

Policy Deviation Data File

The policy deviation calculation writes a data file that contains a list of policies and their deviations. This data file is stored in ACInstallDir/data/devcalc/deviation.dat

Note: The list of policies included in the data file depends on the policies that a deviation is calculated for (by default, all the policies and all policy versions on the endpoint).

Important! The deviation calculation does not check whether native rules are applied. It also ignores rules that remove objects (user or object attributes, user or resource authorization, or actual users or resources) from the database. For example, the calculation cannot verify whether the following rule is applied:
rr FILE /etc/passwd

The deviation status is sent (whether a deviation exists or not) to the DMS but the actual deviation is stored locally. When a report is created, the actual deviation results can be retrieved from this file and added to the report.

The following lines can appear in the policy deviation data file:

Date

Displays a time stamp for the deviation calculation. A date line is always the first line in the deviation report.

Format: DATE, DDD MMM DD hh:mm:ss YYYY

Strict

Specifies that the deviation calculation was run with the -strict option.

Format: STRICT, DMS@hostname, policy_name#xx, [1|0]

[1|0] signifies whether a deviation was found (1) or not (0) between the policies associated with the local HNODE object and those associated with the HNODE object on DMS@hostname (the first available DMS).

Policy Start

Starts a policy block, which defines the deviation for this policy version.

Format: POLICYSTART, policy_name#xx

Difference

Describes a deviation that was found for a policy. The policy the deviation applies to is the one named in the nearest policy start line above this line.

There are eight types of deviations, four showing missing elements and four showing added elements, which are described in the following table:

Deviation Type          Format
Class not found         DIFF, -(class_name), (*), (*), (*)
Object not found        DIFF, (class_name), -(object_name), (*), (*)
Object added            DIFF, (class_name), +(object_name), (*), (*)
Property not found      DIFF, (class_name), (object_name), -(property_name), (*)
Property added          DIFF, (class_name), (object_name), +(property_name), (*)
Property value missing  DIFF, (class_name), (object_name), (property_name), -(expected_value)
Property value added    DIFF, (class_name), (object_name), (property_name), +(value)

Note: When the deviation calculator detects a missing class, it also creates a deviation line for all missing objects, properties, and values.

Policy End

Ends a policy block, which defines the deviation for this policy.

Format: POLICYEND, policy_name#xx, [1|0]

[1|0] signifies whether a deviation was found (1) or not (0).

Warning

Describes a warning.

Format: WARNING, "warning_text"

Example: Deviation data file

The following example shows an excerpt from a deviation data file:

Date, Sun Mar 19 08:30:00 2006
WARNING, "failed to retrieve DH host name, deviation will be stored locally"
POLICYSTART, iis8#02
DIFF, (USER), (iispers), (*), (*)
POLICYEND, iis8#02, 1
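As an added example that is not part of the original documentation or the product's own code, the following Python parser reads a file in the layout described above, groups each DIFF record under its POLICYSTART line and names the deviation type from the position of the +/- marker. It assumes record keywords may be matched case-insensitively (the sample shows "Date") and that the parenthesized names contain no commas.

```python
import re

_LEVELS = ("class", "object", "property", "value")   # DIFF field order per the page
_FIELD_RE = re.compile(r"^([+-]?)\((.*)\)$")          # e.g. "-(object_name)" or "(*)"
_TYPE_NAMES = {("class", "-"): "Class not found", ("object", "-"): "Object not found",
               ("object", "+"): "Object added", ("property", "-"): "Property not found",
               ("property", "+"): "Property added", ("value", "-"): "Property value missing",
               ("value", "+"): "Property value added"}

def classify_diff(fields):
    """Map one DIFF record to (deviation type, (class, object, property, value)).
    '-' marks a policy element missing on the endpoint, '+' an element the policy lacks."""
    if len(fields) != 4:
        raise ValueError(f"DIFF record needs 4 fields, got {len(fields)}")
    kind, names = "unmarked", []
    for level, raw in zip(_LEVELS, fields):
        m = _FIELD_RE.match(raw.strip())
        if not m:
            raise ValueError(f"malformed DIFF field {raw!r}")
        sign, name = m.groups()
        names.append(name)
        if sign:
            kind = _TYPE_NAMES.get((level, sign), f"{level} {sign}")
    return kind, tuple(names)

def parse_deviation_file(text):
    """Parse deviation.dat text; DIFF records are grouped under their POLICYSTART."""
    out, block = {"date": None, "strict": None, "warnings": [], "policies": []}, None
    for line in filter(str.strip, text.splitlines()):
        key, _, rest = line.partition(",")
        key, fields = key.strip().upper(), [f.strip() for f in rest.split(",")]
        if key == "DATE":
            out["date"] = rest.strip()
        elif key == "STRICT":   # DMS@hostname, policy_name#xx, [1|0]
            out["strict"] = {"dms": fields[0], "policy": fields[1], "deviated": fields[2] == "1"}
        elif key == "WARNING":  # quoted text, which may itself contain commas
            out["warnings"].append(rest.strip().strip('"'))
        elif key == "POLICYSTART":
            block = {"policy": fields[0], "diffs": [], "deviated": None}
            out["policies"].append(block)
        elif key == "DIFF" and block is not None:
            block["diffs"].append(classify_diff(fields))
        elif key == "POLICYEND" and block is not None and fields[0] == block["policy"]:
            block["deviated"] = fields[1] == "1"
            block = None
        else:
            raise ValueError(f"unexpected or misplaced record: {line!r}")
    return out
```

A DIFF line with no +/- marker (as in the excerpt above) is reported as "unmarked" rather than rejected, so a report generator can still list it under its policy.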