Policy pushdown
This topic describes the policy pushdown process of mapping policies to an IBM Security Guardium S-TAP for IMS collection profile.
When the IBM Security Guardium S-TAP for IMS agent starts, it establishes a dedicated connection to the Guardium appliance for reading installed policies. Immediately after the connection is established, the Guardium appliance pushes any installed policies down to the IBM Security Guardium S-TAP for IMS agent. The Guardium appliance pushes down a full policy to all connected IBM Security Guardium S-TAP for IMS agents each time a policy is installed on or uninstalled from the Guardium appliance.
Upon receipt of a policy, the IBM Security Guardium S-TAP for IMS agent compares the applicable rules with the existing collections, and performs a differential install.
- Differential install: A differential install of the policy indicates that only policies that have been modified since the last install are acted upon.
The following processing occurs in the IBM Security Guardium S-TAP for IMS agent upon receipt of a policy:
- The new policy is compared to the currently active policy if the new policy contains one or more rules.
  - If the policies are identical, no further processing is required.
- If the new policy does not apply to this subsystem, processing continues without any changes.
  - If there is an active policy, the collection continues using it.
  - If no policy is active, none is started.
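
The processing listed above can be modelled in a few lines. This is an added example, not IBM code or the agent's implementation. The `Rule` fields, the outcome names and the sample policies are assumptions made for illustration, as is the treatment of dropped rules as part of the differential.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    # Hypothetical rule shape; the real policy format is not shown on the page.
    name: str
    subsystem: str    # IMS subsystem the rule targets (assumed field)
    definition: str   # what to collect, treated as an opaque string

def on_policy_pushdown(subsystem, new_policy, active):
    """Model the agent's handling of one pushed-down (full) policy.

    new_policy: list of Rule received from the appliance.
    active:     dict of rule name -> Rule behind the current collections.
    Returns (outcome, resulting_active, changed_rule_names).
    """
    if not new_policy:
        # The page describes the comparison only for policies with one or
        # more rules, so nothing is compared or changed in this model.
        return "not-compared", active, []
    applicable = {r.name: r for r in new_policy if r.subsystem == subsystem}
    if not applicable:
        # Policy does not apply to this subsystem: an active policy keeps
        # collecting, and if none is active, none is started.
        return "not-applicable", active, []
    if applicable == active:
        return "identical", active, []
    # Differential install: act only on rules that differ from the last
    # install (assumed to cover new, modified and dropped rules).
    changed = sorted(name for name in applicable.keys() | active.keys()
                     if applicable.get(name) != active.get(name))
    return "differential-install", applicable, changed

# Constructed sample data: subsystem IMSA with one active rule.
ACTIVE = {"audit-cust": Rule("audit-cust", "IMSA", "db=CUSTDB calls=ALL")}
PUSH_OTHER = [Rule("audit-pay", "IMSB", "db=PAYDB calls=ALL")]
PUSH_CHANGED = [Rule("audit-cust", "IMSA", "db=CUSTDB calls=UPDATE"),
                Rule("audit-ord", "IMSA", "db=ORDDB calls=ALL")]

if __name__ == "__main__":
    for push in (list(ACTIVE.values()), PUSH_OTHER, PUSH_CHANGED):
        outcome, now_active, changed = on_policy_pushdown("IMSA", push, ACTIVE)
        print(outcome, sorted(now_active), changed)
```

The `not-applicable` branch is the one to check when reviewing audit coverage: in this model, a pushed policy that targets only another subsystem leaves the existing collection untouched.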