Working With A Policy

 

When an existing policy is selected in the Policy & Compliance list, its details are displayed on the right side of the window. For example, here are the details of a policy called Sample Policy.

 

[Image: details of Sample Policy]

 

The details for every policy share the following common elements:

 

Tip: To view the policy checks currently included in the policy you are viewing, select Policy Checks. All checks currently in the policy are displayed in the upper-right pane. To view all available checks regardless of whether they are contained in the policy, select one of the groups/frameworks described above.

For details on modifying a policy definition, see Configuring A Policy.

[Image: Begin Scan button]

 

The Begin Scan button is used to begin a scan of the machine group specified in the Scan Machine Group box.

 

[Image: Scan Machine Group box]

 

The Scan Machine Group box enables you to select the machine group you want to scan.

[Image: Select Patch Group box]

Enables you to select the group of patches you want the program to use when evaluating the Patch Management: Percent Patches Deployed policy check. This check is available within the following policy frameworks:

  • Category: Best Practices: Malicious Code Protection

  • NIST 800-53: CM-1 Configuration Management Policy and Procedures, CM-3 Configuration Change Control, SI-2 Flaw Remediation, and SI-3 Malicious Code Protection

  • PCI DSS 1.1, 1.2, and 2.0: 2.2.3 Configure system security parameters to prevent misuse, and 6.3.1 Testing of all security patches and system and software configuration changes before deployment.

If the Patch Management: Percent Patches Deployed policy check is not used in the new policy, the Patch Groups option is simply ignored.

The selectable patch groups are defined within VMware vCenter Protect, a patch management product. If the VMware vCenter Protect database is unavailable, then no patch groups will be selectable. See Configuring Access to the Protect database for information on defining the path to the VMware vCenter Protect database.

The default value is (all). This means that all patches are used when determining a value for the Patch Management: Percent Patches Deployed policy check (as opposed to requiring just the patches specified within a patch group).

Compliance information pertaining to the specified patch group is displayed in the scan results.

 

[Image: Select Signature Group box]

Note: This option does not apply if you are using VMware vCenter Protect 7.0 or later.

Enables you to select the group of signatures you want the program to use when evaluating the Spyware Management: Percent Signatures Remediated policy check. This check is available within the following policy frameworks:

  • Category: Best Practices: Malicious Code Protection

  • NIST 800-53: SI-3 Malicious Code Protection

  • PCI DSS 1.1, 1.2, and 2.0: 2.2.3 Configure system security parameters to prevent misuse

If the Spyware Management: Percent Signatures Remediated policy check is not used in the new policy, the Signature Groups option is simply ignored.

The selectable signature groups are defined within VMware vCenter Protect, a spyware management product. If the VMware vCenter Protect database is unavailable, then no signature groups will be selectable. See Configuring Access to the Protect database for information on defining the path to the VMware vCenter Protect database.

The default value is (all). This means that all signatures are used when determining a value for the Spyware Management: Percent Signatures Remediated policy check (as opposed to requiring just the signatures specified within a signature group).

Compliance information pertaining to the specified signature group is displayed in the scan results.

 

[Image: Add/Edit Comment link]

The Add/Edit Comment link enables you to provide a description that explains the purpose of the policy.

 

Tip: You can also right-click a policy check in the top right-hand pane to access these menu items.

Add Selected Checks

Adds the selected policy checks to the policy. You can also double-click a policy check to add it to the policy.

 

Remove Selected Checks

Removes the selected policy checks from the policy. You can also double-click a policy check to remove it from the policy.

Select All

Selects all of the policy checks in the upper-right pane.

 

Unselect All

Clears all of the policy checks in the upper-right pane.

 

Delete Policy

Deletes the policy.

Export Policy

Exports the policy to an XML file.

Export Policy Changes

Exports to an XML file the changes that have been made to a policy. See Exporting Policy Changes for more details.

Add Custom Check

Launches the Custom Check Wizard, which enables you to create your own custom policy checks. See Creating Custom Checks for more details.

Edit Custom Check

Launches the Custom Check Wizard, which enables you to edit the selected custom policy check. See Creating Custom Checks for more details.