CSA Rule Modules


Rule modules group rules or sets of rules that serve a similar purpose. After you group the rules, you can apply the rule module where necessary to specific policies. The CSA product includes several rule modules that serve functional purposes, but you can also create additional rule modules that apply to your specific environment and user base.

The CSA architecture provides two types of rules: enforcement and detection. Enforcement rules either allow or deny actions. Detection rules are monitoring rules that do not enforce compliance, or rules that tag processes to application classes; they do not take enforcement actions themselves.

Working with Rule Modules

The CSA MC separates rule modules into two groups: UNIX and Windows. To access the predefined rule module list, which is also the page where you would begin to create your own new modules, choose Configuration > Rule Modules [UNIX] or Rule Modules [Windows]. Figure 4-33 shows the Windows Rule Modules screen.

Figure 4-33. Windows Rule Module Screen


From this page, you can perform the following actions, which are discussed in the next few sections:

  • Open and view a rule module: Click the rule module name.

  • View the rules in a specific rule module: Choose the link on the number of rules listed next to the rule module name.

  • Sort the view: Display a specific operating system rule module using the drop-down box in the upper-left corner of the screen.

  • Create a new rule module: Click the New button.

  • Delete rule module(s): Choose the appropriate check box(es) and click Delete.

  • Clone a rule module: Check the check box next to the rule module you want to clone and click the Clone button. This is handy when creating a similar rule module for a different operating system. The rules in the original module are also cloned, so you can edit the newly cloned module and rules without fear of impacting the original rule module.

  • Compare two rule modules: Check the two check boxes of the modules you want to compare, and then click the Compare button to view the similarities and differences.

Comparing Rule Modules

On occasion, you might want to compare two rule modules to find the similarities or differences between them. After you choose the two rule modules you want to compare and click the Compare button, a comparison page displays, as shown in Figure 4-34. This page presents a great deal of information, including all configuration parameters associated with the rule modules and all rules (including rule details) for the rule modules. The differences between the two modules display in red so that they are easy to pick out. Similar rules are placed side by side, and rules with no similar counterpart are left blank on the opposite side of the comparison page.

Figure 4-34. Rule Module Comparison Page


Also, notice that check boxes appear near the "uncommon" rules on the comparison screen. You can check the box next to the rule you want to copy and then click the Copy button at the bottom of the screen to copy the rule to the other module, a different module, or a new module. From this view, you can also click the Delete button to remove a rule from a policy.

Creating a Rule Module

More often than not, you will need to create your own rule modules to serve a purpose that is not accommodated by the built-in modules. To create a new rule module and view the settings available at the rule module level, perform the following steps, which correspond to Figure 4-35:

Step 1. Click the New button on the Rule Modules page.

Step 2. Enter the name and description for the rule module.

Step 3. Choose the operating systems that can use the module. The drop-down box lists the operating systems available for selection, and the choice can be granular or wide.

Step 4. Choose whether the rule module should be placed in Test Mode. In CSA version 4.5, you can now place individual rule modules in Test Mode while leaving all other mechanisms on the agent in Enforcement Mode. This is a great way to test out new application controls without impacting the already baselined usability of the other agent-protective mechanisms.

Step 5. Choose the state conditions that should apply to this rule module. You can have rule modules that only apply based on user and system states.

Step 6. Click Save or Delete as appropriate for the task at hand.

Figure 4-35. Viewing and Creating a Rule Module


At the top of the specific rule module page, you see the following quick links options:

  • Modify Policy Associations: Displays the policy that the rule module is attached to on the right side of the screen and the available policies on the left side of the screen, as shown in Figure 4-36.

    Figure 4-36. Modifying the Attached Policy Information


  • Modify Rules: Displays the rules attached to the policy in prioritized order, separated into enforcement and detection rules. You can add rules to the module by clicking the Add Rule link and choosing the rule you want to create. You can also check the check box adjacent to a rule you want to enable, disable, or delete (corresponding to the buttons on the bottom of the page) from the rule module. In addition, you can use the Copy feature on the page to copy a rule or rules to another policy easily and quickly. (See Figure 4-37.)

    Figure 4-37. Modifying the Rules in the Rule Module


  • Explain Rules: Displays a verbose readable version of the rule module and associated rules. The rules are divided into sections so that you can quickly locate the type of information you are attempting to find. (See Figure 4-38.)

    Figure 4-38. Explain Rules


  • View Change History: Displays a filtered view of the audit trail, which represents all the changes made to this rule module. (See Figure 4-39.)

    Figure 4-39. Viewing the Rule Module Change History


  • Consistency Check: Displays whether the rule module contains any operating system rule-specific conflicts. In version 4.5, the consistency checking feature verifies that the rule module for a specific operating system is not attempting to use any rules or variables that do not apply to that operating system, such as Windows directory paths versus UNIX directory paths. (See Figure 4-40.)

    Figure 4-40. Performing the Consistency Check
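
The kind of conflict the Consistency Check reports can be illustrated with a short script. This is an added example, not code from the book or from CSA: the dictionary layout, the variable names, and the sample module (a web server module cloned for UNIX that still carries a Windows path and a Windows variable) are all constructed assumptions, and the CSA MC performs its own check internally.

```python
import re

# Constructed sample data. The dict layout is a hypothetical model for this
# example; it is not the CSA MC storage or export format.
VARIABLES = {
    "web_content": {"os": "unix", "paths": ["/var/www/**"]},
    "office_docs": {"os": "windows", "paths": [r"C:\Docs\**\*.doc"]},
}

CLONED_MODULE = {
    "name": "Web Server Module [cloned for UNIX]",
    "os": "unix",
    "rules": [
        {"id": 1, "paths": ["/etc/httpd/conf/*"], "variables": ["web_content"]},
        {"id": 2, "paths": [r"C:\Program Files\Apache\conf\*"], "variables": []},
        {"id": 3, "paths": ["*.log"], "variables": ["office_docs"]},
    ],
}


def path_style(pattern):
    """Classify a path pattern as 'windows', 'unix' or 'neutral'."""
    if re.match(r"^[A-Za-z]:", pattern) or "\\" in pattern:
        return "windows"   # drive letter, backslash separator or UNC prefix
    if pattern.startswith("/"):
        return "unix"      # absolute POSIX path
    return "neutral"       # e.g. "*.log": no OS-specific syntax


def consistency_check(module, variables):
    """List (rule id, kind, item) for everything that does not fit module['os']."""
    target = module["os"]
    conflicts = []
    for rule in module["rules"]:
        for pattern in rule["paths"]:
            if path_style(pattern) not in ("neutral", target):
                conflicts.append((rule["id"], "path", pattern))
        for name in rule["variables"]:
            var = variables.get(name)
            if var is None:
                conflicts.append((rule["id"], "undefined variable", name))
            elif var["os"] != target:
                conflicts.append((rule["id"], "variable", name))
    return conflicts


if __name__ == "__main__":
    for rule_id, kind, item in consistency_check(CLONED_MODULE, VARIABLES):
        print(f"rule {rule_id}: {kind} {item!r} does not apply to {CLONED_MODULE['os']}")
```

Rules 2 and 3 are reported; rule 1 and the OS-neutral pattern `*.log` pass.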


Using CSA Predefined Rule Modules

Several rule modules that come installed with the CSA MC server can aid in the deployment and testing of the product. Some of the rule modules included are as follows:

  • E-Mail Protection

  • Apache Web Server

  • Cisco VPN Client

  • CiscoWorks Base Security

  • CiscoWorks CSA MC SQL Server

  • SendMail

  • Samba

  • Data Theft Prevention

  • DHCP Server

  • DNS Server

  • Microsoft Office

This is only a sample of the rule modules included with the product. To view the included rule modules on your installation, choose Configuration > Rule Modules [UNIX] or Rule Modules [Windows] > All.

Figure 4-41 shows the predefined rule modules.

Figure 4-41. Predefined Rule Modules


NOTE

This book does not attempt to explain the predefined rule modules and policies shown in Figure 4-41. These policies change over time, and the best method available for those wanting to better understand those modules is to investigate the locally installed modules and policies personally.


To view the rule modules and better understand their function, click the name and then choose Modify Rules or Explain Rules from the quick links menu.



    Cisco Security Agent
    ISBN: 1587052059
    EAN: 2147483647
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan
