Creating and Using Deviation Profiles
It's not unusual to find that completely locking down a system to be fully compliant with the prescribed security policy breaks the usability of a machine. To account for needed local deviations from security policy, Prime allows you to create what we call a Deviation Profile. This profile can then be automatically applied when doing future assessments, and the final scoring and reports will account for your approved deviations from policy.
To create a deviation profile switch Prime to the Advanced interface, then select the target and benchmark you need to create deviation(s) for. This is best done by installing Prime directly on the machine to be profiled, but with the exception of a couple of rules can also be done remotely. The target needs to be a machine that is already configured to be as close to policy as is possible. To make it easier to get to this state you can use the remediation and undo abilities of Prime. And don't forget that you can right-click on individual rules in the Prime interface to remediate/undo a single rule at a time.
To create the deviation profile, start the Deviation Manager by clicking the Change button in the Deviations section at the top of the Prime main window or from under the Deviations menu. Use the Browse button to select a file name and location where you want the completed profile to be stored. Secutor deviation files can hold multiple profiles, so it's OK to select an existing file. If you select an existing file the Select button will show you a list of existing profiles -- just click on one to select it. You will also need to add information for each item in the Identification portion of the Deviation Manager before you can create your profile. This information will be filled in already if you are using an existing deviation file.
When you have completely filled in all fields the Profile Now button will become active. Simply click it to begin. Prime will then do a full assessment of the loaded benchmark, and for every rule that does not pass you will be presented with an option to create a deviation for that rule along with justification text, POAM information, and the date when the deviation for the rule expires. If the failed rule is not one that should receive a deviation, click Skip to continue, or Skip All to complete the assessment with no further deviations.
To use the created deviation profile in the Advanced view, select the file and individual profile name using the Deviation Manager and click the Set as Current button on the bottom of the manager. Prime will remember that setting and always use that deviation profile until you use the Inactivate button in the Deviation Manager.
Rules that have a deviation associated with them will have their status icon painted with a yellow background when an assessment is run. It's important to note that the Secutor deviation system is not a simple rule waiver: it records the settings from the machine where the deviation was created and uses those as the new passing value. So, for example, if the original policy guidance requires a 13-character minimum password length and the machine where the deviation profile was created has that set to 10 characters, a subsequent assessment of a machine with 13 characters will pass with no reservations (green check, clear background), a machine with 10 characters will pass due to the deviation (green check with yellow background), and a machine with 9 characters will fail despite the deviation (red X with yellow background).
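The scoring logic described above, written out as an added Python example (this is not Secutor code). It assumes that an expired deviation no longer applies and that a rule's policy value may be either a minimum (such as password length) or a maximum; the rule and deviation field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional, Union

class Status(Enum):
    PASS = "green check, clear background"          # meets original policy
    PASS_DEVIATION = "green check, yellow background"  # meets recorded deviation value
    FAIL_DEVIATION = "red X, yellow background"     # fails even the deviation value
    FAIL = "red X, clear background"                # no active deviation for the rule

@dataclass
class Rule:
    rule_id: str
    policy_value: int
    at_least: bool = True  # True: observed >= policy passes; False: observed <= policy passes

@dataclass
class Deviation:
    rule_id: str
    recorded_value: int  # setting captured on the machine where the profile was built
    justification: str
    expires: Union[date, str, None] = None  # assumed: after this date the deviation lapses

    def __post_init__(self):
        if isinstance(self.expires, str):
            self.expires = date.fromisoformat(self.expires)

def meets(rule: Rule, observed: int, required: int) -> bool:
    return observed >= required if rule.at_least else observed <= required

def evaluate(rule: Rule, observed: int, deviation: Optional[Deviation],
             today: Optional[date] = None) -> Status:
    today = today or date.today()
    # Meeting the original policy always passes cleanly, deviation or not.
    if meets(rule, observed, rule.policy_value):
        return Status.PASS
    active = (deviation is not None and deviation.rule_id == rule.rule_id
              and (deviation.expires is None or today <= deviation.expires))
    if not active:
        return Status.FAIL
    # The recorded machine value, not a blanket waiver, becomes the new passing bar.
    if meets(rule, observed, deviation.recorded_value):
        return Status.PASS_DEVIATION
    return Status.FAIL_DEVIATION

if __name__ == "__main__":
    pw = Rule("password-min-length", 13)
    dev = Deviation("password-min-length", 10, "legacy app rejects 13+ chars", "2099-12-31")
    for length in (13, 10, 9):
        print(length, evaluate(pw, length, dev).value)
```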
The Multiview interface for Prime uses a Deviation Manager to define the conditions under which a pre-defined deviation profile will be applied during an assessment. The system will then automatically select the matching deviation for each assessment it performs. Refer to the User's Guide for more information.
Deviation Profiles can also be used in the Secutor Magnus enterprise management system. Magnus also uses a rule-based approach in its Deviation Manager to determine what deviation policy, if any, should be applied as each assessment occurs. Determination of profile applicability in Magnus is subject to a different rule set outlined in the Magnus User's Guide, which is available from the Help menu of the Magnus Navigator application. After using Prime to write a deviation profile to a file, that file exists only on your machine, so you must first use the Magnus Navigator application to upload it to the Magnus server.