

Warning Mode

Warning Mode is a property that you can apply to a resource, and an option that you can apply to a class. If Warning mode is applied to a resource or a class and an access violates an access rule, CA ControlMinder writes an audit log entry with the return code W, but permits the access to the resource. If a class is in Warning mode, all the resources in that class are in Warning mode.

Warning Mode only has an effect if CA ControlMinder is in Full Enforcement mode.

Note: Full Enforcement mode is the only mode CA ControlMinder for UNIX supports. CA ControlMinder for Windows also supports Audit Only mode.

You can use Warning mode when you introduce or modify an access policy. If you do this, you can examine the audit log to preview the results of your intended policy before you put that policy into effect. You can display the audit log by using the seaudit command.

If a class has the property warning, you can put the class into Warning mode. If a resource group or class is in Warning mode, when an access rule is violated, CA ControlMinder allows the access and writes an entry in the audit log that references the resource (not the resource group or class).

The Warning mode settings on a resource and on a class are independent: if you put a resource into Warning mode, it remains in Warning mode, even if it belongs to a class and you remove Warning mode from that class.

Note: You can only put resources or classes into Warning mode if they have the property warning; not all resources or classes have this property.
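The following Python sketch is an added illustration, not CA ControlMinder code. It models the behavior described above under Full Enforcement mode: the independent resource and class settings, and how the W entries preview what the policy will block. The class names, the `allowed` rule, and the tuple record layout are assumptions made for the example; they are not the real audit log format.

```python
from dataclasses import dataclass, field

@dataclass
class ResClass:
    name: str
    warning: bool = False  # Warning mode option on the class

@dataclass
class Resource:
    cls: ResClass
    name: str
    allowed: set = field(default_factory=set)  # simplified access rule (assumption)
    warning: bool = False  # Warning mode property on the resource

def check_access(res, user, audit_log):
    """Return True if access is permitted under Full Enforcement mode."""
    if user in res.allowed:
        return True  # no rule violated, nothing to warn about
    # Rule violated. Resource and class settings are independent;
    # either one being set is enough to permit the access with W.
    if res.warning or res.cls.warning:
        # The entry references the resource, even when the class setting caused it.
        audit_log.append(("W", res.cls.name, res.name, user))
        return True
    return False  # enforced: access denied

def would_be_denied(audit_log):
    """Preview: (resource, user) pairs blocked once Warning mode is cleared."""
    return sorted({(name, user) for code, _, name, user in audit_log if code == "W"})

def demo():
    # Constructed sample policy: only alice is allowed on both files.
    file_cls = ResClass("FILE", warning=True)
    myfile = Resource(file_cls, r"c:\myfile", allowed={"alice"}, warning=True)
    other = Resource(file_cls, r"c:\other", allowed={"alice"})
    log = []
    results = [check_access(myfile, "bob", log), check_access(other, "bob", log)]
    file_cls.warning = False  # remove Warning mode from the class only
    results += [check_access(myfile, "bob", log), check_access(other, "bob", log)]
    return results, log

if __name__ == "__main__":
    results, log = demo()
    print(results)
    print(would_be_denied(log))
```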

More information:

Audit Only Mode

Put a Resource into Warning Mode

You put a resource into Warning mode to monitor the effects of access rules, without needing to enforce these rules.

Note: As well as putting individual resources into Warning mode, you can put a class into Warning mode.

To put a resource into Warning mode

  1. In CA ControlMinder Endpoint Management, edit the resource you want to put into Warning mode.

    The appropriate Modify page appears.

  2. Click the Audit tab.

    The Audit Modes page for the resource appears.

  3. Select Warning Mode, and click Save.

    The resource you modified is now in Warning mode.

Note: In Warning mode, CA ControlMinder always writes warning records to the audit log when access is permitted but access rules are violated: you do not need to set the audit property on the resource for this to happen.

Use the sereport utility (report number 6) to see all resources in Warning mode.

Example: Put a File into Warning Mode

The following selang example puts the file c:\myfile into Warning mode:

chres FILE c:\myfile warning

Example: Clear Warning Mode from a File

The following selang example takes the file c:\myfile out of Warning mode:

chres FILE c:\myfile warning-

Warning mode is no longer active for myfile, so CA ControlMinder enforces the access rules for myfile.

Example: Put a Terminal into Warning Mode

The following selang example puts the terminal myterminal into Warning mode:

chres terminal myterminal warning

CA ControlMinder permits access by any authorized user from the terminal myterminal, but logs an audit record for any user that normally would be denied access from that terminal.