Symantec Security Expressions Server Server User Manual


 
Audit-On-Schedule
59
This option is available only if the server can access a Policy File Library.
7. If you want the policy to be available to use in audits, check the Make this policy
active box.
Clear the check box to make the policy unavailable to use in audits without deleting the
policy.
8. If you want to policy to be available to use in self-service audits, check the Available
for use in self-service audits box.
9. For Audit-On-Connect include the Link Type, Device Type, Posture Condition, Pass
Results Valid For and Fail Results Valid For settings.
10. Set Windows Group Access. Enter Windows groups, separated by a comma, that can use
this policy, remediate audit results generated using this policy, and view audit results for it. This
establishes which users can access this policy and its audit results due to their role. If a Windows
User Group isn't on the local computer, you'll need to enter the group in
domain\groupname
format.
In the Use Policy field, enter the Windows groups who should be able to modify
the policy.
In the Remediate field, enter the Windows groups who should be able to
remediate audit results generated using this policy.
In the View Audit Results field, enter the Windows groups who should be able to
view results from audits using the policy.
To grant all users access, type Everyone. To restrict all users, type None.
11. Click Update to revise the Policy settings in the database.
Any Audit-on-Connect or Audit-on-Schedule audits that are already based on this policy use the
new policy settings the next time they run.
Deleting Policies
Click the Delete hyperlink for the policy that you want to remove. When you delete a policy, you
remove it from the database. A warning appears to remind you that you are about to delete a
record from the database. Cancel the action or delete the record.
Configuring with Run-Time Policy Variables
Some policy files, such as the NSA Guidelines for Windows XP and Windows 2000, contain a
special rule named .CONFIGURE. The .CONFIGURE rule allows you to configure your policy files
and set global parameters for policy files at run time.
Certain information is unique and distinct between systems or groups of systems. A run-time
policy variable allows administrators to use a single policy file but allows identification of unique
rules that requires variable information. When a policy file uses a variable, your organization can
use one policy file for multiple conditions where variables differ between departments or Machine
Lists. For example, a variable might rename administrator accounts, change the members of an
administrator account, or define the groups to which certain policies apply.
To understand the run-time policy variable, note the following settings in the NSA Guidelines for
Windows XP and Windows 2000:
1. The name for the new rule must be .CONFIGURE.
2. The check type can be blank, or you can type CONFIGURE.