Tivoli® Security Compliance Manager
Fix Pack 5.1.0-TIV-SCM-FP0009 Release Notes
Version 5.1 — Fix Pack 5.1.0-TIV-SCM-FP0009 — December 17, 2004
GI11-4617-00
Note
Before using this information and the product it supports, read the information in “Notices,” on page 65.
First Edition (December 2004)
This edition applies to fix pack 5.1.0-TIV-SCM-FP0009 of version 5, release 1, modification 0 of IBM Tivoli Security
Compliance Manager (product number 5724-F82) and to all subsequent releases and modifications until otherwise
indicated in new editions.
© Copyright International Business Machines Corporation 2004. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Chapter 1. Fix pack 5.1.0-TIV-SCM-FP0009 overview . . . . . . . . . . . . . . . . . 1
Chapter 2. Novell NetWare client component support . . . . . . . . . . . . . . . . 3
Before you install . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Installing the client component on a NetWare system . . . . . . . . . . . . . . . . . . . . . . 3
Changing the password used by the client . . . . . . . . . . . . . . . . . . . . . . . . . 5
Uninstalling the client component on a NetWare system . . . . . . . . . . . . . . . . . . . . . 5
jacclient command (NetWare systems) . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Chapter 3. Administration console changes . . . . . . . . . . . . . . . . . . . . 9
Administration console supported on Linux systems . . . . . . . . . . . . . . . . . . . . . . 9
Preference changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Client page changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Client types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Collectors page changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Users/Roles page changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Creating a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Setting the password for a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Modifying user information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Viewing the audit log for a user . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Viewing assigned user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Viewing the roles assigned to a user . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Removing a user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Creating a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Changing the description of a user group . . . . . . . . . . . . . . . . . . . . . . . . 14
Changing the name of a user group . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Adding a user to a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Adding a user to multiple user groups . . . . . . . . . . . . . . . . . . . . . . . . . 15
Assigning roles to a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Removing a user from a user group . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Removing a user from multiple user groups . . . . . . . . . . . . . . . . . . . . . . . 15
Removing roles from a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Removing a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Creating a role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Changing the description of a role . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Changing the type of a role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Renaming a role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Adding permissions to a role . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Viewing permissions granted to a role . . . . . . . . . . . . . . . . . . . . . . . . . 17
Adding resources to a role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Inheriting permissions from a template . . . . . . . . . . . . . . . . . . . . . . . . . 18
Disinheriting permissions from a template . . . . . . . . . . . . . . . . . . . . . . . . 18
Removing permissions from a role . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Removing resources from a role . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Removing a role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Policies page changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Structure of both system and data tables viewable . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 4. Command changes . . . . . . . . . . . . . . . . . . . . . . . . . 21
Handling of special characters in options . . . . . . . . . . . . . . . . . . . . . . . . . 21
Environment variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
scmadduser command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
scmaddusergroup command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
scmaddusergrouprole command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
scmcreatesnapshot command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
© Copyright IBM Corp. 2004 iii
scmlistavailableroles command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
scmlistgroupclients command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
scmlistgrouppolicies command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
scmlistusergroups command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
scmregisterclient command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
scmremoveuser command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
scmremoveusergroup command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
scmremoveusergrouprole command . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
scmresetclient command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
scmrunpolicycollectors command . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
scmsetuserinfo command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
scmsuspendclient command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Chapter 5. Documentation updates . . . . . . . . . . . . . . . . . . . . . . . 49
Supported operating systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Uninstalling components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Obtaining IBM HTTP Server Version 1.x . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Updating clients from server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Column data types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Collector documentation updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
aix.any.SecPasswdV1.jar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
unix.any.AnonFtpPasswdV1.jar . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
unix.any.FileSearchV1.jar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
unix.any.UsersV1.jar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
unix.multi.NddV1.jar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
unix.multi.ShadowV1.jar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
win.any.NavV1.jar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
win.any.SnmpActiveV1.jar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Chapter 6. Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Appendix. Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Additional notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Notice for Apache Software Foundation . . . . . . . . . . . . . . . . . . . . . . . . . 67
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
iv IBM Tivoli Security Compliance Manager: Fix Pack 5.1.0-TIV-SCM-FP0009 Release Notes
Chapter 1. Fix pack 5.1.0-TIV-SCM-FP0009 overview
Fix pack 5.1.0-TIV-SCM-FP0009 for IBM® Tivoli® Security Compliance Manager
Version 5.1 provides numerous enhancements.
The Novell NetWare operating system has been added as a supported platform for
the client component of Tivoli Security Compliance Manager. Collectors supporting
NetWare systems are available on the Tivoli Security Compliance Manager Utilities
Web page at:
http://www.ibm.com/support/docview.wss?uid=swg24007082
The administration console is now supported on some Linux™ systems. In
addition, many enhancements have been made to the administration console to
permit operations to be performed on multiple collectors at a time, and to provide
the ability to run all the collectors associated with a policy on a client or client
group. A snapshot can be created for a single client or client group as well.
Users and user groups can now be managed using new administration commands.
An enhanced Users/Roles page is available in the administration console that
permits actions to be taken on multiple objects at a time, and permits you to view
the user groups and roles associated with a particular user.
The data collection activity on a client or client group can be suspended using the
new scmsuspendclient command. Clients that are suspended are shown in the
administration console with different icons. The scmsuspendclient command also is
used to resume data collection.
A new environment variable, SCMRMI_TIMEOUT, is provided to adjust the
amount of time that administration commands wait for a response from the server.
Additional information has been added describing the handling of special
characters, such as an ampersand (&) or forward slash (/) in command options.
A new environment variable, SCMCLI_ERRORLOG, is provided to specify the
name of a file to contain error messages produced by the administration
commands. In addition, all administration commands now support an –errorlog
option.
Support for managing the client component of Tivoli Security Compliance Manager
using IBM Tivoli License Manager has been added. Refer to the Tivoli License
Manager documentation for information on license management.
Chapter 2. Novell NetWare client component support
Novell NetWare has been added as a supported platform for the client component.
The client component is supported on Novell NetWare versions 5.1, 6.0, and 6.5.
Before you install
Before installing the client on a NetWare system, you must install a suitable JRE
and copy the installation files to the system.
Java™ runtime environment required
Before installing the client component on a NetWare system, you must install a
suitable Java runtime environment (JRE). Install the Novell JVM 1.3.1 on the
NetWare system before installing Tivoli Security Compliance Manager.
NJCLv2 required
Tivoli Security Compliance Manager uses the Novell NJCL Java classes to authenticate the
client with NDS. Only NJCLv2 is supported; the original NJCL is not.
To configure the Novell JVM to use NJCLv2 instead of NJCL, do the following.
1. Locate the NJCLv2 files in the SYS:\JAVA\NJCLV2 directory.
2. Copy the files in the SYS:\JAVA\NJCLV2\LIB directory to the SYS:\JAVA\LIB
directory.
3. Copy the files in the SYS:\JAVA\NJCLV2\BIN directory to the SYS:\JAVA\BIN
directory.
4. Make a backup copy of the Java.CFG file.
5. Edit the Java.CFG file and change the NJCL entry from njcl.jar to njclv2.jar.
TCP/IP required
Tivoli Security Compliance Manager uses the TCP/IP protocol for its network
communications. Ensure that the NetWare systems have TCP/IP installed and
configured.
Files required for installation
The installation wizard for NetWare is packaged with fix pack
5.1.0-TIV-SCM-FP0009, or later, and consists of two files:
scmNWclient_win32.exe
scmNWclient.jar
Copy both files to the NetWare system where the client is to be installed.
Installing the client component on a NetWare system
The client component is installed using the InstallShield MultiPlatform wizard
provided.
Before installing the client, ensure that the Novell JVM 1.3.1 has been installed, that
the JVM has been configured to use NJCLv2, and that the NetWare installation
wizard files have been made available on the NetWare system.
The installation wizard is a Microsoft® Windows® application that you run on the
Windows system. The wizard must have access to the NetWare file system in order
to update system files and install the client component software. A Java runtime
environment (JRE) for Windows is installed with the client component to enable
the uninstallation program, as well as the problem determination tools, to run on
Windows. This JVM cannot be used under NetWare.
The installation panels are very similar to the ones shown in the IBM Tivoli Security
Compliance Manager Installation Guide: Client Component and IBM Tivoli Security
Compliance Manager Installation Guide: All Components documents and are not
reproduced in this document. The panels are displayed in the same sequence,
however several additional panels are added to permit the gathering of
NetWare-specific information.
If you are not familiar with installing the client component of Tivoli Security
Compliance Manager, read the information in the IBM Tivoli Security Compliance
Manager Installation Guide: Client Component document before proceeding.
1. Log in to Microsoft Windows with a user that is a member of the
Administrators group.
2. Go to the directory where the files for the NetWare installation wizard are
located.
3. Start the installation wizard.
scmNWclient_win32.exe
4. Select the desired language from the language selection panel and click OK.
5. Read the information displayed in the Welcome panel and then click Next to
continue.
6. Read the license agreement and after agreeing to the conditions, click Next to
continue.
7. Specify the location where the Tivoli Security Compliance Manager files are to
be installed on the NetWare system. Specify the directory using the Windows
drive that is mapped to the NetWare volume along with the desired directory
path. For example, if you want to install the files in the \IBM\NW\SCM
directory on the SYS:\PUBLIC NetWare volume, then map a Windows drive
(such as S:) to the SYS: volume and specify the installation location as
S:\PUBLIC\IBM\NW\SCM.
8. A new NetWare volume information panel is displayed. In the NetWare
volume and path mapped by the S: drive field, specify the NetWare volume
name and path associated with the installation location specified in the
previous window, such as SYS:\PUBLIC. In the Location of autoexec.ncf file
field, specify the fully qualified directory path and file name for the
autoexec.ncf using the mapped Windows drive. For example, specify
s:\system\autoexec.ncf where S: is the Windows drive mapped to the desired
NetWare volume. Click Next to continue.
9. A new NetWare Configuration panel is displayed. In the User context field,
enter the Novell user context that the client and the collectors are to run with.
In the Password field, enter the password associated with the user context
specified. In the Location of the Novell Java classes field, verify that the
location for the NJCLv2 classes is correct. Typically, the classes are located in
the sys:\java\njclv2\lib\njclv2.jar file. Click Next to continue.
10. Complete the installation by following steps 8 through 12 in the ″Installing
the Tivoli Security Compliance Manager client″ chapter of the installation
document. This information is in Chapter 2 of the IBM Tivoli Security
Compliance Manager Installation Guide: Client Component book, and in Chapter 3
of the IBM Tivoli Security Compliance Manager Installation Guide: All Components
book.
The installation program adds an entry to the autoexec.ncf file to start the Tivoli
Security Compliance Manager client each time the NetWare server is started. To
start the client immediately after the installation is complete, use the following
command on the NetWare server console:
NetWare_Install_Dir\client\jacclient start
Changing the password used by the client
Whenever the password associated with the user context used by the client
component is changed, you must modify the client.pref file to specify the new
password.
To change the password used by the client component to authenticate with NDS,
do the following.
1. Make a backup copy of the client.pref file located in the installation directory in
the client subdirectory.
2. Edit the client.pref file and locate the [netware user password] stanza.
3. Specify the new password as the value for the user_password key in that
stanza.
4. Save your changes.
5. Restart the client component.
NetWare_Install_Dir\client\jacclient restart
When the client component starts, the password is read, obfuscated (if it is in plain
text), and then written back to the file in obfuscated form. Obfuscation is not
encryption: the client must be able to recover the password, so anyone who can read
client.pref can recover it as well. Restrict access to the file, and delete the backup
copy made in step 1 once the client has restarted, because it still holds the previous
value.
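The two file edits in this chapter, the NJCL entry in Java.CFG (see "NJCLv2 required") and the user_password key in the [netware user password] stanza of client.pref above, are both single-key changes to a configuration file that should be backed up first. The following Python script is an added example and is not code shipped with Tivoli Security Compliance Manager; it assumes both files use INI-style key=value lines (these notes do not show the exact syntax of Java.CFG or client.pref), and the sample file contents embedded in it are constructed for illustration.

```python
"""Rewrite one key in a stanza-style configuration file, keeping a backup.

Added example, not part of the IBM release notes. Assumes INI-like files:
optional [stanza] headers followed by key=value lines. Used here for the
client.pref password change and the Java.CFG NJCL entry described in the
notes; the sample contents below are constructed, not real files.
"""
import re
import shutil
import sys
from pathlib import Path
from typing import Callable, Optional

_STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def edit_key(text: str, key: str, transform: Callable[[str], str],
             stanza: Optional[str] = None) -> str:
    """Return `text` with the value of `key` replaced by transform(old_value).

    With `stanza` given, only a key inside that [stanza] is touched (the same
    key in another stanza is left alone); with stanza=None the first matching
    key anywhere is used. Key and stanza names are matched case-insensitively;
    comments, ordering, whitespace and line endings are preserved. Raises
    KeyError if the key is not found, so a typo fails loudly instead of
    silently leaving the old value in place.
    """
    key_re = re.compile(r"^(?P<lead>\s*)(?P<key>" + re.escape(key) +
                        r")(?P<sep>\s*=\s*)(?P<val>.*?)(?P<eol>\r?\n?)$",
                        re.IGNORECASE)
    lines = text.splitlines(keepends=True)
    current = None                      # name of the stanza we are in
    for i, line in enumerate(lines):
        m = _STANZA_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            continue
        if stanza is not None and current != stanza.lower():
            continue
        m = key_re.match(line)
        if m:
            lines[i] = (m.group("lead") + m.group("key") + m.group("sep")
                        + transform(m.group("val")) + m.group("eol"))
            return "".join(lines)
    raise KeyError(f"{key!r} not found" + (f" in [{stanza}]" if stanza else ""))


def set_netware_password(text: str, new_password: str) -> str:
    """client.pref: set user_password in the [netware user password] stanza.
    The value is written in plain text; the client obfuscates it on restart."""
    return edit_key(text, "user_password", lambda _old: new_password,
                    stanza="netware user password")


def use_njclv2(text: str) -> str:
    """Java.CFG: point the NJCL entry at njclv2.jar instead of njcl.jar.
    Idempotent: an entry already naming njclv2.jar is left unchanged."""
    return edit_key(text, "NJCL", lambda v: v.replace("njcl.jar", "njclv2.jar"))


def update_file(path: Path, key: str, transform: Callable[[str], str],
                stanza: Optional[str] = None, backup_suffix: str = ".bak") -> Path:
    """Back up `path`, apply edit_key to it in place, and return the backup path.
    latin-1 round-trips every byte, so nothing but the value itself changes."""
    backup = path.with_name(path.name + backup_suffix)
    shutil.copy2(path, backup)
    original = path.read_text(encoding="latin-1")
    updated = edit_key(original, key, transform, stanza)
    with path.open("w", encoding="latin-1", newline="") as fh:
        fh.write(updated)
    return backup


# Constructed samples; the real files are not reproduced in the release notes.
SAMPLE_CLIENT_PREF = (
    "# constructed sample client.pref\n"
    "[client]\n"
    "server_host=scmserver.example.com\n"
    "user_password=not-the-one-you-want\n"   # same key name, other stanza
    "[netware user password]\n"
    "user_password=oldpw\n"
)
SAMPLE_JAVA_CFG = (
    "; constructed sample Java.CFG\n"
    "JAVA_HOME=SYS:\\JAVA\n"
    "NJCL=SYS:\\JAVA\\LIB\\njcl.jar\n"
)

if __name__ == "__main__":
    # Usage: python scm_pref_edit.py S:\PUBLIC\IBM\NW\SCM\client\client.pref NEWPASSWORD
    pref, new_pw = Path(sys.argv[1]), sys.argv[2]
    saved = update_file(pref, "user_password", lambda _old: new_pw,
                        stanza="netware user password")
    print(f"updated {pref}; previous contents saved to {saved}")
```

Run it from the Windows system against the mapped drive, as the installation and uninstallation wizards are run, and restart the client afterwards so that the new value is obfuscated. Because edit_key only rewrites a key it actually finds, a misspelled stanza name raises rather than appending a second, unread password line; the .bak file still contains the old plain-text or obfuscated value and should be removed once the restart succeeds.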
Uninstalling the client component on a NetWare system
The client component is uninstalled in the same manner as other components.
However, the client component must be explicitly stopped and there is an
additional panel to complete in the uninstallation wizard.
The client component must be explicitly stopped on a NetWare system before
uninstalling the component. To stop the component:
NetWare_Install_Dir\client\jacclient stop
After stopping the client component, you use the uninstallation program to remove
the client component. The uninstallation wizard is a Microsoft Windows
application that you run on the Windows system. The wizard must have access to
the NetWare file system in order to update system files and remove the client
component software.
The uninstallation panels are very similar to the ones shown in the IBM Tivoli
Security Compliance Manager Installation Guide: Client Component and IBM Tivoli
Security Compliance Manager Installation Guide: All Components documents and are
not reproduced in this document. The panels are displayed in the same sequence,
however one additional panel is displayed to obtain NetWare-specific information.
If you are not familiar with uninstalling the client component of Tivoli Security
Compliance Manager, read the information in the IBM Tivoli Security Compliance
Manager Installation Guide: Client Component document before proceeding.
After step 6 of the procedure described in the ″Uninstalling Tivoli Security
Compliance Manager″ chapter of either the IBM Tivoli Security Compliance Manager
Installation Guide: Client Component or IBM Tivoli Security Compliance Manager
Installation Guide: All Components document, a new NetWare panel is displayed. In
the Location of autoexec.ncf file field, specify the fully qualified directory and file
name for the autoexec.ncf file using the mapped Windows drive. For example,
specify s:\system\autoexec.ncf where S: is the Windows drive mapped to the
desired NetWare volume. Click Next to continue.
Continue the uninstallation with step 7 in either the IBM Tivoli Security Compliance
Manager Installation Guide: Client Component or IBM Tivoli Security Compliance
Manager Installation Guide: All Components document.
jacclient command (NetWare systems)
Controls the client component on a NetWare system.
Syntax
jacclient { start [password] |
stop |
restart [password] |
status |
version }
Options
start [password]
Starts the client component. The password stored in the client.pref file is
used unless the optional password value is specified.
stop Stops the client component.
restart [password]
Stops and then starts the client component. The password stored in the
client.pref file is used to start the client component unless the optional
password value is specified.
status Displays the runtime status of the client component.
version
Displays the version of the client component.
Authorization
admin user
Location
Client installation directory.
Usage notes
Enter the command without arguments to display syntax information.
If the NDS authentication fails, the client component logs an error but continues
running. Collectors that do not require NDS authentication run as expected;
collectors requiring NDS authentication will fail.
Note: UNIX® and Linux systems use a similar jacclient command.
Examples
Start the client with the specified password:
NetWare_Install_Dir\client\jacclient start new45pwd
Stop the client:
NetWare_Install_Dir\client\jacclient stop
Restart the client using the password stored in the client.pref file:
NetWare_Install_Dir\client\jacclient restart
Display the status of the client:
NetWare_Install_Dir\client\jacclient status
Display the version number of the client:
NetWare_Install_Dir\client\jacclient version
Chapter 3. Administration console changes
A number of enhancements have been made to the administration console.
Administration console supported on Linux systems
The administration console is now supported on selected Linux systems.
To run the administration console on a Linux system, do the following.
1. Install the administration utilities component of Tivoli Security Compliance
Manager on the desired Linux system.
2. From a command shell, go to the directory where the administration utilities
are installed. By default, this is the /opt/IBM/SCM/admin directory.
3. Run the jacgui command.
Related information
“Supported operating systems” on page 49
The list of supported operating systems in IBM Tivoli Security Compliance
Manager Installation Guide has been updated.
Preference changes
A new preference setting is provided to enable the enhanced Users/Roles page in
the administration console.
To enable the enhanced Users/Roles page, do the following.
1. Click File → Preferences in the administration console to open the Preferences
page.
2. Click Use enhanced users and groups interface.
3. Click Save to save your changes.
Related information
“Users/Roles page changes” on page 11
Additional functions are available on the Users/Roles page.
Client page changes
Additional functions are now available on the Clients page.
Multiple collectors are now added with the same schedule
Multiple collectors added to a client or client group at the same time are now set
with the same schedule. Previously, when multiple collectors were added using
either the Clients → Collector → Add collector menu option or the pop-up menu,
you were prompted to set an individual schedule for each collector.
If needed, you can modify the schedule for each collector instance individually
later using the Edit collector schedule option from the pop-up menu.
Multiple collector schedules can be modified simultaneously
The Edit collector schedule option from the pop-up menu can now be used when
multiple collector instances are selected. This action results in the same schedule
being set for all of the selected collectors.
At least one collector instance selected must have a schedule that can be modified
in order for the Edit collector schedule option to be enabled. If a collector instance
was added to a client group, the schedule only can be modified for the client
group, not for each individual client. If multiple collector instances are selected,
but not all of them can be modified, a window is displayed to indicate which
instances can be changed.
Collected data is immediately available after collectors are manually run
After one or more collectors are run using the Run collector option, the data
collected is immediately sent to the server and stored in the database.
You no longer need to wait for the next client/server heartbeat or use the Actions
→ Soft reset request option to cause the collected data to be sent to the server and
stored in the database.
Policy-related changes
Two new options have been added to the Policies drop-down menu.
After selecting a client or client group in the left pane, right-click a policy. The new
Run policy collectors option causes all the collectors associated with the policy to
be run on the selected client or client group. The data collected is immediately sent
to the server and stored in the database.
Similarly, the new Create Snapshot option creates a policy snapshot for the
selected client or client group. Previously, snapshot creation could be done only
from the Policies page, and only for a client group, not a specific client.
Client connection checking enhanced
The Actions → Check client connection option can now be used on clients that are
shown as inactive. The connection checking has been enhanced to verify not only
that the server can contact the client, but also that the client can contact the server.
Icon changes when client is suspended
When data collection on a client is suspended using the scmsuspendclient
command, the icon changes to indicate that the client is suspended. The icon
returns to normal when data collection is resumed.
Client types
Clients are of one of three types. The icon preceding the alias of the client indicates
the type of the client. When the data collection on a client is suspended, the icon
changes. The client types and their associated icons are described in Table 1 on
page 11.
Table 1. Client types (the icon and suspended-icon columns are images in the
original and are not reproduced here)

Client type       Description
push client       A client that permits communication with the server to be
                  initiated by either the client or the server.
pull client       A client that permits communication with the server to be
                  initiated by only the server.
DHCP push client  A client that has a dynamic IP address that permits
                  communication with the server to be initiated by either the
                  client or the server. Use this option for systems using
                  DHCP, or for systems that frequently change their host name
                  or IP address.
Collectors page changes
Additional functions are now available on the Collectors page.
Setting default collector schedules
You can set a default schedule for a registered collector by double-clicking the
graphical representation of the schedule in the right pane. A new option has been
added so that you also can right-click a collector in the left pane and click Set
default schedule.
A default schedule for multiple collectors can be set by selecting one or more of
them, or a folder containing them, right-clicking, and then clicking Set default
schedules. An attempt to set a schedule for a collector that is not registered
results in an error being displayed. Otherwise, you are prompted to confirm the
collectors to be changed.
Users/Roles page changes
Additional functions are available on the Users/Roles page.
Menu changes
The following menu options have been changed to use consistent terminology:
v Manage actions is now Manage permissions
v Manage objects is now Manage resources
Enhanced Users/Groups page added
The Users/Groups page has been enhanced to provide a view with separate panes
for Users and User Groups. Use the Preferences window to enable the enhanced
Users/Roles page. See “Preference changes” on page 9 for details.
The descriptions for the tasks related to users, user groups, and roles that are
affected by this change have been updated and included in this document.
Creating a user
To create a user:
1. Click the Users/Roles tab on the administration console.
2. Click the Users tab.
3. Click Create User.
4. Enter a user name in the User ID field. User names are not case sensitive.
5. Optional: Enter information in the other fields:
Full Name
Name of the user.
Employee Information
Information associated with the user.
Telephone Number
The telephone number of the user.
E-mail address
The e-mail address of the user.
6. Click OK to create the user.
After creating the user, you must:
v Set the password for the user. The user cannot log in without a password.
v Add the user to a user group. Adding the user to a user group with one or more
roles assigned gives the user the ability to perform one or more functions in the
administration console.
Related information
“Setting the password for a user”
“Adding a user to a user group” on page 14
“Adding a user to multiple user groups” on page 15
Setting the password for a user
To set a user’s password:
1. Click the Users/Roles tab on the administration console.
2. Click the Users tab.
3. Select the user name in the Users pane.
4. Click the Set password button in the User Information pane.
5. Enter the new password in both fields.
6. Click OK.
To change your own password, click File → Change Password from the menu bar.
No special permission is needed to change your own password.
Modifying user information
To modify the information associated with a user:
1. Click the Users/Roles tab on the administration console.
2. Click the Users tab.
3. Select the user to modify.
4. Click the User Information tab.
5. Modify the desired information in one or more fields:
Full Name
Name of the user.
Employee Information
Information associated with the user.
Telephone Number
The telephone number of the user.
E-mail The e-mail address of the user.
Comments
Additional information about the user.
6. Click Save.
Viewing the audit log for a user
To display the audit log for a user:
1. Click the Users/Roles tab on the administration console.
2. Click the Users tab.
3. Select the desired user name.
4. Click the Show Audit Log button in the User Information pane. The audit log
is displayed in a separate window. Each entry consists of a time stamp and the
message logged to the server.
5. Click the Past week drop-down box to select a different range of time.
6. Click Close to close the window.
Viewing assigned user groups
To display the user groups that a user is a member of:
1. Click the Users/Roles tab on the administration console.
2. Click the Users tab.
3. Select the desired user name.
4. Click the User Groups tab.
The user groups associated with the user are displayed.
Viewing the roles assigned to a user
To display the roles assigned to a user:
1. Click the Users/Roles tab on the administration console.
2. Click the Users tab.
3. Select the desired user name.
4. Click the Roles tab. The roles associated with the user are displayed.
5. Optional: Right-click the name of a role and click Show role to view the
definition of the role, including the assigned resources and the permissions
granted.
Removing a user
To remove a user:
1. Click the Users/Roles tab on the administration console.
2. Click the Users tab.
3. Right-click the user name in the Users list.
4. Select Remove user from the menu.
5. Click Yes in the Remove User dialog box to confirm the action.
Creating a user group
To create a user group:
1. Click the Users/Roles tab on the administration console.
2. Click the User Groups tab.
3. Click Create User Group.
4. Specify a name for the user group and click OK.
5. Optional: In the Group Information pane, enter a description for the user
group and click Save.
6. Click the Roles tab.
7. Assign roles to the user group by selecting one or more roles in the Available
Roles pane.
8. Click the double arrow button (<<) to move the role to the Assigned Roles
pane. Changes to the assigned roles occur immediately.
Changing the description of a user group
To change the description of a user group:
1. Click the Users/Roles tab on the administration console.
2. Click the User Groups tab.
3. Select the user group to be modified.
4. Click the Group Information tab.
5. Change the text in the Description pane.
6. Click Save to save the change.
Changing the name of a user group
To change the name of a user group:
1. Click the Users/Roles tab on the administration console.
2. Click the User Groups tab.
3. Right-click the user group to be renamed and click Rename User Group.
4. Enter the new name for the user group and then click OK.
Adding a user to a user group
A user must be added to a user group in order to be granted any type of access. To
add a user to a user group:
1. Click the Users/Roles tab on the administration console.
2. Click the User Groups tab.
14 IBM Tivoli Security Compliance Manager: Fix Pack 5.1.0-TIV-SCM-FP0009 Release Notes
3. Select the user group where you want to add a user.
4. Click the Users tab in the adjacent pane.
5. Click Add Users To User Group.
6. Select one or more users to add. Click OK.
Adding a user to multiple user groups
To add a user to multiple user groups at the same time:
1. Click the Users/Roles tab on the administration console.
2. Click the Users tab.
3. Select the user that you want to add to one or more user groups.
4. Click the User Groups tab in the adjacent pane.
5. Click Add User To User Groups.
6. Select one or more user groups. Click OK to add the user to the selected user
groups.
Assigning roles to a user group
To assign one or more roles to a user group:
1. Click the Users/Roles tab on the administration console.
2. Click the User Groups tab.
3. Select the user group to be modified.
4. Click the Roles tab in the adjacent pane.
5. Select one or more roles to be added to the user group from the Available
Roles pane.
6. Click the double arrow button (<<), located between the Assigned Roles and
Available Roles panes, to move the selected roles to the Assigned Roles pane.
Removing a user from a user group
To remove a user from a user group:
1. Click the Users/Roles tab on the administration console.
2. Click the User Groups tab.
3. Select the desired user group.
4. Click the Users tab in the adjacent pane.
5. Select one or more users to remove.
6. Right-click on a selected user and click Remove Users From User Group. The
selected users are immediately removed from the user group.
Removing a user from multiple user groups
To remove a user from one or more user groups:
1. Click the Users/Roles tab on the administration console.
2. Click the Users tab.
3. Select the desired user.
4. Click the User Groups tab in the adjacent pane.
5. Select one or more user groups to remove.
6. Right-click on a selected group and click Remove User from User Group. The
selected user is immediately removed from the selected user groups.
Removing roles from a user group
To remove one or more roles from a user group:
1. Click the Users/Roles tab on the administration console.
2. Click the User Groups tab.
3. Select the user group to be modified.
4. Click the Roles tab in the adjacent pane.
5. Select one or more roles to be removed from the user group from the Assigned
Roles pane.
6. Click the double arrow button (>>), located between the Assigned Roles and
Available Roles panes, to remove the selected roles from the user group. The
roles are now shown in the Available Roles pane.
Removing a user group
To remove a user group:
1. Click the Users/Roles tab on the administration console.
2. Click the User Groups tab.
3. Right-click the user group to be removed and click Remove User Group.
4. Click Yes to remove the user group.
Creating a role
To create a role:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Click Create Role.
4. Enter the name of the role.
5. Click OK.
Changing the description of a role
To change the description of a role:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Click the role to be changed in the Roles pane.
4. Change the description for the role.
5. Click Save Role Information to save the change.
Changing the type of a role
To change the type of a role:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Click the role to be changed in the Roles pane.
4. Change the type of the role.
5. Click Save Role Information to save the change.
Renaming a role
To rename a role:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Right-click the role that is to be renamed and click Rename Role.
4. Enter the new name of the role.
5. Click OK.
Adding permissions to a role
To add permissions to a role:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Select the role to be changed in the Roles pane.
4. Click the resource category tab in the Role Definition pane for the permission
to be added. If the desired resource tab is not displayed, click Add Resource
Tabs to add it.
5. Mark the check boxes for the permissions to be granted.
6. Repeat steps 4 and 5 to grant permissions in other resource categories.
7. Click Save Role Information to save the changes.
Viewing permissions granted to a role
To view the permissions granted to a role:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Select the role to be displayed in the Roles pane.
4. Click each of the displayed resource category tabs in the Role Definition pane
to view the permissions granted for each resource category. For a normal role,
the resources for which the permission is granted are displayed also.
Adding resources to a role
To add resources to a normal type role:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Select the role to be changed in the Roles list view.
4. Select the resource category tab associated with the resource to be added.
5. Click Add Resources. The Add Resources button is enabled only for normal
roles. Global and template roles cannot have resources associated with them.
6. Select one or more resources to add.
7. Click OK.
8. Click Save Role Information to save the changes.
Inheriting permissions from a template
To have a role inherit permissions from a template:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Right-click the role in the Roles pane that is to inherit from a template and
select Inherit permissions from template.
4. Select the template to inherit the permissions from and click OK.
5. Click Save Role Information to save the changes. Changing the permissions
granted by a template automatically changes every role that has inherited
permissions from that template.
Disinheriting permissions from a template
To remove from a role all of the permissions that are currently inherited from a
template:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Right-click the role in the Roles pane from which you want to disinherit a
template and select Disinherit template.
4. Click Yes in the Disinherit Template dialog box.
5. Click Save Role Information to save the changes.
Removing permissions from a role
To remove permissions from a role:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Select the role to be changed in the Roles pane.
4. Click the resource category tab in the Role Definition pane for the permission
to be removed.
5. Clear the check boxes for the permissions to be removed from the role.
6. Repeat steps 4 and 5 to remove permissions in other resource categories.
7. Click Save Role Information to save the changes.
Removing resources from a role
To remove resources from a role:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Select the role to be changed in the Roles list view.
4. Select the resource category tab associated with the resource to be removed.
5. Locate the resource to be removed. Right-click the resource and click Remove
Resource.
6. Click Save Role Information to save the changes.
Removing a role
To remove a role:
1. Click the Users/Roles tab on the administration console.
2. Click the Roles tab.
3. Right-click the role to be removed and then click Remove Role.
4. Click Yes to remove the role.
Policies page changes
Additional functions are now available on the Policies page.
Schedules of multiple collector instances can be changed simultaneously
Both the Collector and Compliance views of the Policies page have been changed
to permit the schedules of multiple collector instances to be changed at the same
time. Previously, you had to change the schedule for each collector instance
individually.
To change the schedule of multiple collector instances, do the following.
1. Click the Policies tab on the administration console.
2. If the desired policy is not displayed in the Policies pane, double-click the
Policies folder.
3. Select the policy.
4. Click the Collectors tab in the adjacent pane to switch to the Collectors view.
5. Select one or more collector instances.
6. Set the schedule.
7. Click OK.
8. Click Save Collector List to save the changes.
You can modify the schedule for each collector instance individually later, if
needed.
New informational severity for violations
A new severity level for compliance query violations, called Informational, has
been added. Informational violations, displayed using blue text, do not count
toward the violation count of a snapshot. If other compliance queries indicate a
Low (orange), Normal (red), or High (bold red) severity violation, those violations
are counted toward the violation count of the snapshot. Violations can still be
suppressed (yellow) based on specific conditions.
The Informational violation is intended for those administrators that want to
provide compliance queries that indicate that clients are in compliance with, rather
than in violation of, a specific condition within a policy.
Structure of both system and data tables viewable
The database table structure for both data tables and system tables can now be
directly viewed.
New Browse system tables option added
A new option has been added to the Tools menu of the administration console to
display the structure of the database tables used by Tivoli Security Compliance
Manager to manage its data collection.
Click Tools → Browse system tables to view the structure of the system database
tables.
Browse tables option changed to Browse data tables
The Browse tables option has been renamed Browse data tables to differentiate
the existing option from the new Browse system tables option.
To view the structure of the database tables that store the compliance data
gathered by the collectors, click Tools → Browse data tables.
Chapter 4. Command changes
Changes have been made to existing commands and new commands have been
added.
Timeout value increased and customizable
The amount of time that the administration console and the administration
commands wait for a response from the server has increased from 5 minutes to 30
minutes. A new environment variable, SCMRMI_TIMEOUT, is provided to
customize the value.
New -errorlog option provided on all commands
All existing and new administration commands have been updated to support a
new –errorlog command option. In addition, a new environment variable,
SCMCLI_ERRORLOG, is provided that sets the default path and file name for the
log file.
Changed commands
The scmcreatesnapshot command now permits you to create a snapshot for a
specific client. A new option is provided to control whether the results of a
snapshot are stored in the database.
The scmregisterclient command has a new –pull option that permits pull clients to
be registered. A new –clientport option also has been added. Multiple push and
pull clients can be registered using the new –list option.
New commands
The scmrunpolicycollectors command is provided to run all the collectors
associated with a policy on a specific client or client group.
The scmsuspendclient command is provided to suspend the data collection activity
on a client or client group. The same command is also used to resume a client
or client group whose data collection has been suspended.
The scmresetclient command is provided to reset a client.
Users and user groups can now be managed using additional new administration
commands.
Handling of special characters in options
Enclose option values containing spaces in quotation marks. Some command shells
perform special processing when certain characters, such as an ampersand (&) or a
forward slash (/) are encountered in the command stream. Enclose options
containing special characters in quotation marks to ensure that they are processed
as expected by the command.
© Copyright IBM Corp. 2004 21
Note: On Windows systems, the quotation mark character must be preceded by a
backslash character (\).
For example, to add a group called Windows 2000 using the scmaddgroup
command:
UNIX and Linux
./scmaddgroup -u admin -s myserver.mycomp.com -group "Windows 2000"
Windows
scmaddgroup -u admin -s myserver.mycomp.com -group \"Windows 2000\"
Option values that are the same as command options must be enclosed in
quotation marks. For example, to create a group called -group:
scmaddgroup -u admin -pw mypw -s a4serv.mycomp.com -group \"-group\"
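The following Python script is an added example, not part of the Tivoli Security Compliance Manager product, that applies the quoting rules above when a command line is assembled for display or for a script log. The function names quote_value and render_command, and the characters treated as special beyond the space, ampersand and forward slash named above, are assumptions. A program that invokes the commands directly should hand the operating system an argument list without a shell; no quoting is needed in that case.

```python
import re

# Characters some command shells treat specially. The release notes name the
# space, ampersand and forward slash; the rest of this set is an assumption
# made on the side of caution.
_SPECIAL = re.compile(r'[\s&/|<>;()$`"\'\\*?#]')


def needs_quoting(value):
    # Quote a value that contains special characters, that is empty, or that
    # looks like an option name (for example a group called -group).
    return value == "" or value.startswith("-") or _SPECIAL.search(value) is not None


def quote_value(value, windows=False):
    """Return value as it should be typed on the command line."""
    if not needs_quoting(value):
        return value
    if windows:
        # On Windows each quotation mark must be preceded by a backslash.
        # The notes do not cover quotation marks inside a value, so refuse them.
        if '"' in value:
            raise ValueError("quotation marks inside a value are not supported on Windows")
        return '\\"' + value + '\\"'
    # POSIX shells: inside double quotes only \ " $ and ` keep a special
    # meaning, so those are escaped with a backslash.
    escaped = re.sub(r'([\\"$`])', r'\\\1', value)
    return '"' + escaped + '"'


def render_command(command, options, windows=False):
    """Assemble a command line.

    options is a list of (name, value) pairs in the order they are typed;
    use None as the value for options that take none, such as -nosave.
    """
    parts = [command]
    for name, value in options:
        parts.append(name)
        if value is not None:
            parts.append(quote_value(value, windows))
    return " ".join(parts)


if __name__ == "__main__":
    opts = [("-u", "admin"), ("-s", "myserver.mycomp.com"), ("-group", "Windows 2000")]
    print(render_command("scmaddgroup", opts))
    print(render_command("scmaddgroup", opts, windows=True))
```

Because option values are passed separately from option names, a value that happens to equal an option name (the -group example above) is always quoted, and a value such as R&D is quoted before a shell can treat the ampersand as a command separator.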
Environment variables
Environment variables can be used to provide default values for options on the
administration commands.
Use the following environment variables to provide default values for some
options on the administration commands:
SCMCLI_USER
The user ID to use to authenticate with the server. Used if the –user option
is not specified on the command.
SCMCLI_PASSWORD
The password corresponding to the specified user ID. Used if the
–password option is not specified on the command. If neither the
–password option is specified nor the SCMCLI_PASSWORD environment
variable is set, the user is prompted to enter the password. A password
given as a command option is visible to other users of the system in
process listings and may be recorded in the shell history; prompting or
the environment variable avoids this exposure.
SCMCLI_SERVER
The host name of the server. Used if the –server option is not specified on
the command.
SCMCLI_PORT
The port number to use to communicate to the server. Used if the –port
option is not specified on the command. If neither the –port option is
specified nor the SCMCLI_PORT environment variable is set, 1955 is used
as the port number.
SCMCLI_ERRORLOG
The fully qualified name of the file to be used to record messages
generated by the administration commands. Used if the –errorlog option is
not specified on the command. If neither the –errorlog option is specified
nor the SCMCLI_ERRORLOG environment variable is set, messages are
written to the standard error output stream.
Note: The user running the administration command must have the
appropriate file and directory permissions to create and append data
to the file specified.
SCMRMI_TIMEOUT
The amount of time to wait, in seconds, for a response from the server. If
not specified, the default value is 1800 seconds (30 minutes).
Note: On Windows and Linux systems, setting this variable as a system
environment variable also changes the amount of time that the
administration console on that system waits for a response from the
server.
Options specified on the command override the setting of the corresponding
environment variable. The environment variables are used only if set.
scmadduser command
Defines a new user and assigns a user to a user group.
Syntax
scmadduser {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name] {-adminuser|-a} admin_name
[{-newpassword|-npw} admin_pw] [{-usergroup|-ug} group_name] [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–adminuser | –a admin_name
The name of the user to add. If the user specified does not exist, it is
created. User names are not case sensitive.
–newpassword | –npw admin_pw
Optional. The password to be set for the user, if the user is being created.
Passwords are case sensitive.
–usergroup | –ug group_name
Optional. The name of the user group that the user should be added to.
–? The usage statement for the command.
Notes
The scmadduser command can be used to:
v add a new user
v add a new user and assign that user to a user group
v add an existing user to a user group
In order for the user to login, the user must have a password. If the password is
not set when the user ID is created, use either the scmpasswordreset command or
the Users/Roles page of the administration console to set a password.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
v Add a new user called policyadmin:
scmadduser -u admin -pw p42q9b -s x4.mycompany.com -p 1955 -adminuser policyadmin
v Add a user called molly with a password and add that user to the existing
Managers user group:
scmadduser -u admin -server swest19.mycomp.com \
-a molly -newpassword y4q989z -ug Managers
v Add the existing molly user to the auditing user group:
scmadduser -u admin -server swest19.mycomp.com \
-adminuser molly -usergroup auditing
Note: If the user ID did not already exist, it would be created automatically,
without a password, and then added to the user group. Check the spelling of
the user name before running the command: a mistyped name silently creates a
new account that is a member of the group.
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmaddusergroup command
Defines a new user group.
Syntax
scmaddusergroup {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name] {-usergroup|-ug} group_name [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–usergroup | –ug group_name
The name of the user group to add.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Example
Add a new user group called ISOAuditors:
scmaddusergroup -u admin -pw z42b94 -s itscm.mycompany.com -usergroup ISOAuditors
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmaddusergrouprole command
Add a role to a user group.
Syntax
scmaddusergrouprole {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name] {-usergroup|-ug} group_name
{-role|-r} role_name [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–usergroup | –ug group_name
The name of the user group to which the specified role is to be added.
–role | –r role_name
The name of the role to be added to the specified user group.
–? The usage statement for the command.
Notes
If the user group name or role name contains spaces or special characters,
enclose it in quotation marks (″) to prevent the command processor from
interpreting it. On Windows systems, the quotation marks must be preceded by a
backslash character (\).
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
v Add the Senior Admin Role to the FirewallAdmins user group on a Linux
system:
scmaddusergrouprole -u admin -pw z42b94 -s itscm.mycompany.com \
-usergroup FirewallAdmins -role "Senior Admin Role"
v Add the User Admin Role to the B982 user group on a Windows system:
scmaddusergrouprole -u admin -s itscm.myco.com -ug B982 -role \"User Admin Role\"
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmcreatesnapshot command
Creates a policy snapshot and, optionally, writes the result of the snapshot to a file.
Syntax
scmcreatesnapshot {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name] {-policy|-pol} policy_name
[ [{-group|-g} group_name] |
[ {-clientid|-c} client_ID] ]
[{-file|-f} policy_snapshot_file_name]
[{-text|-t}] [-nosave] [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–policy | –pol policy_name
The name of the policy to use to create the snapshot. This option is
required.
–group | –g group_name
Optional. The name of the client group that the policy snapshot should be
restricted to. Cannot be specified with the –clientid parameter.
–clientid | –c client_ID
Optional. The ID of the client that the policy snapshot should be restricted
to. Cannot be specified with the –group parameter.
–file | –f policy_snapshot_file_name
Optional. The name of the file where the policy snapshot is saved. The
output is in HTML format unless the -text option is specified.
–text | –t
Optional. If specified, indicates that the output from the snapshot should
be saved in the file indicated by the -file parameter as plain text instead of
as HTML.
–nosave
Optional. If specified, the results of the snapshot are not saved in the
database.
Note: If this parameter is specified without the –file parameter, no
snapshot is taken.
–? The usage statement for the command.
Notes
The results of the snapshot are saved in the database by default. Use the –nosave
and –file parameters to write the results of the snapshot to a file but not save the
results in the database. If the –nosave parameter is specified without the –file
parameter, no snapshot is taken.
Attention: A snapshot is created regardless of whether any data has been
collected. Running a snapshot against a client group that does not have
the policy added does not generate an error, but does complete
indicating no violations.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
Create a snapshot of the policy and restrict the snapshot to the data collected by
clients in the AIXEast client group:
scmcreatesnapshot -u becky -pw qwerty4z -s s44srv.mycomp.com -p 1955
-policy AIX2004 -group AIXEast -file AIX2004_AIXEast_20040509_snapshot.html
Create a snapshot of the policy using all collected data:
scmcreatesnapshot -u rashid -pw q9y3y42b -s scmrules.mycomp.com
-policy Windows_2000
Create a snapshot of the policy on the client with an ID of 44. In addition, save the
results of the snapshot to a file and do not save the results in the database:
scmcreatesnapshot -u woj -pw big4fun -s itscm.mycomp.com
-p 1955 -policy Windows_XP -c 44 -f winxp.htm -nosave
Create a snapshot of a policy and save the results as plain text in a file:
scmcreatesnapshot -u biff -pw c4982hk -s scm.mycomp.com
-policy AIX_Policy -file aixpolicy.txt -text
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
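The following Python function is an added example, not part of the product, that checks a combination of scmcreatesnapshot options against the rules in the Notes above before the command is run and reports what the invocation will do. The function name plan_snapshot and the warning for -text given without -file are assumptions.

```python
def plan_snapshot(options):
    """Check the scmcreatesnapshot-specific options and say what will happen.

    options: dict of option name -> value as given (None for -text/-nosave).
    Returns (outcome, warnings); outcome is one of "db+file", "db-only",
    "file-only" or "none". Raises ValueError for a combination the
    command does not accept.
    """
    def given(*names):
        return any(name in options for name in names)

    if not given("-policy", "-pol"):
        raise ValueError("-policy is required")
    if given("-group", "-g") and given("-clientid", "-c"):
        raise ValueError("-group and -clientid cannot be specified together")

    to_file = given("-file", "-f")
    nosave = given("-nosave")
    warnings = []
    if given("-text", "-t") and not to_file:
        # Assumption: -text only selects the format of the -file output.
        warnings.append("-text has no effect without -file")
    if nosave and not to_file:
        # Documented: -nosave without -file means no snapshot is taken at all.
        warnings.append("-nosave without -file: no snapshot is taken")
        return "none", warnings
    if not given("-group", "-g", "-clientid", "-c"):
        warnings.append("no -group or -clientid: all collected data is used")
    if to_file and nosave:
        return "file-only", warnings
    if to_file:
        return "db+file", warnings
    return "db-only", warnings


if __name__ == "__main__":
    # The four invocations from the examples above, as option dictionaries.
    for opts in ({"-policy": "AIX2004", "-group": "AIXEast", "-file": "a.html"},
                 {"-policy": "Windows_2000"},
                 {"-policy": "Windows_XP", "-c": "44", "-f": "winxp.htm", "-nosave": None},
                 {"-policy": "AIX_Policy", "-file": "aixpolicy.txt", "-text": None}):
        print(opts, "->", plan_snapshot(opts))
```

A check like this cannot detect the situation described under Attention: a snapshot run against a client group that does not have the policy added completes with no violations, which looks like a clean result. Confirm that the policy is attached to the group, for example with scmlistgrouppolicies, before treating a zero-violation snapshot as evidence of compliance.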
scmlistavailableroles command
Displays the roles that can be assigned to a user group.
Syntax
scmlistavailableroles {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name] [{-usergroup|-ug} group_name]
[-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–usergroup | –ug group_name
Optional. The name of the user group for which the available roles are to
be displayed. If this option is omitted, all available roles are displayed.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
v List all the available roles that can be assigned to user groups:
scmlistavailableroles -u useradmin -pw q8u4u4a -s sc.mycompany.com -p 1955
v List the available roles for the Managers user group:
scmlistavailableroles -u barney -pw ru88le -s scm.myco.com -ug Managers
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmlistgroupclients command
Displays the clients defined to a specified client group or to all client groups.
Syntax
scmlistgroupclients {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name] [{-group|-g} group_name] [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–group | –g group_name
Optional. The name of the client group for which the clients are to be
displayed. If this option is omitted, clients of all client groups are
displayed.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
List all members of all client groups defined on server scmserver.mycompany.com:
scmlistgroupclients -u jaya -pw r7y4yy5 -s scmserver.mycompany.com -p 1955
List the members of the Windows client group:
scmlistgroupclients -u fuzzy -pw b7e4u8a -s itscm.mycompany.com -g Windows
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmlistgrouppolicies command
Displays the policies defined to a specified client group or to all client groups.
Syntax
scmlistgrouppolicies {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name] [{-group|-g} group_name] [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–group | –g group_name
Optional. The name of the client group for which the policies are to be
displayed. If this option is omitted, policies for all client groups are
displayed.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Chapter 4. Command changes 31
Examples
List all policies that are defined on server itscm.mycompany.com:
scmlistgrouppolicies -u mikey -pw oh62389p -s itscm.mycompany.com -p 1955
List the policies associated with the AIX® client group:
scmlistgrouppolicies -u zuddy -pw q04bGab -s tscm5.mycompany.com -g AIX
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmlistusergroups command
Display the user groups defined on a server.
Syntax
scmlistusergroups {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-groupusers|-gu}] [{-grouproles|-gr}]
[{-errorlog|-e} file_name] [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–groupusers | –gu
Optional. Indicates that the users in the user groups are to be displayed.
–grouproles | –gr
Optional. Indicates that the roles assigned to the user groups are to be
displayed.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
v List all the user groups defined on the server:
scmlistusergroups -u useradmin -pw q8u4u4a -s sc.mycompany.com
v List all the user groups, including the users assigned to each user group:
scmlistusergroups -u barney -pw ru88le -s scm.myco.com -p 1955 -gu
v List all the user groups and the roles assigned to each user group:
scmlistusergroups -u admin -pw d1o2g3 -s itsc.mycompany.com -p 1955 -gr
v List all the user groups, including the users and roles assigned:
scmlistusergroups -u admin -pw f4u7k9u -s g0.myco.com -p 1955 -gu -gr
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmregisterclient command
Registers one or more clients with a server.
Syntax
scmregisterclient {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name]
{ {-client|-c} client_name[{,|:}alias]
[ client_name[{,|:}alias] ]...
[{-clientport|-cp} client_port] [{-pull | -push}] |
-list spreadsheet_file_name } [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–client | –c client_name [ {,|:}alias] [client_name{,|:}alias]...
The clients to be registered. The client_name is the host name or IP address
of the client to be registered and the alias is the optional client alias. The
client_name and the alias can be up to 100 characters in length. If alias is not
specified, client_name is used.
This option is required if the –list option is not specified. If the –list option
is specified, this option is ignored.
–clientport | –cp client_port
The port number used by the client to communicate with the server. If this
option is not specified, 1950 is used.
This option is ignored if the –list option is specified.
–push Optional. Indicates that the clients are to be registered as push clients. If
neither this option nor the –pull option is specified, clients are registered
as push clients.
This option is ignored if the –list option is specified.
–pull Optional. Indicates that the clients are to be registered as pull clients. If
neither this option nor the –push option is specified, clients are registered
as push clients.
This option is ignored if the –list option is specified.
–list spreadsheet_file_name
The fully qualified name of a file containing information on the clients to
be registered. If the spreadsheet file specified is a tab-delimited text file,
the file extension must be .txt. If the spreadsheet file is a comma-separated
value (CSV) file, the file extension must be .csv. The first row of the file is
treated as a comment. Each subsequent row in the file describes a client to
be registered.
This option is required if the –client option is not specified.
–? The usage statement for the command.
Notes
When registering a pull client that has an IP address that changes but a host name
that remains constant, specify the client with an IP address of 0.0.0.0, such as
-client 0.0.0.0:host_name
This setting results in the server performing a DNS lookup using the host name to
obtain the IP address of the client.
The spreadsheet specified using the –list option is either a tab-delimited or
comma-separated value (CSV) file. The first line of the file is treated as a comment.
Each subsequent line contains the following values:
Client type
The type of client. Valid values are push and pull.
Fully qualified host name
The host name of the client system to be registered.
This field maps to the alias value on the –client option and can be up to
100 characters in length.
IP address
The IP address of the client system to be registered.
This field maps to the client_name value on the –client option and can be
up to 100 characters in length.
If a client has a host name that does not change but an IP address that
might change, specify the IP address as 0.0.0.0. This setting results in the
server performing a DNS lookup using the host name to obtain the IP
address of the client.
Port number
The port number used by the client to communicate with the server. If this
option is not specified, 1950 is used.
Comment
The rest of the line, up to a maximum of 250 characters, is stored as a
comment and is displayed in the Client Information pane of the
administration console.
Figure 1 shows a comma-separated value file that defines several clients. Because
the first client does not specify a port number, the default port of 1950 is used.
First line in the file is a comment
push,liza.myco.com,192.168.11.115,,Liza Fharley
pull,joe.myco.com,192.168.11.4,1960,Joseph Zabra
pull,snow.myco.com,192.168.11.122,1950,Rashid Snow
push,mchess.myco.com,192.168.11.5,1950,Max Chess
Figure 1. Sample CSV file for the scmregisterclient command
A sample spreadsheet file is provided that can be modified and exported to a
tab-delimited or comma-separated value (CSV) file for use with the –list option.
The sample file is called $SCM_HOME/admin/ClientInformation.xls. Use a
spreadsheet application, such as Lotus® SmartSuite® or Microsoft Excel, to view
and update the file.
Note: If the file is a comma-separated value (CSV) file, the file extension must be
.csv. A tab-delimited value file must have a file extension of .txt.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
v Register a push client to a server:
scmregisterclient -u a_user -pw password -s scmserver.myco.com -p 1955
-client amail422.dev.myco.com -push
v Register three push clients with aliases on a UNIX system:
scmregisterclient -u a_user -pw password -s scmserver.myco.com -p 1955
-client jclam.myco.com,Jaya pcoole.myco.com,Jose rhuen.myco.com,Rachel
v Register two push clients (with aliases with spaces in them) on a Windows
system:
scmregisterclient -u a_user -pw password -s scmserver.myco.com -p 1955
-client \"zsmith.myco.com:Zachary Smith\" \"pdogh.myco.com:Pratish Dogh\"
v Register a pull client with an alias and using client port 2000:
scmregisterclient -u a_user -pw a_password -s server.myco.com -p 1955
-client theone.myco.com:theOne -pull -clientport 2000
v Register two pull clients with aliases and using client port 2004:
scmregisterclient -u a_user -pw a_password -s server.myco.com -p 1955
–client test.myco.com:Tester nway.myco.com:NoWay –pull –cp 2004
v Register several clients using a tab-delimited value file:
scmregisterclient -u wiley -pw acme11bugs -s scm.myco.com \
–list /var/client_spreadsheet.txt
v Register several clients using a comma-separated value file:
scmregisterclient -u admin -pw 94hGh9b -s scm.myco.com \
–list /var/client_spreadsheet.csv
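Because the server rejects a –list file only after the command has been sent, it is worth validating the file locally first. The following Python checker is an added example, not code from the product or from these release notes. It implements only the layout described above (comment on the first line, then client type, host name, IP address, port and comment per line; tab-delimited for .txt, comma-separated for .csv; default port 1950; 100-character name limit; 250-character comment limit; 0.0.0.0 meaning "resolve the host name by DNS"). The duplicate-host check and the function names are the example's own assumptions, not product rules, and the sample file is constructed from the Figure 1 rows plus two deliberately bad lines.

```python
"""Check a scmregisterclient -list file before handing it to the command.

Added example, not part of the product or of these release notes. It
implements only the file layout the notes describe: the first line is a
comment; every later line is client_type, host_name, ip_address, port,
comment, tab-delimited in a .txt file or comma-separated in a .csv file.
The duplicate-host check is an extra local sanity check, not a product rule.
"""
import csv
import io
import ipaddress
import os

DEFAULT_CLIENT_PORT = 1950     # used when the port field is empty
MAX_NAME_LEN = 100             # limit on the host name and IP address fields
MAX_COMMENT_LEN = 250          # limit on the comment field
DELIMITERS = {".csv": ",", ".txt": "\t"}


def parse_client_list(text, filename):
    """Return (clients, errors) for the file contents in text.

    clients: one dict per acceptable line, with the port default applied.
    errors:  (line_number, message) for lines the server would reject.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in DELIMITERS:
        raise ValueError("file extension must be .csv or .txt, got %r" % ext)
    delim = DELIMITERS[ext]
    rows = list(csv.reader(io.StringIO(text), delimiter=delim))
    clients, errors, seen_hosts = [], [], set()
    for lineno, row in enumerate(rows[1:], start=2):   # line 1 is a comment
        if not any(field.strip() for field in row):
            continue                                    # skip blank lines
        padded = row + [""] * (5 - len(row))
        ctype, host, ip, port = (field.strip() for field in padded[:4])
        comment = delim.join(padded[4:]).strip()        # "the rest of the line"
        problems = []
        if ctype.lower() not in ("push", "pull"):
            problems.append("client type must be push or pull, not %r" % ctype)
        if not host or len(host) > MAX_NAME_LEN:
            problems.append("host name missing or longer than %d" % MAX_NAME_LEN)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None
            problems.append("IP address %r is not valid" % ip)
        if port == "":
            port_num = DEFAULT_CLIENT_PORT
        elif port.isdigit() and 1 <= int(port) <= 65535:
            port_num = int(port)
        else:
            problems.append("port %r is not a number in 1..65535" % port)
        if len(comment) > MAX_COMMENT_LEN:
            problems.append("comment longer than %d characters" % MAX_COMMENT_LEN)
        if host.lower() in seen_hosts:
            problems.append("host %s listed more than once" % host)
        seen_hosts.add(host.lower())
        if problems:
            errors.append((lineno, "; ".join(problems)))
            continue
        clients.append({
            "type": ctype.lower(),
            "host": host,
            "ip": ip,
            # 0.0.0.0 tells the server to resolve the host name by DNS
            "resolve_by_dns": addr.is_unspecified,
            "port": port_num,
            "comment": comment,
        })
    return clients, errors


def client_option(client):
    """Equivalent -client argument for one parsed line (ip:alias form)."""
    return "%s:%s" % (client["ip"], client["host"])


# Constructed sample: the Figure 1 rows plus a DNS-resolved laptop and two
# deliberately bad lines.
SAMPLE_CSV = """First line in the file is a comment
push,liza.myco.com,192.168.11.115,,Liza Fharley
pull,joe.myco.com,192.168.11.4,1960,Joseph Zabra
pull,roam.myco.com,0.0.0.0,,Laptop, resolved by DNS
sync,bad.myco.com,192.168.11.9,1950,unknown client type
push,badport.myco.com,192.168.11.10,70000,port out of range
"""

if __name__ == "__main__":
    ok, bad = parse_client_list(SAMPLE_CSV, "clients.csv")
    for c in ok:
        print("%-4s %-40s port %d" % (c["type"], client_option(c), c["port"]))
    for lineno, msg in bad:
        print("line %d rejected: %s" % (lineno, msg))
```

Run it on the exported .csv or .txt file before calling scmregisterclient –list; a non-empty error list means the file would register fewer clients than intended, and the accepted rows show the port and DNS-resolution behaviour the server will apply.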
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmremoveuser command
Removes a user or removes a user from a user group.
Syntax
scmremoveuser {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name] {-adminuser|-a} admin_name
[{-usergroup|-ug} group_name] [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–adminuser | –a admin_name
The name of the user to be processed. User names are not case sensitive. If
the –usergroup option is not specified, the user is removed from the server.
Otherwise, the user is removed from the specified user group.
–usergroup | –ug group_name
Optional. The name of the user group from which the user should be
removed.
–? The usage statement for the command.
Notes
The scmremoveuser command can be used to:
v remove a user
v remove a user from a specific user group
Removing a user also removes that user from every user group of which it was a
member and deletes any authorization keys that the user created.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
v Remove a user called policyadmin:
scmremoveuser -u admin -s x4.mycompany.com –adminuser policyadmin
v Remove the user molly from the Managers user group:
scmremoveuser -u admin -server swest19.mycomp.com \
-p 1955 –a molly -ug Managers
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmremoveusergroup command
Removes a user group.
Syntax
scmremoveusergroup {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name] {-usergroup|-ug} group_name [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–usergroup | –ug group_name
The name of the user group to remove.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
Remove a user group called WebMasters:
scmremoveusergroup -u admin -pw 98qg74gh4 -s s4.mycompany.com –ug WebMasters
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmremoveusergrouprole command
Remove a role from a user group.
Syntax
scmremoveusergrouprole {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name] {-usergroup|-ug} group_name
{-role|-r} role_name [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–usergroup | –ug group_name
The name of the user group from which the specified role is to be removed.
–role | –r role_name
The name of the role to be removed from the specified user group.
–? The usage statement for the command.
Notes
If the user group name or role name contains spaces or special characters, enclose
it in quotation marks (″) to prevent the command processor from interpreting
them. On Windows systems, the quotation marks must be preceded by a backslash
character (\).
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
v Remove the Senior Admin Role from the FirewallAdmins user group on a Linux
system:
scmremoveusergrouprole -u admin -pw z42b94 -s itscm.mycompany.com \
–usergroup FirewallAdmins -role "Senior Admin Role"
v Remove the User Admin Role from the B982 user group on a Windows system:
scmremoveusergrouprole -u admin -s a4.myco.com –ug B982
-role \"User Admin Role\"
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmresetclient command
Resets a client.
Syntax
scmresetclient {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name]
{-clientid|-c} client_ID [{-hard|-ha}] [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–clientid | –c client_ID
The numeric ID of the client to be reset. This option is required.
–hard | –ha
Optional. If specified, indicates that a hard reset request is to be sent to the
client specified. Otherwise, a soft reset request is sent.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Notes
A soft reset request is sent to the client unless the –hard option is specified. If the
–hard option is specified, a hard reset request is sent. This command performs the
same function as the Clients → Actions → Soft reset request and Clients → Actions
→ Hard reset request options in the administration console.
Regardless of whether the administration console or the scmresetclient command is
used, no further operations can be directed to the client until the reset operation
completes. The time required for the operation to complete depends on the number
of policies and collectors assigned to the client, as well as the amount of network
traffic to the server. In general, a hard reset request takes longer than a soft reset
request.
Examples
v Reset the client with an ID of 15:
scmresetclient -u scmadmin -pw p42q9b -s x4.mycompany.com -p 1955 –clientid 15
v Send a hard reset request to the client with an ID of 4:
scmresetclient -u scmadmin -s scms1.mycompany.com –clientid 4 -hard
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmrunpolicycollectors command
Runs all the collectors in the specified policy on a specific client or client group.
Syntax
scmrunpolicycollectors {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name] {-policy|-pol} policy_name
{ {-clientid|-c} client_ID | {-group|-g} group_name }
[-wait] [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–policy | –pol policy_name
The name of the policy containing the collectors that are to be run. This
option is required.
–clientid | –c client_ID
The numeric ID of the client where the collectors associated with the
specified policy are to be run. Either this option or the –group option is
required.
–group | –g group_name
The name of the client group where the collectors associated with the
specified policy are to be run. Either this option or the –clientid option is
required.
–wait Optional. If specified, the command does not return until the data
associated with running the collectors has been stored in the database.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Notes
This command is used to run all the collectors associated with a policy on the
specified client. Before running this command, ensure that the client is a member
of the specified client group, and the policy is assigned to that client group. By
default, the command returns after scheduling the collectors to be run on the
specified client or client group. Use the –wait option to cause the command to wait
until the data has been collected and stored in the database tables.
After correcting compliance issues on a client, use this command, with the –wait
option, to collect updated security compliance data for the client. After the
command completes, a snapshot can be taken to verify whether or not all issues
have been resolved.
Examples
Run all the collectors defined in the HPUX04 policy on the client with an ID of 5
and do not return until the data collected has been stored in the database tables:
scmrunpolicycollectors -u admin -pw pd4qr3yt29s -s jcas.mycom.com
-p 1955 –policy HPUX04 -clientid 5 -wait
Run all the collectors defined in the WIN2003 policy on all the clients in the
Workstation client group:
scmrunpolicycollectors -u clyde -pw ba1942xz -s scm.mycomp.com
-p 1955 –policy WIN2003 -group Workstation
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmsetuserinfo command
Set or change information about a user.
Syntax
scmsetuserinfo {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name]
{-adminuser|-a} admin_name [{-fullname|-fn} full_name]
[{-phone|-ph} phone_number] [{-email|-em} email_address]
[{-empinfo|-ei} employee_info] [{-usercomment|-uc} comment_text]
[-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–adminuser | –a admin_name
The name of the user to be processed. User names are not case sensitive.
–fullname | –fn full_name
Optional. The full name of the user.
–phone | –ph phone_number
Optional. The telephone number of the user.
–email | –em email_address
Optional. The e-mail address of the user.
–empinfo | –ei employee_info
Optional. The employee information associated with the user.
–usercomment | –uc comment_text
Optional. The comment text associated with the user.
–? The usage statement for the command.
Notes
Use the scmpasswordreset command or the Users/Roles page of the administration
console to change a user’s password.
Enclose options with spaces or special characters, such as an ampersand (&) or a
greater-than sign (>), in quotation marks (″) to prevent the command processor
from interpreting them. On Windows systems, the quotation marks must be
preceded by a backslash character (\).
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Examples
v Update the e-mail address and telephone number of user scmadmin from a
UNIX system:
scmsetuserinfo -u admin -server x4.mycompany.com –adminuser scmadmin \
-em "[email protected]" -ph "+1-512-555-1212"
v Update the comment for user loni from a Microsoft Windows system:
scmsetuserinfo -u admin -s zx.myco.com –a loni -uc \"Manager of Tahiti Site\"
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
scmsuspendclient command
Suspends or resumes data collection activity on a specific client or client group.
Syntax
scmsuspendclient {-user|-u} user_ID [{-password|-pw} password]
{-server|-s} server_name [{-port|-p} port]
[{-errorlog|-e} file_name]
{ {-clientid|-c} client_ID | {-group|-g} group_name }
[ -suspend [-begin yyyy/mm/dd[:hh:mm]]
[ {-until yyyy/mm/dd[:hh:mm] | -length duration_in_minutes} ]
| -resume ] [-?]
Options
–user | –u user_ID
The user ID to use to authenticate with the server.
Required option unless the SCMCLI_USER environment variable is set.
–password | –pw password
The password corresponding to the specified user ID. If no password is
specified and the SCMCLI_PASSWORD environment variable is not set,
you are prompted for the password.
–server | –s server_name
The host name of the server that is the target of the command.
Required option unless the SCMCLI_SERVER environment variable is set.
–port | –p port
The port number to use to communicate with the server. If this option is
not specified and the SCMCLI_PORT environment variable is not set, 1955
is used.
–errorlog | –e file_name
Optional. The fully qualified name of the file where error messages
produced by the command are to be saved. The file is created if it does not
exist. Messages are appended to the end of the file and the file grows
without limit. If this option is not specified and the SCMCLI_ERRORLOG
environment variable is not set, error messages are written to the standard
error output stream.
–clientid | –c client_ID
The numeric ID of the client that is to be suspended or resumed. Either
this option or the –group option is required.
–group | –g group_name
The name of the client group that is to be suspended or resumed. Either
this option or the –clientid option is required.
–suspend
Optional. Causes the data collection on the specified client or client group
to be suspended. The start and end times of the suspension are specified
using the –begin, –length, and –until options. Cannot be specified with the
–resume option.
–begin yyyy/mm/dd[:hh:mm]
Optional. Indicates the date, and optionally the time, when the data
collection on the affected clients is to be suspended. If time is omitted, then
midnight (00:00) is assumed. If this option is not specified, data collection
is suspended immediately.
–until yyyy/mm/dd[:hh:mm]
Optional. Indicates the date, and optionally the time, when the data
collection on the affected clients is to resume. If time is omitted, then
midnight (00:00) is assumed. If neither this option nor the –length option is
specified, data collection is suspended until explicitly resumed using the
scmsuspendclient command with the –resume option.
–length duration_in_minutes
Optional. Indicates the length of time, in minutes, that the affected clients
are to be suspended. After the time elapses, the affected clients are
resumed.
–resume
Optional. If specified, resumes the data collection on the specified client or
client group. Cannot be specified with the –suspend option.
–? The usage statement for the command.
Authorization
You must have a valid administrator user ID and password on the server and must
have the required authority to perform the task.
Notes
If neither the –suspend nor the –resume option is specified, the default action is to
suspend the specified client or client group.
Only one suspend and resume request can be scheduled at a time for a client. If a
client is currently active and is scheduled to be suspended, making another
suspend request replaces the one that is currently scheduled. After a client has
been suspended, other requests to suspend the client are rejected. Similarly, if a
client is currently suspended and is scheduled to be resumed, another resume
request replaces the one that is currently scheduled.
Examples
Suspend the data collection on a particular client immediately. The client remains
suspended until resumed.
scmsuspendclient -u admin -pw pd4qr3yt29s -s jcas.mycom.com
-p 1955 -clientid 55 -suspend
Resume the data collection on the specified client.
scmsuspendclient -u admin -pw pd4qr3yt29s -s jcas.mycom.com
-p 1955 -clientid 55 -resume
Suspend the data collection on a client starting on April 1, 2005 at midnight:
scmsuspendclient -u clyde -pw bonnie1 -s scm.mycomp.com
-clientid 41 -suspend -begin 2005/04/01
Suspend the data collection on all clients in client group WindowsXP for 30
minutes, starting immediately:
scmsuspendclient -u bonnie -pw clyde1 -s scm.mycomp.com
-group WindowsXP -suspend -length 30
Suspend the data collection on all clients in client group Accounts until 8:00 a.m.
on January 3, 2005:
scmsuspendclient -u bonnie -pw clyde1 -s scm.mycomp.com
-group Accounts -suspend -until 2005/01/03:08:00
Suspend the data collection on all clients in client group Tax2004 from 4:30 p.m.
until 6:30 p.m. on Friday, April 15, 2005:
scmsuspendclient -u bonnie -pw clyde1 -s scm.mycomp.com
-group Tax2004 -suspend -begin 2005/04/15:16:30 -length 120
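The scheduling rules for -begin, -until, and -length, worked through as an added example that is not part of these release notes: a small Python helper that computes the suspension window an scmsuspendclient invocation describes, so an administrator can confirm when collection actually resumes before scheduling it. The function and parameter names are the example's own; the text does not say what happens when -until and -length are both given, so this helper treats that combination as an error (an assumption).

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Added example, not IBM's code: reproduces the documented semantics of the
# scmsuspendclient -begin / -until / -length options.


def parse_when(value: str) -> datetime:
    """Parse the yyyy/mm/dd[:hh:mm] form used by -begin and -until.
    A missing time component means midnight (00:00), as documented."""
    for fmt in ("%Y/%m/%d:%H:%M", "%Y/%m/%d"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"bad date/time {value!r}: expected yyyy/mm/dd[:hh:mm]")


def suspension_window(begin: Optional[str] = None,
                      until: Optional[str] = None,
                      length: Optional[int] = None,
                      now: Optional[datetime] = None
                      ) -> Tuple[datetime, Optional[datetime]]:
    """Return (start, end) of the suspension.

    end is None when neither -until nor -length is given: the client then
    stays suspended until an explicit -resume. 'now' can be injected for
    reproducible results; it defaults to the wall clock."""
    if until is not None and length is not None:
        # Assumption of this example: the two end-time options are alternatives.
        raise ValueError("-until and -length are alternatives; specify only one")
    start = parse_when(begin) if begin else (now or datetime.now())
    if until is not None:
        end = parse_when(until)
        if end <= start:
            raise ValueError("-until must be later than the start of the suspension")
    elif length is not None:
        if length <= 0:
            raise ValueError("-length must be a positive number of minutes")
        end = start + timedelta(minutes=length)
    else:
        end = None
    return start, end
```

For the Tax2004 example above (-begin 2005/04/15:16:30 -length 120) the helper returns a window ending at 18:30 on the same day; for the -begin 2005/04/01 example it returns an open-ended window, which is the case to double-check before scheduling, since nothing will resume collection automatically.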
Return values
The following values can be returned:
0 The command completed successfully.
-1 The command failed.
Chapter 5. Documentation updates
Several problems in the documentation have been corrected.
Supported operating systems
The list of supported operating systems in IBM Tivoli Security Compliance Manager
Installation Guide has been updated.
The tables reflect the addition of Microsoft Windows 2003 and Novell NetWare as
supported platforms.
The following tables list the supported operating systems for the Tivoli Security
Compliance Manager server, client, collectors, and administration utilities. No
specific patch or maintenance level is required for any operating system. However,
keeping installed systems at the most current patch or maintenance level helps to
ensure that known security vulnerabilities in the operating system are corrected.
Table 2. Server
Operating system Level
IBM AIX 5.1
IBM AIX 5.2
IBM AIX 5.3
Microsoft Windows 2000 Server
Microsoft Windows 2003 Server Standard Edition and Enterprise Edition
Sun Solaris Operating Environment 2.8
Sun Solaris Operating Environment 2.9
SUSE Linux Enterprise Server 8
Table 3. Clients, collectors, and proxy relay
Operating system Level
IBM AIX 5.1
IBM AIX 5.2
IBM AIX 5.3
HP-UX 11.0
HP-UX 11i
Novell NetWare 5.1
Novell NetWare 6.0
Novell NetWare 6.5
Red Hat Linux for Intel® IA32 and xSeries® 6.2
Red Hat Linux for Intel IA32 and xSeries 7.0
Red Hat Linux for Intel IA32 and xSeries 7.1
Red Hat Linux for Intel IA32 and xSeries 7.2
Red Hat Linux for Intel IA32 and xSeries 7.3
Red Hat Linux for Intel IA32 and xSeries 8.0
Red Hat Linux for Intel IA32 and xSeries 9.0
Sun Solaris Operating Environment 2.6
Sun Solaris Operating Environment 2.7
Sun Solaris Operating Environment 2.8
Sun Solaris Operating Environment 2.9
Microsoft Windows NT® 4.0 Server
Microsoft Windows NT 4.0 Workstation
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Professional
Microsoft Windows XP Professional
Microsoft Windows 2003 Server Standard Edition and Enterprise Edition
Red Hat Enterprise Linux for Intel IA32 and xSeries 2.1
Red Hat Enterprise Linux Advanced Server for Intel IA32 and xSeries 3.0 (see note below)
Red Hat Enterprise Linux for zSeries® 3.0
Red Hat Enterprise Linux for iSeries™ or pSeries® 3.0
Red Hat Enterprise Linux for zSeries 7.2
Red Hat Enterprise Linux Advanced Server 2.1
SUSE LINUX 7.0
SUSE LINUX Enterprise Server 8
SUSE LINUX Enterprise Server for zSeries 8
SUSE LINUX Enterprise Server for iSeries or pSeries 8
Note: The Red Hat Enterprise Linux Advanced Server 3.0 platform can only be
installed using the console mode on Japanese language systems.
Table 4. Administration console
Operating system Level
Microsoft Windows 2000 Professional
Microsoft Windows XP Professional
Microsoft Windows 2003 Server Standard Edition and Enterprise Edition
Red Hat Enterprise Linux Advanced Server for Intel IA32 and xSeries 3.0
SUSE LINUX Enterprise Server (xSeries) 8
Table 5. Administration command line interface
Operating system Level
IBM AIX 5.1
IBM AIX 5.2
IBM AIX 5.3
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows XP Professional
Microsoft Windows 2003 Server Standard Edition and Enterprise Edition
Sun Solaris Operating Environment 2.8
Sun Solaris Operating Environment 2.9
HP-UX 11
HP-UX 11i
SUSE LINUX Enterprise Server 8
Red Hat Linux for Intel IA32 and xSeries 9
Red Hat Enterprise Linux Advanced Server for Intel IA32 and xSeries 3.0
Red Hat Enterprise Linux for iSeries or pSeries 3.0
SUSE LINUX Enterprise Server for iSeries or pSeries 8
Uninstalling components
Additional information on uninstalling IBM Tivoli Security Compliance Manager
components on Microsoft Windows systems is provided.
On Microsoft Windows systems, do not use the Add/Remove Programs option
from the Control Panel to uninstall components of Tivoli Security Compliance
Manager. That option does not completely remove the product from the system,
and might leave one or more components listed as Windows services. Instead, use
the procedure described in the section entitled "Uninstalling Tivoli Security
Compliance Manager" in the IBM Tivoli Security Compliance Manager Installation
Guide.
Obtaining IBM HTTP Server Version 1.x
Information on obtaining IBM HTTP Server for use with the IBM Tivoli Security
Compliance Manager Operational Reports.
In the "Operational Reports" section of the IBM Tivoli Security Compliance Manager
Release Notes, the procedure mentions that IBM HTTP Server Version 1.x is
required but that it is not provided. To obtain IBM HTTP Server Version 1.x, go to:
http://www.ibm.com/software/webservers/httpservers/download.html
Select IBM HTTP Server version 1.3.28.1 for Windows. Version 2.x cannot be used
with IBM Tivoli Security Compliance Manager.
Updating clients from server
An additional step might be needed before updating clients automatically from a
server running on a UNIX or Linux system.
The client software running on client systems can be updated automatically from
the server using the Server page of the administration console. On UNIX and
Linux systems, if a client update JAR file is already in use, you must ensure that
the permissions on the file permit the server to replace the file. If the file
ownership or permissions are not set correctly, an error might occur when you
attempt to replace the JAR file from the administration console.
This problem usually occurs after installing an interim fix or patch, where the JAR
file might have been installed by the root user with file permissions of 755. To
correct the problem, change the owner of the file to be the scmsrver user ID in the
scmsrver group. Alternately, the permissions on the JAR file can be set to 777, but
this permits any user to change the file. After correcting the problem, click Update
client code again to replace the file.
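The permission check described above, as an added example that is not part of these release notes: a Python helper that decides, using the ordinary Unix owner/group/other rules, whether the server's user ID can write the client update JAR, and that flags the 777 shortcut as world-writable rather than reporting it as fixed. The user and group name scmsrver come from the text; the function names, the diagnosis strings, and the treatment of the problem as a file-permission question (as the text frames it) are the example's own.

```python
import grp
import os
import pwd
import stat

# Added example, not IBM's code. Checks whether the Tivoli SCM server user
# (scmsrver, per the release notes) can replace a client update JAR.


def can_write(mode: int, file_uid: int, file_gid: int, uid: int, gids) -> bool:
    """Unix discretionary-access decision for a write by a non-root process.

    mode is the permission bits only (stat.S_IMODE); gids is the set of
    group IDs the process belongs to."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def diagnose(mode: int, file_uid: int, file_gid: int, server_uid: int, server_gids) -> str:
    """Classify the JAR's ownership and mode from the server user's point of view."""
    if mode & stat.S_IWOTH:
        # 777 lets the server replace the file, but also lets any local user
        # alter the JAR that the server then pushes to every client.
        return "world-writable: replaceable, but any local user can modify the JAR"
    if can_write(mode, file_uid, file_gid, server_uid, server_gids):
        return "ok: server user can replace the JAR"
    # The usual case after an interim fix: root-owned, mode 755.
    return "not writable by server user: chown the file to scmsrver:scmsrver"


def check_jar(path: str, server_user: str = "scmsrver") -> str:
    """Inspect a real file on this system (requires the server user to exist)."""
    st = os.stat(path)
    pw = pwd.getpwnam(server_user)
    gids = {g.gr_gid for g in grp.getgrall() if server_user in g.gr_mem} | {pw.pw_gid}
    return diagnose(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, pw.pw_uid, gids)


if __name__ == "__main__":
    # Constructed values: a root-owned 755 JAR seen by a server user with uid 1001.
    print(diagnose(0o755, 0, 0, 1001, {1001}))
```

Because the verdict is computed from the mode, owner, and group alone, the same logic can be run against values read from `ls -ln` output on a server you cannot log in to interactively.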
Column data types
Each column in a collector table contains data that is mapped from a Java data
type to a DB2® data type.
The size of a column must be sufficient to store the largest data item that could be
collected. Otherwise, the collected data might be truncated. Tivoli Security
Compliance Manager does not impose any restriction on the total amount of data
that can be collected in a table.
The following SQL data types are supported by Tivoli Security Compliance
Manager:
SMALLINT
INTEGER
BIGINT
REAL
FLOAT
DOUBLE
CHAR
VARCHAR
DATE
TIME
TIMESTAMP
Table 6 summarizes the mappings of Java data types to DB2 data types in DB2
Universal Database™ for Linux, UNIX, and Windows systems. When more than
one data type is listed, the first data type is the recommended data type.
Table 6. Mappings of Java data types to DB2 data types for updating DB2 tables
Java data type | SQL data type
short, boolean, byte (see Note) | SMALLINT
int, java.lang.Integer | INTEGER
long, java.lang.Long | BIGINT
float, java.lang.Float | REAL, FLOAT
double, java.lang.Double | DOUBLE
java.lang.String | CHAR(n) where n <= 254
java.lang.String | VARCHAR(n) where n <= 32672
java.sql.Date | DATE
java.sql.Time | TIME
java.sql.Timestamp | TIMESTAMP
Note: DB2 has no exact equivalent for the Java boolean or byte data types, but the
best fit is SMALLINT.
By convention, Tivoli Security Compliance Manager uses a value of 1 for
true and a value of 0 for false.
Collector documentation updates
The documentation for the following existing collectors has been updated to
provide additional and corrected information.
aix.any.SecPasswdV1.jar
Collects password information, such as user name, flags, and the date that the
password was last updated, from the /etc/security/passwd file.
Tables
AIX_SECPASSWD_V1
Table 7. Column information for AIX_SECPASSWD_V1
Column Name | Description | Type (size)
USERNAME | The name of the user. | VARCHAR (30)
ALLOW_ADMIN | A Boolean flag indicating that only the root user can change the password information. | SMALLINT
ALLOW_ADMCHG | A Boolean flag indicating that a member of the security group or the root user last changed the password. | SMALLINT
ALLOW_NOCHECK | A Boolean flag indicating that none of the system password restrictions defined in the /etc/security/user file are enforced for this password. | SMALLINT
LASTUPDATE | The time (in seconds) since the epoch (00:00:00 GMT, January 1, 1970) when the password was last changed. | TIMESTAMP
PASSWD_EXISTS | A Boolean flag indicating whether the password exists. Returns 1 (true) if the password is active or locked; otherwise, returns 0 (false) if the password does not exist. | SMALLINT
PASSWD_LOCKED | A Boolean flag indicating whether the password is locked. Returns 0 (false) if the password does not exist or is active. | SMALLINT
Parameters
None.
Notes
If the /etc/security/passwd file does not exist, message HCVHC0011W is logged
on the client and the collector returns empty headers.
Error messages
• HCVHC0000E
• HCVHC0001E
• HCVHC0002E
• HCVHC0011W
unix.any.AnonFtpPasswdV1.jar
Collects the user and password fields present in the password file used by
anonymous FTP.
Tables
UNIX_ANONFTP_PASS_V1
Table 8. Column information for UNIX_ANONFTP_PASS_V1
Column Name | Description | Type (size)
USER_NAME | The name of the user. | VARCHAR (32)
IS_PASSWD_EMPTY | A Boolean flag indicating if the password field is empty. If the entry is an encrypted password, it indicates if the password entry matches an encrypted blank password. | SMALLINT
IS_ACCOUNT_ACTIVE | A Boolean flag indicating whether or not the account is active. If the account is locked, then 0 (False) is returned. | SMALLINT
IS_PASSWD_ENCRYPT_USERNAME | A Boolean flag indicating that an encrypted password entry is the same as the user name. If an encrypted password does not exist in the file, null is returned. | SMALLINT
IS_MD5 | A Boolean flag indicating whether the password is MD5 encrypted. | SMALLINT
Parameters
Table 9. Parameter information for unix.any.AnonFtpPasswdV1.jar
Parameter Name | Description | Required | Default Value
ANONFTP_PASSWD_FILE | Location of the anonymous FTP password file relative to the anonymous FTP user's home directory. | No | /etc/passwd
SCAN_REMOTE | A Boolean flag indicating that files on remote file systems are to be processed. | No | 0 (False)
Notes
If the ANONFTP_PASSWD_FILE parameter is not specified, the /etc/passwd
file is used. If the password file does not exist or is empty, message HCVHC0029W
is logged on the client and the collector returns empty headers.
Error messages
• HCVHC0000E
• HCVHC0001E
• HCVHC0002E
• HCVHC0003E
• HCVHC0009E
• HCVHC0010E
• HCVHC0011W
• HCVHC0028W
• HCVHC0029W
• HCVUA0020E
• HCVUA0021E
• HCVUU0005W
• HCVUU0006E
unix.any.FileSearchV1.jar
Searches the specified file for a specific string, and returns the name of the file and
the lines with the matching string.
Tables
UNIX_FILE_SEARCH_V1
Table 10. Column information for UNIX_FILE_SEARCH_V1
Column Name | Description | Type (size)
FILENAME | The name of the file. | VARCHAR (256)
SEARCHSTRING | The search string used, or null if FILENAME does not exist. | VARCHAR (128)
LINE | The line containing the matching string. | VARCHAR (512)
Parameters
Table 11. Parameter information for unix.any.FileSearchV1.jar
Parameter Name | Description | Required | Default Value
FILENAME | The fully qualified name of a file to search. Wildcards are not permitted. Blanks are respected for this parameter value. | Yes | None.
SEARCHSTRING | The string to search for in the specified file. Wildcards can be used and blanks are respected for this parameter value. | Yes | None.
IGNORECASE | A Boolean value indicating whether case should be ignored while performing the search. | No | 1 (true)
COMMENT_DELIM | The beginning character of a comment line. | No | None.
LINE_CONT_DELIM | The delimiter for line continuation. | No | None.
Notes
Searches the specified file for a string, and returns the name of the file and the
lines with the matching string. If the search string occurs on more than one line in
the file, each occurrence is returned in a separate row. Only one file can be
specified. To search multiple files, use multiple instances of this collector.
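The search that Tables 10 and 11 describe, written out as an added example that is not the collector's own code: a Python function that takes the FILENAME, SEARCHSTRING, IGNORECASE, COMMENT_DELIM, and LINE_CONT_DELIM parameters and returns rows shaped like UNIX_FILE_SEARCH_V1, including the null SEARCHSTRING row for a missing file. The release notes do not define the wildcard syntax or how a continuation delimiter is recognized, so this example assumes shell-style * and ? wildcards matched anywhere in a line and a continuation delimiter that appears at the end of a line; the sample file content is constructed.

```python
import fnmatch

# Added example, not the FileSearchV1 collector's code. Implements the
# documented search over constructed sshd_config-style content.

SAMPLE_FILE = "/etc/ssh/sshd_config"   # name only; the content below is constructed
SAMPLE_CONTENT = """\
# PermitRootLogin yes        <- commented out, must not match
PermitRootLogin \\
    no
permitrootlogin without-password
PasswordAuthentication yes
"""


def logical_lines(text, line_cont_delim=None):
    """Yield lines, joining any line that ends with LINE_CONT_DELIM to the next."""
    buf = ""
    for raw in text.splitlines():
        if line_cont_delim and raw.rstrip().endswith(line_cont_delim):
            buf += raw.rstrip()[:-len(line_cont_delim)]
            continue
        yield buf + raw
        buf = ""
    if buf:                      # continuation delimiter on the last line
        yield buf


def file_search(filename, searchstring, content, ignorecase=True,
                comment_delim=None, line_cont_delim=None):
    """Return (FILENAME, SEARCHSTRING, LINE) rows, one per matching logical line."""
    pattern = "*" + searchstring + "*"          # assumption: match anywhere in the line
    rows = []
    for line in logical_lines(content, line_cont_delim):
        if comment_delim and line.lstrip().startswith(comment_delim):
            continue                             # COMMENT_DELIM: skip comment lines
        hay, pat = (line.lower(), pattern.lower()) if ignorecase else (line, pattern)
        if fnmatch.fnmatchcase(hay, pat):
            rows.append((filename, searchstring, line))
    return rows


def collect(filename, searchstring, **options):
    """Collector entry point: read the file, or return the null row when it is missing."""
    try:
        with open(filename, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except FileNotFoundError:
        return [(filename, None, None)]          # SEARCHSTRING is null if FILENAME does not exist
    return file_search(filename, searchstring, content, **options)


if __name__ == "__main__":
    for row in file_search(SAMPLE_FILE, "PermitRootLogin", SAMPLE_CONTENT,
                           comment_delim="#", line_cont_delim="\\"):
        print(row)
```

Note what the two optional delimiters buy a compliance check: without COMMENT_DELIM the commented-out `# PermitRootLogin yes` line is reported as a match, and without LINE_CONT_DELIM the directive split across two lines is reported without its value, so a posture rule keyed on the LINE column would be evaluated against incomplete text.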
Error messages
• HCVHC0000E
• HCVHC0004E
• HCVHC0005E
• HCVHC0008E
• HCVHC0022W
• HCVHC0023W
• HCVHC0030E
• HCVUA0070E
• HCVUA0071E
unix.any.UsersV1.jar
Returns user ID information.
Tables
UNIX_USERS_V1
Table 12. Column information for UNIX_USERS_V1
Column Name | Description | Type (size)
USERNAME | User ID or logon name. | VARCHAR (32)
IS_ACCOUNT_ACTIVE | A Boolean value indicating whether the user's account is locked. | SMALLINT
IS_PASSWD_EMPTY | A Boolean value indicating whether the user's password field in the /etc/passwd file is empty or is the encrypted empty string. | SMALLINT
IS_PASSWD_ENCRYPT_USERNAME | A Boolean value indicating whether the password is the same as the user name. | SMALLINT
IS_MD5 | A Boolean value indicating whether the user's password is MD5 encrypted. | SMALLINT
UID | Unique numeric ID for the user. | INTEGER
GID | Principal group ID of the user. | INTEGER
GECOS | General information associated with the user that is not used by the system, such as an office location or phone number. | VARCHAR (200)
HOME | Fully qualified path name to the home directory of the user. | VARCHAR (200)
SHELL | Initial program or shell that is executed after a user invokes the login or su command. | VARCHAR (200)
Parameters
Table 13. Parameter information for unix.any.UsersV1.jar
Parameter Name | Description | Required | Default Value
SCAN_REMOTE | A Boolean flag indicating whether or not the data for remote users is to be collected. Specify 1 (true) to collect remote user data. | No | 0 (false)
Notes
Collects user information from the /etc/passwd file. If the file does not exist, then
message HCVHC0011W is logged on the client and the collector returns empty
headers.
Error messages
• HCVHC0000E
• HCVHC0001E
• HCVHC0002E
• HCVHC0010E
• HCVHC0011W
• HCVHC0028W
• HCVHC0029W
• HCVHC0030E
• HCVUA0190W
• HCVUA0191E
• HCVUU0005W
• HCVUU0006E
unix.multi.NddV1.jar
This collector reports the configuration parameters of TCP/IP drivers.
Supported platforms
HP-UX and Sun Solaris Operating Environment
Tables
UNIX_NDD_V1
Table 14. Column information for UNIX_NDD_V1
Column Name | Description | Type (size)
DRIVER | The name of the driver. | VARCHAR (60)
ATTRIBUTE | The name of the setting. | VARCHAR (128)
INTEGER_VALUE | The configuration value of the setting. | INTEGER
Parameters
Table 15. Parameter information for unix.multi.NddV1.jar
Parameter Name | Description | Required | Default Value
DRIVER_NAME | The name of the TCP/IP driver. | Yes | None.
DRIVER_ATTRIBUTE | The configuration setting for the driver specified as the first parameter. | Yes | None.
Notes
If an attribute for a device has multiple integer values, then multiple rows are
returned. Only one driver name can be specified. To gather data about multiple
drivers, use multiple instances of this collector.
Error messages
• HCVHC0000E
• HCVHC0004E
• HCVHC0005E
• HCVHC0006E
• HCVHC0007E
• HCVHC0010E
• HCVUM0031E
• HCVUM0032E
• HCVUM0033E
• HCVUM0035E
• HCVUM0036E
• HCVUM0037W
unix.multi.ShadowV1.jar
Collects password parameter information from the /etc/shadow file.
Supported platforms
HP-UX, Linux, and Sun Solaris Operating Environment
Tables
UNIX_SHADOW_V1
Table 16. Column information for UNIX_SHADOW_V1
Column Name | Description | Type (size)
USERNAME | The user name. | VARCHAR (32)
LASTCHG | The date of the last password change. | DATE
MINAGE | The minimum number of days that are required between password changes. | INTEGER
MAXAGE | The maximum number of days that the password is valid. | INTEGER
WARNDAYS | The number of days before a password is set to expire that the user receives a message. | INTEGER
INACTIVE | The number of days of inactivity allowed for the user. | INTEGER
EXPIRE | The date after which the login can no longer be used. A value of null indicates that the password does not expire. | DATE
FLAG | Currently not used. | VARCHAR (10)
IS_ACCOUNT_ACTIVE | A Boolean flag indicating whether the account is active. | SMALLINT
IS_PASSWD_EMPTY | A Boolean flag indicating whether the password is null or empty. | SMALLINT
IS_PASSWD_ENCRYPT_USERNAME | A Boolean flag indicating whether the password is the same as the user name. | SMALLINT
IS_MD5 | A Boolean flag indicating whether the password is MD5 encrypted. | SMALLINT
Parameters
None.
Notes
Collects password parameter information from the /etc/shadow file. If the file
does not exist, message HCVHC0011W is logged on the client and the collector
returns empty headers. If the file exists but does not contain any valid data,
message HCVHC0028W is logged on the client and the collector returns empty
headers.
On Linux systems, the password field is set to two exclamation points (!!) if no
password is set. If the account is locked, the encrypted password in the file is
preceded by a single exclamation point. Accounts without a password cannot be
locked.
On Sun Solaris Operating Environment systems, an account with no password is
represented by the characters "NP". An account that is locked is represented by the
characters "LK".
The collector interprets the conditions where !!, NP, or LK is set as meaning that
the user account is not active, and sets IS_ACCOUNT_ACTIVE to 0 (false).
Most HP-UX systems do not support the use of the /etc/shadow file. However, if
a patch has been applied adding the function, and the pwconv command has been
run, the file might be present.
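How the UNIX_SHADOW_V1 flags follow from the Linux and Solaris conventions just described, as an added example that is not the collector's own code: a Python parser that turns /etc/shadow lines into rows with the Table 16 column names, treating !!, a leading !, NP, and LK as documented. The same classification of the password field (empty, equal to the user name, MD5) is what the IS_PASSWD_EMPTY, IS_PASSWD_ENCRYPT_USERNAME, and IS_MD5 columns of UNIX_USERS_V1 and UNIX_ANONFTP_PASS_V1 report, so this one example covers those collectors too. The sample lines are constructed and the hash strings are placeholders; the example assumes the $1$ prefix of MD5-crypt identifies an MD5 password, and it records an LK entry as locked without inferring anything about the password itself (the text does not say).

```python
from datetime import date, timedelta

# Added example, not IBM's collector code. Parses /etc/shadow lines into
# rows with the UNIX_SHADOW_V1 column names from Table 16.

EPOCH = date(1970, 1, 1)

# Constructed sample content; hashes are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$saltsalt$constructedmd5hashvalue0000:12784:0:90:7:::
alice:$6$saltsalt$constructedsha512hashvalue:12800:1:180:14:30:13149:
bob:!!:12790:0:99999:7:::
carol:!$1$saltsalt$constructedmd5hashvalue0001:12790:0:99999:7:::
dave:NP:12790:::::
erin:LK:12790:::::
frank::12790:0:99999:7:::
grace:grace:12790:0:99999:7:::
"""


def days_to_date(field):
    """Convert a 'days since the epoch' field to a date; a blank field gives None."""
    return EPOCH + timedelta(days=int(field)) if field else None


def int_or_none(field):
    return int(field) if field else None


def parse_shadow_line(line):
    parts = line.split(":")
    parts += [""] * (9 - len(parts))            # tolerate short Solaris-style lines
    user, pw, lastchg, minage, maxage, warn, inactive, expire, flag = parts[:9]

    # Linux: "!!" means no password, a leading "!" means locked.
    # Solaris: "NP" means no password, "LK" means locked.
    locked = pw in ("!!", "NP", "LK") or pw.startswith("!")
    if pw in ("", "!!", "NP"):
        hash_part = ""                           # no password set
    elif pw == "LK":
        hash_part = None                         # locked; no hash recorded in the field
    else:
        hash_part = pw[1:] if pw.startswith("!") else pw   # strip the lock marker

    return {
        "USERNAME": user,
        "LASTCHG": days_to_date(lastchg),
        "MINAGE": int_or_none(minage),
        "MAXAGE": int_or_none(maxage),
        "WARNDAYS": int_or_none(warn),
        "INACTIVE": int_or_none(inactive),
        "EXPIRE": days_to_date(expire),
        "FLAG": flag or None,
        "IS_ACCOUNT_ACTIVE": 0 if locked else 1,
        "IS_PASSWD_EMPTY": 1 if hash_part == "" else 0,
        "IS_PASSWD_ENCRYPT_USERNAME": 1 if hash_part == user else 0,
        # Assumption: MD5-crypt hashes carry the "$1$" prefix.
        "IS_MD5": 1 if hash_part and hash_part.startswith("$1$") else 0,
    }


def parse_shadow(text):
    """Return one row per non-blank line of shadow file content."""
    return [parse_shadow_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for row in parse_shadow(SAMPLE_SHADOW):
        print(row["USERNAME"], row["IS_ACCOUNT_ACTIVE"], row["IS_PASSWD_EMPTY"], row["IS_MD5"])
```

The rows that a posture check should look at first are the ones where IS_ACCOUNT_ACTIVE is 1 together with IS_PASSWD_EMPTY or IS_PASSWD_ENCRYPT_USERNAME set (frank and grace in the sample): an account that is locked with an empty field is not a login risk, but an active one is.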
Error messages
• HCVHC0000E
• HCVHC0001E
• HCVHC0002E
• HCVHC0011W
• HCVHC0028W
• HCVHC0029W
win.any.NavV1.jar
Collects information about Norton and Symantec AntiVirus Corporate Edition
software running on Windows systems. This information replaces the description
in the IBM Tivoli Security Compliance Manager Collector and Message Reference.
Tables
WIN_NAV_V1
Table 17. Column information for WIN_NAV_V1
Column Name | Description | Type (size)
NAV_CLIENT_VERSION | The version of the Norton AntiVirus client. | VARCHAR (50)
LIVE_UPDATE_TIME | The time when the virus definition Live Update occurs, in hh:mm format. If no Live Update is scheduled or if the information is not available, null is returned. | VARCHAR (5)
LIVE_UPDATE_DAY_OF_WEEK | The day of the week when the virus definitions are updated, in the range 0 to 6, where 0 represents Sunday. If no Live Update is scheduled or if the information is not available, null is returned. | INTEGER
LIVE_UPDATE_DATE_OF_MONTH | The day of the month when the Live Update is performed. If no Live Update is scheduled or if the information is not available, null is returned. | INTEGER
LAST_VIRUS_DEFN_UPDATE | The time and date of the virus definition file. If the information is not available, null is returned. | TIMESTAMP
LAST_SCAN_DATE | The time and date of the last virus scan. If the information is not available, null is returned. | TIMESTAMP
Parameters
None.
Notes
The values returned for each column are obtained from Windows registry keys.
Unless otherwise noted, the specified keys are used for all versions of the Norton
AntiVirus software.
Field | Registry keys
NAV_CLIENT_VERSION
InstallDir value of HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton AntiVirus NT\Install
and from HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\DLLUsage\VP6
LIVE_UPDATE_TIME, LIVE_UPDATE_DAY_OF_WEEK, LIVE_UPDATE_DATE_OF_MONTH
Type value of HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\PatternManager\Schedule
LAST_VIRUS_DEFN_UPDATE
Version 5.x: SystemTime value of HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton Antivirus\Virus Defs\LastUpdate
All other versions: PatternFileDate value of HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion
LAST_SCAN_DATE
Version 5.x: SystemTime value of HKEY_LOCAL_MACHINE\Software\Symantec\Norton Antivirus\LastScan
All other versions: TimeOfLastScan value of HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion
The weekly update information is not available on Microsoft Windows NT 4.0
systems. This collector returns null in the LAST_VIRUS_DEFN_UPDATE and
LAST_SCAN_DATE fields either when the registry key does not exist or the value
for the field does not exist in the registry key.
The collector can obtain information from supported versions of Norton AntiVirus
Corporate Edition software up to Version 7.x, and from Version 8.x of the Symantec
AntiVirus Corporate Edition software.
Error messages
• HCVHC0000E
• HCVHC0012E
• HCVHC0013E
• HCVHC0016E
• HCVHC0017E
• HCVHC0025E
• HCVWA0100W
• HCVWA0101W
• HCVWA0102W
• HCVWU0003E
• HCVWU0004E
• HCVWU0005E
• HCVWU0006E
• HCVWU0007E
• HCVWU0008E
• HCVWU0009E
win.any.SnmpActiveV1.jar
Returns indication of the existence of public and private SNMP Registry subkeys.
This information replaces the description in the IBM Tivoli Security Compliance
Manager Collector and Message Reference.
Tables
WIN_SNMP_V1
Table 18. Column information for WIN_SNMP_V1
Column Name | Description | Type (size)
PUBLIC_EXIST | A Boolean flag indicating that the SNMP Public key exists. | SMALLINT
PRIVATE_EXIST | A Boolean flag indicating that the SNMP Private key exists. | SMALLINT
Parameters
None.
Notes
The collector examines the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
registry key to obtain Simple Network Management Protocol (SNMP) community
information. If the registry key does not exist, no SNMP communities exist and an
empty row of headers is returned. If the registry key exists, the fields are set based
on the type of communities defined.
Error messages
• HCVHC0000E
• HCVWA0170W
Chapter 6. Troubleshooting
Additional information on diagnosing problems with IBM Tivoli Security
Compliance Manager.
Server and client connectivity
Connectivity between the server and a client can be tested from the Clients page of
the administration console. To verify that the server can communicate with the
client and that the client can communicate with the server, select the client and
then click Actions → Check client connection. This option is available for any
client registered on the server. The response from this operation can be used to
help diagnose connectivity problems. See Table 19 for possible responses and
suggested actions.
Table 19. Check client connection responses
Response from operation | Meaning and corrective actions
Client id nnn response indicates it is suspended. | The client has been suspended using the scmsuspendclient command. Retry the operation after the client has been resumed.
Client id nnn response indicates it cannot connect to the server. | The server was able to contact the client, but the client cannot communicate with the server. Verify that the port and server names in the client.pref file are correct. Verify that network connectivity exists between the client and the server, and that any firewalls between the client and server are properly configured to permit network communication on the specified ports.
Client id nnn response indicates it cannot connect to the server. The client encountered the following error when attempting to connect to the server: exception-message | The server was able to communicate with the client, but an exception occurred when the client attempted to communicate with the server. Review the error and trace logs on the client and the server to determine the cause of the exception and correct the problem.
AccountingServer (ID=nnn) - com.ibm.jac.JACException: Error connecting to client: Connection refused: connect | The server was able to communicate with the client system, but the client is not running. Start the client and try the operation again.
AccountingServer (ID=nnn) - com.ibm.jac.JACException: Error connecting to client: Operation timed out: connect | The server was unable to communicate with the client system. Verify that the correct host name and IP address are specified for the client. Verify that the client type and port number are correct on the server. Verify that the server name and port number in the client.pref file on the client are correct. Verify that any firewalls between the server and the client are properly configured to permit network communication on the specified ports.
Appendix. Notices
This information was developed for products and services offered in the U.S.A.
IBM may not offer the products, services, or features discussed in this document in
other countries. Consult your local IBM representative for information on the
products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM
product, program, or service may be used. Any functionally equivalent product,
program, or service that does not infringe any IBM intellectual property right may
be used instead. However, it is the user’s responsibility to evaluate and verify the
operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give you
any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
500 Columbus Avenue
Thornwood, NY 10594
U.S.A
For license inquiries regarding double-byte (DBCS) information, contact the IBM
Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any other
country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS
PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or
implied warranties in certain transactions, therefore, this statement may not apply
to you.
This information could include technical inaccuracies or typographical errors.
Changes are periodically made to the information herein; these changes will be
incorporated in new editions of the publication. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this
publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those Web
sites. The materials at those Web sites are not part of the materials for this IBM
product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose
of enabling: (i) the exchange of information between independently created
programs and other programs (including this one) and (ii) the mutual use of the
information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
USA
Such information may be available, subject to appropriate terms and conditions,
including in some cases, payment of a fee.
The licensed program described in this information and all licensed material
available for it are provided by IBM under terms of the IBM Customer Agreement,
IBM International Program License Agreement, or any equivalent agreement
between us.
Customers are responsible for ensuring their own compliance with various laws
such as the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, and the Health
Insurance Portability and Accountability Act. It is the customer’s sole responsibility
to obtain advice of competent legal counsel as to the identification and
interpretation of any relevant laws that may affect the customer’s business and any
actions the customer may need to take to comply with such laws. IBM does not
provide legal, accounting or auditing advice, or represent or warrant that its
products or services will ensure that customer is in compliance with any law.
Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments may
vary significantly. Some measurements may have been made on development-level
systems and there is no guarantee that these measurements will be the same on
generally available systems. Furthermore, some measurement may have been
estimated through extrapolation. Actual results may vary. Users of this document
should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements or other publicly available sources.
IBM has not tested those products and cannot confirm the accuracy of
performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the
suppliers of those products.
All statements regarding IBM’s future direction or intent are subject to change or
withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business
operations. To illustrate them as completely as possible, the examples include the
names of individuals, companies, brands, and products. All of these names are
fictitious and any similarity to the names and addresses used by an actual business
enterprise is entirely coincidental.
If you are viewing this information softcopy, the photographs and color
illustrations may not appear.
Additional notices
THIRD PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND
INFORMATION
The license agreement for this product refers you to this file for details concerning
terms and conditions applicable to third party software code included in this
product, and for certain notices and other information IBM must provide to you
under its license to certain software code. The relevant terms and conditions,
notices and other information are provided or referenced below. Please note that
any non-English version of the licenses below is unofficial and is provided to you
for your convenience only. The English version of the licenses below, provided as
part of the English version of this file, is the official version.
Notwithstanding the terms and conditions of any other agreement you may have
with IBM or any of its related or affiliated entities (collectively “IBM”), the third
party software code identified below are “Excluded Components” and are subject
to the following terms and conditions:
(a) the Excluded Components are provided on an “AS IS” basis;
(b) IBM DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES
AND CONDITIONS WITH RESPECT TO THE EXCLUDED COMPONENTS,
INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF
NON-INFRINGEMENT OR INTERFERENCE AND THE IMPLIED WARRANTIES
AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE;
(c) IBM will not be liable to you or indemnify you for any claims related to the
Excluded Components; and
(d) IBM will not be liable for any direct, indirect, incidental, special, exemplary,
punitive or consequential damages with respect to the Excluded Components.
Notice for Apache Software Foundation
This product includes software developed by the Apache Software Foundation
(http://www.apache.org/).
Trademarks
The following terms are trademarks or registered trademarks of International
Business Machines Corporation in the United States, other countries, or both:
AIX
DB2
DB2 Universal Database
IBM
IBM logo
Lotus
SmartSuite
Tivoli
Tivoli logo
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation
in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered
trademarks of Sun Microsystems, Inc. in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or
both.
UNIX is a registered trademark of The Open Group in the United States and other
countries.
Other company, product, and service names may be trademarks or service marks
of others.
Printed in USA