A policy defines a standard configuration that you can check against de-facto configurations. Policies are a powerful tool to check whether your systems are actually configured the way they should be, whether it comes to cyber security patches, software versions, or hardware configuration.
Defining a policy
In order to define a policy, go to WORKFLOW/AUDITS. There you see the list of existing policies.
- In order to define a new policy from scratch, click on "Add".
- In order to define a new policy based on an existing policy, select the baseline that you want to use as a template and click on "Clone".
- In order to modify an existing policy, click on "Edit".
Thereafter, the add/edit policy dialog pops up.
You can use the following sections and fields to define your policy:
The name of the policy. You must assign a unique name to each policy.
Specify what this policy is about, such as a configuration standard for operator stations.
Apply to all devices
Check this box if you want to define a default policy that will apply to all devices. Note that for a default policy, it only makes sense to specify prohibited software.
Any comments that are helpful for other users to understand the policy and its implications.
Here you can define any specific hardware products that must be used for devices covered by this policy, such as specific computer models. If you specify more than one hardware product, a device is considered compliant with the policy if it uses any of these products.
The hardware modules that must be present for a device compliant with this policy, such as specific interface cards. A device will only be considered compliant if all modules are present.
Software products that are mandatory in order for a device to be compliant. For embedded devices, you can also specify firmware versions. If you specify multiple software/firmware products, all these products must be present in order for a device to be compliant.
Software products that must not be installed on a device. An example would be software that is known to be prone to security vulnerabilities, such as Adobe Flash Player.
Allows you to specify a reference system from which a default configuration is taken (see below).
Here you can attach any files that could be helpful, such as configuration guidance, software images, etc.
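The compliance semantics described above (hardware: any one of the listed products; modules and required software: all listed items must be present; prohibited software: none may be present; default policies are checked against every device without assignment), as an added Python model that is not the product's own code. The Policy and Device classes, the policy names and the sample devices are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed data model for this example only; the product's real schema is not on this page.
@dataclass
class Policy:
    name: str
    apply_to_all: bool = False                              # default policy: applies to every device
    hardware: set = field(default_factory=set)              # device must use ANY ONE of these
    modules: set = field(default_factory=set)               # ALL of these must be present
    required_software: set = field(default_factory=set)     # ALL of these must be present
    prohibited_software: set = field(default_factory=set)   # NONE of these may be present

@dataclass
class Device:
    device_id: str
    hardware: str
    modules: set
    software: set   # installed software and firmware, as "Product Version" strings

def check_compliance(policy, device):
    """Return the reasons a device violates a policy; an empty list means compliant."""
    reasons = []
    if policy.hardware and device.hardware not in policy.hardware:
        reasons.append(f"hardware {device.hardware!r} is not one of the required products")
    for m in sorted(policy.modules - device.modules):
        reasons.append(f"required module {m!r} is missing")
    for s in sorted(policy.required_software - device.software):
        reasons.append(f"required software {s!r} is missing")
    for s in sorted(policy.prohibited_software & device.software):
        reasons.append(f"prohibited software {s!r} is installed")
    return reasons

def evaluate(policies, devices, assignments):
    """assignments maps device_id -> policy names associated via INVENTORY/DEVICES.
    Default policies need no assignment and are checked against every device."""
    return {(d.device_id, p.name): check_compliance(p, d)
            for d in devices for p in policies
            if p.apply_to_all or p.name in assignments.get(d.device_id, ())}
# Constructed sample data: an operator-station policy plus a global prohibited-software policy.
OPS_POLICY = Policy("Operator Station", hardware={"Model A", "Model B"},
                    modules={"NIC-1"}, required_software={"HMI 4.2", "Firmware 2.1"})
GLOBAL_POLICY = Policy("No legacy software", apply_to_all=True,
                       prohibited_software={"Windows XP", "Adobe Flash Player"})
DEVICES = [
    Device("OS-01", "Model A", {"NIC-1"}, {"HMI 4.2", "Firmware 2.1"}),
    Device("OS-02", "Model A", {"NIC-1"}, {"HMI 4.2", "Firmware 2.0", "Adobe Flash Player"}),
    Device("PLC-07", "PLC-X", set(), {"Firmware 1.0"}),
]
RESULTS = evaluate([OPS_POLICY, GLOBAL_POLICY], DEVICES, {"OS-01": {"Operator Station"}, "OS-02": {"Operator Station"}})
```

Each non-empty list in RESULTS corresponds to the reasons shown in the device profile's Compliance section; the PLC is never evaluated against the operator-station policy because it was not associated with it.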
Using a reference system to define a policy
Sometimes you want to model a policy around an existing configuration. In this case you don't have to specify all the required software products etc. from scratch.
Instead, click on the Reference tab and select the device that shall act as the reference system. In the drop-down list that is opened after clicking the down arrow of the edit field, you can filter the device list by entering characters in the filter bar, as in the following example.
After having specified a reference system, hardware, modules, and required software will be set to the values of the reference system. You can still edit all lists to remove or add items.
If the configuration of your reference system has changed and you want to see the changes reflected in the baseline, you need to click the "Refresh" button next to the reference system's ID.
Associating a policy with devices
In order for a policy to become effective for any device you must associate it with the target devices. In order to do this, go to INVENTORY/DEVICES and select the device(s) you want to associate with the policy. Remember that you can select multiple devices using Shift-Left Click and Control-Left Click. Then click on "Edit".
Note: This step is not necessary for default policies that automatically apply to all devices.
Global (default) policies
Rather than assigning a policy to a number of devices, you can define default policies that automatically apply to all devices, without the need for individual assignment.
In order to auto-assign a policy to all devices, click the checkbox "Apply to all devices".
At this time, a default policy only makes sense for checking for prohibited software, since demanding the presence of a particular software or hardware product on all devices is rarely meaningful. But it does make a lot of sense to implement a default policy that fires on each device and detects unwanted software such as Windows XP or Adobe Flash Player.
Policy compliance in device profiles
After you have associated a device with a policy, a new Compliance section will appear in the device profile that informs you about
- the name of the policy that is associated with the device
- if the device is compliant with the policy or not
- any reasons for non-compliance.
In the following example, it is indicated that the device is non-compliant because it is running the wrong firmware version.
You can launch the profile of a policy by selecting the policy in the policy list and then clicking on "Profile", or by clicking on the policy's name in a device profile.
The policy profile contains all the information that you have specified in the policy definition. It also shows you which devices have been associated with this policy, and their compliance with the policy. An orange "X" tells you that a device is non-compliant. To find out the reason for non-compliance, click on the device ID of that device to launch the device profile.
Note: For default policies that apply to all devices, only non-compliant devices are listed.