Controls

Common UDC Fields

Enter a control statement

This is basically the control name - it's how you'll identify the control in policies, reports and on the controls list.

Select a category

Select the category (and sub-category) this control belongs to. Keep in mind that you (and other users) will be able to search for this control by its category.

Set control criticality

You'll see the criticality in policies and reports whenever control details appear. You can change the criticality level at any time, and overwrite it at the policy level.

Enter comments

This is a place where you can enter notes about the control.

Rationale

Enter a rationale statement describing how the control should be implemented for each technology.

Default Values

Entering default values is a time saver. We'll copy your default values to each technology that you select in the Technologies list below so you don't have to.

Ignore errors

When errors occur during control evaluation, the status for the control instance is Error. Select this option to mark them as Passed instead.

Ignore "item not found" error

A UDC control returns error code 2 "item not found" when the latest scan did not find the data required for control evaluation (e.g. a file, a registry key, or a setting within a file or registry key). Enable this option to return the status Passed or Failed instead of Error when error code 2 "item not found" is returned. You'll choose the status you'd like to return in the policy's control settings.

Tip - If you select this option, the Ignore errors setting is not applied to controls that return the "item not found" error. Those controls will be evaluated according to your policy and status will be set to Passed or Failed.

Select technologies

This is where you set the expected control value for each technology. If you entered default values above then we've copied those values here to save you time. Feel free to overwrite the values, as needed.

Add control references

Add references to internal policies, documents and web sites. For each reference, enter a description, a URL (starting with http://, https:// or ftp://) or both.

File/Directory Integrity Checks (Windows and Unix)

Use scan data as expected value

Select this option and we'll set the expected value for you based on the actual value returned by the scan. To update the value automatically, you must also enable the "Auto Update expected value" option in your compliance profile.

Select the digest hash type

This is the algorithm that will be used to compute the file/directory digest.

Include permission monitor

Select this option to consider permission changes when calculating the file/directory digest.

File System Object Types

Only file object type is supported for this control.
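
Why the permission monitor option matters for an integrity check, as an added Python example (not the product's implementation): a permission-only change leaves a content digest unchanged. How permissions are folded into the digest, and the names `file_digest`, `evaluate` and `demo`, are assumptions of this sketch; the sample file is constructed.

```python
import hashlib
import os
import stat
import tempfile

def file_digest(path, algo="sha256", include_permissions=False):
    """Digest of the file content; optionally also covers mode and ownership."""
    h = hashlib.new(algo)                      # the selected digest hash type
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    if include_permissions:
        st = os.stat(path)
        # Assumption: append mode bits and owner IDs to the hashed data.
        meta = f"|mode={stat.S_IMODE(st.st_mode):04o}|uid={st.st_uid}|gid={st.st_gid}"
        h.update(meta.encode())
    return h.hexdigest()

def evaluate(path, expected, **options):
    """Compare the current digest with the expected value."""
    return "Passed" if file_digest(path, **options) == expected else "Failed"

def demo():
    """Baseline a constructed file, change only its permissions, re-evaluate."""
    fd, path = tempfile.mkstemp(prefix="udc_fim_")
    os.write(fd, b"PermitRootLogin no\n")      # constructed sample content
    os.close(fd)
    os.chmod(path, 0o600)
    # "Use scan data as expected value": the first scan supplies the baseline.
    expected_plain = file_digest(path)
    expected_perm = file_digest(path, include_permissions=True)
    os.chmod(path, 0o666)                      # content untouched
    result = (evaluate(path, expected_plain),
              evaluate(path, expected_perm, include_permissions=True))
    os.remove(path)
    return result

if __name__ == "__main__":
    print(demo())
```
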

Unix Directory Search UDC

Tell us where to search

Point us at the directory you want to search. Be as specific as you can to reduce the search time (there is a search time limit). Then make additional settings that tell us how many levels we should search within the directory, and what to do when we come across other file systems and symbolic links.

File/Directory Name

Use these fields to find files and directories based on the name. You'll notice that * is used by default for the File Name Include and Directory Name Include, meaning that all files will be a match.

File Permissions

For each permission, tell us if the permission should be set on the file (Yes) or not (No). Select Any if either setting is fine. Then select Match All to only return files that match all of your permission settings. Select Match Some to return files that match at least one of your permission settings. Select Exclude to return only files that match none of your permission settings, that is, to leave out any file that has at least one of them.

File System Object Types

Select each file system object type you want to include in the search. You can include all types or limit the search to only select types.

File Owner

Identify the users and groups that you want to match. You can identify users and groups either by name or ID.

Set search limits

Each time we look for this control we'll consider the search time limit and the match limit. If we hit either limit we'll stop the search.

Control Data Type and Description

The actual value returned for this control is a String List, meaning we'll return a list of matches in the scan results.
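
The search settings described in this section (levels, File Name Include, Yes/No/Any permissions with Match All, Match Some and Exclude, and the two limits), modelled in Python as an added example that is not the product's code. `search`, `perms_match`, `PERM_BITS` and the sample tree are hypothetical names and constructed data; only regular files and three permission bits are covered.

```python
import fnmatch, os, stat, tempfile, time

# Illustrative subset of permissions; the names are this example's own.
PERM_BITS = {"group_write": stat.S_IWGRP, "other_read": stat.S_IROTH,
             "other_write": stat.S_IWOTH}

def perms_match(mode, wanted, how):
    """wanted: name -> True (Yes) / False (No); 'Any' means the name is omitted."""
    hits = [bool(mode & PERM_BITS[n]) == want for n, want in wanted.items()]
    if not hits:
        return True                       # every permission left at Any
    if how == "all":
        return all(hits)                  # Match All
    if how == "some":
        return any(hits)                  # Match Some
    if how == "exclude":
        return not any(hits)              # Exclude
    raise ValueError(f"unknown match mode: {how}")

def search(base, include="*", levels=1, wanted=None, how="all",
           match_limit=100, time_limit=5.0):
    """Return relative paths of matching regular files (a string list)."""
    deadline, found = time.monotonic() + time_limit, []
    for root, dirs, files in os.walk(base, followlinks=False):
        dirs.sort()
        if root[len(base):].count(os.sep) >= levels:
            dirs[:] = []                  # do not descend past the level limit
        for name in sorted(files):
            if len(found) >= match_limit or time.monotonic() > deadline:
                return found              # stop at whichever limit is hit first
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if (stat.S_ISREG(mode) and fnmatch.fnmatch(name, include)
                    and perms_match(mode, wanted or {}, how)):
                found.append(os.path.relpath(path, base))
    return found

def build_sample():
    """Constructed sample tree (not real scan data) so the example runs offline."""
    base = tempfile.mkdtemp(prefix="udc_demo_")
    os.makedirs(os.path.join(base, "etc", "deep", "deeper"))
    for rel, mode in [("etc/app.conf", 0o644), ("etc/world.conf", 0o666),
                      ("etc/group.conf", 0o660), ("etc/private.key", 0o600),
                      ("etc/deep/deeper/far.conf", 0o666)]:
        path = os.path.join(base, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return base
```
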

Windows Directory Search UDC

Tell us where to search

Point us at the directory you want to search. Be as specific as you can to reduce the search time (there is a search time limit). Then tell us how many levels we should search within the directory.

File System Object Types

Tell us whether you want to search directories, files or both.

Create a list of principals

Want to search for files/directories based on what users can access? Create a list of principals (groups and users) to include in the search and then go to the Permissions section to tell us the permissions you want to match.

Select permissions

Choose All to only return files that match all of the selected permissions. Choose Any to return files that match at least one of the permissions.