Understanding what the correct baseline configuration is for your IT system components is a keystone of security best practice. Compliance mandates, in particular, NERC CIP, require baselines of installed software, updates, and open ports to be captured and reported against.
Determining the optimum configuration state for an IT device will comprise both its:
Functional Requirements (Which applications does this system support? Which software packages does it need? What does the filesystem structure look like? What are the configuration settings needed for it to deliver its services?)
Security Posture (What is the hardened build for this system? What are the minimum services, ports, and functions required, and what can we disable as a result? What are the configuration settings needed to mitigate vulnerabilities known to affect this device?)
Change Tracker Gen 7 automates both functions using built-in templates and audit reports, combined with an intelligent discovery process to assign these to devices.
Each device resides within a group, and each group has a range of Device Configuration Templates and Scheduled Reports (see the previous Top Tip ‘Functional Specific Group – Inherited Monitoring and Reporting Templates’).
The Compliance Report conveys one definition of a baseline. We typically use CIS Benchmark reports to assess whether a device complies with their Secure Configuration best practice, so the report itself encapsulates what the ideal configuration looks like from a security point of view and scores the device against this. In other words, the baseline defined in the Compliance Report is pre-defined and ‘hard wired’ (although any rules and settings within the report can be edited or added to fit your own hardened build standard – talk to [email protected] for guidance).
By contrast, the Device Configuration Template establishes a baseline dynamically by taking a snapshot of the device configuration when enabled. This baseline can comprise any mixture of file attributes/file hash values, Windows registry, and security policy settings, installed software and updates, service and process lists, config file contents, user accounts and open port lists.
For direct host monitoring where an agent is being used, this baseline of initial states is held locally by the NNT Agent and is used to evaluate and report changes as they occur. For agentless monitoring, the baselines are held by the NNT Proxy Agent. In both instances, storing the baseline local to the monitoring agent distributes processing and storage resources and maximizes performance by performing differencing locally. In the case of the direct host monitoring agent, this also allows Live Tracking of changes for real-time detection.
This means that the baseline in this scenario is a point-in-time starting state for a device, with any drift over time recorded step-by-step as a sequence of change events.
New Baseline Reports – Centralized collation of Baseline states
With Change Tracker Gen7 and the new Gen 7 Agent, a third baseline perspective is now available, providing a hybrid of the two baseline options described previously.
Now any device being monitored can have its current configured state captured and used to dynamically generate a Baseline Report. The Baseline Report is of huge value because it:
- Can be used as a ‘hard copy’ record of a device baseline state
- Can be used as a ‘Gold Standard’ baseline from which any configuration drift over time for the device can be exposed
- Can be used to determine configuration differences between a ‘Gold Standard’ device and other similar devices
Any tracker or trackers specified in a Device Configuration Template can be enabled to issue Baseline Events. Just check the ‘Send Baseline Events’ box, as shown below.
Once enabled, this will allow a Baseline Report to be generated for the device for any tracker or mixture of trackers.
Running a Baseline Report
Using Baseline Reports is then a simple case of running the report either Ad Hoc or Scheduled just like any other Compliance Report with results sortable by Pass/Fail as usual.
And you can use the Compare Results function to see exactly what has changed from one report result to another.
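To make concrete what the snapshot baseline, the drift-as-change-events model and the Compare Results function described above amount to, here is an added example (not Change Tracker code, and not NNT's own format) that baselines the same kinds of state the templates track (file hashes, installed software, open ports), diffs a later snapshot against a ‘Gold Standard’ one and sorts each tracker into Pass/Fail. The snapshot layout and the sample device data are constructed for illustration.

```python
import hashlib
import json
from pathlib import Path

# Assumed snapshot shape, one dict per tracker (constructed, not NNT's format):
#   {"files": {path: sha256}, "packages": {name: version}, "ports": {"tcp/22": "sshd"}}

def hash_files(paths):
    """Record SHA-256 of each file so content changes surface even when size/mtime do not."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}

def diff_baselines(gold, current):
    """Compare a 'Gold Standard' snapshot with a later snapshot of the same device,
    or with a snapshot of a similar device, emitting one change event per drifted item."""
    events = []
    for tracker in sorted(set(gold) | set(current)):
        before, after = gold.get(tracker, {}), current.get(tracker, {})
        for key in sorted(set(before) | set(after)):
            if key not in after:
                events.append({"tracker": tracker, "item": key, "change": "removed", "old": before[key]})
            elif key not in before:
                events.append({"tracker": tracker, "item": key, "change": "added", "new": after[key]})
            elif before[key] != after[key]:
                events.append({"tracker": tracker, "item": key, "change": "modified",
                               "old": before[key], "new": after[key]})
    return events

def compliance(gold, current):
    """Pass/Fail per tracker, the way a Baseline Report result is sorted."""
    failed = {e["tracker"] for e in diff_baselines(gold, current)}
    return {t: ("Fail" if t in failed else "Pass") for t in gold}

# Constructed sample snapshots (not real device data).
GOLD = {
    "packages": {"openssh-server": "8.9p1", "sudo": "1.9.9"},
    "ports": {"tcp/22": "sshd"},
    "files": {"/etc/ssh/sshd_config": "a" * 64},
}
DRIFTED = {
    "packages": {"openssh-server": "8.9p1", "sudo": "1.9.9", "telnetd": "0.17"},
    "ports": {"tcp/22": "sshd", "tcp/23": "telnetd"},
    "files": {"/etc/ssh/sshd_config": "b" * 64},
}

if __name__ == "__main__":
    # Three change events: a modified config file, an added package, an added open port.
    print(json.dumps(diff_baselines(GOLD, DRIFTED), indent=2))
    print(compliance(GOLD, DRIFTED))
```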