4.3 Running Security Checks and Policy Templates

When you run a security check or policy template, Secure Configuration Manager compares all the endpoints you specify to all the preferred security settings listed in the security checks. When running a policy template against a group of endpoints, Secure Configuration Manager checks each endpoint in the group for each security check in the policy template. Secure Configuration Manager runs only the security checks that apply to the endpoint type. For example, security checks related to Active Directory run only on Windows computers.

You can run security checks and policy templates at any time. If you want to gather data for a specific period of time, you can run reports from the database rather than from the agent computer. The database maintains results from previous runs of each security check and policy template. If you want to detect changes to systems in your enterprise and ensure a positive trend for compliance with your organizational security policies, you can schedule policy templates to run on a regular basis. You can compare results for each run using the delta report function. For more information about gathering security check or policy template data from the database, see Section 4.3.1, Running Reports from the Database. For more information about delta reporting, see Section 5.3, Comparing Report Results. For more information about scheduling, see Section 4.3.2, Scheduling a Policy Template Run.

If you do not know which policy templates or security checks you want to run, you can initiate a search based on several criteria. For example, you can search for policy templates based on keywords in the name or description, or in the name, description, or explanation of the security checks in the template. You can also search for security checks based on keyword, platform, category, and other criteria.

The time it takes to run a security check or policy template varies, depending on the number of checks and endpoints you select. Ensure that the job is complete before you view the resulting report in the Completed jobs queue. You can print or distribute the completed report to present compliance status results or to use as a remediation checklist. For more information about completed reports, see Section 4.5, Viewing Report Results. For more information about distributing a copy of the report, see Section 4.4, Enabling Report Distribution.

To run a policy template, your console user account needs the Run Policy Template permission. To run a security check, your console user account must have the Run Security Checks permission. For more information, see Section 3.6, Managing Permissions.

4.3.1 Running Reports from the Database

Secure Configuration Manager provides the Run from Database option for creating an aggregated report about your assets. When you run a security check or policy template, Secure Configuration Manager compiles the results into a report. Each run against your endpoints adds a unique report to the Completed jobs queue and updates the database. The Run from Database option enables you to collect the results from multiple runs into one report. The database always provides the results for the most recent run of the selected policy template or security check during the time period you specify for the aggregated results.

Running reports from the database can be beneficial in certain circumstances. For example, you have a large environment with assets in Texas, New York, and Florida. You organized your assets into managed groups to represent the regional areas. Then you scheduled a CIS Benchmark policy template to run against each of the groups every Friday night at staggered times. This means you have a separate report for each group. However, management wants to review the status of the systems in Texas, Florida, and New York as a whole. You can use the Run from Database option to aggregate the policy template results into a single report.

In a different scenario, you run a policy template against a group of endpoints. The report lists some endpoints as failed, indicating that they might have been offline. You run the template again for the failed endpoints. You now have separate reports for the same policy template and the same group of endpoints. Once you are satisfied you have results for all endpoints, you can run the template against the database for an aggregated report.

NOTE: The Run from Database option applies only to multiple runs of the same security check or policy template. Each run must use identical parameter settings to ensure accurate reporting.

For more information about running reports from the database, see the Help in the Run Security Check and Run Policy Template wizards.
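The aggregation rule described above (most recent result per endpoint within the time window, identical parameter settings across runs), worked through on constructed data as an added example; this is not Secure Configuration Manager code, and the RunResult record and field names are assumptions that stand in for the product's actual database schema:

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class RunResult:
    """One stored row: a single endpoint's outcome from one template run."""
    template: str
    endpoint: str
    group: str
    ran_at: datetime
    parameters: tuple    # sorted (name, value) pairs the run was started with
    status: str          # "pass", "fail", or "offline"

def run_from_database(results, template, start, end):
    """Aggregate stored results the way the Run from Database option is
    described: select every run of `template` inside [start, end], require
    identical parameter settings across them, and keep only the most recent
    row for each endpoint."""
    in_window = [r for r in results
                 if r.template == template and start <= r.ran_at <= end]
    if not in_window:
        return {}
    if len({r.parameters for r in in_window}) > 1:
        raise ValueError("runs in the window used different parameter settings")
    latest = {}
    for r in sorted(in_window, key=lambda r: r.ran_at):
        latest[r.endpoint] = r    # a later run overwrites an earlier one
    return latest

# Constructed sample: staggered Friday-night runs against three regional
# groups, then a Saturday re-run for the one Texas endpoint that was offline.
PARAMS = (("Exclusion List", "ServiceAccounts"),)
SAMPLE = [
    RunResult("CIS Benchmark", "tx-srv-01", "Texas", datetime(2024, 5, 3, 22, 0), PARAMS, "pass"),
    RunResult("CIS Benchmark", "tx-srv-02", "Texas", datetime(2024, 5, 3, 22, 0), PARAMS, "offline"),
    RunResult("CIS Benchmark", "ny-srv-01", "New York", datetime(2024, 5, 3, 23, 0), PARAMS, "fail"),
    RunResult("CIS Benchmark", "fl-srv-01", "Florida", datetime(2024, 5, 4, 0, 0), PARAMS, "pass"),
    RunResult("CIS Benchmark", "tx-srv-02", "Texas", datetime(2024, 5, 4, 9, 0), PARAMS, "fail"),
]

def aggregated_statuses(results=SAMPLE):
    """Status per endpoint for the whole enterprise, drawn from the sample window."""
    report = run_from_database(results, "CIS Benchmark",
                               datetime(2024, 5, 3), datetime(2024, 5, 5))
    return {ep: r.status for ep, r in sorted(report.items())}

if __name__ == "__main__":
    for endpoint, status in aggregated_statuses().items():
        print(f"{endpoint}: {status}")
```

The re-run row for tx-srv-02 replaces its earlier "offline" result, which is why the note above insists on identical parameters: mixing runs with different settings would silently merge incomparable results.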

4.3.2 Scheduling a Policy Template Run

If you want Secure Configuration Manager to continuously assess your IT environment, you can regularly run a policy template against the same endpoint or group of endpoints. To schedule a policy template run, use the Schedule tab in the Run Policy Template wizard. When you schedule a run, you can instruct Secure Configuration Manager to include a delta report that compares the current results to a previous run. For more information about running a policy template, see Section 4.3, Running Security Checks and Policy Templates. For more information about delta reporting, see Section 5.3.2, Comparing Policy Template Results.

Once you have scheduled a policy template, you can update the schedule properties using the Schedule Jobs wizard. If you are a console administrator, you can also reassign the owner of a scheduled policy template. For more information about console roles, see Section 3.5, Managing Roles.

4.3.3 Excluding Values from a Run

Many security checks in Secure Configuration Manager return a set of results containing multiple rows of data. When you run a policy template with many security checks, the resulting list of returned rows can be difficult to review. If you want to exclude some values from the returned results, use a saved list. Saved lists are lists of values that you can reuse in security checks as a filter or exclusion list. Saved lists can include values such as user names, file names, registry keys, ports, or services. For example, administrators often exclude user accounts such as SYS, SYSDBA, sa, and root from security checks. You can create a saved list that includes these user accounts, and use the saved list to filter the user accounts from the security check results. You can also have a list of values you want to include in checks, such as a specific list of files and directories.

NOTE: Saved lists do not support wildcard characters.

You can use any saved list you create in any security check that provides an Exclusion List or Inclusion List parameter. As you update your inventory and security policies, you can revise the saved lists used in your security checks. You cannot delete saved lists that are part of a security check. Refer to the following table when assigning permissions to console users who work with saved lists.

User activity          Required permission
Create a saved list    New Saved List
Edit a saved list      Edit Saved List
Delete a saved list    Delete Saved List
Import a saved list    Import Saved List
Export a saved list    Export Saved List

For more information about importing saved lists, see Importing Saved Lists. For more information about exporting a saved list, see Exporting Saved Lists. For more information about assigning permissions, see Section 3.6, Managing Permissions.
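How a saved list behaves as an exclusion or inclusion filter over multi-row check results, including the literal (no wildcard) matching the note above calls out, shown as an added example on constructed rows; this is not the product's own filtering code, and the row layout and the mode and column names are assumptions:

```python
def apply_saved_list(rows, saved_list, mode, column):
    """Filter multi-row security check results with a saved list.

    mode="exclude" drops rows whose value in `column` is in the list;
    mode="include" keeps only rows whose value is in the list.
    Matching is literal, as saved lists do not support wildcards: an
    entry such as "sa*" matches only a value that is exactly "sa*".
    """
    values = set(saved_list)
    if mode == "exclude":
        return [r for r in rows if r[column] not in values]
    if mode == "include":
        return [r for r in rows if r[column] in values]
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample: rows returned by a privileged-account check.
ROWS = [
    {"endpoint": "db-01", "user": "SYS"},
    {"endpoint": "db-01", "user": "SYSDBA"},
    {"endpoint": "db-01", "user": "jsmith"},
    {"endpoint": "sql-01", "user": "sa"},
    {"endpoint": "sql-01", "user": "sadmin"},
    {"endpoint": "nix-01", "user": "root"},
]
# The built-in accounts administrators commonly exclude, as one saved list.
BUILTIN_ACCOUNTS = ["SYS", "SYSDBA", "sa", "root"]

def remaining_users(rows=ROWS, saved_list=BUILTIN_ACCOUNTS):
    """Users left for review after the built-in accounts are excluded."""
    return [r["user"] for r in apply_saved_list(rows, saved_list, "exclude", "user")]

def wildcard_entry_is_literal(rows=ROWS):
    """A "sa*" entry excludes nothing: neither "sa" nor "sadmin" equals "sa*"."""
    return [r["user"] for r in apply_saved_list(rows, ["sa*"], "exclude", "user")]

def included_users(rows=ROWS, saved_list=BUILTIN_ACCOUNTS):
    """The same list used as an inclusion list keeps only the listed accounts."""
    return [r["user"] for r in apply_saved_list(rows, saved_list, "include", "user")]
```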

Using Saved Lists in an Existing Security Check

You can use saved lists to exclude or include values from existing security checks when you run those checks. If you have values in an exclusion or inclusion list that you entered in a previous version of Secure Configuration Manager, you can easily migrate those values to be part of a saved list.

To use a saved list as a list in a security check:

  1. In the left pane, click Security Knowledge.

  2. In the Security Knowledge tree pane, expand Security Checks > NetIQ Checks.

  3. Expand the platform folder and select the category folder that contains the check that you want to run.

  4. In the content pane, right-click the security check that you want to run, and then click Run Security Check.

  5. On the Parameters window, click Exclusion List or Inclusion List, depending on the check.

  6. Type the name of the saved list or click the button at the end of the Exclusion List or Inclusion List line, and then select the saved list whose entries you want to exclude from or include in the security check.

  7. Follow the instructions in the wizard to run the report.

Importing Saved Lists

You can import saved lists to use in Secure Configuration Manager. If a saved list with the same name already exists, Secure Configuration Manager gives you the option to overwrite the existing saved list. For example, your organization might have a technical security specification that includes a list of files to secure through appropriate file permissions. You can create a saved list by copying the list of files from the technical specification to a text file, and then importing the text file.

To import a saved list, your console user account needs the Import Saved List permission. For more information, see Section 3.6, Managing Permissions.

To import a saved list:

  1. In the left pane, click Exception Management.

  2. In the Exception Management tree pane, right-click Saved Lists, and then click Import.

  3. Select the saved list file you want to import and click Open.

Exporting Saved Lists

After you have created saved lists, you can export those saved lists as XML-formatted files with an .slt extension. For example, you can run a report of powerful users and export the list to a file. You can then create a saved list to use the powerful users in other queries as either an inclusion or exclusion list.

To export a saved list, your console user account needs the Export Saved List permission. For more information, see Section 3.6, Managing Permissions.

To export a saved list:

  1. In the left pane, click Exception Management.

  2. In the Exception Management tree pane, select Saved Lists.

  3. Right-click the saved list that you want to export, and then click Export.

  4. Enter a file name for the saved list and click Save.

4.3.4 Running Network Device Security Checks