IBM: Test 937: IBM Tivoli Compliance Insight Manager V8.5 Implementation

Professional Certification
About the program
About the member site
Certifications
	By product
	Test information
	Updates and revisions
Policy
Process
News
Contact

Related links
	Member site sign in
	Mastery tests
	Training
	Linux certification
	Business Partner Training and certification
	IBM Press
	CEIS

Professional certification

Certifications

Test information

	Test 937: IBM Tivoli Compliance Insight Manager V8.5 Implementation

Overview

Objectives

alt="" height="1" width="30"

Test Preparation

Section 1: Planning

Given the customer reporting needs, determine which report requirements can be supported by TCIM so that a reporting plan can be established for the implementation.

Identify the customer report needs.
Analyze the reports requested by the customer.
Determine which of these reports can be generated by TCIM.
Categorize the reports per platform.
Deliver a list of reports that can be produced.
Discuss with the customer how the reports should be distributed – per platform, per department, with or without scoping.

Given the customer report needs, review the requirements and assess which event sources will be required so that you can deliver a list of event sources needed for the TCIM environment.

Review the reporting requirements determined during the assessment of the customer reporting needs.
Assess which event sources will be required to support the reporting requirements.
Deliver a list of event sources that need to be deployed.

Given the list of event sources needed to support the customer reporting needs, determine the best collection option for each event source so that you identify the appropriate collection method for each event source.

Review the list of event sources determined during the assessment of the customer reporting needs.
Discuss the collection options for each event source with the customer.
Discuss the advantages and disadvantages of each collection mechanism (per event source).
Assess the number of events per second to determine appropriate collection method for SNMP and syslog event sources.
Determine the best collection option for each event source based on the customer feedback.

Given each target platform and the specific procedures, determine and configure the audit settings so that the desired events can be logged and ready for collection.

Identify the Event Source.
Identify the audit setting configuration procedure for the particular target platform.
Specify audit events desired from target platform based on the customer reporting needs.
Specify audit settings for desired platform.
Assess impact of desired settings.
Configure audit settings for desired platform.
Enable auditing on desired platform.
Verify desired events are being logged.

Given hardware and software prerequisites, verify processors' speed, the RAM and hard disk space amounts, available ports and hard disk space partitions so that it is determined that the system meets prerequisites and server is ready to be configured for IBM Tivoli Compliance Insight Manager.

Verify the required hardware and software is available.
Determine the rate of flow of collected data.
Verify CD-ROM drive is available on all TCIM Servers included in installation.
Verify servers and production network are available.
Verify TCP/IP connectivity between monitored servers and TCIM Standard Server(s) is ensured.
Identify the ports to be used by the installation.

Verify that SSH is utilized.
Verify that your server’s hard drives are partitioned in a RAID level 5 configuration.
Determine the appropriate hard disk space for the servers and Point of Presences, depending on the amount of daily log data that you collect for your monitored platforms and applications.
Determine the appropriate hard disk space on the audited machines to support the expected audit volume.

Given the event sources, processors, audited logs, hard drive partitions, memory, GEM databases and delivered reports, determine the number of servers required so that IBM Tivoli Compliance Insight Manager can be implemented.

Define What Platform types will be audited.
Define Number of Machines Per each Platform type will be audited
Determine the size of the audit files to be collected at a given rate for each Target Platform.
Determine the number of event sources the environment will handle.
Determine the number of GEM databases that will support the reporting requirements.
Determine the amount of events that will be generated by syslog.

Given the main components of IBM Tivoli Compliance Insight Manager, describe the purpose of the components so that key components are identified.

Describe the purpose of the standard server.
Describe the purpose of the management console.
Describe the purpose of the Web portal.

Describe the purpose of the enterprise server.
Describe the actuator.

Given the collection, load, and restart schedules, plan the scheduled tasks so that continuity and completeness of data is maintained.

Determine when the restart task should take place.
Determine when the collects should take place.
Determine when the loads should take place.
Determine when the report distribution should take place.

Given the GEM database and W7 grammar, explain how event values are mapped to the GEM fields and categorized into W7 groups so that the W7 and GEM models are described.

List the W7 dimensions.
List the GEM fields.
Describe the relationship between the W7 grammar elements and the GEM fields.
Explain how the event values are mapped to the GEM fields.
Explain how event values are categorized into W7 groups.

Given TCIM policies, describe how policy exception and attention event are generated so that security rules are identified.

