Symantec Security Expressions Server Exceptions Table Column Description, Adding Exceptions

Audit-On-Connect

A Subject or Message may contain text such as "Latest SecurityExpressions audit located at %RESULTLINK%."

Exceptions

Exceptions prevent certain systems from ever getting audited, even if they fall within a scope. When a system connects to the network, the server software checks all scopes to see if the system falls within one. If it does, the server software then checks all exceptions to see if the system is listed in an exception. If it is, the system does not get audited.

To exclude the devices from an audit, you must add them to the Exceptions list through the Exceptions table. From the table you can Add, Edit or Delete the Exception.

Exceptions Table

Column: Description

Type: Type of device specification. May be a MAC address, a fully-qualified domain name, an IP address, or range of IP addresses.

Value: The value of Type. You may use the * wild card. You may also enter IP addresses and IP ranges if you selected Fully Qualified Domain Name as the type.

Expiration Date: Date when audits stop applying this exception. If Never, this exception does not expire.

Posture: Result returned when this device connects to the network.

Description: Exception or device description.

Adding Exceptions

To add new Exceptions:

1. Click Add New on the Exceptions page.

2. Select MAC address, Fully-Qualified Domain Name, or IP Address or Range as the Type.

3. Enter the Value.

A MAC address that includes a wild card would be 00-08-74-35-**-** (you can use either - or : as the separator in a MAC address). A fully-qualified domain name that includes a wild card would be *.ids.symantec.com. If entering a range of IP addresses, use a hyphen between the lowest address and the highest address.

4. Select the Expiration Date from the calendar. This date indicates when audits stop applying this exception. If you want the Exception enforced indefinitely, select the Never check box.

5. Identify the Group Posture, such as Pass or Out of Scope, to return when the device connects to the network.

6. Optionally, type a short Description describing the exception or device.

7. Click Add.
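
The exception check described on this page, written out as an added Python example (not SecurityExpressions code) so an exception list can be reviewed offline against a device inventory. The row layout, the device field names, shell-style matching of the * wild card, first-match-wins ordering and the rule that an exception stops applying on its expiration date are all assumptions; the sample rows are constructed.

```python
import ipaddress
from datetime import date
from fnmatch import fnmatchcase

# Constructed sample rows: (type, value, expiration date or None for Never, posture).
EXCEPTIONS = [
    ("mac", "00-08-74-35-**-**", None, "Pass"),
    ("fqdn", "*.ids.symantec.com", date(2030, 1, 1), "Out of Scope"),
    ("ip", "10.0.5.10-10.0.5.20", date(2020, 1, 1), "Pass"),
]

def _octets(mac):
    """Split a MAC address into lower-case octets; '-' and ':' are interchangeable."""
    return mac.strip().lower().replace(":", "-").split("-")

def mac_matches(pattern, mac):
    """Compare octet by octet so a wild card never spans a separator."""
    p, m = _octets(pattern), _octets(mac)
    return len(p) == len(m) == 6 and all(fnmatchcase(b, a) for a, b in zip(p, m))

def ip_matches(value, ip):
    """Value is a single address or 'lowest-highest' (inclusive)."""
    low, _, high = value.partition("-")
    addr = ipaddress.ip_address(ip)
    lo = ipaddress.ip_address(low.strip())
    hi = ipaddress.ip_address((high or low).strip())
    return lo.version == addr.version == hi.version and lo <= addr <= hi

def value_matches(kind, value, device):
    if kind == "mac":
        return mac_matches(value, device["mac"])
    if kind == "fqdn":
        return fnmatchcase(device["fqdn"].lower(), value.lower())
    if kind == "ip":
        return ip_matches(value, device["ip"])
    raise ValueError(f"unknown exception type: {kind}")

def exception_posture(device, today, exceptions=EXCEPTIONS):
    """Return the posture of the first live exception covering the device, else None."""
    for kind, value, expires, posture in exceptions:
        # Assumption: an exception stops applying on its expiration date.
        if expires is not None and today >= expires:
            continue
        if value_matches(kind, value, device):
            return posture
    return None  # no exception applies: the device is audited if it is in a scope
```

Running every inventory entry through `exception_posture` shows which devices are currently excluded from auditing and under which row, which makes never-expiring wild card rows easy to spot.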

Editing Exceptions
