I distributed an invalid policy to multiple hosts using Policy Manager Console. How can I troubleshoot this or identify which settings were changed and to which hosts it was distributed?

Customer_Care Posts: 548 F-Secure Employee

Issue:

I distributed an invalid policy to multiple hosts using Policy Manager Console. How can I troubleshoot this or identify which settings were changed and to which hosts it was distributed?

Resolution:

To locate this information, you can use the audit log files on the server running Policy Manager.

  • fspms-domain-tree-audit.log
Below is an example of this log file:
10.10.2019 13:21:59,139 INFO [audit.domainTree] - User 'admin' deleted host with identity 79fee1c5-e85b-4a90-b462-09354abb56fd (id=3)
10.10.2019 13:22:06,519 INFO [audit.domainTree] - User 'admin' moved host with identity b8a4bb94-2a9a-4830-b45b-8e45a531279c (id=36) to domain CS 14 hosts (id=4)
22.10.2019 14:14:12,929 INFO [audit.domainTree] - User 'admin' deleted host with identity f4ef246e-61c2-4ac1-949b-f0d3d3be4aa3 (id=35)
28.10.2019 10:54:20,208 INFO [audit.domainTree] - User 'admin' added domain test domain (id=39) to domain Root (id=1)

This log file records host and domain operations (including operations on the root domain). The operations are: add, remove, rename and move.
In our example, the last line shows that the user 'admin' added a new sub-domain "test domain" with id=39.

The other file of interest is:
  • fspms-policy-audit.log
Below is an example of this log file:
23.10.2019 12:22:02,929 INFO [audit.policy] - type="lockedOnClient", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.60", oldValue="false", newValue="true"
23.10.2019 12:22:02,929 INFO [audit.policy] - type="lockedOnClient", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="false", newValue="true"
23.10.2019 12:22:52,528 INFO [audit.policy] - User="admin" applied the following policy changes:
23.10.2019 12:22:52,528 INFO [audit.policy] - type="setting", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="null", newValue="c:\test\printfile_release.exe"
23.10.2019 12:23:19,545 INFO [audit.policy] - User="admin" applied the following policy changes:
23.10.2019 12:23:19,545 INFO [audit.policy] - type="setting", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="c:\test\printfile_release.exe", newValue=""
23.10.2019 12:34:32,557 INFO [audit.policy] - User="admin" applied the following policy changes:

This log file provides the audit trail for setting changes: which setting was changed, by which user, and from which old value to which new value.

The sub-domain in Policy Manager Console is identified by the domainId. The actual setting is identified by the OID:
23.10.2019 12:22:52,528 INFO [audit.policy] - type="setting", domainId="36", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="null", newValue="c:\test\printfile_release.exe"

How do we find the setting 1.3.6.1.4.1.2213.12.1.111.2.100.100.61 in Policy Manager Console?
This is perhaps the trickiest part, because there is no list of settings and their OIDs available. However, you can find the setting by browsing the settings tree in Policy Manager Console.

The part of the OID that identifies F-Secure as the vendor is 1.3.6.1.4.1.2213. The remainder identifies the application and the specific setting within that application. In our example the remainder is:

12.1.111.2.100.100.61

See screenshot capture1.png: by selecting "F-Secure Anti-Virus" in Policy Manager Console, you can see that the application "F-Secure Anti-Virus" has "Object identifier" = 1.3.6.1.4.1.2213.12.
[Screenshot: capture1.png, the "F-Secure Anti-Virus" node and its Object identifier in Policy Manager Console]

When we go further into the settings of "F-Secure Anti-Virus", we can locate the relevant setting here:

- F-Secure Anti-virus 
  -> Settings
    -> Settings for real-time protection
       -> Scanning options
          -> File scanning 
             -> Inclusions and exclusions
                -> Excluded processes.

To give an example using the syntax we saw in fspms-policy-audit.log:
23.10.2019 12:22:52,528 INFO [audit.policy] - User="admin" applied the following policy changes:
23.10.2019 12:22:52,528 INFO [audit.policy] - type="setting", domainId="39", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="null", newValue="c:\test\printfile_release.exe"

Based on what we have learned, this entry translates to: the Policy Manager Console user "admin" applied the process exclusion "c:\test\printfile_release.exe" to the domain "test domain" (the domainId 39 was matched to its domain name in fspms-domain-tree-audit.log).
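The manual cross-referencing described above (domainId from fspms-domain-tree-audit.log, user and old/new values from fspms-policy-audit.log, and the vendor/application/setting split of the OID) can be automated when many changes have to be reviewed. The following Python script is an added example and is not part of the article or of Policy Manager; the log lines it parses are constructed in the formats shown above, the line layouts are assumed to be exactly those shown (in particular, the User="..." line is assumed to precede the setting lines it applies to), and the only OID names it knows are the two the article identifies (application arc 12 = "F-Secure Anti-Virus", and the "Excluded processes" setting). Any other OID is reported unresolved rather than guessed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the formats shown in the article; they are not
# copied from any real Policy Manager server.
DOMAIN_TREE_LOG = """\
10.10.2019 13:22:06,519 INFO [audit.domainTree] - User 'admin' moved host with identity b8a4bb94-2a9a-4830-b45b-8e45a531279c (id=36) to domain CS 14 hosts (id=4)
28.10.2019 10:54:20,208 INFO [audit.domainTree] - User 'admin' added domain test domain (id=39) to domain Root (id=1)
"""

POLICY_LOG = r"""23.10.2019 12:22:02,929 INFO [audit.policy] - type="lockedOnClient", domainId="39", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="false", newValue="true"
23.10.2019 12:22:52,528 INFO [audit.policy] - User="admin" applied the following policy changes:
23.10.2019 12:22:52,528 INFO [audit.policy] - type="setting", domainId="39", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="null", newValue="c:\test\printfile_release.exe"
23.10.2019 12:23:19,545 INFO [audit.policy] - User="admin" applied the following policy changes:
23.10.2019 12:23:19,545 INFO [audit.policy] - type="setting", domainId="39", OID="1.3.6.1.4.1.2213.12.1.111.2.100.100.61", oldValue="c:\test\printfile_release.exe", newValue=""
"""

FSECURE_ENTERPRISE_OID = "1.3.6.1.4.1.2213"
# Names taken from the article; everything else stays unresolved on purpose.
KNOWN_APPLICATIONS = {"12": "F-Secure Anti-Virus"}
KNOWN_SETTINGS = {
    "1.3.6.1.4.1.2213.12.1.111.2.100.100.61":
        "F-Secure Anti-Virus > Settings > Settings for real-time protection > "
        "Scanning options > File scanning > Inclusions and exclusions > Excluded processes",
}

# "domain <name> (id=N)" occurs in add/move lines; host ids have no "domain " prefix.
DOMAIN_RE = re.compile(r"\bdomain (?P<name>.+?) \(id=(?P<id>\d+)\)")
USER_RE = re.compile(r'User="(?P<user>[^"]+)" applied the following policy changes:')
CHANGE_RE = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d{3}) INFO \[audit\.policy\] - '
    r'type="(?P<type>[^"]*)", domainId="(?P<domain>\d+)", OID="(?P<oid>[\d.]+)", '
    r'oldValue="(?P<old>[^"]*)", newValue="(?P<new>[^"]*)"'
)


@dataclass
class PolicyChange:
    timestamp: str
    user: Optional[str]          # None when no User="..." line preceded the change
    change_type: str             # "setting", "lockedOnClient", ...
    domain_id: int
    oid: str
    old_value: str
    new_value: str
    domain_name: Optional[str] = None
    application: Optional[str] = None
    setting: Optional[str] = None


def split_oid(oid: str) -> Optional[Tuple[str, str, str]]:
    """Split an F-Secure OID into (enterprise prefix, application arc, setting path).
    Returns None for OIDs outside the F-Secure subtree."""
    prefix = FSECURE_ENTERPRISE_OID + "."
    if not oid.startswith(prefix):
        return None
    parts = oid[len(prefix):].split(".", 1)
    if len(parts) != 2:
        return None
    return FSECURE_ENTERPRISE_OID, parts[0], parts[1]


def parse_domain_tree(text: str) -> Dict[int, str]:
    """Map domain id -> domain name from fspms-domain-tree-audit.log lines.
    The latest mention of an id wins, so a later rename (format not shown in the
    article) would override an earlier name if it uses the same "domain X (id=N)" form."""
    names: Dict[int, str] = {}
    for line in text.splitlines():
        if "[audit.domainTree]" not in line:
            continue
        for m in DOMAIN_RE.finditer(line):
            names[int(m.group("id"))] = m.group("name")
    return names


def parse_policy_log(text: str) -> List[PolicyChange]:
    """Parse fspms-policy-audit.log, attributing each change to the user named
    on the most recent 'applied the following policy changes' line."""
    changes: List[PolicyChange] = []
    current_user: Optional[str] = None
    for line in text.splitlines():
        u = USER_RE.search(line)
        if u:
            current_user = u.group("user")
            continue
        m = CHANGE_RE.match(line)
        if m:
            changes.append(PolicyChange(m.group("ts"), current_user, m.group("type"),
                                        int(m.group("domain")), m.group("oid"),
                                        m.group("old"), m.group("new")))
    return changes


def describe_changes(policy_text: str, tree_text: str) -> List[PolicyChange]:
    """Correlate both logs: resolve domain names and the known OID names."""
    names = parse_domain_tree(tree_text)
    changes = parse_policy_log(policy_text)
    for c in changes:
        c.domain_name = names.get(c.domain_id)
        parts = split_oid(c.oid)
        if parts:
            c.application = KNOWN_APPLICATIONS.get(parts[1])
        c.setting = KNOWN_SETTINGS.get(c.oid)
    return changes


def format_change(c: PolicyChange) -> str:
    """One human-readable line per change, in the spirit of the article's translation."""
    who = c.user or "<unknown user>"
    where = f'domain "{c.domain_name}" (id={c.domain_id})' if c.domain_name else f"domain id={c.domain_id}"
    what = c.setting or f"unresolved OID {c.oid}"
    return f"{c.timestamp} {who} changed {c.change_type} [{what}] on {where}: {c.old_value!r} -> {c.new_value!r}"


if __name__ == "__main__":
    for change in describe_changes(POLICY_LOG, DOMAIN_TREE_LOG):
        print(format_change(change))
```

On a real server, read the two files into `POLICY_LOG` and `DOMAIN_TREE_LOG` instead of the constructed samples, and extend `KNOWN_SETTINGS` with OIDs you have resolved by browsing the settings tree in Policy Manager Console as the article describes; unresolved OIDs are printed as such so they can be looked up the same way.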


Article no: 000017432
