RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db
From: "Apers, Kim (ISS Brussels)" <KApers@xxxxxxx>
You can also call Tivoli to fine-tune to reduce the number of logins.
Yes, we can tune the signature with Fusion scripts to exclude the Tivoli
account, but what if someone is then using that Tivoli account to log in?
Where is the due diligence (no audit trail)?
Why not ask if the agent can use a normal account?
The control of Tivoli is not in my hands. The "policy" for the login account
used is global, meaning if they changed it just for me, it will affect 5000
servers that belong to someone else. Tivoli doesn't actually log in with a
password, it just masquerades as the admin account when it kicks off some
processes. One half of it does not require an admin account. However, if
we change the account, then it affects all other servers as stated above.
The other half of the process the agent uses does require use of an admin
account, so it wouldn't help much to only change that. We'd still be
flooded. I'm working on a workaround at the moment. The due diligence
requirement is the problem with filtering that login entirely. I have to
have an audit trail. Considering that most of the logins are on localhost,
that is also a problem. If a user logs in with remote desktop software, it
appears as a localhost login as well. Tivoli came down as a mandate. I
don't have a choice and it is a "standard" and requires the "standard
install and configuration". I do not see how these two widely used programs
can be used together (with full auditing) in a large environment. I think
the multiple logins to kick off processes is pretty lame on IBM's part,
however I've always thought that non-existence of good event filters in the
policy of the Server/OS Sensor is just as lame. I do not understand why ISS
has not recognized this need by now, considering everyone I discuss this
with (as a possible product to use for IDS) also mentions the neglect of
Server Sensor policy filtering.