Filter
Top Products
Chapter 6. Compliance subsystem implementation 153
The user password settings on the client workstation have to be following the
policy, which means that the password must be at least eight characters in
length and it must be renewed at least every 90 days.
The appropriate operating system service pack level must be installed, which
is Service Pack 4 for Windows 2000 and Service Pack 2 for Windows XP.
Appropriate hotfixes must be applied. As an example we use the KB896423
and KB893756 hotfixes.
The personal firewall must be running. We have used a ZoneAlarm personal
firewall as the example. However, the rules can be easily modified to support
other types as well.
In the sections below we describe the detailed processes of creating these
policies. But first we want to introduce the posture collectors in more details.
6.2.1 Posture collectors
A posture collector collects compliance data the same way as a regular data
collector. In most cases, one of the regular data collectors is included as part of
the posture collector and the compliance data gathered is stored in the same
database tables as the data collector. Posture collectors can be added to clients
and client groups like regular collectors, and can run on an assigned schedule
and return the collected data back to the Tivoli Security Compliance Manager
server. Queries, reports, and policies can be defined and run to verify
compliance using the data collected.
However, posture collectors differ from regular collectors in a number of
substantial ways. First, posture collectors run automatically when the client is
started or restarted. The information that is collected by the posture collectors is
cached on the client system and can be used by the
com.ibm.scm.nac.posture.PolicyCollector collector (or policy collector, for short)
running on the client to make a security posture policy decision without
contacting the Tivoli Security Compliance Manager server. The policy collector
can run the posture collectors at any time to obtain the latest compliance data.
Posture collectors also store posture information in an additional database table
on the server, which indicates the security posture status of the client.
Posture items and posture elements
Every time a posture collector is run, a basic object called a posture item is
created and cached. Each posture item consists of one or more posture
elements that reflect the status of the data collection activity and the security
posture checks performed by the posture collector. The PolicyCollector running
on the client can directly access the posture items associated with the posture
collectors and uses this information to make a security posture determination.