IBM Proventia Network Enterprise User Manual - page 77
Policy Inheritance with Enterprise Scanner Policies
IBM Proventia Network Enterprise Scanner User Guide, Version 1.3
Introduction
The inheritance properties of policies enable you to set up your scanning environment in a
hierarchical group structure. Even if you understand policy inheritance with other IBM
ISS agents, you should understand the slight variations with Enterprise Scanner policies.
For the best results, read the documentation before you set up a group structure and
define policies.
General inheritance behavior
In general, inheritance works as follows:
● When you define a policy for a group in your group structure, the policy
automatically applies to the group’s subgroups unless a subgroup already has its own
version of the policy. Then, that subgroup retains its version of the policy.
● You can break the inheritance at any level in the group structure by redefining
(overriding) the policy for a subgroup. When you define a policy for a subgroup, the
changes apply to its subgroups.
● If you have defined a policy for a subgroup, and you want to apply that policy to
groups above the subgroup, you can promote the policy to a higher group.
Inheritance with Enterprise Scanner policies
As you plan your Site grouping structure for vulnerability management, keep these points
in mind:
● Most asset policies follow the general rules of inheritance.
● Many agent policies apply only to a single agent or scanning network interface.
● Some asset and some agent policies have specialized inheritance characteristics. These
differences are described in more detail in later topics.
Inheritance indicators
Policies for a group appear in a Policy tab in the SiteProtector Console. When you select a
group on the left pane of the SiteProtector Console, policies applicable to the group
appear on the right pane. The inheritance indicators of the policies appear in the
Inheriting From column as follows:
If the Inheriting From Value is…       | Then, …
---------------------------------------|---------------------------------------------
blank                                  | the policy is defined for the asset or agent group selected on the left pane.
Inheriting from the factory defaults   | you have chosen to override the policy with one that is defined higher in the group structure, but a higher-level policy is not defined.
a_group_name                           | the policy is inherited from the referenced group.
Table 24: Group policy inheritance indicators
Initially blank or inherited from default?
The initial inheritance indicators for agent policies may be blank or Inheriting from the
factory defaults, depending on whether you override the SiteProtector system group
settings when you register your agent with the SiteProtector system:
● If you override the settings, the agent’s settings are applied to the SiteProtector system
policies, so the Inheriting From column is blank.
● If you do not override the settings, the column follows the inheritance described in
Table 24, above; however, you must configure the unconfigured policies.
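The following sketch is an added illustration, not IBM or SiteProtector code: it models the general inheritance rules and the Inheriting From indicators of Table 24 so you can check which group a policy actually comes from before relying on it. The group names and the policy name ExamplePolicy are constructed, and the specialized inheritance of some asset and agent policies is not modeled.

```python
# Added illustration: simplified model of group policy inheritance.
# Group names and "ExamplePolicy" are constructed; this is not product code.

FACTORY_DEFAULTS = "Inheriting from the factory defaults"


class Group:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.policies = {}  # policy name -> settings defined at this group

    def define(self, policy, settings):
        """Define (or override) a policy here; this breaks inheritance at this level."""
        self.policies[policy] = settings

    def resolve(self, policy):
        """Return (settings, indicator) as the Inheriting From column would show it."""
        if policy in self.policies:
            return self.policies[policy], ""  # blank: defined for this group
        node = self.parent
        while node is not None:  # walk up to the nearest group that defines it
            if policy in node.policies:
                return node.policies[policy], node.name
            node = node.parent
        # No higher-level policy is defined (default settings are not modeled here).
        return None, FACTORY_DEFAULTS


def build_sample_site():
    """Constructed hierarchy: Site -> DMZ -> Web Servers, and Site -> Lab."""
    site = Group("Site")
    dmz = Group("DMZ", site)
    web = Group("Web Servers", dmz)
    lab = Group("Lab", site)
    return {g.name: g for g in (site, dmz, web, lab)}


def audit(groups, policy):
    """Map each group name to its Inheriting From indicator for one policy."""
    return {name: group.resolve(policy)[1] for name, group in groups.items()}


if __name__ == "__main__":
    groups = build_sample_site()
    groups["Site"].define("ExamplePolicy", {"enabled": True})
    groups["DMZ"].define("ExamplePolicy", {"enabled": False})  # override for DMZ subtree
    for name, indicator in audit(groups, "ExamplePolicy").items():
        print(f"{name:12} {indicator or '(blank)'}")
```
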