

policydeploy -store Function—Store a Policy

This function stores the specified policy on the DMS nodes specified by the command or in the local CA ControlMinder database. Unless you use the -silent option, you need to confirm this action at the prompt.

If no previous version of the specified policy is stored on the DMS, version 1 of the policy is created (name#01). If a previous version of this policy exists, a new version of the policy is created (name#last_version+1). The policy version you store is automatically finalized. When you need to update a policy, you must store a new version of the policy that contains the required modified policy deployment and undeployment rules.

This function has the following format:

policydeploy -store name -ds file1 [-uds file2] [-dms list] [-desc description] [-prereq list] [-silent]

-desc description

(Optional) Defines the business description for the policy.

-dms list

(Optional) Specifies a comma-separated list of DMS nodes to use. When you deploy or undeploy a policy, these are the DMS nodes to which the action is reported. When you store a policy, these are the DMS nodes where the policy is stored.

If you do not specify DMS nodes with this option, the utility uses the list of DMS nodes specified in the local CA ControlMinder database. To specify a list of DMS nodes in the database, you need to issue the following selang command after you create a new DMS using dmsmgr:

so dms+(new_dms_name)

Note: You need to issue the same command if you did not specify the DMS node during installation, or if you want to replace or add the registered DMS on the endpoint. However, when you specify to create an advanced policy management server during installation, the DMS is added to the database and you do not need to manually run the above command.

-ds file1

Specifies the path name of the file containing the deployment rules. These are the commands necessary to construct the policy. When you use the -getrules option, the utility creates this file.

Important! Policy deployment does not support commands that set user passwords. Do not include such commands in your deployment script file. Native selang commands are supported but do not appear in deviation reports.

-prereq list

(Optional) Defines a comma-separated list of policies that must be deployed before you can deploy this policy.

Important! If a prerequisite policy is not deployed when you try to deploy a dependent policy, the deployment task's status is changed to Pending Prerequisite and the deployment resumes when all prerequisite policies are deployed. Similarly, if you try to undeploy a policy that is a prerequisite to another deployed policy, the deployment task's status is changed to Pending Dependents and the deployment resumes when all dependent policies are undeployed.

-silent

(Optional) Suppresses the confirmation prompt for the requested action.

-store name

Stores the specified policy on the specified DMS nodes or in the local CA ControlMinder database.

Note: Policy names cannot include the # (hash) character, which is reserved for denoting policy version numbers and is added automatically.

-uds file2

Defines the path name of the file containing the rules required to undeploy the policy. These are the commands necessary to undeploy the policy. When you use the -getrules option, the utility creates this file.

If no undeployment script is stored for a policy when CA ControlMinder undeploys it, CA ControlMinder calculates the commands required to remove the policy.

Example: Store an IIS 5 Protection Policy

The following example shows you how to store a policy for securing Internet Information Services (IIS) 5 web servers. This is the first time we store this policy on the DMS.

Note: The selang commands in this example are for resources on a Windows operating system but the same procedure also applies on UNIX.

  1. Save a file named IIS5.selang with the following IIS script:
    # IIS5 deployment script
    eu inet_pers owner(nobody)
    er FILE c:\InetPub\wwwroot\* defaccess(none) owner(nobody)
    authorize FILE c:\InetPub\wwwroot\* uid(inet_pers) access(all)
    er FILE c:\InetPub\wwwroot\scripts defaccess(none) owner(nobody)
    er FILE *.asp defaccess(none) owner(nobody)
    authorize FILE *.asp uid(inet_pers) via(pgm(inetinfo.exe)) access(read, execute)
    

    These are the commands necessary to deploy an IIS 5 protection policy.

  2. Save a file named IIS5_rm.selang with the following script:
    # IIS5 undeployment script
    ru inet_pers
    rr FILE c:\InetPub\wwwroot\*
    rr FILE c:\InetPub\wwwroot\scripts
    rr FILE *.asp


    These are the commands necessary to undeploy the IIS 5 protection policy we created in Step 1.

  3. Open a command prompt window and run the policydeploy utility:
    policydeploy -store IIS5 -ds IIS5.selang -uds IIS5_rm.selang -desc "IIS5 web server security policy" -silent
    

    This stores the IIS5 policy (GPOLICY object) and the first version of the policy (IIS5#01 POLICY object) on the DMS, with the scripts defined in IIS5.selang and IIS5_rm.selang.
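As an added example (not part of the CA ControlMinder documentation), the following POSIX shell wrapper checks the two rules stated in this reference before it runs the Step 3 store command: the policy name must not contain the reserved # character, and the deployment script must not set user passwords. Treating a "password(" property as a password-setting selang command is an assumption used as a heuristic; the sample scripts it writes are constructed.

```shell
#!/bin/sh
# Pre-flight wrapper for "policydeploy -store" (added example, not CA code).
# Enforces two rules from the reference before anything reaches the DMS:
# the policy name must not contain '#', and the deployment script must not
# set user passwords. Flagging lines with a "password(" property is an
# assumption about selang syntax, used here as a conservative heuristic.

# Return 0 if the policy name is acceptable, 1 if empty or contains '#'.
check_policy_name() {
  case "$1" in
    ''|*'#'*) return 1 ;;
    *)        return 0 ;;
  esac
}

# List non-comment lines of a selang script that carry a password property.
# Returns 1 if any were found (and prints them with line numbers), else 0.
check_deploy_script() {
  if grep -v '^[[:space:]]*#' "$1" | grep -in 'password('; then
    return 1
  fi
  return 0
}

# Validate name and both script files, then call policydeploy exactly as in
# Step 3 above. Returns non-zero without storing anything on any failure.
store_policy() {
  name=$1; ds=$2; uds=$3; desc=$4
  check_policy_name "$name" || { echo "invalid policy name: $name" >&2; return 1; }
  [ -r "$ds" ]  || { echo "cannot read deployment script: $ds" >&2; return 1; }
  [ -r "$uds" ] || { echo "cannot read undeployment script: $uds" >&2; return 1; }
  check_deploy_script "$ds" >&2 || { echo "refusing: $ds sets a password" >&2; return 1; }
  policydeploy -store "$name" -ds "$ds" -uds "$uds" -desc "$desc" -silent
}

# Constructed sample scripts for trying the checks offline; prints their dir.
write_samples() {
  dir=$(mktemp -d)
  cat > "$dir/IIS5.selang" <<'EOF'
# IIS5 deployment script (constructed, mirrors the page's example)
eu inet_pers owner(nobody)
er FILE c:\InetPub\wwwroot\* defaccess(none) owner(nobody)
EOF
  cat > "$dir/bad.selang" <<'EOF'
# constructed script that violates the rule: it sets a user password
eu inet_pers password(changeme)
EOF
  echo "$dir"
}
```

Run `store_policy IIS5 IIS5.selang IIS5_rm.selang "IIS5 web server security policy"` on an endpoint with the utility installed; the wrapper stops before calling policydeploy if any check fails.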