To get to this page: Select Controls from the left menu. Go to New > Control. Click Get Started for the File/Directory Permission control type. (Or click edit for any control of this type you want to change.)

New/Edit Control: File/Directory Permission (Windows)

The File/Directory Permission control type checks permissions that are set on a Windows file or folder for different user groups and individual users. To save space, the compliance module assigns each permission a letter (A,B,C,D,...) and uses the letter instead of the full permission name. You must use the same mapping when setting the default expected value for the control. See File/Directory Permissions for a table that maps each permission to the letter it represents.

 


General Information

In the General Information section, provide basic information for the control, including a control statement and category. See General Information for details.

 


Scan Parameters

In the Scan Parameters section, specify the scan parameters that the scanning engine will use to gather data for the control. Combined, the scan parameters make up a single data point. You must also enter a description for the data point, which will appear in compliance policies and reports.

File/Directory path. Enter the full path to the file or directory on your Windows system that will be checked.

Data Type. (View only) The data type of the value returned by the scanning engine. For a file/directory permission control this is set to "String List" by default.

Description. Enter a description for the custom control which will appear in compliance policies and reports.

Click Add to add parameters and close the Scan Parameters window. You will notice the Edit Parameters button is available. Click this button to edit parameters before saving the control.

See also:

Add/Edit Scan Parameters in a New Control

Update the Data Point Description in an Existing Control

 


Control Technologies

In the Control Technologies section, identify the technologies applicable to the control. For each technology, provide a rationale statement, select a cardinality, select an operator, and set the default control value.

Rationale

Enter a rationale statement describing how the control should be implemented for each technology.

Cardinality

Select a cardinality. Several cardinality options appear as shown in the table below. X represents the value returned by the scanning engine and Y represents the expected value defined for the control.

Cardinality        You are compliant when
contains           X contains all of Y
does not contain   X does not contain any of Y
matches            all strings in X match all strings in Y (listed in any order)
intersects         any string in X matches any string in Y
is contained in    all strings in X are contained in Y

 

Select the Lock Cardinality option to lock the cardinality. When locked, users cannot change the cardinality in the Policy Editor.

Operator

Select an operator. Select the operator "regular expression list" if you are specifying the default value as a list of regular expressions that you want to compare the results to. Select the operator "string list" if you are specifying the default value as a list of string values that you want to compare the results to.  

Select the Lock Operator option to lock the operator. When locked, users cannot change the operator in the Policy Editor.

Default Value

Enter the default expected value for each technology. The compliance module assigns each permission a letter (A,B,C,D,...) and uses the letter instead of the full permission name. You must use the same mapping when setting the default value for the control. When entering a list of permissions for a user or user group, separate each permission with a colon (:). For example, if the Users group has Read permissions on a file, then you would enter Users:B:F:I:M. When entering permissions for multiple users or user groups, enter each user/group on a separate line. See File/Directory Permissions for a table that maps each permission to the letter it represents.

Select the Lock Value option to lock the default value. When locked, users cannot change the default value in the Policy Editor.

Regular Expression: See Regular Expression Symbols for standard symbols and their meanings. The compliance module implements Perl Compatible Regular Expressions (PCRE) following the PCRE standard. For information on this standard, go to http://www.pcre.org/. For information on building proper regular expressions for controls using this standard, go to http://perldoc.perl.org/perlre.html. Note that users should escape special characters in PCRE regular expressions for string matching to occur correctly:

( ) [ ] | ^ $ -

For example, to match the string "(cs" you must enter "\(cs" (add backslash before the special character).
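The cardinality table, the two operators and the escaping rule above can be worked through offline. The following is an added example, not code from the compliance module: the function names, the whole-entry regex matching, the use of Python's re module in place of PCRE, and the Everyone entry are assumptions made for illustration.

```python
import re

# Characters the page says must be backslash-escaped for literal matching.
SPECIAL = "()[]|^$-"

def escape_literal(text):
    """Backslash-escape the special characters listed on the page."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in text)

def _hit(actual, expected, operator):
    """True when one returned entry satisfies one expected entry."""
    if operator == "string list":
        return actual == expected
    if operator == "regular expression list":
        # Assumption: a pattern must match the whole entry.
        return re.fullmatch(expected, actual) is not None
    raise ValueError(f"unknown operator: {operator}")

def compliant(x, y, cardinality, operator="string list"):
    """Evaluate the cardinality table: x is the returned list, y the expected list."""
    y_found = [any(_hit(a, e, operator) for a in x) for e in y]  # each Y seen in X?
    x_known = [any(_hit(a, e, operator) for e in y) for a in x]  # each X allowed by Y?
    if cardinality == "contains":
        return all(y_found)
    if cardinality == "does not contain":
        return not any(y_found)
    if cardinality == "matches":
        return all(y_found) and all(x_known)
    if cardinality == "intersects":
        return any(y_found)
    if cardinality == "is contained in":
        return all(x_known)
    raise ValueError(f"unknown cardinality: {cardinality}")

# Constructed sample data: the page's Users:B:F:I:M entry plus one extra entry.
EXPECTED = ["Users:B:F:I:M"]
RETURNED = ["Users:B:F:I:M", "Everyone:B:F:I:M"]

if __name__ == "__main__":
    for c in ("contains", "does not contain", "matches", "intersects", "is contained in"):
        print(f"{c:17} -> {compliant(RETURNED, EXPECTED, c)}")
    print(escape_literal("(cs"))
```

With this constructed data, "contains" and "intersects" report compliance even though an entry outside the expected list is present, while "matches" and "is contained in" do not.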

 


References

In the References section, add or remove references to internal policies and documents. See References for details.