6.3 Working with Policies

Change Guardian stores the policies in the Change Guardian policy repository. You can assign policies to assets or asset groups.

After creating a policy, you can perform various activities such as clone a policy, assign the policy to an asset, and schedule policy monitoring. While working with policies, ensure that you follow the order specified below:

  1. Submit a policy or make the policy available by cloning from a template

  2. Enable the policy

  3. Assign a policy revision to an asset or asset group

This section provides the following information:

6.3.1 Cloning a Change Guardian Policy

Cloning a policy allows you to create a policy based on an existing policy and then make changes as required. By default, Change Guardian uses the latest revision of the selected policy when creating a clone. You can also select a specific policy revision.

Cloning a Template

Policy templates provide examples of best configured policies that you can reuse. Applying a policy template from the platform template library clones the policy into your active policy area. Edit the criteria to specify the assets and files to be monitored.

To clone from a template:

  1. In Policy Editor, under the desired application, select the template you want to apply.

  2. Specify the required information, and click Submit.

  3. (Conditional) If you want to enable the policy immediately, select Enable this policy revision now.

    NOTE:For more information about enabling a policy, see Enabling a Change Guardian Policy Revision.

6.3.2 Creating Change Guardian Policy Sets

If you add a policy to a policy set that contains multiple asset types, the policy applies only to the applicable assets. For example, if you apply a UNIX policy to a policy set that contains Windows and UNIX assets, the policy applies to UNIX assets only.

Use the Policy Set Manager to add, edit, or clone policy sets. To open Policy Set Manager, click Change Guardian > Policy Set Manager.

6.3.3 Assigning Policies and Policy Sets

When you select an asset or asset group in Policy Editor, you can view the policies and policy sets assigned to it. You can assign additional policies and policy sets to an asset.

To assign a policy or policy set to an asset:

  1. Click Change Guardian > Policy Assignment.

  2. Select an asset or asset group, and click Assign Policies.

  3. Select a policy set or policy, and click Apply.

    NOTE:You cannot assign policies using Asset Groups for the following asset types: Azure AD, AWS for IAM, Dell EMC, Microsoft Exchange, Microsoft Office 365, and NetApp.

You can edit an existing policy or policy set from the way it was assigned. For example, if you want to add an event destination to a policy that was assigned using policy set, you can edit it in the policy set only. This also applies to group assignments.

6.3.4 Enabling a Change Guardian Policy Revision

When you change a policy, Change Guardian creates a new revision of that policy. Policy revisions allow you to keep and share work that is in progress. You can view all policy revisions and the version number of the currently enabled policy in Policy Editor. You can edit and enable a previous revision of a policy.

To enable an older revision:

  1. Select the desired policy under the application name.

  2. On the History tab, enable the required policy revision.

  3. Assign the policy to assets or asset groups.

NOTE:If you update the revision of a policy that is already assigned, Change Guardian automatically updates all associated assets with the new revision of that policy.

6.3.5 Exporting and Importing Change Guardian Policies

Change Guardian allows you to export a policy to a .xml file. You can import that policy as a new policy. You can also modify an imported policy to create a new policy with a similar definition. You can export one policy at a time, however, you can import multiple policies at a time.

To export a policy:

  1. In Policy Editor, navigate to the policy that you want to export.

  2. Right-click the policy, and select Export.

To import a policy:

  1. In Policy Editor, click Settings > Import Policies.

  2. Select the required.xml file, and click Open.

6.3.6 Assigning Event Destinations to Change Guardian Policies

When you create a policy, it automatically uses the default event destination. If you want to send event data to another destination, add an event destination to the policy or policy set. You can use the new event destination along with the default event destination or replace it. The updated event destination takes effect when the asset receives the updated policy information at the next heartbeat.

To assign event destinations to a policy:

  1. In Policy Editor, click Change Guardian > Policy Assignment.

  2. Select an asset or asset group, and click Assign Policies.

  3. Select a policy set or policy, and click Advanced.

  4. Select one or more event destinations to assign to the specified policy or policy set.

For information about creating event destinations, see Creating Event Destinations.

6.3.7 Scheduling Change Guardian Policy Monitoring

Change Guardian policies monitor assets and asset groups continuously. A monitoring schedule allows you to define specific times at which a policy or policy set monitors assets and asset groups. For example, you can suspend monitoring during scheduled maintenance times, which eliminates events generated as a result of the maintenance. When you assign a policy or policy set to an asset or asset group, you can attach a monitoring schedule.

To create a monitoring schedule, in Policy Editor, click Settings > Schedule Monitoring Time. You can set the following schedule during which you want to suspend monitoring: Mondays from 3-5 p.m. and Tuesdays from 4-6 p.m.