[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db

From: "Apers, Kim (ISS Brussels)" <KApers@xxxxxxx>

You can also call Tivoli to finetune to reduce the number of logins.

Yes, we can tune the signature with Fusion scripts to exclude the Tivoli
account but what if someone is using then that Tivoli account to login ?
Where is the due diligence (no audit trail)

Why not ask if the agent can use a normal account ?.

The contol of Tivoli is not in my hands. The "policy" for the login account used is global, meaning if they changed it just for me, it will affect 5000 servers that belong to someone else. Tivoli doesn't actually login with a password, it just masquerades as the admin account when it kicks off some processes. One half of it does not require an admin account. However, if we change the account, then it affect all other servers as stated above. The other half of the process the agent uses does require use of an admin account, so it wouldn't help much to only change that. We'd still be flooded. I'm working on a workaround at the moment. The due diligence requirement is the problem with filtering that login entirely. I have to have an audit trail. Considering that most of the logins are on localhost, that is also a problem. If a user logs in with remote desktop software, it appears as a localhost login as well. Tivoli came down as a mandate. I don't have a choice and it is a "standard" and requires the "standard install and configuration". I do not see how these two widely used programs can be used together (with full auditing) in a large environment. I think the multiple logins to kick off processes is pretty lame on IBM's part, however I've always thought that non-existance of good event filters in the policy of the Server/OS Sensor is just as lame. I do not understand why ISS has not recognized this need by now, considering everyone I discuss this with (as an possible product to use for IDS) also mentions the neglect of Server Sensor policy filtering.


Let the new MSN Premium Internet Software make the most of your high-speed experience. http://join.msn.com/?pgmarket=en-us&page=byoa/prem&ST=1

ISSForum mailing list

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo