HP IT Operations Compliance Community Edition


HP IT Operations Compliance Community Edition
Software Version: 00.14.1200

Getting Started Guide

Document Release Date: January 2015
Software Release Date: January 2015

Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
Copyright 2014-2015 Hewlett-Packard Development Company, L.P.

Trademark Notices
Adobe is a trademark of Adobe Systems Incorporated.
Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
UNIX is a registered trademark of The Open Group.

Documentation Updates
The title page of this document contains the following identifying information:
- Software Version number, which indicates the software version.
- Document Release Date, which changes each time the document is updated.
- Software Release Date, which indicates the release date of this version of the software.

HP IT Operations Compliance Community Edition (00.14.1200) Page 2 of 36

Contents

Chapter 1 About ITOC
Chapter 2 System Requirements and Supported Platforms
    Supported Platforms
    Supported Browsers
Chapter 3 Install ITOC In Your Environment
    Prerequisites
    Install and Configure PostgreSQL
        Install PostgreSQL
        Configure PostgreSQL
    Create a Non-Root User and Configure the Install Directory
    Patch Command
    Download the ITOC Installer
    Install ITOC
    Start ITOC Components
    Log In to ITOC
Chapter 4 Administration
    Business Configuration
        Compliance
        Workflow
        Business ID Prefix
    Tuning Configuration
Chapter 5 HPLN Content
    Compliance Control Library
    Regulatory Policies
    Download Content from HPLN
    Import Compliance Content
    Log Files
Chapter 6 Set Up IT Resources
    Installing Minions on Resources
        Linux Installation
            On the ITOC Server
            On the Target Server
            On the ITOC Server
        Windows Installation
            Prerequisites
            On the ITOC Server
            On the Target Server
            On the ITOC Server
        Ubuntu 12.04 LTS
            On the Target Server
            On the ITOC Server
        Red Hat 5
            On the Target Server
            On the ITOC Server
    Creating a Resource
Chapter 7 After ITOC Installation
Appendix A Configuring a Proxy Server for Additional Security
    Example

Chapter 1 About ITOC

IT Operations Compliance (HP ITOC) allows IT Operations users to track resource compliance against corporate and regulatory policies, making your environment compliant and therefore secure. ITOC measures compliance and remediates noncompliance in a reliable and repeatable manner.

ITOC users can assess and audit the resources in their organizations.
- They can create customized policies and use Statements of Applicability (SoAs) to apply policy rules to IT resources.
- They can see if their service level objective (SLO) requirements are being met.
- They can remediate compliance failures.

ITOC users can remediate IT resources that are not in compliance. ITOC provides the detailed information users need to identify non-compliant IT resources, discover why IT resources are not in compliance, and run remediation to fix the problem and bring an IT resource back into compliance. They can find out:
- If and why exceptions exist.
- Why a failure occurred and how to fix it.

ITOC users can organize compliance information in various ways, according to their needs. They can see aggregated information such as:
- Whether a policy is compliant with all applicable business services.
- Whether a business service is compliant with all applicable policies.

Chapter 2 System Requirements and Supported Platforms

Supported Platforms

ITOC has been tested and can be installed on these OS platforms:

    Platform                             Device
    Red Hat 6                            x64
    CentOS 6.4                           x64
    Oracle Enterprise Linux (OEL) 6.2    x64

Supported Browsers

- Internet Explorer 10
- Internet Explorer 11
- Firefox
- Chrome

Chapter 3 Install ITOC In Your Environment

This section describes how to install ITOC in your environment.

Prerequisites

- PostgreSQL must be installed and configured on the server on which ITOC will be installed.
- You must have a non-root user with permission to the install directory.
- The patch command must be installed on your system.

Install and Configure PostgreSQL

PostgreSQL 9.1.3+ must be installed and configured on your server before you install ITOC.

Install PostgreSQL

For general PostgreSQL installation instructions, see: http://www.postgresql.org/docs/9.3/static/index.html
For installation instructions for a specific platform, see: https://wiki.postgresql.org/wiki/yum_installation

Configure PostgreSQL

After you have installed PostgreSQL, use PostgreSQL documentation or work with a Database administrator to configure a database, user, and password. This section shows an example of typical configuration steps.

1. As root user, set up the database.
2. Configure the database as necessary:
   a. Initialize the Postgres database:
      # service postgresql-9.3 initdb

   b. Start the service:
      # service postgresql-9.3 start
   c. Check the status:
      # service postgresql-9.3 status
   d. Ensure that Postgres will start when the server is rebooted:
      # chkconfig postgresql-9.3 on
   e. As required to allow encrypted password access, modify the pg_hba.conf file:
      # sed -i 's/ ident/ md5/g' <postgres install path>/9.3/data/pg_hba.conf
      For example:
      # sed -i 's/ ident/ md5/g' /var/lib/pgsql/9.3/data/pg_hba.conf
   f. As required to allow remote access:
      # echo "listen_addresses = '*'" >> /var/lib/pgsql/9.3/data/postgresql.conf
      # echo "# IPv4 remote connections:" >> /var/lib/pgsql/9.3/data/pg_hba.conf
      # echo "host all all 0.0.0.0/0 md5" >> /var/lib/pgsql/9.3/data/pg_hba.conf
3. Create a Postgres database, user role, and password:
      # echo "CREATE ROLE <user role> WITH LOGIN PASSWORD '<password>';" | sudo -u postgres psql
   For example:
      # echo "CREATE ROLE itoc WITH LOGIN PASSWORD 'itoc';" | sudo -u postgres psql
      # su postgres -c "createdb <DB name> --owner <DB Owner>"
   For example:
      # su postgres -c "createdb itoc --owner itoc"
4. Restart the Postgres service:
      # service postgresql-9.3 restart
      Stopping postgresql-9.3 service: [ OK ]
      Starting postgresql-9.3 service: [ OK ]
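The settings appended in steps 2e and 2f can be checked after the fact with a short audit script. This is an added example, not part of the HP guide: the function names, finding labels and sample files are constructed for illustration, and the narrowed rule assumes a single client at the documentation address 192.0.2.10 and a server with ssl = on.

```bash
#!/bin/sh
# Added example, not part of the HP guide. Function names, finding labels and
# the sample files below are constructed for illustration.

# audit_pg_hba FILE
# Prints one finding per line as "<line>:<FINDING>:<rule>" for rules that
#   - accept TCP clients from any address          (OPEN_TO_ANY_ADDRESS)
#   - match non-TLS sessions from remote clients   (TLS_NOT_REQUIRED)
#   - use the trust or cleartext password method   (WEAK_AUTH_<METHOD>)
audit_pg_hba() {
    awk '
    function loopback(a) {
        return a == "127.0.0.1/32" || a == "::1/128" || a == "127.0.0.1/255.255.255.255"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
        type = $1; addr = ""; method = $4         # local: TYPE DB USER METHOD
        if (type != "local") {                    # host*: TYPE DB USER ADDRESS [MASK] METHOD
            addr = $4; method = $5
            if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { addr = $4 "/" $5; method = $6 }
        }
        rule = $0; gsub(/[ \t]+/, " ", rule); sub(/^ /, "", rule)
        if (type != "local" && (addr == "all" || addr == "0.0.0.0/0" || addr == "::/0" || addr == "0.0.0.0/0.0.0.0"))
            print NR ":OPEN_TO_ANY_ADDRESS:" rule
        if ((type == "host" || type == "hostnossl") && !loopback(addr))
            print NR ":TLS_NOT_REQUIRED:" rule
        if (method == "trust" || method == "password")
            print NR ":WEAK_AUTH_" toupper(method) ":" rule
    }' "$1"
}

# effective_listen_addresses FILE
# Step 2f appends to postgresql.conf; when a parameter appears more than once
# the last uncommented entry is the one used, so report that one.
effective_listen_addresses() {
    awk -v q="'" '
    /^[ \t]*listen_addresses[ \t]*=/ {
        v = $0
        sub(/^[^=]*=/, "", v)                     # keep the value part
        sub(/#.*/, "", v)                         # drop a trailing comment
        gsub(/[ \t]/, "", v); gsub(q, "", v)      # drop blanks and quotes
        last = v; found = 1
    }
    END { print (found ? last : "localhost") }' "$1"   # localhost is the default
}

# Constructed sample: pg_hba.conf as it would look after steps 2e and 2f.
write_guide_pg_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   ::1/128        md5
# IPv4 remote connections:
host all all 0.0.0.0/0 md5
EOF
}

# Constructed sample: same file with the remote rule narrowed to one database,
# one role and one client over TLS (hostssl needs ssl = on in postgresql.conf).
write_narrowed_pg_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   ::1/128        md5
# ITOC server only (assumed address):
hostssl itoc itoc 192.0.2.10/32 md5
EOF
}

# Constructed sample: postgresql.conf after step 2f.
write_guide_postgresql_conf() {
    cat > "$1" <<'EOF'
#listen_addresses = 'localhost'
port = 5432
listen_addresses = '*'
EOF
}

demo() {
    d=$(mktemp -d)
    write_guide_pg_hba "$d/pg_hba.conf"
    write_narrowed_pg_hba "$d/pg_hba.narrowed.conf"
    write_guide_postgresql_conf "$d/postgresql.conf"
    echo "listen_addresses in effect: $(effective_listen_addresses "$d/postgresql.conf")"
    echo "findings, guide configuration:";    audit_pg_hba "$d/pg_hba.conf"
    echo "findings, narrowed configuration:"; audit_pg_hba "$d/pg_hba.narrowed.conf"
    rm -rf "$d"
}
demo
```

When ITOC and PostgreSQL share a host, the installer default database hostname of 127.0.0.1 means step 2f is not needed and the loopback rules alone are sufficient.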

Create a Non-Root User and Configure the Install Directory

ITOC must be installed by a non-root user with write permission to the install directory.

1. Create a non-root user for installation, and set the password. For example:
      # useradd <username>
      # passwd <username>
2. Create the install directory:
      # mkdir -p <install_directory>
   For example:
      # mkdir -p /opt/hp/itoc
3. Configure permissions on the install directory to allow access for the non-root user created in step 1:
      # chown <username> <install_directory>
      # chgrp <username> <install_directory>
   For example:
      # chown itoc /opt/hp/itoc
      # chgrp itoc /opt/hp/itoc

Patch Command

Verify the patch command is installed on your system.

Download the ITOC Installer

After you download the ITOC installer, copy and extract the <itoc installer>.zip to /tmp on the ITOC server.

Install ITOC

1. Log in as the new non-root user.
2. Unzip {installer}.zip.

   For example:
      $ unzip /tmp/h7v16-15900.zip
3. Run the ITOC installer:
      $ /tmp/ocm-installer-0.1.0.bin
4. The installer runs through an interview to capture install parameters (see the following example). Enter the values specified in the installer interview, or accept the defaults by pressing Enter:

      Preparing to install...
      Extracting the JRE from the installer archive...
      Unpacking the JRE...
      Extracting the installation resources from the installer archive...
      Configuring the installer for this system's environment...
      Launching installer...
      ==========================================================
      HP IT Operations Compliance Community Edition (created with InstallAnywhere)
      ---------------------------------------------------------
      Preparing CONSOLE Mode Installation...
      ==========================================================
      Introduction
      ------------
      This installation wizard will guide you through the installation of HP IT Operations Compliance Community Edition 00.14.1200.
      It is strongly recommended that you quit all programs before continuing with this installation.
      You may cancel the installation at any point by pressing CTRL+C.
      PRESS <ENTER> TO CONTINUE:
      ==========================================================
      License Agreement
      -----------------
      ...

5. Press Y to accept the terms of the license agreement:

      DO YOU ACCEPT THE TERMS OF THIS LICENSE AGREEMENT? (Y/N): Y

6. Enter the number for the install set of your choice, or press Enter to accept the default:

      ==========================================================
      Install Options
      ---------------
      Please choose the Install Set to be installed by this installer.
      ->1- HP ITOC
      ENTER THE NUMBER FOR THE INSTALL SET, OR PRESS <ENTER> TO ACCEPT THE DEFAULT :

7. Press Enter to accept the default, or enter an alternate existing absolute path. Then press Y to confirm your choice:

      ==========================================================
      Choose Install Folder
      ---------------------
      Please choose a destination folder for this installation.
      Where would you like to install?
      Default Install Folder: /opt/hp/itoc
      ENTER AN ABSOLUTE PATH, OR PRESS <ENTER> TO ACCEPT THE DEFAULT : /opt/hp/itoc
      INSTALL FOLDER IS: /opt/hp/itoc
      IS THIS CORRECT? (Y/N): Y

8. Enter the number for the JRE of your choice, or press Enter to accept the default:

      ==========================================================
      Select JRE
      ----------
      Select one of the following JRE options to be used by HP ITOC
      Open JRE: Use the OpenJDK JRE that is bundled with HP ITOC 00.14.1200
      Oracle JRE: Use the Oracle JRE that is already installed on the system.
      ->1- Open JRE
        2- Oracle JRE
      ENTER THE NUMBER FOR YOUR CHOICE, OR PRESS <ENTER> TO ACCEPT THE DEFAULT:: 2

9. Accept the Oracle JRE home directory default, or provide an alternative home directory (see below):

      ==========================================================
      Oracle JRE Home
      ---------------
      Please provide home directory of Oracle JRE
      JRE HOME (Default: ): /usr/java/jdk1.7.0_71/jre

10. Press Enter to select Postgres database:

      ==========================================================
      Database Type
      -------------
      Choose a database type to be used by HP ITOC
      Enter the database type (only Postgres is supported) (Default: Postgres):
      ==========================================================
      Advanced Database Configuration
      -------------------------------
      Provide detailed information for database setup or enter the database parameters that would point to an existing HP ITOC database.
      For more information about these fields, refer to the HP IT Operations Compliance Installation Guide.
      Enter the Database Hostname (Default: 127.0.0.1):
      Enter the Database Port (Default: 5432):
      Enter the ITOC Database Name (Default: itoc): itoc
      Enter the Database Username (Default: itoc): itoc

11. Enter the password created in Configure PostgreSQL and the hostname:

      ==========================================================
      ITOC Database User Password
      ---------------------------
      Enter the ITOC database user password:
      ==========================================================
      Enter the ITOC Server hostname
      ------------------------------
      Enter the fully-qualified domain name of this system. This name is used to generate the SSL certificate and configure HP ITOC.
      WARNING: If you enter an IP address, after installation completes, you must manually generate a self-signed certificate using the fully-qualified domain name of the system on which you installed HP ITOC. For more information, refer to the "HP IT Operations Compliance Configuration Guide."
      Fully Qualified Hostname (Default: itoc.yoursite.com):

12. Enter the installer user password (this is the password of the UNIX user that was just created and to which you are currently logged in):

      Installation User Password
      --------------------------
      Please Enter the Password:
      ==========================================================

13. Create your user-defined ITOC Admin User password, which is the password for the new itocadmin account within ITOC itself. This password must have 6 or more characters:

      ==========================================================
      ITOC Admin User Password Re-Prompt
      ----------------------------------
      Please Re-Enter the Password:
      ==========================================================
      Pre-Installation Summary
      ------------------------
      Please Review the Following Before Continuing:
      Install Folder:
          /opt/hp/itoc
      Product Name
          HP IT Operations Compliance Community Edition 00.14.1200
      ITOC Database
          PostgreSQL (itoc:itoc@127.0.0.1:5432)
      Disk Space Information (for Installation Target):
          Required: 658,116,909 Bytes
          Available: 47,000,420,352 Bytes
      PRESS <ENTER> TO CONTINUE:
      ==========================================================
      Installing...
      ==========================================================
      Installation Complete
      ---------------------
      Congratulations. HP IT Operations Compliance Community Edition has been successfully installed to:
      /opt/hp/itoc
      Follow the document guide for starting services.
      PRESS <ENTER> TO EXIT THE INSTALLER

Caution: Depending on the level of your security requirements, it is recommended that the installation or upgrade team encrypt or move installation log files to a secure server and, if necessary, encrypt, move to a secure server, and/or purge sensitive information from the installer logs and property files. Remember that certain installer logs and property files are needed for installations and the log files are useful for troubleshooting, so removing them completely is not recommended. The location is <install_location>/_ocm_1_0_0_installation/

Start ITOC Components

Tip: Create init.d scripts as root user to execute the ITOC startup scripts (from /opt/hp/itoc/scripts/scripts) to automatically start the ITOC service on system restart.

1. To start, stop, or check the status of ITOC:
      $ <itoc_install_directory>/scripts/itoc <start|stop|status>
   For example:
      $ /opt/hp/itoc/scripts/itoc start
2. To start, stop, or check the status of the ITOC portal:
      $ <itoc_install_directory>/scripts/portal <start|stop|status>
   For example:
      $ /opt/hp/itoc/scripts/portal start

Note: After you perform these steps, wait a few minutes for all services to start.

Log In to ITOC

Note: The ITOC hostname must be resolvable from your Windows client server.

1. From your browser, log into ITOC:
      http://<itoc_hostname>:9000
   Note: Although this URL is HTTP, the communication is secure. To access the application through an HTTPS URL, you can configure a proxy server. For more information, see Configuring a Proxy Server for Additional Security.
2. Accept the certificate that appears in the Security warning. To use your own signed certificate, see Configuring a Proxy Server for Additional Security.
3. The ITOC login screen appears. Enter the itocadmin username and the password you created during the installation.

Chapter 4 Administration

This section describes how to set up the ITOC business configuration and tuning configuration. For more information about ITOC administration, see the HP IT Operations Compliance Community Edition User Guide.

Business Configuration

To view and edit business configuration details:

1. Log into ITOC and click the Administration tab.
2. Click the Business Configuration tab to view details.
3. Click Actions to Edit Business Configuration. The Edit Business Configuration form appears (see below).

Compliance

Compliance Threshold: The value can be a number from 1 through 100. It is the minimum percentage of compliance to be considered compliant overall. The default is 100.

Workflow

Set the workflow per business entity.
- Auto-Approval means that no approval is required, and submit takes the entity from draft to production.
- Approval Required means that the named approver must approve the object before it goes into production.

- Business Services: Default is Auto-Approval.
- Controls: Default is Approval Required.
- Policies: Default is Approval Required.
- Statements of Applicability: Default is Approval Required.

Business ID Prefix

Per business entity, define the starting characters for the ID to distinguish different entity types from each other. The user can change the prefix of the auto-generated ID for each object type. The allowable prefix length is 1 to 50 characters.

Tuning Configuration

To view details about and configure the tuning configuration:

1. Click the Tuning Configuration tab to view details. Under Tuning, view the Compliance Concurrency (the default is 75) and the Log Level (the default is ERROR).
2. Click Actions to Edit Tuning Configuration. The Edit Tuning Configuration form appears.

1. Compliance Concurrency: Number of concurrent threads used during Scan Compliance and Remediate job execution. The user can modify the compliance concurrency to any value from 1 through 255.
2. Log Level: Set the log level to control the logging granularity in the <install directory>/serverlog/itoc-server.log. The default is ERROR. Available levels are ALL, OFF, DEBUG, ERROR, INFO, TRACE, and WARN.

Chapter 5 HPLN Content

This section describes how to import ITOC content from HP Live Network (HPLN).

IT organizations are increasingly required to cut costs while maintaining a secure and compliant infrastructure. The Security and Compliance Service for HP IT Operations Compliance (HP ITOC) is a subscription service that delivers up-to-date compliance policies to immediately identify security configuration issues in your environment. The policies include built-in remediation wherever applicable, so you can fix compliance issues quickly without expending a lot of resources.

If you have a content subscription to HPLN, you can be kept up-to-date on the latest industry compliance standards, based on the needs of your data center. For example, subscription services give you access to regularly updated security best practices, such as the Center for Internet Security (CIS), Payment Card Industry (PCI), and so on. It also enables access to additional free non-subscription content, such as Center for Internet Security (CIS) for the HP ITOC Community Edition.

For information about subscribing to HPLN subscription services, go to https://hpln.hp.com/group/hp-it-operations-compliance.

As part of the HP ITOC Community Edition, the following content is available to download over HPLN to assist organizations with managing compliance:
- Compliance Control Library for the HP IT Operations Compliance Community Edition
- CIS Operating System Benchmark Policies for the HP IT Operations Compliance Community Edition

Compliance Control Library

The Compliance Control Library includes an array of user-customizable controls to audit and remediate commonly used objects on OS platforms and database servers, such as local security settings on Windows or RPMs on Linux. For example, users can define different audits to ensure that a subset of Windows managed servers has a minimum password length of 8 characters, while a different set of servers has a minimum password length of 10.

Where possible, controls have remediation enabled to allow users to bring managed servers into custom-defined compliance. Controls specific to OS platform and database servers are delivered in separate bundles.

The following control libraries are currently available as free non-subscription content for HP IT Operations Compliance Community Edition.

Name: Control Library for Microsoft Windows
    Description: Includes an array of user-customizable controls to audit and remediate commonly used objects on Microsoft Windows OS platforms.

Name: Control Library for UNIX
    Description: Includes an array of user-customizable controls to audit and remediate commonly used objects on Linux OS platforms.

Name: Control Library for Oracle 10g/11g
    Description: Includes an array of user-customizable controls to audit commonly used objects on Oracle 10g and 11g database servers.

The following OS platforms and databases are supported by the HP-provided control libraries:
- CentOS 5
- CentOS 6
- CentOS 7
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2008 R2
- Red Hat Enterprise Linux Server 5
- Red Hat Enterprise Linux Server 6
- Red Hat Enterprise Linux Server 7
- SUSE Linux Enterprise Server 10
- SUSE Linux Enterprise Server 11
- Ubuntu 12.04 LTS Server
- Oracle 10g
- Oracle 11g

Note: Oracle 10g and Oracle 11g are supported on RHEL 6 and SLES 11 only.

Regulatory Policies

The out-of-the-box (OOTB) regulatory policies provide predefined values for audit and remediation according to guidelines such as CIS, PCI, or SOX. The following policies are currently available as free non-subscription content for HP ITOC Community Edition implemented according to CIS guidelines.

Name: CIS Microsoft Windows Server 2012 version 1.0.0
    Description: CIS Microsoft Windows Server 2012 Benchmark v1.0.0 provides prescriptive guidance for establishing a secure configuration posture for CIS Microsoft Windows Server 2012.

Name: CIS Red Hat Enterprise Linux 6 Benchmark version 1.3.0
    Description: CIS Red Hat Enterprise Linux 6 Benchmark provides prescriptive guidance for establishing a secure configuration posture for RHEL versions 6.x running on x86 and x64 platforms.

Name: CIS Red Hat Enterprise Linux 5 Benchmark version 2.1.0
    Description: CIS Red Hat Enterprise Linux 5 Benchmark provides prescriptive guidance for establishing a secure configuration posture for RHEL versions 5.x running on x86 and x64 platforms.

Name: CIS SUSE Linux Enterprise Server 11, version 1.0.0
    Description: CIS SUSE Linux Enterprise Server 11 Benchmark provides prescriptive guidance for establishing a secure configuration posture for SUSE Linux Enterprise Server (SLES) version 11 running on x86 and x64 platforms.

Name: CIS Ubuntu 12.04 LTS Server Benchmark version 1.0.0
    Description: CIS Ubuntu 12.04 LTS Server Benchmark provides prescriptive guidance for establishing a secure configuration posture for Ubuntu 12.04 LTS Server.

Name: CIS Security Configuration Benchmark for Oracle Database Server 11g, version 1.0.1
    Description: CIS Security Configuration Benchmark for Oracle Database Server 11g provides prescriptive guidance to secure Oracle database from conventional OOTB threats.

Name: CIS Benchmark for Oracle 9i/10g, version 2.01
    Description: CIS Security Configuration Benchmark for Oracle Database Server 10g provides prescriptive guidance to secure Oracle database from conventional OOTB threats.

Note: For all benchmark policies, the corresponding compliance control library is a prerequisite. Please import the respective control library before importing any benchmark policy.

Note: All rules in a policy are set with audit and remediation parameter values as recommended by the benchmark document. There are some rules for which the benchmark suggests setting a value that is consistent with the security and operational requirements of an organization. Such requirements in OOTB policies and the values provided in the audit and remediation parameters are intended as an example only or as a default value set as per the benchmark recommendation. Please edit rules to include the specific values that are consistent with the security and operational requirements of your organization. Please refer to the CIS benchmark document for requirements that need specific values to be configured.

Download Content from HPLN

The compliance content delivered for HP IT Operations Compliance is available for download from HPLN with a valid subscription. Your HP Passport login credentials are required for viewing HP ITOC product-related information and downloading the required compliance content offerings on HPLN. For information about subscribing to HPLN subscription services, contact your sales representative.

HP ITOC product-related information is located at: https://hpln.hp.com/group/hp-it-operations-compliance

To download the compliance content packs offered:

1. Expand the Featured Content section on the right-hand side of the product landing page, and click on the content offering you want.

2. Click on the Download button for the required Content Pack: Compliance Control Library Content Packs can be downloaded from: https://hpln.hp.com/contentoffering/compliance-control-library CIS Benchmark Policy Content Packs can be downloaded from: https://hpln.hp.com/contentoffering/center-internet-security-cis-benchmarkpolicies 3. Copy to your ITOC server; for example, to /tmp. Import Compliance Content Note: Having the Compliance Control Library is a prerequisite for importing any Compliance Regulatory Policy mentioned. 1. Log into ITOC server as the root or non-root user. 2. Import the Control Library: $<itoc_install_directory>/importer/controlimporter <controlbundlefile> <itocuser> <itocpassword> For example: HP IT Operations Compliance Community Edition (00.14.1200) Page 24 of 36

    $ /opt/hp/itoc/importer/controlimporter /tmp/hpitoc-wincontrollibrary.zip itocadmin hpitoc

3. Run the controls importer once for each control package desired.

4. Import Policies:

    $ <itoc_install_directory>/importer/policyimporter <policyzipfile> <itocuser> <itocuserpassword>

   For example:

    $ /opt/hp/itoc/importer/policyimporter /tmp/hpitoc-ciswin2k12-3449-20141125.zip itocadmin hpitoc

5. Run the Policy Importer once for each policy package desired.

Log Files

The Control and Policy Import log files are located here:

    <itoc_install_directory>/importer/log

    ControlImporter.log - Control Import log file
    PolicyImporter.log  - Policy Import log file

Chapter 6: Set Up IT Resources

This section describes how to set up and configure IT Resources. For further information about Resources, see the HP IT Operations Compliance Community Edition User Guide.

Installing Minions on Resources

This section describes installing a Salt minion on your IT Resources. ITOC provides packaged minion, or agent, installers for the following target resources:

    Platform                      Minion Installer .zip
    CentOS 6                      RHEL6_minion-1.4.1.zip
    RHEL 6 x64                    RHEL6_minion-1.4.1.zip
    OEL 6                         RHEL6_minion-1.4.1.zip
    SLES 11 SP2 x64               SLES11_minion-2014.1.10.166.1.zip
    Ubuntu 14.04 LTS              Ubuntu14041LTS_minion-2014.1.11.zip
    Windows Server 2012 R2 x64    Win64_minion-2014.1.10.zip
    Windows Server 2012           Win64_minion-2014.1.10.zip

This section also provides instructions for installing minions on Ubuntu and RHEL 5.

Linux Installation

Use this procedure to install minions on these platforms:

- CentOS 6
- OEL 6
- RHEL 6 x64

- SLES 11 SP2 x64
- Ubuntu 14.04 LTS

On the ITOC Server

1. Copy the <minion_install>.zip and minion installer script to the target server. For example:

    $ scp <itoc_install_directory>/salt/srv/salt/rhel6_minion-1.4.1.zip <target_server>:/tmp/
    $ scp <itoc_install_directory>/salt/srv/salt/minion_easy_install.sh <target_server>:/tmp/

On the Target Server

1. Run the minion installer script:

    $ /tmp/minion_easy_install.sh

   The minion will be installed and started.

Next step: Accept the minion key on the ITOC server.

On the ITOC Server

1. Export the Python and Library paths:

    export SALT_HOME=<install_directory>/salt
    export PYTHONPATH=${SALT_HOME}/usr/lib64/python2.6/site-packages:${SALT_HOME}/usr/lib/python2.6/site-packages
    export LD_LIBRARY_PATH=${SALT_HOME}/usr/lib64:${SALT_HOME}/usr/lib

   Note: You can add the environment variables to the shell login or shell profile initialization dot scripts of the ITOC user to make it easier to execute the list or accept key commands.

2. List the available keys:

    $ <itoc_install_directory>/salt/usr/bin/salt-key -L
    Accepted Keys:
    itoc.yoursite.com
    Unaccepted Keys:
    target01.itoc.yoursite.com
    Rejected Keys:

3. Accept the minion with:

    $ <itoc_install_directory>/salt/usr/bin/salt-key -A
    The following keys are going to be accepted:
    Unaccepted Keys:
    target01.itoc.yoursite.com
    Proceed? [n/y] Y
    Key for minion target01.itoc.yoursite.com accepted.

   Note: You can accept all minion keys at once. Install the minions on multiple target servers as needed for your environment, then accept all minion keys.

4. Test the connection:

    $ <itoc_install_directory>/salt/usr/bin/salt "target01.itoc.yoursite.com" test.ping
    target01.itoc.yoursite.com:
        True

Windows Installation

You can install ITOC on:

- Windows Server 2012 R2 x64
- Windows Server 2012

Prerequisites

- Python must be installed at C:\Python27 on the ITOC server. If Python is installed elsewhere on your server, you can change the default value of the Windows Python location property called ocm.rex.salt.minion.windows.pythonloc, located in the <itoc_install_location>/wildfly-8.1.0.final/standalone/deployments/ocm.war/web-inf/classes/application.properties file.
- pywin32 must also be installed on the Windows target resource.
- The c:\tmp directory must exist on the Windows target resource.

On the ITOC Server

Copy Win64_minion-2014.1.10.zip to the target server:

    $ scp <itoc_install_directory>/salt/srv/salt/win64_minion-2014.1.10.zip <target_server>:/temp/
    $ scp <itoc_install_directory>/salt/srv/salt/minion_easy_install.sh <target_server>:/temp/

On the Target Server

1. Unzip Win64_minion-2014.1.10.zip:

    unzip C:\Temp\Win64_minion-2014.1.10.zip

2. Run /minionpkg/install_minion.bat:

    C:\Temp\install_minion.bat

   The minion is installed and started.

On the ITOC Server

Accept the minion keys on the ITOC server.

Next: Perform the steps in "On the ITOC Server" under Linux Installation.

Ubuntu 12.04 LTS

On the Target Server

1. Add the Salt repository:

    $ add-apt-repository ppa:saltstack/salt

   If add-apt-repository is not found, install the following packages:

    $ apt-get install python-software-properties
    $ apt-get install software-properties-common

2. Install the Salt minion package:

    $ apt-get install salt-minion

3. Configure the master hostname and port by editing /etc/salt/minion and setting the following values:

    $ vi /etc/salt/minion

    master: <master FQDN>

    master_port: 7778

4. Restart the minion service:

    $ service minion restart

On the ITOC Server

Accept the minion keys on the ITOC server.

Next: Perform the steps in "On the ITOC Server" under Linux Installation.

Red Hat 5

If both Python 2.4 and Python 2.6 are installed on the ITOC server, perform these steps to use Python 2.6 as required by ITOC:

1. Move /usr/bin/python to /usr/bin/python-2.4:

    $ mv /usr/bin/python /usr/bin/python-2.4

2. Create a soft link to Python 2.6:

    $ ln -s /usr/bin/python2.6 /usr/bin/python

On the Target Server

1. Install the EPEL package:

    $ rpm -Uvh http://mirror.pnl.gov/epel/5/i386/epel-release-5-4.noarch.rpm

2. Install the Salt minion using YUM:

    $ yum install salt-minion

3. Modify the Salt minion configuration file to refer to the master server FQDN:

    $ vim /etc/salt/minion

    master: <master FQDN>
    master_port: 7778

4. Start the Salt minion service:

    $ /etc/init.d/salt-minion start

On the ITOC Server

Accept the minion keys on the ITOC server.

Next: Perform the steps in "On the ITOC Server" under Linux Installation.

Creating a Resource

Note: Ensure that the FQDN used in the minion configuration is resolvable through DNS or by the local /etc/hosts file.

1. Log in to ITOC.

2. Navigate to the Resources section, and click Actions. Select New Resource.

3. The New Resource screen appears.

   Name (required) - Enter a name for the resource.

   Resource Type - Use the dropdown list to select a resource type. Depending on the resource type you select, different resource attributes are available to specify.
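The key-acceptance step in this chapter uses salt-key -A, which accepts every pending key in one go. The script below is an added example, not part of the HP guide: it compares the pending list with an inventory of hosts you actually installed, so that expected minions can be accepted by name and anything else is held back. The allowlist file, the function names and the second pending key in the sample are assumptions.

```shell
#!/bin/sh
# Added example: review pending Salt minion keys before accepting any.
# stdin: output of "salt-key -L"; $1: file of expected minion IDs, one per line.

pending_keys() {            # IDs listed under "Unaccepted Keys:"
    awk '
        /^Unaccepted Keys:/ { pending = 1; next }
        /^[A-Za-z]+ Keys:/  { pending = 0; next }   # any other section header
        pending && NF       { print $1 }
    '
}
unexpected_pending() {      # pending IDs that are NOT in the allowlist
    pending_keys | grep -vxF -f "$1" || true
}
expected_pending() {        # pending IDs that ARE in the allowlist
    pending_keys | grep -xF -f "$1" || true
}

# Constructed sample: the listing from step 2 plus one key nobody installed.
sample_listing() {
    cat <<'EOF'
Accepted Keys:
itoc.yoursite.com
Unaccepted Keys:
target01.itoc.yoursite.com
unknown01.example.net
Rejected Keys:
EOF
}

# Constructed inventory of minions that were deliberately installed.
allow=$(mktemp)
trap 'rm -f "$allow"' EXIT
printf '%s\n' target01.itoc.yoursite.com target02.itoc.yoursite.com > "$allow"

for id in $(sample_listing | expected_pending "$allow"); do
    echo "expected:   $id (check 'salt-key -f $id', then 'salt-key -a $id')"
done
for id in $(sample_listing | unexpected_pending "$allow"); do
    echo "UNEXPECTED: $id (leave unaccepted and investigate)"
done
```

On a live server, pipe the real salt-key -L output into the functions instead of sample_listing. The fingerprint printed by salt-key -f can be compared with the output of salt-call --local key.finger on the minion itself.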

Chapter 7: After ITOC Installation

Once you have installed ITOC in your environment, you are ready to:

- Set up users and roles, modifying their responsibilities and permissions to suit your environment.
- Create and modify business services, allowing you to share IT resources.
- Review imported policies and modify rule parameters to match your organization's criteria and environment.
- Create and modify SoAs for policies and business services.
- Run compliance scan and remediation jobs and view results.

See the HP IT Operations Compliance Community Edition User Guide for further information.

Appendix A: Configuring a Proxy Server for Additional Security

ITOC has a user interface (JavaScript/HTML/CSS) server running on HTTP port 9000 and the REST API server running on HTTPS port 7771. All communications between the UI JavaScript application in the web browser and the API server occur through HTTPS and are secure. The API server uses a self-signed certificate created during product install that needs to be accepted once as a trusted certificate in the web browser. This certificate could be replaced by a signed certificate provided by the user.

You can also configure a proxy server with your own signed certificate so that all requests go to this proxy through HTTPS before going to the UI and API servers behind it.

Example

The following example describes how to configure the proxy server, HAProxy, with ITOC. See http://www.haproxy.org for HAProxy documentation and configuration details.

In this example, /opt/hp/itoc is the ITOC install location, with HAProxy installed and configured at /opt/hp/itoc/haproxy. The example shows installing from source. You can also download and install the binary package directly, and skip the build steps shown in the example.

1. Install the dependencies:

    # yum install gcc
    # yum install openssl-devel

2. Install HAProxy from source:

    # wget http://www.haproxy.org/download/1.5/src/haproxy-1.5.9.tar.gz
    # tar -xzvf haproxy-1.5.9.tar.gz
    # cd haproxy-1.5.9
    # mkdir /opt/hp/itoc/haproxy
    # make TARGET=linux26 USE_OPENSSL=1
    # make PREFIX=/opt/hp/itoc/haproxy install

3. Create a self-signed certificate to use for HTTPS. Alternatively, you can use your own certificate instead of the self-signed certificate generated during the install.

    # mkdir /opt/hp/itoc/haproxy/etc
    # mkdir /opt/hp/itoc/haproxy/etc/ssl
    # cd /opt/hp/itoc/haproxy/etc/ssl
    # openssl genrsa -out proxy.key 1024
    # openssl req -new -key proxy.key -out proxy.csr
    # openssl x509 -req -days 365 -in proxy.csr -signkey proxy.key -out proxy.crt
    # cat proxy.crt proxy.key | tee proxy.pem
    # ls /opt/hp/itoc/haproxy/etc/ssl
    proxy.crt proxy.csr proxy.key proxy.pem

4. Configure the proxy with ITOC ports. This step uses the proxy.pem created for HTTPS in step 3. Add proxy rules to redirect all traffic to the UI server port.

    # vi /opt/hp/itoc/haproxy/etc/proxy.cfg

    defaults
        log 127.0.0.1 local0
        option tcplog

    frontend http-in
        bind *:80
        reqadd X-Forwarded-Proto:\ http
        default_backend ui

    frontend https-in
        bind *:443 ssl crt /opt/hp/itoc/haproxy/etc/ssl/proxy.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend ui

    backend ui
        # mode http
        option forwardfor
        server srv1 localhost:9000

5. Validate the configuration:

    # /opt/hp/itoc/haproxy/sbin/haproxy -c -f /opt/hp/itoc/haproxy/etc/proxy.cfg

6. Run the proxy server. You will be redirected to the ITOC UI server.

    # /opt/hp/itoc/haproxy/sbin/haproxy -f /opt/hp/itoc/haproxy/etc/proxy.cfg
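In the proxy.cfg from step 4, the http-in frontend on port 80 forwards requests to the UI backend without TLS, so a browser that connects over http:// never reaches the certificate from step 3. The check below is an added example, not part of the HP guide: it lists frontends that accept cleartext connections and carry no redirect to HTTPS. The function names and the redirect lines in fixed_cfg are assumptions.

```shell
#!/bin/sh
# Added example: print HAProxy frontends that accept cleartext HTTP and
# never redirect to HTTPS. Reads a configuration on stdin.
cleartext_frontends() {
    awk '
        function report() { if (name != "" && plain && !redir) print name }
        $1 ~ /^#/ { next }                      # whole-line comments
        $1 == "global" || $1 == "defaults" || $1 == "frontend" ||
        $1 == "backend" || $1 == "listen" {     # a new section starts
            report()
            name = ($1 == "frontend") ? $2 : ""
            plain = 0; redir = 0
            next
        }
        name == "" { next }                     # only frontends are checked
        $1 == "bind" {                          # listener without ssl keyword
            tls = 0
            for (i = 3; i <= NF; i++) if ($i == "ssl") tls = 1
            if (!tls) plain = 1
        }
        {                                       # any "redirect scheme https"
            for (i = 1; i + 2 <= NF; i++)
                if ($i == "redirect" && $(i+1) == "scheme" && $(i+2) == "https")
                    redir = 1
        }
        END { report() }
    '
}
# Constructed input: the two frontends and the backend from step 4.
page_cfg() {
    cat <<'EOF'
frontend http-in
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend ui
frontend https-in
    bind *:443 ssl crt /opt/hp/itoc/haproxy/etc/ssl/proxy.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend ui
backend ui
    option forwardfor
    server srv1 localhost:9000
EOF
}
# Assumed fix (not from the guide): port 80 only redirects to HTTPS.
fixed_cfg() {
    page_cfg | awk '{ print } $1 == "bind" && $2 == "*:80" {
        print "    mode http\n    redirect scheme https code 301" }'
}
page_cfg | cleartext_frontends    # prints: http-in
```

Step 3 also generates a 1024-bit RSA key; the CA/Browser Forum baseline has required at least 2048 bits for publicly trusted certificates since 2014, so pass 2048 to openssl genrsa when the proxy serves real users.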

Send Documentation Feedback

If you have comments about HP ITOC or this document, contact HP. If an email client is configured on this system, click the link above and an email window opens with the following information in the subject line:

    Feedback on Getting Started Guide (IT Operations Compliance Community Edition 00.14.1200)

Just add your feedback to the email and click send.

If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to itopscompliance@hp.com.

We appreciate your feedback!