Exceptions | Symantec Security Expressions Server instruction

Audit-On-Connect

A Subject or Message may contain text such as "Latest SecurityExpressions audit located at %RESULTLINK%."

Exceptions

Exceptions

Exceptions prevent certain systems from ever getting audited, even if they fall within a scope. When a system connects to the network, the server software checks all scopes to see if the system falls within one. If it does, the server software then checks all exceptions to see if the system is listed in an exception. If it is, the system does not get audited.

To exclude the devices from an audit, you must add them to the Exceptions list through the Exceptions table. From the table you can Add, Edit or Delete the Exception.

Exceptions Table

Column	Description

Type	Type of device specification. May be a MAC address, a fully-qualified
	domain name, an IP address, or range of IP addresses.
Value	The value of Type. You may use the * wild card. You may also enter
	IP addresses and IP ranges if you selected Fully Qualified Domain
	Name as the type.
Expiration Date	Date when audits stop applying this exception. If Never, this
	exception does not expire.
Posture	Result returned when this device connects to the network.
Description	Exception or device description.

Adding Exceptions

To add new Exceptions:

1.Click Add New on the Exceptions page.

2.Select MAC address, Fully-Qualified Domain Name, or IP Address or Range as the Type.

3.Enter the Value.

A MAC address that includes a wild card would be 00-08-74-35-**-** (you can use either

-or : to parse a MAC address). A fully-qualified domain name that includes a wild card would be *.ids.symantec.com. If entering a range of IP addresses, use a hyphen between the lowest address and the highest address.

4.Select the Expiration Date from the calendar. This date indicates when audits stop applying this exception. If you want the Exception enforced indefinitely, select the Never check box.

5.Identify the Group Posture , such as Pass or Out of Scope, to return when the device connects to the network.

6.Optionally, type a short Description describing the exception or device.

7.Click Add.

Editing Exceptions

43

Image 51

Symantec Security Expressions Server manual Exceptions Table Column Description, Adding Exceptions, Editing Exceptions

Contents

SecurityExpressions Server User Guide Page Table Of Contents Page Table Of Contents Page Vii Page Contacting Us Page Contacting Technical Support Technical SupportPage SecurityExpressions Console Other ProductsPage About SecurityExpressions Audit & Compliance Server OverviewPage How to Audit your Local Computer Self-Service AuditWhat is Self-Service Auditing? Self-Service Audit Agreement Displays on the page. No detailed audit results appear Pages with Role Settings Configure ServersAbout Server Configuration Local Server Settings Setup Viewing Audit ResultsDatabase Connection Windows 2000 Servers Secure Connection Click OK on the Default Web Site Properties window Credential Store UserCreating Credential Stores Site Preferences Enable Web ServicesSecurityExpressions Console Credential Stores Software Registration Access Item Rights Global Machine List Access User Roles Policy File Library Library SynchronizationCheck the Synchronize with a policy file library box How System Scores are Calculated About Policy Files Agent & Service Configuration Default method for remote execution on WindowsTarget Options SSH Agent Authentication Database Cleanup Add Task Update TaskCancel Policies Agent Downloads Site PreferencesClick Use the Following Agreement Allow Remediation Page Policies Table What is Audit-on-Connect?Audit-On-Connect PoliciesPage Adding Policies Editing Policies Deleting Policies Configuring with Run-Time Policy VariablesPage Scopes ScopesAdd a New Scope Page Edit a Scope Scopes Table Supported Operators Deleting ScopesDNS Domain Name Scopes Expression Scopes Supported Functions Org Unit ScopesDetection Method Scopes Notifications Editing Notifications Creating New Command NotificationsCreating New Email Notifications Click Add New Click Add New Creating New Command Notifications Notification Variables Deleting Notifications Adding Exceptions ExceptionsExceptions Exceptions Table Column Description Connection Monitors Specify Password and Encrypted PasswordConnection Monitors Deleting Exceptions Configuring Connection Monitors RemoveEnabling Connection Monitors IP Range Section Connection Monitor Configuration File Options Default Processing the Configuration File Configuration File SyntaxActive Directory Active Directory Connection Monitor only Slow Links Network Initial Token Trace Route InformationNetwork Admissions Control Unmanaged Systems Redirection Web HealthyQuarantined/Unknown Reaudit if quarantined Audit on Connect Tracing Redirection Web Page BehaviorAudit on Connect Tracing Page Page Audit-On-Schedule What is Audit-on-Schedule?Page Adding Policies Editing Policies Deleting Policies Page Notifications Click Add New Click Add New Deleting Notifications My Machine Lists My Machine Lists Editing Machine Lists Adding Machine Lists Scheduled Tasks Scheduled TasksDeleting Machine Lists Editing Global Machine Lists Adding Scheduled Tasks Basic Settings Schedule Settings Hosts Not Connected Settings Credentials Settings Other Options Settings Editing Scheduled Tasks Windows Group Access Schedule Settings Notifications Other Options Settings Deleting Scheduled Tasks Page Adding a New Audit-On-Connect Report Profile View Audit-On-Connect ActivityBrowse Audit-On-Connect Activity Audit-On-Connect Activity Table Column Description Deleting Report Profiles Editing Report Profiles Audit-On-Connect Exceptions Report Audit-On-Connect Error Log ReportPage View Audit Results Browse Audit ResultsAdding a New Audit Results Report Profile Page Deleting Audit Report Results Profiles Scheduled Audits Log ReportAdding Custom Reports to the Server Application Editing Audit Report Results ProfilesPage Glossary Page Index Configure IP address 33, 44, 45 Rule weights