By default, the sample policy scripts set Warning mode for all policy rules. When you deploy the policy it is active but does not enforce the rules. After you familiarize yourself with the policy and customize it as required, you are ready to enable the policy so that policy rules are enforced.
Note: This procedure explains how to enable policy enforcement for a single policy. For more information about how to enable policy enforcement for multiple policies following system maintenance, see the Endpoint Administration Guide for your operating system.
To enable sample policy enforcement
When you run a rule that sets warning- for a resource or accessor, CA ControlMinder removes Warning mode from the resource or accessor.
Policy enforcement is enabled.
Example: Enable Windows Sample Policy Enforcement
The following excerpt is from the sample JBoss policy for Windows. The policy is enabled because "warning" is changed to "warning-".
# Protect JBoss files # ------------------- # Protect JBoss files in the application directory. # These rules apply protection to files that are not protected by other rules. editfile ("<!JBOSS_HOME>\*") owner(nobody) defaccess(NONE) warning- comment ("AC Sample - JBoss base dir") authorize FILE ("<!JBOSS_HOME>\*") id(ROL_JBOSS_ADMIN) access(ALL) via(pgm("<!JBOSS_HOME>\bin\*")) authorize FILE ("<!JBOSS_HOME>\*") id(jboss_pgm) access(READ,CHDIR) via(pgm("<!JBOSS_HOME>\bin\*", "<!JBOSS_JAVA_PGM>"))
Copyright © 2013 CA Technologies.
All rights reserved.
|
|