Policy Manager

If you work for a U.S. government agency, a vendor that transacts business with the government, or a company with strict configuration security policies, you may be running scans to verify that your assets comply with the following security standards:

  • United States Government Configuration Baseline (USGCB)
  • Center for Internet Security (CIS)
  • Federal Desktop Core Configuration (FDCC)

After running Policy Manager scans, you can view the following information:

  • The overall rate of compliance for assets in your environment.
  • Asset compliance on a per-policy and per-rule basis.
  • Methods for exporting policy scan data to CSV.

Distinguishing between Policy Manager and standard policies

⚠️

Access required to view results

You can only view policy test results for assets to which you have access.

The Policy Manager includes the following checks:

  • USGCB 2.0 policies
  • USGCB 1.0 policies
  • Center for Internet Security
  • FDCC policies
  • Custom policies that are based on USGCB or FDCC policies or CIS benchmarks
  • Oracle policy
  • Lotus Domino policy
  • Windows Group policy
  • AS/400 policy
  • CIFS/SMB Account policy

Getting an overview of Policy Manager results

Click the Policies tab on the Security Console menu. The “Policies” page contains a table of policies based on your level of access, along with the following metrics:

  • Total policy count (clickable tab)
  • Scanned policy count (clickable tab)
  • Number of policies with increased or decreased compliance
  • Overall compliance percentage
ℹ️

Apply filters to remove rows without data

Depending on your level of access, the total policy count view may be too long to browse comfortably. Click the Scanned Policies tab to filter out rows with no scan data.

The Policies table has the following columns:

  • Policy Name
  • Category
  • Source
  • Assets Passed
  • Assets Failed
  • Rule Compliance (percentage)
  • Compliance Trend (percentage)
⚠️

Policy compliance depends on Rule compliance

Each policy consists of specific rules, and each asset is tested against those rules. An asset must pass all rule checks to be considered compliant with that policy.

Viewing scanned assets

In Policies > Scan Engine Policy, click the dropdown above the Policies table and select Scanned Assets. The Scanned Assets table contains similar information and functionality to the Policies table, but from the viewpoint of individual assets.

Viewing policy details

You can view policy details in two ways:

  • Click any Policy Name to open the detail page for that policy. The screen will show a Policy Breakdown table and a Summary Information window.
  • Alternatively, click anywhere on a policy row to open the Summary Information drawer.
ℹ️

View results from asset details pages

Policy Manager check results are also viewable from asset detail pages. See Viewing the details about an asset for more information.

Policy Breakdown

While both interfaces feature lists of individual policy rules and scanned assets, the Policy Breakdown table provides this information at the most granular level.

ℹ️

Summary Information details depend on selected rows

The Summary Information window displays different tabs depending on the type of row you select in the Policy Breakdown table.

Policy Groups

Rules within a policy are often categorized by type for organizational and export purposes into Policy Groups. Expand any of these to show their individual rules. When a policy group is selected, the Summary Information window contains tabs for its policy rules and scanned assets.

ℹ️

Consider multi-layered groups when exporting

Some policies contain multi-layered groups. Keep this in mind when selecting policy groups for export.

Policy Rules

All policies contain individual rules. If you select a policy rule, the Summary Information window will feature the following tabs:

  • Rationale - This tab contains a brief summary on why the rule exists and what type of vulnerability it can proactively guard against.
  • Remediation - When data is available, this tab lists remediation steps to ensure compliance with the rule.
  • Scanned Assets - This tab shows the rule’s scanned assets, the operating system of each asset, and whether the asset passed or failed.
  • Policy Controls - When applicable, this tab lists policy controls for the selected rule.
⚠️

The Summary Information tab updates based on selected information

If you inspect a policy rule through the Scanned Assets dropdown, the Proof tab will replace the Scanned Assets tab described previously in the Summary Information window.

When an asset passes a rule check, the Proof tab details the reason for the pass.

Unscored and Not Applicable policy rules

Not all policy rules will factor into your compliance score. See the following sections for details on how the Security Console handles these rules.

Unscored rules

There may be rules within a policy that are considered “unscored”. While these rules are still counted towards your overall rule total, their outcome will not be factored into your compliance percentage.

ℹ️

Asterisks on unscored rules

Unscored rules are denoted with an asterisk (*) appended to the rule title.

Not applicable rules

Not all policy rules will apply to your scanned assets, particularly if the rule only exists for a specific operating system that your target asset does not use. By default, policy scan results will only show the number of applicable assets for the rule in question.

However, rules that are deemed Not Applicable will count as passing and be included in your compliance score if the following conditions are met:

  • There must be at least one applicable rule in the same policy
  • The applicable rules must have a score of Pass or Fail
⚠️

Not Applicable rules are not included in rule or compliance results

Policies that do not contain any applicable rules are not factored into your rule count or compliance score at all.
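
The scoring rules from the two sections above, worked through for one asset and one policy. This is an added example, not Security Console code: the `RuleResult` record, the outcome strings, and the sample rule titles are constructed for illustration, and the example assumes every rule outcome is Pass, Fail, or Not Applicable.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical outcome labels for this example only.
PASS, FAIL, NOT_APPLICABLE = "pass", "fail", "not_applicable"


@dataclass
class RuleResult:
    title: str
    outcome: str
    scored: bool = True  # unscored rules show an asterisk (*) on the title


def score_policy(results: List[RuleResult]) -> Optional[dict]:
    """Return rule total and compliance percentage, or None if the policy
    has no applicable rule and is therefore left out entirely."""
    for r in results:
        if r.outcome not in (PASS, FAIL, NOT_APPLICABLE):
            raise ValueError(f"unexpected outcome for {r.title!r}: {r.outcome}")

    # Condition for counting anything: at least one applicable rule
    # that scored Pass or Fail.
    applicable = [r for r in results if r.outcome in (PASS, FAIL)]
    if not applicable:
        return None

    # Not Applicable rules now count as passing; unscored rules stay in
    # the rule total but are dropped from the percentage.
    effective = [(r, PASS if r.outcome == NOT_APPLICABLE else r.outcome)
                 for r in results]
    scored = [(r, o) for r, o in effective if r.scored]
    passed = sum(1 for _, o in scored if o == PASS)
    pct = round(100.0 * passed / len(scored), 1) if scored else None
    return {"rule_total": len(effective), "scored_rules": len(scored),
            "passed": passed, "compliance_pct": pct}


# Constructed sample results for one asset.
SAMPLE = [
    RuleResult("Minimum password length", PASS),
    RuleResult("Account lockout threshold", FAIL),
    RuleResult("Logon banner text*", FAIL, scored=False),
    RuleResult("Rule for a different operating system", NOT_APPLICABLE),
]

if __name__ == "__main__":
    print(score_policy(SAMPLE))
```
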

You can view all assets that were scanned, regardless of applicability, from the Scanned Assets tab of the Summary Information drawer:

  1. In Policies > Scan Engine Policy, click Scanned Policies.
  2. Click the table row of the desired policy to open the Summary Information drawer.
     • Alternatively, navigate to the Policy Breakdown table by clicking on the policy name.
  3. In the Summary Information drawer, click the Scanned Assets tab.
     • The Scanned Assets tab is also available when individual policy groups and rules are selected.
  4. Adjust the filter from Applicable assets only to All assets.

Searching within a policy

On the Policies table, check the box of one policy to enable the View Policy button.

Like the Policy Breakdown table, the Policy Configuration screen shows policy groups and rules in directory form. Use the text field to match specific keywords to policy groups and rules. Highlight individual groups and rules to show additional details on the right side of the screen.

⚠️

Some fields are locked by default

The Description and Check parameter fields for built-in policies are locked by default. See Creating a custom policy for more information.

CSV exports

The Policies page features widespread support for exporting data to CSV. Use the Export to CSV button to export any rows you specify to a CSV file.

ℹ️

All records will export by default

By default, the Export to CSV button will export all records if individual rows are not checked.

Export types

The following areas support CSV exports:

  • Main Policies table
  • Scanned Policies filtered table (using the Scanned Policies tab)
  • Scanned Assets table (using the dropdown)
  • Scanned Assets tab (using the Summary Information window or drawer)
  • Policy Breakdown table (using the Policy Detail screen)