The policy deviation calculation writes a data file that contains a list of policies and their deviations. This data file is stored in ACInstallDir/data/devcalc/deviation.dat.
Note: The list of policies included in the data file depends on the policies that a deviation is calculated for (by default, all the policies and all policy versions on the endpoint).
Important! The deviation calculation does not check whether native rules are applied. It also ignores rules that remove objects (user or object attributes, user or resource authorization, or actual users or resources) from the database. For example, the calculation cannot verify whether the following rule is applied:
rr FILE /etc/passwd
The deviation status (whether a deviation exists or not) is sent to the DMS, but the actual deviation data is stored locally. When a report is created, the actual deviation results can be retrieved from this file and added to the report.
The following lines can appear in the policy deviation data file:
DATE line: Displays a time stamp for the deviation calculation. A date line is always the first line in the deviation report.
Format: DATE, DDD MMM DD hh:mm:ss YYYY
STRICT line: Specifies that the deviation calculation was run with the -strict option.
Format: STRICT, DMS@hostname, policy_name#xx, [1|0]
[1|0] signifies whether a deviation was found (1) between the policies associated with the local HNODE object and the ones associated with the HNODE object on DMS@hostname (the first available DMS), or not (0).
POLICYSTART line: Starts a policy block, which defines the deviation for this policy version.
Format: POLICYSTART, policy_name#xx
DIFF line: Describes a deviation that was found for a policy. The policy the deviation applies to is named in the nearest POLICYSTART line above this line.
There are eight types of deviations, four showing missing elements and four showing added elements, which are described in the following table:
| Deviation Type | Format |
|---|---|
| Class not found | DIFF, -(class_name), (*), (*), (*) |
| Object not found | DIFF, (class_name), -(object_name), (*), (*) |
| Object added | DIFF, (class_name), +(object_name), (*), (*) |
| Property not found | DIFF, (class_name), (object_name), -(property_name), (*) |
| Property added | DIFF, (class_name), (object_name), +(property_name), (*) |
| Property value missing | DIFF, (class_name), (object_name), (property_name), -(expected_value) |
| Property value added | DIFF, (class_name), (object_name), (property_name), +(value) |
Note: When the deviation calculator detects a missing class, it also creates a deviation line for all missing objects, properties, and values.
POLICYEND line: Ends a policy block, which defines the deviation for this policy.
Format: POLICYEND, policy_name#xx, [1|0]
[1|0] signifies whether a deviation was found (1) or not (0).
WARNING line: Describes a warning.
Format: WARNING, "warning_text"
Example: Deviation data file
The following example shows an excerpt from a deviation data file:
Date, Sun Mar 19 08:30:00 2006
WARNING, "failed to retrieve DH host name, deviation will be stored locally"
POLICYSTART, iis8#02
DIFF, (USER), (iispers), (*), (*)
POLICYEND, iis8#02, 1
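The record types and the DIFF table above are enough to parse deviation.dat offline, for example to pull deviation details into a report or to alert when a policy block reports a deviation. The following parser is an added example and is not CA's own code: it reads DATE, STRICT, POLICYSTART, DIFF, POLICYEND and WARNING records, classifies each DIFF line by which field carries a + or - sign, and flags policy blocks whose POLICYEND value disagrees with the DIFF lines inside the block. The sample text is constructed from the excerpt above, and the DeviationFile, PolicyBlock and Deviation names are this example's own.

```python
"""Parser for the policy deviation data file format described above.
Added example, not CA's code.  Names (DeviationFile, PolicyBlock,
Deviation, inconsistent_blocks) and the sample input are assumptions
of this example."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample based on the excerpt on this page.  Note that its DIFF
# line carries no +/- sign; the parser reports that as "unsigned" instead
# of rejecting the file.
SAMPLE = """Date, Sun Mar 19 08:30:00 2006
WARNING, "failed to retrieve DH host name, deviation will be stored locally"
POLICYSTART, iis8#02
DIFF, (USER), (iispers), (*), (*)
POLICYEND, iis8#02, 1
"""

# (field index, sign) -> deviation type, as listed in the table above.
# Field order is class, object, property, value.
DIFF_TYPES: Dict[Tuple[int, str], str] = {
    (0, "-"): "Class not found",
    (1, "-"): "Object not found",
    (1, "+"): "Object added",
    (2, "-"): "Property not found",
    (2, "+"): "Property added",
    (3, "-"): "Property value missing",
    (3, "+"): "Property value added",
}

# Four parenthesised fields; the last (value) may itself contain commas,
# so only it is matched greedily.
_DIFF_RE = re.compile(
    r"^DIFF,\s*([+-]?\([^)]*\)),\s*([+-]?\([^)]*\)),"
    r"\s*([+-]?\([^)]*\)),\s*([+-]?\(.*\))\s*$"
)
_WARNING_RE = re.compile(r'^WARNING,\s*"(.*)"\s*$')


@dataclass
class Deviation:
    kind: str           # a DIFF_TYPES value, "unsigned", or "unlisted"
    fields: List[str]   # class, object, property, value (sign/parens removed)


@dataclass
class PolicyBlock:
    name: str
    deviations: List[Deviation] = field(default_factory=list)
    flag: Optional[int] = None   # [1|0] from the POLICYEND line


@dataclass
class DeviationFile:
    date: Optional[str] = None
    strict: Optional[Tuple[str, str, int]] = None   # (DMS@hostname, policy, flag)
    warnings: List[str] = field(default_factory=list)
    policies: List[PolicyBlock] = field(default_factory=list)


def classify_diff(raw_fields: List[str]) -> Tuple[str, List[str]]:
    """Map four raw DIFF fields such as '-(class)' to (type, cleaned fields).
    The table shows one signed field per line; if none is signed the line
    is reported as 'unsigned', and a sign in a position the table does not
    list is reported as 'unlisted'."""
    kind = "unsigned"
    cleaned = []
    for idx, raw in enumerate(raw_fields):
        sign = raw[:1] if raw[:1] in ("+", "-") else ""
        if sign:
            kind = DIFF_TYPES.get((idx, sign), "unlisted")
        cleaned.append(raw.lstrip("+-")[1:-1])   # drop sign and parentheses
    return kind, cleaned


def parse_deviation_file(text: str) -> DeviationFile:
    """Parse the whole file, enforcing the block structure described above."""
    result = DeviationFile()
    current: Optional[PolicyBlock] = None
    seen_record = False
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(",")
        keyword, rest = keyword.strip().upper(), rest.strip()
        if keyword == "DATE":
            if seen_record:                      # DATE is always the first line
                raise ValueError(f"line {lineno}: DATE is not the first record")
            result.date = rest
        elif keyword == "STRICT":
            dms, policy, flag = [p.strip() for p in rest.split(",")]
            result.strict = (dms, policy, int(flag))
        elif keyword == "WARNING":
            m = _WARNING_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: malformed WARNING record")
            result.warnings.append(m.group(1))
        elif keyword == "POLICYSTART":
            if current is not None:
                raise ValueError(f"line {lineno}: nested policy block")
            current = PolicyBlock(name=rest)
        elif keyword == "DIFF":
            m = _DIFF_RE.match(line)
            if current is None or not m:
                raise ValueError(f"line {lineno}: DIFF outside a block or malformed")
            kind, fields = classify_diff(list(m.groups()))
            current.deviations.append(Deviation(kind, fields))
        elif keyword == "POLICYEND":
            name, flag = [p.strip() for p in rest.rsplit(",", 1)]
            if current is None or current.name != name:
                raise ValueError(f"line {lineno}: POLICYEND does not match open block")
            current.flag = int(flag)
            result.policies.append(current)
            current = None
        else:
            raise ValueError(f"line {lineno}: unknown record type {keyword!r}")
        seen_record = True
    if current is not None:
        raise ValueError(f"policy block {current.name!r} was never closed")
    return result


def inconsistent_blocks(parsed: DeviationFile) -> List[str]:
    """Names of policies whose POLICYEND flag disagrees with the DIFF lines
    recorded inside the block (flag 1 with no DIFF lines, or 0 with some)."""
    return [p.name for p in parsed.policies
            if p.flag is not None and (p.flag == 1) != bool(p.deviations)]


if __name__ == "__main__":
    parsed = parse_deviation_file(SAMPLE)
    print("date:", parsed.date)
    for w in parsed.warnings:
        print("warning:", w)
    for block in parsed.policies:
        print(f"{block.name}: flag={block.flag}")
        for d in block.deviations:
            print("   ", d.kind, d.fields)
    print("inconsistent:", inconsistent_blocks(parsed))
```

The parser is deliberately strict about structure (DATE first, no nested or unclosed blocks, POLICYEND naming the open block), so a truncated or hand-edited deviation.dat fails loudly rather than being silently folded into a report. Remember that, per the Important note above, an empty deviation list for a policy does not prove that native rules or rr-style removal rules were applied.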
Copyright © 2013 CA Technologies.
All rights reserved.