Note: To edit policies you must have the Policy Editor license. Contact your account representative if you want to add this feature.
You create a custom policy by editing copies of built-in configuration policies or other custom policies. A policy consists of rules that may be organized within groups or sub-groups. You edit a custom policy to fit the requirements of your environment by changing the values required for compliance.
You can create a custom policy and then periodically check the settings to improve scan results or adapt to changing organizational requirements.
For example, suppose you need a different way to present vulnerability data so that you can show compliance percentages to your auditors. You could create a custom policy that tracks a single vulnerability to measure the risk over time and show improvement, or one that shows what percentage of computers are compliant for a specific vulnerability.
There are two policy types:
Policy Manager is a license-enabled scanning feature that performs checks for compliance with United States Government Configuration Baseline (USGCB) policies, Center for Internet Security (CIS) benchmarks, and Federal Desktop Core Configuration (FDCC) policies.
You can determine which policies are editable (custom) in the Policy Listing table on the Policies page. The Source column shows whether each policy is built-in or custom. The Copy, Edit, and Delete buttons appear only for custom policies, and only for users with the Manage Policies permission.
Policy — viewing the policy source column
You can edit policies during a scan without affecting your results. While you modify policies, manual or scheduled scans that are in progress, and paused scans that are resumed, use the policy configuration settings that were in effect when the scan initially launched. Changes saved to a custom policy are applied during the next scheduled scan or a subsequent manual scan.
If your session times out when you try to save a policy, re-establish a session and then save your changes to the policy.
Note: To edit policies, you need Manage Policies permissions. Contact your administrator about your user permissions.
The following section demonstrates how to edit the different items in a custom policy. You can edit the following items:
To create an editable policy, complete these steps:
Policy — copying a built-in policy
The application creates a copy of the policy.
Policy — creating a custom policy
Policy Editor — editing custom policy name and description
The Policy Configuration panel displays the groups and rules in item order for the selected policy. By opening the groups, you drill down to an individual group or rule in a policy.
Policy — viewing the policy hierarchy
To view policy hierarchy for password rules, complete these steps:
Policy — clicking View to display the policy
Use the policy Find box to locate a specific rule. See Using policy find.
Policy — viewing the policy hierarchy
For example, your organization has specific requirements for password compliance. Select the Password Complexity rule to view the checks used during a scan to verify password compliance. If your organization's policy does not enforce strong passwords, you can change the value to Disabled.
Use the policy find box to quickly locate the policy item that you want to modify.
Policy — typing search criteria
For example, type IPv6 to locate all policy items that contain that text. Click the Up and Down arrows to display the next or previous instance of IPv6 found by the policy find.
To find an item in a policy, complete these steps:
For example, type password.
As you type, the application searches the policy hierarchy and highlights all matches.
Policy — browsing find results
You modify the group Name and Description to change the description of the items that you customized. The policy find uses this text to locate items in the policy hierarchy. See Using policy find.
Policy — editing group name or description
You select a group in the policy hierarchy to display its details. You can modify this text to identify which groups contain modified (custom) rules and to add a description of what type of changes were made.
You can modify policy rules to get different scan results. You select a rule in the Policy Configuration hierarchy to see the list of editable checks and values related to that rule.
To edit a rule value, complete these steps:
The rule details display.
Policy — selecting a rule
(Optional) Customize the Name and Description for your organization. Text in the Name is used by policy find. See Using policy find.
Policy — modifying rule values
Refer to the guidelines for the check to determine which value to apply to get the correct result.
For example, disable the Use FIPS compliant algorithms for encryption, hashing and signing rule by typing ‘0’ in the text box.
Policy — disabling a rule
For example, change the Behavior of the elevation prompt for administrators in Admin Approval Mode check by typing a value for the total seconds. The guidelines list the options for each value.
Policy — entering the value for a check option
Note: To enable or disable policy rules, you need Manage Policies permissions. Contact your administrator about your user permissions.
You can enable or disable a group of rules or specific rules within a custom policy.
To enable or disable policy rules, complete these steps:
The Policy Configuration page displays. Green toggles indicate enabled rules; gray toggles indicate disabled rules.
Policy — enabling or disabling rules
Changes become effective in the next scan.
Note: At least one rule must be enabled to save a policy.
Notes about enabling or disabling rules:
Note: To delete policies, you need Manage Policies permissions. Contact your administrator about your user permissions.
You can remove custom policies that you no longer use. When you delete a policy, all scan data related to that policy is removed. The policy must be removed from scan templates and report configurations before you delete it.
Click Delete for the custom policy that you want to remove.
If you try to delete a policy while a scan is running, a warning message displays indicating that the policy cannot be deleted.
Note: To perform policy checks in scans, make sure that your Scan Engines are updated to the August 8, 2012 release.
You add custom policies to scan templates to apply your modifications across your sites. The Policy Manager list in the scan template contains the custom policies.
Policy — enabling a custom policy in the scan template
Click Custom Policies to display the custom policies. Select the custom policies to add.