6.1 Understanding Policies

Policies identify the monitoring target, and then let you refine the policy with any combination of the following:

  • Add filters to narrow the monitoring target and the results more precisely

  • Define the managed users for the monitored activity

  • Specify the event severity assigned to events that match the policy, either a custom (constant) value or automatic calculation

  • Assign event contexts to categorize the policy

Each Change Guardian module includes several policy types for the platform it supports.

Policy sets You can combine multiple policies from one or more modules into a policy set so that you can organize and manage the monitoring for a specific use case. A policy can belong to multiple policy sets, which reduces the total number of policies you need in the system.

NOTE: Event Severity is always calculated automatically for Security Agent for UNIX events, including events generated by policies that are configured with a custom severity.

6.1.1 Understanding Policy Attributes

Policy attributes provide the granular details of a policy, such as its purpose, event severity, and managed (authorized) users.

Event Severity When you create or edit a policy, you can specify a constant event severity level or let Change Guardian calculate the severity automatically. If you set Severity to Automatic, Change Guardian calculates it from whether the user who made the change is an authorized (managed) user and whether the action succeeded:

  • Sev 5: Unauthorized user, successful action

  • Sev 4: Unauthorized user, failed action

  • Sev 3: Authorized user, failed action

  • Sev 2: Authorized user, successful action

  • Sev 0 or 1: System events

Managed User When you create or edit a policy, the Managed Events section lets you specify the managed users for that policy. Managed users are the users who are allowed to make the changes to the asset that the policy monitors. Changes made by managed users generate managed change events; with automatic severity, changes made by any other (unauthorized) user receive severity 4 or 5.

If you specify a user group as a managed user, Change Guardian synchronizes the policy with the current group members as the group membership changes. For more information, see Configuring LDAP.

Event Context When you create or edit a policy, use the Event Context section to categorize the policy and specify its purpose. Generated events include the event contexts you specify. You can select one or more of the following default event contexts:

  • Risk Domain: Select a specific value, or create your own.

  • Risk: Select a specific value, or create your own.

  • Sensitivity: Select a specific value, or create your own.

  • Regulation/Policy: Select a specific value, or create your own.

  • Control/Classification: Create your own user-defined value.

  • Response Window: Create your own user-defined value.

You can also create new event contexts with user-defined values.

LDAP Settings Change Guardian uses LDAP to expand each user group in a policy into the list of its members. For example, if a policy monitors Group A, LDAP lets Change Guardian attribute activity to the individual users in Group A. When the policy generates an event, the event includes the name of the user who performed the change.

You must configure LDAP settings for every grouped resource you intend to monitor. If you specify a grouped resource in a policy without configuring LDAP settings for it, the Policy Editor still submits the policy to the Change Guardian server, but the policy cannot monitor the group members correctly. You can also browse Active Directory to select items for use in a policy.
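The managed-user evaluation, the automatic severity scheme from Section 6.1.1, and the LDAP group expansion described above, as a small added model. This is illustration only, not Change Guardian's code: a constructed in-memory directory stands in for the LDAP settings, the "group:" prefix marks group entries, the Event.source value "unix" models Security Agent for UNIX events, and the UnresolvedGroup error is this model's way of surfacing a group that has no LDAP data. System events are modelled as severity 0 (the product uses 0 or 1).

```python
"""Model of how a policy classifies a change and assigns its severity.

Added illustration only; this is not Change Guardian's code. A constructed
directory dict stands in for the LDAP settings, and the "group:" prefix,
the Event.source field and UnresolvedGroup are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Policy:
    name: str
    managed: FrozenSet[str]            # user names and "group:<name>" entries
    severity: Optional[int] = None     # None = Automatic, otherwise a constant


@dataclass(frozen=True)
class Event:
    user: str
    succeeded: bool
    source: str = "windows"   # "unix" models Security Agent for UNIX (assumption)
    system: bool = False      # system event rather than a user action


class UnresolvedGroup(Exception):
    """A policy names a group for which no LDAP (directory) data exists."""


def expand_groups(principals: Iterable[str], directory: Dict[str, List[str]]) -> Set[str]:
    """Expand group entries into individual user names.

    Follows nested groups and tolerates membership cycles. A group that is
    absent from the directory is the 'LDAP not configured' case: rather than
    silently treating the group name as a user, the model refuses it.
    """
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = list(principals)
    while stack:
        p = stack.pop()
        if not p.startswith("group:"):
            users.add(p)
            continue
        if p in seen:
            continue                       # cycle or duplicate, already expanded
        seen.add(p)
        if p not in directory:
            raise UnresolvedGroup(p)
        stack.extend(directory[p])
    return users


def automatic_severity(event: Event, managed_users: Set[str]) -> int:
    """Severity scheme from Section 6.1.1 (system events modelled as 0)."""
    if event.system:
        return 0
    authorized = event.user in managed_users
    if not authorized:
        return 5 if event.succeeded else 4
    return 2 if event.succeeded else 3


def evaluate(policy: Policy, event: Event, directory: Dict[str, List[str]]) -> dict:
    """Classify one event against one policy.

    Groups are re-expanded on every call, so a change in directory membership
    is reflected immediately, mirroring the 'synchronizes with the new group
    members' behaviour described for managed user groups.
    """
    managed_users = expand_groups(policy.managed, directory)
    managed_change = event.user in managed_users
    # A custom severity is honoured except for UNIX agent events, which are
    # always calculated automatically (NOTE in Section 6.1).
    if policy.severity is None or event.source == "unix":
        severity = automatic_severity(event, managed_users)
    else:
        severity = policy.severity
    return {
        "policy": policy.name,
        "user": event.user,
        "managed_change": managed_change,
        "severity": severity,
    }


# Constructed sample directory standing in for LDAP group data.
DIRECTORY: Dict[str, List[str]] = {
    "group:Group A": ["alice", "bob", "group:Group B"],
    "group:Group B": ["dave", "group:Group A"],   # nested and cyclic on purpose
}

SUDOERS_POLICY = Policy("Monitor /etc/sudoers", frozenset({"group:Group A", "root"}))


if __name__ == "__main__":
    for ev in (Event("alice", True), Event("mallory", True), Event("dave", False)):
        print(evaluate(SUDOERS_POLICY, ev, DIRECTORY))
    try:
        evaluate(Policy("Finance share", frozenset({"group:Finance"})), Event("alice", True), DIRECTORY)
    except UnresolvedGroup as exc:
        print("policy cannot be evaluated, no LDAP data for", exc)
```

The point of the model is the two failure modes a practitioner should check for: a group named in a policy without matching LDAP settings (here it raises rather than quietly demoting every member to an unauthorized user, which would push their changes to severity 4 or 5), and a custom severity that does not apply to UNIX agent events.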