Defining compliance exceptions for a component

You can specify exceptions to compliance rules in a single component. When you define compliance rule exceptions, you group them. Each group can have a different expiration date.

To define compliance exceptions for a component

  1. On the Compliance Exceptions panel of a component, either click Add New Exception or select a condition and click Edit Selected Exception.
    Depending on which action you take, the Add Compliance Exception or the Edit Compliance Exception window opens.
  2. On the Generaltab, enter the following information:

    Name

    An identifying name for the compliance rule exception.

    Description

    (Optional) Descriptive text for the compliance rule exception.

    Reference Number

    An identifier needed to synchronize this exception with some external system.

    Duration

    Whether to limit how long the exception lasts.
    Either click Never expires if you do not want to limit the exception by time, or click Expires and pick the date when the exception should expire.

    Notes

    Additional information about the compliance rule exception.

  3. Click the Associated Compliance Rules tab.
  4. Click Add Compliance Rule. The Select Compliance Rules dialog box opens.
  5. Use the Select Compliance Rules dialog box to define compliance rule exceptions by doing the following:
    1. Select the compliance rule for which you want to grant an exception and move it to the Selected Compliance Rules list on the right.
      The All Compliance Rules list shows all compliance rules and compliance rule groups. To move a rule between lists, select the rule and click the left or right arrow. If necessary, expand compliance rule groups to select the appropriate compliance rules. To move all rules from the Selected Compliance Rules list, click the double-left arrow.
    2. If you do not want to limit this exception to particular system objects, click OK. Then click OK on the Add Compliance Exception dialog box. The procedure is complete.
      If you want to limit this exception on the specific target component, specify a path to a particular system object by clicking Edit Ignored Paths. The Edit Ignored Paths dialog box opens.
      1. On the Edit Ignored Paths dialog box, from Type, select the type of server object that should be ignored.
      2. For Path, enter the path to the server object. The path can include wildcards.
      3. Click the right-arrow to move the server object you have defined to the Detailed Exceptions list.
        For example, you can create a compliance rule stating that the configuration file /etc/passwd must exist and that the only entries allowed within it are Admin and SupportLevel2. If you want to create an exception for a specific component that allows the SupportLevel1 entry to appear as well within the file, use this dialog box to specify a type of Configuration File and enter the path /etc/passwd//SupportLevel1. During compliance analysis, if /etc/passwd on the target component contains the two entries Admin and SupportLevel1, the component is found to be compliant with the rule due to the defined exception.
      4. On the Edit Ignored Paths dialog box, click OK.
      5. On the Select Compliance Rules dialog box, click OK.
  6. On the Add Compliance Exception dialog box, click OK. The exception you defined is added to the Compliance Exceptions list. To add another exception, repeat this procedure.

Info

Following are examples of rules in the DISA Solaris 10x86 template that result as non-compliant if the Samba Server running on the system is not required. If the Samba Server is operationally required then these rules must be marked as an exception by the system administrator.

  • GEN006060

Was this page helpful? Yes No Submitting... Thank you

Comments