

How Policy Deviation Calculations Work

Advanced policy management lets you see the difference between the access rules that should be deployed on an endpoint (as a result of policy deployment) and the rules that have actually been deployed successfully on that endpoint. It also resolves property additions and changes made to policy objects. This lets you resolve problems associated with deploying your policies.

When the policy deviation calculator runs on an endpoint, it performs the following actions:

  1. Retrieves from the local host the list of rules that should be deployed on the endpoint.

    These are the rules that are specified for each of the deployed policies, as specified in the local RULESET object that is associated with the POLICY object for each deployed policy version.

  2. Checks that each of these rules is applied to the endpoint.

    Important! The deviation calculation does not check whether native rules are applied. It also ignores rules that remove objects (user or object attributes, user or resource authorization, or actual users or resources) from the database. For example, the calculation cannot verify whether the following rule is applied:
    rr FILE /etc/passwd

  3. (Optional) Compares the local policy objects with the ones on the DMS.

    Normally, the deviation calculator checks for deviations only on the local host. If you specify the -strict option, the deviation calculator also compares the policies associated with the local HNODE object to the policies associated with the HNODE object on the DMS. It compares the following:

    1. List of policies associated with the HNODE object representing the local host
    2. Policy state of each POLICY object associated with the HNODE object
    3. Policy signature of each POLICY object associated with the HNODE object
  4. Outputs the following two files:

    Note: CA ControlMinder also sends audit events which can be viewed using seaudit -a. For more information about the seaudit utility, see the Reference Guide.

  5. Notifies the DMS of any deviations found.

    Notifications are sent to the DMS through the DHs specified for the local CA ControlMinder database.
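The following Python model of steps 2 and 3 is added here as an illustration and is not CA ControlMinder's own code: it reports expected rules that are not applied while skipping removal rules (as the Important! note describes), and in -strict mode compares policy list, state and signature between the local HNODE and the DMS HNODE. The removal verbs other than rr, the PolicyRef fields, and all sample rules and policy names are assumptions.

```python
from dataclasses import dataclass

# Constructed for this example: selang verbs that remove objects or authorizations.
# "rr" is quoted on the page; "ru", "rg" and "authorize-" are assumed here.
REMOVAL_VERBS = {"rr", "ru", "rg", "authorize-"}

def is_checkable(rule: str) -> bool:
    """Removal rules cannot be verified as applied, so the calculator skips them."""
    return rule.split()[0] not in REMOVAL_VERBS

def local_deviations(expected_rules, deployed_rules):
    """Step 2: rules the local RULESET says should be applied but are not."""
    deployed = set(deployed_rules)
    return [r for r in expected_rules if is_checkable(r) and r not in deployed]

@dataclass(frozen=True)
class PolicyRef:  # a POLICY object as associated with an HNODE (fields assumed)
    name: str
    state: str
    signature: str

def strict_deviations(local_hnode, dms_hnode):
    """Step 3 (-strict): compare policy list, state and signature per policy."""
    local = {p.name: p for p in local_hnode}
    remote = {p.name: p for p in dms_hnode}
    findings = []
    for name in sorted(set(local) | set(remote)):
        if name not in local or name not in remote:
            findings.append(f"policy list mismatch: {name}")
            continue
        if local[name].state != remote[name].state:
            findings.append(f"state mismatch: {name}")
        if local[name].signature != remote[name].signature:
            findings.append(f"signature mismatch: {name}")
    return findings

# Constructed sample input: a RULESET versus the rules actually applied, and two policies as seen locally and on the DMS.
EXPECTED_RULES = [
    "nr FILE /opt/app/config defaccess(none)",
    "authorize FILE /opt/app/config uid(appsvc) access(read)",
    "rr FILE /opt/app/old.cfg",  # removal rule: never reported as a deviation
]
DEPLOYED_RULES = ["nr FILE /opt/app/config defaccess(none)"]
LOCAL_HNODE = [PolicyRef("app_policy#01", "deployed", "sig-1"),
               PolicyRef("db_policy#02", "deployed", "sig-9")]
DMS_HNODE = [PolicyRef("app_policy#01", "deployed", "sig-2"),
             PolicyRef("db_policy#02", "undeployed", "sig-9")]

if __name__ == "__main__":
    print(local_deviations(EXPECTED_RULES, DEPLOYED_RULES))
    print(strict_deviations(LOCAL_HNODE, DMS_HNODE))
```

With the sample data, the authorize rule is reported as missing while the rr rule is silently skipped, and strict mode flags one signature and one state mismatch.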