start devcalc Command—Initiate Policy Deviation Calculation

Valid in the AC environment

The start devcalc command initiates policy deviation calculation and sends deviation status. The deviation data is stored in a local policy deviation data file (deviation.dat) and policy deviation status is sent to a DMS through one or more set DHs. To retrieve the actual deviation data, you need to run the get devcalc command.

Note: You do not need to run the deviation calculator manually. If you use advanced policy management, the policyfetcher does this for you regularly. If you have enterprise reporting enabled, the Report Agent also does this regularly. For more information about policy deviation calculation, see the Enterprise Administration Guide.

To run the start devcalc command, you must have terminal access rights to the computer and execute access to the DEVCALC sub-administration class.

This command has the following format:

start devcalc [params("-pn name#xx -strict -nonotify -precise")]

-nonotify

(Optional) Specifies that devcalc does not send deviation status to the DMS through the DH.

Note: The deviation calculation command that policyfetcher runs is defined in the devcalc_command configuration setting and, by default, uses this option to avoid sending deviation status twice.

-pn name#xx

(Optional) Defines a comma-separated list of POLICY objects (policy version) the deviation calculator should calculate differences for. If no policy is specified, the deviation calculator calculates differences for all policies deployed on the local host.

-strict

(Optional) Compares the policies associated with the local HNODE object with the ones associated with the HNODE object on the first available DMS.

Normally, the deviation calculator checks for deviations only on the local host. If this option is specified, the deviation calculator also compares the local policies to the policies on the first available DMS in the list. It compares the:

  1. List of policies associated with the HNODE object representing the local host.
  2. Policy state of each POLICY object associated with the HNODE object.
  3. Policy signature of each POLICY object associated with the HNODE object.

Use this option when you need to validate the result of the deviation calculation.

Note: If you have a large number of endpoints running the deviation calculation simultaneously, the DMS will be heavily loaded. We recommend that you configure your endpoints to use a DMS list or divide your hierarchy into smaller hierarchies and use this option within those smaller hierarchies.

-precise

(Optional) Specifies that the deviation report also displays added objects, properties, and values that exist in the endpoint database and are not found in the policy. By default, the report only displays missing and mismatched items. Use this option when you want to view the contents of the endpoint database and compare them to the deployed policy.

Example: Start a Policy Deviation Calculation for a Specific Policy

The following example shows how you can use the start devcalc command to calculate policy deviations for the second version of a policy called myPolicy and send the deviation status to the DMS list specified in the local CA ControlMinder database:

AC> start devcalc params("-pn myPolicy#02")