9.2 Excluding Data from Report Results

Secure Configuration Manager enables you to create temporary waivers, or exceptions, to prevent conditions from causing a violation in the reported results for a security check in a policy template. Typically, you create an exception when you do not want a particular violation to display in the report, or when you want to prevent a particular security check from running for an endpoint or a group of endpoints. For example, if a server in your environment is currently undergoing maintenance, you might want to create an exception to suspend monitoring that server with certain security checks.

Secure Configuration Manager applies exceptions consistently. If you create an exception for a security check within a policy template, Secure Configuration Manager applies that exception to all other runs of that policy template where the same violation is returned or the same security check runs for that endpoint or group of endpoints. Exceptions continue to affect the total risk score for an endpoint, even when the violation is excluded.

NOTE: You can also use a saved list to filter returned values from a security check run. For more information about using saved lists, see Excluding Values from a Run.

To create an exception in Secure Configuration Manager, you must base it on a report that contains the exception; editing the exception also requires such a report. If you delete all reports that include a particular exception, you cannot edit the exception until you run a new report that includes it.

When you create an exception, you can assign a reason code to explain why you created the exception. For example, a reason code of Mitigated Risk means the risk is no longer present. You can also specify the reason code of Accept Risk, which indicates the risk is still present but acceptable. You can create your own reason codes to explain why you created the exception. For more information about reason codes for exceptions, see the Help.

Secure Configuration Manager also gives you the option to require approvals for exceptions before applying them to a security check in a policy template or to an endpoint or group of endpoints. This option facilitates a secure method of managing the exception review and approval process.

Refer to the following table when assigning permissions to console users who work with exceptions.

User activity                         Required permission
--------------------------------------------------------------------------
Create an exception                   View Policy Template and New Exception
Apply an exception                    Apply Exception
Approve or disapprove an exception    Approve Exceptions
Edit an exception                     View Policy Template and Edit Exception
Delete an exception                   Delete Exception

For more information about assigning permissions, see Managing Permissions.

Regardless of whether you create and apply the exceptions in the Web console or Windows console, the assessment reports reflect the applied exceptions.

9.2.1 Exceptions for Security Checks

Secure Configuration Manager applies exceptions to security checks when the combination of the selected security check and the selected endpoint or group of endpoints occurs within the policy template.

Web Console - Creating Exceptions for Security Checks

When viewing an assessment report for a policy template run, you can select the security checks that you want to exclude from the report. The exception removes all data returned by the security check for the selected endpoint or group.

For more information, see the Help in the Web console.

Windows Console - Creating Exceptions for Security Checks

When you create an exception for a security check, you have the option to except all data returned by the security check for the selected endpoints or group of endpoints, or to except specific data returned by the security check.

You can create an exception from a security check in the Data View tree pane of the Report Viewer, or from any of the rows in the Data View right pane of the Report Viewer.

9.2.2 Exceptions for Endpoints and Groups

You can create exceptions for endpoints or groups of endpoints in both consoles.

Web Console - Creating Exceptions for Endpoints and Groups

You can create and apply exceptions for endpoints and groups in the following ways:

  • For individually run security checks

  • For security checks in a policy template run

For more information, see the Help in the Web console.

Windows Console - Creating Exceptions for Endpoints and Groups

You can except an endpoint or group of endpoints across your environment, regardless of the policy template or security checks run for the endpoint. You can also create an exception for an endpoint for a specific policy template. When you create an exception in a completed report, you must start by selecting a single endpoint or the endpoint group. You can also except additional endpoints for which the report was run. For more information, see Creating an Exception.

9.2.3 Enabling Exception Approvals

Available only in the Windows console.

By default, Secure Configuration Manager allows you to apply exceptions to security check results or endpoints immediately. You can also require that exceptions receive approval before being applied to security check results, an endpoint, or a group of endpoints. This option gives you the flexibility to add an exception approval level to your change management workflow.

  1. On the Core Services computer, start the Core Services Configuration Utility in the NetIQ Secure Configuration Manager program folder.

  2. Click Exception Approvals.

  3. Select True in the Enable Exception Approvals field.

  4. Click OK to save the changes and close the Core Services Configuration Utility.

9.2.4 Creating an Exception

You can create exceptions in both the Web and Windows consoles.

Web Console - Creating an Exception

When creating an exception, you can specify a reason for excepting that security check or endpoint. The Web console provides default reasons for the exception, or you can create your own. You can also specify the time frame during which the exception will be active.

For more information about creating an exception, see the Help in the Web console.

Windows Console - Creating an Exception

In addition to excepting a specific endpoint, a group of endpoints, or a security check, the Windows console enables you to create exceptions for a combination of row and column data in a security check. The information per column and row varies by security check and endpoint type. For example, you can except an endpoint whose account status is disabled for the Accounts That Have Never Logged In security check.

NOTE: If you create a check with a unique count, simple value, or single value scoring type and then apply exceptions for row or column data, such as one data point in the check, Secure Configuration Manager might return unexpected managed risk and excepted risk scores. For more information about scoring security check violations, see Understanding Risk Scoring.

To create an exception, your console user account needs the View Policy Template and New Exception permissions. For more information, see Managing Permissions.

  1. Open the report for which you want to create an exception.

  2. Click the Data View tab.

  3. (Conditional) To except a security check, complete the following steps:

    1. Expand Security Checks in the tree pane, and then expand the security check that you want to except from the report results.

    2. Right-click any endpoint listed under the security check, and then click Create Exception.

  4. (Conditional) To except an entire endpoint or a group of endpoints, complete the following steps:

    1. Expand Target Endpoints or Target Groups in the tree pane.

    2. Locate the endpoint or group of endpoints you want to except from the report results.

    3. Right-click the endpoint or group of endpoints, and then click Create Exception.

      NOTE: You can create an exception for either an individual endpoint or for a group of endpoints in a report. However, you cannot except both an endpoint and a group of endpoints in the same report at the same time.

  5. (Conditional) To except only one datapoint for an endpoint in a security check, complete the following steps:

    1. Expand Security Checks in the tree pane, and then select the security check.

    2. In the right pane, right-click the data point corresponding to the appropriate row and column you want to except from the security check, and then click Create Exception.

  6. (Conditional) To except multiple data points for an endpoint in a security check, complete the following steps:

    1. Select Security Checks in the tree pane.

    2. In the right pane, select the security check name or alias.

    3. Right-click the check name or alias, and then click Create Exception.

    4. On the Criteria tab, select where returned data matches ‘<returned data>’.

    5. Select ‘<returned data>’, then click the columns and rows you want to except from the report results.

  7. (Conditional) If you have enabled exception approvals in the Core Services Configuration Utility by performing the steps in Enabling Exception Approvals, select Needs Approval if you want the exception to be approved.

  8. Follow the instructions in the wizard until you have finished creating the exception.

9.2.5 Approving Exceptions

Available only in the Windows console.

If you enable exception approvals, exceptions must be approved before you can apply them.

If you have enabled exception approvals and have selected Needs Approval while creating the exception, a notification email is sent to users with the NetIQ Exception Approval Manager role. You will also receive an email notification, which specifies the status of the approval. When the approval status of the exception changes (for example, the exception is approved), you will receive another email notification specifying the change in the approval status.

9.2.6 Applying Exceptions

You can apply approved exceptions to security check results, endpoints, or groups of endpoints. In the Windows console, after you apply exceptions, the report returns to the Pending jobs queue.

To apply exceptions, your console user account needs the Apply Exceptions permission. For more information, see Managing Permissions.

Web Console - Applying Exceptions

After you create exceptions in an assessment report, you can immediately apply the exceptions. The Web console generates the report again. In Assessment Reports, you can see that the Exceptions column indicates Applied for the re-generated report.

For more information, see the Help in the Web console.

Windows Console - Applying Exceptions

  1. (Conditional) If you are currently viewing a completed report, click Apply Exceptions on the toolbar and click OK on the confirmation message.

  2. In the left pane, click Job Queues.

  3. In the Job Queues tree pane, select Completed.

  4. In the content pane, select the report to which you want to apply exceptions.

  5. Right-click the report, and then click Apply Exceptions.

  6. Click Yes.

    Once Secure Configuration Manager applies all exceptions to the report, the report moves to the Completed jobs queue.

9.2.7 Editing an Exception

Available only in the Windows console.

As you update your inventory and security policies, you may need to revise the exceptions that you use when assessing your environment. To edit an exception, including all defined endpoints, endpoint groups, security checks, and policy templates, your console user account needs the View Policy Template and Edit Exception permissions. For more information, see Managing Permissions.

NOTE:

  • You can update exception scheduling options and approval status through the Exception Management > Exceptions node in the tree pane.

  • When you edit an approved exception, it must be approved again before you can apply it to a security check, an endpoint, or a group of endpoints. However, until the edited exception is approved again, Secure Configuration Manager continues to apply the original exception.

9.2.8 Deleting an Exception

As you update your inventory and security policies, you may need to revise the exceptions that you use when assessing your environment. To delete an exception, your console user account needs the Delete Exception permission. For more information, see Managing Permissions.

NOTE: When you delete an exception, Secure Configuration Manager does not automatically update the reports to which the exception is already applied. You must rerun the policy template to see results without the exception applied.
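The approval, editing, application, and deletion rules described in 9.2.3 through 9.2.8 can be checked against a small model. The following Python is an added illustration, not Secure Configuration Manager code; the class names, the result fields, and the risk sums are assumptions chosen to mirror the text (exceptions still count toward total risk, an edited approved exception keeps applying until re-approved, and a generated report is a snapshot that deleting an exception does not revise).

```python
from dataclasses import dataclass, replace
from typing import List, Optional

APPROVALS_ENABLED = True   # mirrors "Enable Exception Approvals" = True (9.2.3)

@dataclass
class Violation:           # one row of assessment results (constructed sample shape)
    check: str
    endpoint: str
    group: str
    template: str
    risk: int

@dataclass
class ReportException:
    check: Optional[str]       # None: endpoint/group exception, any check
    target: str                # endpoint or group name
    template: Optional[str]    # None: applies across all policy templates
    status: str = "approved"   # "pending" or "approved"
    pending: Optional["ReportException"] = None  # edited revision awaiting approval

    def matches(self, v: Violation) -> bool:
        return ((self.check is None or self.check == v.check)
                and self.target in (v.endpoint, v.group)
                and (self.template is None or self.template == v.template))

def create_exception(check, target, template, needs_approval=False):
    status = "pending" if APPROVALS_ENABLED and needs_approval else "approved"
    return ReportException(check, target, template, status)

def edit(exc: ReportException, **changes):
    # Editing an approved exception stages a revision that needs re-approval;
    # the original keeps applying until then (9.2.7).
    if exc.status == "approved":
        exc.pending = replace(exc, pending=None, **changes)
    else:
        for name, value in changes.items():
            setattr(exc, name, value)

def approve(exc: ReportException):
    if exc.pending is not None:            # the approved revision replaces the original
        exc.check, exc.target, exc.template = (
            exc.pending.check, exc.pending.target, exc.pending.template)
        exc.pending = None
    exc.status = "approved"

def apply_exceptions(report: List[Violation], exceptions: List[ReportException]):
    # Only approved exceptions filter rows; the returned dict is a snapshot,
    # so deleting an exception afterwards does not change it (9.2.8).
    active = [e for e in exceptions if e.status == "approved"]
    excepted = [v for v in report if any(e.matches(v) for e in active)]
    return {"shown": [v for v in report if v not in excepted],
            "excepted": excepted,
            "total_risk": sum(v.risk for v in report),      # unchanged by exceptions (9.2)
            "excepted_risk": sum(v.risk for v in excepted)}
```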

9.2.9 View the Status of All Exceptions

You must be a console administrator to perform this task.

You can review the status of all exceptions created in Secure Configuration Manager. For example, you might want to identify exceptions that await approval.

Web Console - View Exceptions

You can review currently applied exceptions, those in need of approval, and those that have been disapproved. Select Utilities > Exceptions. You can delete exceptions from this page.

For more information, see the Help in the Web console.

Windows Console - View Exceptions

The Admin Reports wizard lets you run reports to list Secure Configuration Manager administrative data. For example, you can list all exceptions created in the product, then you can either print an administrative report, or export it to a file. To run administrative reports, your console user account needs the Admin Reports permission. For more information, see Managing Permissions.

  1. On the Tools menu, click Admin Reports Wizard.

  2. Select the Exceptions report.

  3. Follow the instructions until you have run the administrative report.

  4. (Optional) Print or export the report.

9.2.10 Enabling Managed Groups to Inherit Parent Group’s Exceptions

You must be a console administrator to perform this task.

You can enable managed groups to inherit their immediate parent group’s exceptions by performing the following steps:

  1. Go to the Advanced tab in the Core Configuration Utility.

  2. Set the value of the gladiator/exception/parent/enabled field to true.

  3. Restart NetIQ Core Services.