The Splunk Fleet Compliance Dashboards are broken down into three separate dashboards:

Fleet Compliance: Longitudinal

Enter one or more UT Dept Codes, or one of the pre-built Portfolios presented when you click the box in the upper left corner of the dashboard (see Portfolios below for the UT Dept Codes in each Portfolio). Select the desired Reporting Date Range and select 'Submit'. Each line in the graph is the percentage of systems that are compliant with one of the compliance criteria listed on the right side of the graph. See Compliance Criteria Definitions below for the definition of each metric and the rule used to determine compliance.

Note that the compliance criteria are based primarily on information provided by LANrev: a system without an active LANrev agent has no record to evaluate, so it reports "Unknown" for those metrics rather than compliant or non-compliant.

Selecting any point on any of the lines takes you to the more detailed Fleet Compliance: Drilldown by Date dashboard for the selected units and/or Portfolios on that date.

Fleet Compliance: Drilldown by Date

Enter one or more UT Dept Codes, or one of the pre-built Portfolios presented when you click the box in the upper left corner of the dashboard (see Portfolios below for the UT Dept Codes in each Portfolio). Select the desired Reporting Date and select 'Submit'. A pie chart is provided for each of the compliance criteria. See Compliance Criteria Definitions below for the definition of each metric and the rule used to determine compliance.

Below the pie charts is a table of the systems included in them. The table can be sorted on any column by selecting the column name, and exported by hovering over the bottom right corner of the table and selecting 'Export'.

Fleet Compliance: Individual

This dashboard is intended for regular use by Desktop Support staff to identify factors that can be remediated immediately (such as binding the system to the Austin Active Directory domain, investigating CiscoAMP detections, or kickstarting Crashplan backups) and factors that should be referred for later remediation (such as operating system upgrades or encryption).

Enter a 6-digit UT Tag in the box at the upper left corner and press Enter. The dashboard shows the compliance criteria for that system in detail, along with the system's CLAIM and LANrev records and its currently installed software (from the limited set of applications that are patched via LANrev patch enrollment).

Portfolios

The Portfolios are composed of the following unit codes:

Access

Access to the Splunk Fleet Compliance Dashboards is controlled by the Active Directory security group ATS-Splunk-FleetDashboard.

Data Sources

The three Compliance Dashboards all rely on datasets that are built nightly from the following data sources, joined on the following keys:

  • All entries in CLAIM (the asset and inventory database managed by ATS, which is updated both manually and automatically with feeds from *DEFINE and the ATS-managed LANrev service) that meet the following criteria:
    • Assigned Unit field is populated with a 4 or 7 digit UT Dept Code
    • Type field is in the list "Faculty Computer, Staff Computer, Research Labs"
    • Status field is in the list "Active/In-Use, Loaner"
  • Additional data is pulled from the ATS-managed LANrev server and matched on the Serial Number field
  • Data is pulled from the UTBackup API and matched on the Computer Name of the system
  • Data is pulled from the CiscoAMP console and matched on the Computer Name of the system

Because the UTBackup and CiscoAMP joins key on Computer Name rather than Serial Number, a system that has been renamed since its last backup or AMP check-in will not match its record, and two systems sharing a name cannot be told apart in those two sources.

Compliance Criteria Definitions

All three dashboards use the following metrics. For each metric, the entry below gives its definition, the decision rule, the script that produces the underlying field, and the Splunk logic that implements the rule.

Metric: Non-Admin Users
Definition: Is the currently logged-in user a non-admin (or equivalent) on the system?
Technical details:
  IF in LANrev
    IF Current User Is Admin (UserisAdmin) = "1", then return "No"
    ELSE return "Yes"
  ELSE return "Unknown"
Source: generated by script on scripts.shared.utexas.edu at /home/bwh268/heatnewreverse.php
Splunk logic: eval customUserIsAdmin=if(CurrentUserIsAdmin==1,"No","Yes")
Note: unlike the rule above, this eval has no "Unknown" branch. A row with no CurrentUserIsAdmin value does not satisfy the comparison and takes the ELSE branch, so it is reported as "Yes" (non-admin) rather than "Unknown".

Metric: Firewall Enabled
Definition: Is the OS-provided firewall enabled on the system?
Technical details:
  IF in LANrev
    IF Firewall Enabled (FirewallEnabled) = "1", then return "Yes"
    ELSE return "No"
  ELSE return "Unknown"
Source: generated by script on scripts.shared.utexas.edu at /home/bwh268/heatnewreverse.php
Splunk logic: eval customFirewallEnabled = if(FirewallEnabled==1,"Yes","No")
Note: as with Non-Admin Users, this eval has no "Unknown" branch; a row with no FirewallEnabled value takes the ELSE branch and is reported as "No".

Metric: Domain Users
Definition: Does the currently logged-in user have an OU Path in AAD?
Technical details:
  IF in LANrev
    IF AD User Organizational Unit Path (AD_UserOUPath) is "", then return "Local"
    ELSE return "Domain"
  ELSE return "Unknown"
Source: generated by script on scripts.shared.utexas.edu at /home/bwh268/heatnewreverse.php
Splunk logic: eval customLocalUser=case(ComputerInLanREV = "No", "Unknown", if(AD_UserOUPath != "","Domain","Local"))

Metric: Encrypted Systems
Definition: Is the system encrypted by one of the approved encryption methods?
Technical details:
  IF in LANrev
    IF Disk Encryption Status (DiskEncryptionStatus) matches "%fully encrypted%", then return "Yes"
    ELSE return "No"
  ELSE return "Unknown"
Source: generated by script on scripts.shared.utexas.edu at /home/bwh268/heatnewreverse.php
Splunk logic: eval encryptionCompliant = case(ComputerInLanREV = "No", "Unknown", DiskEncryptionStatus LIKE "%fully encrypted%","Yes", DiskEncryptionStatus LIKE "%", "No", 1=1, "No")
Note: the last two case branches both return "No", so any status other than "fully encrypted" (including a partially encrypted or missing status) on a system that is in LANrev is counted as not encrypted.

Metric: Recently Seen Systems
Definition: Does the system have a "Last Modified" date in LANrev that is less than 30 days old?
Technical details:
  IF in LANrev
    IF days since Last Modified (last_modified) < 30, then return "Yes"
    ELSE return "No"
  ELSE return "Unknown"
Source: generated by script on scripts.shared.utexas.edu at /home/bwh268/heatnewreverse.php
Splunk logic: count(eval(dayssince<30)) AS "Recently Seen Systems"
Note: this is the stats clause that counts the compliant systems; dayssince is the number of days between the report date and the LANrev last_modified date.

Metric: Compliant Operating System
Definition: Does the operating system match one of the compliant versions supported by ATS?
Technical details:
  IF in LANrev
    IF OS Version (ComputerOSVersion) matches "macOS 10.12%", "OS X 10.11%", "OS X 10.10%", "OS X 10.9%", "Windows 8.1%", "Windows 10%", or "Windows 7%", then return "Yes"
    ELSE return "No"
  ELSE return "Unknown"
Source: generated by script on scripts.shared.utexas.edu at /home/bwh268/heatnewreverse.php
Splunk logic: eval operatingSystemCompliant = case(ComputerOSVersion LIKE "macOS 10.12%", "Yes", ComputerOSVersion LIKE "OS X 10.11%", "Yes", ComputerOSVersion LIKE "OS X 10.10%", "Yes", ComputerOSVersion LIKE "OS X 10.9%", "Yes", ComputerOSVersion LIKE "Windows 8.1%", "Yes", ComputerOSVersion LIKE "Windows 10%", "Yes", ComputerOSVersion LIKE "Windows 7%", "Yes", ComputerOSVersion LIKE "%", "No")
Note: the list of compliant versions is maintained by hand (see Dataset Generation below); a newly released OS version is reported as "No" until the list is updated. This eval also has no "Unknown" branch and no default, so a row with no ComputerOSVersion value matches none of the branches and receives no operatingSystemCompliant value at all.

Metric: Security Settings
Definition: Does the system receive security policies (i.e., University Warning Banner, 15 minute screensaver, disable file sharing, etc.)?
Technical details:
  IF in LANrev
    IF OS Platform (ComputerOSPlatform) matches "macOS"
      IF Exceptions matches "NONE", then return "Yes"
      ELSE IF Exceptions is not "NONE" and is not NULL, then return "YesWithExceptions"
      ELSE return "No"
    IF OS Platform (ComputerOSPlatform) matches "Windows%"
      IF AD Computer Organizational Unit Path (CSV Name for AD Path) matches "austin.utexas.edu\Departments\ITSM\%" or "austin.utexas.edu\Departments\ITS\ITS Departments\%", then return "Yes"
      ELSE return "No"
  ELSE return "Unknown"

Metric: OS and Application Patch Management
Definition: Does the system receive OS version and application patches?
Technical details:
  IF in LANrev
    IF OS Platform (ComputerOSPlatform) matches "macOS"
      IF Patch Enrollment (CSV Name for Patch Enrollment) equals "Yes", then return "Yes"
      ELSE return "No"
    IF OS Platform (ComputerOSPlatform) matches "Windows%"
      IF AD Computer Organizational Unit Path (CSV Name for AD Path) matches "austin.utexas.edu\Departments\ITSM\%" or "austin.utexas.edu\Departments\ITS\ITS Departments\%", then return "Yes"
      ELSE return "No"
  ELSE return "Unknown"

Metric: Recent Backup Activity
Definition: Has the system completed a backup in UTBackup in the last 42 days?
Technical details:
  IF ComputerName EXISTS in Crashplan
    IF crashplanDaysSinceActivity < 15, return "0-14 Days"
    IF crashplanDaysSinceActivity > 14 AND < 29, return "15-28 Days"
    IF crashplanDaysSinceActivity > 28 AND < 42, return "29-41 Days"
    ELSE return "42+ Days"
  ELSE return "Unknown"
Source: generated by script on scripts.shared.utexas.edu at /home/bwh268/utbackup.php
Splunk logic: eval crashplanDaysSinceActivity= if(lastActivity!="NULL",round((_time - newtime)/86000),9999) |  eval crashplanRecentActivity= case( crashplanDaysSinceActivity < 15, "0-14 Days", (crashplanDaysSinceActivity > 14 AND crashplanDaysSinceActivity<29), "15-28 Days", (crashplanDaysSinceActivity>28 AND crashplanDaysSinceActivity<42) , "29-41 Days", 1=1, "42+ Days")
Note: the divisor 86000 is not a full day (86400 seconds), so the day count runs about 0.5% high and a system crosses each bucket boundary slightly early. A system that is in Crashplan but whose lastActivity is "NULL" is assigned 9999 days and lands in "42+ Days", not "Unknown"; "Unknown" is only for systems with no Crashplan record at all.

Metric: ciscoAMP Installed
Definition: Is any version of the ciscoAMP or FireAMP anti-virus program installed?
Technical details:
  IF in LANrev
    IF installedSoftwareName matches "Cisco AMP for Endpoints*" OR "FireAMP Connector" OR "com.sourcefire.amp.agent", then return "Yes"
    ELSE return "No"
  ELSE return "Unknown"
Splunk logic: (installedSoftwareName="Cisco AMP for Endpoints*" OR installedSoftwareName="FireAMP Connector" OR installedSoftwareName="com.sourcefire.amp.agent")
Note: this is a search-time filter rather than an eval; the "*" is a search wildcard, so any product name beginning with "Cisco AMP for Endpoints" matches.
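The rules above are spread over several evals, a stats clause and a search filter, which makes it hard to see the whole decision table at once or to check what happens to a system that is missing from LANrev. The following is an added example, not the page's own Splunk searches or PHP scripts: it re-implements every metric in Python over a constructed CSV export so each branch, including the "Unknown" branch that some of the deployed evals skip, can be exercised offline. Field names follow the page; AD_ComputerOUPath and PatchEnrollment are assumed column names (the page only says "CSV Name for AD Path" and "CSV Name for Patch Enrollment"), installedSoftwareName is assumed to be a semicolon-joined list, and the four sample rows are made up, not real systems.

```python
"""Fleet Compliance metric rules re-implemented in Python (added example, not the
page's own Splunk/PHP). Mirrors the IF/ELSE rules so every branch runs offline.
Assumed: column names AD_ComputerOUPath and PatchEnrollment, a ';'-joined
installedSoftwareName, and the constructed SAMPLE_CSV rows below."""
import csv
import io
import re
from collections import Counter

APPROVED_OS = ("macOS 10.12%", "OS X 10.11%", "OS X 10.10%", "OS X 10.9%",
               "Windows 8.1%", "Windows 10%", "Windows 7%")
MANAGED_OUS = (r"austin.utexas.edu\Departments\ITSM\%",
               r"austin.utexas.edu\Departments\ITS\ITS Departments\%")
AMP_NAMES = ("Cisco AMP for Endpoints*", "FireAMP Connector", "com.sourcefire.amp.agent")
SECONDS_PER_DAY = 86400  # a full day; the deployed Crashplan search divides by 86000


def like(value, pattern):
    """SPL LIKE: '%' (and the search wildcard '*') match any run of characters."""
    regex = ".*".join(re.escape(part) for part in re.split(r"[%*]", pattern))
    return re.fullmatch(regex, value or "") is not None


def platform_rule(row, mac_rule):
    """Shared shape of Security Settings and Patch Management: macOS has its own
    test; Windows passes only when the computer object sits in a managed OU."""
    platform = row.get("ComputerOSPlatform", "")
    if platform == "macOS":
        return mac_rule(row)
    if like(platform, "Windows%"):
        return "Yes" if any(like(row.get("AD_ComputerOUPath"), p) for p in MANAGED_OUS) else "No"
    return "No"


def mac_security(row):
    exc = row.get("Exceptions")  # "NONE" -> Yes; other text -> YesWithExceptions; empty -> No
    return "Yes" if exc == "NONE" else ("YesWithExceptions" if exc else "No")


RULES = {  # metric -> rule for a row that IS in LANrev; classify() adds the "Unknown" branch
    "Non-Admin Users": lambda r: "No" if r.get("CurrentUserIsAdmin") == "1" else "Yes",
    "Firewall Enabled": lambda r: "Yes" if r.get("FirewallEnabled") == "1" else "No",
    "Domain Users": lambda r: "Domain" if r.get("AD_UserOUPath") else "Local",
    "Encrypted Systems": lambda r: "Yes" if like(r.get("DiskEncryptionStatus"), "%fully encrypted%") else "No",
    "Recently Seen Systems": lambda r: "Yes" if int(r["dayssince"]) < 30 else "No",
    "Compliant Operating System": lambda r: "Yes" if any(like(r.get("ComputerOSVersion"), p) for p in APPROVED_OS) else "No",
    "Security Settings": lambda r: platform_rule(r, mac_security),
    "OS and Application Patch Management": lambda r: platform_rule(r, lambda m: "Yes" if m.get("PatchEnrollment") == "Yes" else "No"),
    "ciscoAMP Installed": lambda r: "Yes" if any(like(n, p) for n in r.get("installedSoftwareName", "").split(";") for p in AMP_NAMES) else "No",
}


def classify(row):
    """Apply every rule; a system with no LANrev record is 'Unknown' for all of them."""
    if row.get("ComputerInLanREV") != "Yes":
        return dict.fromkeys(RULES, "Unknown")
    return {name: rule(row) for name, rule in RULES.items()}


def backup_bucket(now, last_activity):
    """Crashplan activity-age bucket (epoch seconds); None means no UTBackup record."""
    if last_activity is None:
        return "Unknown"
    days = round((now - last_activity) / SECONDS_PER_DAY)
    if days < 15:
        return "0-14 Days"
    if days < 29:
        return "15-28 Days"
    return "29-41 Days" if days < 42 else "42+ Days"


def compliance_percent(rows, metric, good=("Yes", "Domain"), include_unknown=True):
    """One point on the Longitudinal graph. The page does not say whether 'Unknown'
    systems stay in the denominator; include_unknown=True keeps them (conservative)."""
    values = Counter(classify(r)[metric] for r in rows)
    total = sum(values.values()) - (0 if include_unknown else values["Unknown"])
    return round(100.0 * sum(values[g] for g in good) / total, 1) if total else 0.0


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample export (placeholder tags, not real systems).
SAMPLE_CSV = r"""UTTag,ComputerInLanREV,CurrentUserIsAdmin,FirewallEnabled,AD_UserOUPath,DiskEncryptionStatus,dayssince,ComputerOSVersion,ComputerOSPlatform,Exceptions,AD_ComputerOUPath,PatchEnrollment,installedSoftwareName
100001,Yes,0,1,austin.utexas.edu\Users\ITS,FileVault 2 fully encrypted,3,macOS 10.12.6,macOS,NONE,,Yes,Cisco AMP for Endpoints Connector;Google Chrome
100002,Yes,1,0,,Not encrypted,45,Windows 10 Enterprise,Windows,,austin.utexas.edu\Departments\ITSM\Workstations,,FireAMP Connector
100003,No,,,,,,,,,,,
100004,Yes,0,1,austin.utexas.edu\Users\ITS,FileVault 2 fully encrypted,12,OS X 10.11.6,macOS,15 minute screensaver,,No,Google Chrome
"""

if __name__ == "__main__":
    for row in load_rows(SAMPLE_CSV):
        print(row["UTTag"], classify(row))
```

Row 100003 has no LANrev record and comes back "Unknown" for every metric, which is the behaviour the pseudocode specifies; the deployed Non-Admin Users, Firewall Enabled and Compliant Operating System evals do not do this, so a fleet with many agentless systems will look better on those lines than it is. compliance_percent exposes the other silent choice, whether "Unknown" systems count in the denominator; compare it with include_unknown set both ways before reading a trend off the Longitudinal graph.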

Dataset Generation - Technical Process

The Fleet Compliance: Longitudinal and Fleet Compliance: Drilldown by Date dashboards pull data from the "csv-compliance2" sourcetype. This is a custom sourcetype whose CSV source data is produced nightly by the report WeeklyComplianceRept - LanREV Devices. The report is scheduled to run nightly at 19:00 and exports its results to a CSV file on the Splunk search head; Splunk automatically imports that CSV once it is created.

The WeeklyComplianceRept - LanREV Devices report combines data from multiple sources. That data is generated nightly by scripts stored in /home/bwh268 on scripts.shared.utexas.edu and is shipped to Splunk on creation. The report must be updated by hand when new OS versions are released; until it is, the Compliant Operating System metric reports the new version as non-compliant.

The Fleet Compliance: Individual dashboard uses data from multiple sourcetypes and sources, plus on-demand data from CLAIM. Those sourcetypes and sources are fed by the same scripts that feed the WeeklyComplianceRept - LanREV Devices report. The CLAIM data is a database lookup configured through the DB Connect v2 app on the Splunk search head, which queries the CLAIM database directly by UT Tag.
