Message 1 of 6 (Level 10)

Strategies for ENS/ENSL policy separate assignment Windows/Linux

We have Windows Server, Windows Workstations, and Red Hat Enterprise Linux systems. To maintain separate policies for the operating systems, and because our system tree structure does not separate Linux and Windows but separates by site and function, we have assigned policies by a system tag generated by OS.

What is the common way to do this? Is it correct that policy assignments by tag are honored over policy assignments by system tree? To temporarily modify a policy for a single system, does a second policy assignment rule overrule the first? What is the best way to accomplish that?

We do not use ENS FW on Linux. Exclusion files and paths are different for Windows and Linux.

Thank you


5 Replies

Message 2 of 6 (Level 10)

I will repost in the Endpoint Security Group -

Message 3 of 6 (McAfee Employee)

Policy assignment rules always take precedence over a system tree assignment, whether it is assigned at a group or individual system.

Please also clarify exactly what you mean by this: "To temporarily modify a policy for a single system, does a second policy assignment rule overrule the first? What is the best way to accomplish that?"

You want to avoid policy assignment rules where a system might match the criteria for more than one rule. You might not get the desired policy assigned.

Message 4 of 6 (Level 10)

Thanks for the reply. Here is the scenario I need to protect for.

Let's say RHEL-1 is a system that has the Linux_OS tag, which is dynamically assigned. Therefore, the virus scanning options policy it receives is based on an assignment rule to "Linux_OS". Now, if we need to modify the options policy to temporarily disable on-access scanning as a test, I would need to remove the tag Linux_OS before making an assignment to that system. I would also need to make sure the dynamically assigned tag is not evaluated on each ASCI. Once the test is complete, I would remove the test policy and replace the Linux_OS tag.

The problem with that description, however, is that removing the Linux_OS tag removes all policies assigned to that tag. We just want to swap in a different options policy. Typically this was done by moving the system to a test branch in the system tree, or, if there were several systems in a branch, we could break inheritance and swap in the test policy.

So, I most likely need two more manually assigned tags for Test_OAS and Test_FW that each have all of the policies assigned to Linux_OS, with the exception of the Options for OAS or Options for FW. That seems to be most similar to the system tree test branch idea.

Does that sound workable? Or is there a better method?
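The precedence described in message 3 and the tag-swap workaround described above can be checked with a small resolver model. This is an added illustration, not McAfee code and not the ePO API: it models only what the replies state (a policy assignment rule always beats the system tree assignment, tree assignments are inherited from the nearest ancestor that sets the category, and a system matching two rules for one category is ambiguous). The tag names Linux_OS and Test_OAS come from the thread; the group names, policy names and category labels are constructed for the example.

```python
"""Toy model of ePO policy resolution (constructed example, not McAfee code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    policies: dict = field(default_factory=dict)   # category -> policy name


@dataclass
class System:
    name: str
    group: Group
    tags: set = field(default_factory=set)
    policies: dict = field(default_factory=dict)   # direct system-level assignments


@dataclass
class Rule:
    """Policy assignment rule keyed by one tag (simplification of ePO's rule criteria)."""
    tag: str
    assignments: dict                               # category -> policy name


CATEGORIES = ("Options (OAS)", "Options (FW)", "Exploit Prevention")


def tree_policy(system, category):
    """Nearest assignment walking up the tree: system first, then each parent group."""
    if category in system.policies:
        return system.policies[category]
    group = system.group
    while group is not None:
        if category in group.policies:
            return group.policies[category]
        group = group.parent
    return None


def resolve(system, rules, category):
    """Effective policy and its source; rules beat the tree. Ambiguous matches raise."""
    matches = [(r.tag, r.assignments[category]) for r in rules
               if r.tag in system.tags and category in r.assignments]
    if len(matches) > 1:
        raise ValueError(f"{system.name}: {category} matched rules for tags "
                         f"{sorted(tag for tag, _ in matches)}")
    if matches:
        return matches[0][1], "rule:" + matches[0][0]
    policy = tree_policy(system, category)
    return policy, ("tree" if policy else "none")


def effective(system, rules):
    return {c: resolve(system, rules, c) for c in CATEGORIES}


def build():
    """Constructed tree: a site branch mixing Windows and Linux that only sets Windows policies."""
    enterprise = Group("Enterprise", policies={
        "Options (OAS)": "Win-OAS-Prod", "Options (FW)": "Win-FW-Prod",
        "Exploit Prevention": "Win-EP-Prod"})
    site = Group("Site-A/WebServers", parent=enterprise)
    rhel = System("RHEL-1", group=site, tags={"Linux_OS"})
    # No FW assignment for Linux, as in the thread; FW therefore falls through to the tree.
    linux_rule = Rule("Linux_OS", {"Options (OAS)": "Linux-OAS-Prod",
                                   "Exploit Prevention": "Linux-EP-Prod"})
    return rhel, [linux_rule]


def baseline():
    rhel, rules = build()
    return effective(rhel, rules)


def untag_only():
    """Naive approach: removing Linux_OS drops every policy the rule carried."""
    rhel, rules = build()
    rhel.tags.discard("Linux_OS")
    return effective(rhel, rules)


def swap_to_test_tag():
    """Workaround: Test_OAS carries all Linux_OS assignments except the OAS options policy."""
    rhel, rules = build()
    test_rule = Rule("Test_OAS", {**rules[0].assignments,
                                  "Options (OAS)": "Linux-OAS-Test-NoOAS"})
    rhel.tags = {"Test_OAS"}                        # Linux_OS must not be re-applied meanwhile
    return effective(rhel, rules + [test_rule])


def both_tags_ambiguous():
    """Keeping Linux_OS while adding Test_OAS: two rules match the same category."""
    rhel, rules = build()
    test_rule = Rule("Test_OAS", {**rules[0].assignments,
                                  "Options (OAS)": "Linux-OAS-Test-NoOAS"})
    rhel.tags.add("Test_OAS")
    try:
        effective(rhel, rules + [test_rule])
    except ValueError as err:
        return str(err)
    return "no conflict"
```

Two things the model makes visible: a category the tag rule does not cover (FW here) still inherits from the mixed site branch, so a Linux system can silently pick up a Windows policy there; and if the dynamic Linux_OS tag is re-evaluated while Test_OAS is also present, the same category matches two rules, which is the situation the employee's reply says to avoid.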

 

Message 5 of 6 (McAfee Employee) - Accepted Solution

Yes, that sounds workable, but one question. Are the servers scattered throughout the system tree, or can it be organized so as not to rely on policy assignment rules? In your situation, if they are scattered around, then your workaround might be the best approach.

Message 6 of 6 (Level 10)

Yes, they are scattered. The tree is for the enterprise and is then organized by sites. Each site is organized by functional area, where some branches include both Windows and Linux systems. We have various services segregated.

We may be at a point where a system tree reshuffle is required to segregate Linux systems in their own branch; however, in the virtual system we have seen systems reverted and falling into Lost and Found. In that case, their branch-assigned on-access rules are then incorrect. Then a different job is required to sort the tree by tag.

Thank you for reviewing my thoughts, and I will discuss with our team to see what is going to be best for us.
