XYGATE Compliance PRO (XSW) Reference Manual
Chapter 7. System Policy Analyzer
XYPRO Technology Corporation 147 Proprietary and Confidential
Update All Statuses
This is the default update option. The new Dataset from the newly selected Collection
will be compared to existing Failed and Policy Exclusion Items. Any Failed or Policy
Exclusion item that does not match against an item in the newly applied Dataset will be
moved to the Resolved Items list.
Update Statuses for Matching Nodes Only
If current Failed and Excluded items are from a Node that is not contained in the newly
applied Collection/Dataset, these items will be ignored.
Delete Existing Items and Create a New Base Line
Use great caution in selecting this option. All previously Failed, Policy Exclusion, and
Resolved items along with all their associated Notes will be removed. The items in the
Dataset from the new Collection you have selected will become your baseline Security
Policy items.
Issues to Consider before Changing to a Different Collection
You are allowed a fair amount of flexibility during the data collection process. You do
not have to collect information for every Entity from every Node every time. You are
also able to merge Collections from separately collected Nodes.
When a Security Rule/Query is applied to a Dataset, only the data currently in that
Dataset is evaluated. The predicate is applied to the data and a set of
results is returned. For example, if information from $DISK1 and $DISK2 is not
collected, any files that might have matched the Security Rule will be omitted.
Security Policies retain information from the Datasets that have previously been
applied. As a result, changing the list of Nodes or Entities being applied to a Security
Policy can have undesirable results. Assume that a Security Policy has been tracking
LICENSED files on <NODEA> & <NODEB>. The licensed file list has been monitored
for some time. For some reason a Dataset is applied from a Collection that has
specified <NODEA> only. The result would be that all the licensed files that are
marked as failures today from <NODEB> would be closed. A policy assumes that any
item absent from the newly applied Collection has been “fixed.” The same thing could
happen if a new Collection omitted $SYSTEM from the nodes that were collected, and
a Dataset from that Collection was applied to a policy that has a lot of $SYSTEM
items.
Selecting a Collection with additional nodes might add new records into the Security
Policy that were not there before. This may be a more desirable result.
Note: There is no UNDO key.
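The effect of the three update options on the <NODEA>/<NODEB> scenario above can be modeled in a few lines. This is an added illustration, not XYGATE code: the item tuples, mode names, file names, and the coverage_gaps pre-check are assumptions made for the example.

```python
# Added illustration: a simplified model of the three update options, not XYGATE code.
# Items are (node, volume, file) tuples; all file names are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Policy:
    failed: set = field(default_factory=set)
    excluded: set = field(default_factory=set)
    resolved: set = field(default_factory=set)

def apply_dataset(policy, dataset, collected_nodes, mode):
    """Return the Policy that results from applying `dataset` under `mode`."""
    if mode == "new_baseline":
        # All Failed, Policy Exclusion and Resolved items are discarded.
        return Policy(failed=set(dataset))
    out = Policy(resolved=set(policy.resolved))
    for src, dst in ((policy.failed, out.failed), (policy.excluded, out.excluded)):
        for item in src:
            ignored = mode == "matching_nodes" and item[0] not in collected_nodes
            if item in dataset or ignored:
                dst.add(item)            # still matches, or its node is out of scope
            else:
                out.resolved.add(item)   # absent from the Dataset: treated as fixed
    # Assumption: rows not already tracked enter the policy as new Failed items.
    out.failed |= set(dataset) - out.failed - out.excluded
    return out

def coverage_gaps(policy, dataset):
    """(node, volume) scopes that hold open items but have no row in `dataset`."""
    open_scopes = {(n, v) for n, v, _ in policy.failed | policy.excluded}
    return open_scopes - {(n, v) for n, v, _ in dataset}

POLICY = Policy(
    failed={("NODEA", "$SYSTEM", "SYS01.LICPROG"), ("NODEB", "$DISK1", "UTIL.LICTOOL")},
    excluded={("NODEB", "$SYSTEM", "SYS01.VENDOR")},
)
NODEA_ONLY = {("NODEA", "$SYSTEM", "SYS01.LICPROG")}  # Collection that specified NODEA only

if __name__ == "__main__":
    print("gaps before applying:", sorted(coverage_gaps(POLICY, NODEA_ONLY)))
    for mode in ("update_all", "matching_nodes", "new_baseline"):
        r = apply_dataset(POLICY, NODEA_ONLY, {"NODEA"}, mode)
        print(mode, "failed:", len(r.failed), "excluded:", len(r.excluded),
              "resolved:", len(r.resolved))
```

A scope reported by coverage_gaps may be genuinely clean rather than uncollected, so treat it as a prompt to confirm what the Collection covered before the Dataset is applied.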