Host groups reduce the administrative burden of managing a large number of agents. Grouping hosts together also lets you apply the same policy to a number of hosts. A group is the only element required to build agent kits.
You do not configure hosts with CSA MC as you do other CSA MC elements. When hosts across your network download and install agent kits, they automatically and transparently register with CSA MC. Hosts inherit membership to the groups that were associated with the agent kit they installed. Successfully registered hosts appear in a linked list when you select Hosts from the Systems category in the menu bar. At registration time, hosts are also automatically put into their assigned group. You can change host groupings at any time.
Note: Management Center for Cisco Security Agents ships with preconfigured groups you can use if they meet your initial needs. If you use a preconfigured group, you do not have to create your own group as detailed in the following pages.
To configure a group, do the following.
Step 1 Move the mouse over Systems in the menu bar and select Groups from the drop-down list that appears. The list of existing Groups is displayed in the right pane. Management Center for Cisco Security Agents ships with several pre-configured groups.
Step 2 Click the New button to create a new group entry. (This group is empty until hosts install agents and register.)
Note: If you have "All" designated as the operating system type for your administrator session, you are prompted to select whether this is a Windows or a UNIX group. See the “Administration by Operating System” section on page 2-5 for details. (You cannot combine UNIX and Windows hosts in the same group.)
Step 3 In the available group fields, enter the following information:
• Name: This is a unique name for this group of hosts. Names are case insensitive, must start with an alphabetic character, can be up to 64 characters long, and can include alphanumeric characters, spaces, hyphens (-), and underscores (_). Generally, it’s a good idea to adopt a naming convention that lets you quickly recognize groups in the CSA MC group list view.
• Description: This is a useful line of text that is displayed in the list view and helps you to identify this particular group. Optionally, expand the +Detailed field to enter a longer description.
Figure 3-1 Group Configuration Page
Step 4 Optionally, you can select the Test Mode checkbox for this group.
Caution: In Test Mode, the Cisco Security Agent will not deny any action even if an associated policy says it should be denied. Instead, the agent will allow the action but log an event (if logging is selected for the rule). This helps you to understand the impact of deploying a policy on a host before enforcing it. For further information, see Chapter 4, “Building Policies.”
Step 5 Optionally, enable Verbose Logging Mode to change the event log timer to log all reoccurring events rather than suppressing duplicates. See Chapter 8, “Event Logging Alerts” for more information on the event log.
Step 6 Optionally, enable No user interaction (available on Windows groups only) to have no agent user interface or query pop-ups appear on end user systems. You may wish to do this if you do not want end users to have any interactions with CSA MC using a local agent UI (i.e. clearing the cache, polling, and self-protection and rule queries).
See page 3-7 for more details.
Caution: When there is no agent UI present, there are no query user pop-up boxes displayed. The default is immediately taken on all query user rules and heuristics that are present in the assigned policies. This means that the default of Query User Allow or Query User Deny is taken on all query user "access control rules" and the default of Terminate or No is taken on all heuristics (Trojan detection, Network worm, etc.) unless specific application class exceptions are made for heuristic rules.
If an end user system already has an agent UI installed, when you select this No user interaction checkbox for the agent’s group and generate rules, the agent UI disappears when the new rules are downloaded.
Note: To fully restrict end users from interacting with the agent, you could use the "No user interaction" capability in combination with the Agent service control rule (see the “Agent Service Control” section on page 4-24) and the Quiet software update capability (see the “Building Agent Kits” section on page 3-8).
Step 7 Optionally, you can change the default Polling interval from 600 seconds (10 minutes) to any value between 10 seconds and 86400 seconds. This controls how often agents in this group poll into CSA MC for policy updates. Shortening the polling time can be useful when you are trying out new policies. Otherwise, the default value is recommended. (If you have the same hosts in multiple groups, the group containing the shortest polling interval setting takes precedence for the hosts in question.)
Note: If you change a group’s polling interval, that new interval time will not take effect until the host polls in again for new rules. Therefore, it may take as long as the previous polling interval setting before hosts begin polling in using the new setting.
Step 8 When all required information is entered, click the Save button to enter and save your group in the CSA MC database.
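The constraints from Steps 3, 6 and 7 can be checked against a planned group layout before anything is entered in the UI. The following is an added example, not Cisco code and not a CSA MC interface: it is an offline check over a constructed plan, and the dictionary keys, function names and group names are assumptions made for illustration.

```python
import re

# Name rule from Step 3: starts with a letter, up to 64 characters,
# alphanumerics, spaces, hyphens and underscores only.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9 _-]{0,63}")
POLL_MIN, POLL_MAX, POLL_DEFAULT = 10, 86400, 600  # seconds, from Step 7

def check_groups(groups):
    """Return a list of problems found in a planned group layout."""
    problems, seen = [], {}
    for g in groups:
        name = g["name"]
        if not NAME_RE.fullmatch(name):
            problems.append(f"{name!r}: invalid group name")
        key = name.lower()  # names are case insensitive, so compare folded
        if key in seen:
            problems.append(f"{name!r}: duplicates {seen[key]!r}")
        seen.setdefault(key, name)
        poll = g.get("polling", POLL_DEFAULT)
        if not POLL_MIN <= poll <= POLL_MAX:
            problems.append(f"{name!r}: polling interval {poll} out of range")
        if g.get("no_user_interaction") and g["os"] != "windows":
            problems.append(f"{name!r}: No user interaction is Windows only")
    return problems

def effective_polling(host_groups, groups):
    """Shortest interval among a host's groups (the shortest setting wins).

    Assumes check_groups() reported no problems for this plan.
    """
    by_name = {g["name"].lower(): g for g in groups}
    return min(by_name[n.lower()].get("polling", POLL_DEFAULT) for n in host_groups)

# Constructed sample plan (hypothetical names, not the preconfigured groups).
PLAN = [
    {"name": "Web Servers - Pilot", "os": "windows", "polling": 60},
    {"name": "web servers - pilot", "os": "windows"},  # same name, different case
    {"name": "2nd Floor Desktops", "os": "windows"},   # starts with a digit
    {"name": "Solaris_DB", "os": "unix", "polling": 5, "no_user_interaction": True},
    {"name": "Finance Desktops", "os": "windows"},
]

if __name__ == "__main__":
    for problem in check_groups(PLAN):
        print(problem)
```
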
Once you attach (associate) policies to specific groups, the configuration view for the group displays a table listing all the rules, in order of precedence, that are applied to that group. From this table, you can navigate to those rules and policies.