Describe with the W7 Model what would be an acceptable behavior of an event.
Describe how a policy exception is generated.
Describe how an attention event is generated.

Given an installed TCIM 8.0 or 7.0 environment create an implementation plan so that a TCIM upgrade can be performed.

Ensure that you have a backup of your current installation of TCIM.
Document the current environment.

Define rollback plan.
Choose which server will be designated as the security server.
Determine which TCIM servers and components to upgrade.
Determine the order of components to upgrade.
Ensure there is enough hard disk space for the upgrade.
Ensure media has been acquired or downloaded.
Acquire latest patches.

Section 2: Installation

Given the installation media and a Windows 2003 server, install the database engine, directory server, and standard server, so that a TCIM security server is defined for centralized user management.

Log in to the Windows server as a user with administrative privileges.
Verify system prerequisites have been met.
Install the middleware.
Install the standard server.
Apply current patches and platform updates.
Verify the installation.

Given the installation media and a Windows 2003 server, install a standard server, so that audit trails can be collected.

Log in to the Windows server as a user with administrative privileges.
Verify system prerequisites have been met.
Install the middleware.

Install the standard server.
Apply current patches and platform updates.
Verify the installation.

Given the installation media and a Windows 2003 server, install an enterprise server, so that a TCIM cluster is defined.

Log in to the Windows server as a user with administrative privileges.
Verify system prerequisites have been met.
Install middleware.

Install the enterprise server.
Apply current patches and platform updates.
Verify the installation.
Subscribe servers to the cluster.

Given the installation media, upgrade a standard server to an enterprise server so that a TCIM cluster can be defined.

Identify the standard server to be upgraded.
Launch the server installation
Perform a custom setup.
Choose the enterprise components.
Complete the installation.
Subscribe servers to the cluster.

Given the TCIM hotfix code on Windows platform, apply the hotfix so that TCIM is updated to the desired level.

Verify the current hotfix level is installed.
Apply hotfix.
Verify the hotfix has been successfully applied.

Given the TCIM hotfix code on the UNIX platform, apply the hotfix to the current environment so that the TCIM is updated to the desired level.

Apply hotfix.
Verify the hotfix has been successfully applied.

Given a running TCIM installation, verify the ability to log in, and that key processes and services are running so that the successful installation is confirmed.

Verify you are able to log in to the Management Console and TCIM Web applications.
Verify that all TCIM services started after successful installation.
Review the installation log files.
Verify the TCIM directory structure has been created.
Verify the main processes are running.

Given Compliance report media, verify the execution of the compliance setup program so that the compliance module is installed in the iView application.

Verify Compliance Reports Media and size.
Verify the available space.
Copy the compliance reports setup to a temporary directory.
Run set up.
Verify successful installation.
Delete the compliance reports setup from the temporary directory.

Given the actuator code and cfg file, install the actuator code on a supported platform so that an actuator is installed and ready to collect audit trails.

Log in to the server where the Point of Presence is to be installed.
Mount the agent installation media.
Launch the agent setup program.
Install the agent code.
Provide the agent cfg file to establish the Point of Presence to server configuration.
Verify the installation.

Given the management console and properly configured actuator and target machine, use the add machine process so that the actuator code is remotely installed.

Verify what other applications running on the target system that may interfere with the installation.
Launch the management console.
Add a new machine.
Select the system type.
Select the machine or machines to be audited.
Select local for the point of presence.
Define the communication port.
Select automatic for the installation type.
Enter the NetBios name for the machine or machines.
Enter the operating system credentials for the actuator service.
Enter the operating system credentials to be used to complete the installation.
Define the event source or sources to be audited.
Complete the add machine process.

Given an installed TCIM 8.0 or earlier Standard Server perform the upgrade so that TCIM 8.5 and all of its components are functional.

Identify components to be upgraded.
Log in to the windows server using account with administrative privileges.
Verify that prerequisites have been met.
If using a central user information store, install a security server.
Upgrade the Enterprise Server (if present).
Upgrade all Standard Servers
Register Standard Servers with Enterprise Server.
Upgrade the Point of Presences.
Verify the upgrade was successful.

Section 3: Configuration

Given the security compliance reporting requirements for a specific audit platform, configure the audit subsystem so that the collected security audit data can be used to generate the required security compliance reports.

Translate the Security Compliance reporting requirements to the required Audit Setting Configurations on the target platform.
Review the current audit settings on the target platform.
Apply changes to the current audit settings.
Verify that the audit settings changes have been committed.
Verify that the data collected (after committed the audit setting changes) meet the Security Compliance reporting requirements.

