Audit Policy Rule
An audit policy contains a set of rules that it applies to data representing
an object being audited. Each rule can return a boolean value (plus some optional
information).
To determine whether a policy has been violated, the audit policy evaluates
a logical operation on the results of each rule. If the audit policy has been
violated, a compliance violation object might result, with (typically) one
compliance violation object per policy, rule, or whatever was being audited.
For example, an audit policy with five rules might result in five violations.
Inputs:
None
You must specify the following for a custom Audit Policy rule:
|
AuthType
|
AuditPolicyRule
Note –
When you use the Audit Policy Wizard to create an Audit Policy
rule, the wizard uses the AuditPolicyRule authType by default.
If you use the Identity Manager IDE to create an Audit Policy rule,
be sure to specify the AuditPolicyRule authType.
|
|
SubType
|
-
SUBTYPE_AUDIT_POLICY_RULE (for an audit
policy rule)
-
SUBTYPE_AUDIT_POLICY_SOD_RULE (for an audit
policy SOD rule)
SOD (separation of
duties or segregation of duties) rules differ
from regular rules in that they are expected to produce a list element in
the rule output. A list element
is not required; but if one is not present, it causes
any corresponding violations to be ignored in SOD reporting.
|
|
Called
|
During an Audit Policy Evaluation
|
|
Returns
|
An audit policy rule must return an integer value, but the value can
be expressed as one of the following:
-
A pure integer:
-
An integer within a map of additional data:
<map>
<s>result</s>
<i>1</i>
...
</map>
|
If the audit policy returns a map, other elements can affect the resulting
compliance violation. These elements include:
-
resources element: Causes the
compliance violation to refer to two resources, resource one and resource two. These values must be real resource names because the
compliance violation contains actual object references (so the names are resolved
to IDs). (Default is no resource.)
<s>resources</s>
<list>
<s>resource one</s>
<s>resource two</s>
</list>
|
-
severity element: Causes the compliance
violation to have the specified severity. (Default is 1.)
-
priority element: Causes the compliance
violation to have the specified priority. (Default is 1.)
-
violation element: Prevents
the audit scanner from creating a rule violation— even if the audit
policy evaluates to true.
By default, if the
audit policy evaluates to true, it creates compliance violations
for each rule that returns a non-zero. Setting this element to zero allows
the rule to return true, but does not create a violation
for the rule.
<s>violation</s>
<i>0</i>
|
Note –
The Audit Policy Wizard only creates rules that reference a single
resource and return an integer value (not a map).
To use any of
the preceding map-related features, you must write the rule yourself. Some
very sophisticated audit policy rule examples are provided in sample/auditordemo.xml.
|
|
Predefined Rules
|
-
Compare Accounts to Roles:
Compares user accounts to accounts specified by roles. Any account not referenced
by a role is considered an error.
-
Compare Roles to Actual Resource Values:
Compares current resource attributes with those specified by current Roles.
Any differences are considered errors, and any resources or resource attributes
not specified by a role are ignored.
|
Note – The RULE_EVAL_COUNT value equals the number
of rules that were evaluated during a policy scan. Waveset calculates
this value as follows:
RULE_EVAL_COUNT = # of users scanned
x (# of rules in policy + 1)
The +1 is
included in the calculation because Waveset also counts the policy
rule, which is the rule that actually decides if a policy is violated.
The policy rule inspects the audit rule results, and performs the boolean
logic to come up with a policy result.
For example, if you have
Policy A with three rules and Policy B with two rules, and you scanned ten
users, the RULE_EVAL_COUNT value equals 70 because
10 users x (3 + 1 + 2 + 1 rules)
