
IBM Tivoli and Cisco User Manual


Chapter 3. Component structure


remediation object should also be provided. Details of the policy creation and
deployment process are discussed here:

Remediation object creation and publishing (1a)

A remediation object that can remediate violations must be provided. The
naming and creation of these objects is dependent on the corresponding
Security Compliance Manager posture collectors and certain naming
conventions. For example, posture collectors that check for hotfixes will have
a different name mapping than those that check for local system settings, and
the remediation objects that will be created for these collectors must take this
name mapping into account. Details on naming conventions and the creation
and publishing of remediation objects are provided in 8.2.4, “Installation of the
Software Package Utilities” on page 394.

Compliance policy creation (1b)

A compliance policy must be created or updated on the Security Compliance
Manager server. The policy may include:

– Posture collectors of appropriate types to detect violations

– The collectors’ parameters, which must be configured with the values that
will be checked against when making compliance decisions

– Information specific to the remediation object that will remediate violations
when detected as noted in step 1a

– Other attributes that are used to support automated remediation

Each policy must include a policy collector, which must have its collector
parameters updated for Policy_Version. The new value must be noted for
entry in the ACS policy.

Be aware that only a single policy containing the policy collector can be
deployed to a client. You can define multiple Security Compliance Manager
policies, each with a policy collector instance, but you should never assign
more than one of these policies to a group (and thus a client).
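
The two constraints above (one policy-collector policy per group, and a Policy_Version value that is carried into the ACS policy) can be checked before deployment. The following is an added example, not code from the manual or from Security Compliance Manager; the dictionary layout, the policy and group names, and the version strings are all constructed, and the check assumes the ACS policy is meant to hold the same Policy_Version string as the deployed policy.

```python
# Added example: lint policy-to-group assignments before deployment.
# The dict layout and every name/value below are constructed; this is not
# a Security Compliance Manager export format or API.

# policy name -> Policy_Version parameter of that policy's policy collector
POLICIES = {
    "NAC_Policy_A": "2.0",
    "NAC_Policy_B": "1.0",
}

# client group -> policies assigned to that group
GROUP_ASSIGNMENTS = {
    "Sales": ["NAC_Policy_A"],
    "Engineering": ["NAC_Policy_A", "NAC_Policy_B"],  # two policy collectors
    "Lab": ["NAC_Policy_B"],                          # stale Policy_Version
}

# Value noted for entry in the ACS policy (constructed)
ACS_POLICY_VERSION = "2.0"


def check_assignments(policies, assignments, acs_version):
    """Return {group: [problem, ...]} for every group that fails a check."""
    problems = {}
    for group, names in assignments.items():
        found = []
        unknown = sorted(n for n in names if n not in policies)
        if unknown:
            found.append("unknown policy: " + ", ".join(unknown))
        known = sorted(n for n in names if n in policies)
        if len(known) > 1:
            # Only a single policy containing the policy collector may reach a client.
            found.append("more than one policy with a policy collector: "
                         + ", ".join(known))
        elif len(known) == 1 and policies[known[0]] != acs_version:
            found.append(f"{known[0]} has Policy_Version {policies[known[0]]}, "
                         f"ACS policy expects {acs_version}")
        if found:
            problems[group] = found
    return problems


if __name__ == "__main__":
    report = check_assignments(POLICIES, GROUP_ASSIGNMENTS, ACS_POLICY_VERSION)
    for group, found in report.items():
        for problem in found:
            print(f"{group}: {problem}")
```
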

Policy deployment (1c)

Security Compliance Manager provides a means to deploy the policy file to
the client, which requires that the client has direct access to the Security
Compliance Manager server. Whenever a client is in communication with the
server, the appropriate policy updates are automatically downloaded to the
client. Our reference architecture provides for the Security Compliance
Manager client to be in contact with the Security Compliance Manager Server
regardless of whether it is being quarantined, which will allow quarantined
clients to download required policy updates using the standard Security
Compliance Manager method.