Configure the Scanner

Follow the steps to configure the scanner for inventory.
Modify Windows Firewall Settings
Modify firewall settings on FDCC-compliant Windows XP and Windows 7 computers to ensure that CA Client Automation functions properly.
Follow these steps:
  1. Click Start, Run, and provide gpedit.msc at the Run prompt.
  2. In the Local Group Policy Editor window, locate the policies under the Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, and Standard Profile path.
  3. Change the Windows Firewall: Do not allow exceptions policy setting to Disabled.
    • Change the Windows Firewall: Allow local port exceptions policy setting to Enabled. Add the following ports to the exception ports on the firewall:
      • TCP port 4105
      • UDP port 4104
      • TCP port 4728
    The internal communication mechanisms use the ports that are described here. Unless these ports are accessible, CA Client Automation cannot operate. Without access, Agents are unable to contact their manager or report inventory or status. Also, control messages cannot be passed from the Manager to the Agent. Communication over these ports is securely encrypted and managed by CA Client Automation.
Configure the Collection of Test Result Files
Typically, the FDCC inventory detection modules do not require any configuration, other than the configuration to collect test result files. The XCCDF and OVAL test result files are stored in a sub-directory under the working directory of CA Asset Management Agent. To collect these files after the scan and store the files centrally in the Domain Manager, configure the DCS inventory detection modules to enable the automatic collection of the result files.
To configure other parameters in the inventory detection module, see the description of each parameter in the section.
To configure the collection of test result files
  1. Navigate to Control Panel, Configuration, and Inventory Detection Modules.
    The new DCS inventory detection modules appear with the other inventory detection modules.
  2. Double-click the inventory detection module that you want to configure.
    The Properties for Module Name dialog appears.
  3. Click the Launch button on the Configuration tab.
    The SCAP Configuration dialog appears with the default configuration.
  4. Select the following check boxes in the General tab:
    • Collect XCCDF Result File
    • Collect OVAL Result Files
    The OVAL test result files are often around 10 MB. If you do not have specific reasons for storing the files on the Domain Manager, you can collect only the XCCDF result files.
  5. Click OK.
    When the collect task runs again, the Engine collects the test result files and stores them on the Domain Manager.
The result files are signed with a digital signature to prevent data tampering between the Agent and the Manager. If the Manager is unable to verify the signature, an event is raised and logged in the default event log.
 
Modify the Result File Location
When you configure the collection of SCAP result files from the Agent, the result files are stored under the ITCM_installpath\SCAP_Result_Files directory in the Domain Manager. If necessary, you can modify the result file location.
To modify the result file location, change the configuration policy setting SCAP Result File Location under Default Computer Policy, DSM, Manager, and Asset Management. When the collect task runs next time, the Engine collects the test result files and stores them in the specified directory.
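Once XCCDF result files are collected on the Domain Manager, a short script can tally rule outcomes for each scanned computer. The following is an added example, not CA Client Automation code; it assumes standard XCCDF result markup (TestResult, rule-result, result), and the sample document, target name, and rule ids are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: minimal XCCDF 1.1 result markup; target and rule ids are invented.
SAMPLE_RESULT = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="fdcc-ie-7">
  <TestResult id="constructed-result-1">
    <target>WKSTN-EXAMPLE</target>
    <rule-result idref="example_rule_a"><result>pass</result></rule-result>
    <rule-result idref="example_rule_b"><result>fail</result></rule-result>
    <rule-result idref="example_rule_c"><result>notapplicable</result></rule-result>
    <rule-result idref="example_rule_d"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""


def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files are handled alike."""
    return tag.rsplit("}", 1)[-1]


def summarize_xccdf(xml_text):
    """Return target name, per-outcome counts and failed rule ids for one result file."""
    # Result files hold plain elements; refuse DTDs so entity expansion is never parsed.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(xml_text)
    test_result = next((e for e in root.iter() if local(e.tag) == "TestResult"), None)
    if test_result is None:
        raise ValueError("no TestResult element")
    summary = {"target": None, "counts": Counter(), "failed": []}
    for child in test_result:
        name = local(child.tag)
        if name == "target":
            summary["target"] = (child.text or "").strip()
        elif name == "rule-result":
            outcome = next(((c.text or "").strip() for c in child
                            if local(c.tag) == "result"), "unknown")
            summary["counts"][outcome] += 1
            if outcome == "fail":
                summary["failed"].append(child.get("idref"))
    return summary


if __name__ == "__main__":
    print(summarize_xccdf(SAMPLE_RESULT))
```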
Configure Hardware Inventory Collect Tasks to Collect DCS Inventory
To schedule the FDCC checklist scan and collect the test results, configure a hardware inventory collect task.
If you have multiple hardware inventory collect tasks, decide whether you want to schedule the checklist scan on all of them or only on a selected few. For example, if you have grouped all your Windows Vista computers and created a specific collect task for the group, you can configure the collect task for WinVista, VistaFirewall, and IE7 checklists. However, even if you configure the checklists on all computers, the scanner scans only those computers that meet the OS requirement.
To configure the hardware inventory collect task
  1. In the DSM Explorer, navigate to Control Panel, Configuration, Collect Tasks, and Hardware Inventory.
    The existing hardware inventory collect tasks appear.
  2. Right-click the collect task that you want to configure and select Properties.
    The Properties for Collect Task Name dialog appears.
  3. Click the Detection Modules tab. Select the DCS inventory detection modules, and click OK.
    The changes are saved. When the collect task runs next time, the scan results for the configured checklists are collected.
(Optional) Create Inventory Detection Modules for SCAP Inventory
CA Client Automation automatically creates inventory detection modules for all the FDCC checklists that are placed under the SCAP_Checklists folder. When you copy a new version of an existing checklist to a new folder under the SCAP_Checklists folder, the existing inventory detection module for the checklist is updated with the information from the latest version. In rare circumstances, you might use different versions of a checklist for scanning. In this case, manually create inventory detection modules for the versions that are not currently configured for use. For example, if an inventory detection module is configured to always scan the highest version, you can create inventory detection modules for any older checklist version.
To create inventory detection modules
  1. In the DSM Explorer, navigate to Control Panel, Configuration, Collection Modules, and Inventory Detection Modules.
    The existing detection modules appear in the right pane.
  2. Right-click the Inventory Detection Modules folder and click New from the Context menu.
    The Create New Inventory Module dialog appears.
  3. In the General tab, specify the inventory module name. Specify a name that represents the checklist name.
  4. In the Configuration tab, specify the configuration for SCAP inventory detection. The sample configuration for FDCC IE7 checklist is as follows:
    [SCAP]
    SCAPPath=FDCC-Major-Version-1.2.1.0\ie7
    XCCDFFile=fdcc-ie7-xccdf.xml
    XCCDFID=fdcc-ie-7
    XCCDFVersion=v1.2.1.0
    XCCDFVersionOptions=v1.2.1.0
    Profileoptions=`v1.2.1.0;Federal Desktop Core Configuration version 1.2.1.0;
    CPEDictionary=fdcc-ie7-cpe-dictionary.xml
    CollectXCCDFResultFile=false
    CollectOVALResultFiles=false
    OvaldiPath=ovaldi-ca
    InvComponent=$SCAP$FDCC IE7
  5. In the Platforms tab, select Windows 32 bit, click Win32 generic, and then provide amiscap.exe in the text field next to the option button.
  6. Click OK.
    The inventory detection module for the configured checklist is created and appears under the Inventory Detection Modules folder. Configure one or more hardware inventory collect tasks to include the new inventory detection modules.
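A lint for a manually written module configuration like the FDCC IE7 sample above, added here as an example and not part of CA Client Automation: it flags missing keys, a checklist folder version that disagrees with XCCDFVersion, and collection flags left at false. Assumptions: the keys set in the page's sample are treated as required, the folder name in SCAPPath carries the checklist version, and the XCCDFVersionOptions and Profileoptions lines are left out of the constructed input.

```python
import configparser
import re

# Constructed sample: the page's FDCC IE7 values, one key per line,
# with both collection flags false as in the page's sample.
SAMPLE = r"""
[SCAP]
SCAPPath=FDCC-Major-Version-1.2.1.0\ie7
XCCDFFile=fdcc-ie7-xccdf.xml
XCCDFID=fdcc-ie-7
XCCDFVersion=v1.2.1.0
CPEDictionary=fdcc-ie7-cpe-dictionary.xml
CollectXCCDFResultFile=false
CollectOVALResultFiles=false
OvaldiPath=ovaldi-ca
InvComponent=$SCAP$FDCC IE7
"""

# Assumption: treated as required only because the page's sample sets them.
REQUIRED = ("SCAPPath", "XCCDFFile", "XCCDFID", "XCCDFVersion",
            "CPEDictionary", "OvaldiPath", "InvComponent")
COLLECT_FLAGS = ("CollectXCCDFResultFile", "CollectOVALResultFiles")


def lint_scap_config(text):
    """Return a list of findings for one module configuration."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    if not cp.has_section("SCAP"):
        return ["missing [SCAP] section"]
    scap = cp["SCAP"]
    findings = [f"missing key: {k}" for k in REQUIRED if not scap.get(k, "").strip()]
    # Assumption: the version in the checklist folder name should equal XCCDFVersion.
    m = re.search(r"(\d+(?:\.\d+)+)", scap.get("SCAPPath", ""))
    declared = scap.get("XCCDFVersion", "").strip().lstrip("vV")
    if m and declared and m.group(1) != declared:
        findings.append(f"version mismatch: SCAPPath {m.group(1)} vs XCCDFVersion {declared}")
    for flag in COLLECT_FLAGS:
        value = scap.get(flag, "false").strip().lower()
        if value not in ("true", "false"):
            findings.append(f"{flag} is not true/false: {value!r}")
        elif value == "false":
            findings.append(f"{flag}=false: files are not collected to the Domain Manager")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_scap_config(SAMPLE)))
```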