B.3 Creating and Managing Baselines

Creating and managing baselines is an ongoing process. Review the following steps for working with baselines in your Secure Configuration Manager environment:

  1. Determine the criteria you are interested in monitoring on your target endpoints and use those criteria to define the necessary baseline criteria sets. You can create baseline criteria sets from scratch, or you can use existing security checks as the basis for a new baseline criteria set. For more information, see Defining Baseline Criteria or Creating Baseline Criteria Sets from Security Checks.

  2. Create one or more baseline collections. A baseline collection includes one or more baseline criteria sets. For more information, see Creating Baseline Collections.

  3. Establish baselines for your target endpoints using the baseline criteria sets and baseline collections. For more information, see Establishing a Baseline.

  4. Run the Compare Baseline security check on your target endpoints on a regular basis to report changes from the established baseline. You can set a schedule for the check by adding the check to a policy template. For more information, see Running a Baseline Comparison Check.

  5. Evaluate the data from the baseline comparison report. Depending on the results of the baseline comparison, do one of the following:

    1. (Conditional) If you approve the changes that have been made to your endpoints, you can update the established baseline. Re-establishing a baseline sets a new standard for future comparison. For more information, see Updating a Baseline.

    2. (Conditional) If you do not approve the changes that have been made to your endpoints, you can take the appropriate action according to your security policies to address those changes. For example, you can correct vulnerabilities by creating and running tasks on specific resources using Secure Configuration Manager, or you can use native tools.

  6. As you add or remove endpoints or make changes to asset groups in your environment, review your scheduled baseline checks to ensure that they are collecting data from all appropriate endpoints.

    NOTE: The baseline check resides on the agent. If you establish a baseline against an asset group and then add endpoints to that group, by default the Compare Baseline check continues to run against the original group because the check is not aware of changes to the group. If you make frequent changes to your asset groups, it is a good idea to run the Compare Baseline check against individual endpoints instead of asset groups.

You should run the List Baselines check on a regular basis to review the established baselines on your endpoints and make any necessary changes to your criteria sets. For more information, see Creating a List of Baselines for a Target Endpoint.

B.3.1 Working with Baseline Criteria

Baseline criteria are the building blocks for baseline collections. When creating baseline criteria sets, it is a good idea to experiment and run baseline criteria sets individually to ensure that they are collecting the appropriate information. However, in your production environment, adding criteria sets to a baseline collection is a more efficient approach. When you combine criteria sets in a collection, each criteria set represents a separate named baseline, but you can run a single report for multiple baselines at the same time.

Defining Baseline Criteria

The first step in the baseline process is to define the set of criteria or attributes you want to use to establish a baseline standard for your target endpoints. You select the platform and the object (for example, files or kernel parameters) that you want to check. Then you select the attributes to be displayed in the report, as well as the attributes to be used for correlation and comparison. An object is the logical representation of security data collected by agents. Attributes describe the quality of each object. For more information about objects and attributes, see Understanding How Agents Identify Data to Collect.

To define a baseline criteria set:

  1. In the left pane, click Baselines.

  2. In the Baselines pane, right-click Criteria, and then click New Baseline Criteria.

  3. Select the appropriate platform for the baseline criteria based on your target endpoints.

  4. Follow the instructions in the wizard to define the baseline criteria set.

    NOTE: Do not use the special characters ?>"|< in the baseline criteria set name. When you use one of these special characters, the completed baseline report displays an error rather than baseline data.

  5. Repeat Step 1 through Step 4 as needed to create additional baseline criteria sets.

Once you have defined a single baseline criteria set, you can establish a baseline. Or, you can create additional baseline criteria sets and then combine them in a baseline collection. For more information, see Creating Baseline Collections and Establishing a Baseline.

Creating Baseline Criteria Sets from Security Checks

In addition to creating baseline criteria sets from the Baselines section of the tree pane, you can create baseline criteria sets directly from security checks. This capability allows you to leverage the object types, attributes, and parameters already specified in security checks as the basis for a new baseline criteria set. Your baseline criteria set can match the security check precisely, or you can use it as a starting point, and make any necessary adjustments using the Baseline Criteria Set wizard.

You can create a baseline criteria set from any editable check, including those that are part of a policy template. However, you cannot create a baseline criteria set directly from a policy template.

NOTE:

  • You cannot name your baseline criteria set the same as the security check on which it is based. The name of the baseline criteria set must be unique.

  • Do not use the special characters ?>"|< in the baseline criteria set name. When you use one of these special characters, the completed baseline report displays an error rather than baseline data.

To create a baseline criteria set from a security check:

  1. In the left pane, click Security Knowledge.

  2. In the Security Knowledge tree pane, expand Security Checks > NetIQ Checks.

  3. Select the appropriate platform and node.

  4. In the content pane, right-click the security check for which you want to create a baseline criteria set, then click Create Baseline Criteria.

  5. Follow the instructions in the wizard to create the baseline criteria set.

Once you complete the wizard, you can see your new baseline criteria set in the Baselines > Criteria section of the tree pane.

Modifying Baseline Criteria

After you define baseline criteria sets, you can modify them any time to meet the unique auditing requirements of your company assets.

You can also revise an existing baseline to match the current characteristics of a target endpoint. For more information, see Updating a Baseline.

To modify a baseline criteria set:

  1. In the left pane, click Baselines.

  2. In the Baselines pane, select Criteria.

  3. Select the appropriate platform and category for the criteria set.

  4. In the content pane, right-click the named criteria set you want to modify and then click Edit.

  5. Follow the instructions to edit the baseline criteria set.

Deleting Baseline Criteria

You can delete a baseline criteria set if you no longer need it, for example, if changes to your assets make a criteria set obsolete.

NOTE: If you want to delete a baseline criteria set that is part of a baseline collection, you must first edit the baseline collection to remove the unnecessary baseline criteria set. Once the baseline criteria set is no longer part of any collection, you can delete the baseline criteria set. For more information about editing the baseline collection, see Modifying Baseline Collections.

To delete a baseline criteria set:

  1. In the left pane, click Baselines.

  2. In the Baselines pane, select Criteria.

  3. Select the appropriate platform and category for the criteria set.

  4. In the content pane, right-click the baseline criteria set you want to delete, and then click Delete.

  5. Click Yes on the confirmation message.

Exporting Baseline Criteria

After you have created baseline criteria sets, you can export them as .bsl files. Exporting baseline criteria sets allows you to restore this data in case it is changed incorrectly. You can also import this data to a different Core Services computer.

To export a baseline criteria set:

  1. In the left pane, click Baselines.

  2. In the Baselines pane, select Criteria.

  3. Select the appropriate platform and category for the criteria set.

  4. In the content pane, right-click the baseline criteria set you want to export, and then click Export Baseline Criteria.

  5. Select a folder in which you want to save the exported baseline criteria set.

  6. Click Save.

Importing Baseline Criteria

You can import baseline criteria sets that you previously exported from the current Core Services computer, or from another Core Services computer. You can use this feature, for example, to restore a baseline criteria set that was changed incorrectly. If a baseline criteria file with the same name already exists, Secure Configuration Manager gives you the option to overwrite the existing file.

To import a baseline criteria set:

  1. In the left pane, click Baselines.

  2. In the Baselines pane, right-click Criteria, and then click Import Baseline Criteria.

  3. Select the baseline criteria (.bsl) files you want to import and click Open.

B.3.2 Working with Baseline Collections

Once you have defined one or more baseline criteria sets, you can create a baseline collection. Baseline collections are not required, but they offer the same benefits as working with policy templates. For example, you could use more than one instance of the same criteria set in a single baseline collection to check different parameters.

Creating Baseline Collections

You can create a baseline collection from a single set or multiple sets of baseline criteria.

To create a baseline collection:

  1. In the left pane, click Baselines.

  2. In the Baselines tree pane, right-click Collection, and then click New Baseline Collection.

  3. Follow the instructions in the wizard to build the baseline collection.

    NOTE: Do not use the special characters ?>"|< in the baseline name. When you use one of these special characters, the completed baseline report displays an error rather than baseline data.

Modifying Baseline Collections

After you create a baseline collection, you can modify it any time to meet the changing needs of your environment. For example, you may need to add baseline criteria sets to a collection you created for a group of assets after you install new software on those computers.

To modify a baseline collection:

  1. In the left pane, click Baselines.

  2. In the Baselines tree pane, select Collection.

  3. In the content pane, right-click the baseline collection you want to modify, and then click Edit.

  4. Follow the instructions in the wizard to modify the baseline collection.

Deleting Baseline Collections

You can delete a baseline collection if you no longer need it, for example, if changes in your environment have made the collection obsolete.

To delete a baseline collection:

  1. In the left pane, click Baselines.

  2. In the Baselines tree pane, select Collection.

  3. In the content pane, right-click the baseline collection you want to delete, and then click Delete.

  4. Click Yes on the confirmation message.

Exporting Baseline Collections

After you have created baseline collections, you can export them as .bcl files. Exporting baseline collections allows you to restore this data in case it is changed incorrectly. You can also import this data to a different Core Services computer.

To export a baseline collection:

  1. In the left pane, click Baselines.

  2. In the Baselines tree pane, select Collection.

  3. In the content pane, select the baseline collection you want to export, and then click Export Baseline Collection.

  4. Select a folder in which you want to save the exported baseline collection.

  5. Click Save.

Importing Baseline Collections

You can import baseline collections that you previously exported from the current Core Services computer, or from another Secure Configuration Manager Core Services computer. You can also use this feature to restore a baseline collection that was changed incorrectly. If a baseline collection file with the same name already exists, Secure Configuration Manager gives you the option to overwrite the existing file.

To import a baseline collection:

  1. In the left pane, click Baselines.

  2. In the Baselines tree pane, right-click Collection and then click Import Baseline Collection.

  3. Select the baseline collection (.bcl) files you want to import and click Open.

B.3.3 Establishing a Baseline

After creating a baseline criteria set or a baseline collection, you can establish a baseline for target endpoints. You can use either or both of the following methods as appropriate:

  • Add a single set or multiple sets of baseline criteria to a baseline collection and then establish the baseline using that baseline collection.

  • Create a baseline criteria set and then establish the baseline directly from that criteria set.

When you establish a baseline, ensure that you enter a unique and easily identifiable name for the baseline. If you do not enter a name, Secure Configuration Manager provides a default name using the name of the criteria set and the current date and time. In a large environment with multiple baselines, being able to easily identify your baselines simplifies management and reporting tasks.

NOTE: Do not use the special characters ?>"|< in the baseline name. When you use one of these special characters, the completed baseline report displays an error rather than baseline data.

It is also a good idea to note which endpoints you are using when you establish a baseline. Since baselines reside on the agents, when you run the Compare Baseline check, Secure Configuration Manager does not automatically populate the check with the endpoints you selected for the original baseline. However, you can generate a list of the baselines established on all your endpoints by running the List Baselines check if necessary.

To establish a baseline:

  1. (Conditional) To establish a baseline from a baseline collection, perform the following steps:

    1. In the left pane, click Baselines.

    2. In the Baselines tree pane, select Collection.

    3. In the content pane, right-click the collection you want to use and then click Establish Baseline.

    4. Follow the instructions in the wizard to establish the baseline.

  2. (Conditional) To establish a baseline from a single criteria set, perform the following steps:

    1. In the left pane, click Baselines.

    2. In the Baselines tree pane, select Criteria.

    3. Select the appropriate platform and category for the criteria set.

    4. In the content pane, right-click the criteria set you want to use and then click Establish Baseline.

    5. Follow the instructions in the wizard to establish the baseline.

  3. Review your asset groups and establish additional baselines as needed.

For more information about baseline collections, see the Baseline Collection wizard Help. For more information about baseline criteria, see the Baseline Criteria wizard Help.

B.3.4 Running a Baseline Comparison Check

Secure Configuration Manager provides a built-in, platform-independent security check called Compare Baseline. Running the Compare Baseline check generates a report on any changes on your target endpoints or asset groups against your established baselines. You can report on a single baseline or multiple baselines.

You can run baseline comparison checks as needed, or you can create a regular schedule by adding them to a policy template. For more information about scheduling a baseline comparison check, see Scheduling a Baseline Comparison Check.

NOTE: When running a baseline comparison check, you must enter the Baseline Name parameter in the proper text case for the check to recognize the existing baseline.

To run a baseline comparison:

  1. (Conditional) To report on a single baseline immediately, run the Compare Baseline check as an individual security check:

    1. In the left pane, click Baselines.

    2. In the Baselines tree pane, select Management.

    3. In the content pane, right-click Compare Baseline and then click Run Security Checks.

    4. Follow the instructions in the wizard to select the established baseline and the endpoints against which you want to run the baseline comparison.

  2. (Conditional) To report on multiple baselines, add multiple instances of the Compare Baseline check to a policy template and then run the policy template. For more information about using policy templates, see Understanding Policy Templates.

B.3.5 Scheduling a Baseline Comparison Check

To run a baseline comparison check on a regular schedule, you must perform two steps: add the baseline comparison check to a policy template, and then set the scheduling parameters using the Run Policy Template wizard.

To schedule a Baseline Comparison check:

  1. In the left pane, click Security Knowledge.

  2. In the Security Knowledge pane, right-click Policy Templates and then click New Policy Template.

  3. Select Baseline Management from the options list.

  4. In the Available Checks pane, expand Common > Baseline Management.

  5. Select Compare Baseline and click > to add the security check to the Selected Checks pane, and then click Next.

  6. Follow the remaining instructions to complete the Policy Template wizard.

  7. In the left pane, select Security Knowledge.

  8. In the Security Knowledge pane, expand Policy Templates > My Templates.

  9. Right-click the appropriate baseline comparison template, and then click Run Policy Template.

  10. Follow the instructions in the wizard.

  11. In the Schedule window, select Enable Schedule, and then specify the scheduling parameters.

  12. (Optional) To have the baseline comparison run on a recurring basis, click Recurring.

    1. Click Schedule Recurrence to define how often you want to run the baseline comparison.

    2. In the Recurrence Job Schedule window, specify the frequency and duration for which the baseline comparison will run.

  13. Follow the remaining instructions in the Run Policy Template wizard.

B.3.6 Deleting a Baseline

When you no longer need a baseline, you can delete that baseline.

To delete a baseline:

  1. In the left pane, click Baselines.

  2. In the Baselines pane, select Management.

  3. In the content pane, right-click Remove Baseline and then click Run Security Checks.

  4. Follow the instructions to delete the baseline.

B.3.7 Updating a Baseline

Once you have established a baseline, you may need to update it to set a new standard for your target endpoints using the target endpoints’ current characteristics. When you update a baseline, you re-establish the baseline with the same criteria sets. For example, you originally established a baseline for Endpoint A with four active user accounts, but that endpoint now supports eight user accounts. Rather than having Endpoint A regularly fail the established baseline, you can update the baseline for Endpoint A so that eight user accounts become the standard for the baseline.

You can also edit the baseline’s criteria. For more information, see Modifying Baseline Criteria.

To update an established baseline:

  1. In the left pane, click Baselines.

  2. In the Baselines tree pane, select Management.

  3. In the content pane, right-click Update Baseline and then click Run Security Checks.

  4. Using the same baseline criteria sets or collections, establish a new baseline on the same target endpoints. For more information, see Establishing a Baseline.
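The establish, compare and update cycle described under Defining Baseline Criteria and in this section, as an added Python model that is not Secure Configuration Manager's own code or data format: objects are matched across runs by their correlation attributes, drift is judged only on the comparison attributes, names are rejected if they contain the forbidden characters ?>"|<, and baseline lookup on the agent is case-sensitive as the Compare Baseline note warns. The user-account records and the criteria set are constructed sample data.

```python
from dataclasses import dataclass

# Characters the NOTE boxes on this page forbid in baseline and criteria set names.
FORBIDDEN_NAME_CHARS = frozenset('?>"|<')


@dataclass(frozen=True)
class CriteriaSet:
    """A baseline criteria set: attributes that identify the same object across runs
    (correlate) and attributes whose change counts as drift (compare)."""
    name: str
    correlate: tuple
    compare: tuple


def validate_name(name):
    """Reject names containing characters the completed report cannot handle."""
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        raise ValueError(f"name {name!r} contains forbidden characters {''.join(bad)}")
    return name


def _snapshot(objects, criteria):
    """Index collected objects by correlation attributes, keeping only compare attributes."""
    return {tuple(obj[a] for a in criteria.correlate): {a: obj[a] for a in criteria.compare}
            for obj in objects}


class Agent:
    """Baselines reside on the agent and are looked up by exact, case-sensitive name."""

    def __init__(self):
        self.baselines = {}

    def establish(self, name, criteria, objects):
        """Establish a baseline; calling again with the same name re-establishes (updates) it."""
        self.baselines[validate_name(name)] = _snapshot(objects, criteria)

    def compare(self, name, criteria, objects):
        """Compare Baseline: report objects added, removed, or changed since establishment."""
        if name not in self.baselines:  # 'Accounts' and 'accounts' are different baselines
            raise KeyError(f"no baseline named {name!r} on this agent")
        base, now = self.baselines[name], _snapshot(objects, criteria)
        return {
            "added": sorted(k for k in now if k not in base),
            "removed": sorted(k for k in base if k not in now),
            "changed": sorted(k for k in now if k in base and now[k] != base[k]),
        }


def demo():
    """Endpoint A from Updating a Baseline: four accounts at establishment, eight later."""
    criteria = CriteriaSet("Local User Accounts", correlate=("username",),
                           compare=("enabled", "is_admin"))
    users = [{"username": u, "enabled": True, "is_admin": u == "admin"}  # constructed sample data
             for u in ("admin", "alice", "bob", "svc_backup")]
    agent = Agent()
    agent.establish("EndpointA-Accounts", criteria, users)
    later = [dict(u) for u in users] + [{"username": u, "enabled": True, "is_admin": False}
                                        for u in ("carol", "dave", "erin", "svc_monitor")]
    later[3]["is_admin"] = True  # svc_backup was quietly made an administrator
    drift = agent.compare("EndpointA-Accounts", criteria, later)
    agent.establish("EndpointA-Accounts", criteria, later)  # changes approved: update baseline
    return drift, agent.compare("EndpointA-Accounts", criteria, later)
```

The first report from demo() lists the four new accounts as added and svc_backup as changed; after the baseline is re-established the same data compares clean.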

B.3.8 Creating a List of Baselines for a Target Endpoint

In a large or complex environment, you may have several baselines for a single endpoint. Secure Configuration Manager provides the List Baselines check you can run to generate a list of all established baselines for a target endpoint. You can also use this check to report on baselines for multiple endpoints.

To create a list of all baselines for a target endpoint:

  1. In the left pane, click Baselines.

  2. In the Baselines tree pane, select Management.

  3. In the content pane, right-click List Baselines and then click Run Security Checks.

  4. Follow the instructions to select the target endpoints and run the report.