5.4 Using the Asset Compliance View for Evaluation

The Asset Compliance View serves as a starting point for identifying where you might have security issues and provides an overview of your IT assets in relation to policy template results. You can quickly determine which computers or managed groups are not in compliance with your company’s security standards, and whether the vulnerability of those computers poses a high, medium, or low risk.

Once you select a managed group to assess, the Asset Compliance View displays the group’s results on the following tabs:

  • Compliance: Identifies the number of systems that are in compliance, in compliance with exceptions, or out of compliance for the selected policy templates.

  • Risks: Identifies the number of systems with high, medium, and low risk score results for the selected policy templates.

  • Trending: Displays asset compliance and risk score results over time for the selected policy templates.

  • Systems: Provides a table of each system’s risk and compliance status for the selected policy templates, plus access to detailed data per endpoint.

  • Summary: Categorizes system results by security check, policy template, and risk score.

The Asset Compliance View displays your assets according to their location in your user-defined managed groups. You must create managed groups and assign all relevant endpoints to those groups. Also, Secure Configuration Manager populates the graphs and tables only after you run policy templates.

If you assign endpoints of one system to separate managed groups, the Asset Compliance View displays the system’s total policy template results when you select any managed group containing an endpoint from that system. This total includes results from endpoints on this system not included in the managed group. That is, the Asset Compliance View displays results for endpoints that may not be in the selected managed group because those endpoints are part of a system included in the selected managed group. For example, you placed System A’s operating system endpoint into group Houston and System A’s SQL Server endpoint into group Dallas. If you choose to view results for Houston, the Asset Compliance View includes the results for the SQL Server endpoint because it is part of System A.

You can choose to display results from all policy templates or particular templates and specify the time frame for trending results. The Asset Compliance View displays results only for the most recent run of the selected policy template. For example, if you run the NetIQ Audit Settings policy template four times against the same managed group, Secure Configuration Manager displays results only for the fourth template run. For more information about selecting policy templates to view, see Section 5.4.1, Changing Asset Compliance View Settings.

The following table shows where you can learn more about Secure Configuration Manager features related to the Asset Compliance View.

If you want to ...                                                See ...

Learn about policy templates                                      Section 4.2, Understanding Policy Templates
Learn about security checks                                       Section 4.1, Understanding Security Checks
Learn about exceptions for policy template results                Section 5.2, Excluding Data from Report Results
Compare the results of individual endpoints or security checks    Section 5.3, Comparing Report Results
Learn more about endpoint risk scoring in security checks         Section 6.3, Understanding Risk Scoring
Create user-defined groups                                        Section 2.3.1, Creating a Managed Group

To display or hide the Asset Compliance View, click Compliance Overview on the View menu. You can also dock the Asset Compliance View as a tab at the base of the console display by clicking the thumbtack icon.

5.4.1 Changing Asset Compliance View Settings

You can specify whether the Asset Compliance View includes results for particular policy templates or all policy templates. The Asset Compliance View reports results as unknown if you choose to view a policy template that has not been run against the selected managed group.

The Compliance, Risks, Systems, and Summary tabs display the most recent policy template results according to the data retention settings in the Core Services Configuration Utility. By default, Secure Configuration Manager retains results for 90 days. For more information about adjusting the data retention setting, see Section 5.7.2, Configuring Data Settings and the Help for the Core Services Configuration Utility. Also, the Asset Compliance View displays results for the most recent run of the selected policy template. For example, if you run the NetIQ Audit Settings policy template four times against the same managed group, Asset Compliance View displays results only from the fourth template run.

You can also specify the date range and interval (daily, weekly, or monthly) for the trending information. Secure Configuration Manager processes trending data daily at 3:00 a.m. However, the Asset Compliance View displays trend data only for a completed trend interval. That is, if you set the interval to monthly, results for the current month are not included in the trend because the current month is not complete. For more information, see Section 5.4.4, Viewing Trending Information.

To change the Asset Compliance View settings:

  1. On the Go menu, click Asset Overview Pane.

  2. In the Asset Compliance View, click Settings.

  3. Check the check box beside the policy templates whose results you want to view.

  4. (Optional) To view trend data for a specific date range, change the start and end dates.

  5. (Optional) To change the trend interval, select Daily, Weekly, or Monthly.

  6. Click OK.

5.4.2 Viewing Compliance Information

The Compliance tab provides a starting point for determining how well your assets comply with your company’s security standards. You can also compare results on the Compliance and Risks tabs to evaluate the vulnerability of assets in your enterprise.

Understanding Compliance Status Charts

The Compliance Status chart summarizes the policy compliance of all IT assets in the selected managed group, while the Compliance Details graph displays the compliance results for the next lower level of the managed group. The next lower level can be more managed groups or individual endpoints, depending on the selected managed group. You can drill down to the endpoint level. For example, you have a managed group called Texas which includes managed groups for Houston, Dallas, and San Antonio and each of these managed groups includes many systems. If you select Texas, the Compliance Status chart summarizes the status of all systems in Texas and the Compliance Details graph displays compliance for the Houston, Dallas, and San Antonio groups. If you want to review more specific compliance results, select one of the lower level managed groups, such as Houston. The Compliance Details graph then displays details for the systems or groups within the Houston managed group. You can drill down to the endpoint level on the Compliance Details graph.

Classifying Compliance Results

Secure Configuration Manager classifies compliance results as in compliance, in compliance with exceptions, out of compliance, or unknown compliance. Secure Configuration Manager defines these classifications as follows:

  • An in compliance score indicates the system’s risk score is lower than the out-of-compliance risk score range defined for each policy template.

  • An in compliance with exceptions score applies when an endpoint, group, or security check includes waivers to prevent conditions from causing a violation in the reported results.

  • If a system is out of compliance, its risk score is equal to or greater than the out-of-compliance risk score range defined for each policy template. For more information about out-of-compliance settings, see Section 5.7.2, Configuring Data Settings.

  • An unknown compliance score applies to systems that do not have data collected during the specified time period. Data may not be available because the policy template was not run for an endpoint, Secure Configuration Manager was unable to connect to the agent, or an endpoint returned errors.

The Compliance Status and Details charts display results per system, not endpoint. Therefore, if a system has multiple endpoints, such as an operating system and a database, and one of those endpoints fails a security check within the selected policy template, the system is labeled out of compliance. Similarly, if Secure Configuration Manager reports unknown results for one endpoint in a system, the Asset Compliance View labels the system’s results as unknown compliance. To determine exactly where an endpoint falls out of compliance or has unknown results, click the Systems tab. For more information, see Section 5.4.5, Viewing Systems Information.

If you run a policy template for a non-applicable endpoint, the Asset Compliance View ignores results for that endpoint. For example, you created a managed group including both SQL Server and UNIX endpoints. Secure Configuration Manager ignores the UNIX endpoints when running checks against the SQL Server endpoints in that managed group. The report indicates the checks do not apply to the UNIX endpoints.

For more information about security check and policy template results, see Section 4.1, Understanding Security Checks. For more information about evaluating asset compliance over time, see Section 5.4.4, Viewing Trending Information.

To view Asset Compliance information:

  1. On the Go menu, click Asset Overview Pane.

  2. In the left pane, click IT Assets.

  3. In the IT Assets tree pane, expand Managed Groups > My Groups.

  4. Under My Groups, select the group for which you want to view assets. You can drill down to an endpoint to obtain details about that particular system.

  5. In the Asset Compliance View, click Settings.

  6. Select the check box beside the policy templates whose results you want to view.

  7. In the Asset Compliance View, click Compliance.

  8. (Conditional) If you have run policy templates recently, click Refresh to update the displayed information.

  9. (Optional) To determine the number of systems in or out of compliance for the selected group and policy templates, place your cursor over the appropriate section of the Compliance Status chart.

5.4.3 Viewing Risks Information

When you run a policy template, Secure Configuration Manager evaluates each selected endpoint for each applicable security check in the template, and assigns a risk score for each endpoint. With the Asset Compliance View, you can review risk score results for multiple policy templates run against multiple endpoints. The Risks tab helps you determine how many systems in the selected asset group constitute a high risk to your security. You can also compare these results with the number of non-compliant systems to evaluate the vulnerability of assets in your enterprise. For more information about risk scores, see Section 6.3, Understanding Risk Scoring.

Understanding Risk Status Charts

The Risk Status chart summarizes the risk results of all computers in the selected managed group, while the Risk Details graph displays the risk results for the next lower level of the managed group. The next lower level can be more managed groups or individual endpoints, depending on the selected managed group. For example, you have a managed group called Texas which includes managed groups for Houston, Dallas, and San Antonio, and each of these managed groups includes many systems. If you select Texas, the Risk Status chart summarizes the status of all systems in Texas and the Risk Details graph displays risk status for Houston, Dallas, and San Antonio. If you want to review more specific risk results, select one of the lower level managed groups, such as Houston. The Risk Details graph then displays details for the systems or groups within the Houston managed group.

You can drill down to the endpoint level on the Risk Details graph. If you want to view the importance assigned to an endpoint in the selected managed group, you can select that endpoint on the pane above the Asset Compliance View in the console. Then, right-click the endpoint and select Properties. In addition, the Systems tab enables you to determine exactly where the endpoint falls out of compliance and poses a high risk. For more information, see Section 5.4.5, Viewing Systems Information.

Classifying Risk Results

The Risk Status and Details charts display results per system, not endpoint. Therefore, if a system has multiple endpoints, such as an operating system and a database, and one of those endpoints poses a high risk for the selected policy template, the system’s risk is labeled high to ensure that the system receives appropriate attention for its potential vulnerability. For example, if a system includes a SQL Server database with a high risk and a Windows operating system with a medium risk, the system’s managed risk is reported as high. Similarly, if Secure Configuration Manager reports unknown results for one endpoint in a system and no endpoint in the system is a high risk, the Asset Compliance View labels the system’s results as unknown. To determine exactly where an endpoint has a high risk or unknown results, click the Systems tab.

If you run a policy template against a non-applicable endpoint, the Asset Compliance View ignores results for that endpoint. For example, you created a managed group including both SQL Server and UNIX endpoints. Secure Configuration Manager ignores the UNIX endpoints when running checks against the SQL Server endpoints in that managed group. The report indicates the checks do not apply to the UNIX endpoints.

For more information about risk scores, see Section 6.3, Understanding Risk Scoring. For more information about evaluating risk score results over time, see Section 5.4.4, Viewing Trending Information.
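
The per-system rollup described under Classifying Compliance Results and Classifying Risk Results, combined with the managed-group behavior from the start of Section 5.4, as an added Python sketch that is not Secure Configuration Manager code. The status labels, sample data, and function names are constructed for illustration; ranking out of compliance above unknown, and exceptions above in compliance, is an assumption this guide does not state.

```python
from collections import defaultdict

# Precedence used when rolling endpoint results up to one system (worst first).
# Risk order follows the guide: high wins, then unknown, then medium, then low.
RISK_ORDER = ["high", "unknown", "medium", "low"]
# Assumption: the guide does not rank "out of compliance" against "unknown";
# this sketch mirrors the risk rule and lets "out" win.
COMPLIANCE_ORDER = ["out", "unknown", "exceptions", "in"]

# Constructed sample data: (system, endpoint, managed group, compliance, risk).
# "n/a" marks a template that does not apply to the endpoint type.
ENDPOINTS = [
    ("SystemA", "Windows OS", "Houston", "in", "medium"),
    ("SystemA", "SQL Server", "Dallas", "out", "high"),
    ("SystemB", "Windows OS", "Houston", "in", "low"),
    ("SystemB", "SQL Server", "Houston", "unknown", "unknown"),
    ("SystemC", "UNIX", "Dallas", "n/a", "n/a"),
    ("SystemC", "SQL Server", "Dallas", "exceptions", "low"),
]


def worst(values, order):
    """Return the highest-precedence value, ignoring non-applicable results."""
    applicable = [v for v in values if v != "n/a"]
    if not applicable:
        return "unknown"  # assumption: nothing applicable means no data
    return min(applicable, key=order.index)


def rollup(endpoints):
    """Collapse endpoint rows into one (compliance, risk) pair per system."""
    by_system = defaultdict(list)
    for system, _ep, _group, compliance, risk in endpoints:
        by_system[system].append((compliance, risk))
    return {
        system: (
            worst([c for c, _ in rows], COMPLIANCE_ORDER),
            worst([r for _, r in rows], RISK_ORDER),
        )
        for system, rows in by_system.items()
    }


def view_for_group(endpoints, group):
    """Systems shown for a managed group, with their whole-system results.

    A system appears if any of its endpoints is in the group, and its status
    covers all of its endpoints, including those assigned to other groups.
    """
    members = {system for system, _ep, g, _c, _r in endpoints if g == group}
    totals = rollup(endpoints)
    return {system: totals[system] for system in sorted(members)}


def hidden_contributors(endpoints, group):
    """Endpoints outside the group whose results still affect its view."""
    members = {system for system, _ep, g, _c, _r in endpoints if g == group}
    return [(s, ep, g) for s, ep, g, _c, _r in endpoints
            if s in members and g != group]


if __name__ == "__main__":
    for name, status in view_for_group(ENDPOINTS, "Houston").items():
        print(name, status)
    print(hidden_contributors(ENDPOINTS, "Houston"))
```

When a managed group shows a red system but none of its own endpoints fail, listing the hidden contributors points to the endpoint in another group that drives the result.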

To view Risks information:

  1. On the Go menu, click Asset Overview Pane.

  2. In the left pane, click IT Assets.

  3. In the IT Assets tree pane, expand Managed Groups > My Groups.

  4. Under My Groups, select the managed group for which you want to view assets.

  5. In the Asset Compliance View, click Settings.

  6. Select the check box beside the policy templates for which you want to view results.

  7. In the Asset Compliance View, click Risks.

  8. (Conditional) If you have recently run policy templates, click Refresh to update the displayed information.

  9. (Optional) To determine the number of systems per risk type for the selected group and policy templates, place your cursor over the appropriate section of the Risks Status chart.

5.4.5 Viewing Systems Information

The Systems tab provides a table of each system’s risk and compliance status for each selected policy template. From the Systems table, you can drill down to security check results per endpoint to determine exactly how the endpoint falls out of compliance or poses a high risk. You can export the Systems table to a printer, email recipient, or file. You can also email policy template results for a specific endpoint.

Viewing the Systems Table

The Systems tab provides a sortable table of the systems, endpoints, templates, and security checks associated with the selected managed group and policy templates. The table includes the risk and compliance status per endpoint. With this view, you can identify the endpoints that have high risk scores or that failed security checks. Once you identify problem systems, you can develop a plan to mitigate their misconfigurations.

To help you quickly identify whether a system complies with the selected policy templates, the Systems table uses color to indicate compliance (green), compliance with exceptions (yellow), non-compliance (red), and unknown status (gray). The table identifies each system, endpoint, and policy template by name. It also specifies the risk and compliance status for each endpoint-policy template combination. Total risk indicates the exposure score of the endpoint multiplied by the asset importance ranking. Managed risk indicates the total risk score for an endpoint based on how well the endpoint matches expected security settings.

You can organize the table by dragging a column header to the top of the table. For example, if you want to view all computers according to their compliance status, you can drag the Compliance header to the space above the table.

Also, you can export the Systems table to a printer, email recipient, or file. For more information, see Section 5.4.7, Distributing Asset Compliance Information.

To view the Systems table:

  1. On the Go menu, click Asset Overview Pane.

  2. In the left pane, click IT Assets.

  3. In the IT Assets tree pane, expand Managed Groups > My Groups.

  4. Under My Groups, select the group whose assets you want to view.

  5. In the Asset Compliance View, click Settings.

  6. Select the check box beside the policy templates for which you want to view results.

  7. In the Asset Compliance View, click Systems.

  8. (Conditional) If you have run policy templates recently, click Refresh to update the displayed information.

  9. (Optional) To distribute the Systems table to a printer, email recipient, or file, click Print. For more information, see Section 5.4.7, Distributing Asset Compliance Information.

Viewing Detailed Data for an Endpoint

From the Systems table, you can select a specific endpoint to evaluate results for all security checks in the selected policy template. The detailed data identifies the endpoint and policy template and provides a list of security checks included in the policy template. You can select a security check in the left pane to display such details as the expected and actual values, the managed and total risk scores, and the threat factor.

To view endpoint details:

  1. On the Go menu, click Asset Overview Pane.

  2. In the left pane, click IT Assets.

  3. In the IT Assets tree pane, expand Managed Groups > My Groups.

  4. Under My Groups, select the group whose assets you want to view.

  5. In the Asset Compliance View, click Settings.

  6. Select the check box beside the policy templates for which you want to view results.

  7. In the Asset Compliance View, click Systems.

  8. (Conditional) If you have run policy templates recently, click Refresh to update the displayed information.

  9. Double-click the endpoint for which you want to view details.

Sending an Endpoint Compliance Email

To quickly act upon misconfigurations found in the Asset Compliance View, you can send an email about an endpoint’s compliance status. The email text contains the endpoint name, policy template name, and the endpoint’s compliance status for the selected template.

NOTE: To send asset compliance information to an email recipient, ensure that you have specified a mail server for Secure Configuration Manager to use to send email. You can specify a mail server using the Core Services Configuration Utility.

To send an endpoint compliance email:

  1. On the Go menu, click Asset Overview Pane.

  2. In the left pane, click IT Assets.

  3. In the IT Assets tree pane, expand Managed Groups > My Groups.

  4. Under My Groups, select the group whose assets you want to view.

  5. In the Asset Compliance View, click Settings.

  6. Select the check box beside the policy templates for which you want to view results.

  7. In the Asset Compliance View, click Systems.

  8. Right-click the endpoint whose policy template status you want to send to an email recipient, and then click Email.

  9. Enter the recipient’s email address, and then click Send.

5.4.6 Viewing Summary Information

The Asset Compliance View includes a numerical assessment for groups of systems so you can determine how many systems meet your secure configuration policies. The Summary tab enables you to determine the quantity of systems in the selected managed group that:

  • Passed or failed the security checks in the selected policy templates

  • Pose a high security risk

  • Do or do not comply with the selected policy templates

To help you quickly identify a system’s status for the selected policy templates, the summary table rows are color-coded. The table below shows the colors associated with the status of security checks, policy template compliance, and risk scores.

Row Color    Indicates

Green        Passed, in compliance, or low risk
Yellow       Passed with exceptions, in compliance with exceptions, or medium risk
Red          Failed, out of compliance, or high risk
Gray         Unknown status

The Summary table displays cumulative values for the selected policy templates. Secure Configuration Manager calculates the Policy Compliance values by counting the total number of systems per compliance status for all selected policy templates. For example, you ran a policy template on 100 systems. Of those systems, 12 are in compliance, 40 are out of compliance, 28 are in compliance with exceptions, and 20 are unknown. Similarly, Security Risks values equal the total number of systems per risk status for all the selected policy templates. Secure Configuration Manager calculates the Failed Checks value as expressed in the following equation:

Failed Checks = Number of systems * Number of checks

For example, you ran a policy template on 100 systems and 20 of those systems failed two checks each for a total of 40 failed checks. The Failed Systems and Check Count is 100 * 40 = 4,000. Secure Configuration Manager applies the equation for each type of check result: passed, passed with exceptions, failed, and unknown.

All endpoints, such as an operating system and a database, on one computer qualify as one system and are scored as one unit. If the database endpoint fails a security check while the operating system endpoint passes the same check, the system is counted as failed or out of compliance. Similarly, if one of the endpoints scores a high risk value, the system is considered a high risk. For more information about compliance results in the Asset Compliance View, see Section 5.4.2, Viewing Compliance Information. For more information about risk results in the Asset Compliance View, see Section 5.4.3, Viewing Risks Information.

You can export the Summary table to a printer, email recipient, or file. For more information about printing, emailing, or exporting the Summary data, see Section 5.4.7, Distributing Asset Compliance Information.

To view summary information:

  1. Enable the Asset Compliance View tab.

  2. In the left pane, click IT Assets.

  3. In the IT Assets tree pane, expand Managed Groups > My Groups.

  4. Under My Groups, select the group whose assets you want to view.

  5. In the Asset Compliance View, click Settings.

  6. Select the box beside the policy templates for which you want to view results.

  7. In the Asset Compliance View, click Summary.

  8. (Conditional) If you have run policy templates recently, click Refresh to update the displayed information.

  9. (Optional) To distribute the Summary table to a printer, email recipient, or file, click Print. For more information, see Section 5.4.7, Distributing Asset Compliance Information.

5.4.7 Distributing Asset Compliance Information

Secure Configuration Manager allows you to export the Systems and Summary tables to a printer, email recipient, or file that you can then distribute to your organization.

NOTE:

  • To distribute asset compliance information, you must install the Secure Configuration Manager console on the same drive where you installed Core Services.

  • To distribute asset compliance information in Excel format, Microsoft Excel must be installed on the Core Services computer. For more information, see the Installation Guide for NetIQ Secure Configuration Manager.

  • To send asset compliance information to an email recipient, ensure that you have specified a mail server for Secure Configuration Manager to use to send email. You can specify a mail server using the Core Services Configuration Utility.

To distribute Asset Compliance information:

  1. Enable the Asset Compliance View tab.

  2. In the left pane, click IT Assets.

  3. In the IT Assets tree pane, expand Managed Groups > My Groups.

  4. Under My Groups, select the managed group for which you want to distribute information.

  5. In the Asset Compliance View, click Settings.

  6. Select the box beside the policy templates for which you want to view results.

  7. In the Asset Compliance View, click Summary or Systems, depending on which table you want to distribute.

  8. (Conditional) If you have run policy templates recently, click Refresh to update the Asset Compliance View information.

  9. Click Print to display a preview of the data.

  10. (Optional) To export the data to a file, complete the following steps:

    1. On the Preview File menu, click the arrow beside Export Document, and then select the appropriate file format. For example, select PDF File.

    2. Complete the export options associated with your chosen file format, and then click OK.

    3. Choose a file name, and then click Save.

    4. Specify whether you want to open the file.

  11. (Optional) To send the data to an email recipient, complete the following steps:

    1. On the Preview File menu, click the arrow beside Send via E-Mail, and then select the appropriate file format. For example, select RTF File.

    2. Complete the export options associated with your chosen file format, and then click OK.

    3. Choose a file name, and then click Save.

    4. Follow the steps in the email wizard.

  12. (Optional) To print the data, click Print on the Preview File menu.