Rule Modules and Policy Hierarchy

Rule modules are collections of various types of rules grouped together to perform a collective task. By grouping rules this way, you can easily deploy the security protection or policy controls they enforce as a single component tied to another layer of grouping called a policy. Figure 2-2 displays a CSA MC view of the Operating System—Base Protection-Windows policy configuration.

Figure 2-2 Policy Configuration View

Policies, as a grouping mechanism within CSA, contain various rule modules that are related because they accomplish a certain task or group of security tasks. For example, the desktop policy contained in the base CSA MC installation includes several rule modules, each of which in turn contains several rules; each rule accomplishes part of the task of protecting desktop systems. When the rules of each rule module within the policy are combined, they are ordered according to a specific priority and enforced much like a typical access control list, with higher-precedence rules overriding lower-precedence rules.

Rule Precedence

As rules are combined into rule modules, and rule modules in turn into policies, the combined set may contain conflicting rules. The following actions are listed in order of precedence, with entries at the top taking precedence over those lower in the list.

1. High Priority Terminate Process
2. High Priority Deny
3. Allow
4. Query User (Terminate)
5. Query User (Deny)
6. Query User (Allow)
7. Terminate Process
8. Deny
9. Default Action Allow
10. Add Process to Application Class
11. Remove Process from Application Class
12. Monitor
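To make the conflict resolution concrete, the following added Python example (not CSA code and not from the book) combines the rules of two constructed rule modules into one policy and picks the enforced action from the precedence list above; the module names, rules, process names and paths are all invented. It also shows the check a policy author should make: a plain Allow in one module overrides a plain Deny in another, so a deny that must hold across modules has to be a High Priority Deny.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

# Precedence order exactly as listed above, highest precedence first.
PRECEDENCE = [
    "High Priority Terminate Process", "High Priority Deny", "Allow",
    "Query User (Terminate)", "Query User (Deny)", "Query User (Allow)",
    "Terminate Process", "Deny", "Default Action Allow",
    "Add Process to Application Class", "Remove Process from Application Class",
    "Monitor",
]
RANK = {action: i for i, action in enumerate(PRECEDENCE)}  # lower = wins


@dataclass(frozen=True)
class Rule:
    module: str    # rule module the rule came from (constructed names)
    action: str    # one of the PRECEDENCE entries
    process: str   # glob matched against the acting process name
    resource: str  # glob matched against the file resource touched

    def matches(self, process: str, resource: str) -> bool:
        return fnmatchcase(process, self.process) and fnmatchcase(resource, self.resource)


def matching_rules(rules: List[Rule], process: str, resource: str) -> List[Rule]:
    """All rules matching the event, ordered by precedence (winner first)."""
    hits = [r for r in rules if r.matches(process, resource)]
    return sorted(hits, key=lambda r: RANK[r.action])


def resolve(rules: List[Rule], process: str, resource: str) -> Optional[Rule]:
    """Return the rule whose action is enforced, or None if no rule matches."""
    hits = matching_rules(rules, process, resource)
    return hits[0] if hits else None


# Constructed sample policy: rules from two hypothetical rule modules.
POLICY = [
    Rule("Base Protection", "Deny", "*", r"C:\Windows\System32\*"),
    Rule("Base Protection", "Monitor", "*", "*"),
    Rule("Admin Tools", "Allow", "admintool.exe", r"C:\Windows\System32\*"),
    Rule("Base Protection", "High Priority Deny", "*", r"C:\Windows\System32\drivers\*"),
]

if __name__ == "__main__":
    # Allow (3) in "Admin Tools" overrides Deny (8) in "Base Protection".
    print(resolve(POLICY, "admintool.exe", r"C:\Windows\System32\cmd.exe").action)
    # High Priority Deny (2) still beats that Allow.
    print(resolve(POLICY, "admintool.exe", r"C:\Windows\System32\drivers\x.sys").action)
```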