Given the management console, use the add machine process so that an audit trail is collected locally.

Launch the management console.
Add a new machine.
Select the system type.
Select the machine or machines to be audited.
Select local for the point of presence.
Define the communication port.
Select automatic or manual for the installation type.

Define the event source or sources to be audited.
Complete the add machine process.

Given a Windows target machine, configure the machine so that security audit logs can be successfully collected via remote collection mechanism.

Configure or verify the Windows Domain relationship required for the remote collection of the target machine from TCIM server (or Windows Actuator).
Configure or verify that the Windows Services and network settings on the target machine required for remote collection are properly configured.
Configure or verify that the Windows Services and network settings on the TCIM server (or Windows Actuator) required for remote collection are properly configured.
Configure or verify that the TCP/IP connectivity between TCIM server (or Windows Actuator) and the target windows machine required for remote collection are enabled.
Configure or verify that the TCIM Server (or Windows Actuator) service run account has security privileges to perform a successful remote of the security log data from the target machine.
Add the remote collect windows target machine to the management console.
Add the corresponding event sources to the remote collect windows target machine.
Configure the event source properties of the remote event sources in the management console.
Verify that the security log data from the Windows target can be successfully collected.

Determine the SSH daemon is running on the audited system.
Ensure PuTTY is installed on the point of presence.
Determine the authorization key pair to use.
Enable a user account on the audited system.
Create the user.

Test the communication between the point of presence and the audited machine.
Start the Add Machine wizard to add the audited system.
Ensure the collect is successful.

Given the network identity of the appliance, add the network appliance to the TCIM server so that security logs from the network appliance can be successfully collected.

Ensure that the communication path between the TCIM server (or Point of Presence) and the appliance allows unblocked transmission of the security events from the appliance.
Verify that appliance events are directed to TCIM.
Add the appliance as an audited machine to the TCIM server.
Verify that the security events from the appliance can be collected by the TCIM server.

Given a supported syslog ng environment and remote SSH collection is properly configured, configure the TCIM syslog collector so that the syslog events can be collected by TCIM.

Determine appropriate syslog collection method.

Configure the syslog collector and the designated Point of Presence for SSH collection
Ensure syslog message format meets requirements.
Add the appropriate event source to TCIM
Verify successful syslog message collection and mapping

Given the scripts, configurations, mapping definition files, collection and load processes, add an event source so that audit trails can be stored, mapped and loaded into GEM databases.

Open the management console
Select the Event Source View
Click Add Event Source
Select Machine from witch to collect from
Select the Event Source Type
Define the Event Source Properties
Define Collect Schedule
Select GEM for data loads
Define Load Schedule

Given the management console, use the add machine process so that a W7 log file is collected.

Define a process that takes the custom log file and converts it to the W7 Log modified format (CSV or XML).
Implement the log file conversion process.
Launch the management console.
Add a new machine.
Select the system type.
Select the machine or machines to be audited.
Select local for the point of presence.
Define the communication port.
Select automatic or manual for the installation type.

Define the event source as W7 Log (choosing the appropriate format of CSV or XML).
Define the event source properties.
Complete the add machine process.

Given the location information of a user and grouping store, configure the user information source to collect the user and grouping information from the store so that the user information source collects the user and grouping information.

Configure or verify that the TCIM server (or Windows Actuator) service run account has security privileges to perform a successful collection of the user and grouping information from the store.
Configure or verify that the user account (provided as part of User Information Source property) has security privileges to successfully collect the user and grouping information from the store.
Configure or verify that the Windows Services network settings are properly configured on the store for user and grouping information collection.
Configure or verify that the TCP/IP connectivity between TCIM server (or Windows Actuator) and the user and grouping store are enabled.
Configure or verify that the Windows Services network settings on the TCIM server (or Windows Actuator) required for user and grouping information collection are properly configured.
Add the User Information Source to the management console.
Configure the User Information Source properties in the management console.
Verify successful collection from the User Information Source.

Given the Attention rules, protocol, severity and recipient list, set an alert so that the alert communicates an attention rule to the recipient list.

Identify the Attention Rule ID to use in the alert.
Select the Alert Maintenance Icon in the Management Console.
Create the Alert using the Rule ID, Protocol, Recipient, Severity.
Verify the Alert are received or generated.

Given the management console, use the policy explorer and the company security to define a basic policy so that the customer reporting needs are met.

Determine which policies in the company security policy can be mapped to a TCIM security policy.
Launch the management console.
Open the policy explorer.
Duplicate the latest committed TCIM policy.
Edit the duplicate TCIM policy.
Define the appropriate W7 groups to support the company security policy.
Define the appropriate policy rules to support the company security policy.
Define the appropriate attention rules to support the company security policy.
Save and test the new TCIM policy.
Continue testing until the desired reporting needs are met.
Commit the new TCIM policy.

Given that scoping is required, assign assets so that access can be regulated.

Identify assets which require scoping.
Configure scoping for unassigned assets.

Given the list of reports needed to satisfy customer needs, determine which reports will require a custom solution so that the customer reporting needs are met.

Review the list of list of reports needed to satisfy customer needs.
Determine which reports can be satisfied by the standard reports.
Determine which reports will require a custom solution.
For each custom report requirement, determine the following criteria:

Use the report wizard or a text editor to create the custom report.

Given a set of GEM load schedules, configure the TCIM Automated Report Distribution manager such that the GEM database reports are successfully sent on-time to a corresponding set of recipients.

Configure the general setting for report distribution.
Determine a time-line at which GEM database load completes and the GEM reports become available for distribution.
Determine the schedule for setting up the report distribution for each GEM database.
Verify with a test report distribution task that the report can be sent successfully to a test recipient.
Add the Report Distribution tasks for each GEM database.
Verify that the reports are distributed to the correct set of recipients on-time.

Section 4: Performance Tuning and Problem Determination

Given TCIM activities, identify log files so that troubleshooting can take place for the TCIM solution.

Identify log file that shows a collection has been successful.
Identify log file that shows the progress of a load into a GEM database, as well as the archiving of them.
Identify log file that shows the progress of a connection to a remote host and to the TCIM server.
Identify log file that shows iView reporting errors.
Identify the log where the actuator run on the point of presence shows its collection activity.
Identify the schedule restart log and sub log of the processes it runs.
Identify the Management Console activities events and the log where they can be found.
Identify the Consolidation log file.
Identify the successful database mount and activity log.
Identify the Log Manager activity log.
Identify the log file where iView activity can be found.
Identify the log file where lost chunks will be shown if they have been transferred to the depot.
Identify the log file showing reports have been delivered by the Distribution scheduled task or error occurred.
Identify log file indicating authentication to the web portal application.
Identify log file where Policy Generator Activity is found.
Identify the application that collects most of the log files for troubleshooting.

Given a GEM database, investigate the set of activities taking place during the GEM load so that the basic stages of load are described.

Identify the type of the GEM database load.
Identify the different phases of the GEM load.
Identify the type of mapping used by the GEM database.
Determine the current stage of the load.
Determine whether any error occurred during the load, and in which phase of the load.
When an error occurs during any phase of the load, determine the set of log files that need to be preserved for further investigation.
Determine the duration of each phase of the load.
Determine whether the load has completed at any point in time, and the total duration of the load.

Given the verification of possible failures, troubleshoot the logon failure so that successful logon is achieved.

Verify TCIM services are running.
Verify database and directory services are running.
Verify correct user name and password are being used.
Verify the restart task.
Verify the recnotify.
Verify the blrec.

Given the log files and error message, apply standard problem determination techniques so that the problem can be resolved.

Identify the component that is failing (such as server, management console, web portal, and so on).
Determine the type of failure (login, connectivity, and so on).
Identify the log file needed to gather additional information on the failure.
Review the appropriate log file.
Correct the problem or call support.

Given a TCIM Server or a Windows Point of Presence, generate and deliver diagnostics such that the diagnostics is complete and is successfully delivered to the Support recipient.

Identify the TCIM Server or Windows Point of Presence where the diagnostics needs to be generated.
Ensure that there is enough disk space to store the diagnostics.
Determine under what situations a diagnostics file may be generated.
Locate the Windows program menu for Diagnostics generation and start up the Diagnostics generation task.
Choose the path where the Diagnostics file has to be generated.
Ensure that the diagnostics file has been generated.
Ensure that the diagnostics file is complete.
Deliver the diagnostics to the intended support recipient.
Verify that the support recipient has successfully received the diagnostics file.

Given the management console, test the connectivity, so that there is a successful connection to point of presence.

Right-click machine name.
Choose the properties option.
Click the Network Tab.
Click the Test IP and Port button.
Verify that message Port is listening appears.
Review log files to determine if there are any connections errors.

