Installing Management Center for Cisco Security Agents 5.2
78-17916-01
Chapter 2 Deployment Planning
Policy Tuning and Troubleshooting
Setting Up Exception Rules
In some cases, you need two or more different rules to completely specify the
desired action for a specific event. For example, you could have one rule that
denies all applications from writing to the //blizzard/webdocs directory and
another rule that allows the WebGuru application with authenticated user
webmaster to write to the //blizzard/webdocs directory. The second rule allowing
write access for WebGuru is considered an exception rule because it overrides a
small part of the overall deny rule for the //blizzard/webdocs/ directory. The MC
manipulates the precedence of exception rules so that they are evaluated before
the rules that they override.
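
The deny rule and the WebGuru exception described above, as an added Python example (not Cisco's code and not the MC's rule engine). It is a simplified model that assumes first-match evaluation, glob-style matching, and a default of allow when no rule matches; the names Rule, order and decide are hypothetical.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    path: str                # glob on the target path
    app: str = "*"           # application name, "*" = any application
    user: str = "*"          # authenticated user, "*" = any user
    exception: bool = False  # True for an exception rule

    def matches(self, app, user, path):
        return (fnmatchcase(path, self.path)
                and fnmatchcase(app, self.app)
                and fnmatchcase(user, self.user))


def order(rules):
    """Place exception rules ahead of the rules they override (stable sort)."""
    return sorted(rules, key=lambda r: not r.exception)


def decide(rules, app, user, path, default="allow"):
    """Return the action of the first matching rule (assumed semantics)."""
    for rule in rules:
        if rule.matches(app, user, path):
            return rule.action
    return default


# The two rules from the text: a broad deny and a narrowly scoped exception.
DENY_ALL = Rule("deny", "//blizzard/webdocs/*")
ALLOW_WEBGURU = Rule("allow", "//blizzard/webdocs/*",
                     app="WebGuru", user="webmaster", exception=True)

if __name__ == "__main__":
    target = "//blizzard/webdocs/index.html"  # constructed sample path
    policy = order([DENY_ALL, ALLOW_WEBGURU])
    for app, user in [("WebGuru", "webmaster"),
                      ("WebGuru", "guest"),
                      ("notepad", "webmaster")]:
        print(app, user, decide(policy, app, user, target))
```

Only the WebGuru/webmaster pair is allowed; the same application under another user, or another application under webmaster, still hits the deny rule, and without the reordering the exception would never be reached.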
Although you can create exception rules with the MC rule pages, the easiest way
to create exception rules is using the Event Management Wizard from the event
log. The wizard tailors its behavior to the event from which you launch it. You
can use the wizard to create two general types of exception rules:
- Exception rules that under certain conditions allow an event that was denied
- Exception rules that stop logging similar events
To launch the wizard:
1. Select Events -> Event Log.
2. Click on the Wizard link at the bottom of the desired event’s description.
The wizard asks you questions about the following:
- Whether the exception rule applies to the user/state conditions of the
  triggering rule or the user/state conditions of the specific event where you
  launched the wizard. If you want the exception to apply to all users, you
  typically want the user/state conditions of the triggering rule (the default). If
  you want to create an exception rule only for the user specified in the event,
  you need to explicitly select the specific user state conditions radio button.
- Whether the description of the proposed exception rule looks correct. Keep
  in mind that if you need to make some small changes to the rule, such as the
  applications specified, you can do so later. After the wizard finishes, you can
  still modify the exception rule further before saving it.
- Whether you want to put this new exception rule in a separate exception rule
  module (the default) or modify the rule module that triggered the event. In
  most cases, you want to put this in a separate exception rule module so you
  can preserve the supplied rule modules.