In addition to setting access rules for accessors and resources, you can specify Windows events that you want to write to the audit log. You can specify such audit policies for the entire organization, on a group basis, on a profile group basis, or on a user-by-user basis.
Example: Set an Audit Policy for All Members of a Profile Group
The following example shows you how you can set an audit policy for all users that are part of profile group:
newgrp profileGroup audit(failure) owner(nobody)
newusr user1 profile(profileGroup) owner(nobody)
chusr user1 audit-
You can now check whether this setting is effective:
runas /user:user1 cmd.exe
secons -whoami
This command displays the information that is used for authorization and is held in the ACEE for user1.
ACEE audit mode is: Failure; Originated from Profile group definition
This message confirms that the audit policy is derived from the profile group the user is attached to.
Example: Set a Audit Policy for Group Members
In this example, a fictional company named Forward Inc wants to use CA ControlMinder to protect all files in the /production directory. The /production directory has full access permissions in the native environment.
Forward Inc wants to deny and audit any attempts to access the /production directory. However, Forward Inc permits read access to the /production directory for developers. This access is not audited. An attempt by a developer to write to the /production directory is denied and audited.
Developers can request full access to the /production directory. Forward Inc audits any activity that a user with full access performs in the /production directory.
The following process describes the steps Forward Inc takes to implement the previous scenario:
authorize FILE /production/* access(none) uid(*)
This rule sets the default access as none.
editres FILE /production/* audit(failure)
This rule audits any failed attempt to access the /production directory.
authorize FILE /production/* access(read) xgid(Developers)
This rule permits members of the Developers group to have read access to the /production directory.
Note: The rule you set in Step 4 helps ensure that CA ControlMinder audits any failed access attempt by any user, including members of the Development group.
authorize FILE /production/* access(all) xgid(Dev_Access_All)
This rule permits members of the Dev_Access_All group to have full access to the /production directory.
chxgrp Dev_Access_All audit(all)
This rule audits every action a member of the Dev_Access_All group performs.
The user has full access to the /production directory, and CA ControlMinder audits every action the user performs.
Note: The user must start a new logon session for the change in group membership to take effect.
The user now has read access to the /production directory. CA ControlMinder denies and audits any other access attempt on the /production directory by the user.
Note: The user must start a new logon session for the change in group membership to take effect.
Copyright © 2013 CA Technologies.
All rights reserved.
|
|