Given a set of report distribution schedules, troubleshoot the report generation and distribution process such that the reports are successfully generated and distributed to the designated user.

Identify the status message contained in the email sent by the distribution task.
Ensure that the report was successfully exported by the GEM database load process.
Ensure that the distribution schedule for the exported report was successful.
Ensure that the exported file format can successfully handle the amount of events exported to the report.

Section 5: Administration

Given the management console application, navigate through the different views so that you can perform the basic administration activities for audited machines.

Launch the management console.
Open the audited machine view or event source view.
Determine which machines are being audited.
Determine to which machine group each audited machine is assigned.
Add a new audited machine.
Determine which event sources are being collected for each audited machine.
Determine the audit settings applied to each event source.
Determine where the event sources are being collected (local or remote).
Add a new event source.
Determine the state of each point of presence.
Determine the last collection date and time.
Determine the collection schedule for an event source.
Configure the collection schedule for an event source.
View the basic settings for a point of presence.
Test the connection to a point of presence.
Generate a new password when the secure channel between the server and a point of presence is broken.
Add a user information source.

Given the management console application, navigate through the database view so that you can perform the basic administration activities for databases.

Launch the management console.
Open the database view.
Determine the load schedule for a database.
Determine the load status for a database.
Associate an event source with an existing database.
Add a new database.
Manually load a database.

Given the management console application, navigate to the alert panel so that you can perform the basic administration activities for alerts.

Launch the management console.
Open the alerts panel.
View or modify existing alerts.
Define a new alert.
Create an alert rule that is only triggered by the eventid of an attention rule.
Verify alerts are sent.

Given the management console application, navigate to the user management panel so that you can perform the basic administration activities for users.

Launch the management console.
Create or modify a user.
Assign appropriate roles to a user.
Define database access for a user.
Delete a user.

Given the management console application, navigate to the policy explorer so that you can perform the basic administration activities for policies.

Launch the management console.
Open the policy explorer
List the previously committed policies.
List the policies in draft mode.
Edit a draft policy.

Commit a draft policy.
Open a committed policy.
Create a new policy based on an existing policy.
View an automatic policy.

Given the TCIM Web portal and TCIM user account with access to iView, navigate iView so that the functionalities are described.

Access TCIM Portal
Access iView
Describe Compliance Dashboard

Describe GEM Summary

Describe Event Details

Execute a Standard report for a GEM
Execute a Regulatory Report for a GEM
Verify the groups on the loaded Data
Verify the applied Policy on the loaded Data
Verify the trends on the loaded data
Describe general iView settings.
Schedule reports to be delivered for a GEM

Given the TCIM Web portal and a TCIM user with access to log manager, navigate the log manager so that the log manager functionalities are described.

Access TCIM Portal.
Access Log Manager Application
Describe the Log Manager Dashboard
Describe the Collect History Status, including an explanation of how the collect status is determined.
Describe the Log Continuity Status
Describe History
Describe Continuity including an explanation of the CCRG scheduler and the underlying algorithm.
Describe Activity
Describe Investigate
Describe Retrieval

Given the TCIM Web portal and a TCIM user account with access to the policy generator, navigate the policy generator so that the policy generator functionalities are described.

Access TCIM Portal.
Access the Policy Generator Application
Define the name of the policy to generate.

Given the depot and collected chunks, perform an export so that collected audit trails are archived.

Verify disk space for export.
Determine export location.
Configure an export schedule based on the customer’s retention policy.
Verify that the export was successful.

Given the depot and archived chunks, perform an import so that archived audit trails are restored.

Determine when the requested data was archived.
Locate the appropriate archived data.
Import the appropriate archived data.
Verify the data was successfully imported.

Given a TCIM installation, verify the status of collects, loads, report generation and distribution, real time alerting so that the overall health of the TCIM installation environment is verified.

Verify that all services related to the TCIM server are running.
Determine the Audited machines involved in the TCIM installation.
Verify that collects are happening on schedule from all audited machines.
Verify that the collected data from the audited machines is complete and consistent.
Verify that the GEM loads are occurring regularly and the GEM loads complete successfully.
Verify that the data loaded in the GEM database is complete and consistent.
Verify that real time alerts (if configured) are sent out and the recipients have received it successfully.
Verify that the reports are generated by the GEM database.
Verify that the GEM database reports are distributed and received successfully by the intended recipients in a timely manner.
Verify that the GEM database reports are complete and consistent.

Test registration

Authorized Prometric test centers (worldwide testing)