Understanding CCS Data Storage


Article ID: 180961


Products

Control Compliance Suite Windows

Issue/Introduction

 

Resolution

 

This article contains the following topics:
 
 
The following table lists data that is stored in ADAM, in the database, or in both:

ADAM
  • Asset-related objects
      o Asset, asset objects, asset reconciliation rules, site, tags
  • Standard
      o Predefined/customer standards, sections, checks, algorithms
  • Hierarchical dashboards
  • Dynamic dashboards
  • Licenses
  • Roles and Permissions
Database
  • Job results
ADAM and database
  • Data collection, evaluation, report
  • Entitlements
  • Exceptions
  • Policies
 
The following tasks will help you understand the objects and their locations.
You can create a query using ADSIEdit. To create a query, do the following:

1.       Right-click the DefaultNaming context > New > Query.
2.       Specify a name.
3.       Select the root by enumerating to the Asset System container as follows:
(CN=Asset System,CN=Asset Management,CN=BusinessObjects,O=Symantec)
4.       Paste the following query:
(displayname=kanad\ngesx1vm01)
5.       Select the Subtree option and execute the query.
On query completion, a result is generated.
6.       Double-click the result. A Property dialog box opens.
7.       In the dialog box, copy the value that appears under the attribute "CN".
This value is the Asset GUID.
 
The following table lists the additional values that are present in the dialog box:

Value
    Description

CN
    cn: 72875e8c-9a57-4345-b2b1-edf36b60d98e

Asset GUID
    objectGUID: b02daf3b-44aa-4c03-a2d5-8b225dee196a;

ObjectClass
It means that this object is a Windows machine object. The object is derived from the Asset base.
    objectClass (4): top; symc-LeafNode; symc-csm-AssetSystem-Asset-AssetBase; symc-csm-AssetSystem-Asset-Wnt-Machine;

CIA values set on the asset
    symc-csm-AssetSystem-Asset-AssetBase-Availability: 0;
    symc-csm-AssetSystem-Asset-AssetBase-Confidentiality: 0;
    symc-csm-AssetSystem-Asset-AssetBase-Integrity: 0;

Compliance and risk scores
    symc-csm-AssetSystem-Asset-AssetBase-EvaluatedComplianceScores: SM:40.68;
    symc-csm-AssetSystem-Asset-AssetBase-EvaluatedRiskScores: SM:6.9;
    symc-csm-AssetSystem-Asset-AssetBase-MaxRiskScores: SM:10;

Site where this asset belongs
    symc-csm-AssetSystem-Asset-AssetBase-Site: CN=fbaba418-8062-4996-bb71-a89840571113,CN=Sites,CN=Asset Management,CN=BusinessObjects,O=Symantec;

Primary and mandatory attributes of the asset
    symc-csm-AssetSystem-Asset-Wnt-Machine-BDC: FALSE;
    symc-csm-AssetSystem-Asset-Wnt-Machine-DomainWorkgroupName: KANAD;
    symc-csm-AssetSystem-Asset-Wnt-Machine-HostMachineInDomain: TRUE;
    symc-csm-AssetSystem-Asset-Wnt-Machine-HostName: NGESX1VM01;
    symc-csm-AssetSystem-Asset-Wnt-Machine-HostNameDNS: ngesx1vm01.kanad.punetest.com;
    symc-csm-AssetSystem-Asset-Wnt-Machine-IISVERSION: Version 6.0;
    symc-csm-AssetSystem-Asset-Wnt-Machine-OSMajorVersionNumber: 5;
    symc-csm-AssetSystem-Asset-Wnt-Machine-OSMinorVersionNumber: 2;
    symc-csm-AssetSystem-Asset-Wnt-Machine-OSVersionType: Windows Enterprise Server 2003 with Terminal Services;
    symc-csm-AssetSystem-Asset-Wnt-Machine-PDC: FALSE;
    symc-csm-AssetSystem-Asset-Wnt-Machine-Server: TRUE;
    symc-csm-AssetSystem-Asset-Wnt-Machine-TCPIPAddresses: 10.216.134.102;
    symc-Node-TypeName: symc-csm-AssetSystem-Asset-Wnt-Machine;
 
To find the check result on a given standard and asset, do the following:
 
1.       Get the standard GUID by executing the following query:
Scope: CN=Predefined,CN=Standards,CN=BusinessObjects,O=Symantec
Search query: (displayname=CIS Windows Server 2003 Legacy Security Settings for Domain Member Servers v2.0)
 
The query output is as follows:
cn: dd1094a5-a123-4a35-b804-6545ec13ae76;
displayName: CIS Windows Server 2003 Legacy Security Settings for Domain Member Servers v2.0;
symc-Standard-Description: <p>The <b>Center for Internet Security (CIS)</b> publishes a configuration benchmark for Windows Server 2003 domain member servers that defines <b>Consensus Baseline Security Settings</b> for various operating system components. <b>CIS</b> considers these recommended configurations safe for administrators of any security skill level to implement.
<br/>
<p>The <b>CIS Windows Server 2003 Legacy Security Settings for Domain Member Servers v2.0</b> includes legacy recommendations for Windows Server 2003 systems that consists of four major categories:</p>
<ul>
<li>Additional Security Protection</li>
<li>Auditing and Account Policies</li>
<li>Microsoft Service Packs and Security Updates</li>
<li>Security Settings</li>
</ul>
To harden Windows Server 2003 security for domain member servers, networks should at a minimum comply with the legacy recommendations published by <b>CIS</b>.<br><br>
Technical Standard - CIS Windows Server 2003 Legacy for Domain Member Servers v2.0<br />Copyright &#169; 2008 Symantec Corporation. All Rights Reserved.;
symc-Standard-Overview: The CIS Windows Server 2003 Legacy Security Settings for Domain Member Servers v2.0 contains a set of baseline configuration parameters for Microsoft Windows Server 2003 systems.;
symc-Standard-References: <reference><name>The Center for Internet Security</name><url>http://www.cisecurity.org</url></reference>;
symc-Standard-TargetTypeIDs: 52a93b0b-e74f-41a0-8689-b80a0dd852a9;
symc-Standard-Version: 2.13.0;
 
2.       Get the check ID by executing the following query:
Scope: CN=Predefined,CN=Standards,CN=BusinessObjects,O=Symantec
Search query: (&(objectclass=symc-Check)(displayname=1.1.1 Latest Service Pack Installed?)(symc-Check-StandardID=DD1094A5-A123-4A35-B804-6545EC13AE76))
The query output is as follows:
dc1b23b3-83e2-4040-885a-52ee0e11fc4b
 
3.       Take the asset GUID, which is the objectID from ADAM, and the standard ID.
 
4.       On the production SQL database, execute the following query:
select * from dbo.R_AssetStandardSummary where assetID = 'b02daf3b-44aa-4c03-a2d5-8b225dee196a' and StandardID='DD1094A5-A123-4A35-B804-6545EC13AE76' order by entrydate desc
 
5.       Copy the check ID, standard ID, and targetID from the previous searches and run the following query on the production database:
select * from dbo.R_CheckResults where checkid ='dc1b23b3-83e2-4040-885a-52ee0e11fc4b' and StandardID='DD1094A5-A123-4A35-B804-6545EC13AE76' and targetid ='4464DA54-3B81-4F19-874C-82F6F10C12D0'
 
To find a check result on a given standard and asset from the reporting database, do the following:
 
1.       Connect to the CSM_Reports database and do the following:

To get the asset ID:
select * from Dashboard.vAsset where assetname = 'kanad\ngesx1vm01'

To get the standard ID:
select * from dbo.ivStandardName where StandardName = 'CIS Windows Server 2003 Legacy Security Settings for Domain Member Servers v2.0'

The query output is as follows:
DD1094A5-A123-4A35-B804-6545EC13AE76
 
2.       Get the check ID for the given check and standard name by executing the following query:
SELECT     dbo.ivCheckName.CheckName, dbo.ivStandardName.StandardName, dbo.vStandardChecks.CheckID
FROM         dbo.vStandardChecks INNER JOIN
                      dbo.ivCheckName ON dbo.vStandardChecks.CheckID = dbo.ivCheckName.CheckID INNER JOIN
                      dbo.ivStandardName ON dbo.vStandardChecks.StandardID = dbo.ivStandardName.StandardID
WHERE (dbo.ivCheckName.CheckName = '1.1.1 Latest Service Pack Installed?') AND
(dbo.ivStandardName.StandardName = 'CIS Windows Server 2003 Legacy Security Settings for Domain Member Servers v2.0')
 
3.       Get the result from the ivStandardCheckResult table by executing the following query:
select * from dbo.ivStandardCheckResult 
where standardid = 'DD1094A5-A123-4A35-B804-6545EC13AE76' AND
checkid = 'DC1B23B3-83E2-4040-885A-52EE0E11FC4B' AND
AssetID = 'B02DAF3B-44AA-4C03-A2D5-8B225DEE196A' AND
isCurrentValue = 1
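
The three reporting-database steps above can be collapsed into one statement, so that no GUID has to be copied by hand between queries. This is an added example, not part of the original article; it assumes that Dashboard.vAsset exposes the asset identifier in a column named AssetID, and takes every other view and column name from the queries above.

```sql
-- Added example: current result of one check, on one standard, for one asset,
-- resolved by name in the reporting database.
-- Assumption: Dashboard.vAsset has a column named AssetID (not shown in the article).
USE CSM_Reports;

DECLARE @AssetName    nvarchar(256);
DECLARE @StandardName nvarchar(512);
DECLARE @CheckName    nvarchar(512);

-- Sample values taken from the article's own queries.
SET @AssetName    = N'kanad\ngesx1vm01';
SET @StandardName = N'CIS Windows Server 2003 Legacy Security Settings for Domain Member Servers v2.0';
SET @CheckName    = N'1.1.1 Latest Service Pack Installed?';

SELECT  a.assetname,
        s.StandardName,
        c.CheckName,
        r.*
FROM    dbo.ivStandardCheckResult AS r
        -- Restrict to checks that really belong to the standard (step 2).
        INNER JOIN dbo.vStandardChecks AS sc
                ON sc.StandardID = r.standardid
               AND sc.CheckID    = r.checkid
        INNER JOIN dbo.ivStandardName AS s
                ON s.StandardID = sc.StandardID
        INNER JOIN dbo.ivCheckName AS c
                ON c.CheckID = sc.CheckID
        -- Resolve the asset by name instead of pasting its GUID (step 1).
        INNER JOIN Dashboard.vAsset AS a
                ON a.AssetID = r.AssetID
WHERE   a.assetname      = @AssetName
  AND   s.StandardName   = @StandardName
  AND   c.CheckName      = @CheckName
  AND   r.isCurrentValue = 1;   -- latest evaluation only (step 3)
```

If the statement returns no rows, remove the isCurrentValue predicate to see whether older results exist for the same asset, standard, and check.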
 
When the sync job triggers, the extraction process creates XML fragments that get stored in the following shunted* tables:

ShuntedResultSTR
    Contains temporary XML fragments for assets, checks, and results data.
ShuntedResultSTRD
    Contains temporary XML fragments of assets, checks, and results details data.
ShuntedResultSTRE
    Contains temporary XML fragments of evidence data.
ShuntedXMLEntity
    Contains standards, checks, assets, and objects against which evaluations can be performed.
ShuntedXMLRelationship
    Contains temporary XML fragments of relationships between entities, such as asset to asset group, asset to container, and so on.
 
select count(1) from dbo.ShuntedResultSTR
select count(1) from dbo.ShuntedResultSTRD
select count(1) from dbo.ShuntedResultSTRE
select count(1) from dbo.ShuntedXMLEntity
select count(1) from dbo.ShuntedXMLRelationship
 
 
select count(1) from dbo.HierarchyRelationshipBuffer
 
All sync errors are logged in the ImportError table:
select * from dbo.ImportError order by Execdt desc
 
Logs
select * from dbo.LoadBatchLog order by eventdt desc
 

 

F14F2032-AE57-4B93-A769-31422A792FBD    NULL    NULL    Start    2012-02-02 15:08:26.980
    (Many log entries for a sync operation reside between these two lines.)
F14F2032-AE57-4B93-A769-31422A792FBD    NULL    NULL    end      2012-02-02 15:11:28.740
 
This is an example where we have used a CSV file for MBSA (Microsoft Baseline Security Analyzer).
 

 

In the production database (CSM_DB)

After you have configured a connector, run the following queries:
select * from dbo.ThirdPartySystem
select * from DataIntegration.ConnectorConfiguration

You will notice that with 10.5.1 out of the box, the following EDI systems are registered:
  • CCS Response Assessment Module
  • CCS Vulnerability Manager
  • Data Loss Prevention
On configuring MBSA, an entry is created in the ThirdPartySystem table and a corresponding configuration is created in the DataIntegration.ConnectorConfiguration table.

In the reporting database (CSM_Reports)

On executing the following queries, you get the definitions of the data system schemas and the UDM representation of the incoming data:
select * from dbo.Source
select * from dbo.SourceEntity
select * from dbo.SourceEntityAttribute where UDMEntityName = 'MBSAschemaSubject'
OR UDMEntityName = 'MBSAschemaTest'
 
After the data is imported, data is populated in the following tables and dynamic views:
 
Tables:
select * from dbo.ExtendedResultsMBSAschemaSubjectMBSAschemaTest
select * from dbo.ExtendedEntityMBSAschemaSubject
select * from dbo.ExtendedEntityMBSAschemaTest
 
Dynamic views:
DynamicViewMBSAschema
DynamicViewMBSAschemaSubject
DynamicViewMBSAschemaTest
 

CSV File Sample

Attachments

mbsa-all-data.csv