functionality for the
automated distribution of iView reports to a predefined group of Tivoli
Compliance Insight Manager users, which can be configured with help of this
option.
• Settings
This shows the user preferences, which can be configured here.

6.2.2 Log Manager
Log Manager provides centralized log management, reporting on log collection
activities, and log search and retrieval functions. Retrieved logs can be analyzed
using external tools such as log readers on the source platform. Log Manager is
available on Standard and Enterprise Servers. The difference in functionality
between these server types is the investigation option (forensic search).

6.2.3 Policy Generator


The Policy Generator is an application designed to create W7 models and policy
rules for Windows file servers and firewalls. The rules it proposes are based on
the assumption that objects that are accessed frequently and successfully are
candidates to become policy rules.

6.2.4 Scoping
Scoping enables you to control access to event detail. You can specify which
contents of the database each user can view according to their different needs.
There are three classes from the W7 model that you can use to hide information
from users:
• Who
• Where
• OnWhat

You must define which groups from all three classes a user can see. If you omit a
class for a user, scoping assumes that this user is not allowed to see any of the
groups in the omitted class.
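The scoping rule just described (a user sees an event only if its Who, Where and OnWhat groups are all in that user's scope, and a class the administrator forgot to define grants nothing rather than everything) is a deny-by-default rule, and it is worth seeing why it matters. The Python below is an added example for this guide, not the product's scoping implementation; the Event fields, group names, events and scopes are constructed for the illustration, and the three scope classes are the ones the text names.

```python
"""Model of W7 scoping: deny-by-default visibility of event detail.
Added example, not Tivoli Compliance Insight Manager code; events, groups
and scopes below are constructed."""
from dataclasses import dataclass

# The three W7 classes scoping uses to hide information from users.
SCOPE_CLASSES = ("Who", "Where", "OnWhat")


@dataclass(frozen=True)
class Event:
    who: str       # group of the acting user
    where: str     # group of the platform the event happened on
    onwhat: str    # group of the object that was acted upon
    summary: str


# Constructed events, already mapped to W7 groups.
EVENTS = [
    Event("DBAs", "Database servers", "Customer data", "select on CUSTOMERS"),
    Event("DBAs", "Database servers", "System tables", "alter on SYSAUX"),
    Event("Administrators", "File servers", "Confidential shares",
          "delete on \\\\fs01\\finance\\q3.xls"),
    Event("DBAs", "File servers", "Customer data", "copy export.csv"),
]

# Constructed scopes: class -> groups the user may see in that class.
DBA_AUDITOR_SCOPE = {
    "Who": {"DBAs"},
    "Where": {"Database servers"},
    "OnWhat": {"Customer data"},
}
FULL_SCOPE = {
    "Who": {"DBAs", "Administrators"},
    "Where": {"Database servers", "File servers"},
    "OnWhat": {"Customer data", "System tables", "Confidential shares"},
}
# The administrator defined Who and Where but forgot OnWhat.
SCOPE_MISSING_ONWHAT = {
    "Who": {"DBAs", "Administrators"},
    "Where": {"Database servers", "File servers"},
}


def missing_classes(scope):
    """Scope classes the administrator did not define for this user."""
    return [cls for cls in SCOPE_CLASSES if cls not in scope]


def allowed(event, scope):
    """True only if every class is granted. scope.get(cls, set()) is the
    deny-by-default rule: an omitted class is treated as 'no groups', which
    fails the check for every event instead of exposing everything."""
    checks = (("Who", event.who), ("Where", event.where), ("OnWhat", event.onwhat))
    return all(value in scope.get(cls, set()) for cls, value in checks)


def visible_events(events, scope):
    """Event detail this user is allowed to see."""
    return [e for e in events if allowed(e, scope)]


if __name__ == "__main__":
    for name, scope in (("dba_auditor", DBA_AUDITOR_SCOPE),
                        ("full", FULL_SCOPE),
                        ("missing OnWhat", SCOPE_MISSING_ONWHAT)):
        gaps = missing_classes(scope)
        print(f"{name}: {len(visible_events(EVENTS, scope))} visible, "
              f"undefined classes: {gaps or 'none'}")
```

The `missing_classes` check is the useful operational addition: a user whose scope silently hides every event will report "iView shows nothing" rather than a permission error, so listing undefined classes is the fastest way to confirm whether scoping, not collection, is the cause.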

6.3 Conclusion
In this chapter, we gave a high-level functional overview for the administration of
a Tivoli Compliance Insight Manager environment, including the report
generation. We explained the primary administration responsibilities and showed
the security compliance reports that Tivoli Compliance Insight Manager offers.


Appendix A. Sample questions


This appendix provides sample questions for Certification Test 937.

© Copyright IBM Corp. 2008. All rights reserved. 189


Questions
We provide the following questions to assist you in studying for Certification Test
937. This sample test is designed to give the candidate an idea of the content
and format of the questions that will be on the certification exam. Performance on
the sample test is not an indicator of performance on the certification exam and
this should not be considered an assessment tool.
1. A customer wants to have a compliance daily report that shows the last login
time stamp of each user in a Windows domain. How can this goal be
achieved?
a. This goal cannot be achieved with IBM Tivoli Compliance Insight
Manager.
b. Perform a sliding schedule of the last 30 days to make sure that the login
events of all users are included.
c. The Log Management Investigation tool can generate a compliance report
in iView with the last login time of all users.
d. The customer can browse through the daily GEM database reports to see
if each user has any login events on that day.
2. How many event sources should be counted for a Microsoft SQL cluster of
four servers?
a. One event source.
b. Two event sources.
c. Three event sources.
d. Four event sources.
3. Which statement is true regarding Actuator support for the Sun Solaris
Platform?
a. Solaris must be running on SPARC hardware.
b. Solaris 10 is not supported by IBM Tivoli Compliance Insight Manager.
c. Solaris containers are not supported by IBM Tivoli Compliance Insight
Manager.
d. Only Solaris 8 and later are supported by IBM Tivoli Compliance Insight
Manager.

4. Which procedure in the Policy Editor should be followed when modifying
attention rules in the committed policy?
a. Open the committed policy, select the Attentions tab, right-click and
select Edit for the Attention rule to be changed, make the changes, save
the policy, test the attention rule, and commit the new policy.
b. Open the committed policy, select the Attentions tab, copy the Attention
rule to be modified to the work folder, make the changes, save the policy,
test the attention rule, and commit the new policy.
c. Duplicate the committed policy, open the draft policy, select the Attentions
tab, copy the Attention rule to be modified to the work folder, make the
changes, save the policy, test the attention rule, and commit the new
policy.
d. Duplicate the committed policy, open the draft policy, select the Attentions
tab, right-click and select Edit for the Attention rule to be changed, make
the changes, save the policy, test the attention rule, and commit the new
policy.
5. What is the default port number for communication between a standard
server and a Point of Presence?
a. 22.
b. 139.
c. 5992.
d. 50001.
6. Which statement is true about Actuators?
a. The information is sent to the IBM Tivoli Compliance Insight Manager
server over port 4321 by default.
b. The local copy of the collected audit trail is compressed, turned into a
chunk, and encrypted by the agent.
c. Actuators create a local copy of the collected audit trail in the /bin
subdirectory of the Actuator's installation directory.
d. The local copy of the collected audit trail is compressed, turned into a
chunk, encrypted, and digitally signed by the agent.
7. What is a valid collection strategy for a z/OS® event source?
a. Live, Wait, Poll.
b. Store raw data, Error, Delete.
c. Store past data, Wait, Data set.
d. Collect error, Store raw data, Delete.

8. Which user or users can view the list of unassigned assets for scoping?
a. Only users given access to scoping.
b. All IBM Tivoli Compliance Insight Manager users.
c. IBM Tivoli Compliance Insight Manager administrator.
d. IBM Tivoli Compliance Insight Manager administrator and normal users
given access to scoping.
9. Which two conditions cause the machine icon in the Management Console to
turn red? (Choose two.)
a. The Point of Presence host name cannot be reached.
b. The IBM Tivoli Compliance Insight Manager is not functioning.
c. The collection on one of the event sources on the Point of Presence has
failed at least twice.
d. The Point of Presence has been newly added to the Management
Console, and the agent software has not been installed.
e. The secure channel between the point of presence and the IBM Tivoli
Compliance Insight Manager server is not functioning.
10. Which Windows audit setting is required for the policy generator algorithm to
work?
a. Audit privilege user.
b. Audit object access.
c. Audit system events.
d. Audit account management.

Answer key
1. a
2. d
3. a
4. d
5. c
6. b
7. a
8. c
9. a and e
10. b

Glossary

8-bit UCS/Unicode Transformation Format A Aggregation Database Data and statistics,


variable-length character encoding for Unicode. It is spanning a longer period, are maintained by a
able to represent any character in the Unicode process called aggregation. The aggregation
standard, yet the initial encoding of byte codes and process builds a special database called the
character assignments for UTF-8 is consistent with aggregation database, which is used for trend and
ASCII. summary reports.

Access Management A discipline that focuses on Alerts Messages that Tivoli Compliance Insight
ensuring that only approved roles are able to create, Manager sends when a serious or potentially
read, update, or delete data, and only using harmful security event has occurred. Alerts allow for
appropriate and controlled methods. Data a fast response to the event by a systems manager
governance programs often focus on supporting or system administrator.
access management by aligning the requirements
and constraints posed by governance, risk Assurance Activities designed to reach a measure
management, compliance, security, and privacy of confidence. Assurance is different from audit,
efforts. which is more concerned with compliance to formal
standards or requirements.
Actuator A piece of software that automates the
collection of logs from event sources and transmits Audit An independent examination of an effort to
the logs to the Depot. Each Actuator consists of an determine its compliance with a set of requirements.
Agent and numerous Actuator Scripts. The server An audit might be carried out by internal or external
where the Actuator is installed is referred to as the groups.
Point of Presence.
Audit Report A report which shows infrastructure
Actuator Scripts The Actuator Scripts are invoked changes that are made to hardware and software
by the Agent (at the request of the Tivoli Compliance and who is responsible for the changes.
Insight Manager Server) to collect the log for a
particular event source. There is a different script for Audit Trail A record that can be interpreted by
every supported event type. auditors to establish that an activity has taken place.
Often, a chronological record of system activities to
Agent The Agent is a component of the Actuator. It enable the reconstruction and examination of the
listens for collect requests from the Tivoli sequence of events or changes in an event. An audit
Compliance Insight Manager Server, invokes the trail of system resource usage might include user
appropriate Actuator Script, compresses the login, file access, and triggers that indicate whether
retrieved logs, and maintains an encrypted channel any actual or attempted security violations occurred.
for communication with the Tivoli Compliance Insight
Manager Server in order to securely deliver the Audited System A system on which events occur
requested logs. and are recorded in logs that provide the audit data
for Tivoli Compliance Insight Manager.

© Copyright IBM Corp. 2008. All rights reserved. 195


Authentication In computer security, verification CERT See Computer Emergency Response
of the identity of a user or process and the Team.
construction of a data structure that contains the
privileges that were granted to the user or process. Certified Server Validation (CSV) A technical
Contrast with authorization. method of e-mail authentication intended to fight
spam. Its focus is the SMTP HELO-identity of Mail
Authorization The process of granting a user transfer agents.
either complete or restricted access to an object,
resource, or function. Contrast with authentication. Change Control A formal process used to ensure
that a process, product, service, or technological
Basel II A round of deliberations by central component is modified only in accordance with
bankers from around the world, under the auspices agreed-upon rules. Many organizations have formal
of the Basel Committee on Banking Supervision Change Control Boards that review and approve
(BCBS) in Basel, Switzerland, aimed at producing proposed modifications to technology
uniformity in the way banks and banking regulators infrastructures, systems, and applications. Data
approach risk management across national borders. governance programs often strive to extend the
The Basel II deliberations began in January 2001, scope of change control to include additions,
driven largely by concern about the arbitrage issues modifications, or deletions to data models and
that develop when regulatory capital requirements values for reference/master data.
diverge from accurate economic capital calculations.
Basel II recommends three pillars: risk appraisal and Chief Compliance Officer (CCO) The officer
control, supervision of the assets, and monitoring of primarily responsible for overseeing and managing
the financial market, to bring stability to the financial compliance issues within an organization. The CCO
system. typically reports to the Chief Executive Officer. The
role has long existed at companies that operate in
Batch Collect Mechanism for retrieving security heavily regulated industries such as financial
log data. services and health care. For other companies, the
rash of recent accounting scandals, the
British Standard 7799 A standard code of Sarbanes-Oxley Act, and the recommendations of
practice that provides guidance on how to secure an the U.S. Federal Sentencing Guidelines have led to
information system. It includes the management additional CCO appointments.
framework, objectives, and control requirements for
information security management systems. Chunk Data structure of the archived log files in
the Depot. A chunk consists of a header file and one
Can Spam Act of 2003 A commonly used name or more data files.
for the United States Federal law more formally
known as S. 877 or the Controlling the Assault of Client A system entity that requests and uses a
Non-Solicited Pornography and Marketing Act of service provided by another system entity, called a
2003. The law took effect on January 1, 2004. The server. In some cases, the server might itself be a
Can Spam Act allows courts to set damages of up to client of some other server. A system entity that
$2 million when spammers break the law. Federal requests and uses a service provided by another
district courts are allowed to send spammers to jail system entity, called a server. In some cases, the
or triple the damages if the violation is found to be server might itself be a client of some other server.
willful.
Cluster (Tivoli Compliance Insight
CCO See Chief Compliance Officer. Manager) The combination of a Enterprise Server
and one or more Standard Servers.

196 Certification Study Guide: IBM Tivoli Compliance Insight Manager V8.5
COBIT See Control Objectives for Information and Compliance Either a state of being in accordance
related Technology. with established guidelines, specifications, or
legislation or the process of becoming so. Software,
Collect History Report Tivoli Compliance Insight for example, can be developed in compliance with
Manager report that documents log collection specifications created by some standards body,
events. such as the Institute of Electrical and Electronics
Engineers (IEEE), and might be distributed in
Collector A software module that runs on a client compliance with the vendor's licensing agreement.
system and gathers data. This data is subsequently In the legal system, compliance usually refers to
sent to a server. behavior in accordance with legislation, such as the
United States' Can Spam Act of 2003, the
Committee of Sponsoring Organizations of the Sarbanes-Oxley Act (SOX) of 2002, or the United
Treadway Commission (COSO) A U.S. States Health Insurance Portability and
private-sector initiative, formed in 1985. Its major Accountability Act of 1996 (HIPAA).
objective is to identify the factors that cause
fraudulent financial reporting and to make Compliance Check A set of rules used to
recommendations to reduce its incidence. COSO determine whether a computer or group of
has established a common definition of internal computers is compliant or not. There are two types
controls, standards, and criteria against which of compliance checks: software and security.
companies and organizations can assess their
control systems. Compliance Dashboard Available in iView. It
displays an easy-to-understand, color-coded matrix
Common Criteria The Common Criteria is the that highlights degrees and level of compliance
result of the integration of information technology based on user behavior and data access.
and computer security criteria. In 1983, the US
issued the Trusted Computer Security Evaluation Compliance Management Module The Tivoli
Criteria (TCSEC), which became a standard in Compliance Insight Manager regulation-specific
1985. Criteria developments in Canada and reporting interface.
European ITSEC countries followed the original US
TCSEC work. The US Federal Criteria development Compliance Report A report that provides
was an early attempt to combine these other criteria information about the patch compliance status of all
with the TCSEC, and eventually led to the current selected target computers.
pooling of resources towards production of the
Common Criteria. The Common Criteria is Compliant State The state that a user wants an
composed of three parts: the Introduction and object to have.
General Model (Part 1), the Security Functional
Requirements (Part 2), and the Security Assurance
Requirements (Part 3). While Part 3 specifies the
actions that must be performed to gained
assurance, it does not specify how those actions are
to be conducted; to address this issue, the Common
Evaluation Methodology (CEM) was created for the
lower levels of assurance.

Glossary 197
Computer Emergency Response Team CSV See Certified Server Validation.
(CERT) The CERT/CC is a major reporting center
for Internet security problems. Staff members Data Aggregation The ability to get a more
provide technical advice and coordinate responses complete picture of information by analyzing several
to security compromises, identify trends in intruder different types of records at the same time.
activity, work with other security experts to identify
solutions to security problems, and disseminate Data Governance The exercise of
information to the broad community. The CERT/CC decision-making and authority for data-related
also analyzes product vulnerabilities, publishes matters. The organizational bodies, rules, decision
technical documents, and presents training courses. rights, and accountabilities of people and
The CERT/CC is located at the Software information systems as they perform
Engineering Institute (SEI), a federally funded information-related processes. Data governance
research and development center (FFRDC) determines how an organization makes decisions.
operated by Carnegie Mellon University (CMU).
Data Mapping The discipline, process, and
Configuration Compliance The comparison of a organizational group that conducts analysis of data
known state to a compliant state, which can include objects used in a business or other context,
automated actions. After discovery or scanning is identifies the relationships among these data
performed, devices are said to be either compliant or objects, and creates models that depict those
noncompliant. relationships.

Consolidation Database An Enterprise Server Data Privacy The assurance that a person's or
database that delivers enterprise-wide trend and organization's personal and private information is
summary reports. not inappropriately disclosed. Ensuring data privacy
requires access management, security, and other
Control A means of managing a risk or ensuring data protection efforts.
that an objective is achieved. Controls can be
preventative, detective, or corrective, and can be Delta Table A database table used for saving
fully automated, procedural, or technology-assisted changed data from subsequent runs of a collector.
human-initiated activities. They can include actions,
devices, procedures, techniques, or other Deployment The process of reconfiguring and
measures. reallocating resources in the managed environment.
Deployment occurs in response to deployment
Control Objectives for Information and related requests, created manually by administrators or
Technology (COBIT) A set of best practices automatically by the system.
(framework) for information technology (IT)
management created by the Information Systems, Depot The Tivoli Compliance Insight Manager
Audit and Control Association (ISACA), and the IT secure storage facility for storing and archiving logs.
Governance Institute (ITGI) in 1992. COBIT
provides managers, auditors, and IT users with a set Depot Server The component that stores files for
of generally accepted measures, indicators, distribution. Files are uploaded to a Depot server
processes, and best practices to assist them in using a client and stored in a directory that is
maximizing the benefits derived through the use of specified when the Depot server is installed. Depot
information technology and developing appropriate servers can replicate files to other Depot servers
IT governance and control in a company. and download files to clients.

COSO See Committee of Sponsoring Domain A logical grouping of resources in a


Organizations of the Treadway Commission. network for the purpose of common management
and administration.

198 Certification Study Guide: IBM Tivoli Compliance Insight Manager V8.5
Enterprise Server A server that provides Gramm-Leach-Bliley Act An Act of the United
centralized log management, performs forensic States Congress that repealed the Glass-Steagall
searches of the GEM log archives, and creates Act, opening up competition among banks, security
reports. companies, and insurance companies. The
Glass-Steagall Act prohibited a bank from offering
Event: An observable occurrence in a system or network.

Event Source: Each operating system or application from which Tivoli Compliance Insight Manager collects log files (also called audit trails).

Extensible Markup Language (XML): A general-purpose markup language. It is classified as an extensible language because it allows its users to define their own tags. XML is recommended by the World Wide Web Consortium (W3C); the W3C recommendation specifies both the lexical grammar and the requirements for parsing.

File Transfer Protocol (FTP): Used to transfer data from one computer to another over the Internet or through a network.

Forensic Analysis: Used to follow up on security incidents and behavioral trends.

FTP: See File Transfer Protocol.

GEM: See Generic Event Module.

Generic Event Module (GEM) Databases: Reporting databases that contain the logs from different event sources.

Generic Scanning Language (GSL): A scripting language that enables you to describe the structure of, and label the attributes contained in, the log files of ubiquitous collection event sources. The GSL Toolkit eases the forensic analysis of log data by enabling you to define the attributes contained in the log data and to describe the structure of the log files.

Governance, Risk, and Compliance (GRC): An acronym often used by management in financial institutions to acknowledge the interdependencies of these three disciplines in setting policy.

... investment, commercial banking, and insurance services.

GRC: See Governance, Risk, and Compliance.

GSL: See Generic Scanning Language.

Health Insurance Portability and Accountability Act (HIPAA): The United States Health Insurance Portability and Accountability Act of 1996. There are two sections to the Act:
- HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs.
- HIPAA Title II includes an administrative simplification section which deals with the standardization of health care-related information systems. In the information technology industries, this section is what most people mean when they refer to HIPAA.
HIPAA establishes mandatory regulations that require extensive changes to the way that health providers conduct business.

HIPAA: See Health Insurance Portability and Accountability Act.

IETF: See Internet Engineering Task Force.

Incident: An adverse event in an information system or network, or the threat of the occurrence of such an event.

Information Quality Management: An information technology (IT) management discipline which encompasses the COBIT information criteria of efficiency, effectiveness, confidentiality, integrity, availability, compliance, and reliability. The idea is for companies to reduce the risks of using a program in order to protect private and sensitive information.
Information Systems Audit and Control Association (ISACA): An international association for the support and improvement of professionals whose jobs involve the auditing of corporate and system controls.

Information Technology Governance: A subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. The rising interest in IT governance is partly due to compliance initiatives (for example, Sarbanes-Oxley (USA) and Basel II (Europe)), as well as the acknowledgement that IT projects can easily get out of control and profoundly affect the performance of an organization.

International Compliance: The International Organization for Standardization (ISO) produces international standards such as ISO 27002.

Internet Engineering Task Force (IETF): Develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standards bodies, dealing in particular with the standards of the TCP/IP and Internet protocol suite.

ISACA: See Information Systems Audit and Control Association.

ISO: Name generally applied to quality system standards published by the International Organization for Standardization. ISO certification is provided, on a fee basis, by third-party assessors or registrars through an on-site, in-depth audit to determine that a company's quality system meets the requirements of the standard.

ISO 27002: See ISO/IEC 17799.

ISO/IEC 17799: An information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it in line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

IT Governance Institute (ITGI): Exists to assist enterprise leaders in their responsibility to ensure that IT goals align with those of the business, that IT delivers value, that its performance is measured, that its resources are properly allocated, and that its risks are mitigated. Through original research, symposia, and electronic resources, the ITGI helps ensure that boards and executive management have the tools and information they need for IT to deliver against expectations.

iView: The Tivoli Compliance Insight Manager Web user interface for compliance reporting.

JAAS: See Java Authentication and Authorization Service.

Java Authentication and Authorization Service (JAAS): A set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.

Log Chunk: The set of events placed in the Depot by the collect mechanism.

Log Collection Event: Each instance of collecting an audit trail, or log chunk, from an audited machine is called a log collection event.
Log Continuity Report: Tivoli Compliance Insight Manager report that documents log continuity status.

Log Manager: The Tivoli Compliance Insight Manager centralized log collection, management, and reporting interface. The Log Manager is only available on the Enterprise Server.

Logs and Audit Trails: The system records that document all activity that occurred on the audited machine.

Management Console: Enables you to load data into the databases, add new audited machines and event sources, configure collection and reporting schedules, and add and configure users.

Metadata: Information about a particular data set that might describe, for example, how, when, and by whom it was received, created, accessed, or modified, and how it is formatted. Some metadata, such as file dates and sizes, can easily be seen by users; other metadata can be hidden or embedded and unavailable to computer users who are not technically adept. Metadata is generally not reproduced in full form when a document is printed.

National Institute of Standards and Technology (NIST): A unit of the US Commerce Department. Formerly known as the National Bureau of Standards, NIST promotes and maintains measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.

NIST: See National Institute of Standards and Technology.

Normalization: The process of standardizing log data by describing them in a single, uniform language.

Payment Card Industry Data Security Standard (PCI DSS): Developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking, and various other security issues. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or it risks losing the ability to process credit card payments.

PCI DSS: See Payment Card Industry Data Security Standard.

Point of Presence: The server where the Actuator is installed is referred to as a Point of Presence (PoP).

Policy: A set of one or more compliance queries used to demonstrate the level of adherence to specific security requirements.

Policy Bundle: A file containing the information associated with a policy, such as the compliance queries, the collectors, and the associated schedules. A policy bundle permits the policy to be saved and subsequently applied to other servers.

Policy Exceptions: Actions or network activity that violate company policy.

Policy Generator: Tivoli Compliance Insight Manager tool that can be used to create policies using existing logs to set a baseline for acceptable network activity.

Policy Rules: A Tivoli Compliance Insight Manager tool that helps a user to automatically generate a set of policy rules or extend an existing policy rule set.

PoP: See Point of Presence.

Proxy Relay: A special pull client that acts as a relay between the server and one or more clients. A proxy relay is used to reach a limited number of clients that are located behind a firewall, or that are in an IP-address range that is not directly addressable by the server.
Proxy Server: A server that acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server is associated with or part of a gateway server that separates the enterprise network from the outside network and a firewall server that protects the enterprise network from outside intrusion.

Pull Client: A client that permits communication with the server to be initiated only by the server.

Push Client: A client that permits communication with the server to be initiated by either the client or the server.

PuTTY: A free software SSH, Telnet, rlogin, and raw TCP client. It was originally available only for Windows, but is now also available on various UNIX platforms.

Regulatory Compliance: Refers to systems or departments at corporations and public agencies that ensure that personnel are aware of, and take steps to comply with, relevant laws and regulations.

Remote Collect: Agentless log collection facilitated by SSH, or by NetBIOS for Windows.

Risk: The product of the level of threat with the level of vulnerability. It establishes the likelihood of a successful attack.

Risk Assessment: The process by which risks are identified and the impact of those risks determined.

Risk Management: In a broad sense, to assess, minimize, and prevent negative consequences posed by a potential threat. The term risk management has significantly different meanings that can affect Data Governance programs. At an enterprise level, risk refers to many types of risk (operational, financial, compliance, and so on); managing risk is a key responsibility of Corporate Boards and Executive Teams. Within financial institutions (or in the context of a GRC program), risk management might be a boundary-spanning department that focuses on risk to investments, loans, or mortgages. At a project level, risk management is an effort that should be undertaken as part of project management, focusing on risks to the successful completion of the project. From a compliance/auditing/controls perspective, risk assessments and risk management are high-effort activities included in the COSO and COBIT frameworks and required by Sarbanes-Oxley and other compliance efforts. Data governance programs might be asked to support any of these risk management efforts, and might need input from these efforts to resolve data-related issues.

Role Based Access Control: Assigns users to roles based on their organizational functions and determines authorization based on those roles.
Sarbanes-Oxley Act (SOX): Legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation's electronic records. The Act's record-retention provision (Section 802) requires that audit and review workpapers, including the related electronic records, be retained for not less than five years. The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.

Scoping: Enables you to define limited access for certain users or for certain groups of users.

Secure Shell (SSH): A network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and, if necessary, to allow the remote computer to authenticate the user.

Security Audit: A systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices. Security audits are often used to determine regulatory compliance, in the wake of legislation (such as HIPAA, the Sarbanes-Oxley Act, and the California Security Breach Information Act) that specifies how organizations must deal with information.

Security Controls: Individual security requirements that are categorized into security-related areas. Organizations must demonstrate the implementation of the security controls through a formal audit process to achieve the respective certification required.

Sensitive Data: Data that is private, personal, or proprietary and must be protected from unauthorized access.

Sensitive Information: As defined by the US federal government, any unclassified information that, if compromised, could adversely affect the national interest or the conduct of federal initiatives.

Server: A system where audit data is collected and investigated using Tivoli Compliance Insight Manager.

Shell: A UNIX term for the interactive user interface with an operating system. The shell is the layer of programming that understands and executes the commands a user enters. In some systems, the shell is called a command interpreter.

Simple Mail Transfer Protocol (SMTP): The de facto standard for e-mail transmission across the Internet.
Simple Network Management Protocol (SNMP): Defined by the Internet Engineering Task Force (IETF). SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention.

SMTP: See Simple Mail Transfer Protocol.

Snapshot: The result of running all of the compliance queries in a policy against a set of clients. A snapshot shows the number of violations and indicates which clients are not adhering to the security requirements being tested by the compliance queries.

SNMP: See Simple Network Management Protocol.

SOX: See Sarbanes-Oxley Act.

Special Attentions: Actions or network activities that do not violate company policy but are suspicious and require additional attention.

SSH: See Secure Shell.

Standard Server: The Tivoli Compliance Insight Manager server that collects, archives, and normalizes log data and generates reports.

Syslog: Often used for both the actual syslog protocol and the application or library sending syslog messages. Syslog is typically used for computer system management and security auditing.

Target System: A system from which Tivoli Compliance Insight Manager receives access to the audit data.

Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.

Threat Assessment: The identification of the types of threats that an organization might be exposed to.

Tivoli Compliance Insight Manager Cluster: The combination of an Enterprise Server, one or more Standard Servers, and a collector in a network deployment.

Tivoli Compliance Insight Manager Server: A generic term referring to the Tivoli Compliance Insight Manager engine that collects and normalizes log data using the W7 methodology. There are two types of Tivoli Compliance Insight Manager servers: Enterprise and Standard.

Tivoli Compliance Insight Manager Suite: Refers to the entire Tivoli Compliance Insight Manager application. This includes the Tivoli Compliance Insight Manager server, Point of Presence, Analysis Engine, Web Portal, iView, Log Manager, and the Compliance Modules.

Tivoli Compliance Insight Manager Web Portal: The Tivoli Compliance Insight Manager single sign-on interface that provides access to iView, the Policy Generator, Log Manager (only on the Enterprise Server), Scoping, and the Compliance Modules.

UTF-8: See 8-bit UCS/Unicode Transformation Format.

Vulnerability: A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

W7 Attributes: The following list shows the basic W7 attributes:
1. Who: Which user or application initiated the event?
2. What: What kind of action does the event represent?
3. When: When did the event occur?
4. Where: On which system did the event happen?
5. OnWhat: What was the object (file, database, printer) involved?
6. WhereFrom: From which system did the event originate?
7. WhereTo: Which system is the target or destination of the event?
W7 Methodology: The Tivoli Compliance Insight Manager patent-pending normalization methodology, which translates log files into an English-based language of who, what, on what, when, where, where from, and where to.

World Wide Web Consortium (W3C): The main international standards organization for the World Wide Web (W3).

XML: See Extensible Markup Language.
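The Normalization, W7 Attributes, W7 Methodology, Policy, Policy Exceptions, Special Attentions, and Snapshot entries above together describe one pipeline: raw audit-trail lines are mapped onto the seven W7 attributes, and a policy (a set of compliance queries) is then run over the normalized events to produce a snapshot of violations. The Python script below is an added illustration of that pipeline written for this page; it is not IBM's W7 implementation, Tivoli Compliance Insight Manager code, or GSL. The four log lines, the two address ranges, the action vocabulary (Logon Success, Logon Failure, Privilege Escalation), and the three rules are constructed assumptions chosen for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample audit trail (not real data): two UNIX syslog event sources
# (sshd, sudo) and one simplified Windows-style logon record.
SAMPLE_LOG = """\
Mar  3 10:15:01 fileserv01 sshd[4122]: Accepted publickey for alice from 10.0.5.20 port 51022 ssh2
Mar  3 10:15:09 fileserv01 sshd[4130]: Failed password for root from 203.0.113.7 port 40211 ssh2
Mar  3 10:16:42 fileserv01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
2008-09-01T10:17:03 WIN-DC01 EventID=4624 LogonType=3 Account=bob Workstation=10.0.5.33 Target=WIN-DC01/finance
"""

# Assumed address ranges referenced by the policy below.
ADMIN_NET = ipaddress.ip_network("10.0.5.0/24")     # where administrators are expected to log on from
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # the internal address space

@dataclass(frozen=True)
class W7Event:
    """One normalized event, one field per W7 attribute."""
    who: str         # user or application that initiated the event
    what: str        # kind of action, in the normalized vocabulary
    when: str        # timestamp as written by the event source
    where: str       # system on which the event happened
    on_what: str     # object involved (file, share, service, command)
    where_from: str  # system the event originated from
    where_to: str    # target or destination system

# One structure description per event source (the role GSL plays in the product).
SYSLOG_TS = r"(?P<when>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(
    SYSLOG_TS + r" (?P<where>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<who>\S+) from (?P<where_from>\S+) port \d+")
SUDO_RE = re.compile(
    SYSLOG_TS + r" (?P<where>\S+) sudo:\s+(?P<who>\S+) : .*?USER=\S+ ; COMMAND=(?P<on_what>.+)$")
WIN_LOGON_RE = re.compile(
    r"(?P<when>\S+) (?P<where>\S+) EventID=4624 LogonType=\d+ Account=(?P<who>\S+) "
    r"Workstation=(?P<where_from>\S+) Target=(?P<on_what>\S+)$")

def normalize_line(line: str) -> Optional[W7Event]:
    """Map one raw log line onto the W7 attributes; None if no description matches."""
    m = SSHD_RE.match(line)
    if m:
        what = "Logon Success" if m["result"] == "Accepted" else "Logon Failure"
        return W7Event(who=m["who"], what=what, when=m["when"], where=m["where"],
                       on_what="sshd", where_from=m["where_from"], where_to=m["where"])
    m = SUDO_RE.match(line)
    if m:
        # sudo runs locally: origin and destination are the audited host itself
        return W7Event(who=m["who"], what="Privilege Escalation", when=m["when"], where=m["where"],
                       on_what=m["on_what"].strip(), where_from=m["where"], where_to=m["where"])
    m = WIN_LOGON_RE.match(line)
    if m:
        return W7Event(who=m["who"], what="Logon Success", when=m["when"], where=m["where"],
                       on_what=m["on_what"], where_from=m["where_from"], where_to=m["where"])
    return None

def normalize_log(text: str) -> List[W7Event]:
    """Normalize a whole log chunk, skipping lines that no description matches."""
    events = (normalize_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str  # "exception": violates policy; "attention": suspicious, not a violation
    matches: Callable[[W7Event], bool]

def outside(net: ipaddress.IPv4Network, addr: str) -> bool:
    """True if addr is an IP address that is not inside net; hostnames are never flagged."""
    try:
        return ipaddress.ip_address(addr) not in net
    except ValueError:
        return False

POLICY: List[Rule] = [
    Rule("root logon attempt from outside the admin network", "exception",
         lambda e: e.who == "root" and e.what.startswith("Logon") and outside(ADMIN_NET, e.where_from)),
    Rule("privileged access to the credential store", "exception",
         lambda e: e.what == "Privilege Escalation" and "/etc/shadow" in e.on_what),
    Rule("activity originating outside the corporate address space", "attention",
         lambda e: outside(CORPORATE_NET, e.where_from)),
]

def snapshot(events: List[W7Event], rules: List[Rule] = POLICY) -> Dict[str, Dict[str, int]]:
    """Run every compliance query in the policy over the events and count the hits per query."""
    result: Dict[str, Dict[str, int]] = {"exception": {}, "attention": {}}
    for rule in rules:
        result[rule.kind][rule.name] = sum(1 for e in events if rule.matches(e))
    return result

if __name__ == "__main__":
    evts = normalize_log(SAMPLE_LOG)
    for e in evts:
        print(e)
    print(snapshot(evts))
```

The point of the W7 step is that the rules are written once against who/what/where-from and apply equally to the sshd and the Windows records, even though the raw formats share nothing. Note that `outside()` refuses to flag a hostname, so an event source that logs names instead of addresses silently escapes the address-based rules; in practice the policy would need a second rule on the hostname, or the event source would have to be configured to log addresses.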
Related publications

The publications listed in this section are considered particularly suitable for a more detailed discussion of the topics covered in this book.

IBM Redbooks

For information about ordering these publications, see "How to get Redbooks" below. Note that some of the documents referenced here may be available in softcopy only.
- Compliance Management Design Guide with IBM Tivoli Compliance Insight Manager, SG24-7530
- Deployment Guide Series: IBM Tivoli Compliance Insight Manager, SG24-7531

Other publications

These publications are also relevant as further information sources:
- IBM Tivoli Compliance Insight Manager Basel II Management Module Installation Guide, GC23-6583
- IBM Tivoli Compliance Insight Manager FISMA Management Module Installation Guide, GI11-8708
- IBM Tivoli Compliance Insight Manager GLBA Management Module Installation Guide, GC23-6584
- IBM Tivoli Compliance Insight Manager HIPAA Management Module Installation Guide, GC23-6585
- IBM Tivoli Compliance Insight Manager Installation Guide, GC23-6580
- IBM Tivoli Compliance Insight Manager ISO 27001 Management Module Installation Guide, GC23-6588
- IBM Tivoli Compliance Insight Manager PCI-DSS Management Module Installation Guide, GC23-6589
- IBM Tivoli Compliance Insight Manager Sarbanes-Oxley Management Module Installation Guide, GC23-6587
- IBM Tivoli Compliance Insight Manager User Guide, GC23-6581
- IBM Tivoli Compliance Insight Manager User Reference Guide, GC23-6582

Online resources

These Web sites are also relevant as further information sources:
- Demonstration of Tivoli Compliance Insight Manager on the IBM Democenter Web site:
  http://demos.dfw.ibm.com/on_demand/Demo/IBM_Demo_Tivoli_Compliance_Insight_Manager-May07.html
- Official IBM Tivoli product documentation for Compliance Insight Manager Version 8.5:
  http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itcim.doc/welcome.htm
- Official IBM Tivoli product Web site for Compliance Insight Manager:
  http://www.ibm.com/software/tivoli/products/compliance-insight-mgr/
- Tivoli security compliance forum on IBM developerWorks:
  http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1256

How to get Redbooks

You can search for, view, or download Redbooks, Redpapers, Technotes, draft publications and Additional materials, as well as order hardcopy Redbooks, at this Web site:
ibm.com/redbooks

Help from IBM

IBM Support and downloads: ibm.com/support

IBM Global Services: ibm.com/services
Back cover

This IBM Redbooks publication is a study guide for IBM Tivoli Compliance Insight Manager Version 8.5 and is meant for those who want to achieve IBM Certifications for this specific product.

The IBM Tivoli Compliance Insight Manager Certification, offered through the Professional Certification Program from IBM, is designed to validate the skills required of technical professionals who work in the implementation of the IBM Tivoli Compliance Insight Manager Version 8.5 product.

This book provides a combination of theory and practical experience needed for a general understanding of the subject matter. It also provides sample questions that will help in the evaluation of personal progress and provide familiarity with the types of questions that will be encountered in the exam.

This publication does not replace practical experience, and it is not designed to be a stand-alone guide for any subject. Instead, it is an effective tool that, when combined with education activities and experience, can be a very useful preparation guide for the exam.

For more information: ibm.com/redbooks

SG24-7664-00, ISBN 0738431621