Symantec Enterprise Security Manager User Guide. Version 10.0


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 10.0

Legal Notice

Copyright 2010 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, ActiveAdmin, BindView, bv-control, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party ("Third Party Programs"). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or the TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
  A range of support options that give you the flexibility to select the right amount of service for any size organization
  Telephone and Web-based support that provides rapid response and up-to-the-minute information
  Upgrade assurance that delivers automatic software upgrade protection
  Global support that is available 24 hours a day, 7 days a week
  Advanced features, including Account Management Services

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL:

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
  Product release level
  Hardware information
  Available memory, disk space, and NIC information
  Operating system
  Version and patch level
  Network topology
  Router, gateway, and IP address information
  Problem description:
    Error messages and log files
    Troubleshooting that was performed before contacting Symantec
    Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

Customer service

Customer service information is available at the following URL:

Customer Service is available to assist with the following types of issues:
  Questions regarding product licensing or serialization
  Product registration updates, such as address or name changes
  General product information (features, language availability, local dealers)
  Latest information about product updates and upgrades
  Information about upgrade assurance and maintenance contracts
  Information about the Symantec Buying Programs
  Advice about Symantec's technical support options
  Nontechnical presales questions
  Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
  Asia-Pacific and Japan
  Europe, Middle-East, and Africa
  North America and Latin America

Additional enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:
  Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
  Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
  Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.
  Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

Select your country or language from the site index.

Contents

Technical Support

Chapter 1 Introducing Symantec Enterprise Security Manager
  About Symantec Enterprise Security Manager
    About separating security duties
    About Symantec Enterprise Security Manager accounts and permissions
  Components of Symantec Enterprise Security Manager
    About the ESM console
    About Symantec ESM managers
    About Symantec ESM agents
  What you can do with Symantec Enterprise Security Manager
    About the policies
    About the snapshots
    About the templates
    About the modules
    About suppressions
    About Symantec Enterprise Security Manager Reporting
  How Symantec Enterprise Security Manager works
    About the Client Server Protocol
    About the domains
    About the security data
    How Symantec Enterprise Security Manager displays information

Chapter 2 Using the Symantec Enterprise Security Manager console
  Starting the ESM console
    Configuring the ESM console on Windows
    Accessing the ESM console
    About the console timeout configuration
    About changing the ESM console password
  Using the ESM console controls
    About the menu bar
    About the toolbar information
    About the enterprise tree
    Renaming the enterprise
    About the grid information
    About modifying the GUI options
    Configuring and editing the disclaimer
  Connecting to a manager
    Disconnecting an ESM manager
    About viewing the manager information
    About viewing the agent information
  About gathering security information
    About running security checks
    About evaluating your network security
    About scheduling routine security checks
    Using the Policy Run wizard
    About filtering report contents
    About creating and viewing reports

Chapter 3 Configuring Symantec Enterprise Security Manager
  About enterprise license management
    What you can do with enterprise licenses
    Types of enterprise licenses
    Installing a new license
    Distributing a license
    Revoking enterprise licenses
    Re-allocating enterprise licenses
    Redistributing an enterprise license
    How Symantec ESM stores the enterprise license information
    About updating the license information during upgrades
    Viewing the manager license information
  About configuring managers and regions
    About the regions
    Adding a region to the ESM console
    Renaming a region
    Deleting a region from the ESM console
    Adding a manager to the ESM console
    Adding a manager to a region
    Removing a manager from a region
    Deleting a manager from the ESM console
    Displaying a manager name
    Moving an installed manager
    About locking an SU level on the manager
    Configuring logging levels for the manager
  About configuring the agents and domains
    Creating a new domain
    Renaming a domain
    Duplicating a domain
    Deleting a domain
    Adding an agent to a domain
    Searching an agent
    Viewing agent information
    Deleting an agent from a manager
    Deleting an agent from a domain
    About moving ESM agents across managers
    Checking the status of agents
  About configuring the user accounts
    Adding new accounts
    Replicating a user account
    Deleting a manager account
    About modifying a manager account
    Disabling a manager account
    Changing the password on a manager account
    Setting the manager password configuration
    Changing the ESM console passwords
  Auditing Symantec Enterprise Security Manager events
  About updating Symantec Enterprise Security Manager
    Enabling and disabling LiveUpdate on agents
    Exporting a list of updatable or non-updatable agents
    Performing a LiveUpdate
    Creating domains for specific UNIX operating systems
    Performing a remote upgrade
    Checking remote agent upgrade status
    Exporting an agent list
  About agent recovery re-registration
    Exporting the Symantec ESM agent list
    Re-registering the ESM agents

Chapter 4 Managing policies, modules, and templates
  About the policies, modules, and templates
    About the policies
    About the modules
    About editing a module
  About managing the policies
    Creating a policy
    Renaming a policy
    Duplicating a policy
    Backing up a policy
    Restoring a policy
    Replicating a policy
    Maintaining the policies
    Updating the policy information
  About the policy tool
    Before using the policy tool
    About accessing the Policy tool
    About the Policy tool command line formatting
    About the Policy tool values
    About the Policy tool options
    About the Policy tool functions
  Performing policy runs
    Executing and scheduling a policy by using the Policy Run Wizard
    About executing a single module
    About executing multiple modules
    Limiting the number of messages
    Scheduling a policy run
    Editing a policy run schedule
    About manager pulling data
    About job throttling
    Sending completion notices by e-mail
    Sending notification messages
    Viewing the status of a policy run
    Querying Policy Runs
    Viewing scheduled policy run information
    Selecting agents randomly for a policy run
    Stopping a policy run
    Stopping policy runs at user-defined intervals
    Deleting a policy run
    Updating the policy run information
  About managing templates
    Creating a template
    Editing the template rows
    Copying a template
    Editing a template
    Editing sublists in a template
    Adding an item to a template
    Adding hierarchical items to a template
    Updating template information
    Deleting a template
    Removing unused templates
  About managing security checks
    Enabling and disabling security checks
    About specifying options for security checks
    About validating the security checks
    Editing name lists
    About Users and Groups name list precedence

Chapter 5 Viewing security data
  About viewing the summary and detailed data
    Retrieving summary data for regions and managers
    Updating summary data at the domain level
  About using the ESM console grid and chart
    Using the drill-down mode
    Using the summary mode
    Using the trend mode
    Setting the chart graphics
    About obtaining information on the messages
    Filtering the security data
    Using the grid functions
  Customizing the chart appearance
    Showing or hiding the chart legend
    Showing or hiding the series labels
    Selecting 2D or 3D chart graphics
    Selecting pie or bar chart graphics

Chapter 6 Using the command-line interface
  About the command-line interface conventions
    About the case-sensitive characters
    About the quotation marks
    About the short module names
    About the brackets
  About running the batch files
    Creating a batch file that specifies a policy: an example
    Creating a batch file that specifies name list entries: an example
    Creating a batch file to write a report to a file: an example
  Running the CLI interactively
    Accessing a manager using the command-line interface
    About navigating within the command-line interface
    About the command-line interface help
  About the Create command
    About the Create access command
    About the Create agent command
    About the Create domain command
    About the Create policy command
    About the Create suppression command
  About the Delete command
    About the Delete access command
    About the Delete agent command
    About the Delete domain command
    About the Delete job command
    About the Delete policy command
    About the Delete module command
    About the Delete suppression command
    About the Delete template command
  About the Grant/Revoke command
    Granting permissions on a policy: an example
    Revoking permissions on a policy: an example
    Granting permissions on a template: an example
    Revoking permissions on a template: an example
    Granting permissions on domains: an example
    Revoking permissions on domains: an example
    Granting advanced rights to user: an example
    Revoking advanced rights to user: an example
  About the Insert command
    About the Insert agent command
    About the Insert module command
    About the Insert name command
  About the Login command
  About the Logout command
  About the nexport agents command
  About the Ping command
  About the Query command
  About the Quit command
  About the Remove command
    About the Remove agent command
    About the Remove agtcache command
    About the Remove module command
    About the Remove name command
  About the Rename agent command
  About the Run command
  About the Set command
    About the Set access command
    About the Set agtdesc command
    About the Set config command
    About the Set dmnflag command
    About the Set dmndesc command
    About the Set luagent command
    About the Set password command
    About the Set proxy command
    About the Set variable command
    About the Set option command
  About the Show command
    About the Show access command
    About the Show agent command
    About the Show config command
    About the Show crc command
    About the Show domain command
    About the Show dmnflag command
    About the Show job command
    About the Show license command
    About the Show module command
    About the Show permission command
    About the Show policy command
    About the Show sumfinal command
    About the Show summary command
    About the Show variable command
    About the Show suppression command
    About the Show status command
    About the Show template command
    About the Show version command
  About the Shutdown command (UNIX only)
  About the Sleep command
  About the Status command
  About the Stop command
  About the Update snapshot command
  About the Upgrade agent command
  About the Version command
  About the View command
    About the View agent command
    About the View audit command
    About the View checks command
    About the View custom command
    About the View differences command
    About the View domain command
    About the View policy command
    About the View report command
    About the View summary command

Chapter 7 Generating and viewing the reports
  About the Symantec ESM reports
  Generating standard reports
    Generating a Security report
    Generating a Domain report
    Generating a Policy report
    Generating a Policy run report
    Generating a Template report
    Generating an Executive report
  Saving a report
  Opening a report
  Printing a report
  E-mailing a report
  Deleting a report
  Customizing a report
  About setting trend datapoints

Chapter 8 Conforming to the regulatory policies
  Securing the network
  About suppressing a Security report item
    Creating a suppression
    Editing a suppression
    Replicating a suppression
    Viewing a suppression
    Deleting a suppression
  Correcting a Security report item
  Reversing corrections to a Security report item
  Updating templates
  Updating snapshots

Chapter 9 Using the Symantec ESM utilities
  About the Symantec ESM utilities conventions
    About the case-sensitive entries
    About the quotation marks
    About the brackets
  About using the Policy tool
    Prerequisites for using the Policy tool
    About accessing the policy tool
    About formatting the Policy tool
    About the values for the Policy tool
    About the options for the Policy tool
    Examples of using the Policy tool
    About the Policy tool logs
  About the Assign New Permission utility
    Using the Assign New Permission utility
  About the Change Agent Case utility
    Using the Change Agent Case utility
  About using the Database Conversion tool
    Accessing the external database
    About the database file structure
    Prerequisites for using the Database Conversion tool
    Accessing the Database Conversion tool
    Formatting the Database Conversion tool
    About the options for the Database Conversion tool
    Creating a property file for the Database Conversion tool
    Using an encrypted password for the Database Conversion tool
    About the parameters for the Database Conversion tool
    Examples of using the Database Conversion tool
    View security data in the drill-down mode

Appendix A Finalizer log file
  About the Finalizer log file

Appendix B Format file syntax for View custom command
  Syntax rules
  Symantec ESM keywords
  Format file structure
    General directives
    Header definition directives
    Record definition directives
    Footer definition directives

Appendix C Symantec ESM summary databases
  About the summary databases
    Manager sumfinal database
    Local summary database
  Local summary database file structure
    Agents table
    AgentTrend table
    DatabaseInfo table
    DomainAgent table
    Domains table
    DomainTrend table
    LatestAgentPolicyRuns table
    Managers table
    ManagerTrend table
    MessageInstance table
    Messages table
    Modules table
    Policies table
    PolicyModule table
    PolicyRuns table
    PolicyTrend table
    RegionManager table
    Regions table
    RegionTrend table
  Managing the manager sumfinal database
  Synchronizing and purging the local summary database
  Querying the local summary database

Appendix D Symantec ESM environment variables
  Environment variables

Appendix E Symantec ESM communications
  About Symantec ESM communications security
  Symantec ESM communication ports

Appendix F Symantec ESM file structure
  About the directory and the file descriptions
    About /esm/
    About /esm/bin/
    About /esm/bin/ostype/
    About /esm/config/
    About /esm/config/manager.dat & manager.org
    About /esm/config/server.dat & server.org
    About /esm/config/tcp_port.dat & tcp_port.org
    About /esm/esm
    About /esm/esmdeinstall
    About /esm/esmrc
    About /esm/esmsetup
    About /esm/format/
    About /esm/output/
    About /esm/platform
    About /esm/register/
    About /esm/system/hostname/
    About /esm/system/hostname/db/
    About /esm/system/hostname/reports/
    About /esm/system/hostname/temp/
    About /esm/template
    About /esm/utility
    About /esm/words

Index

Chapter 1 Introducing Symantec Enterprise Security Manager

This chapter includes the following topics:
  About Symantec Enterprise Security Manager
  Components of Symantec Enterprise Security Manager
  What you can do with Symantec Enterprise Security Manager
  How Symantec Enterprise Security Manager works

About Symantec Enterprise Security Manager

Corporations handle large amounts of information in complex computer environments with multiple platforms and integrated networks. Client/server systems solve the challenge of accessing this information quickly and easily. However, client and server computers can leave sensitive data vulnerable to unauthorized access or modification. Organizations need to secure their data against unauthorized use while still providing easy access to authorized users on multiple platforms. They need a way to apply security policies, and then to monitor and enforce compliance throughout the enterprise network.

Symantec provides the solution to security policy management with Symantec Enterprise Security Manager (ESM). Symantec ESM manages sensitive data and enforces security policies across the following client and server platforms:
  Windows
  UNIX

Symantec ESM administers and enforces the policies and procedures that your organization establishes to control access to secured areas. Symantec ESM identifies potential security risks and recommends actions to resolve potential breaches in security. After the potential breaches are resolved, Symantec ESM delivers frequent updates to ensure protection against new threats. Symantec ESM has a broad reporting capability to keep you informed of the security status of the network. Symantec ESM supports the goals of confidentiality, integrity, and availability of secured information for your organization.

The primary functions of Symantec ESM are as follows:
  Manage security policies.
  Detect changes to security settings or files.
  Evaluate and report computer conformance with security policies.

To effectively evaluate the security of your enterprise, you can customize the Symantec ESM environment to match the needs of your organization. You can then continue to adapt Symantec ESM to the changing conditions in the network.

About separating security duties

Symantec ESM lets you separate the duties of system administrators and security officers to ensure effective computer security. When one individual, typically a system administrator, holds both the network administration and the security administration tasks, the following problems commonly occur:
  One person may not have the time to do both network and security administration.
  It may be difficult to perform the necessary checks and balances if all the tasks are assigned to one person.

If you assign network administration and security administration tasks to different individuals, you ensure the following:
  Each task is performed appropriately.
  Well-defined tasks assigned to each role improve how each role performs.
  System administrators and security officers perform complementary tasks.

Table 1-1 illustrates the separation of administrative and security tasks.

Table 1-1 Separation of administrative and security tasks

System administrator
  Performs the day-to-day network operations
  Installs and maintains computer systems
  Configures the computers to conform to company security policy

Security officer
  Determines the security standards and policy for day-to-day operations
  Monitors the compliance of computer systems to security policy
  Makes recommendations and monitors the overall conformity of computers to security standards

About Symantec Enterprise Security Manager accounts and permissions

Symantec ESM supports the separation of administration and security tasks by providing different types of manager accounts for Symantec ESM users. Symantec ESM managers support the following types of accounts:
  Read-only
  ESM administrator
  System administrator
  Security officer
  Register only

You can use these account types to separate the security and the administration duties. Each account gives a user access to only the information that is necessary to perform the assigned duties.

Table 1-2 describes each account type and its access permissions.

Table 1-2 Account types and access permissions

Read-only
  Description: These accounts are useful for creating specialized accounts, starting with minimal permissions.
  Access permissions: Read-only accounts can view assigned domains, policies, and templates, and can modify their own passwords. Read-only users cannot start policy runs, but they can use the functions that are associated with messages. To use the message-related functions, the user needs appropriate permissions on the specific agent host computers.

ESM administrator
  Description: ESM administrators have the same permissions that the superuser account has. These accounts can be deleted.
  Access permissions: These permissions give a user full access to Symantec ESM functions for all domains, policies, reports, and templates. Accounts that have these permissions can limit other users' functions to assigned domains, policies, and templates. The permissions include the following:
    View domains, policies, templates, and reports
    Modify domains, policies, and templates
    Run policies and domains
    Create new domains, policies, and templates
    Update domain snapshots
    Manage user permissions and password configuration requirements
    Modify own password
    Modify Symantec ESM options, including audit log configuration and manager sumfinal database options
    Upgrade agents
    Register agents with a manager
    Modify read only policies

System administrator
  Description: System administrators provide the security tools that the computer owners need to maintain their computers.
  Access permissions:
    View domains, policies, templates, and reports
    Run policies and domains
    Assign to all current and future policies

Security officer
  Description: Security officers set the security policies and monitor the day-to-day operations.
  Access permissions:
    View domains, policies, templates, and reports
    Modify domains, policies, and templates
    Run policies and domains
    Create new domains, policies, and templates
    Modify own password

Register only
  Description: Register only users distribute Symantec ESM agents across the enterprise. Register only users cannot log on to the ESM managers.
  Access permissions: These users can register agents by using either of the following methods:
    Launch the Symantec ESM installation program
    Launch the Symantec ESM register program from the command prompt by using the register command
  The register command requires an account with permission to register agents even though no interactive logon is required.

Table 1-3 lists the domain access rights for each Symantec ESM account.

Table 1-3 Default domain access permissions

Read-only
  View
  Apply to all domains

ESM administrator
  View
  Modify
  Run policies
  Snapshot updates
  Apply to all domains
  Create new domains

System administrator
  View
  Modify
  Run policies
  Snapshot updates
  Apply to all domains
  Create new domains

Security officer
  View
  Modify
  Run policies
  Apply to all domains
  Create new domains

Register only
  Create
  View
  Modify

Table 1-4 lists the policy access rights for Symantec ESM user accounts.

Table 1-4 Default policy access permissions

Read-only
  View
  Assign to all current and future policies

ESM administrator
  View
  Modify
  Run
  Assign to all current and future policies
  Create new policies
  Modify read only policies

System administrator
  View
  Run
  Assign to all current and future policies

Security officer
  View
  Modify
  Run
  Assign to all current and future policies
  Create new policies

Register only
  Modify
  Assign to all current and future policies
  Create new policies

Table 1-5 lists the template access rights for Symantec ESM user accounts.

Table 1-5 Default template access permissions

Read-only
  View
  Apply to all templates

ESM administrator
  View
  Modify
  Apply to all templates
  Create new templates

System administrator
  View
  Modify
  Apply to all templates

Security officer
  View
  Modify
  Apply to all templates
  Create new templates

Register only
  Modify
  Apply to all templates
  Create new templates

26 26 Introducing Symantec Enterprise Security Manager Components of Symantec Enterprise Security Manager Table 1-6 lists the advanced manager rights for each Symantec ESM manager account. Table 1-6 Account type Read-only ESM administrator Default advanced manager permissions Advanced manager permissions Modify own password Manage user rights Modify own password Modify ESM options Perform upgrades or register agents with managers Manage read only policies System administrator Security officer Register only Modify own password Modify own password Register agents with managers Although the Register only account contains all access rights, you cannot use this account to connect to a manager from the ESM console. Users can register agents only with the installation program or the register program. Components of Symantec Enterprise Security Manager Symantec ESM has the following components: Console Manager Agent See About Symantec ESM managers on page 28. See About Symantec ESM agents on page 29. About the ESM console The ESM console is one of the primary components of Symantec Enterprise Security Manager. The ESM console receives input and sends requests to the other Symantec ESM components. As the data is returned, the ESM console formats

27 Introducing Symantec Enterprise Security Manager Components of Symantec Enterprise Security Manager 27 and displays the information by using the following types of graphical representations: Spreadsheet reports Pie charts Bar charts The ESM console can connect to any manager on the network. ESM console connects to the other components by using CSP connections. See About Symantec ESM managers on page 28. See About Symantec ESM agents on page 29. About the regions The ESM console lets you connect to multiple managers. Regions help you to organize managers and access them from a single area on the enterprise tree. Symantec ESM provides the default All Managers region. You can create other regions as needed. See About Symantec ESM managers on page 28. About the local summary database The local summary database is a component of the ESM console that contains security data about managers and agents. When the ESM console creates a user account, it also creates a local summary database file for the account. You can query the database for summary data and module message details from policy runs to help analyze and report network vulnerabilities. The local summary database is a Microsoft Access relational database in.mdb native file format. You can access this database with Microsoft Access, or use it as an ODBC data source. If you have compatible third-party software, you can use the local summary database to produce custom reports. You can use the discretionary Access Control List (ACL) in Windows to secure the local summary database file. Only the user that is logged on to the ESM console account should have full control over the file. About the scheduler Symantec ESM has a scheduling feature that lets you automate some tasks that are related to security management. For example, you can automate conformance checking by using the scheduler. You can use it to start a policy run immediately. You can also schedule a new policy run to occur each hour, day, week, month, or

year. When a run completes, the scheduler can notify designated personnel by email. The email contains a summary of the security status.

See About the policy runs on page 28.

About the policy runs

You can use the ESM console to initiate policy runs. When you initiate a policy run, you can select the policies and agents that you want to audit. You can also retrieve current information about your network resources. Policy runs return the following information:
  Security status of the agents
  When the policy run was started
  Which modules were run
  Which modules remained in the queue

The ESM console lets you stop or delete policy runs and show any scheduled policy runs.

See About the modules on page 32.

About the template editor

The Template Editor is a component of the ESM console that lets you do the following:
  Change template fields and attributes in the templates
  Disable or enable snapshot checks

Some modules use templates to define aspects of security checks such as file attributes, the files to be monitored, registry keys, and values.

See About managing templates on page 166.

About Symantec ESM managers

Symantec ESM managers do the following:
  Control and store policy data, and pass the data to agents or the ESM console as needed.
  Gather and store security data from agents.
  Pass the data to the ESM console.

The manager uses the control information files (CIF) server to communicate with agents and the ESM console. Several data files that the CIF server accesses are stored in a proprietary format on the manager workstation or server. The control information files (CIF) server is the primary component of the manager and an important part of the Symantec ESM information exchange process.

The manager stores the following data:
  Manager access
  Domains
  Agents
  Policies
  Policy runs
  Templates
  Suppressions
  Messages that the security modules generate

The CIF server provides access to the CIF files. When the ESM console or command-line interface (CLI) needs information from the CIF files, it communicates with the CIF server. The CIF server accesses the CIF files and relays the information back to the ESM console or CLI. The CIF server also relays requests to other components of the manager. For example, when a client sends a request for a policy run, the CIF server starts the job starter and tells it to start a policy run.

The ESM console or CLI establishes communications with the CIF server by logging on with the manager name, manager account name, password, and protocol.

The net server is another component of the manager. It provides CIF server, local file, and agent server access to remote clients. The net server uses the Symantec ESM client server protocol (CSP) to provide communication between processes on different computers.

While the manager component is initially small and the CIF servers remain small, raw reports can consume at least 2 MB per agent.

See About Symantec ESM agents on page 29.

About Symantec ESM agents

Symantec ESM agents consist of a module server and a communications component that is attached to the server.

In the Symantec ESM system, the agent gathers and interprets the data that pertains to the security of the host computer. The agent returns this data in response to a policy run request from a manager. Security modules in the policy analyze the configuration of the following:
  Workstation
  Server
  Computer where the agent resides
  Computer where the agent acts as a proxy

The agent server gathers the resulting data and returns it to the manager that initiated the request. The manager responds by updating the appropriate files in its database.

Symantec ESM agents do the following:
  Store snapshot files of computer-specific and user account information
  Make user-requested corrections to the files
  Update the snapshot files when corrections occur

See About Symantec ESM managers on page 28.

What you can do with Symantec Enterprise Security Manager

Symantec ESM lets you perform a variety of functions. Table 1-7 describes these functions and explains how each component works:

Table 1-7 Symantec ESM functions

Task                 Description
Perform policy runs  Policy runs audit your computers to find potential areas of vulnerability. When you perform policy runs, Symantec ESM reports security problems and their severity. You initiate policy runs from either the graphical user interface or the command-line interface. Symantec ESM uses agents to perform the policy runs. Policy runs are host-based. Symantec ESM provides a module that lets you perform network-based scans of computers without installing an agent on each computer.

Table 1-7 Symantec ESM functions (continued)

Task                 Description
Customize policies   Symantec ESM lets you create your own custom policies and apply the policies that are tailored to your needs. You can implement the policies that are specific to your industry, or you can implement the policies that ensure compliance with a government mandate.
Create reports       Symantec ESM has a powerful reporting tool that lets you dynamically create reports. You can report on any aspect of your Symantec ESM application. You can create reports on managers, agents, user accounts, or any other item that you choose. The reports can be broad and show only security states of managers or domains. They can also be detailed enough to show a specific security check on a few selected computers.

About the policies

Symantec ESM groups security checks into modules, and modules into policies. When a policy runs on an agent, the checks that are enabled in the modules examine the agent computer and report detected vulnerabilities. Symantec ESM contains the following policies:
  Sample policies
  Standards-based policies
  Regulatory policies

See About managing the policies on page 134.

About the snapshots

Several modules establish security baselines by creating snapshot files of agent and object settings the first time that they run. Subsequent module or policy runs report changes to security-related settings. You can accept a change by updating the snapshot, or you can fix the problem and then rerun the module or policy.

Snapshot files for users, groups, devices, and file configurations are created for each agent. User snapshots contain the user account information such as permissions and privileges. Group snapshots contain group permissions, privileges, and membership information. Device snapshots contain device ownership, permissions, and attributes. The file snapshot compares current settings to a template, helping you to locate unauthorized file modifications, viruses, and

Trojan horses. The UNIX version has an additional snapshot file that monitors new setuid and setgid files for the File Find module. Application modules define and use their own snapshot files.

See Updating snapshots on page 277.

About the templates

Several modules use templates to store authorized agent and object settings. Differences between the current agent and object settings and the template are reported when the module is run. For example, the File Attributes module uses templates to validate current file settings. The OS Patches module uses templates to verify the presence of operating system patches. The Registry module uses templates to confirm registry key values. You can accept a new agent setting by updating the template, or you can fix the problem and then rerun the module or policy. Template files reside on the Symantec ESM manager computers.

See About managing templates on page 166.

About the modules

Modules are common to all agents. The modules are the most important part of an agent configuration. Modules contain executables and security checks that do the actual checking at the server or the workstation level. Symantec provides frequent updates to the modules to protect network environments from unauthorized access, data corruption, and denial-of-service attacks.

Agents support a mix of security, query, and dynamic assessment modules. The following table describes these modules:

Security             Networked computers are vulnerable to unauthorized access, tampering, and denial-of-service attacks in the following critical areas:
                       User accounts and authorization
                       Network and server settings
                       File systems and directories
                     Security modules evaluate each area of critical vulnerability. These modules include the checks that assess the control settings of the operating system in a systematic way.

Query                These modules report general information. You can use this information to aid in computer administration. For example, a query module may list all of the users in a particular group or all of the users with administrator privileges.
Dynamic assessment   These modules provide an easy way to extend dynamic security assessment and reporting capabilities for Symantec ESM. You can add new functions to perform queries, security checks, or other tasks not currently available within Symantec ESM. You can also use these capabilities to protect network resources from new forms of unauthorized access, data corruption, or denial-of-service attacks.

About suppressions

The ESM console lets you use suppressions to focus on priority security problems. Some Symantec ESM messages may report the known policy exceptions that your organization's security policy allows. You can temporarily or permanently suppress these messages. You do not have to adjust the policy or exclude important areas of the computer from a check.

Suppressions do not correct security problems; they only prevent the messages that the agents report from appearing in future Security reports. You can suppress messages by the following parameters:
  The message title
  The message name
  The message information
  Agent

You can suppress specific messages or use wildcards to suppress all messages of a certain type.

See About suppressing a Security report item on page 266.

About Symantec Enterprise Security Manager Reporting

Symantec ESM Reporting is a tool that must be installed separately from Symantec ESM Managers and Agents. Components of Symantec ESM Reporting include the Symantec Enterprise Reporting application, a Web server, a separate database, and a database conversion tool. This reporting feature supports a separate authentication system and lets you create, populate, and customize reports. Symantec ESM Reporting also features the queries that let you add and remove data from reports dynamically.

Table 1-8 lists and explains the components of Symantec Enterprise Security Manager Reporting.
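Returning to suppressions (page 33): the following is an added example, not code from this guide or from the Symantec ESM product. It models a suppression as a pattern over the four parameters the guide lists (message title, message name, message information, agent), uses shell-style wildcards through Python's fnmatch, and represents the "temporary" case as an expiry date. The console's real wildcard syntax, its storage format and the message field layout are not described on this page and are assumptions here; the sample messages and rules are constructed for illustration.

```python
"""Suppression matching for ESM-style security messages.

Added example, not code from Symantec ESM. Models the four suppression
parameters the guide lists (title, name, information, agent), wildcard
matching (assumed here to be shell-style, via fnmatch) and the temporary
versus permanent distinction (assumed here to be an optional expiry date).
"""
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
from typing import Optional

FIELDS = ("title", "name", "info", "agent")


@dataclass(frozen=True)
class Suppression:
    """One suppression rule; '*' in a field matches any value for that field."""
    title: str = "*"
    name: str = "*"
    info: str = "*"
    agent: str = "*"
    expires: Optional[date] = None  # None means permanent

    def active(self, today: date) -> bool:
        return self.expires is None or today <= self.expires

    def matches(self, msg: dict, today: date) -> bool:
        """Every field pattern must match; an expired rule matches nothing."""
        return self.active(today) and all(
            fnmatchcase(msg[f], getattr(self, f)) for f in FIELDS
        )


def apply_suppressions(messages, rules, today):
    """Split messages into (kept, suppressed); suppressed ones stay out of the report."""
    kept, suppressed = [], []
    for msg in messages:
        if any(rule.matches(msg, today) for rule in rules):
            suppressed.append(msg)
        else:
            kept.append(msg)
    return kept, suppressed


# Constructed sample messages (not real policy-run output). "name" is assumed
# to be a short message identifier and "info" the detail text the check reports.
MESSAGES = [
    {"level": "yellow", "title": "Password never expires", "name": "PASSWD_NO_EXPIRE",
     "info": "svc_backup", "agent": "win-fs01"},
    {"level": "yellow", "title": "Password never expires", "name": "PASSWD_NO_EXPIRE",
     "info": "jsmith", "agent": "win-fs01"},
    {"level": "red", "title": "Guest account enabled", "name": "GUEST_ENABLED",
     "info": "Guest", "agent": "win-fs02"},
    {"level": "yellow", "title": "New setuid file", "name": "SETUID_NEW",
     "info": "/opt/app/bin/helper", "agent": "unix-db01"},
]

# Constructed rules: a permanent exception for service accounts on the Windows
# file servers, and a temporary exception for one setuid file that expires 2010-05-31.
RULES = [
    Suppression(name="PASSWD_NO_EXPIRE", info="svc_*", agent="win-fs*"),
    Suppression(name="SETUID_NEW", info="/opt/app/bin/*", agent="unix-db01",
                expires=date(2010, 5, 31)),
]


def report(today_iso: str = "2010-06-01"):
    """Titles that would still appear in the Security report, and those hidden, on a given day."""
    kept, suppressed = apply_suppressions(MESSAGES, RULES, date.fromisoformat(today_iso))
    return {"kept": [m["title"] for m in kept],
            "suppressed": [m["title"] for m in suppressed]}


if __name__ == "__main__":
    for day in ("2010-05-15", "2010-06-01"):
        print(day, report(day))
```

Note what the example makes visible: the user-account message on the same agent is not hidden by the service-account rule, the red Guest message is never hidden, and once the temporary rule lapses the setuid message reappears. Suppressions hide messages; they do not change the underlying condition, so review the suppression list as carefully as the policy itself.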

Table 1-8 Symantec ESM Reporting components

Component                              Description
Symantec ESM Reporting Database        Symantec ESM Reporting uses a database to store the data that is generated and stored on your managers in the Symantec ESM proprietary database. The database holds data for all of your managers and lets you combine this data.
Symantec ESM Reporting Database Link   This component exports the data from your Symantec ESM Manager databases to the Symantec ESM Reporting Database.

See About the Symantec ESM reports on page 255.

About the reports

Symantec ESM Reporting has many standard reports that you can use to view your Symantec ESM data. These reports let you select information about managers, domains, agents, or other data. Reports are static. While you can specify the data that you want to see in the report, the columns of the reports remain constant. Reports have enhanced display and charting capabilities, and let you see trends over time.

About the queries

You can use queries to view information about all aspects of your Symantec ESM data. Queries are dynamic. You can take out columns and replace them with others. You can take a query that shows the security level of managers in a domain and add a column to the query. You can then dynamically see information about the security levels of agents on managers in a domain. You can add a column and see that same information for a specific policy, or see which agents comply with a specific check. Queries let you filter data and allow you to see information for only those components that you need.

How Symantec Enterprise Security Manager works

Symantec ESM uses a flexible agent and manager architecture to scale the product over the enterprise. This architecture lets you adapt Symantec ESM to changes in network structure by adding agents for new operating systems and platforms.

The Symantec ESM structure consists of the following components: the agent, the manager, and the ESM console. In addition, Symantec ESM provides the command-line interface (CLI) as an alternate way to run security functions. Symantec ESM also provides utilities to do the following:
  Copy security information from the managers to a database
  Produce standard or custom reports from the information in the database

Note: All references to managers, agents, the ESM console, and the command-line interface refer to Symantec ESM unless otherwise specified.

About the Client Server Protocol

The Client Server Protocol (CSP) is an integral part of Symantec ESM communications. The CSP packages and sends data from component to component, using the various transport protocols that Symantec ESM supports.

To protect confidentiality, Symantec ESM encrypts the data it transfers over the network between the ESM console, managers, and agents.

About the domains

A domain is a selected group of agents. Symantec ESM provides default domains that group the agents by operating system. These domains include all supported Windows, UNIX, NetWare/NDS, and OpenVMS operating systems. Because a manager may need to assess groups of agents separately, you can create additional domains to facilitate queries of those groups. You can create domains to reflect organizational divisions, such as accounting computers, production computers, or marketing computers. You can also create geographic divisions, such as Building C computers or Denver computers. Because Symantec ESM has a scalable architecture, you can locate these computers in one room or spread them across wide geographic distances. Managers can connect to all of the agent computers in the enterprise.

See About Symantec ESM agents on page 29.
See About configuring the agents and domains on page 82.

About the security data

Symantec ESM assigns security levels and ratings to audited objects to rate each object's conformity to a policy. You can use this data to prioritize your efforts to address potential problems. The security levels are color-coded and the security ratings are numeric.

See About viewing the summary and detailed data on page 177.

About the security levels

Symantec ESM has the following security levels: red, yellow, and green. Table 1-9 defines each security level:

Table 1-9 Security levels

Level    Threat        Description
Red      Serious       Red indicates a serious security vulnerability that requires immediate attention.
Yellow   Moderate      Yellow indicates a moderate security vulnerability.
Green    Information   Green indicates that no corrective action is required.

The summary branch of the enterprise tree displays the security level colors that give you an overall sense of each object's conformity to policy. Symantec ESM depicts each object at its highest level. For example, if one agent in a domain is red, then the entire domain is red. Similarly, if the highest module in a policy is yellow, then the entire policy is yellow.

About the security ratings

The security score uses numeric values to rate each object's conformity to policy. Objects with a higher rating are considered a greater security risk. Security ratings come from the security messages that the modules report during policy runs on agent systems. Red level messages are critical and receive a significantly higher rating than yellow messages. Table 1-10 defines the numeric weight that is assigned to each security level.

Table 1-10 Security ratings

Level    Numeric weight   Description
Red      10               A red message indicates a severe security vulnerability. Each red message contributes ten points to an object's overall score.
Yellow   1                Yellow messages indicate a moderate security vulnerability. Each yellow message contributes one point to an object's overall score.
Green    0                Green messages do not contribute to the overall score.

An object's rating is derived from the following formula:

  rating = 10 x (number of red messages) + 1 x (number of yellow messages)

While interpreting the rating, you must understand that the rating stems from the number of messages multiplied by the weight of each level. An object that has a high yellow rating may not pose the same threat as an object that has a low red rating: thirty yellow messages score 30, and so do three red messages, but the red ones are the serious vulnerabilities. You must generally address the red messages first.

Although security level and scores are related, they should be considered separately. During a policy run, Symantec ESM compares the current state of the agent computer to the security checks that are enabled in the policy. Symantec ESM messages report exceptions and other information that includes the following:
  Non-compliant, policy-based conditions.
  Differences between the most recent snapshot file and the state of the computer at the time of the policy run.
  Differences between the module template and the state of the computer at the time of the policy run.
  Information that is related to system administration.

Symantec ESM assigns each message a security level and a score to classify the severity of the problem. Messages with a green security level have a rating of 0, which indicates that the message is informative and does not require corrective action. A message with a yellow security level has a rating of 1, which identifies it as a problem that needs attention. A message with a red security level has a rating of 10, which indicates that the problem is serious and requires prompt attention.

Symantec ESM assigns a security level and calculates a rating for each module in the policy run as follows:
  Symantec ESM compares the security levels of the messages that a module reports, and assigns the most severe security level to the module. For example, Symantec ESM assigns a yellow security level to the Password Strength module if that module reports 50 green messages, 20 yellow messages, and no red messages.
  Symantec ESM sums the ratings of the messages that a module reports to calculate an overall rating for the module. In the previous example, the 50 green messages that the Password Strength module reports have a rating of zero. The 20 yellow messages have a rating of 20. Symantec ESM calculates a rating of 20 for the Password Strength module.

Symantec ESM compares the security levels of all the modules in the policy run and assigns the most severe security level to the policy. Symantec ESM sums the ratings of all the modules and assigns this total to the policy. Symantec ESM repeats this process, rolling the level and the rating up from policy to agent and from agent to domain.

At the domain level, Symantec ESM compares the security levels of all the agents and assigns the most severe agent security level to the domain. Unlike the lower levels, which sum the ratings of their children, a domain's rating is the average agent score. Symantec ESM repeats this process, rolling the average agent level and rating up the remainder of the enterprise tree.

How Symantec Enterprise Security Manager displays information

Symantec ESM uses a variety of methods to display security information. Several charts are embedded in the graphical user interface (GUI) of Symantec ESM. These charts let you see the security state of your agent computers. You can view information using grids, pie charts, trees, and tables.

See About using the ESM console grid and chart on page 179.
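The level and rating roll-up described on pages 37 through 39, as an added example that is not code from this guide or from the Symantec ESM product. It applies the Table 1-10 weights (red 10, yellow 1, green 0), takes the most severe child level at every step, sums ratings from message to module, module to policy and policy to agent, and averages the agent ratings at the domain, as the guide states. The domain, agent, policy and module names and the message counts below are constructed; the Password Strength figures are the guide's own worked example.

```python
"""Security level and rating roll-up.

Added example, not code from Symantec ESM. Implements the roll-up the guide
describes: message weights from Table 1-10; module, policy and agent take the
most severe child level and the SUM of child ratings; a domain takes the most
severe agent level and the AVERAGE agent rating. An object with no messages
gets level None, which corresponds to the gray "no data" icon in the console.
"""

WEIGHT = {"green": 0, "yellow": 1, "red": 10}   # Table 1-10 numeric weights
SEVERITY = {"green": 0, "yellow": 1, "red": 2}  # ordering used to pick the worst level


def worst(levels):
    """Most severe level among the children, or None if there is no data."""
    known = [lvl for lvl in levels if lvl is not None]
    return max(known, key=SEVERITY.__getitem__) if known else None


def rate_module(message_levels):
    """Module = worst message level, sum of the message weights."""
    levels = list(message_levels)
    return worst(levels), sum(WEIGHT[lvl] for lvl in levels)


def rate_sum(children):
    """Policy from its modules, agent from its policies: worst level, summed rating."""
    children = list(children)
    return worst(lvl for lvl, _ in children), sum(score for _, score in children)


def rate_domain(agent_ratings):
    """Domain = worst agent level, but the AVERAGE agent rating (page 39)."""
    agents = list(agent_ratings)
    if not agents:
        return None, 0.0
    return worst(lvl for lvl, _ in agents), sum(s for _, s in agents) / len(agents)


def rate_enterprise(domains):
    """domains: {domain: {agent: {policy: {module: [message levels]}}}}.

    Returns {domain: ((level, average_rating), {agent: (level, rating)})}.
    """
    result = {}
    for dname, agents in domains.items():
        agent_ratings = {}
        for aname, policies in agents.items():
            policy_ratings = [
                rate_sum(rate_module(msgs) for msgs in modules.values())
                for modules in policies.values()
            ]
            agent_ratings[aname] = rate_sum(policy_ratings)
        result[dname] = (rate_domain(agent_ratings.values()), agent_ratings)
    return result


# Constructed sample: two Windows agents, one policy each, two modules each.
# The Password Strength counts on win-fs01 are the guide's own example.
SAMPLE = {
    "Windows": {
        "win-fs01": {
            "Phase 1": {
                "Password Strength": ["green"] * 50 + ["yellow"] * 20,
                "Account Integrity": ["green"] * 10,
            },
        },
        "win-fs02": {
            "Phase 1": {
                "Password Strength": ["green"] * 30 + ["yellow"] * 10 + ["red"] * 3,
                "Account Integrity": [],  # module reported nothing: no data
            },
        },
    },
}


if __name__ == "__main__":
    for dname, ((level, avg), agents) in rate_enterprise(SAMPLE).items():
        print(f"{dname}: level={level} average agent rating={avg:.1f}")
        for aname, (alevel, arating) in agents.items():
            print(f"  {aname}: level={alevel} rating={arating}")
```

Two things the numbers make concrete: win-fs02's three red messages alone out-score win-fs01's twenty yellow ones, which is the page's point about reading level and rating separately, and because the domain averages rather than sums, adding a clean agent to a domain lowers the domain rating while the domain level stays red until the last red agent is fixed.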


Chapter 2 Using the Symantec Enterprise Security Manager console

This chapter includes the following topics:
  Starting the ESM console
  Configuring the ESM console on Windows
  Accessing the ESM console
  About the console timeout configuration
  About changing the ESM console password
  Using the ESM console controls
  About modifying the GUI options
  Configuring and editing the disclaimer
  Connecting to a manager
  Disconnecting an ESM manager
  About viewing the manager information
  About viewing the agent information
  About gathering security information
  About running security checks
  Using the Policy Run wizard

  About filtering report contents
  About creating and viewing reports

Starting the ESM console

The Symantec ESM console lets you connect with local and remote managers. You can use the ESM console to do the following:
  Configure and administer security policies within the managers.
  Run security checks.
  Process and view security reports.
  Make computer corrections.

The ESM console is supported only on the Windows operating system, and runs only on the computer on which it is installed.

To start the ESM console on Windows
  Do one of the following:
    Double-click the ESM Enterprise Console icon on the desktop.
    On the Windows taskbar, click Start > Programs > Symantec > Enterprise Security Manager > Symantec ESM Enterprise Console.

See Accessing the ESM console on page 43.
See Using the ESM console controls on page 45.

Configuring the ESM console on Windows

ESM console controls are easily accessible. The graphics in printed reports look best if you set the Windows display to at least 256 colors and 800 x 600 pixels.

To verify the display settings
  1 On the Windows taskbar, click Start > Settings > Control Panel > Display, and then click the Settings tab.
  2 Verify the following settings:
    Color Palette: Set this option to at least 256 colors, although the ESM console can run in 16 colors.
    Desktop Area:

    Set this option to at least 800 x 600 pixels, although the ESM console can run in 640 x 480 pixels.

Accessing the ESM console

The ESM console and the managers use separate password-protected accounts. You must log on to the ESM console to access a Symantec ESM manager. You can connect to several managers simultaneously to make the ESM console function for every manager in your enterprise. However, you should always limit the number of manager connections to correspond to the user's specific area of responsibility.

The ESM console creates a separate account and a user environment for each user. If you are a new ESM console user, you can type an unused name and set up your own password-protected ESM console account. The ESM console prompts for a manager connection when it stores a new user environment. To connect with a manager, you must type the manager name, the manager account name, the password, and the protocol.

Each manager has a superuser account that Symantec ESM sets up during the manager software installation. This account has complete privileges on the product. You can use the superuser account to set up additional user accounts on the manager. These new accounts can have restricted privileges that limit access to policies, domains, and templates. Make sure that you disable or delete any unused accounts on a manager.

The ESM console protects the credentials of each manager connection by encrypting the credentials with the ESM console password. You can select an option in the ESM console to cache the credentials. Caching the credentials restores the manager connections automatically when you log on. Because the cached manager credentials are only as strong as the ESM console password that encrypts them, treat the console password as a credential for every manager in the cache.

The Symantec ESM 10.0 console is compatible with Symantec ESM 6.x or later managers.

To log on to the ESM console
  1 Double-click the Symantec ESM Enterprise console icon on the Windows desktop.
  2 Type a user name.

  3 Type a password.
    For an initial logon, you must choose a password with at least six characters including at least one non-alphabetical character. ESM console account passwords can have up to 20 characters.
    If the input name does not match an existing account, the ESM console prompts you to create a new account. If you click Yes, the ESM console prompts you to confirm the password.
  4 Confirm the password.
    When you confirm the password, Symantec Enterprise Security Manager creates a new user environment and a local summary database for the current user session.

If the name and password entries match an existing user environment, the console uses the environment and local summary database for the current user session. If the local summary database does not have any manager information, the ESM console prompts you to add a manager. If you decide not to add any managers, the ESM console cannot display any security information.

After you complete the current ESM console session, secure the local summary database object. To secure the local summary database object, edit its discretionary access control list (DACL).

See Using the ESM console controls on page 45.

About the console timeout configuration

You can configure the ESM console to close automatically if the console is not active for a specified period of time. You enter the timeout value for the console in the "CONSOLEIDLETHRESHOLD=" parameter in the console.conf file. The console.conf file is present at the following location:

  #Symantec\Enterprise Security Manager\Symantec ESM Enterprise Console

The console is monitored for input events such as keystrokes and mouse clicks for the specified period of time. The console closes if it does not receive any such input event during the time that you specify in the "CONSOLEIDLETHRESHOLD=" parameter. For example, if the value of the "CONSOLEIDLETHRESHOLD=" parameter is "1", then the console monitors for input events for an hour. If there is no input event for an hour, then the console automatically closes.

Certain ESM functions, such as moving agents, LiveUpdate, and policy replication, are time consuming and do not require any input event. While such functions are in progress, the console is considered to be active even if there are no input events. Hence, the

console does not close even if the time required to complete these functions exceeds the timeout value for the ESM console.

The "CONSOLEIDLETHRESHOLD=" parameter takes the value in hours. For example, to configure the console to close if it is idle for an hour, enter the following:

  CONSOLEIDLETHRESHOLD=1

The timeout value in the console.conf file is "0" by default.

About changing the ESM console password

You must enter a password for your ESM console account when you first create the account, and each time you log on to the ESM console. Change the ESM console password regularly to ensure that it has not been cracked or guessed. ESM console account passwords can have up to 32 characters.

To change the ESM console password
  1 On the ESM console menu, click Edit > Change Password.
  2 In the Current Password text box, type the current password.
  3 In the New Password text box, type the new password.
  4 In the Confirm New Password text box, retype the new password.
  5 Click OK to save the changes.

Using the ESM console controls

You can access controls in the ESM console on the menu bar, the toolbar, and the enterprise tree display. Additional controls are available when you right-click the enterprise tree and grid. The ESM console retains your preferences for the chart display. These preferences include the following:
  Legend displays
  2D or 3D graphics
  Summary or object views
  Pie chart or bar chart displays

The ESM console controls include the following:
  Menu bar

  Toolbar
  Enterprise tree
  Chart
  Grid

See About the menu bar on page 46.
See About the toolbar information on page 47.
See About the enterprise tree on page 47.
See About the grid information on page 49.

About the menu bar

Pull-down menus provide the following options:
  Connect the ESM console to a new manager.
  Establish a new region for the managers.
  Manage your local summary database.
  Change display options.
  Request reports.

About the chart information

Information in the chart pertains to the level immediately beneath the object that is selected in the Summary branch of the enterprise tree. For example, click the summary chart on the toolbar and then click an agent object in the Summary branch. These actions cause the chart and the grid to display security level information about the most recent policy runs on the agent.

If your environment supports connections to all network managers, the chart and the grid display the following information when you select the ESM enterprise object:
  Enterprise-wide level information
  Average rating information

The summary chart displays a count of the red, yellow, and green objects for the level that is under the selected object. You select the summary chart for an object from the Summary branch. The drill-down chart displays the level and the score information for each object. You can click on the chart to expand the Summary branch to the next level and show the chart for that level. If you select trend mode, the chart displays the

cumulative results of policy runs over a period of time. The Summary filter settings can limit the information that is displayed in the chart and the grid.

About the toolbar information

The following table lists the Symantec ESM toolbar icons:

Table 2-1 Symantec ESM toolbar icons

Title                                  Function
Open                                   Open and save report files
Drill-down Mode                        View the security level and score of objects from recent policy runs
Summary Mode                           View the total number of objects at each security level from recent policy runs
Trend Mode                             View security data as it changes over time
View/Edit summary filter settings      View or edit summary filter settings
Policy Run Wizard                      Access the Policy Run wizard
Download all managers' summary data    Download summary data from the managers
LiveUpdate                             Perform a LiveUpdate
About                                  Display information about the Symantec ESM Enterprise Console

About the enterprise tree

The enterprise tree is located in the upper-left pane of the main window. At the top of the tree, the My ESM Enterprise node consists of the regions that contain managers. Each manager has four types of objects: domains, policies, policy runs, and templates. The names of the regions, managers, domains, agents, policies, and modules are specific to your network.

Expand the summary branch to display the agents in each manager domain. The managers can transfer LiveUpdate data to agents with a color-coded icon. The managers cannot update agents with a gray icon. Further expansion of the summary branch displays security level information for policies, modules, and policy runs.

You can expand the Policies branch to see the modules in each policy. Further expansion shows the operating systems that the modules check and also provides access to message suppressions.

Note: Red, yellow, and green colors on the icons in the summary branch indicate the security level of each object. Gray and black colors indicate that no data is available.

You can double-click a policy name in the Policies branch to access the policy editor. The policy editor lets you select the modules that comprise the policy. You can double-click a module name and an operating system within a policy to expand the Policies branch to do the following:

- Enable or disable module security checks.
- Edit name lists.
- Select other options that are related to module checks.

You can click an object in the Policy Runs branch to view and take action regarding a policy run. You can click an object in the Templates branch to edit the templates that specific security modules use.

See Renaming the enterprise on page 48.

Renaming the enterprise

You can rename the enterprise as necessary.

To rename the enterprise

1 Right-click My ESM Enterprise and then click Rename.
2 In the Enter New Name for the Enterprise text box, type the new name for the enterprise.
3 Click OK.

About the grid information

See About the enterprise tree on page 47.

Information in the grid applies to the level immediately beneath the object that is selected in the summary branch of the enterprise tree. On the Summary branch, the grid displays the average agent level and the score information for each node from My ESM Enterprise to domains. When you select a domain, the grid displays the level and the score information for each agent. If you select an agent, the grid displays the level and the score information for each policy. When you select a policy, the grid displays the level and the score information for each module.

On the Policies branch, the grid displays the status of the modules and the security checks in a policy. To enable or disable a check inside a module or change the contents of a name list, do one of the following:

- Double-click a policy name.
- Right-click a policy name and then click Properties.

On the Policy Runs branch, the grid displays policy run status. A context menu provides options to stop, delete, or view the properties of policy runs.

On the Templates branch, the grid provides access to an editor that can change the contents of the template files.

About modifying the GUI options

Use the GUI Options in the Edit menu on the ESM console to set the following parameters:

Policy run message count (per-user setting)
Symantec ESM sets the default maximum message count to 3000 security messages. When a report reaches this limit, it returns a red message. The red message indicates that the report has reached the maximum number of messages. If a report returns this message, you can type or select a new maximum message count or remove the message count limit. Then re-run the policy to see all of the messages.

ESM console options
On large networks with many agents, summary updates of the ESM console can take a while. If you select the Manual Summary Updates check box, you can perform manager maintenance functions without any delay. The manager maintenance functions include the following tasks:

- Add, modify, or delete ESM manager accounts.
- Edit the settings of Symantec ESM policies, modules, security checks, name lists, or templates.
- View the status of policy runs.

However, the ESM console does not display summary information until you perform a summary update manually. Also, the ESM console does not prompt you to view the results of completed policy runs.

To modify the GUI options

1 On the ESM console menu bar, click Edit > GUI Options.
2 In the GUI Options dialog box, in the Policy run message count (per-user setting) area, do the following:
  - In the Maximum policy run message count box, type the maximum policy run message count. You can also use the up or down arrows to enter the message count. The message count value is 3000 by default.
  - If you do not want to specify any limit for the maximum message count, click No message count limit.
3 In the Console Options area, click Manual summary update if you want to perform manager maintenance functions manually.

Configuring and editing the disclaimer

You must create the Disclaimer.rtf file and use the file during the upgrade if you want a disclaimer to be displayed before you launch the console. The Disclaimer.rtf is a configurable file, and you can put customized information in the disclaimer as required by your organization.

Before you upgrade the console to this version of ESM, you must copy the contents of the Symantec_Enterprise_Security_Manager_10.0_Win.iso from the media and save it on your local computer. Alternatively, copy the contents of the Symantec_Enterprise_Security_Manager_10.0_Win.iso to a shared folder on your network.

To configure the disclaimer before you silently upgrade to this version of ESM, you must edit the "DISCLAIMER_PASSWORD=" parameter in the ConsoleSilentInstallSample.bat to enter a valid password.

Note: You have to provide the same password if you want to change the disclaimer.rtf file contents in the future.

You must have the ConsoleSilentInstallSample.bat file to silently upgrade the console. The .bat file is present in the ESMConsole\example folder.

You can edit the disclaimer as you need. However, to be able to modify the disclaimer, you must have administrator rights on the computer where you have the console installed.

Note: The disclaimer must be in the Rich Text File format.

If you do not want to configure a disclaimer, you have to delete the disclaimer.rtf file from the ESMConsole folder before you proceed with the upgrade.

If the disclaimer file gets corrupted for any reason, you must create a new Disclaimer.rtf. You have to use the Modify option in the setup wizard to uninstall and reinstall the console using the new Disclaimer.rtf file. Perform the following steps in the given order to launch the ESM console with the modified disclaimer:

- Run the setup wizard in the Modify mode from the ESMConsole folder. The ESMConsole folder must be present on your local computer or in a shared folder on your network.
  Note: Do not use the Modify option from Add/Remove Programs.
- In the Custom Setup panel, select the ESM console for uninstallation.
- Copy the correct disclaimer.rtf file to the ESMConsole folder. The ESMConsole folder must be present on your local computer or in a shared folder on your network.
- Run the setup.exe from the ESMConsole folder and select the Modify mode.

To configure the disclaimer for a silent upgrade of the ESM console

1 Open WordPad and create a disclaimer.rtf file with the disclaimer information, and save it in the ESMConsole folder that you have copied to your local computer or to a shared folder on your network.
2 Go to ESMConsole\example and copy the ConsoleSilentInstallSample.bat file that you require to silently upgrade the console, or the console and the manager.

3 Save the ConsoleSilentInstallSample.bat file in the ESMConsole folder.
4 In the .bat file, type your password for the Disclaimer.rtf file in the "DISCLAIMER_PASSWORD=" field.
5 Execute a silent upgrade of the ESM console.
  For more information on how to silently upgrade the ESM console and the other ESM components, see the Symantec Enterprise Security Manager Installation Guide.

To configure the disclaimer for an interactive upgrade of the ESM console

1 Open WordPad and create a disclaimer.rtf file with the disclaimer information, and save it in the ESMConsole folder that you have copied to your local computer or to a shared folder on your network.
2 Execute an interactive upgrade of the ESM console.
  The installation wizard displays the Disclaimer Option panel if you save the Disclaimer.rtf file in the ESMConsole folder on your local computer.
3 In the Disclaimer Options panel, type a password for the Disclaimer.rtf file.
  Note: The password can be used for any future changes to the disclaimer.rtf file.
4 Execute an upgrade of the ESM console.
  For more information on how to silently upgrade the ESM console and the other ESM components, see the Symantec Enterprise Security Manager Installation Guide.

To edit the disclaimer

1 Create a new .rtf file that contains the modified disclaimer information and save it on your local computer.
2 On the ESM console menu bar, click Edit > Configure Disclaimer.
3 In the Configure Disclaimer dialog box, do the following:
  - In the Password to change the file text box, enter your disclaimer password. The password must be the same as the password that you entered in the Disclaimer Option panel or in the DISCLAIMER_PASSWORD field of the .bat file.
  - Click the browse option to navigate to the location where you have saved the .rtf file, and then click OK.
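As an added example, not a script from the Symantec guide or the product media, the following PowerShell script automates the file preparation in the silent-upgrade procedure above: it checks that Disclaimer.rtf really is Rich Text (a WordPad RTF file begins with the signature "{\rtf"), copies ConsoleSilentInstallSample.bat from ESMConsole\example into the ESMConsole folder, fills in the DISCLAIMER_PASSWORD= parameter, and restricts the copied .bat to administrators, because the password sits in it in clear text. The folder path C:\ESMConsole and the assumption that the parameter occupies a single line of the form DISCLAIMER_PASSWORD=<value> are mine; the guide does not show the layout of the sample batch file.

```powershell
# Added example, not a Symantec script. Assumes the ISO contents were copied to
# C:\ESMConsole (assumed path) and that the sample batch file carries the parameter
# on one line in the form DISCLAIMER_PASSWORD=<value> (assumed layout).
param(
    [string]$EsmConsoleFolder = 'C:\ESMConsole'
)

$ErrorActionPreference = 'Stop'

$disclaimer = Join-Path $EsmConsoleFolder 'Disclaimer.rtf'
$sampleBat  = Join-Path $EsmConsoleFolder 'example\ConsoleSilentInstallSample.bat'
$targetBat  = Join-Path $EsmConsoleFolder 'ConsoleSilentInstallSample.bat'

# 1. The guide requires Rich Text Format. WordPad writes the RTF signature "{\rtf"
#    as the first five bytes, so a file saved as plain text or .docx fails this check.
function Test-RtfFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 5) { return $false }
    return ([System.Text.Encoding]::ASCII.GetString($bytes, 0, 5) -eq '{\rtf')
}

if (-not (Test-RtfFile $disclaimer)) {
    throw "$disclaimer is missing or is not an RTF file; create it in WordPad and save it as Rich Text Format."
}

# 2. Prompt for the password without echoing it. The same password is needed later
#    in Edit > Configure Disclaimer, so record it in your password manager.
$secure   = Read-Host -Prompt 'Disclaimer password' -AsSecureString
$password = [System.Net.NetworkCredential]::new('', $secure).Password
if ([string]::IsNullOrWhiteSpace($password)) { throw 'The disclaimer password must not be empty.' }

# 3. Copy the sample batch file next to Disclaimer.rtf and fill in the parameter.
#    Only the text after "=" up to the end of that line is replaced, so CRLF line
#    endings and the rest of the file are left untouched.
Copy-Item -LiteralPath $sampleBat -Destination $targetBat -Force
$content = [System.IO.File]::ReadAllText($targetBat)
$pattern = '(?m)^([ \t]*(?:set[ \t]+)?DISCLAIMER_PASSWORD=)[^\r\n]*'
if ($content -notmatch $pattern) {
    throw "DISCLAIMER_PASSWORD= parameter not found in $targetBat"
}
$updated = [regex]::Replace($content, $pattern, { param($m) $m.Groups[1].Value + $password })
[System.IO.File]::WriteAllText($targetBat, $updated, [System.Text.Encoding]::Default)

# 4. The batch file now holds the password in clear text: drop inherited ACLs and
#    leave access to Administrators and SYSTEM only. Delete the file after the upgrade.
& icacls $targetBat /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $targetBat" }

Write-Host "Prepared $targetBat. Run it for the silent upgrade, then remove it."
```

Run the script from an elevated PowerShell session on the computer (or against the share) that holds the copied ESMConsole folder; if your copy of the sample batch file quotes the value or passes it differently, adjust the regular expression in step 3 to match.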

An error message is displayed if you select the Disclaimer.rtf file that is currently in use.

Connecting to a manager

You must use the ESM console to connect to a manager to access security data. Each manager has a superuser account that Symantec ESM sets up during the manager software installation. This account has all of the privileges for the application. Use the superuser account to set up additional user accounts on the manager. Each account should give its users only the access rights that they need to perform their specific tasks.

The ESM console prompts for at least one manager connection when it creates a new user environment. You can add other manager connections when you initially log on. You can also select New Manager from the File menu to add the manager connections later. You must specify connections to all of the network managers for the ESM console to display information for the entire enterprise. Make sure that each user's access is limited to only the managers within that person's area of responsibility.

The ESM console can optionally cache the credentials of each manager connection to eliminate the logon prompt each time that you connect to a manager. Symantec ESM 6.x or later managers can connect to Symantec ESM 10.0 consoles.

To connect to a manager

1 Do one of the following to display the New Manager window:
  - On the File menu, click New manager.
  - Right-click My ESM Enterprise on the enterprise tree, and then click New manager.
  - Right-click All managers on the enterprise tree, and then click Add manager.
2 Type the name of the manager computer in the Manager text box.
3 In the Manager account information pane, type the user name and password of a manager account with the necessary privileges.
4 Check the Save this name and password check box to automatically reconnect the ESM console and manager without having to re-enter the user name and password.
5 In the Port text box, enter the port number. The default port number is 5600.

See Disconnecting an ESM manager on page 54.

Disconnecting an ESM manager

You can disconnect an ESM manager from the ESM console when you do not require the security information from that ESM manager.

To disconnect an ESM manager

1 Right-click the ESM manager that you want to disconnect.
2 Click Disconnect.

See Connecting to a manager on page 53.

About viewing the manager information

Use the Manager Properties dialog box to display information about the ESM manager currently connected to the ESM console. The General tab displays the following information:

- Name of the ESM manager that is connected to the ESM console.
- Connection protocol.
- Port number that the ESM console uses to connect to the manager.
- Connection status.
- Operating system of the manager.
- Version of the manager.
- Build date of the manager.
- SU lock-level information.

The Access Records tab displays user accounts that the ESM administrator has created on the selected manager.

The Audit Log Configuration tab lets you enable the Audit Log for the selected manager.

The Password Configuration tab displays the following configuration information:

- The password configuration for the selected manager.
- The number of invalid logon attempts before the user account is locked out.
- The reset lockout time in minutes.

The Policies tab displays the policies and the policy versions that are installed on the selected manager.

The License tab displays the selected manager's license information.

The Current Access Records tab displays the account information of the currently logged on user account.

The Options tab displays the information on the manager database purge values. You can configure the selected manager to check the status of the agents that are registered to the manager.

To view the manager information

1 Right-click the manager and click Properties.
2 Click the General tab.
  Symantec Enterprise Security Manager displays the connection information of the current manager.

About viewing the agent information

The Properties tab displays the following information for the agents:

- Name of the agent.
- IP addresses of the agent computer.
- FQDN of the agent computer.
- Hostname of the agent computer.
- Operating system of the agent.
- Version of the agent.
- Security Update version of the agent.
- Communication protocol.
- Proxy agent, if the agent and the proxy agent names do not match.

The agent description can contain up to 1024 characters.

The Modules tab displays the version information for each module.

The Applications tab displays information about the applications that have been discovered using Symantec ESM application modules.

To view the agent information

Do one of the following:

- Double-click the agent.
- Right-click the agent and then click Properties.

About gathering security information

The ESM console obtains information about the security of the computers and the servers in the enterprise from the managers on the network. The managers gather this information from their registered agents during policy runs. The ESM console can connect to multiple managers. If the connections in your environment involve all managers of an enterprise, the console gathers the level and the average score for the entire enterprise.

The ESM console gathers this information in the following ways:

- When the ESM console initially connects with a manager during a session, it retrieves domain, agent, and summary data from the manager.
- When you use the ESM console to start a policy run, the following events occur:
  - The participating agents run security checks on the agent computers.
  - The manager is updated with the results.
  - The manager updates the ESM console.
  In this instance, you can decide if you want the ESM console to auto-navigate the enterprise tree and to view the report data.
- When changes to managers and agents occur on the ESM console, do the following to ensure that the ESM console displays the current information:
  - Right-click a node at the domains level and click Update to update the summary information.
  - Right-click a node at the regions level and click Retrieve Summaries to retrieve the summary information from all of the managers in a region.

About running security checks

Policies contain the checks that evaluate the security of network resources. The ESM console lists the following policies in the Policies branch of the enterprise tree:

- Phase 1
- Phase 2
- Phase 3:a Relaxed
- Phase 3:b Cautious
- Phase 3:c Strict
- Dynamic Assessment
- Queries

These policies provide high levels of security. You can edit the modules in these policies, and you can enable or disable specific security checks to conform to your company's security policy. Periodically, Symantec provides security updates, best practice policies, and agent software improvements through LiveUpdate technology. Use LiveUpdate monthly to ensure that you have the best possible security assessment tools.

About evaluating your network security

The Phase 1 policy is the best place to begin evaluating your network security. This policy identifies the most significant and the potentially problematic security problems with network resources. Problems in these areas are important and easy to solve. Move on to the Phase 2 policy after you correct the red level problems on the network resources that the Phase 1 policy reports.

The Phase 2 policy contains all of the available modules, but enables only the key security checks in each module. These checks identify the remaining critical security problems in the network. After you correct the red level problems on all network resources that the Phase 2 policy reported, move on to the Phase 3 policy. This policy provides the following distinct levels of security, as required by the company's security policy:

- Relaxed
- Cautious
- Strict-level network security

Immediately run security checks on a single agent computer or on all the agent computers in a manager domain by doing one of the following:

- Click the Policy Run wizard icon on the toolbar.
- Drag the policy from the policies branch and drop it on the agent computer or manager domain in the summary branch.

To run a specific security check, drag and drop a single module instead of running the whole policy.

About scheduling routine security checks

Use the Schedule window to schedule and routinely run key security checks. To access the Schedule window, do the following:

- Click the Policy Run wizard icon on the console toolbar.
- Click Next until you reach the Schedule panel, and then click Schedule.

Alternatively, do the following:

- Right-click a policy.
- Drag the policy from the policies branch and drop it on the agent computer or manager domain in the summary branch.

This feature automatically initiates policy runs on agents at predetermined intervals and provides a security-status report. Symantec ESM can notify security officers and system administrators by sending an e-mail message when a policy run completes. The message includes the security level and average score from the run.

Using the Policy Run wizard

The Policy Run wizard serves as a guide to help you when you create a policy run.

To use the Policy Run wizard

1 On the toolbar, click the Policy Run wizard icon.
2 Select the manager that you want to use in the policy run.
3 Select the policy that you want to run on the agent computers.
4 Select the modules that you want to include in the policy run.
5 Select the domain where you want to run the policy.
6 Select the agent computers on which you want to run the policy.
7 Enable LiveUpdate for the agents if you want to enable LiveUpdate.
8 Select the message count for the policy run.
9 Review your selections for the policy run.
10 Do one of the following:
  - Run the policy immediately.
  - Schedule the policy run for a later time.
  If you decide to run the policy later, the Schedule dialog box prompts for a start time. Use this dialog to set up a recurrence pattern and run the policy hourly, daily, weekly, monthly, or yearly. Also, set up notification of policy run, agent summary, or module summary results.

Note: The Policy Run wizard can span one domain, one policy, and multiple modules on one manager.

About filtering report contents

You can select options in the Filter dialog boxes to selectively exclude information from the summary displays of the following:

- Enterprise tree
- Chart
- Grid
- Symantec ESM reports

The following information describes the filter options:

Policy
You can do one of the following:
- Use the most recently run policy.
- Select the latest Phase 1, Phase 2, Phase 3:a Relaxed, Phase 3:b Cautious, or Phase 3:c Strict policy.

Modules
You can include all of the modules in the policy run or select specific modules.

Operating systems
You can select the operating systems of all the agents that are registered to the manager, or you can exclude specific operating systems.

Messages
You can show long message text, suppressed messages, or policy run message differences. If you choose to show differences, do the following:
- Pick new messages only in the newer policy run.
- Pick old messages only in the older policy runs.
- Pick unchanged messages both in the old and new policy runs.
In addition, you can choose to compare the current policy run with one of the following:
- The previous numbered run.
- A run from a specified number of days in the past.

About creating and viewing reports

You can view and print the following reports from the ESM console with an HTML browser. The following information describes the types of reports that you can view:

Security
This report contains information about the object that is currently selected in the summary branch. The report lists the results of the most recent policy runs in spreadsheet format. The report identifies which policy run provides the information for each module. For example, if the most recent run involves a single module, the report lists the following:
- The most recent run number for that module.
- The most recent of the previous run numbers for each of the other modules.

Policy
This report contains information about the modules in a policy and the activated checks in the modules.

Policy run
This report lists the policy runs for each of the connected managers. Information in the report includes the current status, the start time, the finish time (if the policy run has completed), the policy name, and the domain name.

Template
This report lists the objects in the template.

Domain
This report lists the properties for each agent in the selected domain. These properties include the agent's operating system, version number, network protocol, network port number, and computer type.

Executive
The Executive Report is a one-page summary that displays the enterprise's conformity to each security module.

To create a report

1 Select an object in the related branch of the enterprise tree.
2 From Reports on the menu bar, choose the type of report.
  For example, to produce an agent security report, select the agent in the summary branch, then click Security in the Report pull-down menu.

The Report Options dialog box lets you configure the report. When you select Report Options, you must designate a location for the resulting report files. Because these files contain sensitive data, you should specify a secure location for them on a network drive. Each report folder has a datestamp and a timestamp with the name of the node that was used to create the report.

Before you e-mail a report, compress the entire report directory. Notify the recipients that they must load the frames.html file to view the report.
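As an added example, mine rather than the guide's, the following PowerShell script does what the paragraph above asks for a finished report: it confirms that the report folder contains the frames.html entry page, restricts the folder to a named group of report readers before the files sit on the network drive, and compresses the whole directory into one .zip for e-mailing. The report path and the group name CORP\ESM-Report-Readers are assumptions; substitute the folder that the Report Options dialog box wrote and the group that you actually use.

```powershell
# Added example, not part of Symantec ESM. The report path and the reader group
# are assumptions; the report folder name shown in the comment is constructed.
param(
    [Parameter(Mandatory = $true)]
    [string]$ReportFolder,                              # e.g. \\fileserver\esm-reports\agent01-20100301-1430 (constructed)
    [string]$ReaderGroup = 'CORP\ESM-Report-Readers'    # assumed group allowed to read reports
)

$ErrorActionPreference = 'Stop'

function Test-EsmReportFolder {
    # The guide says recipients open frames.html, so treat its presence as the
    # marker of a complete report folder.
    param([string]$Path)
    return (Test-Path -LiteralPath (Join-Path $Path 'frames.html') -PathType Leaf)
}

function Protect-EsmReportFolder {
    # Report files contain sensitive data: stop ACL inheritance from the share root
    # and grant read access to the reader group and full control to Administrators only.
    param([string]$Path, [string]$Group)
    & icacls $Path /inheritance:r /grant:r "${Group}:(OI)(CI)R" 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function Compress-EsmReport {
    # Zip the entire report directory, as the guide requires (frames.html is only the
    # entry page), and return the archive path for attaching to the notification.
    param([string]$Path)
    $zip = "$($Path.TrimEnd('\')).zip"
    if (Test-Path -LiteralPath $zip) { Remove-Item -LiteralPath $zip }
    Compress-Archive -Path $Path -DestinationPath $zip
    return $zip
}

if (-not (Test-EsmReportFolder $ReportFolder)) {
    throw "$ReportFolder does not look like an ESM report folder (no frames.html)."
}
Protect-EsmReportFolder -Path $ReportFolder -Group $ReaderGroup
$archive = Compress-EsmReport -Path $ReportFolder
Write-Host "Report archived to $archive. Tell the recipients to extract it and open frames.html."
```

The ACL is applied before the archive is created so that the .zip, which is written beside the folder, is produced from an already restricted location; the archive itself inherits the permissions of the parent directory, so keep the report root on the secure network location that the Report Options dialog box points to.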


Chapter 3
Configuring Symantec Enterprise Security Manager

This chapter includes the following topics:

- About enterprise license management
- About configuring managers and regions
- About configuring the agents and domains
- About configuring the user accounts
- Setting the manager password configuration
- Changing the ESM console passwords
- Auditing Symantec Enterprise Security Manager events
- About updating Symantec Enterprise Security Manager
- About agent recovery re-registration

About enterprise license management

The Symantec Enterprise Licensing feature lets you obtain and distribute licenses for Enterprise Security Manager. Enterprise Licensing also lets you install and distribute licenses among the ESM managers. The permanent licenses do not have an end date. The temporary licenses are not specific to a computer and have a start and an end date. You can install a temporary license only within the period of 365 days before its end date.

If you have multiple permanent licenses installed on the same console, then the cumulative count of all the permanent licenses is displayed. For example, if you have three permanent licenses with 500 units each, then the total unit count for permanent licenses is displayed as 1500.

For ESM 10.0 and later, only versioned licenses are accepted for a fresh installation. You can install Enterprise Licensing Scheme v2.0 licenses on the console. The License Management functionality is disabled until ELS v2.0 licenses are installed. After you upgrade, you can continue working with the ESM licenses, but the License Management functionality is not available, so new allocation or modification of allocated units is not possible until ELS v2.0 licenses are installed.

See Installing a new license on page 65.
See Distributing a license on page 65.
See Revoking enterprise licenses on page 68.
See Re-allocating enterprise licenses on page 69.

What you can do with enterprise licenses

You do the following to manage the enterprise licenses through the ESM console:

- Install an enterprise license on the ESM console.
- Specify information about the managers to which you need to assign the license.
- Specify the number of agents that can register to the manager to which the license is assigned.
- Distribute a license to different managers.
- Revoke the licenses that have been assigned to a manager.
- Re-allocate a license to a manager.
- Redistribute an enterprise license.
- Move licenses from one manager to another.

You must have the Modify ESM Options access rights to install, distribute, revoke, or re-allocate enterprise licenses.

Types of enterprise licenses

You can install the following types of enterprise licenses:

Permanent license
The permanent licenses are no longer specific to a particular computer. Permanent licenses do not have an end date. The license count that is displayed for the permanent license is the cumulative count of the permanent license units that are currently installed.

Temporary license
The temporary licenses are not specific to a computer and have a start and an end date. You can install a temporary license only within the period of 365 days before its end date.

Installing a new license

You can install new licenses by using the Enterprise Licensing Scheme. After you install a license, you can distribute the license among ESM managers.

To install a new license

1 On the enterprise tree, right-click My ESM Enterprise.
2 Click Enterprise License > Install New License.
3 In the Open dialog box, browse to the location where you have stored the license. The ELS licenses have a .slf extension.
4 Select the license and click Open.
5 A message prompt appears stating that you have successfully installed the license.

See About enterprise license management on page 63.
See Distributing a license on page 65.

Distributing a license

You can distribute Symantec ESM licenses among ESM managers by using the Enterprise Licensing feature. You can assign licenses to an ESM manager by using multiple consoles.

Note: If you assign a license to a manager from a console and then add a license from another console, the new license overwrites the existing license. However, the first console continues to display the previous license assignment for the specified manager.

If you have multiple permanent licenses installed, then you can use the cumulative units of the permanent licenses and assign the licenses to one manager. For example, you have three permanent licenses with 500 units each. Now, you can assign 1500 units of permanent licenses to one ESM manager.

Note: You must have the Modify ESM Options rights to distribute enterprise licenses.

To distribute a license

1 On the enterprise tree, right-click My ESM Enterprise, and then click Enterprise License > License Management.
  In the License Management dialog box, the Installed Enterprise Licenses box displays the following:
  - Type of the installed license.
  - Number of agents that the license is applicable for.
  - Number of available units that can be distributed.
  - End date of the license, in case of a temporary license.
2 The Enterprise License distribution per manager box displays the following:
  - Manager name.
  - Number of licenses that have been allocated to the manager.
  - System ID of the computer on which the ESM manager is installed.
3 Select a license from the Installed Enterprise Licenses list box and click Distribute.
  In the Distribute License dialog box, the Available Enterprise License details section displays the following:
  Type: Displays the type of the selected license.
  End Date: The expiration date of the selected license, in case of a temporary license. In case of a permanent license, the End Date text box is not displayed.
  Total Units: Displays the total number of agents that the selected license is applicable for.
  Available Units: Displays the available number of licensing units that can be assigned to ESM managers.

67 Configuring Symantec Enterprise Security Manager About enterprise license management 67 4 In the Manager Selection section contains the following options: Manager Displays the ESM managers that are connected to the console. Lets you select the manager that you want to allocate the enterprise license to. You can type the name of the manager if the manager is not connected to the console. System ID Current Allocation Displays the computer name on which the ESM manager is installed. Displays the number of licenses that are currently allocated to the manager from the selected enterprise license. When you distribute licenses for the first time, the Current Allocation text box appears blank. New Allocation Lets you type the number of licenses that you want to assign to the manager. The license count that you type cannot be more than the value that is displayed in the Available Units text box. User Name Password Port Lets you type the user name of the ESM manager that you want to assign the license to. If the manager is connected to a console, then the same credentials of the manager account are used for license management. Lets you type the password for the ESM manager that you want to assign the license to. Lets you type the port number of the Symantec ESM Manager services. The default value is Click Add. You can add multiple managers. To add another manager, repeat the steps 1-5. You can also delete a manager from the Selected Managers list box by pressing the Delete key in your keyboard. The Selected Managers list box displays the following information about the selected manager:

68 68 Configuring Symantec Enterprise Security Manager About enterprise license management The manager name The system ID The number of licenses that are currently allocated The number of new licenses that have been allocated Object Type 6 Click Distribute. Revoking enterprise licenses The Status panel displays the success or failure of license allocation. See About enterprise license management on page 63. See Installing a new license on page 65. See Re-allocating enterprise licenses on page 69. See Revoking enterprise licenses on page 68. Enterprise License Management lets you revoke licenses from an ESM manager. When you revoke the licenses, the policy run fails on the agents that are registered to the manager until you allocate the new licenses. You must assign new licenses to the manager for a successful policy run. However, the agents that are already registered to the manager are not unregistered when you revoke a license from the manager. You cannot register new agents to a manager that does not have a valid license. To revoke licenses 1 On the enterprise tree, right-click My ESM Enterprise and then click Enterprise License > License Management. 2 Select the license that you want to revoke from the Installed Enterprise Licenses list box and click Distribute. In the Distribute License dialog box, the Available Enterprise License details section displays the details of the license that you have selected. In the Manager Selection section, the Current Allocation text box displays the number of licenses that have been allocated to the selected manager. 3 From the Manager drop-down list, select the manager from which you want to revoke the license. 4 In the New Allocation text box, type a 0 (zero), and then click Add. The Selected Managers list box displays the following information: Name of the selected manager.

System ID of the selected manager.
Number of licenses that are currently allocated to the manager.
Number of licenses that have been newly allocated.
Object Type

You can select a manager from the Selected Managers list and press Delete on your keyboard to delete the manager from the list.

5 Click Distribute, and then click Close.

The licenses that were previously allocated to the selected manager are now revoked, and the total available licenses are incremented by the revoked license count.

See About enterprise license management on page 63.
See Installing a new license on page 65.
See Distributing a license on page 65.
See Re-allocating enterprise licenses on page 69.

Re-allocating enterprise licenses

You can revoke enterprise licenses from a manager and re-allocate the licenses to another manager.

To re-allocate licenses

1 On the enterprise tree, right-click My ESM Enterprise and then click Enterprise License > License Management.

2 Select a license from the Installed Enterprise Licenses list box and click Distribute. In the Distribute License dialog box, the Available Enterprise License details section displays the details of the license that you have selected. In the Select managers section, the Current Allocation text box displays the number of licenses that have been allocated to the selected manager.

3 In the New Allocation text box, type the number of licenses and then click Add. The Selected Managers list box displays the following information:

Name of the selected manager.
System ID of the selected manager.
Number of licenses that are currently allocated to the manager.

Number of licenses that have been newly allocated.

4 In the Select managers section, click another manager in the Manager drop-down list. The New Allocation text box displays the number of remaining licenses. For example, if the total number of licenses available for Manager1 is 2000 and you allocate 1500 licenses, the number of licenses that is displayed in the New Allocation text box for Manager2 is 500.

5 Click Add.

You cannot delete a manager from the Selected managers list after you re-allocate the manager's licenses to another manager.

6 Click Distribute and then click Close.

See About enterprise license management on page 63.
See Installing a new license on page 65.
See Distributing a license on page 65.
See Revoking enterprise licenses on page 68.

Redistributing an enterprise license

Enterprise License Management lets you redistribute unassigned units of an Enterprise license by using the Console License Redistribution feature. You can create a new CSL (Console Sub License) file, import it on another console, and redistribute it among the managers that are registered with that console.

Redistributing an Enterprise license involves the following steps:

1 Creating a new license file.
2 Importing the new Console Sub License.
3 Distributing the license.

See Distributing a license on page 65.

To create a console license

1 On the enterprise tree, right-click My ESM Enterprise and then click Enterprise License > License Management.
2 Select a license from the Installed Enterprise Licenses list box and click Distribute.
3 On the Distribute License panel, click the Console tab.
4 Enter the following information:

Console name: Name of the console to which you want to add the new license.
New Allocation: Number of units that you want to allocate to the new license.
Description or note: Description of the license.

5 Click Add.
6 Click Distribute.
7 The new license file is created and stored at the default location <#Console installed Directory>/export/license.

To import a new Console Sub License

1 On the enterprise tree, right-click My ESM Enterprise.
2 Click Enterprise License > Import Console License.
3 In the Open dialog box, browse to the location where you have stored the license. The Console Sub License file has a .csl extension.
4 Select the license and click Open.
5 A message prompt appears stating that you have successfully installed the license.

Note: You cannot import a CSL license on a console where a Symantec License File (SLF) is already installed.

How Symantec ESM stores the enterprise license information

The information about how the licenses have been distributed to the managers is stored on the ESM console in an XML file. The XML file resides at the following location:

<console_installation_dir>\database\esmldinfo.xml

A default XML file is shipped with Symantec ESM, and it is updated whenever you install licenses. If this file is missing or corrupt, you cannot manage the Enterprise Licenses from the ESM console. Make sure that you back up this file regularly and do not edit it by hand.
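The allocation, revocation and re-allocation rules from the procedures above, as an added example that is not Symantec's code and does not touch esmldinfo.xml: a small Python model in which the EnterpriseLicense class, its method names and the assumption that a New Allocation replaces a manager's Current Allocation (rather than adding to it) are mine.

```python
"""Model of the Enterprise License Management rules this chapter describes.
Added example, not Symantec's code: the console keeps the real allocation
state in esmldinfo.xml; this class only reproduces the stated rules, namely
that a New Allocation cannot exceed the Available Units, that a New
Allocation of 0 revokes the manager's units, and that revoked units return
to the available pool.  Assumption (the guide does not say): a New Allocation
replaces the manager's Current Allocation, so the manager's own units are
counted as available before the check."""


class EnterpriseLicense:
    """One installed enterprise license and its per-manager allocations."""

    def __init__(self, total_units):
        self.total_units = total_units
        self.allocations = {}          # manager name -> allocated units

    @property
    def available_units(self):
        """Value of the Available Units box: units held by no manager."""
        return self.total_units - sum(self.allocations.values())

    def current_allocation(self, manager):
        """The Current Allocation box.  None models the blank box that the
        console shows before the first distribution to this manager."""
        return self.allocations.get(manager)

    def distribute(self, manager, new_allocation):
        """Apply one New Allocation value and return the resulting Available
        Units.  A value of 0 revokes: the units go back to the pool, the
        agents stay registered, and policy runs on them fail until the
        manager is licensed again (see the revoke procedure)."""
        if new_allocation < 0:
            raise ValueError("New Allocation must be 0 or a positive count")
        current = self.allocations.get(manager, 0)
        pool = self.available_units + current      # assumption: replace
        if new_allocation > pool:
            # State is left unchanged, as the console refuses the value.
            raise ValueError(
                f"New Allocation {new_allocation} exceeds Available Units "
                f"({self.available_units})")
        if new_allocation == 0:
            self.allocations.pop(manager, None)    # revoke
        else:
            self.allocations[manager] = new_allocation
        return self.available_units

    def reallocate(self, source, target, units):
        """Re-allocation as the guide describes it: revoke the units from one
        manager, then distribute them to another."""
        self.distribute(source, 0)
        return self.distribute(target, units)
```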

About updating the license information during upgrades

In ESM 10.0, only ELS v2.0 licenses are accepted and installed by the console. In case of an upgrade to ESM console 10.0, the prior license allocations continue to function as in the earlier version, but the License Management functionality is not available until ELS v2.0 licenses are installed. The License Management functionality cannot be used to distribute any older versions of the ESM licenses.

Viewing the manager license information

Use the License tab to display the license information for the ESM manager that is currently connected to the ESM console.

To view the manager license information

1 On the enterprise tree, right-click the manager and click Properties.
2 Click the License tab.
3 Symantec ESM displays the following license information for the current manager:

License Type: The License Type box displays the type of license that the ESM manager uses. The following types of licenses exist: Temporary, Permanent.

License Expiration: The License Expiration box displays the date on which the license expires if it is a temporary license. If the license is permanent, the field displays the following message: No expiration.

System ID: The System ID box displays the system ID (system name) of the computer on which the ESM manager software is installed.

Number of Agents: The Number of Agents box displays the number of ESM agents that the ESM manager is licensed to check.

About configuring managers and regions

The ESM console organizes managers into regions. The ESM console automatically lists all connected managers in the region named All managers.

About the regions

You can create new regions to organize the managers on the network. You can then assign managers to the new regions on the basis of organizational structure or geographical location. You can add or delete regions as needed; however, you cannot delete the default All managers region.

The ESM console uses regions as a convenient method to organize the ESM managers. You can locate any manager on the ESM console in the All Managers region that Symantec ESM creates during installation. Symantec ESM automatically places any new managers that you add to the ESM console in the All Managers region.

Symantec ESM lets you create additional regions to organize the managers on the ESM console. You can create and group regions according to organizational structure or geographical location. You can add or delete regions as needed; however, you cannot delete, rename, or move managers out of the default All Managers region.

Regions are only a way to group the managers on the ESM console. Symantec ESM does not use regions in policy executions or in any of the administrative functions. Symantec ESM stores the region information along with your user preferences in your ESM console account workspace of the registry.

Adding a region to the ESM console

You can add regions to the ESM console as needed.

To add a new region

1 Do one of the following:
On the enterprise tree, right-click My ESM Enterprise, and click New Region.
From the toolbar, click the File menu and then click New Region.
2 In the Enter New Region Name dialog box, enter the name of the new region.

Renaming a region

You can rename a region as necessary. However, you cannot rename the default All Managers region.

To rename a region

1 On the enterprise tree, right-click the region that you want to rename.
2 Click Rename.
3 In the New Region Name box, type the new name for the region. Region names can contain up to 253 characters and can include special characters. You cannot leave a region name blank.

Deleting a region from the ESM console

You can delete a region that you no longer need from the ESM console.

To delete a region from the ESM console

On the enterprise tree, right-click the region and then click Delete.

Adding a manager to the ESM console

You can add managers to the ESM console at any time by using the New Manager dialog box.

To add a manager to the ESM console

1 Do one of the following:
On the console task bar, click File > New Manager.
On the enterprise tree, right-click My ESM Enterprise, then click New Manager.
Right-click the All Managers region, then click Add Manager.
2 In the New Manager dialog box, in the Manager text box, type the name of the ESM manager that you want to add to the ESM console.
3 In the Manager account information section, do the following:
In the Name text box, type the name of the manager user account that you want to use to connect to the manager.
In the Password text box, type the password of the user account.
Check Save this name and password if you want to cache your manager user account. If you cache the manager user account, you can connect to the manager without supplying your manager user account credentials.

4 In the Port text box, enter the port number that the new manager will use to connect to the console. The value by default is
5 Click Add to add the manager to the ESM console.
6 Click Close after adding the last manager connection.

Adding a manager to a region

You can add managers to a region by copying or moving the managers. You can move a manager from one region to another as your needs change. The manager's functionality is not affected if you move the manager from one region to another. You can move or copy a manager to and from regions. To copy a manager to a region, drag and drop the manager onto the region.

To add a manager to a region

1 On the enterprise tree, right-click the region and click Add manager.
2 Select the managers that you want to add to the region from the Available managers list. Click the left arrow to move the managers.

The Available managers list displays the managers that are not part of the region. The Included managers list displays the managers that are in the region, or that were added to the region. To add a manager that is not on the Available managers list, you must first connect the ESM console to the manager.

Removing a manager from a region

You can remove a manager from any region at any time. You can delete or move a manager to remove it from a region. The Available managers list displays the managers that are not part of the region. The Included managers list displays the managers that are in the region, or the managers that were added to the region.

Note: Remove the manager from the local setup only when you want to disconnect the ESM console from the manager.

To remove or delete a manager from a region

1 On the enterprise tree, right-click a manager within a region.
2 Click Delete > From Region.

To move a manager from a region

1 On the enterprise tree, right-click the region and click Add manager.
2 From the Included managers list, select the managers that you want to remove from the region.
3 Click the right arrow to move the managers.

Deleting a manager from the ESM console

You can delete a manager from the ESM console if you no longer want to include it in any displays.

To delete a manager from the ESM console

On the enterprise tree, right-click the manager and click Delete > From Local Setup.

Symantec ESM removes the manager from the ESM console, along with all locally cached summary data that is associated with the manager. Symantec ESM stores summary data in the manager sumfinal database. If you reconnect the ESM console to the manager, Symantec ESM restores the summary data that is associated with that manager to the ESM console.

Displaying a manager name

You can find a manager name in the ESM console. The name of the manager can be any one of the following:

The IP address of the computer on which the ESM manager is installed.
The hostname of the computer on which the ESM manager is installed.
The Fully Qualified Domain Name (FQDN) of the computer on which the ESM manager is installed. The FQDN of the manager is displayed if the manager resides within a domain.

To display the manager name from the ESM console

1 On the enterprise tree, right-click the manager and click Properties.
2 Click the License tab.

To display the manager name without using the ESM console

Do one of the following:

For Windows operating systems, go to Start > Settings > Control Panel > System, and then click the Network Identification tab. The procedure for

other Windows operating systems may vary. Consult the Windows help for detailed instructions.
For UNIX operating systems, use the hostname command.

Moving an installed manager

You must take appropriate steps to restore the manager operations if you move the ESM manager to another host computer. In this version of ESM, the permanent licenses are not associated with the name of the computer on which you install the manager. The ESM features Move agents, Export agent list, and Agent Recovery Re-registration can be used to restore the agents to a new manager.

To move a manager to a different computer

1 List the agent computers that are currently registered to the manager. You can use the Export Agent List feature to obtain a copy of the All Agents domain.
2 Copy the manager .dat files to a temporary folder. On Windows operating systems, copy the files from the symantec\enterprise Security Manager\esm\system\<computer_name>\db folder. On UNIX operating systems, copy the files from the /esm/system/<computer_name>/db directory.
3 Revoke the licenses assigned to the manager. You can revoke the licenses only if the licenses to that manager are assigned through the ESM 10.0 console.

Note: The ESM version of the target computer must be the same as the ESM version of the source computer.

4 Uninstall the manager software from the current host computer.
5 Install the manager software on the target computer and assign licenses from the ESM console to the new manager.
6 Stop the manager and the agent processes. On computers with Windows operating systems, stop the Symantec ESM Manager and the Symantec ESM Agent services. On computers with UNIX operating systems, stop the Symantec ESM daemons.

7 Copy the .dat files from the temporary directory. On computers with Windows operating systems, copy the files to the symantec\enterprise Security Manager\esm\<computer>\<computer_name>\db folder. On computers with UNIX operating systems, copy the files to the symantec/enterprise Security Manager/esm/<computer>\<computer_name>\db directory.
8 Copy the Reports folder. On computers with Windows operating systems, copy the files to the symantec\enterprise Security Manager\esm\<computer>\<computer_name>\reports folder. On computers with UNIX operating systems, copy the files to the symantec/enterprise Security Manager/esm/<computer>\<computer_name>\reports directory.
9 Restart the manager and the agent processes.
10 Register all of the previously registered agents to the manager. You can use the Agent recovery re-registration feature to register the agents. See About agent recovery re-registration on page 125.

Do not register an agent to an earlier version of a manager. Instead, upgrade all managers on the network to the latest Symantec ESM version before you register the agent.

To move the manager to a computer with the same name

1 Back up the volume that contains the Symantec directory. List the agent computers that are currently registered to the manager. You can use the Export agent list feature to obtain a copy of the All Agents domain.
2 Revoke the licenses assigned to the manager. You can revoke the licenses only if the licenses to that manager are assigned through the ESM 10.0 console.
3 Change the computer hardware.
4 Assign the original computer ID to the new computer.
5 Reinstall the manager software on the new computer and assign licenses from the ESM console to the new manager. When you reinstall the manager, ESM restores all the necessary computer settings on computers with Windows operating systems.

6 Copy the backup volume that contains the Symantec directory to the same volume on the new computer.
7 Register all of the previously registered agents to the manager. You can use the Agent recovery re-registration feature to register the agents.

To change a manager name

1 List the agent computers that are currently registered to the manager. You can use the Export agent list feature to obtain a copy of the All Agents domain.
2 Revoke the licenses assigned to the manager. You can revoke the licenses only if the licenses to that manager are assigned through the ESM 10.0 console.
3 After you change the manager host name and restart the computer, reinstall the manager on the computer and assign licenses from the ESM console to the manager. When you reinstall the manager, ESM restores all the necessary computer settings on computers with Windows operating systems.
4 Register all of the previously registered agents to the manager. You can use the Agent recovery re-registration feature to register the agents.

About locking an SU level on the manager

You can lock an SU version on a manager so that the manager is not updated with the contents of a higher SU version. When you lock an SU version, the SU content on the manager is not updated even when you register an agent with a higher SU to the manager. The agent still registers successfully to the manager although the SU contents are not updated on the manager. This feature helps you maintain a consistent environment in your enterprise in terms of policy runs and compliance reports.

At any point in time, the SU version that is displayed on the console in the manager properties is the SU level of the highest SU installed on an agent that is registered to that manager. If you unregister the agent with the highest SU, then the manager compares the SU level of the unregistered agent and the SU level of the remaining agents. The console displays either the SU version of the unregistered agent or the highest SU version among the remaining agents, whichever is higher. This scenario occurs when you delete, unregister, or move an agent from a manager.

The highest SU version among all the agents that are registered to a manager determines the SU lock level on the manager. For example, you have two agents registered to Manager1. One agent has SU 32 installed and one agent has SU 36 installed. The SU level that you can lock on Manager1 is SU 36.

Note: You can use the SU lock-down feature only for ESM or later consoles, managers, and agents. For ESM Manager, the ESM agent must be of version only. For ESM 10.0 there is no such limitation.

For example, you have an ESM manager Manager1 that you have locked for SU 35. Agent1 is registered to Manager1 and has SU 36 installed. The SU contents of Agent1 do not update the contents of Manager1 even when you do any of the following:

When you register or re-register Agent1 with a higher SU to Manager1 that has a lower SU. You can register or re-register an agent by using any of the following methods:
By using the registration menu for a UNIX agent and by using the registration wizard for a Windows agent.
By using register.exe.
By performing a silent registration.
By performing a silent installation and registration.
When you move Agent1 with a higher SU to Manager1 that has a lower SU.
When you import an agent list by using the Agent Recovery Registration option on Manager1 that has a lower SU.
When you apply a TPK on Agent1.
When you apply LiveUpdate of a higher SU version from the ESM console.

The manager prevents SU updates on its database (CDB) if it cannot detect the SU version of the agent during registration. This may also happen if you register the agent without providing the -r or the -A switches. In such scenarios, an appropriate message is entered in the manager log file.

Note: After you register an agent, refer to the manager log file to verify whether the manager has been updated with the SU or not.

Locking and unlocking an SU level on the manager

You can lock an SU version on a manager so that the manager is not updated with the contents of a higher SU version. You must have ESM or later console, manager, and agent to use the SU lock-down feature. For ESM Manager, the ESM agent must be the version only. This limitation does not exist for ESM

If the manager does not have any agents registered, then the value for SU level is displayed as 0.

If the manager that you have selected is not locked yet, then the Current SU lock level is displayed as N/A.

Note: You can lock the manager only at the SU level that is displayed in the Maximum SU level at which the manager can be locked field.

Locking an SU level on the manager

1 On the enterprise tree, right-click the manager that you want to lock, and then click Properties.
2 On the General tab, in the SU Locking area, do the following and then click OK:

Lock SU level to: Check to lock the manager at the highest available SU level.

Allow SU updates up to current lock level: Click to allow the manager to be updated with SU content up to the level at which the manager is locked. A higher SU version cannot update the manager.

Block all SU updates to this manager: Click to prevent the manager from being updated with SU content that is higher or lower than the current SU lock level.

Note: A manager can be locked in either the "Block all SU updates" or the "Allow SU updates up to current lock level" state, and it can be switched from one state to the other. For example, if a manager is locked for "Block all SU updates", it can be switched to "Allow SU updates up to current lock level", and if a manager is locked for "Allow SU updates up to current lock level", it can be switched to "Block all SU updates".

To unlock an SU level on the manager

1 On the enterprise tree, right-click the manager that you want to unlock, and then click Properties.
2 Check the Unlock SU level check box, and then click OK.
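The SU lock-down behaviour described in the two sections above, as an added example that is not Symantec's code: a Python model of a manager's lock level, its two locked states and the undetected-SU case, in which the Manager class, its method names and the in-memory log list standing in for the manager log file are mine.

```python
"""Model of the SU lock-down behaviour described in this chapter.  Added
example, not Symantec's code; it reproduces only the stated rules: the level
a manager can be locked at is the highest SU among its registered agents
(0 with none registered); an unlocked manager takes SU content from any agent
with a higher SU; "Allow SU updates up to current lock level" accepts SU
content up to the lock level and nothing higher; "Block all SU updates to
this manager" accepts no SU content, higher or lower; an agent whose SU is
not detected at registration never updates the manager database (CDB), and a
message goes to the manager log.  Modelling assumption: accepted SU content
that is not higher than what the CDB already holds changes nothing."""

UNLOCKED = "unlocked"
ALLOW_UP_TO_LOCK = "Allow SU updates up to current lock level"
BLOCK_ALL = "Block all SU updates to this manager"


class Manager:
    """An ESM manager with its registered agents, CDB SU level and lock state."""

    def __init__(self, name):
        self.name = name
        self.agents = {}        # agent name -> SU version, or None if not detected
        self.cdb_su = 0         # SU content level currently in the manager CDB
        self.lock_level = None  # None is shown as N/A in the manager properties
        self.mode = UNLOCKED
        self.log = []           # stand-in for the manager log file
        self.displayed_su = 0   # SU version shown in the manager properties

    def max_lockable_su(self):
        """The 'Maximum SU level at which the manager can be locked' field."""
        known = [su for su in self.agents.values() if su is not None]
        return max(known) if known else 0

    def lock(self, mode):
        """The 'Lock SU level to' option: lock at the highest available SU
        level, or switch an already locked manager between the two states."""
        if mode not in (ALLOW_UP_TO_LOCK, BLOCK_ALL):
            raise ValueError(f"unknown SU lock mode: {mode!r}")
        if self.lock_level is None:
            self.lock_level = self.max_lockable_su()
        self.mode = mode

    def unlock(self):
        """The 'Unlock SU level' check box."""
        self.lock_level = None
        self.mode = UNLOCKED

    def _accepts_su(self, su):
        """Would SU content at this level be applied to the CDB right now?"""
        if self.mode == BLOCK_ALL:
            return False
        if self.mode == ALLOW_UP_TO_LOCK and su > self.lock_level:
            return False
        return su > self.cdb_su

    def register(self, agent, su):
        """Register, re-register, move or recover an agent.  The agent always
        registers; the return value says whether its SU updated the CDB."""
        self.agents[agent] = su
        if su is None:
            self.log.append(f"{agent}: SU version not detected, CDB not updated")
            return False
        self.displayed_su = self.max_lockable_su()
        if self._accepts_su(su):
            self.cdb_su = su
            self.log.append(f"{agent}: CDB updated to SU {su}")
            return True
        self.log.append(f"{agent}: SU {su} not applied ({self.mode}, "
                        f"lock level {self.lock_level}, CDB at SU {self.cdb_su})")
        return False

    def unregister(self, agent):
        """Delete, unregister or move an agent away.  The displayed SU becomes
        the higher of the removed agent's SU and the highest remaining SU."""
        removed = self.agents.pop(agent)
        self.displayed_su = max(self.max_lockable_su(), removed or 0)
```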

Configuring logging levels for the manager

You can configure the logging levels for the manager by setting the ESM_LOG_LEVEL variable in manager.conf. The default level is 0, and you can set the variable to a value from 0 to 7, where 7 is the highest logging level. The manager.conf file is located in <Install_dir\config\> on Windows computers and in /esm/config/ on UNIX computers.

About configuring the agents and domains

A domain consists of one or more agents that are grouped together to run policies. Managers create the following domains by default:

All Agents domain: This domain includes all of the agents that are registered to the manager. Symantec ESM automatically adds any new agents that you register with the manager to the All Agents domain.

Operating system domains: These domains include the registered agents that are running the same operating system. For example, the UNIX domain includes the agents that run on computers with UNIX operating systems. Managers automatically create the correct operating system domain when the first agent on an operating system registers with the manager. Symantec ESM adds other agents with the same operating system to the domain as they register with the manager.

In addition to the default domains, you can create custom domains and add agents as necessary to support the needs of the organization. Symantec ESM lets you duplicate, rename, or delete these user-created domains.

If you remove or unregister an agent from a manager, Symantec ESM removes the agent from the following domains:

All Agents domain
Related operating system domain
Any other domains that contain the agent

Note: Your user account must have the "Modify Domains" right to modify the domain properties.

Creating a new domain

Symantec ESM lets you create your own domains. You can use these domains to group agents by function, location, or organizational structure, such as finance, development, or sales. You can also group agents according to any other classification that you specify.

To create a new domain, the account that you use to connect the ESM console to the manager must have the Create New Domains permission. Users that are restricted from viewing specific domains can access new domains after getting permissions from the following accounts:

Superuser account
Any account that has unrestricted domain access

To create a new domain

1 On the enterprise tree, right-click Domains.
2 Click New domain.
3 Type the name of the new domain. Domain names can have up to 61 characters, and you can use special characters in the name.

Renaming a domain

You can rename any existing domain, except the All Agents domain, by using the Duplicate option. The default domains such as All Agents and UNIX Agents cannot be deleted. To rename a domain, the account that you use to connect the ESM console to the manager must have the Create New Domains permission.

To rename a domain using the Duplicate feature

1 On the enterprise tree, right-click the domain and then click Duplicate.
2 In the Copy Domain dialog box, in the New Domain Name text box, type the name of the new domain.
3 Delete the old domain.

Duplicating a domain

Instead of creating a new domain, you can do the following:

Duplicate an existing domain.
Give the duplicate a new name.
Edit the new domain by adding or deleting agents.

To duplicate a domain, your user account must have the following access rights:

The default permissions are granted on the duplicated domain if your user account does not have the required access rights on the domain. You can duplicate a domain either by right-clicking the domain node or by using the -D option of the Create domain command.

To duplicate a domain by right-clicking the domain node

1 On the enterprise tree, right-click the domain and then click Duplicate.
2 In the Copy Domain dialog box, in the New Domain Name text box, type the name of the new domain.
3 In the Description box, enter a brief description of the domain. This field is optional.
4 Check the Duplicate Access Permissions check box if you want to replicate the access rights of the current user account on the duplicated domain. The Duplicate Access Permissions check box is available only if your user account has sufficient rights.

Deleting a domain

You can delete any existing domain except the All Agents domain. The default operating system domains must contain no agents before you can delete them. Agents are automatically placed in the default operating system domains when they are registered to a manager. The only way to remove agents from the default operating system domains is to unregister the agents from the manager. To delete a domain, the account that you use to connect the ESM console to the manager must have the Create New Domains access right.

To delete a domain

1 On the enterprise tree, expand the Domain node and then right-click the domain that you want to delete.
2 Click Delete.

Adding an agent to a domain

Symantec ESM lets you organize the agent computers into domains on the manager. You may add an agent to more than one domain on more than one manager. You can drag and drop individual agents into a specific domain in the ESM console. When several agents are involved, you can use the Add Agent dialog box.

To add an agent to an established domain, the agent must belong to the All Agents domain. The account that you use to connect the ESM console to the manager must have both the Modify and Create New Domains access rights enabled. The Available agents list displays the agents that are not part of the domain. The Included agents list displays the agents that are in the domain.

To copy an agent to a domain

Drag and drop the agent onto the domain. Symantec ESM copies the agent to the domain. It does not remove the agent from the original domain.

To add an agent to a domain

1 On the enterprise tree, right-click the domain and then click Add agent.
2 Select the agents on the Available Agents list that you want to add to the domain, and then click the left arrow to move the agents. To add an agent that is not on the Available agents list, you must first register the agent with the manager.

Searching an agent

You can search for agents from any node in the enterprise tree. For an agent to be searchable, the manager that the agent is registered to must be connected to the console.

To search an agent

1 In the enterprise tree, right-click any node and click Search Agent from the menu that appears.
2 In the Search agents in treeview dialog box, type the keyword for the agent that you want to search for. You can use the asterisk (*) as a wildcard. For example, if you type *xyz, the search result shows all the agent names that end with xyz. If you type xyz*, the search result shows all the agent names that begin with xyz. If you type xy*z, the search result shows all the agent names that begin with xy and end with z.
3 If you want to search for the exact agent name, then check Match complete string.
4 If you want the search criteria to follow the rules of a regular expression, then check Regular Expression. Table 3-1 lists the regular expression operators and their descriptions.

5 If you want to specify the ESM manager to which the agent is registered, then click the manager in the Manager name drop-down list. Only the managers that are connected to the console are displayed in the drop-down list.
6 If you want to specify the domain, then click a domain in the Domain name drop-down list. The Domain name drop-down list becomes available only after you click a manager name in the Manager name drop-down list.
7 Click Search. The Search Results list box displays the agents that match your query. If the Domains node is not enumerated, then only the All Agents domain is searched for the agent. Also, if the Domains node is not enumerated, then the Expand domains of this manager before navigating to the agent check box becomes available.
8 Select the agent from the Search Results list box, and then check Expand domains of this manager before navigating to the agent.
9 Click Auto Navigate. The agent that you searched for appears selected in the enterprise tree.

Table 3-1 Regular expression operators and description

Operator   Description

.          Any single character. For example: h.t matches hat, hit, hot and hut.

[ ]        Any one of the characters in the brackets, or any of a range of characters separated by a hyphen (a character class operator). For example: h[aeiou][a-z] matches hat, hip, hit, hop, and hut; [A-Za-z] matches any single letter; x[0-9] matches x0, x1, ..., x9.

[^ ]       Any character except those after the caret sign. For example: h[^u]t matches hat, hit, and hot, but not hut.

^          The start of a line (column 1).

Table 3-1 Regular expression operators and description (continued)

Operator  Description
$         The end of a line, but not the line break characters. Use this for restricting matches to characters at the end of a line. For example: 'end$' only matches 'end' when it is the last word of a line. '^end' only matches 'end' when it is the first word of a line.
*         Matches zero or more of the preceding characters or expressions. For example: 'ho*p' matches 'hp', 'hop' and 'hoop'. But *hop* does not work.
?         Matches zero or one of the preceding characters or expressions. For example: 'ho?p' matches 'hp', and 'hop', but not 'hoop'.
+         Matches one or more of the preceding characters or expressions. For example: 'ho+p' matches 'hop', and 'hoop', but not 'hp'.

Viewing agent information
Symantec ESM lets you view information about each agent that is registered to a manager. The Agent properties window provides tabs with the following information:
- Agent name.
- IP addresses of the agent computer.
- FQDN of the agent computer.
- Hostname of the agent computer.
- Operating system that is running on the agent.
- Details about the operating system that includes service packs, version, and build number.
- Symantec ESM agent version.
- Protocol that the agent uses to communicate with the manager.
- Proxy agent name. This name is the agent name if proxy agents are not used.

- A check box that indicates whether LiveUpdate is enabled on the agent. You can uncheck this box to prevent the manager from updating an agent. The agent cannot accept LiveUpdates if you have not enabled LiveUpdates during agent installation. You can also enable LiveUpdate by using the LiveUpdate wizard or the Registration wizard after the agent installation. The status of this check box does not matter if you have not enabled LiveUpdate on the agent computer.
- A text box that you can use to record information about the agent, such as the role that the computer plays in your network.
The Modules tab displays version information for each module. Because granular LiveUpdates only update modules when they are used in a policy run, the module versions may differ.
The Applications tab displays information about the applications that have been discovered using Symantec ESM application modules. This information includes the application versions and shows whether the latest patches are installed on the applications.

To view agent information
1 On the enterprise tree, right-click the agent and click Properties.
2 Click the tab that you want to view.

Deleting an agent from a manager
You can delete an agent from the manager to prevent the manager from reporting any summary data about the agent. Deleting the agent only removes the connection between the agent and the manager. It does not remove the agent software from the agent computer.
After you delete an agent from a manager, you must update the Policy Runs node manually to update the policy run reports. The entries of the agent are removed from the policy run reports only after you update the Policy Runs node.
See Updating the policy run information on page 165.
To restore a deleted agent, you must re-register the agent with the manager.

To delete an agent from the manager
1 On the enterprise tree, right-click the agent and click Delete.
2 Click From manager (unregister).
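The agent search modes described under Searching an agent (the asterisk wildcard, Match complete string, and Regular Expression using the Table 3-1 operators), as an added example in Python that is not part of the guide or of the ESM product. The agent inventory is constructed, and the exact matching rules of the console (anchored wildcard, substring match for a plain keyword, case-sensitive comparison) are assumptions.

```python
import re

# Constructed sample agent inventory; not taken from any real manager.
AGENTS = ["webxyz", "xyzdb", "xy-prod-z", "xyz", "mail01", "XYZ-legacy"]


def wildcard_to_regex(keyword: str) -> str:
    """Translate the console's asterisk wildcard into an anchored regex.

    Assumption: a keyword containing '*' is matched against the whole agent
    name, so '*xyz' means 'ends with xyz', 'xyz*' means 'begins with xyz'
    and 'xy*z' means 'begins with xy and ends with z', as the guide's
    examples describe. Everything except the asterisk is matched literally.
    """
    parts = keyword.split("*")
    return "^" + ".*".join(re.escape(part) for part in parts) + "$"


def search_agents(agents, keyword, match_complete=False, regex=False):
    """Return the agent names that match keyword under the chosen search mode.

    regex=True          keyword is a regular expression (Table 3-1 operators).
    match_complete=True the whole agent name must match, not just part of it.
    Otherwise the keyword is a plain substring, or a wildcard if it has '*'.
    Assumption: matching is case-sensitive, so 'xyz' does not find 'XYZ-legacy'.
    """
    if regex:
        pattern = re.compile(keyword)
        if match_complete:
            return [a for a in agents if pattern.fullmatch(a)]
        return [a for a in agents if pattern.search(a)]
    if match_complete:
        return [a for a in agents if a == keyword]
    if "*" in keyword:
        pattern = re.compile(wildcard_to_regex(keyword))
        return [a for a in agents if pattern.match(a)]
    return [a for a in agents if keyword in a]


if __name__ == "__main__":
    for kw in ("*xyz", "xyz*", "xy*z"):
        print(f"{kw:>6} -> {search_agents(AGENTS, kw)}")
    print("regex ^mail[0-9]+$ ->", search_agents(AGENTS, "^mail[0-9]+$", regex=True))
```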

Note: Use the From manager (Unregister) option only when you want to delete an agent from the manager completely. ESM does not uninstall the agent software on the host computer if you unregister an agent from the manager.

Deleting an agent from a domain
To delete an agent from a domain, the account that is used to connect the console to the manager must have the Modify access rights. The Available agents list displays agents that are not part of the existing domain. The Included agents list displays agents that are in the domain, or have been added to the domain.

To delete an agent from a domain
1 On the enterprise tree, expand the domain that contains the agent that you want to delete.
2 Right-click the agent that you want to delete and then click Delete > From domain.
Alternatively, perform the following steps:
- On the enterprise tree, right-click the domain that contains the agent that you want to delete, and then click Add agent.
- In the Included agents list, select the agents that you want to remove from the domain, and then click the right arrow to remove the agents.

About moving ESM agents across managers
You can move agents across the managers to meet the needs of your organization. This functionality makes it easy to manage the managers and agents remotely. You can move a single agent or a group of agents across the managers from the ESM console.
When you move an agent to a manager, the agent is automatically registered to the target manager. You do not have to register the agent manually to the target manager. Moreover, the agent that you move automatically gets unregistered from the source manager.
You cannot move an ESM agent to a target manager if the version of the target manager is earlier than the version of the agent. For example, you cannot move an ESM agent to an ESM or 6.0 manager.
Before you move an agent to a target manager, you must ensure that there are no current or scheduled policy runs on the agent. You must import the available policy run data from the agent by using the Reporting Database Link or the Database Conversion tool.

You can do the following when you move an agent to a new manager:
- Select one or multiple agents to move across managers.
- Connect to the target manager by either using the account information of the source manager or by using new account information.
- Delete or retain the raw reports that are stored on the source manager.
You can move agents from a manager or a domain by using the following options:
- Right-click an agent, a manager, or a domain and click Move agent.
- Use the drag and drop functionality.
You may choose to cancel a move of multiple agents to the target manager before the operation is complete. However, only the agents that are not yet moved are held back from being moved. In case of a single agent, you cannot cancel moving the agent to the target manager after you have started the operation.
After you move an agent from a manager, you must update the Policy Runs node manually to update the policy run reports. The previous entries of the agent are removed from the policy run reports only after you update the Policy Runs node.
You must have write permissions on the domain that contains the agent that you want to move. If you want to move the agent to a new domain or to an existing domain, the user account of the target manager must have the following rights:
- Create new domains.
- Modify all domains.
- Register agents with manager.
- Modify all policies.
- Create all domains.
You must have the Create all domains right if you want to move an agent to a newly created domain.

Note: The move agents functionality is not available for ESM 6.0 agents and ESM 6.0 managers.

See Moving an agent from a manager by right-clicking the agent on page 91.
See Moving an agent from a manager by right-clicking the manager on page 92.
See Moving agents from a manager by dragging and dropping the source manager on page 94.
See Moving an agent from a manager by dragging and dropping on the target manager on page 95.

See Moving an agent from a domain by dragging and dropping on the target manager on page 96.
See Moving agents by right-clicking a domain on page 98.

Moving an agent from a manager by right-clicking the agent
You can move an agent from a manager by right-clicking the agent that you want to move.

To move an agent from a manager by right-clicking the agent
1 Right-click the agent that you want to move and click Move Agent from the menu that appears.
2 In the Move Agent from dialog box, the Manager Name drop-down list in the Target Manager section displays the managers that are in a connected state. Click the manager to which you want to move the agent.
3 Check Use Credentials Of The Source Manager if you want to use the credentials of the source manager to access the new manager.
When you check Use Credentials Of The Source Manager, the Access Name and the Password fields become unavailable.
4 If you do not want to use the credentials of the source manager for the new manager, then do the following:
- In the Access Name text box, type the user name that you want to use to access the new manager.
- In the Password text box, type the password that you want to use to authenticate your user name.
5 In the Domain Name on the Target Manager section, do one of the following:
- Click Create New Domain to create a new domain for the agent that you want to move. In the Domain Name text box, type a name that you want for the new domain.
- Click Use Existing Domain to use the existing domain name. The Domain Name drop-down list contains the All Agents domain name and the names of the customized domains on the target manager.
6 Check Delete Raw Reports from the Source Manager to remove the existing reports of the selected agent from the source manager.

7 Click Move.
The Moving Agent(s) dialog box displays the names of the source manager and the target manager. The Moving Agent(s) dialog box also displays the progress of agent registration.
8 Click Cancel to cancel the agent registration or click Done when the registration is complete.

See Moving an agent from a manager by right-clicking the manager on page 92.
See About moving ESM agents across managers on page 89.
See Moving agents from a manager by dragging and dropping the source manager on page 94.
See Moving an agent from a manager by dragging and dropping on the target manager on page 95.
See Moving an agent from a domain by dragging and dropping on the target manager on page 96.
See Moving agents by right-clicking a domain on page 98.

Moving an agent from a manager by right-clicking the manager
You can move an agent from a manager by right-clicking the source manager.

To move the agents from a manager by right-clicking the manager
1 Right-click the manager from which you want to move agents and click Move Agents from the menu that appears.
2 In the Move agent(s) dialog box, select the agents that you want to move from the Available Agent(s) list box.
You can select one, multiple, or all agents from the Available Agent(s) list box. To select multiple agents, press the Ctrl key while you select each agent. To select all the agents in the Available Agent(s) list box, select the first agent, press the Shift key and then select the last agent.
3 Click >> to add the selected agents to the Selected Agent(s) list box.
4 Click Next.
5 In the Move Agent from dialog box, the Manager Name drop-down list in the Target Manager section displays the managers that are in a connected state. Click the manager to which you want to move the selected agents.

6 In the Account Information section of the Move Agent from dialog box, check the Use Credentials Of The Source Manager option.
If you check the Use Credentials Of The Source Manager option, you can use the credentials of the source manager to access the new manager. When you check Use Credentials Of The Source Manager, the Access Name and the Password fields become unavailable.
7 If you do not want to use the credentials of the source manager to access the new manager, then do the following:
- In the Access Name text box, type the user name that you want to use to access the new manager.
- In the Password text box, type the password that you want to use to authenticate your user name.
8 In the Domain Name on the Target Manager section, do one of the following:
- Click Create New Domain to create a new domain for the agent that you want to move. In the Domain Name text box, type a name that you want for the new domain.
- Click Use Existing Domain to use the existing domain name. The Domain Name drop-down list contains the All Agents domain name and the names of the customized domains on the target manager.
9 Check Delete Raw Reports from the Source Manager to remove the existing reports of the selected agent from the source manager.
10 Click Move.
The Moving Agent(s) dialog box displays the names of the source manager and the target manager. The Moving Agent(s) dialog box also displays the progress of agent registration.
11 Click Cancel to cancel the agent registration or click Done when the registration is complete.

See About moving ESM agents across managers on page 89.
See Moving an agent from a manager by right-clicking the agent on page 91.
See Moving agents from a manager by dragging and dropping the source manager on page 94.
See Moving an agent from a manager by dragging and dropping on the target manager on page 95.
See Moving an agent from a domain by dragging and dropping on the target manager on page 96.

See Moving agents by right-clicking a domain on page 98.

Moving agents from a manager by dragging and dropping the source manager
You can move the agents from a manager by dragging and dropping the manager that contains the agents that you want to move.

Note: You must have the Create all domains right if you want to move an agent to a newly created domain.

To move an agent from a manager by using the drag-and-drop functionality
1 Select the manager that contains the agents that you want to move and drag and drop it on the target manager.
The target manager must be connected to the console.
2 In the Move agent(s) dialog box, select the agents that you want to move from the Available Agent(s) list box.
You can select one, multiple, or all agents from the Available Agent(s) list box. To select multiple agents, press the Ctrl key while you select each agent. To select all the agents that are listed in the Available Agent(s) list box, select the first agent, press the Shift key and then select the last agent in the list box.
3 Click >> to add the selected agents to the Selected Agent(s) list box.
4 Click Next.
5 In the Move Agent(s) from dialog box, the Manager Name drop-down list in the Target Manager section displays the IP address of the target manager.
6 In the Account Information section, check Use Credentials Of The Source Manager if you want to use the same credentials to access the new manager.
When you check Use Credentials Of The Source Manager, the Access Name and the Password fields become unavailable.
7 If you do not want to use the same credentials for the new manager as that of the source manager, then do the following:
- In the Access Name text box, type the username that you want to use to access the new manager.
- In the Password text box, type the password that you want to use to authenticate your username.
8 In the Domain Name on the Target Manager section, do one of the following:

- Click Create New Domain if you want to create a new domain for the agent that you want to move. In the Domain Name text box, type a name for the new domain.
- Click Use Existing Domain if you want to use the existing domain name.
9 Check Delete Raw Reports from the Source Manager if you want to remove the existing reports of the selected agent.
10 Click Finish.
The Moving Agent(s) dialog box displays names of the source manager and the target manager. The Moving Agent(s) dialog box also displays the progress of agent registration. Click Cancel if you want to cancel the agent registration or click Done when the registration is complete.

See About moving ESM agents across managers on page 89.
See Moving an agent from a manager by right-clicking the agent on page 91.
See Moving an agent from a manager by right-clicking the manager on page 92.
See Moving an agent from a manager by dragging and dropping on the target manager on page 95.
See Moving an agent from a domain by dragging and dropping on the target manager on page 96.
See Moving agents by right-clicking a domain on page 98.

Moving an agent from a manager by dragging and dropping on the target manager
You can move an agent from a manager by dragging and dropping the agent on the target manager.

To move an agent from a manager by using the drag and drop functionality
1 Select the agent that you want to move and drag and drop the agent on the target manager.
The target manager must be connected to the ESM console.
2 In the Account Information section of the Move Agent from dialog box, check Use Credentials Of The Source Manager if you want to use the credentials of the source manager.
If you check Use Credentials Of The Source Manager, you can access the new manager by using the credentials of the source manager. When you check Use Credentials Of The Source Manager, the Access Name and the Password fields become unavailable.
3 If you do not want to use the credentials of the source manager, then do the following:

- In the Access Name text box, type the user name that you want to use to access the new manager.
- In the Password text box, type the password that you want to use to authenticate your user name.
4 In the Domain Name on the Target Manager section, do one of the following:
- Click Create New Domain to create a new domain for the agent that you want to move. In the Domain Name text box, type a name that you want for the new domain.
- Click Use Existing Domain to use the existing domain name. The Domain Name drop-down list contains the All Agents domain name and the names of the customized domains on the target manager.
5 Check Delete Raw Reports from the Source Manager to remove the existing reports of the selected agent from the source manager.
6 Click Move.
The Moving Agent(s) dialog box displays the names of the source manager and the target manager. The Moving Agent(s) dialog box also displays the progress of agent registration.
7 Click Cancel to cancel the agent registration or click Done when the registration is complete.

See About moving ESM agents across managers on page 89.
See Moving an agent from a manager by right-clicking the agent on page 91.
See Moving an agent from a manager by right-clicking the manager on page 92.
See Moving agents from a manager by dragging and dropping the source manager on page 94.
See Moving an agent from a domain by dragging and dropping on the target manager on page 96.
See Moving agents by right-clicking a domain on page 98.

Moving an agent from a domain by dragging and dropping on the target manager
You can move an agent from a domain by dragging and dropping the agent from the domain onto the target manager.

Note: You must have the Create all domains right if you want to move an agent to a newly created domain.

To move agents from a domain using drag and drop functionality
1 Select the domain from which you want to move agents and drop it on the target manager.
The target manager must be connected to the ESM console.
2 In the Account Information section of the Move Agent from dialog box, check Use Credentials Of The Source Manager.
If you check Use Credentials Of The Source Manager, you can use the credentials of the source manager to access the new manager. When you check Use Credentials Of The Source Manager, the Access Name and the Password fields become unavailable.
3 If you do not want to use the same credentials for the new manager as that of the source manager, then do the following:
- In the Access Name text box, type the user name that you want to use to access the new manager.
- In the Password text box, type the password that you want to use to authenticate your user name.
4 In the Domain Name on the Target Manager section, do one of the following:
- Click Create New Domain to create a new domain for the agent that you want to move. In the Domain Name text box, type a name that you want for the new domain.
- Click Use Existing Domain to use the existing domain name. The Domain Name drop-down list contains the All Agents domain name and the names of the customized domains on the target manager.
5 Check Delete Raw Reports from the Source Manager to remove the existing reports of the selected agent from the source manager.
6 Click Move.
The Moving Agent(s) dialog box displays the names of the source manager and the target manager. The Moving Agent(s) dialog box also displays the progress of agent registration.
7 Click Cancel to cancel the agent registration or click Done when the registration is complete.

See About moving ESM agents across managers on page 89.
See Moving an agent from a manager by right-clicking the agent on page 91.

See Moving an agent from a manager by right-clicking the manager on page 92.
See Moving agents from a manager by dragging and dropping the source manager on page 94.
See Moving an agent from a manager by dragging and dropping on the target manager on page 95.
See Moving agents by right-clicking a domain on page 98.

Moving agents by right-clicking a domain
You can move agents from a domain by right-clicking the domain from which you want to move the agents.

To move agents from a domain using the right-click menu
1 Right-click the domain from which you want to move agents and click Move Agents from the menu that appears.
2 In the Move Domain from dialog box, the Manager Name drop-down list in the Target Manager section displays the managers that are in a connected state. Click the manager to which you want to move the agent.
3 In the Account Information section of the Move Agent from dialog box, check the Use Credentials Of The Source Manager option.
If you check Use Credentials Of The Source Manager, you can use the credentials of the source manager to access the new manager. When you check Use Credentials Of The Source Manager, the Access Name and the Password fields become unavailable.
4 If you do not want to use the credentials of the source manager to access the new manager, then do the following:
- In the Access Name text box, type the user name that you want to use to access the new manager.
- In the Password text box, type the password that you want to use to authenticate your user name.
5 In the Domain Name on the Target Manager section, do one of the following:
- Click Create New Domain to create a new domain for the agent that you want to move. In the Domain Name text box, type a name that you want to give for the new domain.
- Click Use Existing Domain to use the existing domain name. The Domain Name drop-down list contains the All Agents domain name and the names of the customized domains on the target manager.

6 Check Delete Raw Reports from the Source Manager to remove the existing reports of the selected agent from the source manager.
7 Click Move.
The Moving Agent(s) dialog box displays the names of the source manager and the target manager. The Moving Agent(s) dialog box also displays the progress of agent registration.
8 Click Cancel to cancel the agent registration or click Done when the registration is complete.

See About moving ESM agents across managers on page 89.
See Moving an agent from a manager by right-clicking the agent on page 91.
See Moving an agent from a manager by right-clicking the manager on page 92.
See Moving agents from a manager by dragging and dropping the source manager on page 94.
See Moving an agent from a manager by dragging and dropping on the target manager on page 95.
See Moving an agent from a domain by dragging and dropping on the target manager on page 96.

Checking the status of agents
The ESM manager refers to a cache to check the status of the agents each time you perform a policy run on the agents. The cache is created for those agents whose domain has the Perform Agent Status Check enabled. The cache is populated when the manager is not able to contact the agent during a policy run. The creation of this cache is an incremental process and is created for every agent on which the manager tries to run a policy.
The ESM manager does not contact the agent in the cache for a specified period. This time period is a configurable value that is specified in the manager.conf file, which is located in the \esm\config folder. The manager.conf file contains a parameter named AGENT_CACHE_TIMEOUT_HOURS that you use to specify the timeout period. The minimum and the default value for AGENT_CACHE_TIMEOUT_HOURS is 1 hour. The maximum value that you can specify is 8760 hours (365 days).

Note: The Perform Agent Status Check setting gets reset if you add an ESM agent with a version earlier than 10.0 to a standard domain. You must select the Perform Agent Status Check option again to re-configure agent status check on the selected standard domain.

The cache contains entries of the agents that the manager was unable to contact for any of the following reasons:
- The agent computer was not running.
- The agent was not able to acknowledge the manager's request for connection within a specified time.
You can enable the ESM manager to check the agent's status each time you perform a policy run. You must have the following rights to enable agent status check on the ESM manager:
- Modify Domain rights to enable or disable the Perform Agent Status Check option.
- Modify All Domains rights to enable the Perform Agent Status Check option from the manager properties.

To check the agent's status at the domain level
Right-click a domain and click Perform agent status check from the menu that appears.
After you click Perform agent status check, the ESM manager checks the agent status each time you perform a policy run in this domain. To disable the agent status check option, right-click the domain and click Perform agent status check again.

To check the agent's status at the manager level
1 Right-click a manager and click Properties from the menu that appears.
2 In the Options tab, in the Agent status check section, check Perform status check for all the domains.
After you check Perform agent status check for all the domains, the ESM manager checks the agent status for all the domains under the selected manager.

To disable the agent status check option at the manager level
1 Right-click the ESM manager and click Properties from the menu that appears.
2 In the Options tab, uncheck Perform status check for all domains.
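The agent status cache described above (entries only for domains with Perform Agent Status Check enabled, agents skipped until AGENT_CACHE_TIMEOUT_HOURS has elapsed, the 1 to 8760 hour range), as an added model in Python that is not the manager's own code. The KEY=VALUE layout of manager.conf, the agent and domain names, and the timeline are constructed assumptions.

```python
from datetime import datetime, timedelta

# Bounds the guide gives for AGENT_CACHE_TIMEOUT_HOURS in manager.conf.
MIN_TIMEOUT_HOURS = 1
DEFAULT_TIMEOUT_HOURS = 1
MAX_TIMEOUT_HOURS = 8760  # 365 days
CONF_KEY = "AGENT_CACHE_TIMEOUT_HOURS"


def read_cache_timeout(conf_text: str) -> int:
    """Return the agent cache timeout in hours from manager.conf contents.

    Assumption: one KEY=VALUE setting per line with '#' starting a comment;
    the guide names the parameter but does not show the file syntax. A value
    outside the documented range is rejected rather than silently clamped, so
    a typo cannot quietly turn into a year-long blackout for an agent.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == CONF_KEY:
            hours = int(value.strip())
            if not MIN_TIMEOUT_HOURS <= hours <= MAX_TIMEOUT_HOURS:
                raise ValueError(f"{CONF_KEY} must be between {MIN_TIMEOUT_HOURS} "
                                 f"and {MAX_TIMEOUT_HOURS} hours, got {hours}")
            return hours
    return DEFAULT_TIMEOUT_HOURS


class AgentStatusCache:
    """Model of the unreachable-agent cache the manager consults before a policy run.

    An entry is added only for an agent whose domain has Perform Agent Status
    Check enabled, and only when the manager could not contact the agent.
    While the entry is younger than the timeout, the agent is not contacted.
    """

    def __init__(self, timeout_hours: int, status_check_domains):
        self.timeout = timedelta(hours=timeout_hours)
        self.status_check_domains = set(status_check_domains)
        self._unreachable = {}  # agent name -> time of the failed contact

    def record_failure(self, agent: str, domain: str, when: datetime) -> None:
        if domain in self.status_check_domains:
            self._unreachable[agent] = when

    def should_contact(self, agent: str, now: datetime) -> bool:
        failed_at = self._unreachable.get(agent)
        if failed_at is None:
            return True
        if now - failed_at >= self.timeout:
            del self._unreachable[agent]  # timeout elapsed: try the agent again
            return True
        return False

    def reset(self) -> None:
        """Purge every entry, like Reset in the manager's Options tab."""
        self._unreachable.clear()

    def __len__(self) -> int:
        return len(self._unreachable)


def simulate(timeout_hours: int = 4) -> dict:
    """Walk one constructed timeline: two agents fail, only one is cached."""
    t0 = datetime(2010, 6, 1, 8, 0)
    cache = AgentStatusCache(timeout_hours, status_check_domains={"Production"})
    # First policy run: neither agent answers. The constructed Lab domain has
    # the status check disabled, so db01 is never cached.
    cache.record_failure("web01", "Production", t0)
    cache.record_failure("db01", "Lab", t0)
    result = {"cached_after_run1": len(cache)}
    later = t0 + timedelta(hours=2)
    result["contact_web01_after_2h"] = cache.should_contact("web01", later)
    result["contact_db01_after_2h"] = cache.should_contact("db01", later)
    expired = t0 + timedelta(hours=timeout_hours)
    result["contact_web01_after_timeout"] = cache.should_contact("web01", expired)
    result["cached_after_timeout"] = len(cache)
    return result


if __name__ == "__main__":
    hours = read_cache_timeout("# constructed sample\nAGENT_CACHE_TIMEOUT_HOURS=4\n")
    print(simulate(hours))
```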

To purge the agent status cache
1 Right-click a manager and click Properties from the menu that appears.
2 In the Options tab, in the Agent status check section, click Reset.

To check the agent's status at the command line
Use the following command-line options to check the status of an agent:

Command          Description                                                    Reference
set dmnflag      Enable or disable the domain flag for a domain                 See Checking the status of agents on page 99.
show dmnflag     Check the status of the domain flag for a domain               See About the Set dmnflag command on page 227.
remove agtcache  Remove the cache from the manager that is currently connected

About configuring the user accounts
Symantec ESM gives you the ability to administer manager user accounts from the ESM console. You can use this function to control user access and permissions to manage specific domains, policies, or policy runs. Administrative functions include the following:
- Adding new accounts
- Deleting accounts
- Disabling accounts
- Changing the passwords of accounts
- Modifying account access rights
- Replicating user accounts
- Duplicating user accounts

Adding new accounts
The Account wizard can help you create five default types of accounts: Read-only, ESM administrator, System administrator, Security officer, and Register only. When you create an account and select a user type, the Account wizard automatically assigns the appropriate access rights to the account. The wizard also lets you choose the domains and policies that the new account can access.

The wizard helps you create accounts for users who manage single domains or policies.
When you create a new domain, policy, or template, Symantec ESM gives access to the following accounts:
- The superuser account that Symantec ESM created during the manager installation.
- The account that was used to create the domain, policy, or template.
- Accounts on the manager that apply to all domains, policies, or templates.
Other accounts can be modified to grant access to the new domain, policy, or template.

Note: The credentials of an ESM user account are stored by using the SHA256 algorithm, which is FIPS-compliant.

To add a new account
1 On the enterprise tree, right-click the manager and click Properties.
2 Click the Access records tab.
3 Click Add.
4 When prompted, specify the user name and password, together with the type of account.
The following conditions apply to the manager user names and passwords:
- Manager account user names can have up to 32 characters.
- Manager account passwords can have up to eight characters.
- Passwords should have at least six characters, including at least one non-alphabetical character.
- Do not use any of the following special characters in a manager password:

Character          Symbol
Pipe               |
Ampersand          &
Semicolon          ;
Left parenthesis   (
Right parenthesis  )
Less than          <
Greater than       >

Space
Tab

The system shells interpret these special characters as commands.
You can also select the domains, the policies, and the templates that you want the account to manage. You can give account access to every domain and policy on the manager, or to any combination of domains and policies. This method is the preferred method to create an account to manage a single domain or policy.
When you log on to the new user account for the first time, Symantec ESM prompts you to change your password. The Symantec ESM administrator account that is created during the installation of Symantec ESM is not required to change its password on the first logon. All other users that are created later need to change their passwords on the first logon.

To change your password on the first logon
1 After you log on, click OK on the window that prompts you to change the password.
2 In the Change password dialog box, do the following:
- In the Old password text box, type the original password of your account.
- In the New password text box, type the new password.
- In the Confirm password text box, re-type the new password.
3 Click OK.
Logon to the manager again with the new password after you change it on the first logon.

Replicating a user account
You can select one or more user accounts and replicate them on managers in the enterprise with or without the same set of permissions. You must have the Manage users access permission on the source and the target managers to be able to replicate user accounts. You cannot replicate the ESM superuser account.
You can use the Replicate User Accounts wizard to perform user account replications on a target manager.

When you replicate a user account, all of the properties of the user account are also replicated on the target manager. The replicated properties may include the current state and expiration date of the user account, the password history, and so on.

To replicate user accounts by using the Replicate User Accounts wizard

1 Right-click the manager from which you want to replicate a user account, and then select Replicate User Account.
2 In the Welcome panel of the Replicate User Accounts wizard, click Next.
3 In the Select users panel, from the Available users list box, select the user account that you want to replicate, and then click > to add the user to the Selected users list box.

The Available users list box displays the user accounts that are present on the selected ESM manager. You can click >> to add all the user accounts that are displayed in the Available users list box. You can remove a user account from the Selected users list box by clicking <. You can also move all the user accounts from the Selected users list box back to the Available users list box by clicking <<.

4 Click Next.
5 In the Password settings panel, do one of the following:

Click Use the existing password of the selected user account if you want the user account to keep its existing password after it is replicated on the target manager.
If you use this option and the source manager is version 10.0, the target manager must be ESM 10.0 or later. If the source manager version is earlier than ESM 10.0, the target manager can be of any version.

Click Use a common password if you want to use one common password for all the replicated user accounts on the selected manager. Enter the common password in the Password and Confirm Password text boxes.
If you provide a common password that does not comply with the password policy of the target manager, the replication operation is skipped. The error is logged in the console log, which is located at #Symantec\Enterprise Security Manager\Symantec ESM Enterprise Console\Logs.

Note: The password history of the original user account and of the replicated user account are the same.

6 In the Select managers panel, from the Available managers list box, select the manager on which you want to replicate the user account, and then click > to add the manager to the Selected managers list box.

The Available managers list box displays the ESM managers that are added to the ESM console. You can click >> to add all the ESM managers that are displayed in the Available managers list box. You can remove a manager from the Selected managers list box by clicking <. You can also move all the ESM managers from the Selected managers list box back to the Available managers list box by clicking <<.

7 In the Manager Logon dialog box, check Use credentials by which manager is connected to the console if you want to replicate with the same credentials by which the manager is connected to the console. Otherwise, enter a user name and password in the respective text boxes.

These credentials are used to create the replicated users on the target manager: the replication runs on the target manager as the account that you specify in the Manager Logon dialog box.

8 Click Next.

Selecting options for user account replication when a user account with the same name already exists on the target manager

In the Selecting options for the user account replication operation panel, do one of the following, and then click Next:

Click Preserve the user account on the target manager if you want to retain an existing account of the same name on the target ESM manager. If you choose to retain the existing user account, the replication operation for that particular account is skipped. However, the replication operation continues for the other user accounts that you have selected.

Click Overwrite the existing user account on the target manager if you want to replace the existing account. If you choose to overwrite, the account that you selected from the source manager replaces the account of the same name on the target manager. If no account of that name is present on the target manager, a new account is created.

Granting permissions on the replicated user account

1 Click Stamp permissions to replicate the permissions. The permissions are replicated as they are, and they are matched by name: they apply to any domain, policy, or template of the same name that exists on the target manager or that is created there in the future.
2 Click Do not stamp permissions if you do not want to replicate the permissions. If you choose not to stamp the permissions, you must grant a fresh set of permissions to the user account on the target manager.

Completing the replication operation

1 Click Start to start the replication operation for the user accounts that you have specified by using the wizard.
2 Click Finish when the Replicate User Accounts wizard completed successfully message appears on the panel.

Deleting a manager account

If the manager account that you use has Manage User Rights enabled, you can delete any user account except the following:

The superuser account that Symantec ESM created during manager installation
The account that you are logged on to

To delete a manager account

1 On the enterprise tree, right-click the manager and click Properties.
2 Click the Access Records tab.
3 Select the account that you want to delete.
4 Click Delete.

About modifying a manager account

If the manager account that you use has Manage User Rights enabled, you can modify an existing manager account. Modifications may include the following:

Disabling or activating an account
Changing an account's password or password settings
Viewing or modifying an account's access rights to domains, to policies, or to templates

Disabling a manager account

You can disable inactive accounts so that they cannot be used to obtain unauthorized access to the manager. If you try to connect the ESM console to the manager by using a disabled account, Symantec ESM displays a disabled account error message.

To disable a manager account

1 On the enterprise tree, right-click the manager and click Properties.
2 Click the Access Records tab.
3 Select the account that you want to disable.
4 Click Modify.
5 Click Disabled.

Changing the password on a manager account

System administrators may periodically assign new passwords, or they may require users to change their own passwords at set intervals. System administrators can set a password expiration date or set a password to never expire.

Seven days before the password's expiration date, Symantec ESM notifies you about the required password change every time you log on to the manager, and it offers to change the password with each notification. If you do not change your password within these seven days, Symantec ESM locks your account, and the password must be reset before you can use the account again.

The superuser account has the necessary rights to change a user's password without first entering the old password.

To change a password on a manager account

1 On the enterprise tree, right-click the manager and click Properties.
2 Click the Access Records tab.
3 Select the account that you want to change.
4 Click Modify.
5 Click Change password.
6 In the Old password text box, type the current password.
7 In the Password text box, type the new password.

Manager account passwords can have up to eight characters. Passwords should have a minimum of six characters and a maximum of 32 characters, including at least one non-alphabetical character.

8 Type the new password again in the Confirm password text box.

To set a password expiration date

1 On the enterprise tree, right-click the manager and click Properties.
2 Click the Access records tab.
3 Select the account that you want to change.
4 Click Modify.
5 In the Password expiration box, type or select the date when you want the password to expire, or use the calendar to change the setting.

To set the password to never expire

1 On the enterprise tree, right-click the manager and click Properties.
2 Click the Access Records tab.
3 Select the account that you want to change.
4 Click Modify.
5 Check the Password never expires check box.

About assigning access rights to the manager accounts

When you create or modify a manager user account, you give the account specific access rights to domains, to policies, and to templates. Users can perform only those functions that these access rights allow. The Account wizard automatically assigns access rights when you create a new account on the manager. You can modify existing accounts by assigning the access rights that are specific to job responsibilities.

You should assign to manager accounts only the minimum rights that users need to perform their assigned tasks. For example, you can set up an account with permissions to manage a single domain or policy, and thereby prevent the user from viewing domains or policies that the user is not authorized for.

Before you can assign access rights to a manager account, you must log on to the manager using an account that already has those rights. Symantec ESM does not let you grant rights that exceed the access rights of the account that is in use. Access rights apply only to the manager and to the nodes directly beneath the manager on the enterprise tree.

Note: Because the manager logon requirements provide the security, ESM console users can freely add or remove regions and managers in the console.

Symantec ESM applies the access rights for a manager account when a user connects the ESM console to the manager. If you change the access rights of an account, users who are already connected with that account keep their old rights and do not see the change until they do the following:

Terminate their current manager session.
Reconnect to the manager.

Symantec ESM provides the following privilege categories:

Domains
Policies
Templates
Advanced manager rights

The following tables describe the access rights that Symantec ESM provides. Table 3-2 describes the access rights for domains.

Table 3-2 Privilege categories and assignable domain rights

Privilege category: Domain

Assignable rights:

View: Lets you see the domain and the policy run summaries for the agents in the domain. Symantec ESM displays the domain only if the account has View access.

Modify: Lets you remove an existing domain, or remove an agent from the domain. If the account also has the Create new domains right, you can do the following:
Create a new domain.
Copy a current domain.
Delete an existing domain.
Add an agent to an existing domain.
You cannot change the default system domains, such as All Agents and NT Agents.

Run Policies: Lets you run policies on the agent computers in the domain if you also have the Run right on the policies. The Policy Run wizard leads you through starting or scheduling policy runs.

Snapshot Updates: Lets you update snapshots, templates, and name lists.

Apply to all domains: Lets you apply the assigned rights to all current and future domains.

Create new domains: Lets you create new domains.

Note: Any user with View access to a domain can correct policy report items from the Symantec ESM console. To correct report items, you must log on to the agent computer using an account with administrative, supervisory, or superuser privileges.

Table 3-3 describes the access rights that Symantec ESM provides for policies.

Table 3-3 Privilege categories and assignable policy rights

Privilege category: Policy

Assignable rights:

View: Lets you see the policy. Symantec ESM displays the policy only if the account has View access.

Modify: Lets you do the following:
Add or remove modules in policies.
Enable or disable security checks in modules.
Edit the name lists and the templates that are associated with checks.
Delete policies, if the account also has the Create new policies right.

Run: Lets you run policies on the agent computers in a domain if you also have the Run Policies right on the domain. The Policy Run wizard leads you through starting or scheduling policy runs.

Assign to all current and future policies: Lets you apply the assigned rights to all current and future policies.

Create new policies: Lets you create new policies.

Table 3-4 describes the access rights that Symantec ESM provides for templates.

Table 3-4 Privilege categories and assignable template rights

Privilege category: Template

Assignable rights:

View: Lets you see the template. Symantec ESM displays the template only if the account has View access.

Modify: Lets you add, change, or remove the following, if the account also has the Create new templates right:
Templates
Directories
Files
Registry keys or their related sublists

Assign to all templates: Lets you apply the assigned rights to all current and future templates.

Create new templates: Lets you create new templates.

Table 3-5 describes the access rights that Symantec ESM provides for administering Symantec ESM.

Table 3-5 Privilege categories and advanced manager rights

Privilege category: Advanced manager rights

Assignable rights:

Manage user rights: Lets you change the access rights of any account on the manager except the default superuser account. You can also change the password configuration requirements.

Modify own password: Lets the account change its own password. New passwords must comply with the password configuration requirements.

Modify ESM options: Lets you change the audit log configuration and the manager sumfinal database options. You can also assign manager licenses.

Perform remote upgrades: Lets you upgrade the agent software on remote computers.

Register agents with managers: Lets you use the installation program or the register program to register an agent to the manager. User accounts with this right should have no other access rights, so that the credential you hand out for agent registration cannot be used for anything else.

Read-only account: Lets you view user access rights. Read-only user accounts cannot modify permissions.
Note: You can use the read-only account only for Reporting Database Link (RDL) user accounts.

Manage read-only policies: Lets you mark policies as Read-Only and replicate the policies.

Note: You can modify the pre-defined access rights that ESM provides.
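The rules that this chapter states about rights can be written down and tested: View is the prerequisite for every other right in a category, a policy run needs Run Policies on the domain together with Run on the policy, an account can only grant rights that it holds itself, and an "apply to all" grant covers current and future objects. The following model is an added example, not Symantec's code and not how the ESM manager stores rights internally; the right names come from Tables 3-2 to 3-4, while the data model, the use of "*" for "all current and future objects", and the account names are this example's own assumptions.

```python
"""Least-privilege checks modelled on the access-right rules in this chapter.

Added example, not Symantec's code. Right names follow Tables 3-2 to 3-4;
the data structures and the "*" convention are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

CATEGORIES: Dict[str, Set[str]] = {
    "domains": {"View", "Modify", "Run Policies", "Snapshot Updates"},
    "policies": {"View", "Modify", "Run"},
    "templates": {"View", "Modify"},
}
ALL = "*"  # stands for "Apply to all" / "Assign to all": current and future objects


@dataclass
class AccessRights:
    # category -> object name (or ALL) -> rights held on that object
    rights: Dict[str, Dict[str, Set[str]]] = field(
        default_factory=lambda: {c: {} for c in CATEGORIES})

    def effective(self, category: str, obj: str) -> Set[str]:
        """Rights on obj: its own rights plus any 'apply to all' rights."""
        per_cat = self.rights[category]
        return set(per_cat.get(ALL, set())) | set(per_cat.get(obj, set()))

    def can_see(self, category: str, obj: str) -> bool:
        # The console shows an object only if the account has View on it.
        return "View" in self.effective(category, obj)


class GrantError(ValueError):
    pass


def grant(granter: AccessRights, target: AccessRights,
          category: str, obj: str, wanted: Set[str]) -> None:
    """Give target the rights in wanted on obj, enforcing the chapter's rules."""
    if category not in CATEGORIES:
        raise GrantError(f"unknown privilege category {category!r}")
    unknown = wanted - CATEGORIES[category]
    if unknown:
        raise GrantError(f"{sorted(unknown)} are not {category} rights")
    # Rule: you must start with View before any other right in the category.
    if "View" not in wanted and "View" not in target.effective(category, obj):
        raise GrantError("assign View before other rights")
    # Rule: the manager refuses rights that exceed those of the account in use.
    missing = wanted - granter.effective(category, obj)
    if missing:
        raise GrantError(f"granter lacks {sorted(missing)} on {category}/{obj}")
    target.rights[category].setdefault(obj, set()).update(wanted)


def grant_allowed(granter: AccessRights, target: AccessRights,
                  category: str, obj: str, wanted: Set[str]) -> bool:
    """Boolean wrapper around grant() for callers that only need yes/no."""
    try:
        grant(granter, target, category, obj, wanted)
        return True
    except GrantError:
        return False


def can_run_policy(acct: AccessRights, domain: str, policy: str) -> bool:
    """A policy run needs Run Policies on the domain AND Run on the policy."""
    return ("Run Policies" in acct.effective("domains", domain)
            and "Run" in acct.effective("policies", policy))


def superuser() -> AccessRights:
    """Account that holds every right on every current and future object."""
    su = AccessRights()
    for cat, names in CATEGORIES.items():
        su.rights[cat][ALL] = set(names)
    return su


if __name__ == "__main__":
    su = superuser()
    ops = AccessRights()                      # a hypothetical UNIX operator account
    grant(su, ops, "domains", "UNIX", {"View", "Run Policies"})
    grant(su, ops, "policies", "Solaris", {"View", "Run"})
    print("ops can run Solaris on UNIX:", can_run_policy(ops, "UNIX", "Solaris"))
    print("ops sees NT Agents:", ops.can_see("domains", "NT Agents"))
    junior = AccessRights()
    print("ops can delegate Modify:",
          grant_allowed(ops, junior, "domains", "UNIX", {"View", "Modify"}))
```

The useful property to notice is the last check: an operator who holds only View and Run Policies on a domain cannot hand Modify to someone else, which is what keeps a single-domain account from becoming an escalation path.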

Modifying the manager user account access rights

You can modify the access rights of a manager user account by modifying the manager's properties.

To modify manager user account access rights

1 On the enterprise tree, right-click the manager and click Properties.
2 Click the Access Records tab.
3 Select the account that you want to change.
4 Click Modify.
5 In the Access rights list, select a privilege category, and then click View/Modify. For example, select Domains to view the Access to Domains dialog box.
6 Do one of the following:

Check Create new domains to give the manager account the right to create new domains.
Check Apply to all domains if you want any domain rights that are assigned to the manager account to be applied to all domains. All domains also includes the domains that other accounts create in the future.
Uncheck Apply to all domains if you want to limit the manager account's access rights to specific domains. Select the wanted domain in the list. For each selected domain, check the check boxes to assign access rights. You must start with the View permission; then you can select from among the other domain rights.

Duplicating a user account on the manager

You can clone an existing user account on a manager from the Access Records tab of the ESM manager. When you create a duplicate user account, the access rights of the source user account are replicated on the duplicate user account. You must have the "Manage user rights, view user audits" permission to be able to create a duplicate user account. You can duplicate a user account either from the manager properties or by using the -D option with the Create access command.

To duplicate a user account from the manager properties

1 On the enterprise tree, right-click a manager and click Properties.
2 Click the Access Records tab.
3 In the Access Records tab, select the user that you want to duplicate, and then click Duplicate. You cannot duplicate the superuser account.
4 In the User Name And Password dialog box, provide the user name and password of the duplicate user account.
5 Click Finish.

Setting the manager password configuration

Symantec ESM lets you set the configuration requirements for the passwords on manager accounts. This option helps secure Symantec ESM by ensuring that the passwords that are used to access managers meet the minimum security requirements.

To modify the password configuration requirements on a manager, you must connect to the manager using an account with the following rights:

Manage User Rights
Modify ESM Options

Any changes to the password settings apply only to user accounts that are created afterward. Existing user accounts are not automatically updated, so review them separately when you tighten the configuration.

To set the manager password configuration

1 On the enterprise tree, right-click the manager and click Properties.
2 Click the Password Configuration tab.
3 Set one or more of the following options:

Minimum length: Requires the password to contain a user-determined minimum number of characters. The password should have at least six characters. Manager account passwords can contain up to eight characters.

History length: Determines the number of previous passwords that Symantec ESM stores before it lets a user reuse an old password.

Require non-alphabetical character: Requires the password to contain at least one non-alphabetical character.

Check against word lists: Directs Symantec ESM to check the password against its word lists to ensure that it cannot be easily guessed.

Maximum password age: Determines how long a user can keep the same password.

Password change notification period before expiration: Determines the number of days before the password expires on which Symantec ESM starts to notify the user. Note: The value that you enter must be less than the Maximum password age.

Number of invalid logon attempts before lockout: Determines how many times a user can try to log on and fail before Symantec ESM locks the account.

Reset counter after: Specifies the time span within which the invalid logon attempts must occur to count toward the lockout. For example, if you set the number of invalid logon attempts to 3 and the reset counter to 30 minutes, 3 invalid logon attempts within 30 minutes lock out the account, but 3 invalid attempts spread over a two-hour period do not.

Duration: Specifies the length of time that elapses before Symantec ESM unlocks a locked account. The lockout duration starts from the time of the last failed logon attempt.
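The three lockout settings interact in a way that is easy to get wrong when you are tuning them, so the following simulation is an added example, not Symantec's code and not the manager's own implementation. It implements the semantics as this section defines them: a number of failed logons inside a sliding "reset counter" window locks the account, and the lock lasts for the configured duration counted from the last failed logon. It also models the seven-day expiry warning from the previous section. Times are plain integers (seconds for lockout, days for password age) so that it runs deterministically; one detail the page leaves open, whether a further failed logon while locked restarts the duration, is decided here in favour of restarting and is marked as this example's assumption.

```python
"""Lockout and expiry policy of the kind the Password Configuration tab sets.

Added example, not Symantec's code. Attempt sequences in the usage
section are constructed for illustration.
"""
from collections import deque
from typing import Deque, Dict


class LockoutPolicy:
    def __init__(self, attempts: int = 3, reset_after: int = 30 * 60,
                 duration: int = 30 * 60) -> None:
        self.attempts = attempts        # Number of invalid logon attempts before lockout
        self.reset_after = reset_after  # Reset counter after (seconds)
        self.duration = duration        # Duration (seconds)
        self._fails: Dict[str, Deque[int]] = {}   # recent failure times per user
        self._locked_at: Dict[str, int] = {}      # failure time that (re)started the lock

    def is_locked(self, user: str, now: int) -> bool:
        started = self._locked_at.get(user)
        if started is None:
            return False
        if now - started >= self.duration:
            # The lock has run out: clear it together with the failure history.
            del self._locked_at[user]
            self._fails.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: int) -> bool:
        """Record a failed logon; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            # Assumption of this example: a failure during lockout restarts the duration.
            self._locked_at[user] = now
            return True
        window = self._fails.setdefault(user, deque())
        # Drop failures that have fallen out of the reset window.
        while window and now - window[0] > self.reset_after:
            window.popleft()
        window.append(now)
        if len(window) >= self.attempts:
            self._locked_at[user] = now   # duration counts from the last failed try
            window.clear()
            return True
        return False

    def record_success(self, user: str, now: int) -> bool:
        """A correct password is accepted only while the account is not locked."""
        if self.is_locked(user, now):
            return False
        self._fails.pop(user, None)
        return True


def password_state(set_day: int, today: int, max_age_days: int,
                   notify_days: int = 7) -> str:
    """Return 'ok', 'warn' (inside the notification period) or 'expired'.

    The page requires the notification period to be less than the maximum age,
    and an account whose password expires stays locked until it is reset.
    """
    if notify_days >= max_age_days:
        raise ValueError("notification period must be less than the maximum password age")
    age = today - set_day
    if age >= max_age_days:
        return "expired"
    if age >= max_age_days - notify_days:
        return "warn"
    return "ok"


if __name__ == "__main__":
    policy = LockoutPolicy(attempts=3, reset_after=30 * 60, duration=30 * 60)
    # Constructed: three failures in 20 minutes lock the account ...
    for t in (0, 600, 1200):
        print("alice fail at", t, "-> locked:", policy.record_failure("alice", t))
    # ... but three failures spread over two hours do not.
    for t in (0, 3600, 7200):
        print("bob fail at", t, "-> locked:", policy.record_failure("bob", t))
    print("password set 55 days ago, max age 60:", password_state(0, 55, 60))
```

When you choose values, note that a short "Reset counter after" combined with a long "Duration" lets an attacker who spaces attempts just outside the window avoid lockout entirely, while a long window with a short duration mostly annoys legitimate users; the simulation makes both effects visible before you apply them to a production manager.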

Changing the ESM console passwords

You must type a password when you first create a new account. You can use that password each time you log on to the ESM console. Symantec recommends that you change the password on the account to ensure security.

To change the ESM console passwords

1 On the console taskbar, click Edit > Change password.
2 In the Current password text box, type the current password.
3 In the New password text box, type the new password. The following restrictions apply:

ESM console account passwords can have up to 32 characters.
Passwords should have at least six characters, including at least one non-alphabetical character.

4 In the Confirm new password text box, type the new password again.

Auditing Symantec Enterprise Security Manager events

Symantec ESM lets you maintain and view audit logs of events. Security officers can use these logs to determine whether users make unauthorized changes. Audit logs record the following events:

Start and finish of policy runs
Template file modifications
Suppression of database modifications
Options changes
License changes
Access record modifications
Tune-ups or upgrades
Policy modifications
Agent records modifications
Report updates or corrections
Manager connections (success or failure)
Audit log (enable or disable)

Each manager that is connected to the ESM console can maintain an audit log. Before you can keep or view an audit log on a manager, you must enable it for that manager. The audit log is enabled by default at installation. Enabling or disabling the audit log is itself a recorded event, so a gap in logging is visible afterward.

To enable or disable audit logging

1 On the enterprise tree, right-click a manager, and then click Properties.
2 Click the Audit log configuration tab.
3 Check Audit log enabled to enable audit logging, or uncheck it to disable audit logging.
4 If you enable audit logging, in the Max. log size box, type the maximum file size. Symantec ESM automatically starts a new log file when the current log file reaches the size that you designate.

To view an audit log

1 On the enterprise tree, right-click the manager, and then click View audit log.
2 In the Account name box, select one of the following options:

Click All to view internal events for all user accounts.
Select a specific user account to view internal events for that account.

3 In the Server box, select one of the following options:

Click All to view internal events for all connection identifiers.
Click a specific connection identifier to view internal events for that connection. The unique connection identifier lets you follow a connection to the manager. The type of connection identifier depends on the manager computer's platform.

4 Select the time period to view in the After date/time and Before date/time boxes.

About updating Symantec Enterprise Security Manager

Periodically, Symantec distributes security updates, best practice policies, and agent software improvements through LiveUpdate technology. Security updates add new checks and modules or improve existing checks. Best practice policies add or update industry standard policies, such as HIPAA and GLBA, to ensure that your computer configurations conform to these standards. Software upgrades enhance the manager or the agent programs. For example, you may upgrade your software to improve efficiency or to add platform support.

For Symantec ESM content, which includes security updates and best practice policies, LiveUpdate requires that you obtain a separate license. This license does not affect component updates such as software improvements.

LiveUpdates are granular, which means that they include only the updates that are specific to the modules that you use. For example, if you use Symantec ESM exclusively in a UNIX environment, LiveUpdate downloads only the content that pertains to UNIX modules. Also, when you perform policy runs on agents, each agent gets the LiveUpdate content only for the modules that are used in that policy run. In this way, the amount of information that is transferred during the LiveUpdate of agents is reduced, which can significantly improve performance for large policy runs.

Note: Granular LiveUpdates work only with Symantec ESM 6.5 or later managers and agents. If you register a 6.x agent to a or later manager, the manager must download separate LiveUpdate packages to update the older and the newer agents. Older agents cannot support granular LiveUpdates.

You should run LiveUpdate monthly to ensure that you have the best possible security assessment tools.

Enabling and disabling LiveUpdate on agents

Only ESM managers can make security updates, best practice policies, and agent software improvements available to updatable agents. You can change the LiveUpdate status of agents by making them updatable or non-updatable.

Note: You must enable LiveUpdate locally on the agent computer as well as from the ESM console.

If you expand the summary branch in the enterprise tree, Symantec ESM displays the agents in each manager domain. If you expand the All Agents domain, you can display all agents that are registered to the manager. Agents with colored LiveUpdate icons are updatable. Agents with gray LiveUpdate icons are not updatable.

To enable or disable LiveUpdate on agents

1 On the enterprise tree, right-click a domain, and then click Enable/Disable LiveUpdate.
2 To enable LiveUpdate on agents, do one of the following:

Select agents in the LiveUpdate Disabled Agent(s) pane and click << to make them updatable.
Or, in the LiveUpdate Disabled Agent(s) pane, select the ESM agents, right-click, and then click Cut. Place your cursor in the LiveUpdate Enabled Agent(s) pane, right-click, and then click Paste.

3 To disable LiveUpdate on agents, do one of the following:

Select agents in the LiveUpdate Enabled Agent(s) pane and click >> to make them non-updatable.
Or, in the LiveUpdate Enabled Agent(s) pane, select the ESM agents, right-click, and then click Cut. Place your cursor in the LiveUpdate Disabled Agent(s) pane, right-click, and then click Paste.

Exporting a list of updatable or non-updatable agents

You can export a list of the ESM agents that are enabled or disabled for LiveUpdate. By default, the list is saved at the following location:
#Symantec\Enterprise Security Manager\Symantec ESM Enterprise Console\export

To export the list of updatable or non-updatable agents

1 Right-click a domain and then click Enable/Disable LiveUpdate.
2 To export a list of updatable agents, do the following:

In the LiveUpdate Enabled Agent(s) pane, select the agents that you want to export.
Right-click the selected agents, and then click Export Selected Agents.
In the Save Agent List As dialog box, navigate to another location if you do not want to save the .csv file at the default location.

3 To export a list of non-updatable agents, do the following:

In the LiveUpdate Disabled Agent(s) pane, select the agents and click Export Agent.
Navigate to the location where you want to save the .csv file.

The export list is saved in the <installdir>\export folder by default.

See Enabling and disabling LiveUpdate on agents on page 120.

Performing a LiveUpdate

LiveUpdate checks Symantec ESM to determine which updates are needed. When Symantec ESM is licensed, content updates are automatically downloaded and installed. Managers make updates available to agents when you initiate policy runs on the agents. The LiveUpdate procedure consists of the following:

Download the content updates from the Internet to the ESM console.
Install the content updates from the ESM console to the managers.

The content updates for ESM 10.0 are available on the LiveUpdate server under ESM 6.5+ Content Updates.

Note: If you use the luall command from the command line to initiate a LiveUpdate, you cannot install content updates.

If you run a LiveUpdate that includes a security update or a best practice policy, LiveUpdate displays a status message for the following components:

Modules
Templates
Name lists

Note: You can have only one instance of LiveUpdate on your computer. Policy runs may display incorrect results if you execute a policy run while a LiveUpdate instance is in progress on the manager.

You can perform a LiveUpdate by using one of the following two methods:

To perform a LiveUpdate from the Console

To perform a LiveUpdate from the Managers

To perform a LiveUpdate from the Console

1 On the console taskbar, click the LiveUpdate icon.
2 Click Symantec LiveUpdate to download the content updates from the Internet to the ESM console.
3 Click Install New Licenses if you want to add licenses for either Symantec ESM or Vulnerability Assessment module content updates.
4 Click Next.
5 The Welcome panel lists the Symantec products and components that are installed on the computer. Click Next, and then click Finish.

You can continue to use the ESM console while the LiveUpdate is in progress.

To perform a LiveUpdate from the Managers

1 On the console taskbar, click the Symantec LiveUpdate icon.
2 Click Directory path (CD, local or network path) that contains the LiveUpdate packages, and then click Next.
3 From the list box, select the ESM managers that you want to update.
4 Click Next.
5 In the Update complete panel, click Finish.
6 In the LiveUpdate Progress panel, click the Status tab to see the status of the LiveUpdate. The Error tab is displayed if the LiveUpdate encounters an error. Click OK.

You can continue to use the ESM console while the LiveUpdate is in progress.

Creating domains for specific UNIX operating systems

Unlike for Windows, the ESM console does not create separate domains for the UNIX operating systems in the enterprise tree. You can manually create domains that are specific to the UNIX operating systems.

To create domains for specific UNIX operating systems

1 Create a new domain for every UNIX operating system, such as AIX and HP-UX.
2 Copy the agents to their respective UNIX domains.

3 Create customized policies for each UNIX domain by using the UNIX modules. For example, you can create a new policy named Solaris by using the related UNIX modules.
4 Run these customized policies on the respective UNIX domains as your requirements dictate.

If you want to update the agents on specific UNIX operating systems, you can select the required Security Update (SU) packages during the LiveUpdate. The Granular LiveUpdate functionality lets you select the SU packages for specific UNIX operating systems, and it is available for Symantec ESM 6.5 or later managers and agents. Hence, during each LiveUpdate, only the agents on those UNIX operating systems for which you download SU packages are updated.

Performing a remote upgrade

Use remote upgrade to upgrade the agent software on Windows or UNIX systems from the ESM console. Remote upgrade can upgrade a single agent or all agents in a domain.

To perform a remote upgrade

1 When you perform a remote upgrade for the first time, connect the console to the managers that have registered the agents that you want to upgrade. Use an account with rights to modify all domains, policies, and templates.
2 Stage the appropriate remote upgrade files on the manager by using the LiveUpdate wizard.
3 Verify that LiveUpdate is enabled for the agents.
4 Right-click a domain, or an agent in a domain, and then click Remote upgrade.
5 Check the agents for the following status:

Agents that have not yet started to upgrade show a white status.
Agents that are running the upgrade change to a gray status.
Agents that successfully upgrade change to a green status.
Agents that fail to upgrade change to a red status.

6 Double-click an agent's name to display additional information about the agent's upgrade status.

Checking remote agent upgrade status
You can disconnect the ESM manager from a console during a remote agent upgrade without affecting the upgrade process. The manager controls the agent software upgrades in the same way as it controls policy runs. If you reconnect the ESM console, you can monitor the progress of an agent upgrade.

To check remote agent upgrade status
1 On the enterprise tree, right-click a manager, and then click Check remote upgrade status.
2 Double-click an agent's name to display additional information about the agent's upgrade status.

Exporting an agent list
When you have finished configuring your agents and domains, you should export an agent list to a secure location. An exported agent list serves as a backup against manager hardware failures or other problems that may require you to reconstruct your manager. You also need to export the agent list if you intend to move, upgrade, or rename a manager.
Symantec ESM lets you export the agent list to a location that you select. You need this list to use the Symantec ESM re-register feature, which can automate the re-registration process.

To export an agent list
1 On the enterprise tree, right-click a manager and then click Export Agent List.
2 In the Select Format dialog box, select the format of the file.
3 Click OK.
4 Navigate to the location where you want to save the agent list and click Save.
5 Click OK on the message prompt that recommends that you take a backup of the agent list.

About agent recovery re-registration
If your Symantec ESM manager fails, you can use this feature to recover and re-register agents that were previously registered to the manager that failed.
Symantec ESM re-registration tasks include the following:
- Export the Symantec ESM re-registration agent list
- Re-register the Symantec ESM agents

See Exporting the Symantec ESM agent list on page 126.
See Re-registering the ESM agents on page 127.

Exporting the Symantec ESM agent list
You must create and export a property file to use the Symantec ESM agent recovery and re-registration feature. The property file provides the necessary information to the Symantec ESM manager during the re-registration process.
You should use the Symantec ESM console to create the property file. The file lists the manager, the registered agents, the ports, and the communication protocols. The property file is a plain text, tab-delimited file. For security purposes, store the file in a safe location: as the format below shows, it contains each agent's shared secret.
If you have two agents that are registered to an ESM manager, the property file that you export has the following format:

manager_name<tab>manager_port<tab>manager_protocol
agent_1_name<tab>agent_1_port<tab>agent_1_protocol<tab>shared secret<tab>agent's LiveUpdate setting
agent_2_name<tab>agent_2_port<tab>agent_2_protocol<tab>shared secret<tab>agent's LiveUpdate setting

The first line in the file must contain the name of the manager, its port, and protocol. The information for each agent must follow on a separate line.

To export the Symantec ESM agent list
1 In the Enterprise tree view, right-click the appropriate manager, and then select Export Agent List.
2 In the Select Format dialog box, do one of the following:
- Click Pre-ESM 9.0 format if you want to use the format that is supported by agents with a version earlier than ESM 9.0.
- Click ESM 9.0 format if you want to use the format that is supported by the ESM 9.0 agents.
3 Click OK.
4 Navigate to the location where you want to save the agent list and click Save.
5 Click OK on the message prompt that recommends that you take a backup of the agent list.

See About agent recovery re-registration on page 125.
See Re-registering the ESM agents on page 127.
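The tab-delimited layout above can be checked before a re-registration is attempted, which avoids discovering a malformed export only when the manager is already down. The following parser is an added example, not Symantec's code: it reads the documented layout (one three-field manager line, then five-field agent lines), rejects files that deviate from it, and produces a summary that never includes the shared secrets. The record and function names are this example's own, and the sample file content, including the agent port 5601 and the secrets, is constructed rather than taken from a real export.

```python
"""Parse and validate an exported Symantec ESM agent list (property file).

This is an added example, not Symantec's code. It reads the tab-delimited
layout described above: line 1 is the manager record (name, port,
protocol); each following line is an agent record (name, port, protocol,
shared secret, LiveUpdate setting). Record and function names are this
example's own; the sample file content is constructed, not a real export.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample input: one manager on the documented default manager
# port 5600 and two agents. The agent port and the secrets are made up.
SAMPLE_AGENT_LIST = (
    "esm-manager-01\t5600\ttcp\n"
    "web-agent-01\t5601\ttcp\tS3cr3t-One\tenabled\n"
    "db-agent-02\t5601\ttcp\tS3cr3t-Two\tdisabled\n"
)


@dataclass(frozen=True)
class ManagerRecord:
    name: str
    port: int
    protocol: str


@dataclass(frozen=True)
class AgentRecord:
    name: str
    port: int
    protocol: str
    shared_secret: str
    liveupdate: str


class AgentListError(ValueError):
    """The file does not match the documented layout."""


def _port(value: str, line_no: int) -> int:
    """Ports must be decimal and within the TCP range."""
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        raise AgentListError(f"line {line_no}: invalid port {value!r}")
    return int(value)


def parse_agent_list(text: str) -> Tuple[ManagerRecord, List[AgentRecord]]:
    """Return the manager record and the agent records, or raise AgentListError."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise AgentListError("empty agent list")
    head = lines[0].split("\t")
    if len(head) != 3:
        raise AgentListError("line 1: manager record must have 3 fields")
    manager = ManagerRecord(head[0], _port(head[1], 1), head[2])
    agents: List[AgentRecord] = []
    seen: Set[str] = set()
    for line_no, raw in enumerate(lines[1:], start=2):
        fields = raw.split("\t")
        if len(fields) != 5:
            raise AgentListError(f"line {line_no}: agent record must have 5 fields")
        name, port, proto, secret, liveupdate = fields
        if not name or not secret:
            raise AgentListError(f"line {line_no}: agent name and shared secret are required")
        if name in seen:
            raise AgentListError(f"line {line_no}: duplicate agent {name!r}")
        seen.add(name)
        agents.append(AgentRecord(name, _port(port, line_no), proto, secret, liveupdate))
    return manager, agents


def is_valid_agent_list(text: str) -> bool:
    """Boolean form of parse_agent_list, for pre-flight checks."""
    try:
        parse_agent_list(text)
        return True
    except AgentListError:
        return False


def redacted_summary(text: str) -> List[str]:
    """Lines that are safe to log or display: shared secrets are never included."""
    manager, agents = parse_agent_list(text)
    out = [f"manager {manager.name}:{manager.port}/{manager.protocol} ({len(agents)} agents)"]
    for a in agents:
        out.append(f"agent {a.name}:{a.port}/{a.protocol} liveupdate={a.liveupdate}")
    return out
```

Run the validator against the exported file right after the export and again as part of any backup verification; log only what redacted_summary returns, so the shared secrets stay in the protected file and out of log archives.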

Re-registering the ESM agents
After you export the agent list, you must re-register the agents that were previously registered to the manager that failed.

To export the Symantec ESM re-registration agent list
1 In the Enterprise tree view, right-click the appropriate manager, and then select Agent Recovery Reregistration.
2 In the Agent Recovery Reregistration dialog box, do one of the following:
- Check Use Existing Credentials if you want to use the existing credentials of the manager.
- In the User name and Password text boxes, enter the user name and password of the manager account.
3 Click Browse to navigate to the location where you want to save the agent list.
4 Click Next and then click Finish.


Chapter 4
Managing policies, modules, and templates

This chapter includes the following topics:
- About the policies, modules, and templates
- About managing the policies
- About the policy tool
- Performing policy runs
- About managing templates
- About managing security checks
- Editing name lists
- About Users and Groups name list precedence

About the policies, modules, and templates
Symantec ESM uses policies, templates, and modules to identify and evaluate network vulnerabilities and security policy violations. Policies set the standard that Symantec ESM uses to measure the security state of agent computers. Policies contain modules. Modules contain the security checks that perform the assessments. The templates and the snapshots serve as baselines to determine what conditions should exist on agent computers.

About the policies
Policies specify the settings, the authorizations, or the permissions that network resources must have to comply with your company policy. Symantec ESM compares the current state of each assessed computer to the standards that are defined in the policy, and reports each discrepancy with its severity score. You can run policies on a single agent or on all agents in a manager domain.
Symantec ESM provides the following kinds of policies:
- Sample policies
- Standards-based policies
- Regulation policies
See About the sample policies on page 130.
See About the standards-based policies on page 131.
See About the regulatory policies on page 132.

About the sample policies
The sample policies that are included with Symantec ESM are already configured to assess a wide range of potential network vulnerabilities. You can use them with a minimum amount of setup time to discover and fix the most serious and the most easily corrected problems first. You can then move on to progressively more sophisticated problems and resolutions.
However, sample policies are not intended for long-term use. Every time you download a security update, sample policies are overwritten and you lose important template and snapshot data and settings.
Note: You should duplicate sample policies and save them with new names before you download a security update from the Symantec Web site. Security updates overwrite sample policy files, which causes loss of snapshot and other data.
Six of the seven sample policies run on all supported operating systems. The Dynamic Assessment policy runs only on Windows or UNIX operating systems.
The sample policies include the following:
Phase 1 policy modules: Report the most important and the most easily resolved security problems on a computer.
Phase 2 policy modules: Include checks from all available modules, but only the key checks in each module are enabled.
Phase 3 policy modules: Include the following:
- A relaxed version, which is identical to the Phase 2 policy.
- A cautious version, which has additional checks enabled.
- A strict version, which has the remaining critical security checks enabled in all modules.
Queries policy modules: Report information about users, accounts, and computers with installed Symantec ESM and Symantec Intruder Alert components.
Dynamic Assessment policy modules: Run only on computers with UNIX and Windows operating systems. The Dynamic Assessment policy has one module, the Integrated Command Engine (ICE) module. This module reports the vulnerabilities that are detected by any executables, scripts, or templates that you provide.
See About the standards-based policies on page 131.
See About the regulatory policies on page 132.

About the standards-based policies
Standards-based policies are based on ISO and other industry standards. These policies include the preconfigured values, the name lists, the templates, and the word files that apply directly to the targeted operating system or application. Standards-based policies use the modules from Symantec ESM Security Update releases to check OS patches, password settings, and other vulnerabilities on the targeted operating system or application. These policies may also introduce new templates and word lists to check conditions as required by the supported standard.
See About the sample policies on page 130.
See About the regulatory policies on page 132.

About the regulatory policies
Regulatory policies are based on governmental mandates. You can use the policies to assess compliance with the requirements of each supported regulation.
Regulatory policies include the following:
- Preconfigured values.
- Name lists.
- Templates.
- Word files that directly apply to the targeted operating system or the application.
The policies use the modules and templates from Symantec ESM Security Update releases to check OS patches, password settings, and other vulnerabilities and exposures on the targeted operating system. These policies may also introduce new templates and word lists to check conditions as required by the regulation.
See About the sample policies on page 130.
See About the standards-based policies on page 131.

About the modules
Networked computers are vulnerable to unauthorized access and denial-of-service attacks in several key areas. Modules contain the checks that evaluate and report on the security of these vulnerable areas. The checks assess the settings of the security controls in a systematic way. Each check assesses one area of potential risk.
Modules fall into one of the following categories:
- User accounts and authorizations.
- Network and server settings.
- File systems and directories.
- Dynamic assessment.

Accessing information about checks
You can obtain information about each check in a module by using the ESM console. Table 4-1 describes the information that is available about checks.

Table 4-1 Information about checks

Description: Describes what the check does and outlines the security concepts behind the check.
Implications: Describes the reasons for the check, and the possible consequences of a security violation.
Generated message: Displays the message that Symantec ESM creates if the check finds a security violation during a policy run.
Additional resources: Displays a location where you can find more information about the security concepts.

To access information about checks
1 In the Symantec ESM navigation tree, expand manager > policies > policy name > module.
2 Click the operating system node.
3 In the checks grid at the bottom of the screen, click the relevant check.

To access information about checks in the Policy Properties window
1 In the policies node of the Symantec Enterprise Security Manager tree, right-click a policy, and then click Properties.
2 In the tree in the Policy Properties window, expand a module, and then expand an operating system name.
3 Click the check name, and then click Details.

To print and export information about checks
1 Right-click anywhere in the ESM console pane.
2 Do one of the following:
- Click Open in default browser to view the data in your default Web browser. Save the data on your computer in Web page form.
- Click Print to send the data to a printer.

About editing a module
By editing the modules, you can match Symantec ESM policies to the relevant parts of your organization's security policy. You can enable or disable the security checks in a module, or edit the name lists related to a check. You can also select word lists or templates to associate with a check.

To edit a module
Double-click each successive level in the Policies branch until you reach the security checks and related options for the relevant module and operating system.

About managing the policies
Symantec ESM lets you create, edit, and delete policies.

Creating a policy
You can create new policies to meet your specific needs. New policies can be original, or they can be based on a sample policy. You must have the Create Policy access rights to be able to duplicate an existing policy. To make a policy read-only, or to edit or delete a read-only policy, you must have the Manage Read-only Policies access rights.

To create a policy based on a sample policy
1 In the left pane of the ESM console, expand the directory tree until you can see the sample policies.
2 Right-click a sample policy, and then click Duplicate.
3 Specify a new name for the duplicate policy. Policy names can contain up to 29 characters and can include special characters. You cannot leave a policy name blank.
4 Click OK.
5 Open the new policy.
6 Do the following:
- Enable the checks that you want to include in the policy run.
- Disable the checks that you do not want to include.
7 Click OK.

To create an original policy
1 In the tree view pane, right-click the Policies node, and then click New Policy.
2 In the Create New Policy dialog box, enter a name for the new policy. Policy names can contain up to 29 characters and can include special characters. You cannot leave a policy name blank.
3 Check Add module(s) to this policy if you want to add modules to the policy that you create.
4 Click OK.
5 In the policy properties dialog box, select the modules that you want to add to the policy, and then click << to add the modules to the policy.
6 Check Read Only if you want to make the policy read-only. You must have the Manage Read-only Policies right to be able to modify the permissions of a read-only policy. The Advanced Manager Rights includes the Manage read-only policies permission.
7 Click OK.

Renaming a policy
To rename a created policy, your user account must have the Create New Policies access rights enabled in the Access to Policies dialog box.

To rename a policy
1 Right-click the policy.
2 Click Rename.
3 In the New Policy Name dialog box, enter a new name for the policy. Policy names can contain up to 29 characters and can include special characters. You cannot leave a policy name blank.
See Creating a policy on page 134.

Duplicating a policy
You can copy an existing policy on the manager and give the copy a new name. You can then edit the new policy to meet specific security objectives. To duplicate a policy, you must have the Create Policies access rights enabled for your Manager user account.
You can use the drag and drop feature in the enterprise tree to copy a policy from one manager to another. In this way you ensure that all managers in the enterprise use the same policies. As part of this operation, Symantec ESM copies any associated template and word files to the destination manager.
Symantec ESM does not keep multiple copies of a policy with the same name on a manager. Instead, Symantec ESM checks for the policy name on the destination manager. If the policy name exists, a context menu prompts for a decision to overwrite the policy. If you select yes, Symantec ESM overwrites the policy on the destination manager. Symantec ESM policy names cannot be longer than 31 characters.

To duplicate a policy on the same manager
1 Right-click the policy.
2 Click Duplicate.
3 In the New Policy Name box, type the new policy name. Policy names can contain up to 29 characters and can include special characters. You cannot leave a policy name blank.

To duplicate a policy on a different manager
Drag and drop the policy on the new manager.

Backing up a policy
You have the option of taking policy backups when you do the following:
- Make changes in the properties of an existing policy.
- Replicate an existing policy.
When you take a backup of an existing policy, the default backup file name includes the following:
- Policy name
- Policy version
- Current time and date on the host computer
You may type your own backup file name for the policy that you want to back up. You may choose to overwrite an existing backup file if the backup file has the same name. If you do not choose to overwrite an existing backup file, the policy replication fails in case of a file name conflict.
You can take a backup of a policy even if it is in the disabled state. When you take a backup of a policy, the backup also includes the disabled templates.
The backed up policies are stored at \Program Files\Enterprise Security Manager\Symantec ESM Enterprise Console\Policy Backup. The backed up file is stored as a compressed file. Symantec recommends that you move the backed up policies from the default location and store them at a different location. You can also browse and save the backed up policies in another location.
The policy version is incremental. When you take a backup of a policy for the first time, the version of the policy is displayed as 1.
Note: You must have JRE version 1.5.0_15 or later for policy backup.
For Windows operating systems, the file name that you want to back up must not contain any of the following special characters:
- Single forward slash (/)
- Double backward slash (\\)
- Colon (:)
- Asterisk (*)
- Question mark (?)
- Double quotation mark (")
- Less than (<)
- Greater than (>)
- Pipe (|)
- Right brace (})
For UNIX operating systems, the file name that you want to back up must not contain any of the following special characters:
- Single forward slash (/)
- Double backward slash (\\)
- Colon (:)
- Asterisk (*)
- Question mark (?)
- Double quotation mark (")
- Less than (<)
- Greater than (>)
- Pipe (|)
- Semicolon (;)
- Left brace ({)
- Right brace (})
- Left square bracket ([)
- Right square bracket (])
Note: If you use an invalid special character in the file name, an underscore replaces the invalid character when you create the .zip and .xml files.

To take a backup of a policy after changes in the properties
1 Right-click a policy and click Properties.
2 In the property page of the policy, make the required changes, and then click OK.
3 In the Update Policy Version dialog box, do one of the following:
- Click Overwrite the older version of the policy without backup if you want to overwrite a policy with the same name.
- Click Take backup of the older version of policy if you want to take a backup of the policy. By default, the Backup file name text box displays the policy name, the policy version, the current date, and the timestamp. You can also manually type the backup file name. Click the ellipsis (...) to browse to the location where you want to save the backup file.
4 Click OK.

To take a backup of a policy from the right-click menu option
1 Right-click a policy and click Backup from the menu that appears.
2 In the Backup Policy dialog box, click the ellipsis (...) to browse to the location where you want to save the backup file.
3 Click OK.
See Replicating a policy on page 139.
See About the Policy tool logs on page 286.
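The naming rules in this section (policy names of 1 to 29 characters, and the per-platform characters that a backup file name must not contain, each replaced by an underscore when the .zip and .xml files are written) are easy to get wrong when backup names are generated by a script. The following checks are an added example, not Symantec's code. They encode exactly the two character sets listed above; two points are this example's assumptions: the "double backward slash" entry is treated as the single backslash character, and the layout of the default backup name (policy name, version, date, time) uses a separator and timestamp format chosen here because the guide does not specify them. The function names are the example's own.

```python
"""Policy-name and backup-file-name rules for Symantec ESM policy backups.

Added example, not Symantec's code. It encodes two rules stated in this
chapter: a policy name is 1 to 29 characters and may contain special
characters, and a backup file name must avoid a platform-specific set of
characters, each of which ESM replaces with an underscore when it creates
the .zip and .xml files. Assumptions: the "double backward slash" entry is
treated as the backslash character, and the default backup name layout
(policy name, version, date, time) uses a separator and timestamp format
chosen here, since the guide does not give them.
"""
from datetime import datetime

POLICY_NAME_MAX = 29

# Invalid characters in a backup file name, per platform (from the guide).
WINDOWS_INVALID = frozenset('/\\:*?"<>|}')
UNIX_INVALID = WINDOWS_INVALID | frozenset(';{[]')
_INVALID = {"windows": WINDOWS_INVALID, "unix": UNIX_INVALID}


def validate_policy_name(name: str) -> bool:
    """True if the name is not blank and is at most 29 characters long."""
    return bool(name.strip()) and len(name) <= POLICY_NAME_MAX


def _invalid_set(platform: str) -> frozenset:
    if platform not in _INVALID:
        raise ValueError(f"platform must be one of {sorted(_INVALID)}")
    return _INVALID[platform]


def invalid_chars(file_name: str, platform: str) -> set:
    """The characters in file_name that are invalid on this platform."""
    bad = _invalid_set(platform)
    return {ch for ch in file_name if ch in bad}


def sanitize_backup_file_name(file_name: str, platform: str) -> str:
    """Return the name as ESM would write it: each invalid character becomes '_'."""
    bad = _invalid_set(platform)
    return "".join("_" if ch in bad else ch for ch in file_name)


def default_backup_file_name(policy_name: str, version: int,
                             when_iso: str, platform: str) -> str:
    """Assumed layout of the default name: <policy>_v<version>_<date>_<time>.

    The time part contains ':' which is invalid on both platforms, so the
    result is passed through the sanitizer, mirroring what ESM does when it
    writes the files. when_iso is an ISO 8601 timestamp such as
    "2010-05-04T13:07:09".
    """
    if not validate_policy_name(policy_name):
        raise ValueError(f"invalid policy name {policy_name!r}")
    when = datetime.fromisoformat(when_iso)
    raw = f"{policy_name}_v{version}_{when:%Y-%m-%d}_{when:%H:%M:%S}"
    return sanitize_backup_file_name(raw, platform)
```

Use invalid_chars to report a problem to the operator before the backup runs, and sanitize_backup_file_name to predict the file name that will actually appear on disk so that a backup catalogue or a restore script looks for the right file.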

Restoring a policy
You can restore a policy from the backup file if you delete or modify a policy from the ESM console.

To restore a policy
1 Right-click Policies and select Restore Policy.
2 In the Restore Policy dialog box, click the browse icon to select the backup file of the policy that you want to restore.
3 Check Backup policy if policy name conflicts if you want to take a backup of an existing policy that has the same name as the policy that you want to restore.
4 In the Template/Word File Name Conflict section, do one of the following:
- Click Abort restore operation if you want to terminate the policy restore operation in case of a template or a word file conflict.
- Click Preserve existing file(s) if you want to preserve the existing word files or templates on the manager in case of a file name conflict.
- Click Overwrite the existing file(s) if you want to overwrite the existing word files or templates on the manager in case of a file name conflict.
5 Click OK.
See About the Policy tool options on page 145.

Replicating a policy
Policy replication lets you create an exact replica of an existing policy and execute the replicated policy on another manager. If a policy is marked as read-only, you must uncheck the read-only option in the policy dialog box to make the policy changes.
Note: You must have the Manage read-only policies permission on the source manager and the target manager to be able to replicate read-only policies. The Advanced Manager Rights includes the Manage read-only policies permission.
You must have the Create All Policies rights on the target manager to be able to replicate a policy. If the policy already exists on that manager, the modify policy rights are also required.
The policy version is incremental. When you replicate a policy for the first time, the version of the policy is displayed as 1. You may replicate a policy on the target manager as read-only if you do not want the replications to be modified on any manager.
Note: To successfully replicate a policy, the SU version of the source manager and the target manager must be the same.
You can also replicate policies from a Windows source manager to a UNIX target manager. In such a scenario, you must register the Windows agent to the UNIX manager for a successful policy run. However, if you do not register the Windows agent to the UNIX manager and a policy run fails, the failure is not considered for compliance calculation. The same is true for a 32-bit source manager and a 64-bit target manager, or vice versa.
After you replicate a policy, you must update the Policies node manually for the replicated policy to display on the target manager.
Note: You must have JRE version 1.5.0_15 or later for policy replication.

To replicate a policy
1 Right-click a policy and click Replicate from the menu that appears.
2 In the Replicate Policy panel, select the manager from the Available manager(s) list box and click >> to add the manager. The managers that you have selected appear in the Selected manager(s) list box. To select multiple managers, select a manager and then press the Shift key on your keyboard while you select the other managers.
3 In the Manager Logon panel, do one of the following:
- Check the Use credentials by which manager is connected to the ESM console check box if you want to use the existing credentials. If you check this option, the Access name and Password fields become unavailable.
- In the User name and Password fields, provide the credentials to use when you connect to the manager on which you replicate the policy.
4 In the Manager Logon panel, click OK, and then in the Replicate Policy panel, click Next.
5 In the Policy name conflicts section of the Replicate Policy panel, do one of the following:
- Click Overwrite the existing policy without backup if you want to overwrite an existing policy on the target manager in case of policy name conflicts.
- Click Take a backup to take a backup of the policy on the target manager in case of policy name conflicts. By default, the Backup file name text box displays the policy name, the policy version, the current datestamp, and the timestamp. You can also type your own backup file name in the text box. The backup file is stored at C:\Program Files\Symantec Security Manager\Symantec ESM Enterprise Console\Policy Backup\<target manager name>. You do not have an option to save the backup file at a location other than the default location.
- Check the Overwrite if a backup file by the same name already exists check box if you want to overwrite a backup file in case of file name conflicts.
If the target manager contains a policy by the same name, then the policy contents are overwritten by the policy that you want to replicate. When you click the Take a backup option, Symantec ESM takes a backup of the existing policy on the target manager. The policy backup files are stored in the <INSTALLDIR>\Policy Backup\<MANAGERNAME>\ folder. If this location contains a backup file by the same name, then you may choose to overwrite the existing backup file. If you do not choose to overwrite the existing backup file, the replication process terminates with a file name conflict error.
6 In the Template/Word File Name Conflict section, do one of the following:
- Click Abort replication to terminate the policy replication process if the template or word files of the policy are already present on the target manager.
- Click Preserve old files to continue replication without overwriting the template or word files on the target manager.
- Click Overwrite the existing files to overwrite the template or word files of the policy that have the same name on the target manager.
7 Click Finish.
A message prompt displays the success or failure of the policy replication. In case of a policy replication failure, you can view the error log in ESMConsole.log. To preserve the customized color coding, you should choose to overwrite existing templates on the target manager.

Maintaining the policies
See About the Policy tool options on page 145.
You can remove unused operating system entries from the module nodes within each policy.

To remove unused operating system entries from policies
1 In the Symantec Enterprise Security Manager tree, right-click Policies.
2 Click Remove Unused OS's.
3 In the left pane, select the operating systems for which you would like to delete the entries.
4 Click OK.

Updating the policy information
You can update the information in the policies node of the enterprise tree. This section of the tree lists the security policies on a specific manager. This section also lists the modules and security checks that make up the policy.
By updating the policies node information, you can ensure the following:
- Keep the console information current.
- Refresh the cache with any edits that another user may have made.

To update policy information
1 Right-click the Policies node.
2 Click Update.
The ESM console loads the most current policy information from the manager.

About the policy tool
On large networks with many systems, the policy tool can standardize the settings of enabled security checks, templates, and word lists. The policy tool exports policies from a selected manager, then imports the policies to the other managers on the network. The policies that you import enable the same security checks, and contain the same template and word list settings, as the policies of the source manager.
The policy tool exports policies as XML formatted files. You can use a standard text editor to view the contents. Each element is tagged for identification. The file structure separates the modules in the policy and the checks in each module.

The file also contains the policy version and edit level, enabled template entries, and name list types and values.
The policy file that you export by using the policy tool contains the security checks that are in the policy, whether enabled or disabled. However, the file contains only the templates and the word lists that are enabled in the source policy. The policy file that you import by using the policy tool overwrites the policy on the importing manager.

Before using the policy tool
Do the following before you use the policy tool:
Access rights
- To export a policy, obtain access to an account on the manager that has the View access rights enabled for all policies and all templates.
- To import a policy, obtain access to an account on the manager that has the Create new policies and Create new templates access rights enabled.
Operating system domains
- All the operating system domains of the manager that imports a policy must also be on the manager that exports the policy. For example, if the manager that imports a policy has Windows 2000 and HP-UX agent domains, then the manager that exports the policy must also have Windows 2000 and HP-UX agent domains.
- The manager that imports the policy must have the OS domain of the manager that exports the policy. Otherwise, the policy tool terminates the import process.
- The manager that exports the policy and the manager that imports the policy must have the matching UNIX agent domain. Otherwise, the policy tool disables the templates for a UNIX agent domain on the importing manager. You can enable the templates again with the Template Editor.
Directory permissions
- To export a policy, obtain access to an account on the host computer with the Write permission enabled for the destination directory. By default, the Policy tool exports policies to the current directory.

Exported policies
Before you export a policy, verify that at least one agent of each operating system type that is registered to the manager has installed the latest security update. Verifying the security update ensures that the exported policy contains current security checks, templates, and word lists. Then, verify that all the security checks in each module of the policy are set to match your company's security policy. Also, verify that all the templates and the word lists that the policy requires are enabled.

Imported policies
Before you import a policy, verify that the latest security update has been installed on the agents that are registered to the importing manager. Verifying the security update ensures that the agents can run all of the enabled security checks in the policy.

About accessing the Policy tool
To access the Policy tool, complete the following activities for your specific operating system:
- On Windows, at the command prompt, change to the directory that contains the policy tool. The tool installs in the C:\Program Files\Symantec\Enterprise Security Manager\Symantec ESM Enterprise Utilities directory by default.
- On UNIX, at the command prompt, change to the directory that contains the policy tool. The policy tool installs in the esm/bin/<platform> directory by default.

About the Policy tool command line formatting
Apply the following formatting rules when entering a Policy tool command:
- Capitalize policy names to match the case of the corresponding values that are stored on a manager.
- Type policytool as one word.
- Type the Policy tool options last in the command.
To export a policy from a manager, use the following format:
policytool export <manager_name> <user_name> <password> <file_name> <policy_name> [-gui] [-n] [-p] [-y] [-z]
To import a policy to a manager, use the following format:
policytool import <manager_name> <user_name> <password> <file_name> [-gui] [-n] [-p] [-y] [-z]

About the Policy tool values
The Policy tool uses the following values:
manager_name: Name of the manager computer.
user_name: User account name on the manager.
password: User account password on the manager.
file_name: File or archive that contains the exported policy. You can specify a path to make the Policy tool export or import a policy to a directory other than the current directory.
policy_name: Policy that the Policy tool exports. Policy names are case sensitive.

About the Policy tool options
The following list describes the options of the Policy tool:
-gui: Use GUI components when reporting detected conflicts.
-n: Do not report any detected conflicts, and never overwrite the policy.
-p: Specify the TCP port number that is used to contact the manager (default value 5600).
-y: Do not report any detected conflicts, but always overwrite the policy.
-z: Specify the zip file format. Lets the Policy tool export or import a policy, its enabled templates, and enabled word files as a set of packed files in an archive.
-force: Do not abort if the manager is missing checks.
-ignore: Ignore the files that are referenced by the policy that do not exist for import.
-u: Delete suppressions on the target manager that are not present on the source manager while overwriting the suppressions.

Use the -ignore option if you want to restore a policy that contains templates or word files. The -ignore option is necessary when you have backed up the policy by using the ESM Backup utility.

Note: The -gui, -n, and -y options are mutually exclusive.

About the Policy tool functions

You can use the Policy tool to do the following:

Display Help

To display help for the Policy tool, type the following command:

policytool

Export a policy

To export the Phase 1 policy from the GS0100 manager, type the Security Officer account, the my1pass+ password, and the export file name at the command prompt as follows:

policytool export gs0100 "Security Officer" my1pass+ phase1.xml "Phase 1"

Note: Do not edit exported policy files. Importing edited policy files can cause a manager to report conflicts such as nonexistent or invalid modules, checks, templates, or word lists.

Import a policy

To import a policy, use the import format and type the required values and options in a Policy tool command. For example, to import the Phase 1 policy to the GS0200 manager, type the Security Officer account, the my2pass+ password, and the import file name at the command prompt as follows (the user name contains a space, so it must be quoted):

policytool import gs0200 "Security Officer" my2pass+ phase1.xml

While importing a policy to a manager, the Policy tool checks for the policy name on the destination manager. If the Policy tool finds the policy name, it prompts for a decision to overwrite the policy. If you type Yes, the Policy tool overwrites the policy on the manager. If you include the -y option in an import command, the Policy tool writes the policy to the destination manager without prompting for a decision.

Symantec Enterprise Security Manager does not keep multiple copies of policies with the same name on a single manager. If different users import the same policy on the same manager, the last imported version overwrites all previous versions.

Display conflicts using GUI components

To display conflicts using GUI components while exporting or importing policies, use the -gui option with an export or import Policy tool command. For example, to make GUI components report detected conflicts while exporting the policy in the export example above, type the following:

policytool export gs0100 "Security Officer" my1pass+ phase1.xml "Phase 1" -gui

To import the policy in the import example above, using GUI components to display detected conflicts, type the following:

policytool import gs0200 "Security Officer" my2pass+ phase1.xml -gui

Suppress conflicts

To suppress conflict reporting while exporting or importing policies, use the -y or -n option. For example, to suppress detected conflicts while exporting the Phase 1 policy, add one of the following commands to a batch file:

policytool export gs0100 "Security Officer" my1pass+ phase1.xml "Phase 1" -y

policytool export gs0100 "Security Officer" my1pass+ phase1.xml "Phase 1" -n

With -y, the Policy tool overwrites when it detects a conflict; with -n, it never overwrites.

To import the policy to the GS0200 manager while suppressing detected conflicts, type one of the following:

policytool import gs0200 "Security Officer" my2pass+ phase1.xml -y

policytool import gs0200 "Security Officer" my2pass+ phase1.xml -n

Again, -y overwrites the existing policy on conflict and -n leaves it unchanged.

Change directory

The Policy tool exports policy files to the current directory by default. To export policy files to another directory on the computer, specify the full path of the file. For example, to export the policy in the export example above to the C:\Export directory on the GS0100 manager, type the following:

policytool export gs0100 "Security Officer" my1pass+ "c:\export\phase1.xml" "Phase 1"

To import the policy that was exported in this example from the C:\Import directory to the GS0200 manager, type the following:

policytool import gs0200 "Security Officer" my2pass+ c:\import\phase1.xml

Zip files

To minimize the demands on network resources and the size of the exported policy files, use the -z option with the export or import command. This option compresses the .xml file into a .zip file. For example, to export the policy in the export example above as a zip file, type the following:

policytool export gs0100 "Security Officer" my1pass+ phase1.zip "Phase 1" -z

To import the policy that is exported in this example to the GS0200 manager from the zip file, type the following:

policytool import gs0200 "Security Officer" my2pass+ phase1.zip -z

Change TCP port

To connect to a manager that is listening on a TCP port other than the default (5600), use the -p option followed by the port number. For example, to export the policy in the export example above using TCP port 3812, type the following:

policytool export gs0100 "Security Officer" my1pass+ phase1.xml "Phase 1" -p 3812

Performing policy runs

You can specify multiple modules within a policy and limit the number of messages that each run reports. You can also schedule multiple policy runs, view the status of a policy run, stop a policy run, and delete a policy run.

You can run policies on agents or on manager domains. Symantec Enterprise Security Manager compares the current state of the host computers to the policy's security standards. When the policy run completes, you can view the resulting security data in the chart and grid views of the ESM console. You can also display or print security reports, or export the security data to a database for custom reporting.

You can do the following with policy runs:

Modify policy runs by specifying the modules and checks that are used to assess your agent computers

Limit the number of messages or suppress specific messages that a policy run generates

Schedule policy runs to run at set intervals

View the status of policy runs

Stop a policy run

Delete a policy run

To run a policy, you must have the Run Policies access right enabled for domains and the Run access right enabled for policies in the manager account.

When you initiate a policy run on an agent, the policy run request first tries to contact the agent by the registered agent name. If the agent cannot be reached by its registered name, the policy run operation tries the agent's hostname, its FQDN, and its IP addresses, in that order, until the agent is contacted.

On the next policy run, if the agent is again unreachable by its registered name, the manager first tries the name that worked last time. For example, if the agent was contacted by its FQDN on one policy run, the next policy run tries the FQDN immediately after the registered name. If the FQDN also fails, the policy run request falls back to the hostname and the IP addresses, in the same sequence as before, until the agent is contacted.

The following configuration parameter in manager.conf enables or disables this feature on the manager:

USE_AGENT_INFORMATION_DURING_POLICYRUN

The default value of this parameter is 0 (disabled), because the failover mechanism has an impact on policy run time.

To perform policy runs

Do one of the following:

Drag and drop a policy on an agent or domain. To run only one module, drag and drop the module on the agent or domain.

Drag and drop the selected agent or domain on the policy.

Use the Policy Run wizard.

Right-click the policy, and then click Run on domain to run the policy on the agents that are registered to the manager in a specified domain.
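The contact order described above, as an added example that is not part of this guide or of the ESM product: it models the documented sequence (registered name, then hostname, FQDN and IP addresses, with the last name that worked tried first on later runs) and the effect of USE_AGENT_INFORMATION_DURING_POLICYRUN being 0 or 1. The agent record, the set of reachable names and the function names are constructed for the example; no network access is made.

```python
"""Agent-contact failover order used when a policy run starts (added example)."""


def candidate_names(agent, last_good):
    """Names to try, in order, for one policy run.

    agent:     dict with keys "registered", "hostname", "fqdn", "ips" (list).
    last_good: the name that reached the agent on the previous run, or None.
    """
    names = [agent["registered"]]
    fallbacks = [agent["hostname"], agent["fqdn"], *agent["ips"]]
    # A name that worked last time is tried before the fixed sequence.
    if last_good in fallbacks:
        names.append(last_good)
        fallbacks.remove(last_good)
    for name in fallbacks:
        if name not in names:
            names.append(name)
    return names


def contact_agent(agent, reachable, memory, use_agent_information=True):
    """Try to reach `agent`; return (name_that_worked or None, names_tried).

    reachable:             set of names that answer (constructed stand-in for the network).
    memory:                dict registered-name -> last alternate name that worked; updated in place.
    use_agent_information: models USE_AGENT_INFORMATION_DURING_POLICYRUN; when False
                           (the documented default of 0) only the registered name is tried.
    """
    key = agent["registered"]
    names = candidate_names(agent, memory.get(key)) if use_agent_information else [key]
    tried = []
    for name in names:
        tried.append(name)
        if name in reachable:
            if name != key:
                memory[key] = name  # remembered for the next policy run
            return name, tried
    return None, tried


# Constructed sample: an agent whose registered name no longer resolves.
SAMPLE_AGENT = {
    "registered": "web01",
    "hostname": "web01-new",
    "fqdn": "web01.example.com",
    "ips": ["10.0.0.21", "10.0.0.22"],
}
REACHABLE = {"web01.example.com", "10.0.0.22"}


def demo():
    """Two runs with failover enabled, then one with the feature disabled."""
    memory = {}
    first = contact_agent(SAMPLE_AGENT, REACHABLE, memory)
    second = contact_agent(SAMPLE_AGENT, REACHABLE, memory)
    disabled = contact_agent(SAMPLE_AGENT, REACHABLE, {}, use_agent_information=False)
    return first, second, disabled


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second run shows why the feature costs time only when an agent is unreachable: the registered name is always tried first, and the remembered FQDN is tried second, so a healthy agent is never delayed.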

Executing and scheduling a policy by using the Policy Run Wizard

A policy run instructs the ESM agent to gather security data by executing the modules that the policy contains. You can then view the results of the policy run in the ESM console.

The Policy Run Wizard lets you start or schedule a policy run. The wizard helps you ensure that the policy run contains the policies and modules that you want to run on a specific agent or domain. You can specify the time of one-time or recurring policy runs. Scheduled policy runs can include all or only some modules in the policy. Recurring policy runs automatically start and report results at specific intervals. You can specify the email addresses of persons to notify when the policy run is complete, and you can specify the type of report to send.

To create a policy run

1 Do one of the following:

Access the Policy Run Wizard by clicking its icon on the toolbar. Alternatively, right-click a policy and click Policy Run Wizard.

Right-click the Policy Runs node, and then click New.

2 Click the ESM manager that initiates the policy run, and then click Next.

3 Click the policy that you want to execute, and then click Next.

4 Click the modules that you want to include in the policy run, and then click Next.

5 Click the domain on which you want to execute the policy run. You can select only one domain per policy run.

6 Click the agents on which you want to run the policy.

7 Type or select a maximum policy run message count, or check No message count limit.

8 Check Enable LiveUpdate for the agents in this policy run if you want to enable LiveUpdate. When you enable LiveUpdate, the selected agents are updated with the Security Update that you have installed on the computer.

To schedule a policy run

1 Specify the modules that you want to include in the policy run, and then click Schedule.

2 Specify a date for the policy run. On the calendar, click a date. You can also click the arrows to change the month. In the Start date field, you can also click a day of the week, a date, a month, or a year to select it, and then click the up or down arrow at the end of the field. You can also click the large down arrow to display another calendar.

3 In the Start time field, click the hour, minutes, or AM/PM, and then click the arrow to adjust the time.

4 Do one of the following:

To save the date and time for a one-time policy run without an email notification, click OK > Finish.

To specify email notifications when the policy run is complete, click Notification.

When you enable email notifications, you have to update the mail.dat file with the required values to configure ESM for the SMTP server. The mail.dat file is located in the Symantec\Enterprise Security Manager\ESM\config folder on the ESM manager computer. The mail.dat file contains the following fields:

SMTP_SERVER  The SMTP server name.

SMTP_FROM  The account from which the notifications are sent.

SMTP_PORT  The port number of the SMTP server. The default port number is 25.

SMTP_CHARSET  The character set for the SMTP server.

5 In the Notification panel, add a row for each recipient. You can insert or remove rows by clicking Insert Row or Delete Row(s).

6 In the Notification panel, click OK.

7 In the Schedule panel, click OK.

To schedule a recurring policy run

1 Schedule a policy run.

2 Specify a recurring interval by clicking Hourly, Daily, Weekly, Monthly, or Yearly.

3 Do one of the following:

To save the recurring schedule without specifying notices, click OK > Finish.

To send notices when policy runs are complete, click Notification, and then repeat steps 5-7 of the previous procedure.

About executing a single module

You can run an individual module. Running a single module is helpful when you want to assess a single aspect of computer security. For example, you might want to ensure that each password on an agent computer contains at least eight characters. Rather than run an entire policy, you can run the Password Strength module with only the minimum password length check enabled.

To execute a single module

1 On the enterprise tree, expand the policy that contains the module that you want to run.

2 Enable the security checks in the module that you want to run on the agent or domain.

3 On the enterprise tree, drag and drop the module on the agent or domain.

About executing multiple modules

If you want to run some but not all modules in a policy, use the Policy Run wizard to specify which modules to run.

To execute multiple modules

1 Do one of the following:

On the ESM toolbar, click Policy Run Wizard.

On the enterprise tree, right-click the Policy Runs node, and then click New.

2 Select a manager, and then click Next.

3 Select a policy, and then click Next.

4 Select the modules to include in the policy run, and then click Next. By default, all modules are selected. To select a range of modules, click the first item in the range, and then hold down Shift while you click the last item. To select non-sequential modules, hold down Ctrl as you click.

5 Select a domain, and then click Next.

6 Select one or more agents, and then click Next.

7 Do one of the following:

To save the settings and run the policy with the default maximum number of messages, click Next > Finish.

Change the maximum number of messages allowed.

Schedule the policy run for a later time.

Limiting the number of messages

Depending on which modules and security checks you enable and the state of your network, a policy can generate a large number of messages. You can use the Policy Run wizard to specify a maximum number of messages that can be reported in a policy run. If Symantec Enterprise Security Manager reaches the message limit, the last message has a red severity rating. It informs you that the maximum number has been reached and that other messages have not been reported. Treat a run that ends with this message as incomplete: the findings beyond the limit are not reported.

To limit the number of messages reported in a policy run

1 Specify more than one module to run in a policy.

2 Do one of the following:

Type a new value to change the Maximum policy run message count, and then click Next. The default value is 3000 messages.

Check the No message count limit check box, and then click Next.

3 Do one of the following:

Click Finish to start the policy run immediately.

Click Schedule to start the policy run at another time.

Scheduling a policy run

You can specify the time of one-time or recurring policy runs. Scheduled policy runs can include all or only some modules in the policy. Recurring policy runs automatically start and report results at specific intervals. You can specify the email addresses of persons to notify when the policy run is complete, and you can specify the type of report to send.

To schedule a policy run

1 Specify the modules that you want to include in the policy run.

2 Click Schedule.

3 Specify a date for the policy run. On the calendar, click a date. You can also click the arrows to change the month. In the Start date field, you can also click a day of the week, a date, a month, or a year to select it, and then click the up or down arrow at the end of the field. You can also click the large down arrow to display another calendar.

4 In the Start time field, click the hour, minutes, or AM/PM, and then click the arrow to adjust the time.

5 Do one of the following:

To save the date and time for a one-time policy run without an email notification, click OK > Finish.

To specify email notifications when the policy run is complete, click Notification.

To schedule recurring policy runs

1 Schedule a policy run.

2 Specify a recurring interval by clicking Hourly, Daily, Weekly, Monthly, or Yearly.

3 Do one of the following:

To save the recurring schedule without specifying notices, click OK > Finish.

To send notices when policy runs are complete, click Notification.

Editing a policy run schedule

You can edit existing policy run schedules. You can edit the policy run time, the frequency, and the notification settings.

To edit a policy run schedule

1 In the Policy Runs node of the Symantec Enterprise Security Manager tree, right-click the number of the scheduled policy run that you want to edit.

2 Click Edit Schedule.

3 Edit the schedule using the same procedure that you would use to create a new schedule.

About manager pulling data

When you execute a policy run on ESM agents, the manager sends the job request to the agents that you select. The connection with the manager is terminated when the agent starts the policy run with the parameters that you specify. At this stage, the status of the policy run is displayed as Running. When the agent completes the policy execution, the status of the policy run is displayed as Policy run complete.

In the case of multiple agents, the manager polls the agents in sequential order. The manager fetches the data from the agents on which the policy run is complete while it continues to poll the other agents. The manager waits for two minutes after it finishes one polling cycle and then resumes polling the agents to check the policy run status. After the manager fetches the policy run result, the status of the policy run is displayed as Complete.

In certain scenarios, when there are only a few agents, you may notice a lag of a few minutes before the status of the policy run changes from Running to Complete. This happens because the manager takes time to confirm the policy run status for each agent after it updates the manager database.

The manager creates a Control Information File (CIF) connection to fetch the policy run result from the agents and fetches the data on that same CIF connection. Because the agents do not open a new connection to the manager, you do not have to change the firewall settings of your enterprise to allow incoming connections to the manager.

This functionality ensures that you do not lose data even in the event of a technical breakdown. If your manager shuts down for any reason, the manager re-establishes communication with the agents when the manager service restarts. After the manager service restarts, the ESM manager resumes data collection from the point where it lost contact.

The following fields in manager.conf relate to manager pulling data:

AGENT_DATAFETCH_THREADS_COUNT  Specifies the number of threads that an agent data fetch starts at a time. The minimum value is 1, the maximum value is 32, and the default value is 1.

AGENT_DATAFETCH_THREADS_TIMEOUT  Specifies the time that each agent data fetch thread waits to fetch data from an agent. For example, if the timeout value is 200, each thread waits for a maximum of 200 seconds. The thread timeout value represents the end-to-end wait time from the beginning of the data fetch until the final data fetch by the thread. The minimum value is 180 seconds, the maximum value is 600 seconds, and the default value is 300 seconds.

The manager.conf file is located in <Install_dir>\config\ on Windows computers and in /esm/config/ on UNIX computers.

About job throttling

Job throttling enables the ESM manager to distribute policy run jobs to multiple agents at a time. The number of agents is a configurable value on the manager, which you specify in the manager.conf file. The manager.conf file is located in the config folder in the directory where Symantec Enterprise Security Manager is installed.

When you start a policy run on a domain, the Symantec Enterprise Security Manager manager checks the following parameters in the manager.conf file:

AGENT_STARTERS  Specifies the number of agents on which a manager initiates simultaneous policy runs. The value can be between 1 and 5 for both Windows and UNIX managers. The default value for both Windows and UNIX managers is 1. The recommended value is 5.

AGENT_STARTER_TIMEOUT_SECONDS  Specifies the duration for which the Symantec Enterprise Security Manager manager waits to get a response from the agent before it initiates the policy run. The default value is 360.

AGENT_STARTER_LIVEUPDATE_TIMEOUT_SECONDS  Specifies the duration for which the Symantec Enterprise Security Manager manager waits to get a response from an agent that can be updated using LiveUpdate. The default value is 600.

The ESM manager reads and uses these parameters as follows:

It simultaneously executes the policy run request on the number of agents that is specified in AGENT_STARTERS.

It waits for the time that is specified in AGENT_STARTER_TIMEOUT_SECONDS to get a response from any of the agents.

It executes the policy run request on the next agent after either a timeout or a response from any agent.

It repeats this process until the manager has contacted all of the specified agents to initiate the policy run.

Job throttling shows a considerable improvement in the time that is required to complete policy runs when some agents are not contactable. We have observed that in a customer environment, usually about 30% of agents remain unreachable. The improvement is based on a comparison of policy run time with AGENT_STARTERS = 1 and with AGENT_STARTERS = 5. In our test, we have seen an improvement of 77% for Windows managers and 70% for Solaris managers.

You may observe a lower or higher rate of improvement depending on the following factors:

The number of unreachable agents

How often the manager encounters unreachable agents

The time that the contactable agents take to complete the policy run

A larger number of unreachable agents results in a higher percentage improvement. The percentage improvement is better if the unreachable agents are clustered together. The time that the agents take to complete a policy run inversely affects the percentage improvement.

If all the agents in your network are contactable by the manager, the percentage improvement may be low.

Sending completion notices by email

Managers can designate users to receive email notices when policy runs are complete. Email notices help to ensure that security and system administrators receive timely security reports.

To send completion notices by email

1 On Windows operating systems, specify an SMTP server and port number in the esm\config\mail.dat file. Symantec ESM uses port 25 if you do not specify an alternate port number. Symantec ESM uses the domain of the recipient's email address if you do not specify a server name.

2 On UNIX operating systems, configure the manager before trying to send notices. See the UNIX man pages for sendmail information. Table 4-2 lists the supported UNIX-based mail utilities.

Table 4-2 Supported UNIX-based mail utilities

Operating system    Utility
AIX                 mailx
HP-UX               mailx
SGI IRIX            mail
TRU 64/OSF1         mailx
Red Hat Linux       mailx
Solaris             mailx
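The job-throttling rule described above (AGENT_STARTERS requests in flight, the next agent started as soon as any request answers or AGENT_STARTER_TIMEOUT_SECONDS elapses), as an added example that is not part of this guide or of the ESM product. It reads the two parameters from manager.conf text, replays the dispatch rule against a constructed domain in which about 30% of agents never answer, and reports the start-phase time with the default setting beside the recommended one. The KEY=VALUE syntax for manager.conf, the agent response times and the function names are assumptions made for the example; the guide does not show the file's syntax.

```python
"""Job-throttling simulation for AGENT_STARTERS / AGENT_STARTER_TIMEOUT_SECONDS (added example)."""

DEFAULTS = {"AGENT_STARTERS": 1, "AGENT_STARTER_TIMEOUT_SECONDS": 360}
STARTERS_RANGE = (1, 5)  # documented range for AGENT_STARTERS


def load_throttle_settings(conf_text):
    """Parse KEY=VALUE lines (assumed syntax), apply defaults, reject out-of-range values."""
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            settings[key] = int(value)
    low, high = STARTERS_RANGE
    if not low <= settings["AGENT_STARTERS"] <= high:
        raise ValueError("AGENT_STARTERS must be between %d and %d" % (low, high))
    if settings["AGENT_STARTER_TIMEOUT_SECONDS"] <= 0:
        raise ValueError("AGENT_STARTER_TIMEOUT_SECONDS must be positive")
    return settings


def simulate_start_phase(agents, starters, timeout):
    """Seconds until every agent has answered or timed out.

    agents: list of (name, seconds_to_answer or None for an unreachable agent).
    The manager keeps `starters` requests in flight; whenever one answers or
    times out, the next pending agent is started.
    """
    pending = list(agents)
    in_flight = []  # completion times of outstanding requests
    now = 0
    while pending or in_flight:
        while pending and len(in_flight) < starters:
            _, rtt = pending.pop(0)
            in_flight.append(now + (timeout if rtt is None else min(rtt, timeout)))
        now = min(in_flight)       # advance to the earliest answer or timeout
        in_flight.remove(now)      # that slot is free for the next agent
    return now


# Constructed domain: ten agents, three of them (about 30%) unreachable.
SAMPLE_AGENTS = [
    ("a0", 5), ("a1", 5), ("a2", None), ("a3", 5), ("a4", 5),
    ("a5", None), ("a6", 5), ("a7", 5), ("a8", None), ("a9", 5),
]
DEFAULT_CONF = "AGENT_STARTERS=1\nAGENT_STARTER_TIMEOUT_SECONDS=360\n"
RECOMMENDED_CONF = "AGENT_STARTERS=5\nAGENT_STARTER_TIMEOUT_SECONDS=360\n"


def compare(conf_a, conf_b, agents=SAMPLE_AGENTS):
    """Return (seconds_with_a, seconds_with_b, percent_improvement_of_b_over_a)."""
    a = load_throttle_settings(conf_a)
    b = load_throttle_settings(conf_b)
    ta = simulate_start_phase(agents, a["AGENT_STARTERS"], a["AGENT_STARTER_TIMEOUT_SECONDS"])
    tb = simulate_start_phase(agents, b["AGENT_STARTERS"], b["AGENT_STARTER_TIMEOUT_SECONDS"])
    return ta, tb, round(100.0 * (ta - tb) / ta, 1)


if __name__ == "__main__":
    print(compare(DEFAULT_CONF, RECOMMENDED_CONF))
```

With one starter every unreachable agent costs a full 360-second timeout in series; with five starters the timeouts overlap, which is where the improvement the guide reports comes from. Setting the agent response times to 0 and removing the None entries shows the other documented case: when every agent answers, the two settings finish almost together.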

To configure the manager on UNIX operating systems

1 Edit the sendmail.cf file to designate a valid relay host. For example, if the relay host computer name is mail.company.com, change the relay host entry to the following:

# Smart relay host (may be null)
DSmail.company.com

2 Create the /esm/config/mail.dat file and add the lines that specify the name and the port number of the SMTP server. For example, if the SMTP server is mail.mycompany.com, add the following lines to the file:

SMTP_SERVER=mail.mycompany.com
SMTP_PORT=25

(25 is the default port number.)

3 Do one of the following:

On the manager's UNIX computer, restart the sendmail process.

Use an option to force the sendmail process to read the revised sendmail.cf file.

Sending notification messages

Table 4-3 lists and describes the notification messages.

Table 4-3 Notification messages

Policy run status   Start and finish time of the policy run and its completion status.
Agent summary       Agent security level and rating.
Module summary      Agent security level and rating, and the security level and rating of each module in the policy.

To specify an email notification

1 Use the Policy Run wizard to create a new policy run.

2 When you create a policy run, on the last screen, click Notification.

3 Type an email address in the Address field. The address field can contain up to 256 characters.

4 Check one or more messages to send to the recipient.

5 Do one of the following:

Click OK.

To add another recipient, click Insert Row, and then repeat steps 3 and 4. When you are finished adding recipients, click OK.

Click Finish.

Viewing the status of a policy run

You can check the current status of a policy run. Table 4-4 lists the status types that can be reported.

Table 4-4 Policy run status identifiers

Scheduled            The manager has scheduled the policy run to start at a specific date and time.
Started              The manager is contacting agents to start the policy run.
Submitted            The manager has submitted the policy run to the agent.
Queued               The agent has not yet started processing the module in the policy run.
Running              The agent is currently running the module in the policy.
Stop pending         The manager has told the agent to stop running the policy, but the agent is waiting for the module to reach a safe stopping point.
Stopped              The policy run has stopped.
Policy run complete  The agent has completed the execution of the modules, and the manager is pulling the data.
Finalizing           The manager is analyzing the raw reports, applying suppressions, calculating a level and rating for each module, and writing a record to the sumfinal database.
Complete             The policy run is complete without errors.
Error                The policy run either stopped or contains errors.

To view the status of a policy run

1 On the Policy Runs branch of the enterprise tree, do one of the following:

Double-click the policy run ID.

Right-click the policy run ID, and then click Properties.

2 Select an agent.

3 Click View modules.

See "Querying Policy Runs" on page 161.

Querying Policy Runs

Use the Query Policy Run dialog box to query the status of a policy run. The Query Policy Run dialog box provides the following:

The name of the policy

The start time of the policy run

The domain that you selected for the policy run

You can check the status of each module in the policy, and the completion percentage for each agent on which the policy run is executed. You can click an agent to get the most current information on its status.

You can query a policy run only while it is running. When the policy run completes, the Query option is not available.

To query a policy run

1 Right-click a policy run, and then click Properties.

2 In the Properties for Policy Run dialog box, double-click the name of the agent in the Agents grid. Alternatively, click the name of the agent in the Agents grid and click View Modules.

In the Query Policy Run dialog box, you see the following details about the status of the policy run on the selected agent:

The policy run ID

The start time of the policy run

The policy that you executed

The domain that contains the agent

The name of the agent on which you executed the policy run

The modules that were run on the agent

The status of the policy run

The Agent drop-down list displays all the agents that you selected for the policy run. You can select another agent from the Agent drop-down list to view the status of the policy run on that agent.

Viewing scheduled policy run information

Scheduled policy run information includes the following:

Policy run number

Policy name and the number of modules included

Domain name and the number of agents included

Date and time of the initial policy run

Recurrence pattern

Date and time of the next policy run

To view scheduled policy run information

1 On the enterprise tree, right-click Policy Runs, and then click View scheduled runs.

2 In the Schedule Viewer, double-click the policy run.

Selecting agents randomly for a policy run

You can use a feature on the ESM console to randomly select agents for policy runs. This feature lets you run policies on fewer agents in a particular domain, so you save time and resources while evaluating network security.

The feature uses a property file to provide the necessary information. The file lists the manager names, user names, passwords, port numbers, domains, policies, module lists, and the numbers of agents to select randomly. You can use any text editor to create the property file. You must name the file randpol.dat and save it in the same folder as the randpol.exe program. Because the file holds manager passwords in clear text, restrict its file permissions to the account that runs randpol.exe.

The property file is a plain-text, tab-delimited file. The module lists are comma-delimited lists. You can specify all instead of listing the modules in a policy. The property file has the following format:

manager_name<tab>username<tab>password<tab>port<tab>domain<tab>policy<tab>module_list<tab>number_of_agents

The following is an example:

manager1 esmuser my1pass All Agents Phase 1 account,network 50
manager2 esmuser2 my2pass Windows 2000 Agents Phase 1 all 20
manager5 esmuser5 my5pass Windows XP Agents Phase 2 all 40

(The fields are separated by tabs. A value that contains spaces, such as All Agents or Phase 1, occupies a single field.)

To randomly select the agents for a policy run

1 In a text editor, create a property file.

2 Save the property file with the name randpol.dat in the same folder as the randpol.exe file.

3 Change directories to the Program Files\Symantec\Enterprise Security Manager\ESM\bin\<operating system> folder.

4 Type the following:

randpol.exe randpol.dat

Stopping a policy run

You can force a policy run that is in progress to stop, finalize, and exit with an error status. The Stop option terminates the security modules that are running on Windows, UNIX, Linux, and OpenVMS agents. On NetWare/NDS agents, the run completes the module checks that are already underway but does not initiate any checks for the remaining modules.

The Stop option tells the manager that controls the policy run to finalize the results of all completed policy runs. This option returns the results from the modules that have already finished. Modules that have not finished do not return results. The Stop option also contacts each agent and tries to stop any security checks or policy runs that are underway. If the agent can be reached, the run stops when the currently running module reaches a safe stopping point and the manager finalizes the report. If the agent cannot be reached, the portion of the report that is already complete is force-finalized.

To stop a policy run

On the Policy Runs branch of the enterprise tree, do one of the following:

Double-click the policy run ID, and then click Stop job.

Right-click the policy run ID, and then click Stop.

Stopping policy runs at user-defined intervals

You can use a feature on the ESM console to stop policy runs at user-defined intervals. This feature runs in the background until you stop it. You can define the duration of a policy run using one of the following options:

Use the -e option to specify the time interval that must elapse before Symantec Enterprise Security Manager stops a policy run.

Use the -t option to specify the time of day when all policy runs stop.

For example, the -e option with 20:00:00 stops all policy runs that have been running for longer than 20 hours. The -t option with 09:00:00 stops all policy runs at 9:00 A.M.

A property file is required to provide the necessary information. This file contains the manager names, the user names, the passwords, and the port numbers that the feature needs to connect to the managers. Create the property file as a text file. You must name the file jwatch.dat and save it in the same folder as the jwatch program file. As with randpol.dat, the file holds manager passwords in clear text, so restrict its file permissions accordingly.

The property file is a plain-text, tab-delimited file. The property file has the following format:

manager_name<tab>username<tab>password<tab>port

The following is an example:

Manager1 esmuser1 my1pass
Manager2 esmuser2 my2pass
Manager5 esmuser5 my5pass

To stop policy runs at user-defined intervals

1 In a text editor, create a property file, name it jwatch.dat, and save it in the same folder as the jwatch.exe file.

2 Change directories to the Program Files\Symantec\Symantec Enterprise Security Manager\ESM\bin\<operating system> folder.

3 Do one of the following:

To specify a time of day, type: jwatch.exe -t hh:mm:ss

To specify a policy run duration, type: jwatch.exe -e hh:mm:ss

The time specified with -t is the time of day in hours:minutes:seconds. The time specified with -e is the elapsed time in hours:minutes:seconds. For example: jwatch.exe -e 12:00:00 or jwatch.exe -t 09:00:00. Use the 24-hour format; for example, use 23:00:00 for 11:00 P.M.
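Both property files above share the same tab-delimited layout, differing only in the columns that follow the port. The following parser, an added example that is not part of this guide or of the ESM product, checks a randpol.dat or jwatch.dat file against the documented layouts before it is handed to the tools, and also validates the hh:mm:ss values given to jwatch -e and -t. The sample rows, the port value 5600 (the default manager port named earlier in this chapter) and the function names are constructed for the example.

```python
"""Parser for the tab-delimited randpol.dat / jwatch.dat property files (added example)."""
import csv
import io

FIELDS = {
    "randpol": ("manager", "user", "password", "port", "domain",
                "policy", "module_list", "number_of_agents"),
    "jwatch": ("manager", "user", "password", "port"),
}


def parse_property_file(text, kind):
    """Return one dict per non-blank line of a `kind` file; raise ValueError on a bad row."""
    names = FIELDS[kind]
    rows = []
    # Tab delimiting lets domain and policy names keep their spaces ("All Agents").
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    for lineno, row in enumerate(reader, 1):
        if not any(field.strip() for field in row):
            continue  # blank line
        if len(row) != len(names):
            raise ValueError("line %d: expected %d tab-separated fields, got %d"
                             % (lineno, len(names), len(row)))
        rec = dict(zip(names, (field.strip() for field in row)))
        rec["port"] = int(rec["port"])
        if not 1 <= rec["port"] <= 65535:
            raise ValueError("line %d: port out of range" % lineno)
        if kind == "randpol":
            mods = rec["module_list"]
            # "all" selects every module in the policy; otherwise a comma-delimited list.
            rec["module_list"] = None if mods.lower() == "all" else [
                m.strip() for m in mods.split(",") if m.strip()]
            if rec["module_list"] == []:
                raise ValueError("line %d: empty module list" % lineno)
            rec["number_of_agents"] = int(rec["number_of_agents"])
            if rec["number_of_agents"] < 1:
                raise ValueError("line %d: number_of_agents must be at least 1" % lineno)
        rows.append(rec)
    return rows


def parse_hms(value, elapsed=False):
    """Convert hh:mm:ss (24-hour) to seconds.

    elapsed=False validates a jwatch -t time of day (hours 0-23);
    elapsed=True validates a jwatch -e duration, where hours may exceed 23.
    """
    parts = value.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("expected hh:mm:ss, got %r" % value)
    h, m, s = (int(p) for p in parts)
    if (not elapsed and h > 23) or m > 59 or s > 59:
        raise ValueError("out of range: %r" % value)
    return h * 3600 + m * 60 + s


# Constructed samples (tabs written as \t); 5600 is the default manager port.
RANDPOL_SAMPLE = (
    "manager1\tesmuser\tmy1pass\t5600\tAll Agents\tPhase 1\taccount,network\t50\n"
    "manager2\tesmuser2\tmy2pass\t5600\tWindows 2000 Agents\tPhase 1\tall\t20\n"
)
JWATCH_SAMPLE = "Manager1\tesmuser1\tmy1pass\t5600\nManager2\tesmuser2\tmy2pass\t5600\n"

if __name__ == "__main__":
    for rec in parse_property_file(RANDPOL_SAMPLE, "randpol"):
        print(rec)
    print(parse_property_file(JWATCH_SAMPLE, "jwatch"))
    print(parse_hms("09:00:00"), parse_hms("20:00:00", elapsed=True))
```

A file saved with spaces instead of tabs fails the field-count check on its first line, which is the usual cause of these tools reading the wrong column as the port or the password.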

165 Managing policies, modules, and templates Performing policy runs

Deleting a policy run
When you create a scheduled policy run, the policy run number is displayed in the enterprise tree under Policy Runs. The policy run number is displayed even if the policy has not been run. You can delete these policy runs as you would any completed policy run. A policy run that has already started must be stopped, or must complete, before you can delete it.

To delete a policy run
1 On the Policy Runs branch of the enterprise tree, right-click the policy run ID, and then click Delete.
2 Do one of the following:
To delete the policy run and the related summary information, click Yes.
To delete the policy run but retain the summary information, uncheck Delete associated summary data, and then click Yes.

To delete multiple policy runs
1 On the console grid, select all the policy run IDs that you want to delete.
2 Right-click the selected IDs and click Delete.
3 Do one of the following:
To delete the policy runs and the related summary information, click Yes.
To delete the policy runs but retain the summary information, uncheck Delete associated summary data, and then click Yes.
Note: If you delete multiple policy runs simultaneously, deleting their associated summary data might take time.

Updating the policy run information
You can update the information in the Policy Runs node of the enterprise tree. The Policy Runs node of the tree lists the policy runs that have been executed. You can select a policy run and view the following information in the policy run grid:
Policy run status
Start and end time of the policy run
Name of the policy

166 Managing policies, modules, and templates About managing templates
Name of the domain on which the policy was executed

By updating the Policy Runs node, you can do the following:
Keep the console information current.
Refresh the cache with any edits that another user may have made.
See Performing policy runs on page 148.

About managing templates
A template is a file that contains module control directives and definitions of objects with their expected states. Symantec Enterprise Security Manager lets you create, edit, and delete templates.

With each new security update, Symantec Enterprise Security Manager overwrites all of the templates that ship with the program. Consequently, you lose any changes that you have made to these templates. To avoid this problem, create and edit your own templates, or copy and edit the default templates.

Creating a template
Changes that you make to sample templates are overwritten when you download the next Security Update. To avoid this problem, you should create and edit your own templates. Your new template is saved in the Templates branch of the ESM console with other template files that use the same file extension.

To create a template
1 In the enterprise tree, right-click Templates, and then click New.
2 Select an available template type.
3 Type a name for the template without a file extension.
Template names can contain up to 125 characters. You cannot include spaces in a template name or start the name with a hyphen (-). The following characters are not allowed in a template name: . # / : * ? " < > ; { } [ ]
You cannot leave a template name blank. Symantec Enterprise Security Manager provides the extension according to the template type that you select.
4 Click OK.

167 Managing policies, modules, and templates About managing templates

Editing the template rows
You can edit a template by using the Template Editor. You can add and delete rows, and specify the contents of row fields.

To open a template in the Template Editor
1 In the enterprise tree, expand the Templates branch.
2 Double-click the template to open the Template Editor.
The Template Editor organizes templates into rows and columns. Each row describes a single file, patch, or other item. The columns contain the information that Symantec Enterprise Security Manager matches with agent settings.

To add a template row
1 In the Template Editor, open a template, and then click Add Row.
2 Specify row information, including any sublist information that is needed.
3 Click Save, and then click Close to exit the Template Editor.

To remove one or more rows
1 In the Template Editor or Sublist Editor, click the left-most numbered option of the row that you want to remove.
For a range of rows, hold down the Shift key while you click the first and last row numbers. For multiple non-sequential rows, hold down the Ctrl key while you click each row number.
2 Click Remove Rows.
3 Click Save, and then click Close.

Copying a template
You can copy an existing template to the same manager using a new name, and then edit the template to meet your needs. On large templates, such as the File Attributes module templates, copying is faster than creating a new template. Templates require unique names that can have up to 38 characters and cannot contain any periods.

You can also copy a template from one manager to another manager as long as both ESM managers are viewable from the same ESM console. You must have a 6.0 or later version of the ESM console installed to copy templates using the ESM console menu command.

168 Managing policies, modules, and templates About managing templates

To copy a template
1 In the enterprise tree, expand the Manager branch that contains the template.
2 Expand the Templates branch.
3 Right-click the template that you want to copy, and then click Copy.
4 In the Copy Template dialog box, type a unique name for the template.
Template names can contain up to 125 characters. You cannot include spaces in a template name or start the name with a hyphen (-). The following characters are not allowed in a template name: . # / : * ? " < > ; { } [ ]
You cannot leave a template name blank. Do not specify an extension, because Symantec Enterprise Security Manager provides the extension according to the template type that you copy.
5 Click OK.

To copy a template from one manager to another manager
1 In the enterprise tree, expand the Manager branch that contains the template.
2 Expand the Templates branch.
3 Right-click the template that you want to copy, and then click copy to manager.
4 In the Select Manager dialog box, select the manager to which you want to copy the template.
5 Click OK.

Editing a template
Use the Template Editor to do the following:
Edit the contents of a string or numeric field
String fields can store free-form text, such as the Agent Name, File Name, and File Signature fields of the File Watch template. Numeric fields can store positive or negative integers or real numbers. The Severity field in the Patch template is an example of a numeric field.
Check or uncheck a check box
Some fields have check boxes that you can check to direct the module to examine specified items. For example, use the New and Removed check boxes in the File Watch template.
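The naming rules that the New and Copy Template dialogs enforce (stated above for creating a template and again for copying one) are the kind of thing a script that generates templates in bulk should check before it submits a name. The following Python is an added example, not Symantec's code. It applies exactly the rules this section lists: the 125-character limit, no spaces, no leading hyphen, the listed forbidden characters, and no blank name; it assumes nothing beyond that list is rejected.

```python
"""Added example: checking a proposed template name against the rules this section states.

Not Symantec's code; it implements only the rules listed on this page.
"""

MAX_TEMPLATE_NAME_LENGTH = 125
# The characters the page lists as not allowed in a template name.
FORBIDDEN_TEMPLATE_CHARS = frozenset('.#/:*?"<>;{}[]')


def template_name_problems(name):
    """Return a list of rule violations for `name`; an empty list means the name is acceptable."""
    if name == "":
        return ["template name is blank"]
    problems = []
    if len(name) > MAX_TEMPLATE_NAME_LENGTH:
        problems.append(
            f"name is {len(name)} characters; the limit is {MAX_TEMPLATE_NAME_LENGTH}")
    if " " in name:
        problems.append("name contains a space")
    if name.startswith("-"):
        problems.append("name starts with a hyphen")
    bad = sorted(set(name) & FORBIDDEN_TEMPLATE_CHARS)
    if bad:
        problems.append("name contains forbidden character(s): " + " ".join(bad))
    return problems


def is_valid_template_name(name):
    """Convenience wrapper: True only when no rule is violated."""
    return not template_name_problems(name)
```

Because several of the forbidden characters are path separators, drive-letter colons and shell wildcards, rejecting them client-side also keeps a generated name from being interpreted as anything other than a plain file name on the manager.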

169 Managing policies, modules, and templates About managing templates

Select a context menu item
Some fields have context menus that are displayed when you click a field. For example, Signature fields in File and File Watch templates display context menus when clicked.
Edit a sublist
Some fields contain sublists. Sublist fields display the number of items in the sublist. Examples include the OS/Rev columns in File templates and Integrated Command Engine (ICE) templates.

Editing sublists in a template
The entries in the template sublist editor, and the exact operations that it can perform, depend on the configuration of the module whose template you are editing. For example, in a File Attributes template you can edit the user/group, the object permission, or the inherit permission of an ACL.

To edit a sublist in a template
1 Right-click the template that you want to edit, and then click Properties.
2 In the Template Editor, click an entry in the ACL column. The Template Sublist Editor appears.
3 Click a row and make the edits.

Adding an item to a template
The type of item that you can add to a template depends on the type of template that you are editing. For example, if you are editing a template for the File Attributes module, this dialog box lets you add a file to the template. If you are editing the template for the Registry module, this dialog box lets you add a registry key to the template. An item can also be a hierarchy item, such as a directory, or keys and subkeys in a registry. When you add an item to the template, new policy runs of the module that uses the template check the item against its template entry and report any discrepancies.

To add an item to a template
1 Double-click the template to open the Template Editor.
2 Click Add File. To add an item to the template for the Registry module, click Add Key.
3 In the Agent Name box, type the name of the agent system where the item is located.
4 In the Item Name box, type the name of the item that you want to add to the template. Use the fully qualified path name; for example: C:\temp\letter.doc.

170 Managing policies, modules, and templates About managing templates

Adding hierarchical items to a template
The type of hierarchical item that you can add to a template depends on the type of template that you are editing. For example, if you are editing a template for the File Attributes module, this dialog lets you add a directory to the template. If you are editing a template for the Registry module, this dialog lets you add registry keys and subkeys to the template. After you add a hierarchical item to the template, new policy runs of the module that uses the template check the item against its template entry and report any discrepancies.

To add a hierarchical item to a template
1 Double-click the template to open the Template Editor.
2 Click Add Folder. Click Add Key/Subkeys if it is the template for the Registry module.
3 In the Agent Name box, type the name of the agent system where the hierarchical item is located.
4 In the Item Name box, type the name of the hierarchical item that you want to add to the template. Use the fully qualified path name; for example: C:\temp.
5 Under Items to include, do one of the following:
Click This item and all subordinates to add the hierarchical item and any subordinates.
Click This item only (no subordinates) to add only the indicated hierarchical item.
Click Include and then enter a level in the Subordinate level box. A level of 2 adds the hierarchical items from level 1 plus any subordinates under those items. Each higher number adds an additional subordinate level to the template. For example, a level of 3 adds the hierarchical items from level 2 plus any subordinates under those items.

Updating template information
You can update the information in the Templates node of the enterprise tree. This section of the tree lists templates on a specific manager.
Updating the Templates node information keeps the ESM console information current with any template edits implemented by another ESM console user who is connected to the same manager.

171 Managing policies, modules, and templates About managing security checks

To update template information
1 Right-click the Templates node.
2 Click Update.
The ESM console loads the most current template information from the manager.

Deleting a template
From the ESM console, you can delete unwanted templates from a specific ESM manager.

To delete a template
1 In the enterprise tree, expand the Manager branch that contains the relevant template.
2 Expand the Templates branch.
3 Right-click the template that you want to delete, and then click Delete.
4 Click Yes.

Removing unused templates
You can remove the templates that are specific to operating systems that are no longer used on your network. This feature automatically determines which operating systems are no longer used in your enterprise and deletes the related templates.

To remove unused templates
1 Right-click Templates in the Symantec Enterprise Security Manager tree.
2 Click Remove Unused Templates.

About managing security checks
Symantec Enterprise Security Manager lets you enable and disable security checks.

Enabling and disabling security checks
Only enabled security checks provide information when you run a module.

To enable and disable security checks
1 In the enterprise tree, expand the Policies tree.
2 Expand a module branch.

172 Managing policies, modules, and templates Editing name lists
3 Do one of the following:
Double-click the operating system icon.
Right-click the operating system icon, and then click Properties.
4 Do one of the following:
Check to enable.
Uncheck to disable.

About specifying options for security checks
You can control the behavior of security checks with options. Some options contain text fields that you can use to specify parameters, for example, the minimum number of non-alphabetic characters that is required in a password. Other options specify, as name lists, the entities that you want to examine. For example, in the Users to Check option of the Password Strength module, specify which users and security groups all module security checks should examine or skip. This check is permanently enabled, as indicated by the circle in the box.

Modules and their associated checks can vary by operating system. Some modules have versions that run on all supported computers, though the checks differ by operating system, while others are limited to specific computers.

About validating the security checks
Before you apply a new security check to your enterprise, create a demo policy and add the new check to it. Then verify the check on a test computer. By using a demo policy, you can obtain results without impacting the settings of policies that the Symantec Security Response team creates. You should delete the demo policy after you complete your tests.

Editing name lists
You can use name lists to specify the items that all or some security checks in a module include or exclude. Some name lists contain the following items:
New, Delete, Move Up, and Move Down icon options
List area

173 Managing policies, modules, and templates Editing name lists
Include and Exclude options

Table 4-5 lists the types of name lists and their contents.

Table 4-5 Name list types
Type                          Contents
Users                         User account names such as user1 and user2
Groups                        User account groups such as system operators and administrators (Windows 2000/XP)
Files/Folders                 Files or folders such as C:\Program Files\Symantec\Enterprise Security Manager\ESM\bin
Enabled/Disabled word files   Word files containing word lists
Enabled/Disabled files        Template files
Key (word)                    Sets of keys or keywords
Generic strings               Sets of generic character strings

To access a name list
In the left pane of the Module properties window, click an option or security check. The right pane displays name lists where you can specify the items that are to be included or excluded when you run all or some of the security checks in the module.

To add an item to a name list
1 In the module properties window, click New.
2 Type the item name. You can use the asterisk (*) character as a wildcard to represent a set of items. For example, \myapp\* specifies all files in the \myapp folder.
3 To add another item, press Enter, and then repeat steps 1 through 2.
4 Click Include or Exclude to indicate whether to examine or skip the listed items.
5 Click OK.

174 Managing policies, modules, and templates About Users and Groups name list precedence

To remove an item from a name list
1 Click the item.
2 Click Delete.
3 Click OK.

To move an item up or down in a name list
1 Click the item.
2 Click Move Up or Move Down.
3 Click OK.

About Users and Groups name list precedence
When a module or a security check contains User and Group name lists, the names in the Group list are processed first. Then, within each selected group, the names in the User list are processed.

Table 4-6 summarizes the results that you receive from the name lists that include or exclude User or Group entries.

Table 4-6 Single Users and Groups name list results
When the check                           And the users list       And the groups list       Then the check reports
Includes a user or group name list       contains user entries    is blank                  data for all reported users
Includes a user or group name list       is blank                 contains group entries    data for all reported groups and users that are in the checks
Excludes a user or group name list       contains user entries    is blank                  data for all groups and users except the reported users
Excludes a user or group name list       is blank                 contains group entries    data for all groups except the reported groups and users that are in the checks
Includes or excludes blank name lists    is blank                 is blank                  data for all groups and users

175 Managing policies, modules, and templates About Users and Groups name list precedence
Some modules include the Users to Check option with name lists that more than one security check uses. Some of the security checks that use the Users to Check name lists also use their own name lists. When a security check uses two Users and Groups name lists, the combined contents of the name lists are processed.

Table 4-7 summarizes the checks and name lists for multiple users and groups.

Table 4-7 Multiple Users and Groups name lists
Check option                            Check name lists                                                      Check reports
Includes Users/Groups entries           Includes Users/Groups entries                                         Data about all groups and their users, and all users, in both user lists
Includes Users/Groups entries           Excludes Users/Groups entries that are included by Users to Check     No data about groups and users in the check name lists
Excludes Users/Groups entries           Includes Users/Groups entries that are excluded by Users to Check     No data about groups and users in Users to Check name lists
Excludes Users/Groups entries           Excludes Users/Groups entries                                         No data about groups and users that are in the name lists
Includes or excludes blank name lists   Includes or excludes blank name lists                                 Data for all groups and users
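Getting the Include/Exclude semantics of the Users and Groups lists wrong is an easy way to silently skip accounts from a password or privilege check. The following Python is an added example, not Symantec's code: it resolves the set of accounts a check reports on from its two name lists, following the rows of Table 4-6 and the stated precedence (Group list first, then the User list). It also honours the asterisk wildcard described under "To add an item to a name list". The account directory is constructed sample data. Where both lists have entries, which Table 4-6 does not cover, the example applies the User list within the selected groups; that reading of the precedence sentence is this example's assumption. The combined Users to Check and per-check lists of Table 4-7 are not modelled.

```python
"""Added example: resolving a check's Users and Groups name lists (Table 4-6).

Not Symantec's code. SAMPLE_DIRECTORY is constructed data. Applying the User
list within the selected groups when both lists are non-blank is an assumption.
"""
from fnmatch import fnmatchcase

# Constructed account directory: user name -> set of group names (sample data only).
SAMPLE_DIRECTORY = {
    "administrator": {"Administrators"},
    "backupop": {"Backup Operators"},
    "alice": {"Users"},
    "bob": {"Users", "Power Users"},
    "svc_web": {"Users"},
    "svc_db": {"Users"},
}


def _matches(name, patterns):
    """True if `name` matches any name-list entry; '*' stands for any run of characters."""
    return any(fnmatchcase(name, pattern) for pattern in patterns)


def members_of(group_patterns, directory):
    """Users that belong to at least one group named in the Groups list."""
    return {user for user, groups in directory.items()
            if any(_matches(group, group_patterns) for group in groups)}


def resolve_name_lists(mode, users, groups, directory):
    """Return the set of user accounts the check reports on.

    mode   -- "include" (examine only the listed items) or "exclude" (skip them)
    users  -- entries of the Users name list (may be empty)
    groups -- entries of the Groups name list (may be empty)
    """
    if mode not in ("include", "exclude"):
        raise ValueError("mode must be 'include' or 'exclude'")
    everyone = set(directory)
    if not users and not groups:
        return everyone                    # Table 4-6, last row: blank lists report everyone
    if groups:
        selected = members_of(groups, directory)          # Group list is processed first
        if users:                                         # then the User list within those groups
            selected = {user for user in selected if _matches(user, users)}  # (assumption)
    else:
        selected = {user for user in everyone if _matches(user, users)}
    if mode == "include":
        return selected                    # rows 1 and 2: data only for the listed users/groups
    return everyone - selected             # rows 3 and 4: data for all except the listed ones
```

A quick way to audit a policy is to run resolve_name_lists with the directory exported from a test agent and confirm that the service and administrative accounts you expect to be examined actually appear in the result; an Exclude list with a broad wildcard such as svc_* will drop every service account from the report.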


177 Chapter 5 Viewing security data

This chapter includes the following topics:
About viewing the summary and detailed data
Retrieving summary data for regions and managers
Updating summary data at the domain level
About using the ESM console grid and chart
Setting the chart graphics
About obtaining information on the messages
Filtering the security data
Using the grid functions
Customizing the chart appearance

About viewing the summary and detailed data
Policy runs report security compliance issues for analysis and correction. Symantec Enterprise Security Manager presents its findings in either a summary or detailed format. The summary data provides an overall picture of the organization's security. The detailed information provides information on specific security violations. Symantec Enterprise Security Manager helps focus your efforts on critical security issues through identification and presentation of compliance issues in multiple formats.

You can access summary data in the summary branch of the enterprise tree. The summary branch displays information in named nodes. Figure 5-1 illustrates the nodes in the summary branch.

178 Viewing security data Retrieving summary data for regions and managers
Figure 5-1 Summary branch nodes

The detailed data describes the specific security issues that exist on a host computer. You can access this data by expanding a module in the summary branch and clicking a policy run node. The information appears in grid format. The detailed information includes the following:
Title or name of the security message.
Security level of the message (red, yellow, or green).
Item updates or corrections when available.
Name of the non-compliant computer.
Information that the check reports.

Retrieving summary data for regions and managers
You can retrieve the summary data for all managers in a created region and in the default All Managers region.

To retrieve summary data at the region level
Right-click a region, and then click Retrieve Summaries.

To retrieve the most recent summary data from All Managers
On the enterprise tree, right-click All Managers, and then click Retrieve Summaries.

Updating summary data at the domain level
You can update the summary information for a specific ESM manager at the domain level.

179 Viewing security data About using the ESM console grid and chart
The domain level of the tree displays the following:
Domains on the ESM manager.
Agents in the domains on the ESM manager.
Policy run summary information for any policy runs on agents in the domains.
Updating the domain level ensures that the current information (such as security level and ratings) is displayed in the chart and grid.

To update the summary data of a domain
1 Right-click the Domains node.
2 Click Update.
3 Click Yes to update the summary data for the domain.

About using the ESM console grid and chart
To use Symantec Enterprise Security Manager, you must be able to interpret the information in the ESM console grid and chart. The ESM console displays security data in the following modes:
Drill-down
Summary
Trend
You can select the mode on the View menu or by clicking the associated icons on the toolbar. You can also select settings to filter summary information. The settings determine the information that the chart and the grid display. The following are the differences between the modes:

Mode         Chart contents
Drill-down   The chart shows the current security level and score of the objects that are immediately beneath the object that you select in the summary branch.
Summary      The chart shows a count by security level of the objects that are immediately beneath the object that you select in the summary branch.
Trend        The chart shows how the security level and score of the object that you select in the summary branch have changed over time.

180 Viewing security data About using the ESM console grid and chart

Using the drill-down mode
The drill-down chart displays the current level and score of the objects that are directly beneath the selected object in the summary branch. For example, if you select a policy in the summary branch, the drill-down chart displays the security level and score of the modules that are in that policy.

You can expand the tree and access successively lower levels of information. You can access the information by clicking the nodes that are next to the objects in the summary branch. You can also access the information by clicking the colored portions of the chart or chart legend.

Figure 5-2 illustrates a drill-down chart. This chart displays the results of a Phase 1 policy execution on an agent.
Figure 5-2 Drill-down chart

The drill-down chart lets you see which objects need the most attention. Red objects pose the greatest threat and should be addressed first, followed by yellow objects. Green objects generally require no action. In addition to red, yellow, and green security levels, the chart may contain black bars, which indicate the lack of data. This means that the related object has no summary data to contribute to the chart.

181 Viewing security data About using the ESM console grid and chart
The drill-down chart graphs the contents of the Level and Rating columns in the grid. These ratings indicate an object's conformity to a policy. Figure 5-3 illustrates the components of a drill-down chart.
Figure 5-3 Components of the drill-down chart

By default, the option to view the object data as a drill-down chart is disabled, because the chart may take several minutes to generate. You can enable the option to view a drill-down chart from the View menu. You can also specify the minimum and maximum numbers of datapoints that Symantec ESM considers when drawing a chart.

To specify the drill-down datapoints
1 On the console task bar, click View > Drill-Down Datapoints...
2 In the Drill-down Chart Options window, check Show Drill-down Chart.
3 In the Specify minimum datapoints to ask for confirmation before drawing the chart text box, enter the minimum number of datapoints in an object for which ESM should draw the chart. If the number of datapoints exceeds this value, ESM asks for confirmation before it draws the chart with the specified datapoints.
4 In the Specify maximum datapoints after which the chart will not be displayed text box, enter the maximum number of datapoints for drawing the chart. The console does not draw any drill-down chart if the number of datapoints exceeds the number that you specify.

182 Viewing security data About using the ESM console grid and chart

To view object data
1 On the console task bar, click View > Drill-down mode.
The following warning message is displayed when Symantec ESM creates the chart for the first time: Drill-down charts for some objects may take time. Do you want to continue?
2 Click Yes to continue.
3 Do the following to expand the tree and access the relevant object in the summary branch:
Click the node icons next to the objects in the summary branch.
Click the colored portions of the chart or chart legend.
See Using the summary mode on page 182.
See Using the trend mode on page 184.

Using the summary mode
The summary chart shows a count by security level of the objects that are under the selected object in the summary branch. For example, if you select a policy, the summary chart displays a count by security level of the modules in that policy.

The summary chart appears in pie chart format by default. You can select the toolbar icon, click the chart or legend, and change the display to drill-down mode.

Figure 5-4 illustrates a summary chart. In this instance, the chart displays the results of a Phase 1 policy execution on an agent.

183 Viewing security data About using the ESM console grid and chart
Figure 5-4 Phase 1 policy summary chart

To view summary data
1 On the console task bar, click View > Summary mode.
2 Do the following to expand the tree and access the objects in the summary branch:
Click the nodes next to objects in the summary branch.
Click the chart or the chart legend.

In the summary mode, if you click the summary chart of an object, the drill-down chart for that object is displayed. This conversion does not change the mode that the ESM console is in. The ESM console remains in the summary mode unless you select the drill-down mode from the View menu or the toolbar.

When you click the summary chart of an object that has a large number of sub-items, the following message is displayed: Drill down chart of this object may take time. Do you want to continue?

Symantec Enterprise Security Manager does not display this message if the ESM console is already in the drill-down mode, even if the object that you click has a large number of sub-items. Symantec recommends that you keep the ESM console in the summary mode.

184 Viewing security data About using the ESM console grid and chart
See Using the drill-down mode on page 180.
See Using the trend mode on page 184.

Using the trend mode
The trend chart portrays changes in a selected object's security level and score over time. You can view changes in security level and score on a daily or a weekly basis. An explanation of each follows:
Daily: Symantec Enterprise Security Manager displays the security level and score of the last run that occurred before 11:59 PM each day.
Weekly: Symantec Enterprise Security Manager displays the security level and score of the latest run that occurred before 11:59 PM each Saturday.

The grid and chart depict the data starting with the most recently available policy run. If the number of data points exceeds the available data, Symantec Enterprise Security Manager depicts what is available. Symantec ESM then repeats the oldest data point for each of the earlier periods.

Figure 5-5 illustrates a trend chart. In this instance, the chart displays the results after a user enables the account lockout feature on the host computer.

185 Viewing security data About using the ESM console grid and chart
Figure 5-5 Trend chart

To view trend data
1 On the console task bar, click View > Trend mode.
2 Click the node icons next to objects in the summary branch to expand the tree and access the wanted object in the summary branch.

To configure the number of trend data points
1 On the console task bar, click View > Trend datapoints.
2 Click Daily or Weekly to specify the data point interval.
3 Type a number in the Number of datapoints text box, or use the up or down arrows to change the number of data points.
See Using the summary mode on page 182.
See Using the drill-down mode on page 180.
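The rules for the trend chart described above (the last run before 11:59 PM of each day or each Saturday, most recent period first, the oldest point repeated when the requested number of data points exceeds the available runs) are easy to reproduce outside the console, which is useful when you want the same series in a report or a ticket. The following Python is an added example, not Symantec's code. The policy-run history is constructed sample data; the example assumes a run counts for a period when it finished at or before that period's 11:59:59 PM boundary, and that weekly periods end on Saturday as the text states.

```python
"""Added example: building the daily or weekly trend series from policy-run results.

Not Symantec's code. SAMPLE_RUNS is constructed data; a run counts for a period
when it finished at or before the period's 11:59:59 PM boundary (assumption).
"""
from datetime import datetime, timedelta

# Constructed history of policy runs on one object: (finish time, level, score).
# 1 March 2010 is a Monday; 6 March 2010 is a Saturday.
SAMPLE_RUNS = [
    (datetime(2010, 3, 1, 9, 0), "red", 35),
    (datetime(2010, 3, 1, 18, 30), "yellow", 60),  # last run of 1 March counts for that day
    (datetime(2010, 3, 3, 8, 0), "yellow", 65),
    (datetime(2010, 3, 6, 22, 0), "green", 90),    # Saturday run, after account lockout was enabled
    (datetime(2010, 3, 10, 7, 15), "green", 95),
]

SATURDAY = 5  # datetime.weekday(): Monday == 0 ... Saturday == 5


def period_end(when, interval):
    """11:59:59 PM of the day (daily) or of the Saturday that ends the week (weekly) containing `when`."""
    day_end = when.replace(hour=23, minute=59, second=59, microsecond=0)
    if interval == "daily":
        return day_end
    if interval == "weekly":
        return day_end + timedelta(days=(SATURDAY - when.weekday()) % 7)
    raise ValueError("interval must be 'daily' or 'weekly'")


def trend_series(runs, interval, datapoints):
    """Return `datapoints` tuples of (period end date, level, score), oldest first.

    For each period the last run that finished before its boundary is used, so a
    day without a run carries the previous run's level and score forward. Once
    no older run exists, the oldest data point is repeated for the earlier
    periods, as the console does.
    """
    if not runs or datapoints <= 0:
        return []
    ordered = sorted(runs, key=lambda run: run[0])
    newest_end = period_end(ordered[-1][0], interval)
    step = timedelta(days=1 if interval == "daily" else 7)
    series = []
    for offset in range(datapoints):
        boundary = newest_end - offset * step
        usable = [run for run in ordered if run[0] <= boundary]
        finished, level, score = usable[-1] if usable else ordered[0]
        series.append((boundary.date().isoformat(), level, score))
    series.reverse()
    return series
```

Note that a period with no run of its own repeats the previous run, so a flat stretch in the chart can mean "unchanged" or "not scanned"; check the policy run list before reading a flat line as stable compliance.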

186 Viewing security data Setting the chart graphics

Setting the chart graphics
You can set the following options for the chart graphics:
Show the chart legend.
Display the chart in 2D graphics.
Display the chart in 3D graphics.
Display the chart as a pie chart.
Display the chart as a bar chart.

To show the chart legend
On the console task bar, click View > Chart Options > Show Chart Legend.

To display the chart in 2D graphics
On the console task bar, click View > Chart Options > 2D Chart Graphics.

To display the chart in 3D graphics
On the console task bar, click View > Chart Options > 3D Chart Graphics.

To display the chart as a pie chart
On the console task bar, click View > Chart Options > Display as Pie Chart.

To display the chart as a bar chart
On the console task bar, click View > Chart Options > Display as Bar Chart.

About obtaining information on the messages
Symantec Enterprise Security Manager lets you access detailed information about the messages that are reported during policy runs. Table 5-1 describes the information that you can access about messages.

Table 5-1 Message information
Information title   Description
Description         Describes the message and the security violation that caused the message to be reported. The information outlines the relevant security concepts that are associated with the message, and gives the cause and the implications of the security violation.

187 Viewing security data About obtaining information on the messages

Table 5-1 Message information (continued)
Information title                        Description
Category                                 Shows the message category.
Controls                                 Provides the details about which checks reported the message.
Suppressing the message                  Provides the message suppression information, including the procedure for suppressing the message in Symantec Enterprise Security Manager.
Solutions                                Provides the details on how to resolve the security violation. This data includes information on the component of information security that relates to the check. The data also includes information on how to correct the security violation. The information may also provide URLs for downloading relevant patches.
CVE ID (Common Vulnerability Exposure)   Displays the Common Vulnerability Exposure ID for the security issue that is related to the message.
Additional resources                     Displays the locations where you can obtain additional information that is related to the security threat.
Affected products                        Shows the software applications and the platforms that are affected by a reported vulnerability.
Vulnerabilities                          Displays all vulnerabilities that are resolved by installing the patch or software that is associated with the vulnerability that caused the message to be reported.

The message category includes the following:
Change notification: This category contains the messages that report changes to snapshots on Symantec ESM agent computers; specifically, additions, modifications, and deletions.
ESM administrative information: This category contains the messages that inform the user of actions that Symantec Enterprise Security Manager took. For example, messages regarding the creation of a snapshot or checks that were not performed fall into this category. Unexpected actions can indicate security risks.

188 188 Viewing security data About obtaining information on the messages ESM error This category contains the messages that inform users of Symantec Enterprise Security Manager policy configuration errors. The errors that the messages report can be corrected by adjusting Symantec Enterprise Security Manager policy configurations. ICE This category contains the messages that are derived from the Integrated Command Engine module. These messages are difficult to classify because the meaning of the messages can vary depending on the Integrated Command Engine scripts. Patch assessment This category contains the messages that report information on the state of operating system patches. These messages report the details whether a computer has all of the necessary patches. Policy compliance This category contains the messages that report whether a Symantec ESM agent host computer complies with a Symantec Enterprise Security Manager policy. The security levels that are associated with these messages rate the severity of the security risk to these computers. System error This category contains the messages that report errors on Symantec ESM agent host computers that prevent or invalidate a policy run. These can be regarded as audit errors. System information This category contains the messages that report the information that can be used to manually assess or audit a computer. These messages do not have a direct implication regarding the security state of the computer. Icons that appear in the upper-right corner show how each security problem affects the confidentiality, integrity, and availability of your information. To access information about messages 1 On the enterprise tree, expand the following: Manager > Domain > Agent > Policy > Module > Policy Run No > Message. 2 Click a policy run number. 3 In the message grid at the bottom of the screen, click a message line.

To print information about messages
    1. Right-click in the pane of the ESM console.
    2. Do one of the following:
       - Click Open in default browser.
       - Click Print.

Filtering the security data

Summary data filters let you choose the policies, modules, operating systems, and messages that Symantec Enterprise Security Manager includes in the grid, chart, or security reports. The filters do not affect the reports that the Reports tool produces.

You can use filters to remove the policies, modules, operating systems, and messages that you do not want to display. The filters apply to the summary data in the enterprise tree from My ESM Enterprise down to a selected manager, and may go down through the manager's domains to the modules in the summary branch. As a result, you can filter summary data at any level that Symantec Enterprise Security Manager reports.

You can select filter properties in the Summary Data Filter dialog box as follows:

- The Policy tab lets you select a single policy. You can choose to always use the most recently run policy or select a different policy run.
- The Modules and Operating Systems tab lets you select specific modules and operating systems; for example, Windows, UNIX, NetWare, or OpenVMS.
- The Messages tab lets you enable the display of long message text and of suppressed messages. It also displays the message differences between the most recent policy run and a previous policy run.

If you choose to show suppressed messages, the Level column in the grid indicates which messages are suppressed.

If you choose to view policy run differences, the grid displays new, unchanged, and old messages in different typefaces. New messages appear in bold type, unchanged messages in normal type, and old messages in italics. You can select whether to show new, unchanged, and old messages. You must select either drill-down mode or summary mode to use the differences filter.

- The Differences box indicates that policy run differences are shown.
- The Suppressed box indicates that suppressed messages are shown.
- The Filter Applied box indicates that operating system, module, or policy filters are active.

To create or edit a filter
    1. On the console task bar, click the View/edit summary filter settings icon.
    2. Select the policy, modules, operating systems, and messages for your filter on the corresponding tabs of the dialog box. For help, select the tab, and then click Help.

Using the grid functions

In the ESM console, when you select an object in the tree, Symantec Enterprise Security Manager displays details about that object in a grid. The grid lets you find and copy text in its columns. The copy option copies text from the grid to the clipboard on a Windows computer. The find option conducts a sequential search of a column in the grid for occurrences of specific text. For example, you can search the list of security messages that results from a policy run for a specific user, computer, or other criteria.

To copy text from the grid
    1. Select the text in the grid that you want to copy.
    2. Right-click the selected text, and then click Copy.
    3. Paste the text into any open application.

To find text in a column of the grid
    1. In the grid, right-click the column that contains the text that you want to find, and then click Find text in column.
    2. Type the text to search for in the Find what text box.
    3. Click Up or Down to select a search direction.
    4. Check Match case to match the case of the input text to the text in the grid.

To delete a policy run from the grid
    Right-click a row in the grid, and then click Delete on the menu that appears.

To delete multiple policy runs from the grid
    1. Select a row in the grid, and then hold down the Ctrl key while you click each additional policy run that you want to delete. Alternatively, click a row, hold down the Shift key, and then click the last row of the range of policy runs that you want to delete.
    2. Right-click the selected policy runs, and then click Delete on the menu that appears.

Customizing the chart appearance

The ESM console retains the chart settings that you select when displaying graphical information. These settings are stored in your user environment, so each ESM console user can customize the appearance of the chart. You can enable or disable the chart options from the console by clicking View > Show Chart. If you do not click Show Chart, the chart options appear grayed out.

Showing or hiding the chart legend

You can increase the size of the chart when viewing a large volume of chart data by hiding the chart legend. Hiding the legend may be necessary when viewing charts with 100 or more items.

To show or hide the chart legend
    On the console task bar, click View > Chart options > Show chart legend either to hide or to display the chart legend.

Showing or hiding the series labels

The ESM console uses series labels to display rating information in charts. You can hide the series labels in bar charts and trend charts when viewing a large volume of chart data.

To show or hide chart series labels
    1. On the console task bar, click View > Chart options.
    2. Click Show series labels either to hide or to display series labels.

Selecting 2D or 3D chart graphics

The ESM console displays three-dimensional chart graphics by default, and can also show two-dimensional information.

To select 2D or 3D chart graphics
    1. On the console task bar, click View > Show Chart. The chart options become available only when you click Show Chart.
    2. Click View > Chart options.
    3. Do one of the following:
       - Click 2D chart graphics to view charts in two dimensions. This option suits a large volume of chart data.
       - Click 3D chart graphics to view charts in three dimensions. This option displays more attractive graphics when you view smaller amounts of chart data.

Selecting pie or bar chart graphics

In summary mode, the ESM console can display information in pie or bar chart graphics. If you view a large volume of information, the chart resolution may be insufficient to display all of the information.

To select pie or bar chart graphics
    1. On the View menu, click Chart options.
    2. Do one of the following:
       - Click Display as bar chart to view summary information as a bar chart.
       - Click Display as pie chart to view summary information as a pie chart.

Chapter 6
Using the command-line interface

This chapter includes the following topics:

- About the command-line interface conventions
- About running the batch files
- Running the CLI interactively
- About the command-line interface help
- About the Create command
- About the Delete command
- About the Grant/Revoke command
- About the Insert command
- About the Login command
- About the Logout command
- About the nexport agents command
- About the Ping command
- About the Query command
- About the Quit command
- About the Remove command
- About the Rename agent command
- About the Run command
- About the Set command
- About the Show command
- About the Shutdown command (UNIX only)
- About the Sleep command
- About the Status command
- About the Stop command
- About the Update snapshot command
- About the Upgrade agent command
- About the Version command
- About the View command

About the command-line interface conventions

The command-line interface (CLI) lets you execute commands without using the ESM console. The CLI supports most of the operations that you can perform from the ESM console.

About the case-sensitive characters

Agent, policy, module, and domain names are case sensitive. You must type them to match the case of the corresponding values that are stored on the manager. For example, Phase 1 is not the same as phase 1 or PHASE 1.

About the quotation marks

Command arguments that contain two or more words require quotation marks. For example, you must type the domain name All Agents as "All Agents".

About the short module names

Many commands in the CLI require short module names. CLI command formats use the term [short_module_name] to indicate this requirement. For example, the Insert module command has the following format:

    insert module [policy_name] [short_module_name]

Table 6-1 lists the module full names and short module names.

Table 6-1  Module names

Module name                  Module short name
Account Information          acctinfo
Account Integrity            account
Active Directory             ads
Agent Information            agntinfo
Backup Integrity             backup
Discovery                    discover
Disk Quota                   quota
Encrypted File System        efs
File Access                  fileacc
File Attributes              fileatt
File Find                    filefind
File Information             fileinfo
File Watch                   fwatch
Integrated Command Engine    ice
Login Parameters             log
Network Integrity            network
Object Integrity             object
OS Patches                   patch
Password Strength            password
Registry                     registry
Response                     response
Startup Files                startup
Symantec Product Info        sympinfo
System Auditing              audit
System Mail                  mailsys
System Queues                queues
User Files                   usrfiles

About the brackets

The CLI documentation formats use two types of brackets to indicate user-supplied data. The following table describes the significance of these brackets:

Square brackets [ ]
    The square brackets [ ] indicate user-specified command options. You must precede command options with a dash (-). Information in square brackets is not required, but may be typed to use the options. For example, the Show policy command has the format:

        show policy [-sl] <policy_name>

    To list the modules but not the checks in the Phase 1 policy, type the following at the CLI prompt:

        show policy -s "Phase 1"

Angle brackets < >
    The angle brackets < > indicate user-supplied data such as policy, agent, or domain names that are specific to your network. For example, the Show policy command has the format:

        show policy [-sl] <policy_name>

    To list all of the module checks in the Phase 1 policy, type the following at the CLI prompt:

        show policy -l "Phase 1"

Note: You do not type the brackets; type only the data inside the brackets.

About running the batch files

You can run batch files with the CLI to semi-automate some Symantec ESM processes. A batch file must contain each CLI command that is needed to accomplish a task. For example, a batch file may contain the CLI commands that are needed for a policy run on specific agents in a domain.

Batch files consist of ASCII text. You can create and edit them with any text editor. You should name them with an .esm extension (for example, phase1.esm) and save them in the directory that contains the esmc executable.

Note: You cannot run batch files interactively with the command-line interface. To run a batch file, you must invoke the CLI from the operating system prompt.

To run the command, use the following format:

    esmc [-ti] [-p <port>] [-m <manager>] [-U <user_name>] [-P <plain text password or encrypted password>] [-b <batch_file>]

Note: You must provide the encrypted password within double quotes.

The following table displays the options for this command:

-t    Use TCP as the network transport layer
-p    Specify the manager port number (the default is 5600)
-m    Specify the name of the manager (the default is the computer that is running the CLI)
-U    Select the manager account (the default is ESM)
-P    Select the manager password
-b    Specify the name of the batch file

You can generate the encrypted password by using EncryptionTool.exe.

Creating a batch file that specifies a policy: an example

This example shows how to create a batch file that runs the Phase 1 policy on agents in the Windows 2000 Agents domain. The batch file produces a Summary Security report.

Table 6-2 lists the computer specifications that are used in this example.

Table 6-2  Computer specifications example

Variable                   Value
Platform                   Windows 2000
Manager name               GS100
Domain                     Windows 2000 agents
Agent                      GS101
Network transport layer    TCP
Port                       5600
User name                  ESM
Password                   pass+24
Batch file name            phase1.esm
Policy name                Phase 1

The Run command initiates a policy run on the specified domain. The Sleep command makes the CLI wait for each policy run to complete before continuing. The View report command displays the resulting security information.

To create a batch file
    1. In a text editor, create the phase1.esm batch file. This file contains the following commands:

        run job "Phase 1" "Windows 2000 Agents"
        sleep -j 0
        view report "Phase 1" GS101 account 0

    2. In the file, type a separate view report command for each of the other modules in the policy.
    3. Save the phase1.esm batch file in the directory that contains the esmc executable.

To run the batch file
    1. Access the operating system command prompt.
    2. Change to the directory that contains the esmc executable and batch file.
    3. Type esmc -t -p 5600 -m GS100 -U ESM -P pass+24 -b phase1.esm to run the batch file.

For example:

    C:\>cd "program files"\symantec\enterprise Security Manager\esm\bin\nt-ix86
    C:\Program Files\Symantec\Enterprise Security Manager\ESM\bin\nt-ix86> esmc -t -p 5600 -m GS100 -U ESM -P pass+24 -b phase1.esm
    run job "Phase 1" "Windows 2000 Agents"
    Job 47 submitted
    sleep -j 0
    view report "Phase 1" GS101 account 0

Note: The command-line interface logs on to the GS100 manager and runs the specified batch file. The CLI displays a Summary Security report for each module that is listed in the batch file.

Creating a batch file that specifies name list entries: an example

This example shows how to create a batch file that adds user names to the Users to Check name list in the Password Strength module for UNIX agents. Table 6-3 lists the computer specifications that are used in this example.

Table 6-3  Computer specifications

Variable                          Value
Platform                          UNIX
Manager name                      GS200
Network transport layer           TCP
Port                              5600
User name                         ESM
Password                          pass+75
Batch file name                   namelst1.esm
Policy name                       Phase 1
User names to be added            Jack, Rob, Don, Justin
short_module_name                 password
Module option (security check)    Users to check

To create a batch file
    1. In a text editor, create the namelst1.esm batch file. This file contains the following command:

        insert name -t U "Phase 1" password UNIX "Users to Check" Jack "Rob E" "Don C" Justin

       The Insert name command lets you add names to the user or group name lists for security checks in the modules of a policy. You must type a space between each name that you want to add.
    2. Save the namelst1.esm batch file in the directory that contains the esmc executable.

To run the batch file
    1. Access the operating system command prompt.
    2. Change to the directory that contains the esmc executable and batch file.
    3. Type the following command to run the batch file:

        ./esmc -t -p 5600 -m GS200 -U ESM -P pass+75 -b namelst1.esm

The following is an example:

    bash# cd esm/bin/aix-rs6k
    bash# ./esmc -t -p 5600 -m GS200 -U ESM -P pass+75 -b namelst1.esm
    insert name -t U "Phase 1" password UNIX "Users to Check" Jack Rob Don Justin

Creating a batch file to write a report to a file: an example

This example shows how to create a batch file that writes an auditor's summary report to a file. Table 6-4 lists the computer specifications that are used in this example.

Table 6-4  Computer specifications example

Variable                   Value
Platform                   Windows 2000
Manager name               GS100
Domain                     Windows 2000 agents
Network transport layer    TCP
Port                       5600
User name                  ESM
Password                   pass+24
Batch file name            audit1.esm
Policy name                Phase 1
Output file name           audit1.rpt

To create a batch file
    1. Use a text editor to create the audit1.esm batch file. This file contains the following command:

        view audit -o audit1.rpt "Phase 1" "Windows 2000 Agents"

       The View audit command creates a security audit report for selected computers on your network. The -o option specifies the name of the output report file. The report includes information about the security policy that is selected for the computers and indicates their level of compliance.
    2. Save the audit1.esm batch file in the directory that contains the esmc executable.

To run the batch file
    1. Access the operating system command prompt.
    2. Change to the directory that contains the esmc executable and batch file.
    3. Type the following CLI command to run the batch file:

        esmc -t -p 5600 -m GS100 -U ESM -P pass+24 -b audit1.esm

The following is an example:

    C:\>cd "program files"\symantec\enterprise Security Manager\esm\bin\nt-ix86
    C:\Program Files\Symantec\Enterprise Security Manager\ESM\bin\nt-ix86> esmc -t -p 5600 -m GS100 -U ESM -P pass+24 -b audit1.esm
    view audit -o audit1.rpt "Phase 1" "Windows 2000 Agents"

The CLI writes the audit report file to the directory that contains the esmc executable and batch file.

Running the CLI interactively

Use the esmc command to run the command-line interface.

To use the esmc command
    1. From the command line, access the \ESM\bin\<platform> directory on computers with Windows operating systems or the /esm/bin/<platform> directory on computers with UNIX operating systems.
    2. Type esmc to access the CLI prompt.
    3. On Windows operating systems, add the following to the path: <drive letter>:\Program Files\Symantec\Enterprise Security Manager\ESM\bin\<platform>

Accessing a manager using the command-line interface

CLI commands do not work until you connect the command-line interface to a manager. The Login command connects the CLI to a manager. Use the following format:

    login [-ti] [-p <port>] [-U <user_name>] [-P <password>] [-m <manager>]
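The three batch-file examples above are hand-written. The following Python helper, added here as an illustration and not part of the Symantec ESM product or its documentation, generates the same kind of .esm file from parameters and assembles the esmc command line that runs it. It applies the rules the chapter states (arguments of two or more words are double-quoted, batch files are ASCII text with an .esm extension, the esmc options -t, -p, -m, -U, -P and -b) and takes its module short names from Table 6-1. The function names, and the assumption that "sleep -j 0" waits on the most recently submitted job (job 0 being the last policy run, as the Delete job section describes), are ours.

```python
"""Build a Symantec ESM CLI batch file and the matching esmc command line.

Added example written for this guide; it is not part of the Symantec ESM
product or its documentation. It applies rules the CLI chapter states:
arguments of two or more words must be double-quoted, batch files are
ASCII text named with an .esm extension, and the esmc options are
-t, -p, -m, -U, -P and -b. Module short names come from Table 6-1.
All function names here are our own.
"""
from pathlib import Path
from typing import Iterable, List

# Short module names from Table 6-1 (the subset the examples mention).
SHORT_MODULE_NAMES = {
    "Account Integrity": "account",
    "Password Strength": "password",
    "User Files": "usrfiles",
}


def cli_arg(value: str) -> str:
    """Quote an argument the way the ESM CLI expects.

    Two or more words require double quotes; a single word is passed bare.
    The manual documents no escape syntax, so embedded double quotes or
    line breaks are rejected rather than silently mangling the command.
    """
    if '"' in value or "\n" in value or not value:
        raise ValueError(f"unsupported CLI argument: {value!r}")
    return f'"{value}"' if " " in value else value


def module_short_name(name: str) -> str:
    """Accept a full module name from Table 6-1 or an existing short name."""
    if name in SHORT_MODULE_NAMES:
        return SHORT_MODULE_NAMES[name]
    if name in SHORT_MODULE_NAMES.values():
        return name
    raise KeyError(f"unknown module: {name!r}")


def policy_run_batch(policy: str, domain: str, agent: str,
                     modules: Iterable[str]) -> str:
    """Batch body for the 'specifies a policy' example: run the policy on the
    domain, wait for the job ("sleep -j 0": job 0 is the last policy run),
    then view one Summary Security report per module for the agent."""
    lines: List[str] = [f"run job {cli_arg(policy)} {cli_arg(domain)}", "sleep -j 0"]
    for module in modules:
        lines.append(f"view report {cli_arg(policy)} {cli_arg(agent)} "
                     f"{module_short_name(module)} 0")
    return "\n".join(lines) + "\n"


def check_batch_name(name: str) -> str:
    """Batch files should carry the .esm extension (for example phase1.esm)."""
    if Path(name).suffix != ".esm":
        raise ValueError(f"batch file should end in .esm: {name!r}")
    return name


def esmc_command(manager: str, batch_file: str, password: str,
                 user: str = "ESM", port: int = 5600, tcp: bool = True) -> str:
    """Assemble the non-interactive esmc invocation.

    The password is the one secret on the line. The manual requires double
    quotes around an encrypted password (the EncryptionTool.exe output), so
    the value is always quoted; pass that encrypted form rather than the
    plain-text password, which would otherwise sit in shell history.
    """
    parts = ["esmc"]
    if tcp:
        parts.append("-t")
    parts += ["-p", str(port), "-m", cli_arg(manager), "-U", cli_arg(user),
              "-P", f'"{password}"', "-b", cli_arg(check_batch_name(batch_file))]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed values matching Table 6-2; pass+24 is the manual's sample password.
    body = policy_run_batch("Phase 1", "Windows 2000 Agents", "GS101",
                            ["Account Integrity", "Password Strength"])
    Path("phase1.esm").write_text(body, encoding="ascii")  # batch files are ASCII text
    print(esmc_command("GS100", "phase1.esm", password="pass+24"))
```

Run from the directory that contains the esmc executable, the script writes phase1.esm there and prints the esmc line to paste at the operating system prompt; quoting is handled once, in cli_arg, so a domain such as Windows 2000 Agents cannot be passed unquoted by mistake.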

The Login command has the following options:

-t    Use TCP as the network transport layer
-p    Specify the manager port number (the default is 5600)
-U    Select the manager account (the default is ESM)
-P    Specify the manager account password
-m    Specify the name of the manager (the default is the name of the computer that executes the CLI)

For example, to log on to the GS100 manager by using the superuser account with a password of pass+24 and TCP as the network transport layer, type the following command:

    login -t -p 5600 -U ESM -P pass+24 -m GS100

About navigating within the command-line interface

The CLI features include command-line recall and line editing. Table 6-5 lists the keys that are used with these functions.

Table 6-5  CLI keys and their functions

Key            Function
Up arrow       Scrolls up through previous commands
Down arrow     Scrolls back down to the esm> prompt
Left arrow     Moves the cursor to the left
Right arrow    Moves the cursor to the right
Backspace      Deletes the character to the left of the cursor
Delete         Deletes the character under the cursor

About the command-line interface help

The CLI displays the following levels of help:

First level
    To access the first level of the help menu, type help at the esm> prompt. This menu lists the help topics that are available and the commands that you can run from the CLI.

Second level
    To access the second level of the help menu, type help [topic] at the esm> prompt. This menu states the purpose of the command and lists the arguments that you can use with the command.

Third level
    To access the third level of the help menu, type help [topic] [subtopic] at the esm> prompt. This menu states the purpose of the command and its argument. It also lists the options that you can use with the argument.

About the Create command

The Create command lets you add new domains, agents, user access records, policies, and suppressions. You can use the following arguments with the Create command:

- Access
- Agent
- Domain
- Policy
- Suppression

About the Create access command

The Create access command lets you set up an access record for a user. If you specify a password for the user account, Symantec ESM can use the Batch command to run the CLI in non-interactive mode. Use the following format:

    create access [-p] [-n] [-f] [-d expiration_date] [-P password] [-D existing_user_name] user_name

Symantec ESM passwords should have at least six characters, including at least one non-alphabetical character. User account passwords can contain up to 31 characters.

The following options are available with this command:

-p    Give the account super-user privileges
-P    Specify the user account password
-n    Set the password to never expire. Use this option with the -p option.
-d    Specify the expiration date of the password in YYYY/MM/DD format
-D    Specify the access name of the user that you want to duplicate. Note: The duplicate user is active even when the specified user account is disabled or locked.
-f    Suppress error messages

For example, type the following to create a superuser account with all Symantec ESM privileges for the user Mike whose password never expires:

    create access -p -n -P mypass1 Mike -d 2008/12/30

Type the following to create a duplicate user account for Mike:

    create access -D Mike Mike_duplicate

To duplicate a user account, your user account must have the "Manage user rights, view user audits" permission.
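The password rules above are enforced by the manager when the command runs. The following Python helper, added here as an illustration and not Symantec code, applies the same documented rules (at least six characters, at least one non-alphabetical character, at most 31 characters, a -d date written YYYY/MM/DD, multi-word arguments double-quoted) before the create access command is issued, so that a rejected account shows up as a clear local error rather than a failed command in a batch file. Function and parameter names are our own.

```python
"""Pre-flight checks for the Create access command.

Added example written for this guide, not Symantec code. It encodes only
what this page states: a Symantec ESM password should have at least six
characters including at least one non-alphabetical character and at most
31 characters, the -d expiration date is written YYYY/MM/DD, and
arguments of two or more words are double-quoted. Function and parameter
names are our own.
"""
import datetime as dt
from typing import List, Optional

MIN_LENGTH = 6
MAX_LENGTH = 31


def password_problems(password: str) -> List[str]:
    """Return every documented rule the password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if all(ch.isalpha() for ch in password):
        problems.append("contains no non-alphabetical character")
    return problems


def expiry_arg(date_text: str) -> str:
    """Validate the -d value; the CLI expects YYYY/MM/DD."""
    try:
        parsed = dt.datetime.strptime(date_text, "%Y/%m/%d")
    except ValueError as exc:
        raise ValueError(f"expiration date must be YYYY/MM/DD: {date_text!r}") from exc
    return parsed.strftime("%Y/%m/%d")


def cli_arg(value: str) -> str:
    """Double-quote arguments of two or more words, as the CLI conventions require."""
    if '"' in value or not value:
        raise ValueError(f"unsupported CLI argument: {value!r}")
    return f'"{value}"' if " " in value else value


def create_access_command(user_name: str, password: Optional[str] = None, *,
                          superuser: bool = False, never_expires: bool = False,
                          expires: Optional[str] = None,
                          duplicate_of: Optional[str] = None,
                          quiet: bool = False) -> str:
    """Build 'create access ...' from keyword options, refusing bad input early."""
    if password is not None:
        problems = password_problems(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
    parts = ["create access"]
    if superuser:
        parts.append("-p")          # super-user privileges
    if never_expires:
        parts.append("-n")          # password never expires
    if quiet:
        parts.append("-f")          # suppress error messages
    if expires is not None:
        parts += ["-d", expiry_arg(expires)]
    if password is not None:
        parts += ["-P", cli_arg(password)]
    if duplicate_of is not None:
        parts += ["-D", cli_arg(duplicate_of)]
    parts.append(cli_arg(user_name))
    return " ".join(parts)


if __name__ == "__main__":
    # Reproduces the two commands shown in the manual's Create access examples.
    print(create_access_command("Mike", "mypass1", superuser=True,
                                never_expires=True, expires="2008/12/30"))
    print(create_access_command("Mike_duplicate", duplicate_of="Mike"))
```

The check deliberately mirrors only the rules this page documents; a site password standard that is stricter than six characters belongs in password_problems as an additional rule, not in the command builder.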

-e    Specify the Symantec ESM version on the agent (the default is the Symantec ESM version on the current server)
-a    Specify the proxy agent that executes the security checks
-b    Specify the directory for the proxy binaries

Table 6-6 lists the values that you can use with the Create agent options.

Table 6-6  Values for the Create agent options

Computer description   Operating system   Computer type            Platform        Protocol   Version
Windows 2003           Windows            Windows 2003             w3s-ix86        TCP        x/6.5/6.0/9.0/9.0.x
Windows XP             Windows            Windows XP               wxp-ix86        TCP        x/6.5/6.0/9.0/9.0.x
Windows 2000           Windows            Windows 2000             w2k-ix86        TCP        x/6.5/6.0/9.0/9.0.x
Windows Vista          Windows            Windows Vista            wvista-ix86     TCP        x/6.5/6.0/9.0/9.0.x
Windows Server 2008    Windows            Windows Server 2008      w8s-ix86        TCP        x/6.5/6.0/9.0/9.0.x
AIX                    UNIX               AIX                      aix-rs6k        TCP        x/6.5/6.0/9.0/9.0.x
HP-UX                  UNIX               HP-UX                    hpux-hppa       TCP        x/6.5/6.0/9.0/9.0.x
Red Hat Linux          UNIX               Linux                    lnx-x86         TCP        x/6.5/6.0/9.0/9.0.x
Red Hat Linux          UNIX               Linux on IBM z-series    lnx-s390x       TCP        x/6.5/6.0/9.0/9.0.x
Solaris                UNIX               SOLARIS                  solaris-sparc   TCP        x/6.5/6.0/9.0/9.0.x

For example, to create a GS101 agent on a Windows 2000 computer that runs Symantec ESM 5.5, type the following command:

    create agent -o WIN2000 -t WIN2000 -P w2k-ix86 -p TCP -v <agent_port> -e 5.5 "GS101"

About the Create domain command

The Create domain command creates an empty domain. Use the Insert agent command to add agents to the domain after it has been created. You can also do the following with the Create domain command:

- Provide a description for the newly created domain.
- Duplicate an existing domain.
- Duplicate the access permissions of the existing domain on the duplicated domain. The users who have access permissions on the existing domain inherit the same set of permissions on the duplicated domain.

To duplicate a domain, your user account must have the following access rights:

- Manage user rights, view user audits
- Create New Domains
- Modify Domains

Note: You require the "Manage user rights, view user audits" permission only if you want to duplicate the access permissions of the source domain on the duplicated domain.

Use the following format:

    create domain domain_name [domain_name...]

For example, to create a new sales domain, type the following:

    create domain sales

You can create multiple domains with one Create domain command.

The following options are available with this command; use the following format:

    create domain [-d description] [-D existing_domain_name [-p]] [-f] domain_name [domain_name...]

About the Create policy command

The Create policy command creates an empty policy. Use the Insert module command to add modules to the policy after it has been created. Use the following format:

    create policy policy_name [policy_name...]

For example, to create a new demo policy, type the following:

    create policy "demo"

You can create multiple policies with one Create policy command.

About the Create suppression command

The Create suppression command creates a suppression for the specified agent. Use the following format:

    create suppression -f filename [-k msg_code] [-n name] [-i info] [-a agent] [-c comment] [-x expiration] policy_name module_name os_type

The following options are available with this command:

-k    Specify the code of the message to be suppressed. By default, Symantec ESM suppresses all messages.
-n    Specify a name for the suppression. The default value is *.
-i    Specify information for the message to be suppressed. The default value is *.
-a    Specify the agent for which the suppression is created. The default value is *.
-c    Specify the user's comment for the suppression. By default, the comment is blank.
-x    Specify the expiration date of the suppression in YYYY/MM/DD format. By default, the suppression does not have an expiration date.

-f    Specify the file in which the suppression is stored. Create this file in the Symantec\Enterprise Security Manager\ESM\system\<manager_name>\db\suppress directory, and specify the -k, -n, -i, -a, -c, and -x options in it before you use the Create suppression command.
-u    Update a similar suppression without deleting it first.

For example, to create a suppression on the phase1 policy for Windows 2000, type the following:

    create suppression -f abc.txt phase1 module1 "Windows 2000"

About the Delete command

The Delete command lets you delete specified domains, agents, access records, policy runs, policies, modules, suppressions, or templates. You can use the following arguments with the Delete command:

- Access
- Agent
- Domain
- Job
- Module
- Policy
- Suppression
- Template

About the Delete access command

The Delete access command deletes specified user access records from the access database. Use the following format:

    delete access [-f] <user_name>

The following option is available with this command:

-f    Suppress error messages

For example, type the following command to delete the user MikeM:

    delete access MikeM

About the Delete agent command

The Delete agent command deletes a specified agent from the agent database. Use the following format:

    delete agent [-f] [-a] <agent_name>

The following options are available with this command:

-f    Suppress error messages
-a    Delete the agent's reports and summary information

For example, to delete the GS101 agent, type the following command:

    delete agent GS101

Note: Use this command only if the agent computer is no longer in the network. If you accidentally delete an agent from the database, run setup.exe to re-register the agent with the manager.

About the Delete domain command

The Delete domain command lets you delete a specified domain. Use the following format:

    delete domain [-f] domain_name [domain_name...]

The following option is available with this command:

-f    Suppress error messages

For example, to delete the Windows 2000 Agents domain, type the following:

    delete domain "Windows 2000 Agents"

You can specify multiple domains in one Delete domain command.

About the Delete job command

The Delete job command lets you delete specified policy runs. Policy runs are referred to as jobs in the CLI. Use the following format:

    delete job [-f] [-r] <job_id or %variable%>

The following options are available with this command:

-f    Suppress error messages
-r    Delete a job together with its sumfinal records
-i    Specify a file that contains a list of jobs to be deleted. The file must be a text file, and a non-digit character must separate the job IDs in it. The recommended format is comma-separated values (CSV). Use the following format:

          delete job -i <file_name>

For example, to delete policy run 10, type the following command:

    delete job 10

A job ID of 0 specifies the last policy run. To delete the last policy run, type the following command:

    delete job 0

To delete a policy run by using a variable, type the variable name instead of the job ID, enclosed in % characters. For instance, to delete the job whose ID is held in the variable acctint, type the following command:

    delete job %acctint%

About the Delete policy command

The Delete policy command lets you delete a specified policy. Use the following format:

    delete policy [-f] policy_name [policy_name...]

The following option is available with this command:

-f    Suppress error messages

For example, to delete the Phase 1 policy, type the following command:

    delete policy "Phase 1"

You can specify multiple policies in one Delete policy command.
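The -i job-list file described above has a loose format: any non-digit character separates IDs. The following Python helper, added here as an illustration and not Symantec code, reads such a file the way the manual describes it and expands it into explicit delete job commands that can be reviewed before anything is deleted. Because every non-digit splits IDs, a token such as "1.5" or "-7" would be read as two jobs, so the parser warns about separators other than commas and whitespace, and about job ID 0, which the manual says denotes the last policy run. Function names and the sample file content are ours.

```python
"""Parse a job-list file for 'delete job -i' and expand it into explicit
delete job commands.

Added example written for this guide, not Symantec code. The manual says
the file is plain text, that a non-digit character separates the job IDs,
and that CSV is the recommended layout. Read literally, that rule means
"1.5" or "-7" are two IDs rather than one, so the parser warns about any
separator that is not a comma or whitespace before anything is deleted.
Function names are our own; the sample file content is constructed.
"""
import re
from typing import List, Tuple

DIGITS = re.compile(r"\d+")
SAFE_SEPARATOR = re.compile(r"^[,\s]*$")
JOB_ZERO_NOTE = "job ID 0 means the most recent policy run"


def parse_job_list(text: str) -> Tuple[List[int], List[str]]:
    """Return (job_ids, warnings).

    IDs keep file order and duplicates are dropped, so a job is never
    deleted twice. Warnings do not stop parsing; the caller decides.
    """
    warnings: List[str] = []
    for separator in DIGITS.split(text):
        if separator and not SAFE_SEPARATOR.match(separator):
            warnings.append(f"separator {separator!r} is not comma/whitespace; "
                            "every non-digit splits IDs")
    job_ids: List[int] = []
    for match in DIGITS.finditer(text):
        job_id = int(match.group())
        if job_id not in job_ids:
            job_ids.append(job_id)
    if 0 in job_ids:
        warnings.append(JOB_ZERO_NOTE)
    return job_ids, warnings


def delete_job_commands(job_ids: List[int], force: bool = False,
                        with_sumfinal: bool = False) -> List[str]:
    """One 'delete job' line per ID, with -f and/or -r from the option table."""
    flags = []
    if force:
        flags.append("-f")          # suppress error messages
    if with_sumfinal:
        flags.append("-r")          # delete the job with its sumfinal records
    prefix = " ".join(["delete job", *flags])
    return [f"{prefix} {job_id}" for job_id in job_ids]


if __name__ == "__main__":
    # Constructed sample of the recommended CSV layout, with one duplicate.
    sample = "47,48,49\n50, 50\n"
    ids, notes = parse_job_list(sample)
    for note in notes:
        print("warning:", note)
    print("\n".join(delete_job_commands(ids, with_sumfinal=True)))
```

Reviewing the expanded command list before running it is the point: a stray decimal point or minus sign in the file would otherwise delete policy runs that were never intended.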

About the Delete module command

The Delete module command lets you delete specified modules from the module database. If you delete a module from the module database, you need to re-register it if you want to use it in a policy.

Note: You must have the Create Policies permission to be able to delete a module.

To remove a module from a policy, use the Remove module command. Use the following format:

  delete module module_name [module_name...]

The following option is available with this command:

  -f    Suppress the error messages

For example, to delete the User Files module, type the following command:

  delete module "usrfiles"

You can specify multiple modules in the Delete module command.

About the Delete suppression command

The Delete suppression command deletes the specified suppression. Use the following format:

  delete suppression -f filename [-k msg_code] [-n name] [-i info] [-a agent] policy_name module_name os_type

The following options are available with the Delete suppression command:

  -k    Specify the code of the message present in the suppression to be deleted. By default, Symantec ESM suppresses all messages.
  -n    Specify a name for the suppression to be deleted. The default value is *.
  -i    Specify information for the message present in the suppression to be deleted. The default value is *.

  -a    Specify the agent for whom the suppression is deleted. The default value is *.
  -f    Specify the name of the file that contains the suppression to be deleted. The suppression files are located in the Symantec\Enterprise Security Manager\ESM\system\<manager_name>\db\suppress directory. Specify the -k, -n, -i, -a, -c, and -x options in this file before you use the Delete suppression command.

For example, to delete a suppression from the abc.txt suppression file, type the following command:

  delete suppression -f abc.txt phase1 module1 Windows 2000

About the Delete template command

The Delete template command lets you delete the templates that are present on the ESM manager. Use the following format:

  delete templates [-f] <template_name> <template_name>

The following option is available with this command:

  -f    Suppress error messages

For example, to delete a template named "fileatt.s52", type the following:

  delete template "fileatt.s52"

You require the Modify template rights to use the Delete template command.

About the Grant/Revoke command

The Grant/Revoke command lets you grant permissions to or revoke existing permissions from a specified user. Use the following format to grant permissions:

  grant <permissions> <user name> object

For example, to grant the Read and the Write permissions on the "All Agents" and the "Sales" domains to "User1", type the following:

  grant -D rw User1 "All Agents" "Sales"

Use the following format to revoke permissions:

  revoke <permissions> <user name> object

For example, to revoke the Read and the Execute permissions from User1 on "All Agents", type the following:

  revoke -D rx User1 "All Agents"

The following options are available with the Grant/Revoke command:

  -D           Specify the name of the domain
  -P           Specify the name of the policy
  -T           Specify the name of the template
  -A           Advanced access rights
  -a           Apply to all. Do not specify domain, policy, or template names. "Apply to all" takes precedence if you specify the object names.
  -f           Suppress the error messages
  permissions  Specify the access permissions
  user name    Specify the user name that you want to grant permissions to or revoke permissions from
  object       Specify the name of the domain, policy, or template

Following are the permissions that you can grant or revoke by using the Grant/Revoke command:

  r               View permission on a domain, policy, or template
  w               Modify permission on a domain, policy, or template
  x               Execute policies permission on a domain or policy
  u               Snapshot update permission on a domain
  c               Create permission on a domain, policy, or template. Note: You can use the "c" option only with the "-a" switch.
  manage          Manager user rights, view user audits
  modpass         Modify own password

  options         Modify ESM options
  upgrade         Perform remote upgrades
  regagent        Register agents with the ESM manager
  readonly        Read-only account
  mngreadonlypol  Can manage read-only policies

You can use the "?" sign in a command to view a list of available objects or permissions. For example, to view the list of Advanced rights that are granted to User1, type the following:

  grant -A ? User1

Or, to view the list of domains on which User1 has the View and the Modify rights, type the following:

  grant -D rw user1 ?

Similarly, to view the list of policies on which User1 has the View right, type the following:

  grant -P r User1 ?

Granting permissions on a policy: an example

To grant the Read, Write, and Execute permissions to User1 for the Phase 1 and Phase 2 policies, type the following command:

  grant -P rwx User1 "Phase 1" "Phase 2"

Revoking permissions on a policy: an example

To revoke the Execute permission from User1 for the Phase 1 and Phase 2 policies, type the following command:

  revoke -P x User1 "Phase 1" "Phase 2"

Granting permissions on a template: an example

To grant the Read and Write permissions to User1 on the "xp.fw" and "xp.mfw" templates, type the following command:

  grant -T rw User1 "xp.fw" "xp.mfw"
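The permission model the Grant/Revoke section above lays out can be checked before a command is typed. The following Python helper is an added example, not part of the guide or of the ESM CLI: it builds grant and revoke lines from the documented switches and letters, rejects combinations the guide rules out (x on a template, u outside a domain, c without -a), and works out the smallest revoke/grant pair that brings a user to an intended set of rights. Rejecting -a together with object names is this helper's own choice; the guide says -a simply takes precedence.

```python
# Object switches and permission letters as listed in the Grant/Revoke
# section. The set after each letter is the object types the guide says
# the letter applies to.
OBJECT_SWITCHES = {"-D": "domain", "-P": "policy", "-T": "template"}
ACCESS_RIGHTS = {
    "r": {"domain", "policy", "template"},  # View
    "w": {"domain", "policy", "template"},  # Modify
    "x": {"domain", "policy"},              # Execute policies
    "u": {"domain"},                        # Snapshot update
    "c": {"domain", "policy", "template"},  # Create; only valid with -a
}
ADVANCED_RIGHTS = {"manage", "modpass", "options", "upgrade",
                   "regagent", "readonly", "mngreadonlypol"}


def build_access_command(action, switch, rights, user, objects=(), apply_to_all=False):
    """Validate a grant/revoke request and return the CLI line to type.

    Raises ValueError for anything the guide's rules do not allow, so a
    mistaken grant is caught before it reaches the manager.
    """
    if action not in ("grant", "revoke"):
        raise ValueError(f"action must be grant or revoke, not {action!r}")

    if switch == "-A":
        # Advanced rights name a single right and apply to the user itself.
        if rights not in ADVANCED_RIGHTS:
            raise ValueError(f"unknown advanced right {rights!r}")
        if objects or apply_to_all:
            raise ValueError("advanced rights take no object names and no -a")
        return f"{action} -A {rights} {user}"

    if switch not in OBJECT_SWITCHES:
        raise ValueError(f"switch must be -D, -P, -T or -A, not {switch!r}")
    obj_type = OBJECT_SWITCHES[switch]

    for letter in rights:
        if letter not in ACCESS_RIGHTS:
            raise ValueError(f"unknown permission letter {letter!r}")
        if obj_type not in ACCESS_RIGHTS[letter]:
            raise ValueError(f"permission {letter!r} does not apply to a {obj_type}")
    if "c" in rights and not apply_to_all:
        raise ValueError('the "c" (Create) permission can only be used with -a')

    if apply_to_all:
        # The guide says -a takes precedence over any object names given.
        # Rejecting the combination (this helper's choice) stops a manager-wide
        # grant that the caller meant for one object.
        if objects:
            raise ValueError("-a applies to all objects; do not list object names")
        return f"{action} -a {switch} {rights} {user}"

    if not objects:
        raise ValueError("list at least one object name, or use -a")
    quoted = " ".join(f'"{name}"' for name in objects)
    return f"{action} {switch} {rights} {user} {quoted}"


def is_allowed(action, switch, rights, user, objects=(), apply_to_all=False):
    """True if build_access_command accepts the request, False if it rejects it."""
    try:
        build_access_command(action, switch, rights, user, objects, apply_to_all)
        return True
    except ValueError:
        return False


def reconcile_rights(switch, user, current, wanted, objects=()):
    """Return the CLI lines that change the user's letters from current to wanted.

    Letters the user holds but should not keep are revoked first, then the
    missing ones are granted; an empty list means nothing needs to change.
    """
    lines = []
    extra = "".join(l for l in "rwxuc" if l in current and l not in wanted)
    missing = "".join(l for l in "rwxuc" if l in wanted and l not in current)
    if extra:
        lines.append(build_access_command("revoke", switch, extra, user, objects))
    if missing:
        lines.append(build_access_command("grant", switch, missing, user, objects))
    return lines


if __name__ == "__main__":
    print(build_access_command("grant", "-D", "rw", "User1", ["All Agents", "Sales"]))
    print(*reconcile_rights("-P", "User1", "rwx", "r", ["Phase 1"]), sep="\n")
```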

Revoking permissions on a template: an example

To revoke the Write permission from User1 on the "xp.mfw" template, type the following command:

  revoke -T w User1 "xp.mfw"

Granting permissions on domains: an example

To grant permissions to User1 on all domains, type the following command:

  grant -a -D rwxcu User1

Revoking permissions on domains: an example

To revoke permissions from User1 on all domains, type the following command:

  revoke -a -D rwxcu User1

Granting advanced rights to a user: an example

To grant the Advanced Access rights to User1, type the following command:

  grant -A manage User1

Revoking advanced rights from a user: an example

To revoke the Advanced Access rights from User1, type the following command:

  revoke -A manage User1

About the Insert command

The Insert command lets you add specified agents into a domain and also lets you insert modules or names into a policy. You can use the following arguments with the Insert command:
  Agent
  Module
  Name

About the Insert agent command

The Insert agent command lets you insert agents in the specified domain. Use the following format:

  insert agent <domain_name> <agent_name>

For example, to insert an agent named GS101 in the domain named sales, type the following:

  insert agent sales GS101

About the Insert module command

The Insert module command lets you insert modules into the specified policy. Use the following format:

  insert module <policy_name> <short_module_name>

For example, to include the File Attributes module in the Phase 1 policy, type the following:

  insert module "Phase 1" fileatt

About the Insert name command

The Insert name command lets you insert names into the name lists for individual security checks of a policy module. Use the following format:

  insert name [-t] <name_list_letter> [-f] <name_flag> <policy_name> <short_module_name> <osver_name> <security_check_name> <list name>

One of the following letters follows the -t option to specify the type of name list for the name:

  S    Generic string
  U    User
  G    Group
  F    File or directory
  W    Dictionary word list file (for example, compu_d.wrd)
  T    Template file
  K    Restricted keyword
  A    Audit keywords (VMS only)
  a    Audit keywords with file access flags (VMS only)
  p    File with associated keywords (UNIX only)

One of the following numbers follows the -f option to determine whether the check includes or excludes the name:

  0    Include the name
  1    Exclude the name

Security checks do not use name flags. You can use this option to extend Symantec ESM assessment and reporting capabilities in the custom modules that third-party developers provide.

Each module has a short module name. Table 6-7 lists the short operating system version names that you use when specifying operating systems for modules.

Table 6-7  OS version values

  OS version             Name
  Windows XP             WINXP
  Windows 2000           WIN2000
  Windows Server 2003    WIN2003
  Windows Vista          WINVISTA
  Windows Server 2008    WIN2008
  UNIX                   UNIX

For example, to add the user name Smith to the Users To Check option in the User Files module of the Phase 3:c Strict policy on Windows XP, type the following:

  insert name -t U "Phase 3:c Strict" usrfiles WINXP "Users To Check" Smith

About the Login command

The Login command lets you open a connection to a manager. Use the following format:

  login [-ti] [-p <port>] [-U <user_name>] [-P <password>] [-m <manager>]

The following options are available with this command:

  -t    Use TCP as the network transport layer
  -p    The manager port number (the default is 5600)
  -U    The manager account user name (the default is ESM)
  -P    The manager account password
  -m    The name of the manager (the default is the computer that executes the CLI)

About the Logout command

The Logout command lets you close the connection to a manager. Use the following format:

  logout

For example, to log off a manager, type the following:

  logout

About the nexport agents command

The nexport agents command lets you export an agent list to a comma-separated values (CSV) file. By default, this file is stored in the \<esm_mgr_install_dir>\export folder. The CSV file name has the following format:

  exp_agents_yyyymmdd_hhmmss.csv

YYYY, MM, and DD correspond to the current year, month, and date. HH, MM, and SS correspond to the hours, minutes, and seconds of the current system time. Use the following format for the nexport agents command:

  nexport agents [-z] [-p export_file]

The following options are available with the nexport agents command:

  -z    Use this option to create an extra field in the CSV file that contains the agent's LiveUpdate settings. You can use this option only with a Symantec ESM 9.0 or later manager.

  -p    Use this option to specify the path of a file to which you want to export the agent list. You must specify the name and the extension of the file, and enclose the complete path in double quotes. Use the following format:
          -p "export_file.csv"
        The file that you specify here overrides the default file to which the agent list is exported.

See "Exporting the Symantec ESM agent list" on page 126.

About the Ping command

The Ping command lets you see whether a Windows or UNIX computer is running Symantec ESM. If the computer is only running Symantec ESM agent software, connection information is displayed from the agent record. Use the following format:

  ping [-t] [-p <port>] [<computer_name>]

Use the following options to designate the correct transport layer:

  -t    Use TCP as the network transport layer
  -p    Specify the port number (TCP only)

For example, to ping the GS0100 Windows-based computer using the defaults, type the following:

  ping GS0100

If the target computer is running Symantec ESM manager software, the CLI displays the following:

  GS0100 Enterprise Security Manager 9.0 (2008/08/09) SU 21 (WIN2000)

For example, to ping the GS0300 UNIX computer that uses TCP port 5600, type the following:

  ping -t -p 5600 GS0300

If the computer you ping is running Symantec ESM manager software, the CLI displays the following:

  GS102 Enterprise Security Manager 9.0 (2008/08/30) (UNIX) SunOS 5.4 sun4m

About the Query command

The Query command lets you query a policy run by job ID. The Query command gives the current status of a specified policy run. Use the following format:

  query job [<job_id or %variable%>]

If you specify a variable for a policy run during the current CLI session, you can use either the variable or the job ID in the Query command. For example, to query a policy run designated as policy run 12, type the following:

  query job 12

A job ID of 0 specifies the last policy run that was started. To query the last policy run started, type the following:

  query job 0

To query a policy run using a variable, type the variable name instead of the job ID. You must enclose the variable with % characters. Also, the value of the variable must equal the job ID. For example, to use the acctint variable, type the following:

  query job %acctint%

About the Quit command

The Quit command lets you exit the command line interface and return to the computer's prompt. Use the following format:

  quit

For example, to quit the command line interface and return to the command prompt, type the following:

  quit

About the Remove command

The Remove command lets you remove the following:
  Agents from a domain
  Agent cache from a domain
  Modules from a policy
  Names from a name list in the module check of a policy

You can use the following arguments with the Remove command:
  Agent
  Agtcache
  Module
  Name

About the Remove agent command

The Remove agent command lets you remove a specified agent from a domain. Use the following format:

  remove agent <domain_name> <agent_name>

For example, to remove the Sales agent from the Windows 2000 Agents domain, type the following:

  remove agent "Windows 2000 Agents" Sales

About the Remove agtcache command

The Remove agtcache command lets you remove the agent cache of all agents that are registered with the currently connected manager. Use the following format:

  remove agtcache

About the Remove module command

The Remove module command lets you remove modules from the specified policy. Use the following format:

  remove module <policy_name> <short_module_name>

For example, to remove the File Attributes module from the Phase 1 policy, type the following:

  remove module "Phase 1" fileatt

About the Remove name command

The Remove name command lets you remove names from a name list in the module check of a specified policy. Use the following format:

  remove name <policy_name> <short_module_name> <osver_name> <option_name> <list_name>

To remove Smith from the Users To Check name list in the File Attributes module of the Phase 1 policy, type the following:

  remove name "Phase 1" fileatt WIN2000 "Users To Check" Smith

About the Rename agent command

The Rename agent command lets you change the name of an existing ESM agent. Use the following format:

  rename agent -f [ -s suffix -d domain old_name new_name ]

The following options are available with this command:

  -f    Force the change (do not prompt for approval).
  -s    Specify a DNS suffix (like .company.com) to add to a domain of agents.
  -d    Specify the domain to add the suffix to. When you specify -s and -d, do not specify old_name and new_name, and vice versa.
  -l    Make the resulting new names lowercase.
  -u    Make any resulting new names uppercase.

Note: The agent name must not contain more than 61 characters; otherwise, the agent rename fails.

For example, to rename an existing agent named "Agent1" to "agent1", type the following:

  rename agent -f Agent1 agent1

To add the suffix "domain.com" to the agent names in a domain named "Domain1", type the following:

  rename agent -s .domain.com -d "Domain1"

To change the agent name "agent1.agentlab.com" to uppercase, type the following:

  rename agent -u agent1.agentlab.com

The agent name is changed to "AGENT1.AGENTLAB.COM".
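Because -f skips the approval prompt and a rename fails once a name passes 61 characters, a dry run is worth having before a bulk rename. The following Python helper is an added example, not part of the guide or of the product: it computes the names that -s, -l and -u would produce, stops before the 61-character limit is crossed, and emits one explicit "rename agent -f" line per change so the batch can be reviewed. The duplicate-suffix check is this helper's own assumption, not a documented behaviour of the command.

```python
MAX_AGENT_NAME_LEN = 61  # from the guide: longer names make the rename fail


def exceeds_limit(name):
    """True if an agent name is longer than the documented 61-character limit."""
    return len(name) > MAX_AGENT_NAME_LEN


def plan_rename(agent_names, suffix=None, case=None):
    """Dry-run the renames that -s suffix, -l and -u would produce.

    Returns a list of (old_name, new_name) pairs. Raises ValueError before any
    command is issued if a result would exceed the 61-character limit, and
    (this helper's own check, not documented for the command) if the suffix
    is already present, so it is not appended twice.
    """
    if case not in (None, "lower", "upper"):
        raise ValueError("case must be None, 'lower' or 'upper'")
    if suffix is not None and not suffix.startswith("."):
        raise ValueError("DNS suffix must start with a dot, like .company.com")

    plan = []
    for old in agent_names:
        new = old
        if suffix:
            if new.lower().endswith(suffix.lower()):
                raise ValueError(f"{old!r} already ends with {suffix}")
            new = new + suffix
        if case == "lower":
            new = new.lower()
        elif case == "upper":
            new = new.upper()
        if exceeds_limit(new):
            raise ValueError(
                f"{new!r} is {len(new)} characters; the limit is {MAX_AGENT_NAME_LEN}")
        plan.append((old, new))
    return plan


def rename_commands(plan):
    """Emit one explicit 'rename agent -f old new' line per planned change.

    Spelling each rename out keeps the batch reviewable before -f suppresses
    the per-agent prompt. Names that do not change are skipped.
    """
    return [f'rename agent -f "{old}" "{new}"' for old, new in plan if old != new]


if __name__ == "__main__":
    # Constructed agent names, not taken from any real manager.
    lab_agents = ["Agent1", "GS101", "gs102"]
    for line in rename_commands(plan_rename(lab_agents, suffix=".agentlab.com", case="lower")):
        print(line)
```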

Similarly, to change the agent name "AGENT1.AGENTLAB.COM" to lowercase, type the following:

  rename agent -l "AGENT1.AGENTLAB.COM"

The agent name is changed to "agent1.agentlab.com".

About the Run command

The Run command lets you run the modules in a policy on the agents in a domain. Use the following format:

  run job [-v <variable>] [-a <agent_name1>,<agent_name2>,...] [-m <short_module_name_1>,<short_module_name_2>,...] <policy_name> <domain_name>

The following options are available with this command:

  -v    Sets up a variable to store the job ID for later use with other CLI commands. This process ensures that Symantec ESM uses the correct job ID when generating Security reports.
  -a    Specifies a subset of agents within the domain
  -m    Specifies a subset of modules within the policy
  -c    Specifies the maximum module message count

For example, to run the Phase 1 policy on the Sales domain, type the following:

  run job "Phase 1" Sales

For example, to run the Phase 1 policy on agents GS100 and GS101 in the Sales domain, type the following:

  run job -a GS100,GS101 "Phase 1" Sales

For example, to run only the File Attributes module from the Phase 1 policy on the Sales domain, type the following:

  run job -m fileatt "Phase 1" Sales

The -a and -m options can be used in the same command. For example, to run the File Attributes module from the Phase 1 policy on agents GS100 and GS101 in the Sales domain, type the following:

  run job -a GS100,GS101 -m fileatt "Phase 1" Sales

For example, to run the Phase 1 policy on the Sales domain using the acctint variable to store the job ID, type the following:

  run job -v acctint "Phase 1" Sales

About the Set command

The Set command lets you specify certain manager sumfinal database parameters, and the values of variables that are used in the current CLI session. You can use the following arguments with the Set command:
  Config
  Variable
  Access
  Luagent
  Password
  Proxy
  Dmnflag
  Agtdesc
  Dmndesc
  Option

About the Set access command

The Set access command lets you enable or disable a Symantec ESM account. You can also set the password expiration date for a user account by using the -x option with the Set access command.

Note: You must be an ESM administrator or equivalent to an ESM administrator to set the password expiration date for a user account.

Use the following format:

  set access [-ed] [-r password] [-x YYYY/MM/DD] account_name

For example, type the following to disable the account "Test_user":

  set access -d Test_user

Type the following to set the password expiration date for the user account "Test_user" to 12 December 2009:

  set access -x 2009/12/12 Test_user

Note: The password expiration date can be a date in the past or in the future.

Type the following to reset the password of Test_user to the new password that is given:

  set access -r <password> Test_User

Note: Resetting the password expires it, so the user must change it at the next logon.

The following options are available with this command:

  -e    Enable the account from a disabled or locked-out state
  -d    Disable the account
  -r    Reset a password to be used only once. The user is prompted to change the password on the next logon.
  -x    Set the expiry date for the user account password.

Note: The -e, -d, -r, and -x options are mutually exclusive. You cannot use the -e, -d, -r, and -x options in the same command.

About the Set agtdesc command

The Set agtdesc command lets you set the agent description of a specified agent. You must log in to an ESM manager and must have the Register agent permission on the manager to execute the Set agtdesc command. The maximum length of the agent description is

You can provide the -f option if you want to suppress error messages. Use the following format:

  set agtdesc [-f] <agent_name> <description_text>

The following option is available with this command:

  -f    Suppress error messages

For example, to set the description of an agent named ESM_Agent-01, log in to the respective manager and type the following:

  set agtdesc ESM_Agent-01 <description_text>

About the Set config command

The Set config command lets you set the number of days that ESM retains policy runs, detail reports, and summary data in the Sumfinal database. Use the following format:

  set config <option_name> <value>

Use the following options to configure the purge values for the manager Sumfinal database:

  job_days         Number of days that the manager keeps policy runs (default 7 days)
  report_days      Number of days that the manager keeps detailed reports (default 1 day)
  sumfinal_days    Number of days that the manager keeps summary data (default 7 days)

For example, to configure the manager Sumfinal database to retain policy runs for 14 days, type the following:

  set config job_days 14

The maximum number of days that you can specify for job_days, report_days, and sumfinal_days is

About the Set dmnflag command

The Set dmnflag command lets you enable or disable the cache setting for a domain. You can specify multiple domains with this command. Use the following format:

  set dmnflag -ed [domain_name1, domain_name2...]

For example, to enable the cache for domains X and Y, type the following:

  set dmnflag -e X, Y

If you do not specify any domain names in the command, the cache is enabled or disabled for all domains.

About the Set dmndesc command

The Set dmndesc command lets you set the description of a customized domain. You cannot set the description for a predefined domain, such as the All Agents domain, by using the Set dmndesc command. You must have the Modify Domains

permission to be able to execute the Set dmndesc command. The maximum length of the domain description is 254 characters. Use the following format:

  set dmndesc [-f] <domain_name> <description_text>

The following option is available with this command:

  -f    Suppress the error messages

For example, to set the description for a domain named "Domain1", type the following:

  set dmndesc Domain1 <description_text>

About the Set luagent command

The Set luagent command lets you turn the LiveUpdate setting for an agent on or off. Use the following format:

  set luagent <agent_name> on/off

For example, type the following to turn on the LiveUpdate setting for agent Sales:

  set luagent Sales on

About the Set password command

The Set password command lets you reset the password of a Symantec ESM account. Use the following format:

  set password <user_name> <password>

For example, to reset the password of a user named Fred, type the following:

  set password Fred Pass123

About the Set proxy command

The Set proxy command lets you set a proxy on an existing agent. Use the following format:

  set proxy -a <agent name> -n <new proxy>

The following options are available with this command:

  -a    Specify the agent name
  -n    Specify the new proxy name

For example, to set a proxy on the agent Sales, type the following:

  set proxy -a Sales -n Sales123

About the Set variable command

The Set variable command lets you create temporary variables for use in the command line interface and set their initial values. You can also use this command to change the values of CLI variables that were created earlier in the CLI session. CLI variables are not environment variables. You can use them only during the current CLI session. Use the following format:

  set variable <variable> <value>

You can use this command to change the value of an existing CLI variable or set the value of a new variable. For example, to change the value of the useracct variable to 17, type the following:

  set variable useracct 17

Note: You can set up a CLI variable in the Run command to store the job ID. This process ensures that Symantec ESM uses the correct job ID while generating Security reports.

About the Set option command

The Set option command lets you set the options for a specified policy. Use the following format:

  set option [-ene] [-t value_title [-v string][-d num]] policy_name module_name osver_name option_name [option_name...]

The following options are available with this command:

  -e    Enable the option in the module
  -c    Option is checkable
  -n    Enable use of the name list
  -E    Name list contains exclusions (default is inclusions)
  -t    Title for the ASCII value (must also specify -v)
  -v    Specifies an ASCII value for the option (must also specify -t)

  -d    Specifies a decimal value for the option (must also specify -t)

For a simple check that looks like this in patch.m:

  Set option -c -e "<AxStringCode Code= > File versions</axstringcode>" d

To turn it on in a policy called Test on XP, type the following (to turn it off, leave the -e out):

  set option -c -e Test patch WINXP "<AxStringCode Code= > File versions</axstringcode>"
  set option -c Test patch WINXP "<AxStringCode Code= > File versions</axstringcode>"

About the Show command

The Show command lets you list specified agents, access, configuration, domains, policy runs, license, policies, summary, sumfinal, or configuration records. You can use the following arguments with the Show command:
  Access
  Agent
  Config
  crc
  Domain
  Dmnflag
  Job
  License
  Module
  Permission
  Policy
  Sumfinal
  Summary
  Status

  Suppression
  Template
  Variable
  Version

About the Show access command

The Show access command lets you list the access records on the manager. You can also specify a user account and show the state of that account. Use the following format:

  show access [-sla] <user_name>

The following options are available with this command:

  -s    For a short listing (default if no list is specified)
  -l    For a long listing (default if a list is specified)
  -a    To show hidden access records (used internally by Symantec ESM)

For example, to display the list of accounts on the manager, type the following:

  show access

For example, to display the state of a specific account on the manager, type the following:

  show access -l REGISTER

The screen displays the following account information:

  Number of Bad logins       Specifies the number of times a bad logon has been tried
  Password History Length    Specifies the number of password changes that users must provide for a manager account before they can reuse an old password. This information helps prevent unauthorized users from using an old password to access the manager. Symantec ESM sets the Password History Length to 10 by default.

About the Show agent command

The Show agent command lets you list the agents that are registered to the manager. You can list information for all agents that are registered to the manager or for a specific agent. It lists the agent name, operating system, Symantec ESM

version, network protocol, computer type, platform, the domains that the agent belongs to, and so on. You can also view the list of policy modules and application modules that are currently installed on the specified agent. Use the following format:

  show agent [-slmafd] <agent_name>

The following options are available with this command:

For example, to display a short list of the agents that are registered to the manager, type the following:

  show agent

The format of display for application module names and their versions for the -a option has been changed as follows:

Note: If a third party has used or parsed this information, then Symantec recommends that you use the latest format.

About the Show config command

The Show config command lets you display configuration records for the current manager. Use the following format:

  show [-sl] config

The following options are available with this command:

  -s    For a short list (default if no list is specified)
  -l    For a long list (default if a list is specified)

For example, to display the user configurations for the current manager, type the following:

  show config

About the Show crc command

The Show crc command lists the CRCs for agents, modules, and policies. Use the following format:

  show crc [-c] -a -m -p name...

The following options are available with this command:

  -a    Show CRCs of all agent names

  -m    Show CRCs of all module names
  -p    Show CRCs of all policy names
  -c    Show agent or policy CRCs with the same name

About the Show domain command

The Show domain command lets you list the domains in the manager. Use the following format:

  show domain [-sl] <domain_name>

  -s    For a short list (default if no list is specified)
  -l    For a long list (default if a list is specified)

To display a list of the domains on the current manager, type the following:

  show domain

For example, to display a list of the domains with the names of their agents, add the -l option to the format:

  show domain -l

For example, to show the Windows 2000 Agents domain, type the following:

  show domain "Windows 2000 Agents"

Because -l is the default when a single domain is specified, the domain and the names of its agents are displayed.

For example, to display a short list of a single domain with only the domain name and number of agents, use the -s option as follows:

  show domain -s "Windows 2000 Agents"

About the Show dmnflag command

The Show dmnflag command lets you check the cache status of a domain. Use the following format:

  show dmnflag [-sl] [domain_name]

  -s    For a short list (default if no list is specified)
  -l    For a long list (default if a list is specified)

For example, to display the cache status of the Windows 2000 Agents domain with the names of its agents, type the following:

  show dmnflag -l "Windows 2000 Agents"

About the Show job command

The Show job command lets you display the status of a specified policy run. Use the following format:

  show job [-sl] <job_id or %variable%>

The following options are available with this command:

  -s    For a short list (default if no list is specified)
  -l    For a long list (default if a list is specified)

If you specify a variable for a policy run during a CLI session, you can use the variable or the job ID in the Show job command. For example, to display a list of all policy runs on the current manager, type the following:

  show job

For example, to get information on policy run 24, type the following:

  show job 24

To show the status of a policy run using a variable, type the variable name instead of the job ID. You must enclose the variable with % characters. Also, the value of the variable must equal the job ID. For example, to display the long list status of a policy run using the acctint variable, type the following:

  show job -l %acctint%

About the Show license command

The Show license command displays license information for the manager. This command displays the following information:
  Type of the license that the manager uses
  Number of agents the manager is licensed to manage
  System ID

Use the following format:

  show license

For example, to display license information for the manager, type the following:

  show license

About the Show module command

The Show module command lets you display the modules available on the manager. Use the following format:

  show module [-sl] <short_module_name>

The following options are available with this command:

  -s    For a short list (default if no list is specified)
  -l    For a long list (default if a list is specified)

For example, to see a list of the available modules, type the following:

  show module

For example, to display a list of available options in a specific module, type the following:

  show module account

About the Show permission command

The Show permission command lets you list the users who have permissions to access the specified domains, policies, and templates. The Show permission command also lets you view the permissions that are granted to a list of users. Use the following format:

  show permission [-adptu] [list...]

The following options are available with the Show permission command:

  -a    List permissions of all users; no list should be specified (default)
  -d    The specified list is a list of domains
  -p    The specified list is a list of policies
  -t    The specified list is a list of templates
  -u    The specified list is a list of users
  -s    List the permissions in the short format

For example, to view a list of users who have permissions on the All Agents domain, type the following:

    show permission -d "All Agents"

To view the permissions that are granted to the user named User1 in the short format, type the following:

    show permission -su User1

Note: You cannot combine the -d, -p, -t, and -u options in one command to view permissions for domains, policies, templates, and users at the same time. You can use only one of these options in a command.

About the Show policy command

The Show policy command lets you list the specified policies. Use the following format:

    show policy [-sl] <policy_name>

The following options are available with this command:

    -s    For a short list (default if no list is specified)
    -l    For a long list (default if a list is specified)

For example, to display all the policies on the current manager, type the following:

    show policy

To display only a specific policy on the current manager, add the policy name to the command. For example, to display the Phase 1 policy, type the following:

    show policy "Phase 1"

Because the default for a single policy is a short list, the screen displays the policy and the modules in the policy.

About the Show sumfinal command

The Show sumfinal command lets you display the sumfinal records for the specified policy. Use the following format:

    show sumfinal [-sl] [days]

The following options are available with this command:

    -s    For a short list (default if no list is specified)
    -l    For a long list (default if a list is specified)

The days value specifies the number of days of records to show. The default is seven days.

For example, to show the sumfinal records for one day, type the following:

    show sumfinal 1

About the Show summary command

The Show summary command lets you display a report summary of the specified policy. Use the following format:

    show summary [-sl] <policy_name>

The following options are available with this command:

    -s    For a short list (default if no list is specified)
    -l    For a long list (default if a list is specified)

For example, to show a report summary of the Demo policy, type the following:

    show summary "Demo"

About the Show variable command

The Show variable command lets you display the CLI variables and their values. Because these variables are not environment variables, they are available only during the current CLI session. Use the following format:

    show variable

For example, to display the variables and their values, type the following:

    show variable

About the Show suppression command

The Show suppression command displays the suppressions for the specified policies, modules, and agents. Use the following format:

    show suppression [-p policy_name] [-m module_name] [-o operating_system_type] [-k msg_code] [-n name] [-i info] [-a agent] [-c comment] [-x expiration] [-e true|false] [-sl]

The following options are available with this command:

    -p    Specify the policy whose suppressions are required.
    -m    Specify the short name of the module whose suppressions are required.
    -o    Specify the operating system on which the suppression was created. The default operating system is UNIX.
    -k    Specify the code of the message that was suppressed. By default, all message codes are considered.
    -n    Specify the name of the suppression. The default value is *.
    -i    Specify the information of the message that was suppressed. The default value is *.
    -a    Specify the agent on which the suppression was created. The default value is *.
    -c    Specify the user's comment for the suppression. The default comment is blank.
    -x    Specify the expiration date of the suppression. You must specify the date in YYYY/MM/DD format.
    -e    Specify whether the suppression is enabled. Use true for enabled suppressions and false for disabled suppressions. By default, both enabled and disabled suppressions are displayed.
    -s    Display a short listing of the suppressions. If you do not specify the policy, module, or operating system, a short listing is displayed by default.
    -l    Display a long listing of the suppressions. If you specify the policy, module, and operating system, a long listing is displayed by default.

About the Show status command

The Show status command displays the connection status. Use the following format:

    show status

About the Show template command

The Show templates command displays the templates that are present on the specified ESM manager. Use the following format:

    show templates [-slf] <Template1> <Template2> <Template3> ...

The following options are available with this command:

    -s    List template names only
    -l    List the complete information for each template
    -f    Suppress error messages

For example, to show the template named gpoevent.g3e, type the following:

    show templates gpoevent.g3e

Note: The template name is case-sensitive. You need the View template right to use the Show template command.

About the Show version command

The Show version command displays the version of Symantec ESM that the command line interface and the current manager run. Use the following format:

    show version

About the Shutdown command (UNIX only)

The Shutdown command lets you turn off the Symantec ESM servers and remove the Symantec ESM semaphores on computers with UNIX operating systems. You must have access to an account with superuser privileges to run the Shutdown command. Use the following format:

    esmc shutdown

Note: You cannot run the Shutdown command interactively from within the command line interface. To run the Shutdown command, you must invoke the CLI from the UNIX operating system prompt.

About the Sleep command

The Sleep command tells the CLI program to wait for a specified number of seconds. You can also use the command to make the CLI wait until a policy run finishes. This command is useful in Symantec ESM batch files. Use the following format:

    sleep [-j <job_id or %variable%>] <num_seconds>

The following option is available with this command:

    -j    Makes the CLI wait for the policy run to complete before continuing. The number of seconds that you specify is the interval between each check of the policy run database. This value is five seconds by default.

You can use a job ID of 0 (zero) to specify the last policy run that the CLI started. If you use a variable to store a job ID during a CLI session, you can use either the variable or the job ID in the Sleep command.

To make the program wait 10 seconds before it accepts another command, type the following:

    sleep 10

To make the CLI program wait for the last policy run to finish, type the following:

    sleep -j 0

To make the CLI program wait for a specific policy run to finish, you can use the job ID or the related variable name. You must enclose the variable name in % characters, and the value of the variable must equal the job ID. The following is an example:

    sleep -j %acctint%

Note: You can set up a CLI variable in the Run command to store the job ID. This ensures that Symantec ESM uses the correct job ID when it generates Security reports.

About the Status command

The Status command lets you check the status of the agent's connection to the manager. Use the following format:

    status

For example, to check the status of the connection, type the following:

    status

If you are connected, the screen displays the following message:

    connected to [manager name] using [TCP etc], user ESM

If you are not connected, the screen displays the following message:

    no connection established

About the Stop command

The Stop command lets you stop a policy run. Use the following format:

    stop job <job_id or %variable%>

If you specify a variable for a policy run during a CLI session, you can use either the variable or the job ID in the Stop command.

For example, to stop policy run 10, type the following:

    stop job 10

For example, to stop the last policy run that was started, type the following:

    stop job 0

A job ID of zero specifies the last policy run that was started.

To stop a policy run that was initiated with a variable, type the variable name instead of the job ID, as follows:

    stop job %acctint%

You must enclose the variable name in % characters, and the value of the variable must equal the job ID.

About the Update snapshot command

The Update snapshot command lets you update the snapshot. Use the following format:

    update snapshot [-a agent] [-m module] [-c message code] [-j job id] [-n name] [-i information]

The following options are available with this command:

    -a    Specify the agent for the job
    -m    Specify the module for the job
    -c    Specify the message code
    -j    Specify the job ID
    -n    Specify the name
    -i    Specify the information

For example:

    update snapshot -a agent -m module -c "message code" -j "job id" -n name -i information

See the Symantec Enterprise Security Manager Checks Reference and Templates Reference 7.0.chm for information on ESM message IDs and their corresponding details.

Note: You can update only one agent at a time by using the Update snapshot command.

About the Upgrade agent command

The Upgrade agent command lets you remotely upgrade an agent. Use the following format:

    upgrade agent <agent_name>

For example, to remotely upgrade the agent named Sales, type the following:

    upgrade agent Sales

Note: You can upgrade only one agent at a time by using the Upgrade agent command. However, you can remotely upgrade all the agents in a domain from the ESM console.

About the Version command

The Version command lets you display the version of Symantec ESM. Use the following format:

    version

For example, to display the version of Symantec ESM on the current manager and interface, type the following:

    version
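Several of the commands above (Show job, Sleep -j, Stop job, and later View report, View custom, and View differences) take the same <job_id or %variable%> argument, with 0 meaning the last policy run the CLI started and %name% meaning a session variable that must hold a job ID. The following Python is an added illustration of those rules and of the polling loop that Sleep -j performs; it is not Symantec ESM code. The job table, the run states, the variable name acctint, the CliSession class, and the timeout parameter are constructed for the example.

```python
"""Added example (not Symantec ESM code): resolving the <job_id or %variable%>
argument that show job, stop job, sleep -j, view report, view custom and view
differences accept, and emulating the poll that sleep -j performs. The job
table, run states and variable names are constructed sample data; the rules
(0 = last policy run started, %name% must hold a job ID) are the guide's."""

import re
import time

VARIABLE = re.compile(r"^%([A-Za-z_][A-Za-z0-9_]*)%$")

# Constructed sample job table: job ID -> run state (two states assumed).
SAMPLE_JOBS = {24: "finished", 81: "running", 82: "finished"}


class CliSession:
    """Session-scoped state: known policy runs, the last run this CLI started,
    and the CLI variables that a run command may have set."""

    def __init__(self, jobs, last_job_id):
        self.jobs = dict(jobs)
        self.last_job_id = last_job_id
        self.variables = {}  # e.g. {"acctint": 81}, set by run ... in a session

    def resolve_job(self, ref):
        """Turn "24", "0" or "%acctint%" into a concrete job ID, or raise."""
        ref = ref.strip()
        match = VARIABLE.match(ref)
        if match:
            name = match.group(1)
            if name not in self.variables:
                raise ValueError(f"%{name}% is not set in this CLI session")
            job_id = self.variables[name]
        else:
            try:
                job_id = int(ref)
            except ValueError:
                raise ValueError(f"expected a job ID or %variable%, got {ref!r}") from None
        if job_id == 0:  # zero means the last policy run this CLI started
            job_id = self.last_job_id
        if job_id not in self.jobs:  # a variable must hold a real job ID
            raise ValueError(f"no policy run with job ID {job_id}")
        return job_id

    def wait_for_job(self, ref, interval=5, timeout=None, sleep=time.sleep):
        """Emulate `sleep -j <ref> <interval>`: poll the run until it finishes.
        `sleep` is injectable so the loop can be exercised without real delays;
        the timeout is this example's addition, the CLI itself has none."""
        job_id = self.resolve_job(ref)
        waited = 0
        while self.jobs[job_id] != "finished":
            if timeout is not None and waited >= timeout:
                return False
            sleep(interval)
            waited += interval
        return True


if __name__ == "__main__":
    session = CliSession(SAMPLE_JOBS, last_job_id=82)
    session.variables["acctint"] = 81          # as if set by: run ... %acctint%
    print(session.resolve_job("0"))            # 82, the last run started
    print(session.resolve_job("%acctint%"))    # 81
```

The useful point for batch files is the last check in resolve_job: a variable that is set but does not hold a real job ID is rejected rather than silently treated as a number, which is the failure mode the guide's "the value of the variable must equal the job ID" sentence warns about.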

About the View command

The View command lets you view Security reports, auditor's summaries, custom reports, difference reports, domain reports, Policy reports, and summary reports. You can use the following arguments with the View command:

    Agent
    Audit
    Checks
    Custom
    Differences
    Domain
    Policy
    Report
    Summary

The following options are available to all View command arguments:

    -h    Do not output page headers
    -f    Do not output page footers
    -t    Do not output a title page
    -I    Do not output an introduction
    -c    Do not output a table of contents
    -P    Do not paginate the report
    -w    Specify the width of the page
    -n    Specify the length of the page
    -o    Specify the output file (the default writes to standard output)
    -F    Select a different format file for the report. The .fmt file specifies the title, header, and footer sections of the report.

Note: These options do not apply to the View custom command. See "About the View custom command" on page 247.

Symantec ESM stores the default .fmt files at the following locations:

    Windows    Program Files\Symantec\Enterprise Security Manager\ESM\format\
    UNIX       /esm/format

You can relocate these files on the computers that run Windows and UNIX operating systems. You may customize the text of a .fmt file, but do not remove or reorder the sections of the file.

You can modify sections of the report by using the options that are available to all View command arguments. Additional options for specific arguments are listed with the applicable argument.

Because of the volume of information in a report, you should temporarily change the command line display buffer to at least 2000 lines.

1 Right-click the title bar at the top of the command line display.
2 Click Properties > Layout > Screen Buffer Size.
3 Change the height to 2000.

Set the -w <width> and -n <length> options to match the width and length of the display window. You may need to increase the height of the display to view an entire page of the report on one screen.

To view or change the display setting in Windows

1 Right-click the title bar at the top of the command line display.
2 Click Properties > Layout > Screen Buffer Size.
3 Change the height to 56.

About the View agent command

The View agent command lets you view security information from all the modules that are included in a policy run on the specified agent. The report contains information on how to correct the deviations from the security policy. The View agent command is equivalent to a series of View report commands, one for each available module. Use the following format with the View agent command:

    view agent [-sdtlhfticpx] [-w <width>] [-n <length>] [-o <output>] [-F <format>] [<policy_name>] [<agent_name>]

You can use the following additional options with the View agent command:

    -s    Do not show the report summary
    -d    Do not show the report details
    -T    Do not show the long descriptive text for each message
    -l    Use the long report format. The default is a shorter, speedier format.
    -X    Output to Rich Text Format. The -X option functions only with managers on computers with Windows operating systems.
    -m    Show the message ID.

For example, to view Phase 1 security information about the Sales agent, type the following:

    view agent "Phase 1" sales

For example, to create a file that contains this information in Rich Text Format, type the following:

    view agent -X "Phase 1" sales

Managers on computers with Windows operating systems write this information to the agent.rtf file in the \Symantec\Enterprise Security Manager\ESM\reports directory.

In addition to these options, the View agent command accepts the options that are available to all View command arguments.

About the View audit command

The View audit command lets you view a security audit report for selected computers on the network. The report contains information about the specified security policy and indicates each computer's level of compliance. Use the following format:

    view audit [-ladpdslarshfticpx] [-w <width>] [-n <length>] [-o <output>] [-F <format>] [<policy_name>] [<domain_name>]

You can use the following additional options with the View audit command:

    -l    Do not show the level summary

    -a    Do not show the agent summary
    -d    Do not show the domain summary
    -p    Do not show the policy information for each module
    -D    Do not show the disabled options in the policy information
    -S    Do not show the suppress records for each module
    -L    Do not show the level summary for each module
    -A    Do not show the agent summary for each module
    -r    Do not show the report summary for each module and agent
    -s    Do not show the suppress records for the policy or domain
    -X    Output to Rich Text Format. The -X option functions only with managers on computers with Windows operating systems.
    -m    Show the message ID.

For example, to view the auditor's security information for the Phase 1 policy and the Windows 2000 Agents domain, type the following:

    view audit "Phase 1" "Windows 2000 Agents"

For example, to create a file that contains this information in Rich Text Format, type the following:

    view audit -X "Phase 1" "Windows 2000 Agents"

Managers on computers with Windows operating systems write this information to the audit.rtf file in the \Symantec\Enterprise Security Manager\ESM\reports directory.

About the View checks command

The View checks command lets you view the available security checks for a specific operating system and version. It also lists the security messages for each check. To show the checks for an operating system, an agent of the same operating system type must be registered to the manager. Use the following format:

    view checks [-OmhfticP] [-w <width>] [-n <length>] [-o <output>] [-F <format>] <osver_name>

You can use the following additional options with the View checks command:

    -O    Do not output security options
    -m    Do not output security messages
    -h    Do not output page headers
    -f    Do not output page footers
    -t    Do not output a title page
    -I    Do not output an introduction
    -c    Do not output a table of contents
    -P    Do not paginate the report

For example, to view the available checks for a Windows 2000 computer, type the following:

    view checks WIN2000

About the View custom command

The View custom command lets you send an agent's policy run data to a user-defined delimited file instead of to a Security report. This command requires a slightly different type of format file than the other View commands.

Note: It is recommended that you give the format files for the View custom command a .vc file extension if you store them in the esm\format\<platform> folder or the esm/format/<platform> directory with the other format files.

The following is a sample format file for the View custom command:

    .fill 32
    .code_base default
    # Change the classes from 0,1,2 to green,yellow,red
    .translate class 0 "Green"
    .translate class 1 "Yellow"
    .translate class 2 "Red"
    # define the format of messages
    .record
    # system
    .field "%agent%"
    .field " "
    # policy
    .field "%policy%"

    .field " "
    # module
    .field "%module%"
    .field " "
    # timestamp
    .field "20%year%-%month%-%monthday% %hour%:%minute%"
    .field " "
    # category
    .field "%class%"
    .field " "
    # cat_desc
    .field "%title%"
    .field " "
    # name
    .field "%name%"
    .field " "
    # Information
    .field "%info%"
    #.field " "
    #.field "%description%"
    .endrecord 10
    # Terminate with LF

Use the following format:

    view custom [-o output] [-f filter] <policy> <agent> <module> <job id> <format>

You can use the following additional options with the View custom command:

    -o    Specify an output file. The default writes to standard output.
    -f    Specify one or more message types to filter on. The default filter is NC, which matches the previous behavior of the command (NC specifies Normal and Corrected messages). The other letters that you can use with -f are U, P, L, T, R, and S. If you need a particular type of message from a report to appear in the output, add the first letter of that message type to the filter.

You specify the following additional parameters with the View custom command:

    policy    Specify the name of the Symantec ESM policy that was run on the agent. If the policy name contains spaces, enclose the policy name in quotation marks.
    agent     Specify the name of the agent whose data you require.
    module    Specify the short name of the Symantec ESM security module whose data you require.
    job id    Specify the Symantec ESM policy run ID. Use 0 to receive the latest policy run.
    format    Specify the name of the file that specifies the format of the generated file. The format files are located in the \ESM\format\ directory.

If you specify all instead of a module name, Symantec ESM displays the data for all of the modules in the policy run. If you specify a module such as password, ESM displays only the data that is produced by that module.

The format argument of the View custom command specifies the format file to use when formatting the output data file. Symantec ESM looks for this file in the current directory first, then in the esm\format\<platform> directory. You may also specify the complete path name of the file.

A job ID of 0 (zero) specifies the latest policy run. If you specify a variable for a policy run during a CLI session, you can use either the variable or the job ID in the View custom command. To use the variable, type the variable name instead of the job ID. You must enclose the variable name in % characters, and the value of the variable must equal the job ID.

For example, to output the password data from the most recent Phase 1 policy run on agent GS100 by using the custom.vc format file, type the following:

    view custom -o GS100.rpt "Phase 1" GS100 password 0 custom.vc

For example, to output the data from all of the modules in the most recent Phase 1 policy run on agent GS100 by using the custom.vc format file, type the following:

    view custom -o GS100.rpt "Phase 1" GS100 all 0 custom.vc

To use a variable that identifies a policy run in the current CLI session, type the variable name instead of the job ID. You must enclose the variable name in % characters, and the value of the variable must equal the job ID.
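To make the sample .vc format file and the -f filter concrete, the following Python is an added example that reads that format file and renders constructed policy-run messages through it. It is not Symantec ESM code, and the directive semantics it applies are this example's assumptions drawn from the sample (.fill as the column width to which expanded values are padded or truncated, .translate as a per-variable value substitution, .field as a literal with %name% expansion, .endrecord N as the ASCII code of the record terminator, .code_base ignored). The message dictionaries, the mtype key that carries the message-type letter that -f filters on, and the function names are likewise constructed.

```python
"""Added example (not Symantec ESM code): a renderer for the View custom .vc
format file shown in the guide, applied to constructed policy-run messages.
Directive semantics are assumptions inferred from the sample file."""

import re
import shlex

VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

# The guide's sample .vc file (long comments dropped); directives are verbatim.
VC_SAMPLE = """.fill 32
.code_base default
# Change the classes from 0,1,2 to green,yellow,red
.translate class 0 "Green"
.translate class 1 "Yellow"
.translate class 2 "Red"
.record
.field "%agent%"
.field " "
.field "%policy%"
.field " "
.field "%module%"
.field " "
.field "20%year%-%month%-%monthday% %hour%:%minute%"
.field " "
.field "%class%"
.field " "
.field "%title%"
.field " "
.field "%name%"
.field " "
.field "%info%"
#.field " "
#.field "%description%"
.endrecord 10
"""

# Constructed sample messages (not ESM output). "mtype" is the assumed key
# holding the message-type letter that the -f filter matches on.
SAMPLE_MESSAGES = [
    {"mtype": "N", "agent": "GS100", "policy": "Phase 1", "module": "password",
     "year": "10", "month": "03", "monthday": "04", "hour": "12", "minute": "30",
     "class": "2", "title": "Password expiration", "name": "jdoe",
     "info": "Password does not expire"},
    {"mtype": "U", "agent": "GS100", "policy": "Phase 1", "module": "password",
     "year": "10", "month": "03", "monthday": "04", "hour": "12", "minute": "30",
     "class": "0", "title": "Password policy", "name": "Minimum length",
     "info": "Updated to 8"},
]


def parse_vc(text):
    """Parse a .vc file into (fill, translations, fields, record terminator)."""
    fill, translations, fields, terminator = None, {}, [], "\n"
    in_record = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and commented-out .field lines are skipped
        parts = shlex.split(line)  # honours the double-quoted arguments
        directive, args = parts[0], parts[1:]
        if directive == ".fill":
            fill = int(args[0])
        elif directive == ".code_base":
            continue  # not interpreted in this example
        elif directive == ".translate":
            var, old, new = args
            translations.setdefault(var, {})[old] = new
        elif directive == ".record":
            in_record = True
        elif directive == ".field":
            if not in_record:
                raise ValueError(".field outside of .record")
            fields.append(args[0])
        elif directive == ".endrecord":
            in_record = False
            terminator = chr(int(args[0])) if args else "\n"
        else:
            raise ValueError(f"unknown directive {directive}")
    return fill, translations, fields, terminator


def expand(template, message, translations):
    """Replace each %name% with the message attribute, after .translate mapping."""
    def substitute(match):
        name = match.group(1)
        if name not in message:
            raise KeyError(f"message has no attribute %{name}%")
        value = str(message[name])
        return translations.get(name, {}).get(value, value)
    return VAR.sub(substitute, template)


def render_custom(vc_text, messages, message_filter="NC"):
    """Emulate `view custom -f <filter> ... <format>` over in-memory messages."""
    fill, translations, fields, terminator = parse_vc(vc_text)
    keep = set(message_filter.upper())
    out = []
    for msg in messages:
        if msg["mtype"] not in keep:
            continue  # filtered out, as with the default NC filter
        columns = []
        for field in fields:
            if VAR.search(field):
                value = expand(field, msg, translations)
                if fill:  # assumed meaning of .fill: fixed column width
                    value = value[:fill].ljust(fill)
            else:
                value = field  # literal separator such as " "
            columns.append(value)
        out.append("".join(columns) + terminator)
    return "".join(out)
```

With the default NC filter only the Normal message is emitted; passing "NCU" adds the second one, which is the behaviour the -f description above assigns to the extra letters.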
For example, to output the data from all of the modules of the Phase 1 policy run that the %second% variable identifies in the current CLI session, on agent GS100 and by using the custom.vc format file, type the following:

    view custom -o GS100.rpt "Phase 1" GS100 all %second% custom.vc

About the View differences command

The View differences command lets you view the differences between two Security reports. Use the following format:

    view differences [-sdthfticpnox] [-w <width>] [-n <length>] [-o <output>] [-f <format>] [-j <job_id or %variable%> [-j <job_id or %variable%>]] [-D <days> [-D <days>]] <policy_name> <agent_name> <short_module_name>

You can use the following additional options with the View differences command:

    -s    Do not show the report summary
    -d    Do not show the report details
    -T    Do not show the long descriptive text for each message
    -N    New information: show only the items that occur in the newer policy run
    -O    Old information: show only the items that occur in the older policy run (the default is to show both old and new differences)
    -j    Job ID to use in the comparison. Specify 0 for the most current policy run; specify -1 for the first previous policy run. If only one job ID is specified, Symantec ESM compares that policy run with the most current policy run. If you specify a variable for a policy run during the current CLI session, you can use either the variable or the job ID in the View differences command.
    -X    Output to Rich Text Format. The -X option functions only with managers on computers with Windows operating systems.
    -m    Show the message ID.
    -D    Compare the specified policy run with a policy run that is at least the specified number of days old. Policy runs may be specified with the -D option, the -j option, or a combination of both.

For example, assume that you run a weekly Policy report on the GS100 agent by using the Phase 1 policy. To view a report that compares the differences between the most current report (this week's) and last week's Policy report, type the following:

    view differences -j 0 -j -1 "Phase 1" GS100 all

For example, when the security run is done weekly and you want to output the information in Rich Text Format, you can type the following:

    view differences -X -j 0 -D 7 "Phase 1" GS100 all

Managers on computers with Windows operating systems write this information to the diff.rtf file in the \Symantec\Enterprise Security Manager\ESM\reports directory.

To use variables, type each variable name instead of a job ID. You must enclose the variable names in % characters, and the value of each variable must equal a job ID. For example, to view the differences between two policy runs that were started during the current CLI session, type the following:

    view differences -j %before% -j %after% "Phase 1" GS100 all

For example, run the Phase 1 policy, remove the Password Strength module from the policy, run the policy again, and then run View differences. The View differences report compares the matching modules and reports any differences that it finds. Each module has a short module name. A module name of all means that the CLI uses all of the modules for the policy and agent combination.

About the View domain command

The View domain command lets you view information about the specified domain. Use the following format:

    view domain [-hfticpx] [-w <width>] [-n <length>] [-o <output>] [-F <format>] [<domain_name>]

You can use the following additional option with the View domain command:

    -X    Output to Rich Text Format. The -X option functions only with managers on computers with Windows operating systems.

For example, to view the Windows 2000 Agents domain, type the following:

    view domain "Windows 2000 Agents"

To output the information in Rich Text Format, type the following:

    view domain -X "Windows 2000 Agents"

Managers on computers with Windows operating systems write this information to the domain.rtf file in the \Symantec\Enterprise Security Manager\ESM\reports directory.
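The View differences description above gives several selection rules (-j 0 and -j -1, a single -j compared against the most current run, -D picking a run at least N days older, -N and -O, and "all" versus one short module name, with only matching modules compared). The following Python is an added example of that comparison over a constructed run history; it is not Symantec ESM code. The run table, the (name, info) pair used to model a report item, the function names, the generalisation of -1 to -n for the n-th previous run, and the choice of the newest qualifying run for -D are all assumptions of the example.

```python
"""Added example (not Symantec ESM code): the comparison that View differences
performs between two policy runs, with the -j, -D, -N/-O and module selection
rules described in the guide. The run history is constructed; a report item is
modelled as a (name, info) pair per module, which is an assumption."""

from datetime import date, timedelta

# Constructed history for policy "Phase 1" on agent GS100: job ID -> start date
# and the (name, info) items each module reported. Job IDs rise in start order.
SAMPLE_RUNS = {
    80: {"started": date(2010, 2, 18),
         "modules": {"password": {("Minimum length", "6")},
                     "account": {("Inactive account", "svc_backup")}}},
    81: {"started": date(2010, 2, 25),
         "modules": {"password": {("Password expiration", "jdoe"),
                                  ("Minimum length", "6")},
                     "account": {("Inactive account", "svc_backup")}}},
    82: {"started": date(2010, 3, 4),
         "modules": {"password": {("Password expiration", "jdoe"),
                                  ("Minimum length", "8")},
                     "account": set()}},
}


def resolve_job(runs, ref):
    """-j semantics: 0 is the most current run, -1 the first previous run
    (generalised here to -n for the n-th previous); positive is a job ID."""
    ordered = sorted(runs)
    if ref <= 0:
        index = len(ordered) - 1 + ref
        if index < 0:
            raise ValueError(f"no run {-ref} back in the history")
        return ordered[index]
    if ref not in runs:
        raise ValueError(f"unknown job ID {ref}")
    return ref


def run_at_least_days_before(runs, base_id, days):
    """-D semantics: the most recent run that started at least `days` days
    before the base run (picking the newest candidate is an assumption)."""
    cutoff = runs[base_id]["started"] - timedelta(days=days)
    candidates = [jid for jid, run in runs.items() if run["started"] <= cutoff]
    if not candidates:
        raise ValueError(f"no run at least {days} days before job {base_id}")
    return max(candidates)


def view_differences(runs, job_refs=(), days=(), module="all", show="both"):
    """Return (newer_id, older_id, {module: {"new": [...], "old": [...]}});
    show is "both" (default), "new" (-N) or "old" (-O)."""
    selected = [resolve_job(runs, ref) for ref in job_refs]
    for d in days:  # -D is measured from the first -j run, else from the current one
        base = selected[0] if selected else resolve_job(runs, 0)
        selected.append(run_at_least_days_before(runs, base, d))
    if len(selected) == 1:  # one run given: compare it with the most current run
        selected.append(resolve_job(runs, 0))
    if len(selected) != 2:
        raise ValueError("exactly two policy runs must be selected")
    newer_id, older_id = max(selected), min(selected)
    newer, older = runs[newer_id]["modules"], runs[older_id]["modules"]
    modules = set(newer) & set(older)  # only matching modules are compared
    if module != "all":
        modules &= {module}
    report = {}
    for mod in sorted(modules):
        entry = {}
        if show in ("both", "new"):
            entry["new"] = sorted(newer[mod] - older[mod])
        if show in ("both", "old"):
            entry["old"] = sorted(older[mod] - newer[mod])
        report[mod] = entry
    return newer_id, older_id, report


if __name__ == "__main__":
    # Equivalent of: view differences -j 0 -j -1 "Phase 1" GS100 all
    print(view_differences(SAMPLE_RUNS, job_refs=[0, -1]))
    # Equivalent of: view differences -j 0 -D 7 "Phase 1" GS100 all
    print(view_differences(SAMPLE_RUNS, job_refs=[0], days=[7]))
```

Note what the account module shows in the sample history: the item disappears from the newer run, so it surfaces only as an "old" difference, which is why -O (or the default) rather than -N is the view to use when checking that a finding was actually resolved instead of merely no longer reported.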

About the View policy command

The View policy command lets you view a Policy report on the specified policy, its modules, and their security checks. Use the following format:

    view policy [-DSshfticPX] [-w <width>] [-n <length>] [-o <output>] [-F <format>] <policy_name>

You can use the following additional options with the View policy command:

    -D    Do not show the disabled options in the policy information
    -S    Do not show the suppress records for each module
    -s    Do not show the suppress records for the policy or domain
    -X    Output to Rich Text Format. The -X option functions only with managers on computers with Windows operating systems.

For example, to view the Phase 1 policy, type the following:

    view policy "Phase 1"

To output the information in Rich Text Format, type the following:

    view policy -X "Phase 1"

Managers on computers with Windows operating systems write this information to the policy.rtf file in the \Symantec\Enterprise Security Manager\ESM\reports directory.

About the View report command

The View report command lets you view a Security report. This report contains detailed information for a single security module that is run on a single agent. You can use the report to correct deviations from the security policy. Use the following format:

    view report [-sdtlhfticpx] [-x <file>] [-q <file>] [-w <width>] [-n <length>] [-o <output>] [-F <format>] <policy_name> <agent_name> <short_module_name> <job_id or %variable%>

You can use the following additional options with the View report command:

    -x    Output to a file in tab/double-quote format (suitable for reading by Microsoft Excel)
    -q    Output to a file in comma/double-quote format (suitable for reading by Borland Quattro Pro by using the import function)
    -s    Do not show the report summary
    -d    Do not show the report details
    -T    Do not show the long descriptive text for each message
    -l    Show the long descriptive text for each message
    -X    Output in Rich Text Format. The -X option functions only with managers on computers with Windows operating systems.
    -m    Show the message ID.

For example, to view the Security report that results from running the Account Integrity module in the Phase 1 policy on the GS100 agent, type the following:

    view report "Phase 1" GS100 account 81

To view a report by using a variable, type the variable name instead of the job ID. You must enclose the variable name in % characters, and the value of the variable must equal the job ID. For example, to view a report by using the acctint variable, type the following:

    view report 'Phase 1' GS100 account %acctint%

To output the Security report to a file that contains information from the last complete policy run for the specified policy, agent, and module, type the following:

    view report -x "Phase 1" GS100 account 0

About the View summary command

The View summary command lets you view policy run summary information for the specified policy and domain. It shows the security level and score for each module in the policy. Use the following format:

    view summary [-mihfticpx] [-w <width>] [-n <length>] [-o <output>] [-F <format>] <policy_name> <domain_name>

You can use the following additional options with the View summary command:

    -m    Do not show module information
    -I    Do not show information from old policy runs

    -X    Output to Rich Text Format. The -X option functions only with managers on computers with Windows operating systems.

For example, to view summary information for the Phase 1 policy on the All Agents domain, type the following:

    view summary "Phase 1" "All Agents"

Chapter 7
Generating and viewing the reports

This chapter includes the following topics:

    About the Symantec ESM reports
    Generating standard reports
    Saving a report
    Opening a report
    Printing a report
    E-mailing a report
    Deleting a report
    Customizing a report
    About setting trend datapoints

About the Symantec ESM reports

Symantec ESM offers six standard reports that can be configured for content and audience. The six standard reports produce output in HTML format. These reports contain charts, tables, and hyperlinks that must be viewed in an HTML browser. You can also use the ESM console summary database information with third-party applications such as Crystal Reports or Microsoft Access to create custom reports.

Generating standard reports

A Symantec ESM report is an online or printed account of the information that is contained in the grid and chart. Symantec ESM offers the following standard report types to security administrators:

    Security report      The Security report presents noncompliant security-related information in summary and detailed formats.
    Domain report        The Domain report lists all agents in the domain and the following important information about each agent: operating system, version, network protocol, network port, and computer type.
    Executive report     The Executive report is a one-page summary that displays the enterprise's conformity to each security module.
    Policy report        The Policy report provides information about individual policies, which includes the number of policies, modules, and security checks.
    Policy run report    The Policy run report contains the start and completion time, policy name, and domain name for all jobs that are run on the manager.
    Template report      The Template report lists the objects in the template.

Symantec ESM reports contain the following sections:

    Title page
    Table of contents
    Introduction
    Report body

You can customize a report by adding the organization's name and logo to the report's title page.

Generating a Security report

This report can list security-related data about objects in the enterprise tree from the summary branch up through My ESM Enterprise.

257 Generating and viewing the reports Generating standard reports 257 Different policy runs can include different mixes of modules, enabled security checks, and template settings. The Security report identifies the policy run that provides the summary information for each security module. The report portrays policy run results in the same tabular and graphical formats as the grid and chart. In Symantec ESM, you can generate a report that is based on specific policies, modules, operating systems, and messages. You can also select which levels in the Symantec ESM tree to include or exclude from the report. Any filters that are employed filter information in reports as well as reports as the information that is displayed in the chart and grid. Therefore, you should interpret filtered reports in the context of the applied filter. You can create a Security report from the Report menu or from specific nodes in the enterprise tree. The nodes are the My ESM Enterprise node, the All Managers node and any node that is subordinate to the All Managers node. The body of the Security report has a section for the following: Selected node Node under the selected node Policy run summary nodes For example, if you generate the Security report from an agent node, then the body of the report has a section for the following: Agent Policy or policies Modules Policy run summary nodes Symantec ESM may take a long time to produce a report if you run a policy on a large number of agents. Turning off graphic generation can significantly reduce the time that is required to create the report. Also, the browser may have problems loading the file if the report.html file grows to many megabytes. After the report is generated, the ESM console launches the computer s default browser that displays the report in standard HTML format. The ESM console saves the report file automatically. You can print it for analysis and future reference. 
To generate a Security report
1 Do one of the following:
- Right-click a specific node from My ESM Enterprise down through the summary branch, and then click Security report.
- Click a specific node from My ESM Enterprise down through the summary branch. Then, on the Report menu, click Security.
2 Use the report options tabs to view or change the default report settings as follows:
- Click the Summary tab, and then select the check boxes for the levels of the summary branch that you want to include in the report. Each option represents a level in the summary branch. Dimmed options are not available because the report was created at a node under those levels. The text box at the top of the window displays the node from which the Security report was initiated.
- Click the Format tab, and then select or clear the check boxes to change the default settings. Clear Show title page when you want a report without a title page. Clear Show table of contents if the Web browser does not support frames; the browser then opens the report.html version of the report. Clearing this option increases the time that the browser needs to load a report, because the default setting lets the browser initially load only the report's title page and table of contents. Clear Show introduction when you want a report without an introduction. For more information, click Help on the tab.
- Click the General tab, and then select or clear the check boxes to change the default settings. Clear Show summary chart when you want a report without summary charts. Clear Show drill-down chart when you want a report without object charts.
- Click the Policy tab, and then select or clear the check boxes to change the default settings. On this tab you can choose to show policy checks and suppression records.
- Click the Messages tab, and then select or clear the check boxes to change the default settings. On this tab you can choose to show long message text and suppressed messages, and to show policy run message differences.
When Symantec ESM finishes, it launches the computer's default Web browser and displays the report in standard HTML format.

Generating a Domain report

The Domain report lists the agents in the selected domain. With this report, you can learn each agent's operating system, Symantec ESM version, network protocol, and proxy agent names. You can create a Domain report by right-clicking any named domain node.

To generate the Domain report
1 Do one of the following:
- Right-click a domain on the summary branch, and then click Domain report.
- Click a domain on the summary branch. Then, on the Report menu, click Domain.
2 Clear the check boxes to eliminate the title page, the table of contents, or the introduction page from the report.

Generating a Policy report

The Policy report provides information about individual policies, including the following:
- The number of policies
- The number of modules
- The number of enabled checks

You can generate a Policy report from the Policies node or any node that is subordinate to the Policies node. Like the Security report, the Policy report lists information for the selected node plus the branches beneath the selected node.

To generate a Policy report
1 Do one of the following:
- Right-click a specific node on the policies branch, and then click Policy report.
- Click a specific node on the policies branch. Then, on the Report menu, click Policy.
2 Use the report options tabs to view or change the default report settings as follows:
- Click the Format tab. Clear the check boxes to eliminate the title page, the table of contents, or the introduction page from the report.
- Click the Policy report tab. Select the check boxes to show disabled checks, policy suppressions, namelists for each check, and long descriptions for each check.

Generating a Policy run report

The Policy Run report lists all the jobs that have run on the manager and the following information about each run:
- Status
- Start and finish time
- Policy name
- Domain name

You can generate a Policy Run report from the Policy Runs node.

To generate a Policy run report
1 Do one of the following:
- On the enterprise tree, right-click the Policy Runs node, and then click Policy Run report.
- On the enterprise tree, click the Policy Runs node, and then, on the console task bar, click Report > Report Options.
2 In the Report Options dialog box, provide the necessary information and click OK.

Generating a Template report

Templates define the baseline status of objects. The Template report contains a list of these objects and each object's security setting.

Note: Some template files contain so much information that when you open a Template report, the computer may run out of virtual memory.

You can create a Template report by right-clicking any named template node.

To generate a Template report
1 Do one of the following:
- On the enterprise tree, right-click a node on the templates branch, and then click Template report.

- On the enterprise tree, click a node on the templates branch. Then, on the Report menu, click Template.
2 Use the report options tabs to view or change the default report settings as follows:
- Click the Format tab, and then clear the check boxes to eliminate the title page, the table of contents, or the introduction page from the report.
- Click the Template tab, and then select the check box to show template sublists.

Generating an Executive report

The Executive report lists the selected object's conformity to each security module. You can create an Executive report from specific nodes in the enterprise tree: the My ESM Enterprise node, the All Managers node, and any node that is subordinate to the All Managers node.

To generate an Executive report
Do one of the following:
- On the enterprise tree, right-click a node from My ESM Enterprise down through the summary branch, and then click Executive report.
- Click a node from My ESM Enterprise down through the summary branch. Then, on the Report menu, click Executive.

Saving a report

Reports capture important information at key points in time. The ESM console automatically saves reports as you generate them. The ESM console names each report according to the following:
- The node on which the report was generated
- The date on which the report was generated
- The time at which the report was generated

Note: Report names use 24-hour time, 00:00-23:59.

The ESM console stores the saved reports in a folder on the computer where the ESM console is installed. Use the Report Options dialog box to choose a different report repository location.

Opening a report

The reports folder contains a separate folder for each type of report. Symantec ESM lets you open saved reports.

To open a report
1 On the Report menu, click Open.
2 Choose the folder that contains the report.
3 Choose frames.html or report.html. The frames version uses a table of contents.
4 Click Open.

Printing a report

After you generate a report with the ESM console, you can print it for further reference or analysis. Because Symantec ESM displays its Security reports in HTML format, you must have a Web browser on the computer to view or print a report. Refer to your browser's documentation for instructions on how to print a file. You may find that reports with complex tables print better in landscape mode.

To print a single page from a report
1 Select the page in the table of contents.
2 Click the frame that displays the required page.
3 Click the print icon on the browser's toolbar.

To print a complete report
1 Change the URL location to file:///.../report.html, and then press Enter.
2 Click the print icon on the browser's toolbar.

E-mailing a report

You can e-mail a report, but first zip the entire report directory, because the frames version refers to the other files in that directory. Recipients should open frames.html to view the report.

Deleting a report

Symantec ESM lets you delete saved reports when you no longer need them.

To delete a saved report
1 On the console task bar, click Report > Delete.
2 In the Delete Reports dialog box, click the option for the report type. Saved reports of that type are displayed in the Created reports list box.
3 In the Existing Reports pane, select the report that you want to delete.
4 Click Delete.

Customizing a report

You can customize a report title page by adding the organization's name and logo. You can also specify a different location in which to save report files.

To customize a report
1 On the console task bar, click Report > Report Options.
2 In the Report Options dialog box, type the name of the organization in the Company name box.
3 Click ... to navigate to the location where you have saved the organization's logo. The logo must be in a graphic format that can be displayed in an HTML file, such as a .gif or .jpeg file.
4 In the Location for Report Files text box, specify a location for the report files.
5 Click OK to save the changes and apply them to every report that Symantec ESM generates.

About setting trend datapoints

Use the Trend Datapoints dialog box to set the number of trend data points that Symantec ESM uses in the trend analysis report. You can choose to represent days or weeks as data points. Each data point represents a security level or score at the end of the day (11:59 PM) or at the end of the week (11:59 PM on Saturday). The grid and chart depict the configured number of data points, starting with the most recently available data point. If less data is available than the number of data points, Symantec ESM depicts what is available and then repeats the last data point for the remaining periods.

To set trend datapoints
1 On the ESM console menu bar, click View > Trend Datapoints.
2 In the Trend Datapoints dialog box, in the Data Points area, do one of the following:
- Click Daily to make each data point represent the security level or score at the end of every day.
- Click Weekly to make each data point represent the security level or score at the end of every week.
3 In the Number of Datapoints box, type the number of data points that you want Symantec ESM to use when charting trend analysis. Alternatively, click the up or down arrow to enter a value. The default value in the Number of Datapoints box is 10.
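As an added illustration (written for this edition, not Symantec ESM code), the following Python models how trend data points are derived from a series of timestamped scores under the rules just described: the score at the end of each day, or at the end of each Sunday-to-Saturday week, the most recent point first, and the oldest available point repeated when fewer periods have data than were requested. The sample scores, the function names, and the assumption that periods without any data are simply skipped rather than interpolated are the editor's, not the product's. It is handy for reproducing a trend chart from exported scores, or for checking what a chart with too few data points is really telling you.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

Sample = Tuple[datetime, float]   # (time the score was recorded, score)


def period_end(ts: datetime, weekly: bool) -> datetime:
    """End of the period that contains ts: 23:59 on that day for daily
    points, or 23:59 on the Saturday that closes the week for weekly
    points (weeks are assumed to run Sunday through Saturday)."""
    end = ts.replace(hour=23, minute=59, second=0, microsecond=0)
    if weekly:
        # weekday(): Monday == 0 ... Saturday == 5, Sunday == 6 rolls to next Saturday
        end += timedelta(days=(5 - end.weekday()) % 7)
    return end


def trend_datapoints(samples: Iterable[Sample], count: int = 10,
                     weekly: bool = False) -> List[Sample]:
    """Return `count` (period end, score) points, most recent first.
    The score of a period is the last score recorded inside it. When fewer
    periods have data than `count`, the oldest available point is repeated
    for the remaining (earlier) periods; this is how the model reads the
    guide's description, and it is an assumption."""
    if count < 1:
        raise ValueError("count must be at least 1")
    last_in_period: Dict[datetime, float] = {}
    for ts, score in sorted(samples):            # chronological, so later samples win
        last_in_period[period_end(ts, weekly)] = score
    if not last_in_period:
        return []
    recent_first = sorted(last_in_period, reverse=True)[:count]
    points = [(end, last_in_period[end]) for end in recent_first]
    step = timedelta(days=7 if weekly else 1)
    while len(points) < count:                   # pad with the oldest available point
        prev_end, prev_score = points[-1]
        points.append((prev_end - step, prev_score))
    return points


# Constructed sample scores for one agent (not real ESM data).
SAMPLE_SCORES: List[Sample] = [
    (datetime(2010, 3, 1, 9, 0), 80.0),
    (datetime(2010, 3, 1, 17, 0), 85.0),   # later on the same day: this one counts
    (datetime(2010, 3, 2, 12, 0), 70.0),
    (datetime(2010, 3, 4, 8, 0), 90.0),    # March 3 has no data and is skipped
]


if __name__ == "__main__":
    for end, score in trend_datapoints(SAMPLE_SCORES, count=5):
        print(end.strftime("%Y-%m-%d %H:%M"), score)
```

With five daily points requested and only three days of data, the two oldest slots repeat the March 1 score; a flat tail in a trend chart can therefore mean "no history yet" rather than "no change".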

Chapter 8
Conforming to the regulatory policies

This chapter includes the following topics:
- Securing the network
- About suppressing a Security report item
- Correcting a Security report item
- Reversing corrections to a Security report item
- Updating templates
- Updating snapshots

Securing the network

To bring computers into conformance with your organization's security policy, you need to resolve the security problems that the policy runs identify.

Symantec ESM installs with a set of default policies. Start by running the Phase 1 security policy on your network resources. This policy consists of the modules that check the most significant and potentially problematic security areas of a computer. When you have resolved the problems that the Phase 1 policy identifies, move on to the Phase 2 policy. This policy includes all of the available modules, but only the key security checks in each module are enabled. After you resolve the problems that the Phase 2 policy identifies, continue with the Phase 3 policy. This policy has three levels; you can choose the level that raises your network resources to a relaxed, moderate, or strict-level security environment.

The ESM console provides functions to help you resolve the security problems that the policy runs report. The ESM console also lets you modify the checks in the modules to exclude specific items from reports. On occasion, your modifications may affect areas of the computer that should be reported. In these instances, you can use the alternative functions that this chapter describes, such as suppressions, to fine-tune your modifications.

The following process outlines how to bring computers into conformance:
- Run an initial policy on the agents in your network.
- Select an agent computer that reports red-level security problems, and resolve them.
- Select an agent computer that reports yellow-level security problems, and resolve them.
- Proceed to a stronger security policy and repeat the process.

Consider beginning with the computers that contain high-value information or that are more susceptible to attack.

The ESM console lists the reported security problems in the grid. Each problem has an assigned security level and score. Red messages indicate severe security problems. Yellow messages indicate moderate security problems. When you have solved the red-level problems on one computer, move on to another computer that reports red-level problems. Continue this process until you have solved all of the red-level security problems on the network. Then, after you solve the yellow-level problems on one agent computer, move on to another computer that reports yellow-level problems, and continue until you have solved all of the yellow-level security problems on the network.

About suppressing a Security report item

Symantec ESM security checks may report conditions on computers that are tolerated within your organization's security policy. You can either temporarily or permanently suppress the messages instead of excluding important areas of a

check from the Symantec ESM policy. You can do so on a case-by-case basis. All messages are suppressible.

Suppressions do not correct security problems. They only prevent the messages that the agents report from appearing in future Security reports. You can suppress messages by title, name, information (the text in the Information column of the grid), and agent. You can suppress specific messages or use wildcards to suppress all messages of a certain type.

Note: Exercise caution when you use suppressions, especially wildcard suppressions. You may inadvertently mask security problems.

You can view, edit, and delete message suppressions in the Policies branch of the enterprise tree. By default, suppressions expire after six months. Newly created suppressions become attributes of a policy. You can view suppressed items in the grid by expanding the policies branch and selecting the Suppressions node. You can also include them in the Security report by choosing them as part of the filter. See Filtering the security data on page 189.

For each suppression, the grid displays the agent, policy, module, and operating system for which the message is suppressed. The grid also displays the following:
- Message title
- Creator of the suppression
- Date of creation
- Date of expiration
- Date on which the suppression was last used
- State of the suppression (Enabled or Disabled)

Some suppressions stop working after you upgrade agents. This limitation applies only to module upgrades that change the message text: Symantec ESM cannot suppress a message if the text in the message does not match the text that was used to create the suppression. In these instances, create a new suppression that is based on the new message. The "last used" date in the grid is a quick way to find suppressions that no longer match anything.

When you create a suppression, you use the fields in the Create a Suppression window to customize it. These fields let you add wildcards, expiration dates, and comments to the suppression. The wildcard check boxes let you suppress messages for multiple agent names, user accounts, or message text values. If you clear the wildcard check boxes, the suppression is valid only for the specific agent, user account, and message text that are associated with the message.

Table 8-1 lists and explains each field in the Create a Suppression window.

Table 8-1 Create a Suppression window field descriptions

Field: Enable Suppression
Description: This check box lets you enable and disable the suppression.

Field: Ignore Title
Description: This field displays the title of the message that you selected in the ESM console grid. If you select the check box, the suppression can match any message title. If you clear the check box, the suppression must explicitly match the message title that is listed to the right of the check box.

Field: Wildcard Name
Description: This field lets you specify the name of the user, account, or computer that the suppression must match. A Security report may list more than one user or account on a computer with the security violation. You can use a wildcard character to suppress the message for all user, account, or computer names.
Note: Computer names in this field differ from agent names. Computer names identify the computers that are assessed by proxy agents or by other agentless assessment methods.

Field: Wildcard Information
Description: This field lets you specify the message text that the suppression must match. A Security report may list more than one occurrence of a security violation. You can use a wildcard character to suppress the message for all occurrences of the message text.

Field: Wildcard Agent Name
Description: This field lets you specify the agent to which the suppression applies. A Security report may list more than one agent with the security violation. You can use a wildcard character to suppress the message for all agents.

Field: Expiration Date
Description: This field lets you set the date on which the suppression expires. Use the drop-down arrow to open the calendar tool and select the date.

Field: Comment
Description: This field lets you record details of the suppression, the reason for it, or other information.
Use the asterisk (*) wildcard in place of any number of characters in the Wildcard Name, Wildcard Information, or Wildcard Agent Name fields. For example, an asterisk in the Wildcard Agent Name field applies the suppression to every agent in the domain. Use the question mark (?) wildcard in place of a single character. Agent names cannot be longer than 61 characters.

Creating a suppression

If you select the Wildcard Name, Wildcard Information, or Wildcard Agent Name check box but do not type a wildcard character in the related text box, the suppression must explicitly match the value in that field to suppress the message. Also, when you use wildcards to create suppressions, Symantec ESM lets you create multiple suppressions of the same item using different options or wildcard characters.

For example, suppose that you select the message titled Inactive Account to create a suppression. To suppress all of the messages titled Inactive Account from the GS1001 agent computer, do the following:
- Select the check boxes next to the Wildcard Name and Wildcard Information fields.
- Type an asterisk (*) in the text boxes next to those check boxes.

If you also select the Wildcard Agent Name check box and type an asterisk in its text box, you activate the suppression for every agent on the manager. If you type GS* instead, you enable the suppression for every agent whose name begins with the string GS. Wildcard fields are case sensitive.

Use the Create a Suppression dialog box to create a security message suppression. You can suppress a security message under the following conditions:
- You do not want to immediately correct the security condition that the security message reports.
- You do not want ESM to report a particular security condition in your enterprise.

Symantec ESM does not figure the security score and level of suppressed security messages into the agent's total security score or level. Suppressions do not change the current report; they affect only future reports of the same policy. A suppression becomes an attribute of the policy and does not affect policy runs that use other policies. For example, a suppressed message on a Phase 1 report does not affect a Phase 2 policy run. The ESM console displays new suppressions under the policy node in the enterprise tree.
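The matching rules described above (asterisk and question mark wildcards, case sensitivity, a selected wildcard box with no wildcard character still requiring an exact match, expiration, the Ignore Title option, and the earlier note that a suppression stops matching when a module upgrade changes the message text) are small enough to model in code. The following Python is an added example written for this edition of the guide, not Symantec ESM code: the Message and Suppression classes, the constructed grid rows, and the helper names are the editor's assumptions, and the model covers only the fields that the guide describes. It is useful for reviewing a set of suppressions for over-broad wildcards, or for predicting which rows the next run of the same policy would still report.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an ESM-style wildcard pattern to a regular expression:
    '*' stands for any run of characters, '?' for exactly one character,
    everything else is literal. Matching is case sensitive."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


@dataclass
class Message:
    """One row of the security grid (constructed sample data, not ESM output)."""
    title: str
    name: str      # user, account, or computer name
    info: str      # text of the Information column
    agent: str


@dataclass
class Suppression:
    """The fields of the Create a Suppression window, as modeled here."""
    title: str
    name: str
    info: str
    agent: str
    ignore_title: bool = False
    wildcard_name: bool = False
    wildcard_info: bool = False
    wildcard_agent: bool = False
    enabled: bool = True
    expires: Optional[date] = None   # None models "No Expiration"

    @staticmethod
    def _field_matches(pattern: str, value: str, wildcard: bool) -> bool:
        # Wildcard box cleared: the field is a literal. Box selected: a pattern
        # without '*' or '?' still matches only the exact value.
        if wildcard:
            return wildcard_to_regex(pattern).match(value) is not None
        return pattern == value

    def matches(self, msg: Message, today: date) -> bool:
        if not self.enabled:
            return False
        if self.expires is not None and today > self.expires:
            return False
        if not self.ignore_title and msg.title != self.title:
            return False
        return (self._field_matches(self.name, msg.name, self.wildcard_name)
                and self._field_matches(self.info, msg.info, self.wildcard_info)
                and self._field_matches(self.agent, msg.agent, self.wildcard_agent))

    def breadth_warnings(self) -> List[str]:
        """Flag the over-broad settings that the guide's note cautions about."""
        warnings = []
        if self.ignore_title:
            warnings.append("matches any message title")
        for label, pattern, on in (("name", self.name, self.wildcard_name),
                                   ("info", self.info, self.wildcard_info),
                                   ("agent", self.agent, self.wildcard_agent)):
            if on and pattern and set(pattern) <= {"*"}:
                warnings.append(f"{label} pattern {pattern!r} matches every value")
        if len(self.agent) > 61:
            warnings.append("agent name longer than 61 characters")
        return warnings


def apply_suppressions(messages: List[Message], suppressions: List[Suppression],
                       today: date) -> Tuple[List[Message], List[Message]]:
    """Split messages into (reported, suppressed), as a future run of the
    same policy would see them."""
    reported, suppressed = [], []
    for msg in messages:
        (suppressed if any(s.matches(msg, today) for s in suppressions)
         else reported).append(msg)
    return reported, suppressed


def unused_suppressions(messages: List[Message], suppressions: List[Suppression],
                        today: date) -> List[Suppression]:
    """Suppressions that match nothing in this run: candidates for review,
    for example after a module upgrade changed the message text."""
    return [s for s in suppressions
            if not any(s.matches(m, today) for m in messages)]


# Constructed grid rows for one policy run (not real ESM output).
SAMPLE_RUN: List[Message] = [
    Message("Inactive Account", "jsmith", "Last logon 120 days ago", "GS1001"),
    Message("Inactive Account", "svc_backup", "Last logon 95 days ago", "GS1001"),
    Message("Inactive Account", "jsmith", "Last logon 120 days ago", "GS1002"),
    Message("Inactive Account", "root", "Last logon 200 days ago", "DB01"),
    Message("Disabled Account", "guest", "Account is disabled", "GS1001"),
]
```

The guide's example, a suppression of every Inactive Account message from GS1001, is `Suppression("Inactive Account", "*", "*", "GS1001", wildcard_name=True, wildcard_info=True)`; widening the agent field to `GS*` with its wildcard box selected also catches GS1002 but not DB01, and `gs*` catches nothing because matching is case sensitive.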

To suppress a Security report item
1 Expand an agent from the summary branch, and select a policy run.
2 Select one or more messages in the grid. To select adjacent rows, drag across the row numbers, or select the first row number and hold down Shift while you select the last row. To select non-adjacent rows, hold down Ctrl and select the required row numbers. You can only select multiple rows using the column with the row numbers. You cannot use suppression wildcards when you select multiple message rows.
3 Right-click a highlighted row, and then click Suppress. The Create a Suppression dialog box provides several fields that you can use to set suppression options. The resulting suppression uses all of the criteria when it matches messages from policy runs.
4 To set the suppression criteria in a particular wildcard field, select the corresponding check box and edit the field.
5 In the Expiration Date box, set the date on which the suppression expires. Select the part of the date that you want to set, and click the arrows to select the new value. If you want the suppression to be permanent, select No Expiration.
6 In the Comment field, enter the reason for creating the suppression, or other helpful information about it. The suppression editor automatically records the account that created the suppression, the date the suppression was created, and the date the suppression was last used.

Editing a suppression

You can edit the wildcards, expiration dates, and comments of existing suppressions. When you edit multiple suppressions at once, you can edit only the expiration date and comment fields.

To edit a suppression
1 In the enterprise tree, expand Policies, and then expand a named policy.
2 Expand a named module, and then expand an operating system node.
3 Click Suppressions.
4 In the grid, right-click the suppression, and then click Edit.

5 Change any aspect of the suppression. See About suppressing a Security report item on page 266.
6 Click OK.

To edit expiration dates and comments in multiple suppressions
1 In the enterprise tree, expand Policies, and then expand a named policy.
2 Expand a named module, and then expand an operating system node.
3 Click Suppressions.
4 In the grid in the lower pane, select the suppressions that you want to edit, and then right-click one of them.
5 Do one of the following:
- Click Edit Comments.
- Click Edit Expirations.
6 Type your comments or edit the expiration date.
7 Click OK.

See Deleting a suppression on page 274.

Replicating a suppression

The Replicate Suppressions feature lets you replicate suppressions from a manager's node at the level of the manager, policy, module, or operating system. You can also replicate suppressions at the message level from the suppression grid.

Use the Replicate Suppressions wizard to select one or more suppressions from an ESM manager and replicate them on a target manager. The wizard lets you do the following:
- Replicate the suppressions of a selected manager.
- Replicate the suppressions of a selected policy.
- Replicate the suppressions of a selected module.
- Replicate the suppressions of a selected operating system of a specific module.

To replicate suppressions, you must provide the credentials of the user account that you use to access the target manager. You can also select multiple target managers and use the same credentials for all of them.

To replicate suppressions from a manager's node
1 On the enterprise tree, right-click a manager, and then click Replicate Suppressions.
2 In the Welcome panel of the Replicate Suppressions wizard, click Next.
3 In the Select Suppressions panel, enumerate the manager's node and select the modules that contain the suppressions that you want to replicate. Alternatively, click Advanced to refine your selection criteria. In the Advanced Selection dialog box, set the following:
- Modules: lets you select the modules that contain the suppressions that you want to replicate.
- Operating systems: lets you select the operating systems for the specified modules.
- Apply to all policies: applies the module and operating system selection to every policy on the selected manager, so the selected modules and operating systems of all the manager's policies are replicated.
Note: If you do not select any modules, all modules are selected by default. If you do not select any operating system, all operating systems are selected by default.
4 In the Select Suppressions panel, click Next.
5 In the Select Managers panel, in the Available managers list, select the target managers on which you want to replicate the suppressions. You can select one or more managers.
6 Click > to add the managers to the Selected managers list.
7 In the Manager Logon dialog box, do one of the following:
- Check Use credentials by which the manager is connected to the ESM console.

This option uses the credentials with which you access the target manager from the console.
- Type the user name and password that you want to use to access the target manager.
8 In the Select Managers panel, click Next.
9 In the Suppressions Settings panel, do the following, and then click Next:
In the For existing suppression section, click one of the following options:
- Preserve the suppression on the target manager: retains the suppression on the target manager if a suppression with the same message code, name, info, or agent already exists there.
- Overwrite the existing suppression on the target manager: replaces the suppression on the target manager if a suppression with the same message code, name, info, or agent already exists there.
In the For existing suppression file section, click one of the following options:
- Append the suppressions to the file: appends the selected suppressions to the suppressions file on the target manager.
- Overwrite the existing suppression file on the target manager: replaces the existing suppressions file on the target manager with the selected suppressions.
10 Click Start to begin replication, and then click Finish when the replication completes successfully.

To replicate suppressions from the message grid
1 On the enterprise tree, expand the Policies node, and then click Suppressions.
2 In the message grid, right-click the suppressions, and then click Replicate Suppressions.
3 Perform steps 2 through 10 of the previous procedure.

Viewing a suppression

You can view suppressions in the Symantec ESM grid. Suppressions are attributes of the individual policy, so you must check each policy to determine whether it has any suppressions.

To view a suppression
1 On the policies branch, expand the policy on which the suppression was created.
2 Expand the module that contains the suppression, and then click Suppressions.

Deleting a suppression

A suppression is an attribute of a security policy. To remove a suppression, you must access the suppression from the Policies node and delete it. Removing a suppression does not cause Symantec ESM to automatically re-evaluate a computer's security. To have Symantec ESM re-evaluate a computer's security status, you must repeat the policy run.

To delete a suppression
1 On the enterprise tree, expand Policies, and then expand <policy name> > <module name> > <operating system name>.
2 Click Suppressions. The suppression records are visible in the grid.
3 Select one or more suppressions in the grid. To select adjacent rows, drag across the row numbers, or select the first row number, hold down Shift, and select the last row number. To select non-adjacent rows, hold down Ctrl and select the required row numbers. You can only select multiple rows using the column with the row numbers.
4 Right-click a highlighted row, and then click Delete.

See About suppressing a Security report item on page 266.

Correcting a Security report item

The correction tool lets you correct some security items directly from the ESM console. Not all report messages can be corrected from the ESM console. Corrections are made on the basis of the module and the operating system. The

checks on a UNIX platform may be correctable, while the corresponding checks on a Windows NT platform may not be.

Evaluate each message in the Security report, considering the current computer configuration and how the computer may change. The current settings may be more appropriate than the setting that is defined in the security policy. If the current settings are more appropriate for the situation, update the policy or suppress the item from the report. See About suppressing a Security report item on page 266.

Symantec ESM corrections modify the computer where the agent resides. To correct a reported item, you must have access to an account with privileges on the agent computer. These privileges include the following:
- Administrator on computers with Windows operating systems
- Superuser on computers with UNIX operating systems
- Supervisor on NetWare/NDS servers
- System on computers that run OpenVMS operating systems

Before you can make the correction, you must provide credentials to access the agent computer in the Agent Credentials dialog box. Use the following accounts when you make corrections to computers in a domain or trusted domain:
- A domain account in the domain administrators group, entered in the form domain_name\user name.
- A domain account in the local administrators or supervisors group, entered in the form user name.
- A local account with administrator privileges on the local computer, entered in the form user name.

A 'C' in the Updateable/Correctable column of the grid indicates that an item is correctable. Symantec ESM logs on to the computer as the privileged user and tries to perform the correction. If Symantec ESM successfully makes the correction, the Correctable/Updateable value in the grid changes from Correctable to Corrected. If the correction is not successful, Symantec ESM reports an error message.

To correct a Security report item
1 Expand the summary branch and select a policy run. The security messages are visible in the grid.
2 Select one or more correctable messages in the grid. To select adjacent rows, drag across the row numbers, or select the first row number, hold down Shift, and select the last row number. To select non-adjacent rows, hold down Ctrl and select the required row numbers. You can only select multiple rows using the column with the row numbers.
3 Right-click a highlighted row, and then click Correct.
4 Type the user name and password of an account with privileges on the agent computer, and then click OK.

Reversing corrections to a Security report item

The Uncorrect command returns the computer to the configuration it had before the correction; in effect, it is similar to an Undo command.

Warning: After a report has been explicitly deleted or purged by later policy runs, you can no longer reverse its corrections from the ESM console.

To reverse corrections to a Security report item
1 Select the security message or messages in the grid. To select adjacent rows, drag across the row numbers, or select the first row number and hold down Shift while you select the last row. To select non-adjacent rows, hold down Ctrl and select the required row numbers. You can only select multiple rows using the column with the row numbers.
2 Right-click a highlighted row, and then click Uncorrect.
3 Type the user name and password of an account with privileges on the agent computer, and then click OK. Symantec ESM logs on to the computer as the privileged user and reverses the correction.

Updating templates

Templates define the baseline state of computer entities (for example, files and OS patches). Each template is specific to an operating system and module. Symantec ESM stores the template files on the manager's computer because they are part of the security policies that are applied to multiple agents in a domain. When you update a template, Symantec ESM changes the template to reflect the computer's current configuration.

To update a template

1 Expand the summary branch and select an agent. Expand the agent, then expand a module name. Select a policy run from beneath a module name. Security messages display in the grid.
2 Select the required messages in the grid. To select adjacent rows, drag across the row numbers, or select the first row number, and hold down Shift while you select the last row. To select non-adjacent rows, hold down Ctrl and select the required row numbers. You can only select multiple rows using the column with the row numbers.
3 Right-click a highlighted row, and click Update template.

Updating snapshots

Snapshot files store information about the state of the computer. Essentially, snapshots are a picture of the computer at a point in time. During a policy run, Symantec ESM compares the current state of the computer to the one recorded in the snapshot. Symantec ESM then reports any changes as potential security problems.

See About the snapshots on page 31.

To update a snapshot

1 Expand the summary branch and select a policy run. Security messages are visible in the grid.
2 Select the required messages in the grid. To select adjacent rows, drag across the row numbers, or select the first row number, and hold down Shift while you select the last row. To select non-adjacent rows, hold down Ctrl and select the required row numbers. You can only select multiple rows using the column with the row numbers.
3 Right-click a highlighted row, and click Update snapshot.

Chapter 9 Using the Symantec ESM utilities

This chapter includes the following topics:

- About the Symantec ESM utilities conventions
- About using the Policy tool
- About the Assign New Permission utility
- About the Change Agent Case utility
- About using the Database Conversion tool
- View security data in the drill-down mode

About the Symantec ESM utilities conventions

Symantec ESM utilities let you do the following:

- Copy policies between managers.
- Transfer security information from managers to an external database.
- Produce a wide range of reports from external databases.

These utilities run only from the Windows or UNIX command line. Important guidelines regarding the syntax and the command conventions that apply to the Symantec ESM utilities are provided here.

About the case-sensitive entries

Some input data is case sensitive. You must type this data to match the case of the corresponding values that are stored on a manager or an external relational database. For example, Phase 1 is not the same as phase 1 or PHASE 1.

About the quotation marks

Command arguments require quotation marks if they contain two or more words that are separated by spaces. For example, type the policy name, Phase 1, as "Phase 1". For consistency, you may enclose all command arguments in quotation marks, including single word arguments.

About the brackets

Command formats use two types of brackets. These brackets indicate user-supplied command options or data. Do not type the brackets. Type only the data inside the brackets. Use the following brackets:

Square brackets [ ]   These brackets indicate that the user-supplied command option is not required. Precede these command options with a dash (-). For example, the Policy tool command options can include: [-gui], [-n], [-p], [-y], or [-z].
Angle brackets < >    These brackets indicate user-supplied data that is network specific. For example, Policy tool command data can include: <manager_name>, <user_name>, or <password>.

About using the Policy tool

On large networks with many systems, the Policy tool provides an efficient way to standardize the settings of enabled security checks, templates, and word lists. The Policy tool exports policies from a selected manager and then imports the policies to the other managers on the network. The policies that you import enable the same security checks and contain the same template and word list settings as the policies on the source manager.

The Policy tool exports policies as XML formatted files. Use a standard text editor to view the contents. Each element is tagged for identification. The file structure separates the modules in the policy and the checks in each module. The state of each check is identified. Policy version and edit level, enabled template entries, and name list types and values are also listed.

The policy file that the Policy tool exports contains the security checks that are in the policy, whether enabled or disabled. However, it contains only the templates and word lists that are enabled in the source policy. The policy file that the Policy tool imports overwrites the policy file on the manager on which you import the file.

Prerequisites for using the Policy tool

Complete the following prerequisites:

Access rights
To export a policy, obtain access to an account on the manager that has View access rights for all policies and all templates. To import a policy, obtain access to an account on the manager that has the Create new policies and Create new templates access rights enabled.

Operating system domains
The OS domains of the manager that imports a policy must also be on the manager that exports the policy. For example, if the manager that imports a policy has HP-UX agent domains, then the manager that exports the policy must have HP-UX agent domains.
The Policy tool reports an error and terminates the import process if the manager that imports the policy does not have the same OS domain as the manager that exports the policy. For example, the Policy tool reports an error if the manager that imports the policy has an HP-UX agent domain, while the manager that exports the policy does not have the same agent domain.
The Policy tool disables the templates for a UNIX agent domain on the importing manager if the manager that exports the policy does not have the matching UNIX agent domain. You can enable the templates again with the template editor. For example, if the manager that imports a policy has the Solaris UNIX agent domain and the manager that exports the policy has the HP-UX and AIX UNIX agent domains, the Policy tool disables the Solaris templates on the importing manager.

Directory permissions
To export a policy, obtain access to an account on the host computer with the Write permission enabled for the destination directory. By default, the Policy tool exports policies to the current directory.

Exported policies
Before you export a policy, verify that at least one agent of each OS type that is registered to the manager has installed the latest security update. The verification ensures that the exported policy contains current security checks, templates, and word lists. Then verify that all of the security checks in each module of the policy are set to match your company's security policy. Also, verify that the required templates and word lists are enabled.

Imported policies
Before you import a policy, verify that the latest security update has been installed on the agents that are registered to the importing manager. The verification ensures that the agents can run all of the enabled security checks in the policy.

About accessing the Policy tool

Do the following to access the Policy tool:

On Windows: At the command prompt, change to the directory that contains the Policy tool. The tool installs in the C:\Program Files\Symantec\Enterprise Security Manager\Symantec ESM Enterprise Utilities directory by default.
On UNIX: At the command prompt, change to the directory that contains the Policy tool. The Policy tool installs in the esm/bin directory by default.

About formatting the Policy tool

Apply the following formatting rules when you enter a Policy tool command:

- Capitalize policy names to match the case of the corresponding values that are stored on a manager.
- Type policytool as one word.
- Type Policy tool options last in the command.

To export a policy from a manager, use the following format:

policytool export <manager_name> <user_name> <password> <file_name> <policy_name> [-gui] [-n] [-p] [-y] [-z]

To import a policy to a manager, use the following format:

policytool import <manager_name> <user_name> <password> <file_name> [-gui] [-n] [-p] [-y] [-z]

About the values for the Policy tool

The following are the definitions for the values that are used with the Policy tool:

manager_name   Name of the manager computer.
user_name      User account name on the manager.
password       User account password on the manager.
file_name      The file or the archive that contains the exported policy. You can specify a path to make the Policy tool export or import a policy to a directory other than the current directory.
policy_name    Policy that the Policy tool exports. Policy names are case-sensitive.

About the options for the Policy tool

The following options are associated with the Policy tool:

-gui   Use GUI components while reporting detected conflicts
-n     Do not report any detected conflicts and never overwrite the policy
-p     Specify the TCP port number that is used to contact the manager (default 5600)
-y     Do not report any detected conflicts but always overwrite the policy
-z     Specify zip file format

The -z option lets the Policy tool export or import a policy, its enabled templates, and enabled word files as a set of packed files in an archive.

-c        Do not put a timestamp on suppressed messages while importing them.
-force    Do not abort if the manager is missing some checks
-ignore   Ignore the files that are referenced by the policy and do not exist for import
-u        Delete the suppressions on the target manager that are not present on the source manager while overwriting the suppressions.

Note: The -gui, -n, and -y options are mutually exclusive.

Examples of using the Policy tool

The following examples are provided for using the Policy tool:

- Displaying help
- Exporting a policy
- Importing a policy
- Using GUI components

- Suppressing conflicts
- Using another directory
- Using an archive
- Using a different TCP port

Displaying help

To display help for the Policy tool, type a Policy tool command without any options at the command prompt:

policytool

Exporting a policy

To export a policy, use the export format and type the required values and options in a Policy tool command. For example, to export the Phase 1 policy on the GS0100 manager using the Security Officer account and its my1pass+ password, type the following at the command prompt, giving the export file name:

policytool export gs0100 "Security Officer" my1pass+ phase1.xml "Phase 1"

Note: Do not edit exported policy files. Importing the edited policy files can cause a manager to report conflicts such as non-existent or invalid modules, checks, templates, or word lists.

Importing a policy

To import a policy, use the import format and type the required values and options in a Policy tool command. For example, to import the Phase 1 policy on the GS0200 manager, type the following:

policytool import gs0200 "Security Officer" my2pass+ phase1.xml

When you import a policy to a manager, the Policy tool checks for the policy name on the destination manager. If the Policy tool finds the policy name, the Policy tool prompts for a decision to overwrite the policy. If you type Yes, the Policy tool overwrites the policy on the manager. If you include the -y option in an import command, the Policy tool writes the policy on the destination manager without prompting for a decision.

Symantec ESM does not keep multiple copies of policies with the same name on a single manager. If different users import the same policy on the same manager, the last version of the policy overwrites all previous versions.

Using the GUI components

To display conflicts by using GUI components while you export or import the policies, use the -gui option with an export or an import Policy tool command. For example, to have GUI components report detected conflicts while exporting the policy in Example 2, type the following:

policytool export gs0100 "Security Officer" my1pass+ phase1.xml "Phase 1" -gui

To import the policy in Example 3 using GUI components to display detected conflicts, type the following:

policytool import gs0200 "Security Officer" my2pass+ phase1.xml -gui

Suppressing conflicts

To suppress conflict reporting while you export or import the policies, use the -y option in the Policy tool. For example, to suppress detected conflicts while exporting the Phase 1 policy, add the following command to a batch file:

policytool export gs0100 "Security Officer" my1pass+ phase1.xml "Phase 1" -y

To import the policy in Example 3 while suppressing detected conflicts in the GS0200 manager, type the following:

policytool import gs0200 "Security Officer" my2pass+ phase1.xml -y

Using another directory

The Policy tool exports policy files to the current directory by default. To export policy files to another directory on the computer, specify the full path of the directory. For example, to export the policy in Example 2 to the C:\Export directory on the GS0100 manager, type the following:

policytool export gs0100 "Security Officer" my1pass+ "c:\export\phase1.xml" "Phase 1"

To import the policy that is exported in this example to the C:\Import directory on the GS0200 manager, type the following:

policytool import gs0200 "Security Officer" my2pass+ "c:\import\phase1.xml"

Using an archive

To minimize the demands on network resources and the size of the exported policy files on the computer, use the -z option with the export or the import command. This option compresses the .xml file into a .zip file. For example, to export the policy in Example 2 as a zip file, type the following:

policytool export gs0100 "Security Officer" my1pass+ phase1.zip "Phase 1" -z

To import the policy that is exported in this example to the GS0200 manager as a zip file, type the following:

policytool import gs0200 "Security Officer" my2pass+ phase1.zip -z

Using a different TCP port

To connect to a manager on a Windows computer through a different TCP port, use the -p option followed by the TCP port number. For example, to export the policy in Example 2 using TCP port 3812, type the following:

policytool export gs0100 "Security Officer" my1pass+ phase1.xml "Phase 1" -p 3812

To import the policy that is exported in this example to the GS0200 manager using TCP port 3812, type the following:

policytool import gs0200 "Security Officer" my2pass+ phase1.xml -p 3812

About the Policy tool logs

You can modify the logging level of the ESM Policy tool by editing the parameters of the logging.properties file. For Windows, the logging.properties file is located under the Utilities folder if you have installed Utilities, or under the Console folder if you have installed Console. For UNIX, the logging.properties file is located in the /esm/bin folder.
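The export and import commands shown in the examples above, combined into one unattended replication job. This is an added example, not Symantec's code and not part of the Policy tool: it only builds policytool command lines in the formats the guide gives and runs them. The manager names gs0100, gs0200 and gs0300, the archive file name, and the ESM_PASSWORD environment variable are assumptions of the example.

```python
"""Replicate one policy from a source manager to other managers with policytool.

Added example, not Symantec's code. It builds argument lists in the export and
import formats the guide gives (values first, options last; -gui, -n and -y
mutually exclusive; -z paired with a .zip file name) and runs them without a
shell, so a policy name such as "Phase 1" needs no quoting. Manager names, the
account and the archive name are constructed; reading the password from the
ESM_PASSWORD environment variable is an assumption of this example.
"""
import os
import subprocess

# Conflict handling: at most one of the three mutually exclusive options
CONFLICT_OPTIONS = {"prompt": [], "gui": ["-gui"], "never": ["-n"], "always": ["-y"]}


def _options(conflicts, port, zipped):
    """Trailing options, in the position the guide requires (after all values)."""
    if conflicts not in CONFLICT_OPTIONS:
        raise ValueError("conflicts must be one of: " + ", ".join(CONFLICT_OPTIONS))
    opts = list(CONFLICT_OPTIONS[conflicts])
    if port is not None:
        opts += ["-p", str(port)]   # manager TCP port; the tool defaults to 5600
    if zipped:
        opts.append("-z")           # policy, templates and word files as one archive
    return opts


def export_argv(manager, user, password, file_name, policy_name,
                conflicts="prompt", port=None, zipped=False):
    """policytool export <manager_name> <user_name> <password> <file_name> <policy_name> [options]"""
    if zipped != file_name.lower().endswith(".zip"):
        raise ValueError("use a .zip file name exactly when -z is given")
    return (["policytool", "export", manager, user, password, file_name, policy_name]
            + _options(conflicts, port, zipped))


def import_argv(manager, user, password, file_name,
                conflicts="prompt", port=None, zipped=False):
    """policytool import <manager_name> <user_name> <password> <file_name> [options]"""
    if zipped != file_name.lower().endswith(".zip"):
        raise ValueError("use a .zip file name exactly when -z is given")
    return (["policytool", "import", manager, user, password, file_name]
            + _options(conflicts, port, zipped))


def _run(argv):
    """Run policytool from its install directory. argv is a list, so no shell
    re-parses the password or the policy name. The tool accepts the password
    only as an argument, so it is visible in the process list while it runs."""
    subprocess.run(argv, check=True)


def replicate(policy_name, source, targets, user, password, port=None, run=_run):
    """Export policy_name from source, then import it to every target. Both
    steps use -y because an unattended job cannot answer the overwrite prompt;
    as the guide notes, the last import of a policy name replaces earlier
    copies on that manager. Returns the targets whose import failed."""
    archive = policy_name.lower().replace(" ", "_") + ".zip"
    run(export_argv(source, user, password, archive, policy_name, "always", port, True))
    failed = []
    for target in targets:
        try:
            run(import_argv(target, user, password, archive, "always", port, True))
        except subprocess.CalledProcessError:
            failed.append(target)   # keep going; report the failures at the end
    return failed


if __name__ == "__main__":
    pw = os.environ["ESM_PASSWORD"]   # assumed: keeps the password out of the batch file
    print("failed:", replicate("Phase 1", "gs0100", ["gs0200", "gs0300"], "Security Officer", pw))
```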

The log level is set to ALL for the log file and INFO for the console. You can have detailed logs by modifying the ESM-specific logging.properties file and setting the required logging level. The different log levels are:

SEVERE
WARNING
INFO
CONFIG
FINE
FINER
FINEST

where SEVERE is the highest level and FINEST is the lowest level.

To modify the log levels, you can do either of the following:

- For files, edit java.util.logging.FileHandler.level
- For the console, edit java.util.logging.ConsoleHandler.level

The log file will be generated at the following locations:

UNIX: The log file will be generated at the #esm/bin/ location.

Windows: If you use the Policy tool from the Utilities, then the log will be generated in ESMPolicyTool.log under the Symantec ESM Enterprise Utilities folder, and it will refer to the logging.properties file from the same folder. If you use the policy backup, policy replication, or replicate policy feature of the console, then the log will be generated in ESMPolicyTool.log under the Symantec ESM Enterprise Console directory, and it will refer to the logging.properties file under the same folder.

About the Assign New Permission utility

The Assign New Permission utility is a command-line utility. Use the utility to assign the "Manage read-only policies" permission to the ESM superuser account on the ESM or earlier managers on Windows or Solaris. To mark a policy as read-only, to modify an existing read-only policy, or to initiate a policy replication operation, you must have the "Manage read-only policies" permission. For an ESM 10.0 manager, the "Manage read-only policies" permission is assigned to the ESM superuser by default during the installation or upgrade.

However, the ESM superuser account on the managers that have a version earlier than 10.0 does not have the "Manage read-only policies" permission by default. From the ESM console or CLI, you can modify the permissions of all ESM users except the ESM superuser. You can use the Assign New Permission utility to assign the "Manage read-only policies" permission to the superuser account on an ESM or earlier manager. The manager on which you want to assign the "Manage read-only policies" permission to the superuser can be on a local or a remote computer.

This is a Windows utility and can be run on any Windows computer, even one on which no ESM component is installed. Specify the password of the ESM superuser account within double quotation marks.

Using the Assign New Permission utility

You can assign the "Manage read-only policies" permission to the superuser account on an ESM manager that is installed on Windows or Solaris platforms. Run AssignNewPerm.exe to assign the new permission.

Note: You can use the utility to assign the "Manage read-only policies" permission to the superuser account only on an ESM or earlier manager.

Use the following format:

AssignNewPerm.exe [-ti] [-m manager] [-p port] [-P password]

The following options are available with the Assign New Permission utility:

-t   Use TCP as the network transport layer. TCP is used as the network transport layer by default.
-i   Use IPX as the network transport layer.
-m   Specify the name of the manager to connect to. By default, it is the local computer.
-p   Specify the port number. By default, the port number is 5600.
-P   Specify the superuser password within double quotation marks.

For example, type the following command to assign the "Manage read-only policies" permission on an ESM SP2 manager at a given IP address and port (the values were not preserved in this copy of the guide; supply your own):

AssignNewPerm.exe -t -m <ip_address> -p <port> -P "ESM123"

About the Change Agent Case utility

In your environment, it is probable that you have agents that follow various naming conventions, which may lead to inconsistency in the reports. The Change Agent Case utility lets you change the names of the agents that are registered to a specified manager to uppercase or lowercase letters. The Change Agent Case utility supports ESM 10.0 or later managers.

Note: Only a user with Write permissions on all domains can use the Change Agent Case utility.

The Change Agent Case utility is present at the following location on the manager:

<install dir>\bin\<platform>\

For Windows platforms, the utility name is ChangeAgentCase.exe. For UNIX platforms, the utility name is ChangeAgentCase.

Using the Change Agent Case utility

The Change Agent Case utility lets you change the names of the agents that are registered to a specified manager to uppercase or lowercase letters. Run ChangeAgentCase to rename the agents that are registered to a specified manager.

Use the following format:

ChangeAgentCase [-p port] [-U user name] [-P password] [-C agent case] -f [back up of CDB]

The following options are available with the Change Agent Case utility:

-U   Specify a user name that has Write permission on all domains.
-p   Specify the port number that you want the agent to use to communicate with the manager. By default, the port number is 5600.
-P   Specify the superuser password within double quotation marks.

-C   Specify the value for uppercase or lowercase letters for the agent name. Type a 0 for lowercase and a 1 for uppercase.
-f   Do not take any backup of the CDB files. By default, the utility takes a backup of the CDB files.

Note: The command changes the agent case for all the registered agents at the same time.

For new agent registrations, you need to configure the following parameter in the manager.conf file:

AGENT_CASE_SENSITIVITY   Specifies the case for the agent name. By default, the value for case-sensitivity is 0, which signifies lowercase. You can enter a 1 to specify uppercase and a 2 to specify no case-sensitivity.

The parameter for case-sensitivity is supported only on ESM 10.0 or later agents. For ESM or earlier agents, use the Rename Agent command.

See About the Rename agent command on page 223.

Note: You must update the domain that contains the agent after you rename the agent. Otherwise, you may see multiple entries of the agent in the Available Agent(s) list when you move the agent by using the Move Agent(s) wizard. You can see multiple entries of the agent if the agent is registered by using the Fully Qualified Domain Name (FQDN) or the Hostname.

About using the Database Conversion tool

The Database Conversion tool lets you transfer security data from the proprietary database of one or more managers to an external database. You can transfer security data to databases such as Microsoft Access, MSSQL, or ORACLE. The transfer includes information about the following:

- Agents
- Domains

- Managers
- Policy run messages
- Message suppressions
- Message corrections
- Policy run reports

To ensure that the external relational database contains current information, you can automate the data transfer process by scheduling the Database Conversion tool to run periodically.

Accessing the external database

Provide the Database Conversion tool with access to the external relational database by doing one of the following:

- While installing the Symantec ESM utilities on a Windows operating system, choose the setup options that install the default database and related ODBC drivers. This installs a default database in the .mdb native file format.
- After you install the utilities on a Windows operating system that has an ORACLE client, do the following to provide access to the ORACLE database: Use the ODBC Data Source Administrator to set up a data source name (DSN) for the ORACLE database. Change to the \ESM Utilities\ORACLE directory and use an SQL tool to run the create.sql script. This script creates the required database schema tables and procedures for the ORACLE database.
- After you install the utilities on a Windows operating system that has an MSSQL client, you can set up access to the MSSQL database by doing the following: Use the ODBC Data Source Administrator to set up a DSN for the MSSQL database. Change to the \ESM Utilities\MSSQL directory and use an SQL tool to run the create.sql script. This script creates the required database schema tables and procedures for the MSSQL database.
- After you install the Symantec ESM utilities on a UNIX operating system that has an ORACLE client, you can set up access to the ORACLE database by doing the following: Get an ORACLE JDBC driver from ORACLE by accessing their Web site. Use the conversion tool arguments jdbc.driver and jdbc.url instead of the jdbc.datasource argument. See the ORACLE JDBC driver documentation for information about the driver and URL. Change to the /ESM Utilities/ORACLE directory and use an SQL tool to run the create.sql script. This script creates the required database schema tables and procedures for the ORACLE database.

Note: When you communicate with a database on another host computer, configure the external relational database driver to encrypt communications to protect user names and passwords.

About the database file structure

The schema in Figure 9-1 depicts the relationships among the tables in the external relational database.

Figure 9-1 External relational database tables

The ID fields define the relationships in the database tables. For example, the value in the managerid field corresponds to a specific manager record in the manager table. The tables and keys in the database are set up to enable logical relationship queries. Table 9-1 lists the tables in the external relational database.

Table 9-1 External relational database tables

Table name             Summary of stored data
ESMAgent               Agent properties including name and operating system
ESMCheck               Security check properties including name, name list type, and description
ESMCheckNameValue      Relation table for the PolicyCheckStateID/NameValue one to many relationship
ESMCheckValue          Relation table for the PolicyCheckStateID/ValueTitle one to one relationship
ESMDomain              Domain properties including name and manager
ESMDomainAgent         Relation table for the Domain/Agent many to many relationship
ESMJobRun              Policy run properties including start time, finish time, status, and maximum errors
ESMJobRunCheckResult   Policy run results for each enabled check
ESMManager             Manager name
ESMMessage             Module message properties including title, level, update, and message text
ESMOSVer               Operating system description
ESMPolicy              Policy name
ESMPolicyCheck         Policy check properties including module name and operating system
ESMPolicyCheckState    Policy check enabled or disabled
ESMSuppression         Suppression properties including creator name and date, expiration date, enabled or disabled, and last used date

About the ESMAgent table

The ESMAgent table lists the properties of the agents. The OSVerID field relates the agents to their host operating systems.

Table 9-2 ESMAgent table

Field name   Type            Description
RecID        <auto-number>   Record ID
Agent Name   <text>          Agent host computer name
OSInfo       <text>          Agent host operating system
OSVerId      <text>          RecID in ESMOSVer table

About the ESMCheck table

The ESMCheck table lists the properties of the Symantec ESM security checks.

Table 9-3 ESMCheck table

Field name     Type            Description
RecID          <auto-number>   Record ID
Check Name     <text>          Check name
NameListType   <text>          Type of the name list that the check uses: User, File, Key, String, Template, Word, or None
Description    <text>          Text that describes the purpose of the check

About the ESMCheckNameValue table

The ESMCheckNameValue table lists the name list values that the security checks use.

Table 9-4 ESMCheckNameValue table

Field name            Type            Description
PolicyCheck-StateID   <auto-number>   Record ID

Table 9-4 ESMCheckNameValue table (continued)

Field name   Type       Description
Name Value   <text>     Name list values
Enabled      <number>   Enabled values: 0 Disabled or 1 Enabled
Enabled      <number>   Included values: 0 Excluded or 1 Included

About the ESMCheckValue table

The ESMCheckValue table lists the variable values that the security checks use.

Table 9-5 ESMCheckValue table

Field name            Type            Description
PolicyCheck-StateID   <auto-number>   Record ID
ValueTitle            <text>          Title of the variable in the check
CheckValue            <number>        Current setting of the variable that is in the check

About the ESMDomain table

The ESMDomain table lists the Symantec ESM domain names. The managerid field relates the domains to their managers.

Table 9-6 ESMDomain table

Field name            Type            Description
PolicyCheck-StateID   <auto-number>   Record ID
Domain Name           <text>          Domain name
Manager Id            <number>        RecID in ESMManager table

About the ESMDomainAgent table

The ESMDomainAgent table relates entries in the ESMAgent table to entries in the ESMDomain table. This relationship allows a single agent record to be associated with many domain records.

Table 9-7 ESMDomainAgent table

Field name   Type       Description
Agent Id     <number>   RecID from ESMAgent table
Domain Id    <number>   RecID from ESMDomain table

About the ESMID table

The ESMID table lists the database tables and the last record ID that is in each table.

Table 9-8 ESMID table

Field name   Type       Description
Table Name   <text>     The database table name
LastId       <number>   Last record ID from the table

About the ESMJobRun table

The ESMJobRun table lists the properties of the policy runs.

Table 9-9 ESMJobRun table

Field name      Type            Description
RecID           <auto-number>   Record ID
StartTime       <number>        Start date and time of policy run
FinishTime      <number>        Finish date and time of policy run
Status          <text>          Status of policy run including error, running, complete, or partial
MaxErrors       <number>        Maximum number of error messages that a policy run can report
ResultMessage   <text>          Policy run message text
JobID           <number>        JobRunID from ESMJobRunCheckResult table
DomainID        <number>        RecID from ESMDomain table
PolicyID        <number>        RecID from ESMPolicy table

About the ESMJobRunCheckResults table

The ESMJobRunCheckResults table lists the messages from the policy runs on the agents.

Table 9-10 ESMJobRunCheckResults table

Field name      Type       Description
AgentID         <number>   RecID from ESMAgent table
JobRunID        <number>   RecID from ESMJobRun table
PolicyCheckID   <number>   RecID from ESMPolicyCheck table
MessageID       <number>   RecID from ESMMessage table
ResultState     <text>     Status of the policy run; either scheduled, error, running, or complete
NameValue       <text>     Source of the policy run message; either agent, module, or check name
Information     <text>     Policy run date and time, or the message text that describes the problem or the policy infraction

About the ESMManager table

The ESMManager table lists the names of the manager host systems.

Table 9-11 ESMManager table

Field name    Type            Description
Record ID     <auto-number>   Record ID
ManagerName   <text>          Manager host computer name

About the ESMMessage table

The ESMMessage table lists the properties of the Symantec ESM messages.

Table 9-12 ESMMessage table

Field name   Type       Description
RecID        <number>   Number that is based on the message sequence in the .m file
Title        <text>     Message title

Table 9-12 ESMMessage table (continued)

Field name      Type       Description
MsgLevel        <number>   Message level; either 0 Green, 1 Yellow, or 2 Red
UpdateCorrect   <text>     Actions in messages that change host systems, snapshots, or templates; either correctable, updateable, or none
FullText        <text>     Explains the problem or the policy infraction, why the infraction is a security risk, and the actions that are required to implement a remedy

About the ESMOSVer table

The ESMOSVer table lists the type of operating system on which the agent is installed.

Table 9-13 ESMOSVer table

Field name    Type            Description
Record ID     <auto-number>   Record ID
Description   <text>          Operating system type

About the ESMPolicy table

The ESMPolicy table lists the properties of the policies.

Table 9-14 ESMPolicy table

Field name   Type            Description
RecID        <auto-number>   Record ID
PolicyName   <text>          Policy title
ManagerID    <number>        RecID in ESMManager table

About the ESMPolicyCheck table

The ESMPolicyCheck table lists the properties of the modules in the policies.

299 Using the Symantec ESM utilities About using the Database Conversion tool 299 Table 9-15 Field name RecID PolicyID ESMPolicyCheck table Type <auto-number> <text> Description Record ID RecID from ESMPolicy table ModuleShort-Name ModuleName OSVerID <text> <text> <text> Abbreviated module name Module name RecID in ESMOSVer table About the ESMPolicyCheckState table The ESMPolicyCheckState table relates entries in the ESMCheck table to entries in the ESMPolicyCheck table. The CheckID field relates the security checks to their modules and policies. Table 9-16 ESMPolicyCheckState table Field name RecID CheckID PolicyCheckID Enabled Type <auto-number> <text> <text> <text> Description Record ID RecID from ESMCheck table RecID from ESMPolicyCheck table Check states; either 0 Disabled or 1 Enabled About the ESMSuppression table The ESMSuppression table stores the properties of the Symantec ESM suppressions. The PolicyCheckID and Message ID fields relate the suppressions to their policies and messages. Table 9-17 Field name PolicyCheckID MessageID IgnoreMessage ESMSuppression table Type <text> <text> <number> Description RecID from ESMPolicyCheck table RecID from ESMMessage table Suppression must explicitly match wildcard states: 0 Disabled or 1 Enabled

300 300 Using the Symantec ESM utilities About using the Database Conversion tool Table 9-17 ESMSuppression table (continued) Field name Agent-Expression Name-Expression Creator Name Expiration Date CreationDate LastUsed Enabled InfoExpression Annotation Type <text> <text> <text> <number> <number> <number> <number> <text> <text> Description Suppression matches wildcard agent name Suppression matches wildcard agent name and module name Manager account that is used to create a suppression Date and time of suppression expiration Date and time of suppression creation Date and time of last suppression use Suppression states; either 0 Disabled or 1Enabled Text of the security message that an agent reports. Suppression comments Prerequisites for using the Database Conversion tool Complete the following prerequisites: Access rights To convert a Symantec ESM manager database:, do the following: Obtain access to an account on the manager that has the View access rights for all domains, all policies, and all templates. Obtain access to an account with privileges to modify the external relational database. JDBC Driver Classes If you use JDBC to connect to an ORACLE database, verify that the JDBC driver classes are in the classpath.

Vendor information
    If you use an external relational database other than ODBC, get the following information from the vendor of the destination database:
    JDBC driver
    Driver class name
    URL convention
    For more information, see the documentation that the JDBC driver vendor provides, together with the information about the jdbc.driver and jdbc.url parameters.

Windows ODBC Data Source Administrator
    If you use an ODBC compliant external relational database, use the ODBC Data Source Administrator to choose the ODBC driver and the ESMSchema.mdb database during the installation of the Symantec ESM utilities. See the Symantec Enterprise Security Manager Installation Guide for more information.

Accessing the Database Conversion tool

Access the Database Conversion tool as follows:

On Windows
    At the command prompt, change to the directory that contains the Database Conversion tool. The tool installs in the C:\Program Files\Symantec\Enterprise Security Manager\Symantec ESM Enterprise Utilities directory by default.

On UNIX
    At the command prompt, change to the directory that contains the Database Conversion tool. The tool installs in the esm/bin directory by default.

Formatting the Database Conversion tool

Apply these formatting rules when entering a Database Conversion tool command:

Use the same formats on Windows or UNIX systems.
Type dbconvert as one word.
To convert a Symantec ESM manager database, use the following format:

    dbconvert [-propfile=<file_name>] [-D<property>=<value>]

A -D option must precede each property entry.
To access help for a Database Conversion tool command, use the following format:

    dbconvert [-help]

About the options for the Database Conversion tool

The following options are associated with the Database Conversion tool:

-propfile  Specifies a property file that contains the required parameters and values.
-D         Specifies a single parameter and value.
-help      Lists formats and other information.

Creating a property file for the Database Conversion tool

Property files let you type Database Conversion tool commands with a minimum of time and effort. You can create several property files. However, you can include only one property file in each Database Conversion tool command. To override a value in a property file, include a -D option and specify the appropriate parameter and value in the Database Conversion tool command. If you restrict access to a property file, no one else can use the file.

Note: Do not use quotes in property file entries. For example, if you type esm.managers="gs0100 gs0200", the Database Conversion tool does not connect with managers gs0100 and gs0200. Instead, it attempts to connect with a manager named "gs0100 gs0200". Also, do not use quotes when specifying user names and passwords.

The following are sample property files:

ODBC compliant database

This sample property file contains the parameters and values that are needed to export data from managers GS0100 and GS0200 to the ESMReports ODBC database. The following is the format:

    esm.managers=gs0100 gs0200
    gs0100.user=security officer
    gs0100.password=my1pass+
    gs0200.user=security officer
    gs0200.password=my2pass+
    jdbc.datasource=esmreports

ORACLE

This sample property file contains the parameters and values that are needed to export data from managers GS0300 and GS0400 to an ORACLE database. The following is the format:

    esm.managers=gs0300 gs0400
    gs0300.user=security officer
    gs0300.password=my3pass+
    gs0400.user=security officer
    gs0400.password=my4pass+
    jdbc.driver=oracle.jdbc.driver.OracleDriver
    jdbc.user=user1453
    jdbc.password=secret7

Note: You can use either a plain text password or an encrypted password in the property file for the Database Conversion tool.

To create a Database Conversion tool property file
1 Use any text editor to create the ASCII plain-text property file.
2 Type one parameter and its value per line in the file.
3 Save the property file in the directory that contains the Database Conversion tool.
4 Use any text file extension (for example, property.txt).

Using an encrypted password for the Database Conversion tool

You can use encrypted passwords for the Database Conversion tool. You must use the property encryption.enable. You can pass the encryption.enable property on the command line to DBConvert. For example:

    DBConvert -Dencryption.enable=true

You can also pass the encryption.enable property in a property file. When encryption.enable is in a property file, you can also add the property to the same command line. For example:

    encryption.enable=true

To display the help for the DBConvert encryption feature, use the -help command-line argument together with the encryption.enable property. For example:

    DBConvert -Dencryption.enable=true -help

If you use the JVM that was provided with the ESM SP2 utilities (version 1.5.0_09), make sure that the following files exist:

    <Your Symantec ESM Enterprise Utilities>\_jvm\lib\ext\sunjce_provider.jar
    <Your Symantec ESM Enterprise Utilities>\_jvm\lib\security\java.security
    <Your Symantec ESM Enterprise Utilities>\_jvm\lib\security\local_policy.jar
    <Your Symantec ESM Enterprise Utilities>\_jvm\lib\security\US_export_policy.jar

If you use your own JVM with version 1.4.x, 1.5.x, or 1.6.x, you must have the following files:

    <Your run time jre installed directory>\lib\ext\sunjce_provider.jar
    <Your run time jre installed directory>\lib\security\java.security
    <Your run time jre installed directory>\lib\security\local_policy.jar
    <Your run time jre installed directory>\lib\security\US_export_policy.jar

To use an encrypted password for the Database Conversion tool
1 Create an authorization file by using the command-line option -create_authorization. For example:

    DBConvert -Dencryption.enable=true -create_authorization

  The Database Conversion tool displays the following options that you can use:
  1 Create a new authorization file. See Creating a new authorization file.
  2 Modify an authorization file. See Modifying an authorization file.
  3 Display an existing authorization file. See Displaying an existing authorization file.
  4 Exit.
2 Use the authorization file for the Database Conversion tool to connect to the managers. To use the database connections that were stored in the authorization file, enter the following command:

    DBConvert -Dencryption.enable=true -authorization=<authorization-file> -propfile=<property-file> -D<some-other-property>

  In this command, the encryption.enable property, like any other property, can instead be specified in the property file.

Creating a new authorization file
1 Enter the name of the manager from which you want to copy the database information.
2 Enter the user name to connect to the specified manager.
3 Enter and confirm the password for the user name that you have specified.
4 Repeat steps 1-3 if you want to specify another manager. If you do not want to specify another manager, press Enter.
5 Enter the user name for the JDBC connection.
6 Enter and confirm the password for the JDBC connection.
7 Enter the authorization file name to save the properties.

Modifying an authorization file
1 Enter the name of the authorization file that you want to modify.
2 Enter the name of the manager from which you want to copy the database information.
3 Enter the user name to connect to the specified manager.
4 Enter and confirm the password for the user name that you have specified.
5 Repeat steps 1-4 if you want to specify another manager. If you do not want to specify another manager, press Enter.
6 Enter the user name for the JDBC connection.
7 Enter and confirm the password for the JDBC connection.
8 Type Y if you want to save the changes.

Displaying an existing authorization file
Enter the name of the authorization file that you want to view.

About the parameters for the Database Conversion tool

The Database Conversion tool uses specific parameters and values to access managers, extract their information, and convert the results for an external relational database. Type all parameters, both mandatory and optional, and their related values on the same line at the command prompt. Table 9-18 lists the Database Conversion tool parameters and their related values.

Table 9-18 Database Conversion tool parameters and values

esm.managers (Mandatory entry; one per Database Conversion tool command)
    This value specifies the name of a manager. To include more than one manager, separate the manager names with spaces.

<manager_name>.user (Mandatory entry; one per manager)
    This value specifies a user account with rights to read information on the manager. If you include more than one manager, you must type a separate user account entry for each manager.

<manager_name>.password (Mandatory entry; one per manager)
    This value specifies the password of the user account on the specified manager. If you include more than one manager, you must type a password entry for each manager.

jdbc.datasource (Mandatory when using the Windows ODBC Data Source Administrator; one entry per Database Conversion tool command)
    This value specifies the data source name. For example, if you use the Windows ODBC Data Source Administrator to select the ESMReports database, type ESMReports.

jdbc.driver (Mandatory when not using the Windows ODBC Data Source Administrator; one entry per Database Conversion tool command)
    If you do not use the Windows ODBC Data Source Administrator to select the Reports database, download the JDBC driver for the destination database from the vendor's Web site. For example, if you use ORACLE, access the Oracle Web site, find the JDBC driver, and download it to the host computer. Save the driver in the same directory as the dbconvert.jar file. In the vendor documentation, find the class name for the downloaded driver. The class name is the value of this parameter; it is case-sensitive.

jdbc.url (Mandatory when not using the Windows ODBC Data Source Administrator; one entry per Database Conversion tool command)
    This parameter specifies the location of the destination database for the Database Conversion tool. If you are not using the Windows ODBC Data Source Administrator, see the documentation on the database vendor's Web site. For example, when using ORACLE, go to the Oracle Web site. In the documentation for the JDBC driver, find the URL convention that locates the database. Follow the convention exactly. The value of this parameter is case-sensitive.

jdbc.user (Mandatory for a password enabled database; one entry per Database Conversion tool command)
    This value specifies the name of the user account with rights to modify the destination database.

jdbc.password (Mandatory for a password enabled database; one entry per Database Conversion tool command)
    This value specifies the password of the user account on the destination database.

dbconvert.rawreports (Optional entry; one per Database Conversion tool command)
    This value is set to true by default. If true, the Database Conversion tool exports the raw report details for each policy run, including the file and associated properties, permissions, and other miscellaneous data. If false, the Database Conversion tool disables raw report functionality.

dbconvert.jobsummary <count> (Optional entry; dbconvert.jobsummary, dbconvert.jobnumber, and dbconvert.allrecentjobs are mutually exclusive)
    This value specifies the number of summary jobs for the Database Conversion tool to export. Type a positive integer to select that number of current summary jobs. For example, type 10 to export the 10 most recent summary jobs.

dbconvert.jobnumber (Optional entry; dbconvert.jobsummary, dbconvert.jobnumber, and dbconvert.allrecentjobs are mutually exclusive)
    The Database Conversion tool can export a single policy run. Type 0 for the most current policy run. Type -1 for the first previous policy run, -2 for the second previous policy run, and so forth. Type a positive integer to select a specific policy run. For example, type 81 to specify policy run number 81.

dbconvert.allrecentjobs (Optional entry; dbconvert.jobsummary, dbconvert.jobnumber, and dbconvert.allrecentjobs are mutually exclusive)
    This value is set to false by default. If true, the Database Conversion tool exports all policy runs that occurred subsequent to the last database conversion.

<manager_name>.port (Optional entry; one per Database Conversion tool command; the default is 5600)
    This value specifies the TCP port number that is used to contact the manager. If you select more than one manager, and the managers use different port numbers, you must specify the TCP port number for each manager. Separate TCP port numbers with spaces.

dbconvert.since
    If present, this property lets you configure the date from which policy runs are to be converted. The expected date format is mm/dd/yyyy. For example: dbconvert.since=02/18/2009

dbconvert.policies
    This value is set to true by default. If true, policy details are converted. If false, the policy conversion phase is disabled.

dbconvert.suppressions
    This value is set to true by default. If true, suppressions are converted. If false, suppression conversion functionality is disabled.

dbconvert.refreshmessages
    This value is set to false by default. If true, old messages are updated. If false, only new messages are added.

dbconvert.rawreports.any
    This value is set to false by default. If true, raw report details are converted for each policy run from those agents that are available, even if the overall status of the policy run has failed. If false, raw reports for failed policy runs are disabled.

Examples of using the Database Conversion tool

The following examples are provided for using the Database Conversion tool:
Displaying help
Converting to an ODBC database
Converting to an ORACLE database
Converting two manager databases
Using a property file

Overriding a property file
Limiting policy runs
Scheduling periodic updates

Displaying help

To display help for the Database Conversion tool, type the following Database Conversion tool command:

    dbconvert -help

Note: The Database Conversion tool prompts for the user password if you do not specify the password at the command prompt or in the property file.

Converting to an ODBC database

To convert the data in a manager database to an ODBC compliant database using -D options, type the options, properties, and values in a Database Conversion tool command. For example, to convert the data in the GS0100 manager database, type the following:

    dbconvert -Desm.managers=gs0100 -Dgs0100.user="Security Officer" -Dgs0100.password=my1pass+ -Djdbc.datasource=esmreports

Converting to an ORACLE database

To convert the data in a manager database to an ORACLE database using -D options, type the options, properties, and values in a Database Conversion tool command. For example, to convert the data in the GS0100 manager database using the following values, type the command that follows:

    Security Officer account
    my1pass+ password
    The native ORACLE JDBC database driver
    JDBC URL
    user1453 JDBC account
    secret7 JDBC password

The following is an example:

    dbconvert -Desm.managers=gs0100 -Dgs0100.user="Security Officer" -Dgs0100.password=my1pass+ -Djdbc.driver=oracle.jdbc.driver.OracleDriver -Djdbc.user=user1453 -Djdbc.password=secret7

Converting two manager databases

To convert the data in two manager databases to an ORACLE database using a single Database Conversion tool command, type the options, properties, and values for each manager in that command. For example, to convert the data in the GS0100 and GS0200 manager databases using the following values, type the command that follows:

    Security Officer accounts
    my1pass+ and my2pass+ passwords
    The native ORACLE JDBC database driver
    JDBC URL
    user1453 JDBC account
    secret7 JDBC password

The following is an example:

    dbconvert -Desm.managers="gs0100 gs0200" -Dgs0100.user="Security Officer" -Dgs0100.password=my1pass+ -Dgs0200.user="Security Officer" -Dgs0200.password=my2pass+ -Djdbc.driver=oracle.jdbc.driver.OracleDriver -Djdbc.url=jdbc:oracle:thin:@GS0500:1521:REPORTS -Djdbc.user=user1453 -Djdbc.password=secret7

Using a property file

You can use a property file to convert the data in two manager databases to an ORACLE database.

To convert the data in two manager databases to an ORACLE database using a property file
1 Create the property file using any ASCII text editor. Type the options, properties, and values for each manager in the file.
2 Type a -propfile option to identify the property file in a Database Conversion tool command at the command prompt.

For example, to create a property file containing the data that is required to convert the GS0300 and GS0400 manager databases to an ORACLE database, type the following values in the text file:

    Security Officer accounts
    Their my3pass+ and my4pass+ passwords
    The native ORACLE JDBC database driver
    JDBC URL
    user1453 JDBC account
    secret7 JDBC password

The following is an example:

    esm.managers=gs0300 gs0400
    gs0300.user=security officer
    gs0300.password=my3pass+
    gs0400.user=security officer
    gs0400.password=my4pass+
    jdbc.driver=oracle.jdbc.driver.OracleDriver
    jdbc.url=jdbc:oracle:thin:@GS0500:1521:REPORTS
    jdbc.user=user1453
    jdbc.password=secret7

Save the property file as property1.txt in the C:\Program Files\Symantec\Enterprise Security Manager\Symantec ESM Enterprise Utilities directory. Then convert the data in the GS0300 and GS0400 manager databases by typing the following:

    dbconvert -propfile=property1.txt

Note: The Oracle JDBC driver that came with classes12.zip has been deprecated with Oracle 11g. The newer Oracle JDBC drivers, such as ojdbc5.jar or ojdbc6.jar, use a different class. With those drivers, replace the jdbc.driver property with jdbc.driver=oracle.jdbc.OracleDriver.

Overriding a property file

To convert the data in only one of the manager databases that are specified in a property file, type a Database Conversion tool command that contains a -propfile option together with an overriding -D option.

For example, to create a property file containing the values that are required to convert the GS0300 and GS0400 manager databases to an ODBC compliant database, type the following values in a properties text file:

    Security Officer accounts
    Their my3pass+ and my4pass+ passwords
    ESMReports user data source

The following is an example:

    esm.managers=gs0300 gs0400
    gs0300.user=security officer
    gs0300.password=my3pass+
    gs0400.user=security officer
    gs0400.password=my4pass+
    jdbc.datasource=esmreports

Save the property file as property2.txt in the C:\Program Files\Symantec\Enterprise Security Manager\Symantec ESM Enterprise Utilities directory. You can convert only the data in the GS0300 manager database by typing the following:

    dbconvert -propfile=property2.txt -Desm.managers=gs0300

Limiting policy runs

You can reduce the workload of the ORACLE database by converting only the policy runs that occurred subsequent to the last manager database conversion. For example, if the ORACLE database has not been updated with the last three policy runs on manager GS0300 and the last five policy runs on manager GS0400, you can convert these policy runs by adding the following property to the property file:

    dbconvert.allrecentjobs=true

Save the revised property file as property3.txt in the C:\Program Files\Symantec\Enterprise Security Manager\Symantec ESM Enterprise Utilities directory. Then convert the eight policy runs in the GS0300 and GS0400 manager databases without checking all of the other policy runs by typing the following:

    dbconvert -propfile=property3.txt
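As an added example (not part of the Symantec ESM utilities), the following Python code reads a property file the way the tool does, applies -D overrides on top of it, and checks the result against the requirements in Table 9-18 and the quoting rule in the Note above; the property file it carries is constructed from the ODBC sample above, and the comment-line handling and the dbconvert.jobsummary=<count> form are this example's assumptions.

```python
"""Checks a dbconvert property set against the rules given on this page.
Added example, not part of the Symantec ESM utilities. The parsing rules (one
parameter=value per line, quotes kept literally, a -D option overriding the
property file) and the requirements follow the text and Table 9-18; the function
names, the messages and the comment-line handling are this example's own, and
dbconvert.jobsummary is assumed to take its count as the property value."""
import re
from datetime import datetime

DEFAULT_PORT = "5600"      # <manager_name>.port default from Table 9-18
JOB_SELECTORS = ("dbconvert.jobsummary", "dbconvert.jobnumber",
                 "dbconvert.allrecentjobs")           # mutually exclusive
BOOLEAN_KEYS = ("dbconvert.rawreports", "dbconvert.allrecentjobs",
                "dbconvert.policies", "dbconvert.suppressions",
                "dbconvert.refreshmessages", "dbconvert.rawreports.any",
                "encryption.enable")

# Constructed sample, following the ODBC property file shown above.
ODBC_SAMPLE = """esm.managers=gs0100 gs0200
gs0100.user=security officer
gs0100.password=my1pass+
gs0200.user=security officer
gs0200.password=my2pass+
jdbc.datasource=esmreports
"""


def parse_property_file(text):
    """One parameter=value entry per line, value kept exactly as typed:
    quotes are not stripped because the tool takes them literally."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):     # comment lines: assumption
            continue
        if "=" not in line:
            raise ValueError("not a parameter=value entry: %r" % line)
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def merge_options(propfile_props, d_options):
    """Apply -D<property>=<value> options (as handed over by the shell, so
    shell quotes are already gone) on top of the property-file entries."""
    effective = dict(propfile_props)
    for opt in d_options:
        if not opt.startswith("-D") or "=" not in opt:
            raise ValueError("expected -D<property>=<value>, got %r" % opt)
        key, value = opt[2:].split("=", 1)
        effective[key] = value
    return effective


def validate(props):
    """Return the problems found; an empty list means the set is usable."""
    problems = []
    managers = props.get("esm.managers", "").split()
    if not managers:
        problems.append("esm.managers is mandatory")
    for m in managers:
        if '"' in m or "'" in m:
            problems.append("manager name %s contains a quote character; "
                            "quotes in a property file are taken literally" % m)
        for suffix in ("user", "password"):
            if "%s.%s" % (m, suffix) not in props:
                problems.append("%s.%s is mandatory for manager %s" % (m, suffix, m))
        ports = props.get("%s.port" % m, DEFAULT_PORT).split()
        if not all(p.isdigit() and 0 < int(p) < 65536 for p in ports):
            problems.append("%s.port must hold TCP port numbers" % m)
    # Destination: an ODBC data source name, or a JDBC driver class plus URL.
    if "jdbc.datasource" not in props:
        for key in ("jdbc.driver", "jdbc.url"):
            if key not in props:
                problems.append("%s is mandatory when jdbc.datasource is not used" % key)
    chosen = [k for k in JOB_SELECTORS if k in props]
    if len(chosen) > 1:
        problems.append("mutually exclusive: " + ", ".join(chosen))
    if "dbconvert.jobnumber" in props and \
            not re.fullmatch(r"-?\d+", props["dbconvert.jobnumber"]):
        problems.append("dbconvert.jobnumber must be 0, a negative offset or a run number")
    if "dbconvert.since" in props:
        try:
            datetime.strptime(props["dbconvert.since"], "%m/%d/%Y")
        except ValueError:
            problems.append("dbconvert.since must use the mm/dd/yyyy format")
    for key in BOOLEAN_KEYS:
        if key in props and props[key] not in ("true", "false"):
            problems.append("%s must be true or false" % key)
    return problems


def plaintext_passwords(props):
    """Names of *.password entries that are held in plain text, i.e. used
    without encryption.enable=true (see the encrypted password section)."""
    if props.get("encryption.enable") == "true":
        return []
    return sorted(k for k in props if k.endswith(".password"))
```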

Scheduling periodic updates

To ensure that the external relational database contains current information from the managers, automate the data conversion process by scheduling the Database Conversion tool to run periodically. Use the following process to schedule the Database Conversion tool to run periodically:

On UNIX
    For example, to run the Database Conversion tool at 2:00 a.m. each day using the property file in Example 5, create the myscript crontab file by typing the following:

        #Run at 2 AM every morning
        0 2 * * * /esm/myscript

    where /esm/myscript runs the tool and writes its output, including error output, to the log file:

        /esm/bin/dbconvert -propfile /esm/property1.txt > /esm/dbconvert.log 2>&1

    Cron runs the crontab file automatically at the specified time.

On Windows
    To run the Database Conversion tool at 12:00 a.m. each day using the property file, create a batch file and run it with the Windows AT command. The batch file only updates the database for the gs0300 manager. To create the batch file, type the following:

        SET PATH=%PATH%;"C:\Program Files\Symantec\Enterprise Security Manager\Symantec ESM Enterprise Utilities";"C:\Program Files\JavaSoft\JRE\1.3.0_02\bin"
        cd "\Program Files\Symantec\Enterprise Security Manager\Symantec ESM Enterprise Utilities"
        dbconvert -propfile=property2.txt -Desm.managers=gs0300

    Save the batch file as dbconvt1.bat in the ESM Utilities directory. To run the batch file, type the following AT command:

        at 00:00 /every:M,T,W,Th,F,S,Su "C:\Program Files\Symantec\Enterprise Security Manager\Symantec ESM Enterprise Utilities\dbconvt1"

View security data in the drill-down mode

In the drill-down mode, the chart displays the security level and rating of the objects directly below the selected object. For example, if the agent is selected in the tree, the chart depicts the security level and rating for the policies below that agent. You can click on the chart to drill down to the next level. For example, clicking on the manager drill-down chart displays the domains drill-down chart.

In the drill-down mode, the chart helps you see which objects need the most attention. As a rule of thumb, red objects pose the greatest threat and should be addressed first. You can then correct the yellow objects. See Using the drill-down mode on page 180.


Appendix A
Finalizer log file

This appendix includes the following topics:
About the Finalizer log file

About the Finalizer log file

The Finalizer log file provides summary information about policy runs. Third-party developers can use the log file as a source of agent, module, and policy information for integration into other frameworks. The manager creates and updates the Finalizer log file each time a policy run completes.

Two record types are contained in the log file: agent records and module records. Agent records contain policy name, agent name, security score, and security level information. One or more module records follow each agent record. Module records contain the policy name, agent name, long module name, short module name, score, level, and the job ID.

The following are examples of log file records:

    AGENT~Phase 1~spiff~380~2
    MODULE~Phase 1~spiff~Account Integrity~100~1~6
    MODULE~Phase 1~spiff~Object Integrity~100~1~6
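The record layout above, parsed by added example code that is not part of Symantec ESM: it groups each AGENT record with the MODULE records that follow it and rejects malformed lines. The sample records are the ones shown above, and the handling of a missing short module name is this example's assumption.

```python
"""Parser for Finalizer log records, the AGENT/MODULE layout described above.
Added example for third-party integration, not Symantec code. Field order
follows the appendix text. The page's sample MODULE records carry six values
after the record type while the text lists seven, so this parser assumes
(assumption) that the short module name may be omitted and records it as None.
Records are assumed to be '~' separated with no escaping of the separator.
"""
from collections import namedtuple

AgentRecord = namedtuple("AgentRecord", "policy agent score level modules")
ModuleRecord = namedtuple("ModuleRecord",
                          "policy agent long_name short_name score level job_id")

SEPARATOR = "~"

# Constructed sample, copied from the records shown above.
SAMPLE_LOG = """AGENT~Phase 1~spiff~380~2
MODULE~Phase 1~spiff~Account Integrity~100~1~6
MODULE~Phase 1~spiff~Object Integrity~100~1~6
"""


def parse_finalizer_log(text):
    """Return the AGENT records in file order, each with the MODULE records
    that follow it attached. Malformed input raises ValueError with the
    line number, so a broken export is noticed rather than silently skipped."""
    agents = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(SEPARATOR)
        kind = parts[0]
        try:
            if kind == "AGENT":
                if len(parts) != 5:
                    raise ValueError("AGENT record needs 4 fields")
                policy, agent, score, level = parts[1:]
                agents.append(AgentRecord(policy, agent, int(score), int(level), []))
            elif kind == "MODULE":
                if not agents:
                    raise ValueError("MODULE record before any AGENT record")
                if len(parts) == 8:          # documented layout, 7 fields
                    policy, agent, long_name, short_name, score, level, job_id = parts[1:]
                elif len(parts) == 7:        # layout of the sample records (assumption)
                    policy, agent, long_name, score, level, job_id = parts[1:]
                    short_name = None
                else:
                    raise ValueError("MODULE record needs 6 or 7 fields")
                current = agents[-1]
                if (policy, agent) != (current.policy, current.agent):
                    raise ValueError("MODULE record does not match the preceding AGENT")
                current.modules.append(ModuleRecord(policy, agent, long_name, short_name,
                                                    int(score), int(level), int(job_id)))
            else:
                raise ValueError("unknown record type %r" % kind)
        except ValueError as exc:
            raise ValueError("line %d: %s" % (number, exc))
    return agents


def agents_at_or_above(agents, level):
    """(policy, agent, level) tuples for agents whose security level is at
    least `level`, highest level first, so the records needing attention lead."""
    hits = [(a.policy, a.agent, a.level) for a in agents if a.level >= level]
    return sorted(hits, key=lambda t: t[2], reverse=True)
```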


319 Appendix B Format file syntax for View custom command This appendix includes the following topics: Syntax rules Symantec ESM keywords Format file structure General directives Header definition directives Record definition directives Footer definition directives Syntax rules The following Syntax rules apply to the format file for the View custom command: a # indicates that the remainder of the line is a comment a. in the first column indicates a directive Blank lines are ignored Keywords are enclosed by leading and trailing % characters A width control may be optionally specified using a :. The sign following the width control character indicates the type of truncation. If the string is longer than the specified width, a positive truncates the end of the field and a negative truncates the beginning of the field.

320 320 Format file syntax for View custom command Symantec ESM keywords Note: It is recommended that you label the format files for the View custom command with a.vc file extension if you store them in the esm\format\<platform> folder or esm/format/<platform> directory with other format files. Symantec ESM keywords You can use the following keywords in a format file. Table B-1 Keyword adjusted_code agent am_pm century class code description esm_version hour info minute module month monthday name os platform policy record_count Format file keywords Description Code minus user-specified code base Agent that ran the policy AM/PM indicator Two digits that represent the current century (19-20) One digit that represent the message severity (0-4) Symantec ESM message code Long description of the message Version of Symantec ESM that supplies the report Two digits that represent the hour (00-23) Symantec ESM informational field Two digits that represent the minute (00-59) Module that is related to the message Two digits that represent the month (01-12) Two digits that represent the day of the month (01-31) Symantec ESM name field Operating system of agent Platform that ran the policy Policy that is related to the message Count of processed message records

321 Format file syntax for View custom command Format file structure 321 Table B-1 Keyword title weekday year Format file keywords (continued) Description Symantec ESM message title One digit that represent the day of week, starting with Sunday (1-7) Two digits that represent the year (00-99) Format file structure General directives Format files consist of ASCII text. You can create and edit the contents of a format file using a text editor. Limit individual lines of text to no more than 128 characters. Some lines of text start with directives. For example, the words that have a preceding period. Directives must be lower case. Directives are usually state significant; that is, they require other directives to precede and follow them. Usually, data fields follow the directives. You can separate these data fields with white space. You should always enclose the fields that contain spaces in quotation marks. Format files are structured in four sections: General Directives, Header Definition, Record Definition, and Footer Definition. The following information describes general directives:.fill <ASCII decimal value> This directive specifies the padding character that is used in a field having a specified length. For example, to pad a field with spaces, use the following:.fill 32.equate <identifier> <value> This directive sets an identifier to a specific value. The identifier in the directive can be used with the keyword indicator %. The value in this directive may include other keywords. For example:.equate time %hour%:%minute%.equate date %month%/%monthday%/%year%

322 322 Format file syntax for View custom command Header definition directives.translate < keyword> <Symantec ESM value> <target value> This directive converts a Symantec ESM keyword value to a new value in the target format. For example:.translate class 0 Green.translate class 1 Yellow.code_base <module> <value> This directive specifies the operating system base value for the format file. You can obtain this value from the.base directive in the <module>.m file. This file is in the platform specific Symantec ESM register directory. Note that <module> is any short module name. If you need to use a message code that is four digits or smaller, define a code_base and subtract it from the code. You can assign the result using the adjusted_code keyword. For example, you can set the default value for all unspecified modules by substituting the word default for the <module>..code_base default code_base patch Header definition directives The following information describes Symantec ESM header definitions:.header [length] This directive starts the header definition. If a length is specified and positive, it is a fixed length header. Otherwise, the header is assumed to be a variable length. If the header is defined, it is the first thing written to the output file..field delimiter <delimiter(s)> A field delimiter is required for variable length headers and is optional for fixed length headers. Field delimiters are concatenated to the end of each field in the header. A field delimiter can be a single number that represent the decimal value of an ASCII character. A field delimiter can also be a space-separated list of no more than eight numbers. For example, to limit a header to nine characters that are followed by a comment, use the following:.field delimiter 9 # Tab

.field [length] <string>
    Field length is only required in a fixed length header. Fields can be defined only between the .header, .record, or .footer directives and their corresponding end directives. If the string includes spaces, it must be enclosed in double quotes. Keywords and their length specifiers may be included as explained above. An unprintable character may be included in a field's value by entering its ASCII decimal value after a \'. For example, to limit a field to six characters, add the prefix EM, and truncate the contents of adjusted_code to the first four characters, use the following:
        .field 6 EM%adjusted_code:4%

.endheader [delimiter(s)]
    This directive ends the header definition. The optional delimiter list is concatenated to the end of the header.

Record definition directives

The following information describes Symantec ESM record definitions:

.record [length]
    This directive starts the record definition. The record definition section specifies how Symantec ESM message records are translated and written to the output file. The syntax is the same as the .header directive.

.field delimiter <delimiter(s)>
    See the rules for this directive in the header definition.

.field [length] <string>
    See the rules for this directive in the header definition.

.endrecord [delimiter(s)]
    This directive ends the record definition. The optional delimiter list is concatenated to the end of the record.

Footer definition directives

The following information describes Symantec ESM footer definitions:

.footer [length]
    This directive starts the footer definition. The syntax is the same as the .header directive. If the footer is defined, it is the last thing written to the output file.

.field delimiter <delimiter(s)>
    See the rules for this directive in the header definition.

.field [length] <string>
    See the rules for this directive in the header definition.

.endfooter [delimiter(s)]
    This directive ends the footer definition. The optional delimiter list is concatenated to the end of the footer.
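To make the directive semantics above concrete, the following Python program is an added example, not code from Symantec ESM or from this guide: it parses a format file that uses the general, header, and record directives described in this appendix and renders output for constructed message values. The keyword names (class, hour, minute, month, monthday, year, adjusted_code) are the ones the guide lists; the exact padding and truncation rules, the recursive expansion of .equate values, the omission of the \' escape, the sample format file and every message value are assumptions made for the example.

```python
# Interpreter for the View custom-command format file syntax described above. Added
# example, not Symantec's code: padding, truncation and expansion rules and every
# sample value below are assumptions made for this example.
import re

KEYWORD_RE = re.compile(r"%([A-Za-z_]\w*)(?::(\d+))?%")  # %name% or %name:len%
TOKEN_RE = re.compile(r'"([^"]*)"|(#.*)|(\S+)')          # "quoted", comment, bare token

def tokenize(line):
    """Split on white space; "quoted" strings stay whole and # starts a comment."""
    return [q or bare for q, comment, bare in TOKEN_RE.findall(line) if not comment]

def delimiters(args):  # a delimiter list holds up to eight ASCII decimal values
    if len(args) > 8:
        raise ValueError("more than eight delimiter values")
    return "".join(chr(int(a)) for a in args)

class FormatFile:
    def __init__(self, text):
        self.fill, self.equates, self.translations, self.code_bases = " ", {}, {}, {}
        self.sections, cur = {}, None  # cur = open section; directives are state significant
        for no, line in enumerate(text.splitlines(), 1):
            tokens = tokenize(line)
            if not tokens:
                continue
            name, args = tokens[0][1:], tokens[1:]
            if len(line) > 128 or not tokens[0].startswith(".") or not name.islower():
                raise ValueError(f"line {no}: over 128 characters or not a lower-case .directive")
            if name == "fill":
                self.fill = chr(int(args[0]))
            elif name == "equate":
                self.equates[args[0]] = args[1]
            elif name == "translate":
                self.translations.setdefault(args[0], {})[args[1]] = args[2]
            elif name == "code_base":
                self.code_bases[args[0]] = int(args[1])
            elif name in ("header", "record", "footer") and cur is None:
                fixed = int(args[0]) if args and int(args[0]) > 0 else None  # positive: fixed length
                cur, self.sections[name] = name, {"length": fixed, "delim": "", "fields": [], "end": ""}
            elif name == "field" and cur and args[:1] == ["delimiter"]:
                self.sections[cur]["delim"] = delimiters(args[1:])
            elif name == "field" and cur and len(args) in (1, 2):  # .field [length] string
                length = int(args[0]) if len(args) == 2 else None
                self.sections[cur]["fields"].append((length, args[-1]))
            elif name in ("endheader", "endrecord", "endfooter") and cur == name[3:]:
                self.sections[cur]["end"], cur = delimiters(args), None
            else:
                raise ValueError(f"line {no}: .{name} is unknown or out of place")

    def expand(self, template, values):  # %keyword% / %keyword:len% with .equate and .translate
        def sub(m):
            key, width = m.group(1), m.group(2)
            if key in self.equates:  # an equate may itself use other keywords
                text = self.expand(self.equates[key], values)
            else:                    # KeyError for a keyword the message lacks
                text = self.translations.get(key, {}).get(str(values[key]), str(values[key]))
            return text[:int(width)] if width else text
        return KEYWORD_RE.sub(sub, template)

    def render_section(self, name, values):
        sec, out = self.sections.get(name), ""
        for length, template in sec["fields"] if sec else []:
            text = self.expand(template, values)
            if length is not None:  # truncate, or pad with the .fill character
                text = text[:length].ljust(length, self.fill)
            out += text + sec["delim"]
        if sec and sec["length"] is not None:
            out = out[:sec["length"]].ljust(sec["length"], self.fill)
        return out + sec["end"] if sec else ""

    def render(self, messages, run_values):  # header, one record per message, footer
        out = self.render_section("header", run_values)
        for msg in messages:  # adjusted_code = code - code_base of the module (or default)
            base = self.code_bases.get(msg["module"], self.code_bases.get("default", 0))
            out += self.render_section("record", dict(msg, adjusted_code=msg["code"] - base))
        return out + self.render_section("footer", run_values)

# Constructed sample format file and messages; every value below is invented.
SAMPLE_FORMAT = """\
.fill 46                # pad fixed length fields with '.' so the padding is visible
.equate time %hour%:%minute%
.translate class 0 Green
.translate class 1 Yellow
.code_base patch 1000   # invented, not taken from a real <module>.m file
.header 32              # fixed length header: no field delimiter is needed
.field 32 "ESM messages %month%/%monthday%/%year%"
.endheader 10           # LF
.record
.field delimiter 9      # Tab
.field 6 EM%adjusted_code:4%
.field %class%
.field %time%
.endrecord 10
"""
SAMPLE_MESSAGES = [{"module": "patch", "code": 1003, "class": 0, "hour": 9, "minute": 5},
                   {"module": "patch", "code": 1011, "class": 1, "hour": 13, "minute": 47}]

def render_sample():
    return FormatFile(SAMPLE_FORMAT).render(SAMPLE_MESSAGES, {"month": 3, "monthday": 14, "year": 10})
```

Two behaviours worth checking in any real format file follow from this model: a fixed length field silently truncates whatever does not fit, so free text such as a message title should be given a length at least as long as the longest value expected, and a directive out of order (for example a .field before .record, or an .endrecord while a .header is open) is a hard error rather than being ignored, which is what the guide's "state significant" rule means in practice.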

Appendix C
Symantec ESM summary databases

This appendix includes the following topics:
    About the summary databases
    Manager sumfinal database
    Local summary database
    Managing the manager sumfinal database
    Synchronizing and purging the local summary database
    Querying the local summary database

About the summary databases

Symantec ESM stores policy run summary data and module message details in two databases: the manager sumfinal database on the manager computer and the local summary database on the ESM console computer.

Manager sumfinal database

The manager sumfinal database contains the summary data and module message details that the agents report during policy runs. This database is a component of the manager. It is a cross-platform proprietary database.

By default, Symantec ESM keeps the policy run data in the manager sumfinal database for 90 days. You can change the retention period by clicking the Options tab in the Manager Properties dialog box.

You cannot directly access the data in a manager sumfinal database. Instead, you must upload the information to your local summary database in the ESM console.

Local summary database

The local summary database lets you query the managers, agents, and policies. The local summary database reports how the managers, the agents, and the policies relate to the summary data. The local summary database also reports module message details in the policy runs.

By combining this query function with the dynamic reporting capabilities available in the Integrated Command Engine (ICE) module, you can effectively resolve new vulnerabilities. For example, assume that you receive an advisory that describes a vulnerability in a network resource. Then you can quickly edit the scripts and templates in the ICE module to search for occurrences of this vulnerability. You can narrow the search by running a query on the local summary database.

The local summary database is a component of the ESM console. When the ESM console creates a user account, it also creates a local summary database file for the account. Use the Discretionary Access Control List (ACL) in Windows to secure this local summary database file. See the Windows help for information on accessing the ACL. Only the user who is logged on to the ESM console account should have full control over the file.

The local summary database is a Microsoft Access relational database in .mdb native file format. You can access this database with Microsoft Access or use it as an ODBC data source. If you have compatible third-party software, you can also use the local summary database to produce custom reports.

To ensure that the local summary database contains current summary information for reporting or analysis, you must manually synchronize the local summary database with the manager sumfinal databases in the network. Using the enterprise tree, you can choose to upload manager sumfinal database information from a single manager, all of the managers in a region, or all of the managers that are connected to the ESM console. See Synchronizing and purging the local summary database on page 337.

When analysis or reporting requires module message details, you can use a separate function in the ESM console to upload this information from a single manager, from all of the managers in a region, or from all of the managers that are connected to the ESM console.

Note: Managers with a large number of registered agents can take a significant period of time to complete a module message details upload.

Local summary database file structure

The ID fields define the relationships in the database tables. For example, managerid defines a relationship with a manager: this field holds the value of the ID field of a specific manager record in the managers table. The following database schema shows the relationships among the tables.

Figure C-1 Local database schema

Note: In the following tables, field data types are enclosed in <angle brackets>.

The following table describes the local summary database tables.

Table C-1 Local summary database tables

    Table Name      Description
    Agents          Agents for which summary data has been received
    AgentTrend      Agent level and score data points
    DatabaseInfo    Microsoft Access .mdb file identity


Veritas Storage Foundation Add-on for Storage Provisioning User's Guide. 4.0 Release Update 1 Veritas Storage Foundation Add-on for Storage Provisioning User's Guide 4.0 Release Update 1 Veritas Storage Foundation Add-on for Storage Provisioning The software described in this book is furnished

More information

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Windows Server 2003, Windows Server 2008 and 2008 R2 5.1 Service Pack 2 September 2011 Symantec ApplicationHA

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003 Windows Server 2008 5.1 Service Pack 2 Veritas Cluster Server Database Agent for Microsoft SQL Configuration

More information

Symantec ediscovery Platform

Symantec ediscovery Platform Symantec ediscovery Platform Native Viewer (ActiveX) Installation Guide 7.1.5 Symantec ediscovery Platform : Native Viewer (ActiveX) Installation Guide The software described in this book is furnished

More information

Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes

Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of

More information

PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes

PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Veritas NetBackup for SQLite Administrator's Guide

Veritas NetBackup for SQLite Administrator's Guide Veritas NetBackup for SQLite Administrator's Guide Windows and Linux Release 8.1.1 Documentation version: 8.1.1 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the

More information

Symantec Control Compliance Suite Express Security Content Update for JBoss Enterprise Application Platform 6.3. Release Notes

Symantec Control Compliance Suite Express Security Content Update for JBoss Enterprise Application Platform 6.3. Release Notes Symantec Control Compliance Suite Express Security Content Update for JBoss Enterprise Application Platform 6.3 Release Notes Express Security Content Update for JBoss Enterprise Application Platform 6.3

More information

Veritas Disaster Recovery Advisor Release Notes

Veritas Disaster Recovery Advisor Release Notes Veritas Disaster Recovery Advisor Release Notes AIX, ESX, HP-UX, Linux, Solaris, Windows Server 6.0 2 Veritas Disaster Recovery Advisor Release Notes Legal Notice Copyright 2012 Symantec Corporation. All

More information

Symantec Encryption Desktop Version 10.2 for Mac OS X Release Notes. About Symantec Encryption Desktop

Symantec Encryption Desktop Version 10.2 for Mac OS X Release Notes. About Symantec Encryption Desktop Symantec Encryption Desktop Version 10.2 for Mac OS X Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of Encryption

More information

Symantec Data Loss Prevention System Maintenance Guide. Version 14.0

Symantec Data Loss Prevention System Maintenance Guide. Version 14.0 Symantec Data Loss Prevention System Maintenance Guide Version 14.0 Symantec Data Loss Prevention System Maintenance Guide Documentation version: 14.0b Legal Notice Copyright 2015 Symantec Corporation.

More information

Veritas Storage Foundation for Oracle Graphical User Interface Guide. 5.0 Maintenance Pack 3

Veritas Storage Foundation for Oracle Graphical User Interface Guide. 5.0 Maintenance Pack 3 Veritas Storage Foundation for Oracle Graphical User Interface Guide 5.0 Maintenance Pack 3 Veritas Storage Foundation for Oracle Graphical User Interface Guide The software described in this book is furnished

More information

Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide

Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Documentation version:

More information

Symantec Enterprise Security Manager Modules for ESX and ESXi server User Guide

Symantec Enterprise Security Manager Modules for ESX and ESXi server User Guide Symantec Enterprise Security Manager Modules for ESX and ESXi server User Guide Release 2.0 for Symantec ESM 9.0.x and 10.0 For ESX and ESXi servers with support for reporting on vcenter server Symantec

More information

Symantec Mobile Management 7.1 Implementation Guide

Symantec Mobile Management 7.1 Implementation Guide Symantec Mobile Management 7.1 Implementation Guide Symantec Mobile Management 7.1 Implementation Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Symantec Enterprise Security Manager Modules for Sybase Adaptive Server Enterprise User Guide Sybase 3.1.0

Symantec Enterprise Security Manager Modules for Sybase Adaptive Server Enterprise User Guide Sybase 3.1.0 Symantec Enterprise Security Manager Modules for Sybase Adaptive Server Enterprise User Guide Sybase 3.1.0 Release 3.1.0 for Symantec ESM 6.5.x and 9.0.1 For Sybase Adaptive Server Enterprise on AIX, HP-UX,

More information

Veritas Storage Foundation and High Availability Solutions Getting Started Guide - Linux

Veritas Storage Foundation and High Availability Solutions Getting Started Guide - Linux Veritas Storage Foundation and High Availability Solutions 6.0.4 Getting Started Guide - Linux September 2013 Veritas Storage Foundation and High Availability Solutions Getting Started Guide The software

More information

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.2

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.2 Veritas NetBackup Copilot for Oracle Configuration Guide Release 2.7.2 Veritas NetBackup Copilot for Oracle Configuration Guide Documentation version: 2.7.2 Legal Notice Copyright 2016 Veritas Technologies

More information

Symantec NetBackup for Microsoft Exchange Server Administrator s Guide

Symantec NetBackup for Microsoft Exchange Server Administrator s Guide Symantec NetBackup for Microsoft Exchange Server Administrator s Guide for Windows Release 7.6 Symantec NetBackup for Microsoft Exchange Server Administrator's Guide The software described in this book

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault PST Migration 11.0 Symantec Enterprise Vault: PST Migration The software described in this book is furnished under a license agreement and may be used only in accordance with

More information

Wise Package Studio Reference

Wise Package Studio Reference Wise Package Studio Reference Wise Package Studio The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation

More information

VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide

VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide The software described in this book is furnished

More information

Symantec ServiceDesk 7.1 SP2 Portal User Guide

Symantec ServiceDesk 7.1 SP2 Portal User Guide Symantec ServiceDesk 7.1 SP2 Portal User Guide Symantec ServiceDesk 7.1 SP2 Portal User Guide The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Veritas Volume Replicator Web GUI Administrator's Guide

Veritas Volume Replicator Web GUI Administrator's Guide Veritas Volume Replicator Web GUI Administrator's Guide Solaris 5.0 Maintenance Pack 3 Veritas Volume Replicator Web GUI Administrator's Guide The software described in this book is furnished under a license

More information

Symantec LiveUpdate Administrator 2.3 User's Guide

Symantec LiveUpdate Administrator 2.3 User's Guide Symantec LiveUpdate Administrator 2.3 User's Guide Symantec LiveUpdate Administrator 2.3 User's Guide The software described in this book is furnished under a license agreement and may be used only in

More information