TNG-0072: Policy Processing Notes


Posted by Mike Bobbitt (InfoExpress), June 03, 2005, 08:57:27 AM
Use of this document and web site are governed by the Terms and Conditions of Use for InfoExpress's web site.

Summary

In order to create successful policy, it is important to understand how CyberGatekeeper applies and evaluates policies, and how to interpret the logged results.

Policy Processing

  • Policies are processed in alphabetical order, by policy name. InfoExpress recommends beginning each policy name with a number indicating the desired order of processing, for the most predictable results.
  • To prevent policies from "eclipsing" one another, make sure that policies with more specific requirements sort before policies with more generic requirements; a generic policy that sorts first will be applied, and the more specific one will never be evaluated.
  • If all of the listed WHEN conditions for a policy match the target system (and processing has not already stopped), that policy is applied to the system.
  • If the endpoint fails any hard requirement (REQUIRE/PROHIBIT), processing stops at the first failure. If a message is associated with that rule, it is displayed to the user, and the associated remediation action is run.
  • If there are no REQUIRE/PROHIBIT failures, the message from the first DESIRE or NOT DESIRE failure (if any) is displayed to the end user, and its remediation action is run. DESIRE/NOT DESIRE tests are processed in order, starting with global policies in alphabetical order, followed by ordered policies in alphabetical order. Once a DESIRE/NOT DESIRE message has been displayed, processing continues, but no additional messages are displayed. Note that it is the first DESIRE/NOT DESIRE failure that carries a message which is shown; earlier soft failures that have no message are processed but produce no display.
  • If the end of a policy is reached without any hard failures (REQUIRE/PROHIBIT), that policy is considered PASSED. If it is a Global Policy, processing continues on to the next policy, checking its WHEN conditions, and so on. If it is not a global policy, processing stops and the endpoint is considered a PASS, regardless of whether any subsequent policies' WHEN conditions would have matched.
  • Only one message is displayed at any given time; once that condition has been met, processing restarts and the next message (if applicable) is displayed.

Note that in CyberGatekeeper versions prior to 3.x, messages from all "failed" DESIRE rules are displayed. In this case, the Help URL used is the Help URL associated with the first message. In later versions of CyberGatekeeper, only the message from the first failed DESIRE rule is displayed. Global Policies are only available in CyberGatekeeper Policy Servers which are at least V5.1.

Policy Logging

  • Files and processes that are detected on the endpoint will be recorded in the logs.
  • Files and processes that do not exist/are not running will not show up in the logs.
  • Registry checks for keys that exist show up in the logs.
  • Registry checks for keys that do not exist do not show up in the logs.

Note that the elements being checked for will show up in the logs if they exist - regardless of whether the test passes or fails.
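The processing order described under Policy Processing and the logging behaviour described under Policy Logging can be modelled together in a small simulator. The following Python is an added illustration written for this note, not InfoExpress's own implementation: the Policy/Rule data model, the function names, the demo policies and the sample finance host are all constructed here, and the code comments mark the one ordering assumption it makes (global policies are evaluated before ordered policies, each group alphabetically). It applies the rules stated above generally: any mix of global and ordered policies, WHEN conditions, hard and soft rules, and a single displayed message.

```python
"""Model of CyberGatekeeper policy processing as described in TNG-0072.

Added illustration, not InfoExpress code: data model, names and sample data
are all constructed here.
"""
from dataclasses import dataclass, field
from typing import Optional

# A check is a (kind, name) pair such as ("process", "avengine.exe"). An endpoint
# is modelled as the set of WHEN facts that are true for it plus the set of
# checked elements (files, processes, registry keys) that actually exist on it.
Check = tuple[str, str]
Endpoint = dict   # {"when": set[str], "present": set[Check]}

HARD = {"REQUIRE", "PROHIBIT"}
SOFT = {"DESIRE", "NOT DESIRE"}


@dataclass
class Rule:
    kind: str                       # REQUIRE / PROHIBIT / DESIRE / NOT DESIRE
    check: Check
    message: Optional[str] = None   # shown to the user on failure, if set
    remediation: Optional[str] = None


@dataclass
class Policy:
    name: str
    when: set = field(default_factory=set)    # every WHEN fact must hold
    rules: list = field(default_factory=list)
    is_global: bool = False


@dataclass
class Result:
    status: str               # "PASS" or "FAIL"
    applied: list             # names of policies applied, in processing order
    message: Optional[str]    # the single message displayed to the user
    remediation: Optional[str]
    log: list                 # (policy, kind, check) for elements that exist


def rule_fails(rule: Rule, endpoint: Endpoint) -> bool:
    exists = rule.check in endpoint["present"]
    # REQUIRE/DESIRE fail when the element is absent;
    # PROHIBIT/NOT DESIRE fail when it is present.
    return (not exists) if rule.kind in ("REQUIRE", "DESIRE") else exists


def evaluate(policies: list, endpoint: Endpoint) -> Result:
    # Assumption of this model: global policies are processed first, then ordered
    # policies, each group alphabetically by name (the note states alphabetical
    # processing and that DESIRE tests start with global policies).
    ordered = sorted(policies, key=lambda p: (not p.is_global, p.name))
    applied, log = [], []
    soft_hit = None   # first DESIRE/NOT DESIRE failure that carries a message
    for policy in ordered:
        if not policy.when <= endpoint["when"]:
            continue          # not all WHEN conditions match: policy not applied
        applied.append(policy.name)
        for rule in policy.rules:
            if rule.check in endpoint["present"]:
                # Only elements that exist are logged, whether the test passes or fails.
                log.append((policy.name, rule.kind, rule.check))
            if not rule_fails(rule, endpoint):
                continue
            if rule.kind in HARD:
                # First hard failure: its message (if any) is shown, processing stops.
                return Result("FAIL", applied, rule.message, rule.remediation, log)
            if soft_hit is None and rule.message:
                soft_hit = rule   # later soft failures are processed but not shown
        if not policy.is_global:
            break                 # an ordered policy passed: endpoint is a PASS
    msg = soft_hit.message if soft_hit else None
    rem = soft_hit.remediation if soft_hit else None
    return Result("PASS", applied, msg, rem, log)


def demo(finance_name: str = "1-Finance", present: Optional[set] = None) -> Result:
    """Constructed policy set and endpoint. Renaming the finance policy so that it
    sorts after the generic "2-Everyone" policy shows the eclipsing problem."""
    agent = ("file", r"C:\finance\agent.dll")
    policies = [
        Policy("0-Global-AV", is_global=True, rules=[
            Rule("DESIRE", ("process", "avengine.exe"), "Start your antivirus", "start-av"),
        ]),
        Policy(finance_name, when={"group:finance"}, rules=[
            Rule("REQUIRE", agent, "Finance agent missing", "install-agent"),
            Rule("PROHIBIT", ("process", "p2p.exe"), "P2P software is prohibited", "kill-p2p"),
        ]),
        Policy("2-Everyone", rules=[
            Rule("REQUIRE", ("registry", r"HKLM\Software\Corp\Managed"), "Unmanaged host", "enroll"),
        ]),
    ]
    # Sample finance host: agent DLL installed, antivirus not running, no P2P.
    host = {"when": {"group:finance"}, "present": present if present is not None else {agent}}
    return evaluate(policies, host)
```

With the default names, the finance host passes "1-Finance" and processing stops there; the only message shown is the antivirus DESIRE from the global policy, and the only log entry is the agent DLL that exists. Renaming the finance policy to "3-Finance" lets "2-Everyone" run first, its REQUIRE on the registry key hard-fails, and the finance policy is never reached.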

Additional Information

« Last Edit: November 19, 2010, 12:41:26 PM by Mike Bobbitt »