
Method to selectively apply policies to target systems

IP.com Disclosure Number: IPCOM000200005D
Publication Date: 2010-Sep-23
Document File: 3 page(s) / 46K

Publishing Venue

The IP.com Prior Art Database

Abstract

In a policy driven configuration management system it is sometimes difficult to target policies to systems that are able to execute them (applicability problem). Also when policies are selectively applied to target systems, when the characteristics of a target system change it is usually necessary some time before the system reacts to the change (latency problem). This article describes a solution to the applicability and latency problems.

This is the abbreviated version, containing approximately 35% of the total text.


In a policy driven configuration management system, each target computer (or set of target computers) is associated with a set of policies. A policy is basically composed of a condition to check and a remediation action that is executed if the condition evaluates to false. To better understand the policy concept, consider an example policy that installs software: the check condition verifies whether the software is installed (for example by querying the installation registry of the Microsoft Software Installation engine) and the remediation action installs the software. So if the software is not installed, the check condition evaluates to false and thus the software installation command is executed. Once a policy is associated with a target system, the target system periodically evaluates the check condition and, in case of failure, performs the remediation: considering the example above, the first time the policy is executed it installs the software if it was not already installed.

A policy model based only on the compliance condition and a remediation action forces the system administrators to know in advance to which computers a policy applies. Some examples:

1. A policy written for Windows XP computers cannot be targeted to Linux computers;

2. A policy that requires a patch for application Abc should not be targeted to computers that do not have the base version of the software Abc;

3. A policy that enforces a given service to be running and properly configured (e.g. AntiVirus) does not apply to computers that do not have the service installed.

Usually, systems management solutions run inventory scans to collect the information needed to know in advance the characteristics of the managed endpoints (e.g. hardware characteristics, installed software). Only at that point are the system administrators able to send the right policies to the right computers, and only at that point are the managed computers fully protected, because the agent continuously processes the right policies.

This creates a latency problem: the administrator has to wait for the inventory scan to execute and its results to be uploaded, and only then can the policy be sent to the right targets. The latency can also create undesired side effects: consider the case of a policy that applies only to Windows XP systems. When the system is upgraded to Windows Vista, the agent continues to execute the policy until the administrator receives a new inventory scan and decides to remove the policy from the target. This could create problems if the policy was intended only for Windows XP and not for Windows Vista.
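The policy model described above (check condition plus remediation action, evaluated periodically by an agent) and the latency problem it creates can be made concrete with a small simulation. The following is an added example, not code from the disclosure; the `Target`, `Policy`, `Agent` and `target_from_inventory` names, the `legacy_mode` setting and the assumption that an OS upgrade resets that setting are all constructed for illustration. It reproduces the Windows XP to Windows Vista scenario: targeting is decided from an inventory snapshot, so after the upgrade the XP-only policy keeps being evaluated and remediated on a Vista host until a new scan arrives and the administrator retargets.

```python
"""Added example (not from the disclosure): a minimal model of a
policy-driven configuration management agent and of the latency problem
caused by targeting policies from stale inventory data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Target:
    """A managed endpoint with its live characteristics (hypothetical model)."""
    name: str
    os: str
    installed: Set[str] = field(default_factory=set)
    settings: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)


@dataclass
class Policy:
    """A check condition plus a remediation action, as in the text."""
    name: str
    check: Callable[[Target], bool]
    remediate: Callable[[Target], None]


class Agent:
    """Per-target agent that re-evaluates its assigned policies each cycle."""

    def __init__(self, target: Target) -> None:
        self.target = target
        self.policies: List[Policy] = []

    def run_cycle(self) -> List[str]:
        """One periodic pass; returns the names of policies that remediated."""
        remediated: List[str] = []
        for policy in self.policies:
            if not policy.check(self.target):
                policy.remediate(self.target)
                self.target.log.append(f"{policy.name} on {self.target.os}")
                remediated.append(policy.name)
        return remediated


def install_policy(software: str) -> Policy:
    """The software-install policy from the text: check installed, else install."""
    return Policy(
        name=f"install-{software}",
        check=lambda t: software in t.installed,
        remediate=lambda t: t.installed.add(software),
    )


def setting_policy(key: str, value: str) -> Policy:
    """Enforce a configuration setting (stands in for an OS-specific tweak)."""
    def fix(t: Target) -> None:
        t.settings[key] = value
    return Policy(name=f"set-{key}",
                  check=lambda t: t.settings.get(key) == value,
                  remediate=fix)


def target_from_inventory(inventory: Dict[str, str], agents: Dict[str, Agent],
                          policy: Policy, required_os: str) -> List[str]:
    """Administrator step: (un)assign the policy using the last inventory
    scan results, not the live state of the endpoint."""
    chosen: List[str] = []
    for name, agent in agents.items():
        matches = inventory.get(name) == required_os
        assigned = policy in agent.policies
        if matches and not assigned:
            agent.policies.append(policy)
        elif assigned and not matches:
            agent.policies.remove(policy)
        if matches:
            chosen.append(name)
    return chosen


def simulate_latency_problem() -> Dict[str, object]:
    """Constructed scenario from the text: the inventory says 'xp', the host
    is then upgraded to 'vista', and the XP-only policy keeps executing
    until a new scan arrives and the administrator retargets."""
    host = Target("host1", os="xp")
    agents = {"host1": Agent(host)}
    xp_tweak = setting_policy("legacy_mode", "on")

    inventory = {"host1": host.os}                     # scan 1: xp
    targeted = target_from_inventory(inventory, agents, xp_tweak, "xp")
    agents["host1"].run_cycle()                        # remediates on xp

    host.os = "vista"                                  # upgrade after the scan
    host.settings.clear()                              # constructed: upgrade resets it
    remediated_on_vista = agents["host1"].run_cycle()  # policy still assigned
    assigned_after_upgrade = xp_tweak in agents["host1"].policies

    inventory = {"host1": host.os}                     # scan 2: vista
    target_from_inventory(inventory, agents, xp_tweak, "xp")
    assigned_after_rescan = xp_tweak in agents["host1"].policies

    return {
        "targeted": targeted,
        "remediations_on_vista": remediated_on_vista,
        "assigned_after_upgrade": assigned_after_upgrade,
        "assigned_after_rescan": assigned_after_rescan,
        "log": host.log,
    }


if __name__ == "__main__":
    print(simulate_latency_problem())
```

The returned dictionary shows the two sides of the problem: `remediations_on_vista` is non-empty because the agent has no applicability knowledge of its own, and `assigned_after_rescan` only becomes false once the second inventory scan reaches the administrator, which is the window of latency the text describes.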

There are cases where the applicability of the policy depends on characteristics of the target computer that are not detected by standard inventory scans and that are subject to frequent changes. The process described above cannot be applied at all. Think of this exa...