5.2 Excluding Data from Report Results

Secure Configuration Manager enables you to create temporary waivers, or exceptions, to prevent conditions from causing a violation in the reported results for a security check in a policy template. Typically, you create an exception when you do not want a particular violation to display in the report, or when you want to prevent a particular security check from running for an endpoint or a group of endpoints. For example, if a server in your environment is currently undergoing maintenance, you might want to create an exception to suspend monitoring that server with certain security checks.

Secure Configuration Manager applies exceptions consistently. If you create an exception for a security check within a policy template, Secure Configuration Manager applies that exception to all other runs of that policy template where the same violation is returned or the same security check runs for that endpoint or group of endpoints. Exceptions continue to affect the total risk score for an endpoint, even when the violation is excluded.

NOTE: You can also use a saved list to filter returned values from a security check run. For more information about using saved lists, see Section 4.3.3, Excluding Values from a Run.

In Secure Configuration Manager, you create an exception from a report that contains it, and you need a report that includes the exception to edit the exception later. If you delete all reports that include a particular exception, you cannot edit the exception. To edit the exception, you must run a new report that includes the exception.

When you create an exception, you can assign a reason code to explain why you created the exception. For example, a reason code of Mitigated Risk means the risk is no longer present. You can also specify the reason code of Accept Risk, which indicates the risk is still present but acceptable. You can create your own reason codes to explain why you created the exception. For more information about reason codes for exceptions, see the Help.

Secure Configuration Manager also gives you the option to require approvals for exceptions before applying them to a security check in a policy template or to an endpoint or group of endpoints. This option facilitates a secure method of managing the exception review and approval process.

Refer to the following table when assigning permissions to console users who work with exceptions.

User activity                       | Required permission
------------------------------------|--------------------------------------
Create an exception                 | View Policy Template; New Exception
Apply an exception                  | Apply Exception
Approve or disapprove an exception  | Approve Exceptions
Edit an exception                   | View Policy Template; Edit Exception
Delete an exception                 | Delete Exception

For more information about assigning permissions, see Section 3.6, Managing Permissions.

5.2.1 Exceptions for Security Checks

Secure Configuration Manager applies exceptions to security checks when the combination of the selected security check and the selected endpoint or group of endpoints occurs within the policy template. You can create an exception from a security check in the Data View tree pane of the Report Viewer, or from any of the rows in the Data View right pane of the Report Viewer.

When you create an exception for a security check, you have the option to except all data returned by the security check for the selected endpoints or group of endpoints, or to except specific data returned by the security check.

5.2.2 Exceptions for Endpoints and Groups

You can create exceptions for endpoints or groups of endpoints in several ways. Secure Configuration Manager can except an endpoint or group of endpoints across your environment, regardless of the policy template or security checks run for the endpoint. You can also create an exception for an endpoint for a specific policy template. When you create an exception in a completed report, you must start by selecting a single endpoint or the endpoint group. You can also except additional endpoints for which the report was run. For more information, see Section 5.2.3, Creating an Exception.

5.2.3 Creating an Exception

In addition to excepting a specific endpoint, a group of endpoints, or a security check, you can create exceptions for a combination of row and column data in a security check. The information per column and row varies by security check and endpoint type. For example, you can except an endpoint whose account status is disabled for the Accounts That Have Never Logged In security check.

NOTE: If you create a check with a unique count, simple value, or single value scoring type and then apply exceptions for row or column data, such as one data point in the check, Secure Configuration Manager might return unexpected managed risk and excepted risk scores. For more information about scoring security check violations, see Section 6.3, Understanding Risk Scoring.

To create an exception, your console user account needs the View Policy Template and New Exception permissions. For more information, see Section 3.6, Managing Permissions.

To create an exception:

  1. Open the report for which you want to create an exception.

  2. Click the Data View tab.

  3. (Conditional) To except a security check, complete the following steps:

    1. Expand Security Checks in the tree pane, and then expand the security check that you want to except from the report results.

