Understanding the vGW Series Enforcer Profiles Tab

This topic describes the vGW Series Introspection module’s Enforcer Profiles tab. It explains how to use the Enforcer Profiles screen to create profiles that allow you to compare VMs to Gold Images. It covers the information that you select or specify to create or modify a profile.

You use the Image Enforcer to compare VMs to VM templates or to active VMs whose configurations are valid and desirable and that are elevated to the status of Gold Images. Based on the outcome of the comparison scan, you can take actions such as quarantining VMs that deviate from the Gold Image, or adding or removing applications from a VM to bring it into conformance.

When VMs are quarantined, they are added to the Quarantine Policy Group. When you select a quarantined VM that is in the group, the Main module dashboard is displayed, showing compliance status for the VM, its top talkers, and IDS alerts for it.

You can select the Main module Quarantine tab to take action on the VM. The Main module Quarantine tab displays information about VMs that have been quarantined as a result of AntiVirus, Compliance, or Image Enforcer scans. Using it, you can view the time that the VM was quarantined, when it was removed from quarantine, and the reason that it was quarantined.

Before you read this topic, read Understanding the vGW Security Design VM Introspection Image Enforcer Feature.

About the Enforcer Profiles Screen

When you select the Introspection module Enforcer Profiles tab, the Enforcer Profiles screen is displayed. Information shown in this screen reflects the profiles that you have already configured, if any. You add a new Enforcer Profile from this screen.

Figure 72: vGW Series Introspection Module Enforcer Profiles Tab

When you add a new profile, you give it a name that then appears in the profiles list. For each profile, the list shows the Gold Image that you selected for it and the VMs compared against it.

The Add Enforcer Profile Pane

To add a new profile, click Add beneath the Enforcer Profiles pane. The Add Enforcer Profile pane appears. You use this pane to configure Enforcer profiles that cover parameters for a comparison scan. In this pane, you select the Gold Image to use for the comparison, specify match criteria that define the comparison, and specify actions to take after the scan completes. You can also specify conditions that exempt VMs from certain requirements, and whether the vGW Security Design VM should quarantine a noncompliant VM.

Figure 73: Adding a vGW Series Introspection Module Image Enforcer Profile

Table 7: Add Enforcer Profile: Selecting the Gold Image and VMs to Be Compared Against It

| Field | Specifies |
|---|---|
| Name | A name for the profile that suggests its contents. |
| Description | A description of the profile that indicates what it is used for. |
| Gold Image | The VM template or VM to use as the Gold Image for this comparison. You use the Gold Image selection list to select either an existing template or VM. Using the option button at the bottom of the selection list, you can choose to see all Gold Image candidates or only templates or VMs. Note: After you elevate a template or VM to the status of a Gold Image, it is moved to the Gold Images group in the Monitoring Group section of the VM tree. |
| VM Groups | The VM groups or VMs whose configurations you want to compare against the selected Gold Image. Use the arrow buttons to include or remove a VM group or VM from the profile. |

Table 8: Edit Enforcer Profile Options

| Option | If you select this check box, you specify that |
|---|---|
| Apps matching previous scan are acceptable | If a VM was previously scanned against the profile’s Gold Image and matched it, but it no longer does, the VM is allowed. In this case, a Gold Image might have been updated and re-scanned. Because it takes time to update the VMs specified in the Enforcer Profile group, they are allowed as matching during the transition. |
| VMs can deviate from 100% match | A VM compared against the profile’s Gold Image is allowed to deviate from it in any of the ways that you specify by selecting options identified in Table 9. |
| Ignore differences in inspected registry keys | You permit differences in registry key application settings from those of the Gold Image. |

Table 9: VM Gold Image Allowed Deviations

| Option | If you select this check box, you specify that |
|---|---|
| Removal of apps is acceptable | vGW Series is permitted to remove from the VM an application that does not exist on the Gold Image. |
| Additions of known apps is acceptable | If an application is part of a Gold Image, it is classified as known. |
| App version mismatch is acceptable | The VM can contain an older or more recent version of an application than the one that exists on the Gold Image. |
| Hot fixes are excluded | Hot fixes are exempted from the comparison and are allowed on the VM. |

Caution: Selecting the “App version mismatch is acceptable” option allows a VM to contain an older or more recent version of an application than the one that exists on the Gold Image, but the option might not take effect. For example, an application might have a version number as part of its program name on the MS Windows control panel. In this case, the version number might not be recognized and vGW Series would not allow the deviation. The actions that you specify in the Actions section of the Add Enforcer Profile pane would then be enacted on the VM.
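The following Python example is added here to illustrate the caution above; it is not vGW Series code. It assumes that applications are matched by exact display name, and the App class, compare function, and sample inventories are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str            # display name as listed in the installed-programs inventory
    version: str
    hotfix: bool = False

def compare(gold, vm, allow_version_mismatch=False, exclude_hotfixes=False):
    """Return a sorted list of (kind, app name) deviations of vm from gold.

    Assumption for this example: apps are matched by exact display name.
    This is a simplified model, not documented vGW Series behavior.
    """
    def index(apps):
        # Hot fixes drop out of the comparison entirely when excluded.
        return {a.name: a for a in apps if not (exclude_hotfixes and a.hotfix)}

    g, v = index(gold), index(vm)
    deviations = [("missing", n) for n in g.keys() - v.keys()]
    deviations += [("added", n) for n in v.keys() - g.keys()]
    for name in g.keys() & v.keys():
        # A version difference only counts when the names matched first.
        if g[name].version != v[name].version and not allow_version_mismatch:
            deviations.append(("version", name))
    return sorted(deviations)

# Constructed sample inventories (not real product output).
GOLD = [App("Example Editor", "2.1"), App("Sample Reader 9", "9.0")]
VM = [App("Example Editor", "2.3"),          # version held in its own field
      App("Sample Reader 10", "10.0"),       # version embedded in the name
      App("KB0000001", "1", hotfix=True)]    # placeholder hot fix entry

def demo():
    strict = compare(GOLD, VM)
    relaxed = compare(GOLD, VM, allow_version_mismatch=True,
                      exclude_hotfixes=True)
    return strict, relaxed

if __name__ == "__main__":
    for label, result in zip(("strict", "relaxed"), demo()):
        print(label, result)
```

With both allowances enabled, "Example Editor" passes, but "Sample Reader" is still reported as one missing and one added application, because its version is part of the name and is never compared as a version.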

Table 10 identifies the actions that you can direct vGW Series to take following a comparison scan.

Table 10: Actions

| Option | If you select this check box, you direct vGW Series to . . . |
|---|---|
| Rescan immediately when template is changed | Automatically run the comparison of the VM against the Gold Image again whenever a template that is used as a Gold Image is changed by being converted to a VM, modified, and then converted back to a template. |
| Create compliance rule to track state of VMs | Automatically define a compliance rule derived from the Gold Image configuration and take the actions that you select in Table 11. |

Table 11: Compliance Rule Specifications

| Option | Directs vGW Series to |
|---|---|
| Alert On Deviation | Notify you when the VM deviates from the Gold Image. |
| Quarantine VMs which are out of compliance | Quarantine VMs whose configurations do not conform with that of the Gold Image, taking into account the allowances that you specify as options described in Table 9. |
