Previous Topic: Find Out Which Classes Are in Warning ModeNext Topic: Monitoring Access Control Activity


How to Perform System Maintenance

At certain times you may need to perform system maintenance to upgrade the system, install a new application, and so on. During system maintenance you should set CA ControlMinder rules in Warning mode. Once you are comfortable that the maintenance did not affect user access to resources that they require, you should turn off Warning mode and CA ControlMinder will start enforcing the associated rules.

To use Warning mode when you perform system maintenance, do the following:

  1. Set the appropriate classes to Warning mode before you start the maintenance, using the following selang rule:
    setoptions class(NAME) flags(W)
    
  2. Perform the maintenance.
  3. Run the seretrust utility after you perform the maintenance.

    The seretrust utility generates the selang commands required to retrust programs and secure files defined in the database.

  4. Run the selang command to retrust the programs defined in the database.
  5. Remove the Warning mode from the classes to enable policy enforcement, using the following selang rule:
    setoptions class(NAME) flags-(W)
    
  6. Review CA ControlMinder audit log files.

    The audit log contains warnings for the resources that were affected by the maintenance.

Note: For more information about the seretrust utility, see the Reference Guide.

More information:

seretrust Utility—Generate Commands to Retrust Programs and Secure Files