Advanced policy management lets you see the difference between the access rules that should be deployed on an endpoint (as a result of policy deployment) and the actual rules that have been successfully deployed on the same endpoint. It also resolves property additions and changes made to policy objects. This lets you resolve problems associated with the deployment of your policies.
When the policy deviation calculator runs on an endpoint, it performs the following actions:
These are the rules defined for each deployed policy, as specified in the local RULESET object that is associated with the POLICY object for each deployed policy version.
Important! The deviation calculation does not check whether native rules are applied. It also ignores rules that remove objects (user or resource attributes, user or resource authorizations, or the users or resources themselves) from the database. For example, the calculation cannot verify whether the following rule, which removes the FILE resource /etc/passwd from the database, has been applied:
rr FILE /etc/passwd
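To make the comparison concrete, the following is an added example, not CA ControlMinder code: a toy deviation check over a small subset of selang. It assumes a constructed endpoint state (a set of FILE resources and an access list), two constructed policy versions named in the policy#version style, and it mirrors the restriction in the note above by skipping removal rules (rr, ru, auth-), so a removal that never took effect is not reported as a deviation.

```python
"""Toy model of a policy deviation check (added example, not ControlMinder's
own devcalc). Expected rules come from each deployed policy's RULESET; the
"actual" state is what is in the endpoint database. Removal rules are not
checked at all, matching the documented limitation."""
import re
from dataclasses import dataclass, field

# selang verbs that remove objects from the database. The calculator cannot
# verify these, so they are excluded from the comparison entirely.
REMOVAL_VERBS = {"rr", "ru", "auth-"}


@dataclass
class Endpoint:
    """Constructed endpoint state (assumption, not the real DB layout)."""
    resources: set[tuple[str, str]] = field(default_factory=set)          # (class, name)
    acl: set[tuple[str, str, str, str]] = field(default_factory=set)      # (class, name, user, access)


def parse_rule(rule: str):
    """Parse a minimal subset of selang into (verb, key).

    Supported forms (simplified):
      nr CLASS name | rr CLASS name
      authorize CLASS name uid(user) access(x) | auth- CLASS name uid(user)
    """
    tokens = rule.split()
    verb = tokens[0]
    if verb in ("nr", "rr"):
        return verb, (tokens[1], tokens[2])
    if verb in ("authorize", "auth-"):
        cls, name = tokens[1], tokens[2]
        m_uid = re.search(r"uid\((\w+)\)", rule)
        m_acc = re.search(r"access\((\w+)\)", rule)
        if m_uid is None:
            raise ValueError(f"missing uid() in rule: {rule}")
        access = m_acc.group(1) if m_acc else ""
        return verb, (cls, name, m_uid.group(1), access)
    raise ValueError(f"unsupported rule: {rule}")


def rule_applied(verb: str, key: tuple, ep: Endpoint) -> bool:
    """True if the additive rule is reflected in the endpoint database."""
    if verb == "nr":
        return key in ep.resources
    if verb == "authorize":
        return key in ep.acl
    raise ValueError(f"not an additive rule: {verb}")


def calculate_deviations(policies: dict[str, list[str]], ep: Endpoint) -> dict[str, list[str]]:
    """Per deployed policy version, return the expected rules that are not
    present on the endpoint. Removal rules are skipped, so a policy that
    consists only of removals always reports an empty deviation list."""
    result: dict[str, list[str]] = {}
    for policy, rules in policies.items():
        missing = []
        for rule in rules:
            verb, key = parse_rule(rule)
            if verb in REMOVAL_VERBS:
                continue                      # documented blind spot
            if not rule_applied(verb, key, ep):
                missing.append(rule)
        result[policy] = missing
    return result


def demo() -> dict[str, list[str]]:
    # Constructed data: two deployed policy versions and an endpoint where the
    # authorize rule was never applied and /etc/passwd was never removed.
    policies = {
        "ssh_hardening#01": [
            "nr FILE /etc/ssh/sshd_config",
            "authorize FILE /etc/ssh/sshd_config uid(sshadmin) access(r)",
        ],
        "passwd_cleanup#02": ["rr FILE /etc/passwd"],
    }
    ep = Endpoint(
        resources={("FILE", "/etc/ssh/sshd_config"), ("FILE", "/etc/passwd")},
        acl=set(),
    )
    return calculate_deviations(policies, ep)


if __name__ == "__main__":
    for policy, missing in demo().items():
        print(policy, "->", missing or "no deviations detected")
```

Running it reports the missing authorize rule for ssh_hardening#01 but nothing for passwd_cleanup#02, even though /etc/passwd is still present on the endpoint: that is exactly the case the note says the deviation calculation cannot verify, so a removal that silently failed has to be checked by other means (for example by inspecting the database directly).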
Normally, the deviation calculator checks for deviations only on the local host. If you specify the -strict option, the deviation calculator also compares the policies associated with the local HNODE object to the policies associated with the HNODE object on the DMS. It compares the following:
Log and error messages collected during the last deviation calculation.
List of policies and their deviations. You can get the contents of this file using the selang command get devcalc on the endpoint.
Note: CA ControlMinder also sends audit events which can be viewed using seaudit -a. For more information about the seaudit utility, see the Reference Guide.
Notifications are sent to the DMS through the DHs specified for the local CA ControlMinder database.
Copyright © 2013 CA Technologies.
All rights reserved.