|
|
|
By default, the sample policy scripts set Warning mode for all policy rules. When you deploy the policy it is active but does not enforce its rules. After you familiarize yourself with the policy and customize it as required, you should be ready to enable the policy so that policy rules are enforced.
Note: This procedure explains how to enable policy enforcement for a single policy. For more information about how to enable policy enforcement for multiple policies after you perform system maintenance, see the Endpoint Administration Guide for your operating system.
To enable sample policy enforcement
When you run a rule that sets warning- for a resource or accessor, CA ControlMinder removes Warning mode from the resource or accessor.
Policy enforcement is enabled.
Example: Enable Windows Sample Policy Enforcement
The following snippet is from the sample JBoss policy for Windows. The policy is enabled because "warning" is changed to "warning-".
# Protect JBoss files
# -------------------
# Protect JBoss files in the application directory.
# These rules apply protection to files that are not protected by other rules.
editfile ("<!JBOSS_HOME>\*") owner(nobody) defaccess(NONE) warning- comment ("AC Sample - JBoss base dir")
authorize FILE ("<!JBOSS_HOME>\*") id(ROL_JBOSS_ADMIN) access(ALL) via(pgm("<!JBOSS_HOME>\bin\*"))
authorize FILE ("<!JBOSS_HOME>\*") id(jboss_pgm) access(READ,CHDIR) via(pgm("<!JBOSS_HOME>\bin\*", "<!JBOSS_JAVA_PGM>"))
| Copyright © 2013 CA. All rights reserved. |
|