McAfee Change Control Using Change Reconciliation and Ticket-based Enforcement


6.0.0 Using Change Reconciliation and Ticket-based Enforcement

Copyright 2011 McAfee, Inc. All Rights Reserved.

Contents

Introduction
  About this guide
  Finding product documentation
Installing and configuring the integration server
  Installing the integration server
  Configuring the integration server
  Entering the change reconciliation license and enabling ticket-based enforcement
  Adding the integration server
  Uninstalling the integration server
Using change reconciliation
  Prerequisites
  Reconciliation best practices
  Understanding reconciliation events
  Scheduling reconciliation
  Reviewing reconciliation logs
  Managing reconciliation results
    Reviewing authorized or reconciled events
    Approving unauthorized events
    Working with unresolved events
  Using queries
Using ticket-based enforcement
  Using queries

Introduction

McAfee Change Reconciliation creates a comprehensive list of the changes carried out on all monitored systems and correlates the events with change tickets. It maps changes on a system to the tickets that a change management system (CMS) generates and flags ad hoc changes. This provides an evidence trail for the changes made, verifies that approved changes were deployed, and identifies unauthorized or unticketed changes.

NOTE: If you are using reconciliation with Solidcore Extension 5.1.1 or older and upgrade to Solidcore Extension 5.1.2, you cannot access the older reconciliation data. If you are using reconciliation with Solidcore Extension 5.1.2 and upgrade to 6.0.0, the older reconciliation data is migrated.

Using ticket-based enforcement, you can allow system updates without manual intervention on the endpoint. Once integrated with a CMS, changes to a system are permitted only while an approved ticket is open for it in the ticketing system. This enforces the change process and prevents unapproved changes: when a ticket is approved, the referenced systems are put into Update mode, and after the changes are made they are taken out of Update mode again.

About this guide

This guide describes how to implement change reconciliation and ticket-based enforcement with BMC Remedy Action Request System 7.5 or 7.6 and McAfee ePolicy Orchestrator (McAfee ePO) 4.5 or 4.6. To use this guide effectively, you must be familiar with BMC Remedy and McAfee ePO. For more information, see the product documentation for BMC Remedy and McAfee ePO.

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need.

To access user documentation:
1 Click Product Documentation.
2 Select a Product, then select a Version.
3 Select a product document.

To access the KnowledgeBase:
- Click Search the KnowledgeBase for answers to your product questions.
- Click Browse the KnowledgeBase for articles listed by product and version.

Installing and configuring the integration server

Before you can reconcile events or use ticket-based enforcement, you must install and configure the integration server. The integration server handles the communication between McAfee ePO and the ticketing system. To complete the configuration, you must enter the required licenses, optionally enable ticket-based enforcement, and add the integration server details to McAfee ePO.

Installing the integration server

Use this procedure to install the integration server.

1 Download the solidcoreintegrationserver.zip file from the McAfee download site.
2 Navigate to the McAfee ePO server installation directory. By default, the McAfee ePO server is installed in C:\Program Files\McAfee on 32-bit systems and in C:\Program Files (x86)\McAfee on 64-bit systems.
3 Unzip the file to install the integration server. The solidcoreintegrationserver directory is created in the installation directory and contains the following directories:
   bin        Contains the core binary files.
   conf       Serves as the configuration store for the integration server. Contains the .properties file for the integration server.
   connector  Contains the files for the connector.
   lib        Contains the shared libraries.
   logs       Stores the log files.
   NOTE: By default, the integration server listens for requests on port 1099. If port 1099 is already in use in your setup, you can change the integration server port: navigate to the <install directory>\solidcoreintegrationserver\conf directory and edit the value of the rmiserverport parameter in the integrationserver.properties file. Because the integration server is installed alongside McAfee ePO, the ePO server is normally its only client; restrict the port to that host with the host firewall rather than exposing it to the network.
4 Open a command window.
5 Navigate to the <install directory>\solidcoreintegrationserver\bin directory.
6 Execute the Install-IntegrationServer.bat file. This installs the integration server.
7 Execute the Start-IntegrationServer.bat file. This starts the integration server.

Configuring the integration server

Preconfigured connectors are available to help you quickly configure and work with BMC Remedy versions 7.5 and 7.6. To change the existing connector configuration or to use another change management system, contact McAfee Support (https://mysupport.mcafee.com/ or +1 (408) 988-3832). A McAfee representative will help you configure and fine-tune the connector.

Use this procedure to complete the connector configuration.

1 Open a command window.
2 Navigate to the <install dir>\solidcoreintegrationserver\bin directory.
3 Execute the testconnector.bat file to check the configuration and the connection to the ticketing system:

   testconnector.bat <int server host> <port> <tkt host> <user ID> <password>

   In the syntax:
   int server host  The host name or IP address of the integration server.
   port             The port on which the integration server is listening (1099 by default).
   tkt host         The host name or IP address of the ticketing system server.
   user ID          A valid user name on the ticketing system.
   password         The password for the ticketing system user.

   The password is passed as a plain command-line argument, so it is visible in the command window's history and to anyone who can list processes on the server while the test runs. Use a dedicated ticketing-system account that has only the privileges reconciliation needs.
4 Review the IS-Server.log file (in the solidcoreintegrationserver\logs directory) and the reconconnector.log file (in the solidcoreintegrationserver\bin directory) and fix any errors you find. IS-Server.log contains information on the integration server and connector operations; reconconnector.log contains information on the testconnector.bat run.
Entering the change reconciliation license and enabling ticket-based enforcement

Use this procedure to provide valid license keys for Change Control and Reconciliation and to enable ticket-based enforcement.

1 Select Menu | Configuration | Server Settings from the McAfee ePO console.
2 Select Solidcore from the Settings Categories list.
3 Click Edit. The Edit Solidcore page appears.
4 Enter the keys in the Change Control and Reconciliation fields.
5 Select Yes to enable ticket-based enforcement.
6 Enter the time interval (in seconds) between consecutive requests to poll the CMS.
7 Click Save.

Adding the integration server

Use this task to add the integration server as a registered server in McAfee ePO.

1 Select Menu | Configuration | Registered Servers from the McAfee ePO console.
2 Click New Server.
3 Select Solidcore Integration Server as the server type.
4 Enter a name for the registered server.
5 Click Next. The Details page appears.
6 Specify the host name and port for the integration server.
7 Enter the host name, user name, and password for the ticketing system.
8 Click Test connection. McAfee ePO uses the specified details to connect to the integration server, which in turn connects to the ticketing system. It also validates the user credentials and privileges for the ticketing system.
9 Click Save.

Uninstalling the integration server

Use this procedure to uninstall the integration server.

1 Open a command window.
2 Navigate to the <install directory>\solidcoreintegrationserver\bin directory.
3 Run the Uninstall-IntegrationServer.bat file. This uninstalls the integration server.
4 Close the command window after the file has finished executing.
5 Delete the solidcoreintegrationserver directory.

Using change reconciliation

McAfee Change Reconciliation validates changes based on the actual start time and actual end time of the ticket. You can also choose to validate changes based on optional parameters, such as the hostname or username recorded with the change. Depending on the connector configuration, the ticket is updated after reconciliation with detailed information about the change, including the hostname and the name of the user who made the change.

During reconciliation, only a subset of the tickets in the CMS is considered: only closed tickets whose end time is later than the oldest unreconciled event in the McAfee ePO database are reconciled. You can configure the reconciliation condition and define a different reconciliation condition for each CMS. Also, only selected Integrity Monitor, Change Control, and Application Control events are considered during reconciliation. See Understanding reconciliation events for the complete list of events considered.

Change reconciliation:
- Correlates system changes with change approval and ticketing systems.
- Helps confirm that the approved changes have been deployed.
- Identifies unapproved and unticketed changes (for example, emergency and malicious changes).
- Groups related changes and helps in documenting emergency or undocumented changes.
- Appends a reconciliation summary to the work log of the tickets in the ticketing system (if configured).

The McAfee ePO server works in conjunction with a CMS to provide change reconciliation. Figure 1 (Components involved in change reconciliation) depicts the components involved.

Here is an overview of the tasks you must complete to implement and use change reconciliation:
1 Install the integration server (one-time task).
2 Enter the license key in McAfee ePO (one-time task).
3 Configure and test the connector (one-time task).
4 Add the integration server to McAfee ePO as a registered server (one-time task).
5 Run or schedule reconciliation (as needed).
6 Manage reconciliation results and run queries in McAfee ePO (as needed).

Prerequisites

Before you can configure and use change reconciliation, you must:
- Ensure that McAfee ePO 4.5 or 4.6 is installed and running. For more information, refer to the ePolicy Orchestrator 4.5 Installation Guide or the ePolicy Orchestrator 4.6 Installation Guide, respectively.
- Ensure that Solidcore Extension 6.0.0 is installed on the McAfee ePO server.
- Procure valid licenses for Change Control and Reconciliation.
- Ensure that a change management or ticketing system is installed. You can integrate McAfee ePO with BMC Remedy Action Request System 7.5 or 7.6. To integrate McAfee ePO with other change management systems, contact McAfee Support (https://mysupport.mcafee.com/ or +1 (408) 988-3832).

Reconciliation best practices

Consider the following to keep the reconciliation cycle performing well.
- Schedule reconciliation at regular intervals. If you do not reconcile events regularly, the backlog of reconcilable events can become unmanageable. Take the business requirements and the volume of daily events into account when deciding the reconciliation frequency. This matters even if you do not intend to use the results in production operation right away.
- Configure filtering in the Integrity Monitoring policy to monitor only critical registry entries and operating system and application files. Exclude unimportant files and registry entries to reduce the number of events generated. The quality of the filtering determines how many events are captured, but what gets filtered out is your decision: excluding too much hides real changes, while excluding too little floods the cycle with noise.
- Review the reconciliation results and document or dismiss the un-reconciled events at regular intervals. This keeps the number of un-reconciled events manageable.
- Follow the internal workflow and processing requirements of the CMS (that is, move change management tickets to the appropriate status in a timely manner) so that the reconciliation process can match events to CMS tickets accurately and promptly.

Understanding reconciliation events

During reconciliation, only selected Change Control and Application Control events are considered. The following events are considered during reconciliation.

Change Control events:
ACL_MODIFIED, ACL_MODIFIED_UPDATE,
FILE_ATTR_CLEAR, FILE_ATTR_CLEAR_UPDATE, FILE_ATTR_MODIFIED, FILE_ATTR_MODIFIED_UPDATE, FILE_ATTR_SET, FILE_ATTR_SET_UPDATE,
FILE_CREATED, FILE_CREATED_UPDATE, FILE_DELETED, FILE_DELETED_UPDATE, FILE_MODIFIED, FILE_MODIFIED_UPDATE, FILE_RENAMED, FILE_RENAMED_UPDATE,
OWNER_MODIFIED, OWNER_MODIFIED_UPDATE,
STREAM_CREATED, STREAM_DELETED, STREAM_MODIFIED, STREAM_ATTR_MODIFIED, STREAM_CREATED_UPDATE, STREAM_DELETED_UPDATE, STREAM_MODIFIED_UPDATE, STREAM_ATTR_MODIFIED_UPDATE, STREAM_ATTR_SET, STREAM_ATTR_CLEAR, STREAM_ATTR_SET_UPDATE, STREAM_ATTR_CLEAR_UPDATE,
REG_KEY_CREATED, REG_KEY_CREATED_UPDATE, REG_KEY_DELETED, REG_KEY_DELETED_UPDATE, REG_VALUE_DELETED, REG_VALUE_DELETED_UPDATE, REG_VALUE_MODIFIED, REG_VALUE_MODIFIED_UPDATE

Application Control events and common events (Change Control and Application Control):
USER_ACCOUNT_CREATED, USER_ACCOUNT_DELETED, USER_ACCOUNT_MODIFIED, FILE_RESOLIDIFIED, FILE_SOLIDIFIED, FILE_UNSOLIDIFIED, PKG_MODIFICATION_ALLOWED_UPDATE, ACTX_ALLOW_INSTALL, BEGIN_UPDATE, BOOTING_DISABLED, BOOTING_DISABLED_SAFEMODE, COMMAND_EXECUTED, DISABLED_DEFERRED, ENABLED_DEFERRED, UPDATE_MODE_DEFERRED, END_UPDATE, BOOTING_DISABLED_INTERNAL_ERROR

Scheduling reconciliation

Use this procedure to schedule or run reconciliation.

1 Select Menu | Automation | Server Tasks from the McAfee ePO console.
2 Click New Task. The Server Task Builder page opens.
3 Enter the task name and description, and set Schedule status to Enabled.
4 Click Next. The Actions page appears.
5 Select Solidcore: Run Reconciliation from the Actions drop-down menu and click Next. The Schedule page appears.
6 Schedule the task as needed and click Next. The Summary page appears.
7 Review and verify the details and click Save.

If you need to generate reports on reconciled data, schedule or run queries after running reconciliation.

Reviewing reconciliation logs

Use this procedure to review the reconciliation logs.

1 Select Menu | Risk & Compliance | Change Control Reconciliation from the McAfee ePO console. The Reconciliation Summary page appears.
2 Select Reconciliation Cycle Logs.

The Reconciliation Cycle Logs page appears. It includes one entry for each executed reconciliation cycle.
3 Specify the time window for which to view reconciliation logs by selecting a value for the Filter field. You can filter and view logs for the last week, month, quarter, or year, or select All to view all available logs.
4 Click an entry to review the details.
5 Click Close.

Managing reconciliation results

After reconciliation is complete, you can view and manage the results from McAfee ePO. The results fall into the following categories:

Reconciled events: Events that match a single corresponding ticket in the change management system. If configured during connector configuration, the work logs of the reconciled tickets are updated with the reconciliation summary, including the name of the user who made the change, the configuration item and hostname that changed, and the time window during which the changes were made. One event can be mapped to only one ticket, whereas one ticket may be associated with one or more events. (Figure: updated change summary for an existing ticket.)

Unauthorized events: Events that cannot be matched to any ticket in the change management system. To manage unauthorized events, review them and either dismiss them or create tickets in the change management system to associate with them.
NOTE: If an unauthorized event is not associated with a ticket within 20 days, its status is changed to Unauthorized Permanent. Once marked Unauthorized Permanent, the event still appears in the unauthorized event list but is not considered in future reconciliation cycles. You can configure the interval (20 days by default) after which events are marked Unauthorized Permanent. Events that reach this status are changes that went the whole interval without a ticket, so review the list rather than letting it grow.

Unresolved events: Events that match multiple tickets in the change management system. To manage unresolved events, select one ticket from the list of tickets matched with the unresolved events.

NOTE: The reconciliation summary is not updated after you purge the existing events.

Reviewing authorized or reconciled events

Use this task to review reconciled tickets and the details of the events matched with them.

1 Select Menu | Risk & Compliance | Change Control Reconciliation from the McAfee ePO console. The Reconciliation Summary page appears.
2 Select Reconciled Tickets. The Reconciled Tickets summary page appears. Reconciled tickets are tickets that were associated with the appropriate events during reconciliation. The page includes one entry for each reconciled ticket.
3 Specify the time window for which to view reconciled tickets by selecting a value for the Filter field. You can filter and view reconciled tickets for the last week, month, quarter, or year, or select All to view all available tickets.
4 Select View Changes for a ticket. The Reconciled Changes page displays all events matched with the ticket.
5 Click a row to review details.
6 Click Close.

Approving unauthorized events

Use this procedure to approve unauthorized events by creating corresponding tickets in the change management system.

1 Select Menu | Risk & Compliance | Change Control Reconciliation from the McAfee ePO console. The Reconciliation Summary page appears.
2 Select Systems with Unauthorized Changes. All systems with unauthorized events are listed, and for each system the Unauthorized Changes field shows the number of unauthorized changes.
3 Specify the time window for which to view the systems with unauthorized changes by selecting a value for the Filter field. You can filter and view the systems for the last week, month, quarter, or year, or select All to view all systems with unauthorized changes.
4 Click the link for the number of unauthorized changes for a system. The Unauthorized Changes page lists all unauthorized events for the selected system.
5 Select one or more events and perform one of the following actions:
   Document the events. To associate a ticket with the selected events:
   1 Click Actions | Document. The Document Changes dialog box appears.
   2 Enter the ticket summary and description.
   3 Click OK. A ticket is created for the reconciliation records. Depending on your connector configuration, a corresponding ticket may or may not be created in the ticketing system.
   Dismiss the events. To ignore the selected events and exclude them from future reconciliation cycles:
   1 Click Actions | Dismiss Changes. The Dismiss Changes message appears.
   2 Click Yes.
   Both actions retroactively accept a change that had no ticket; the summary and description you enter are the only record of why, so make them specific.
6 Click Close.

Working with unresolved events

Use this procedure to manage unresolved events by associating them with the appropriate tickets in the change management system.

1 Select Menu | Risk & Compliance | Change Control Reconciliation from the McAfee ePO console. The Reconciliation Summary page appears.
2 Select Systems with changes matching to multiple Tickets. All systems with unresolved events are listed.
3 Select View Changes for a system. The Changes that match multiple Tickets page lists all unresolved events for the selected system.
4 Select one or more events.
5 Click Actions | Resolve changes. The Resolve changes dialog box appears, listing all tickets that can be mapped to the selected events.
6 Select the ticket to associate with the events.
7 Click OK. The selected events are matched with the specified ticket and, depending on the connector configuration, the ticketing system is updated.
8 Click Close.

Using queries

From the McAfee ePO console, you can run queries based on reconciliation data. Queries are configurable objects that retrieve and display data from the database; the results are displayed in charts and tables. For more information on queries, refer to the McAfee Change Control and Application Control Product Guide and the McAfee ePolicy Orchestrator Product Guide. The following reconciliation-related queries are available in McAfee ePO:

Query: Solidcore: Change Events grouped by Reconciliation Status in the Last 1 Month
Description: Displays a pie chart of events that occurred in the last one month. The chart sorts events based on the reconciliation status. Reconciled changes are shown as authorized and unreconciled events are shown as unauthorized.

Query: Solidcore: Change Events grouped by Reconciliation Status in the Last 7 Days
Description: Displays a pie chart of events that occurred in the last seven days. The chart sorts events based on the reconciliation status. Reconciled changes are shown as authorized and unreconciled events are shown as unauthorized.

Query: Solidcore: Reconciled Change Events grouped by Tickets in the Last 1 Month
Description: Lists change tickets against which events have been reconciled in the last one month.

Query: Solidcore: Reconciled Change Events grouped by Tickets in the Last 7 Days
Description: Lists change tickets against which events have been reconciled in the last seven days.

Query: Solidcore: Ticket Manifest Deviation (All Change Events per Object like File or Registry)
Description: Compares all change events for an object associated with a Production ticket with all change events for the same object associated with a Staging ticket. For example, all file modified events for a file on the Staging server are considered and compared with all file modified events for the same file on the Production server.

Query: Solidcore: Ticket Manifest Deviation (Only Unique Change Events per Object like File or Registry)
Description: Compares only unique change events for an object associated with a Production ticket with all the unique change events for the same object associated with a Staging ticket. For example, multiple file modified events for a file on the Staging server are combined and considered as a single file modified event, and compared to a single file modified event (multiple events are again combined) for the same file on the Production server.

Use this procedure to run a query.
1 Select Menu | Reporting from the McAfee ePO console.
2 Perform one of these tasks:
  - From the McAfee ePO 4.6 console, select Queries & Reports.
  - From the McAfee ePO 4.5 console, select Queries.
3 Select Solidcore in the groups list.
4 Select a query.
5 Perform one of the following tasks:
  - Click Edit if you are running one of the Ticket Manifest Deviation queries. The Query Builder wizard appears. Click Next two times to navigate to the Filter page of the wizard. Specify the Production Server Ticket value and click Run.
    NOTE: If you choose to save an edited Ticket Manifest Deviation query, ensure that you save the query with a different name.
  - Click Run to run any other report.
  The query results page appears. Drill down into the report and take actions on items, as needed.
  The reports generated for the Ticket Manifest Deviation queries organize the results into the following categories:
  - Changes In Manifest: Lists the ticket-specific changes present on both the Production server and the Staging server.
  - Changes Not From Manifest: Lists the ticket-specific changes that are present on the Staging server but not on the Production server.
  - Changes Not In Manifest: Lists the ticket-specific changes that are present on the Production server but not on the Staging server.
6 Click Close when finished.
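To make the difference between the two Ticket Manifest Deviation variants concrete, here is an added example (not McAfee code) that performs the per-object comparison the reports describe on constructed Staging and Production event lists and sorts the result into the three categories above. The event tuples, the manifest_deviation function and the use of Python's Counter are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample change events, one (object, event type) tuple per event.
# The Staging ticket saw config.xml modified three times; the Production ticket
# saw it modified once and also saw a file created that Staging never saw.
STAGING_EVENTS = [
    ("C:\\app\\config.xml", "file modified"),
    ("C:\\app\\config.xml", "file modified"),
    ("C:\\app\\config.xml", "file modified"),
    ("C:\\app\\bin\\service.exe", "file modified"),
    ("HKLM\\SOFTWARE\\App\\Version", "registry key created"),
]
PRODUCTION_EVENTS = [
    ("C:\\app\\config.xml", "file modified"),
    ("C:\\app\\bin\\service.exe", "file modified"),
    ("C:\\app\\bin\\helper.dll", "file created"),
]


def manifest_deviation(production_events, staging_events, unique_only=False):
    """Return the three report categories for a Production vs. a Staging ticket.

    unique_only=False mirrors "All Change Events per Object": repeated events
    of the same type on the same object are counted separately.
    unique_only=True mirrors "Only Unique Change Events per Object": repeats
    are collapsed to a single event before the comparison.
    """
    prod = Counter(production_events)
    stag = Counter(staging_events)
    if unique_only:
        prod = Counter(set(prod))  # one occurrence per (object, event type)
        stag = Counter(set(stag))
    return {
        # Present on both servers (per-event overlap).
        "Changes In Manifest": sorted((prod & stag).elements()),
        # Present on Staging but not on Production.
        "Changes Not From Manifest": sorted((stag - prod).elements()),
        # Present on Production but not on Staging.
        "Changes Not In Manifest": sorted((prod - stag).elements()),
    }


if __name__ == "__main__":
    for unique_only in (False, True):
        print("unique events only" if unique_only else "all events")
        report = manifest_deviation(PRODUCTION_EVENTS, STAGING_EVENTS, unique_only)
        for category, events in report.items():
            print(f"  {category}: {events}")
```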

Using ticket-based enforcement

While Application Control prevents execution of unauthorized or new binaries on a system, Change Control prevents modification of protected files by any unauthorized user or binary. Only when an Update window is open on a protected system can new binaries be executed and protected files modified.

Ticket-based enforcement integrates Application Control and Change Control with an existing change management system. Based on tickets created in the ticketing system, Update windows are opened on the needed protected systems, thus streamlining and automating the change management process. Implementing ticket-based enforcement reduces system outages and improves uptime by allowing only approved changes to be made to the systems. It also simplifies compliance reporting.

To configure ticket-based enforcement with BMC Remedy versions 7.5 and 7.6 or other change management systems, contact McAfee Support (https://mysupport.mcafee.com/ or +1(408)988-3832).

After you configure ticket-based enforcement, the application periodically checks the ticketing system for:
- Work-in-progress tickets: For a ticket in Implementation in progress status, the one or more endpoints referenced in the ticket are unlocked (put into Update mode) to allow changes to be made to the endpoints. The ticket work log is updated to list all endpoints that are put in Update mode.
- Completed tickets: For a ticket in Closed status or with an elapsed scheduled end date, the one or more endpoints referenced in the ticket are locked (put into Enabled mode) to ensure no further changes are allowed to the endpoints. The ticket work log is updated to list all endpoints that are put in Enabled mode.

Review the Menu | Automation | Solidcore | Client Task Log page to view the result of each client task related to ticket-based enforcement.

NOTE: By default, the aforementioned tickets are considered for ticket-based enforcement. When configuring the connector, you can specify the tickets that are considered for ticket-based enforcement.
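The polling cycle described above, as an added example that is not part of the product: one pass over a set of constructed tickets decides which endpoints to unlock (Update mode) or lock (Enabled mode) and appends the affected endpoints to each ticket's work log. The Ticket class, the poll_tickets function, the endpoint names and the assumption that an endpoint not yet touched by any ticket is locked are mine; the statuses and modes follow the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Ticket:
    """Constructed stand-in for a CMS ticket; field names are assumptions."""
    ticket_id: str
    status: str                 # "Implementation in progress", "Closed", ...
    endpoints: list
    scheduled_end: datetime
    work_log: list = field(default_factory=list)


def poll_tickets(tickets, endpoint_mode, now):
    """One polling cycle of ticket-based enforcement.

    endpoint_mode maps endpoint name -> "Update" (unlocked) or "Enabled"
    (locked). Endpoints absent from it are assumed locked. The work log is
    written only when an endpoint actually changes mode (an assumption that
    keeps repeated polls idempotent). Returns the updated mapping.
    """
    for ticket in tickets:
        completed = ticket.status == "Closed" or now >= ticket.scheduled_end
        if completed:
            target = "Enabled"      # lock: no further changes allowed
        elif ticket.status == "Implementation in progress":
            target = "Update"       # unlock: Update window is open
        else:
            continue                # other statuses are not considered by default
        changed = [e for e in ticket.endpoints
                   if endpoint_mode.get(e, "Enabled") != target]
        for endpoint in changed:
            endpoint_mode[endpoint] = target
        if changed:
            ticket.work_log.append(
                f"{now:%Y-%m-%d %H:%M} put in {target} mode: {', '.join(changed)}")
    return endpoint_mode


NOW = datetime(2013, 6, 1, 9, 0)
TICKETS = [  # constructed sample tickets with non-overlapping endpoints
    Ticket("CRQ-1001", "Implementation in progress", ["srv-01", "srv-02"], NOW + timedelta(hours=4)),
    Ticket("CRQ-1002", "Closed", ["srv-03"], NOW - timedelta(days=1)),
    Ticket("CRQ-1003", "Implementation in progress", ["srv-04"], NOW - timedelta(hours=1)),  # end date elapsed
    Ticket("CRQ-1004", "Scheduled", ["srv-05"], NOW + timedelta(days=2)),  # not considered
]
MODES = {"srv-03": "Update", "srv-04": "Update"}  # left unlocked by an earlier poll

if __name__ == "__main__":
    print(poll_tickets(TICKETS, dict(MODES), NOW))
    for ticket in TICKETS:
        print(ticket.ticket_id, ticket.work_log)
```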

The McAfee ePO server works in conjunction with a CMS to provide ticket-based enforcement. The following figure depicts the various components involved in ticket-based enforcement.

Figure 2: Components involved in ticket-based enforcement

Here is an overview of the tasks you must complete to implement and use ticket-based enforcement:
1 Install the integration server (one-time task)
2 Enter the license key in McAfee ePO (one-time task)
3 Enable ticket-based enforcement (one-time task)
4 Configure and test the connector (one-time task)
5 Add the integration server to McAfee ePO as a registered server (one-time task)
6 Use ticket-based enforcement (as needed)
7 Run queries in McAfee ePO (as needed)

Using queries

From the McAfee ePO console, you can run queries based on enforcement data. Queries are configurable objects that retrieve and display data from the database. The results of queries are displayed in charts and tables. The following ticket-based enforcement queries are available in McAfee ePO:

Query: Solidcore: History of Update Windows opened by TBE
Description: Lists all systems that were in the update window in the past due to ticket-based enforcement.

Query: Solidcore: Systems in Update Window due to TBE
Description: Lists all systems that are currently in the update window due to ticket-based enforcement.

Use this procedure to run a query.
1 Select Menu | Reporting from the McAfee ePO console.
2 Perform one of these tasks:
  - From the McAfee ePO 4.6 console, select Queries & Reports.
  - From the McAfee ePO 4.5 console, select Queries.
3 Select Solidcore in the groups list.
4 Select a query.
5 Click Run. The query results page appears. Drill down into the report and take actions on items, as needed.
  NOTE: The data used to generate the ticket-based enforcement reports is based on the actions taken at the McAfee ePO console. The reports may not reflect the current endpoint status in case of issues such as hosts being down or the network being down or slow.
6 Click Close when finished.