    2. Right-click any endpoint listed under the security check, and then click Create Exception.

  4. (Conditional) To except an entire endpoint or a group of endpoints, complete the following steps:

    1. Expand Target Endpoints or Target Groups in the tree pane.

    2. Locate the endpoint or group of endpoints you want to except from the report results.

    3. Right-click the endpoint or group of endpoints, and then click Create Exception.

      NOTE: You can create an exception for either an individual endpoint or for a group of endpoints in a report. However, you cannot except both an endpoint and a group of endpoints in the same report at the same time.

  5. (Conditional) To except only one data point for an endpoint in a security check, complete the following steps:

    1. Expand Security Checks in the tree pane, and then select the security check.

    2. In the right pane, right-click the data point corresponding to the appropriate row and column you want to except from the security check, and then click Create Exception.

  6. (Conditional) To except multiple data points for an endpoint in a security check, complete the following steps:

    1. Select Security Checks in the tree pane.

    2. In the right pane, select the security check name or alias.

    3. Right-click the check name or alias, and then click Create Exception.

    4. On the Criteria tab, select where returned data matches ‘<returned data>’.

    5. Select ‘<returned data>’, then click the columns and rows you want to except from the report results.

  7. Follow the instructions in the wizard until you have finished creating the exception.

5.2.4 Enabling and Approving Exceptions

By default, Secure Configuration Manager allows you to apply exceptions to security check results or endpoints immediately. You can also require that exceptions receive approval before being applied to security check results, an endpoint, or a group of endpoints. This option gives you the flexibility to add an exception approval level to your change management workflow.

If you enable exception approvals, exceptions must be approved before you can apply them. To approve or disapprove exceptions, your console user account needs the Approve Exceptions permission. For more information about permissions, see Section 3.6, Managing Permissions.

To enable exception approvals:

  1. On the Core Services computer, start the Core Services Configuration Utility in the NetIQ Secure Configuration Manager program folder.

  2. On the Exception Approvals tab, select True in the Enable Exception Approvals field.

  3. Click OK to save the changes and close the Core Services Configuration Utility.

5.2.5 Applying Exceptions

You can apply approved exceptions to security check results, endpoints, or groups of endpoints. When you apply exceptions, the report returns to the Pending jobs queue. Once Secure Configuration Manager applies all exceptions to the report, the report moves to the Completed jobs queue.

To apply exceptions, your console user account needs the Apply Exceptions permission. For more information, see Section 3.6, Managing Permissions.

To apply exceptions:

  1. (Conditional) If you are currently viewing a completed report, click Apply Exceptions on the toolbar and click OK on the confirmation message.

  2. In the left pane, click Job Queues.

  3. In the Job Queues tree pane, select Completed.

  4. In the content pane, select the report to which you want to apply exceptions.

  5. Right-click the report, and then click Apply Exceptions.

  6. Click Yes.

5.2.6 Editing an Exception

As you update your inventory and security policies, you may need to revise the exceptions that you use when assessing your environment. To edit an exception, including all defined endpoints, endpoint groups, security checks, and policy templates, your console user account needs the View Policy Template and Edit Exception permissions. For more information, see Section 3.6, Managing Permissions.

NOTE:

  • You can update exception scheduling options and approval status through the Exception Management > Exceptions node in the tree pane.

  • When you edit an approved exception, it must be approved again before you can apply it to a security check, an endpoint, or a group of endpoints. However, until the edited exception is approved again, Secure Configuration Manager continues to apply the original exception.

5.2.7 Deleting an Exception

As you update your inventory and security policies, you may need to revise the exceptions that you use when assessing your environment. To delete an exception, your console user account needs the Delete Exception permission. For more information, see Section 3.6, Managing Permissions.

NOTE: When you delete an exception, Secure Configuration Manager does not automatically update the reports to which the exception is already applied. You must rerun the policy template to see results without the exception applied.

5.2.8 Listing Exceptions

The Admin Reports wizard lets you run reports to list Secure Configuration Manager administrative data. For example, you can list all exceptions created in the product, and then either print the administrative report or export it to a file. To run administrative reports, your console user account needs the Admin Reports permission. For more information, see Section 3.6, Managing Permissions.

To list exceptions:

  1. On the Tools menu, click Admin Reports Wizard.

  2. Select the Exceptions report.

  3. Follow the instructions until you have run the administrative report.

  4. (Optional) Print or export the report.