2-11
Installing Management Center for Cisco Security Agents 5.2
78-17916-01
Chapter 2 Deployment Planning
Policy Tuning and Troubleshooting
If one of the rule modules within a policy is not behaving as expected, you
can place it in test mode while still keeping the remaining rule modules in live
mode. To do this, select the Test Mode checkbox on any Configuration ->
Rule Modules -> <platform> Rule Modules -> <module name> page.
Note: When running your pilot, explain to participants the difference between test mode
and live mode, clearly label whether agent kits are for test mode or live mode, and
tell participants which kits to download and use during various phases of the pilot.
Test mode is not intended to be used indefinitely because the area under test is
completely vulnerable from a security standpoint. Groups and rule modules in test
mode should move to live mode in a timely fashion. Once the pilot is over, you
need to carefully control which hosts, if any, are in test mode. You can remove the
test mode kits to ensure they do not get downloaded during deployment and
periodically monitor the Systems - test mode group to ensure that all pilot
participants have migrated to live mode agent kits. You want to avoid the situation
where a security hole exists after deployment because some groups or rule
modules were inadvertently left in test mode.
Disabling Specific Rules
When you examine the event log with the Events -> Event Log menu, the
description of each event references the rule number. If you find a consistent
pattern of false positives with the same specific rule number, you can disable that
rule if desired. There are two different approaches to disabling rules:
You can disable the rule temporarily. At a later time, you can go back and
modify the rule, set up a query with a cached response, or set up an exception
rule.
You can disable the rule permanently if the rule protects a resource that you
don’t need protected as part of your security policy.
The easiest way to disable a rule is by clicking on the rule number at the bottom
of the event description in the event log. On the rule page, you click on the
Enabled checkbox to uncheck it and disable the rule. Once you generate the rules,
this rule will be disabled.