We will here explain what is the computation made during generation to decide which mode to apply to a directive on a node, based on the current settings.
The short rule is: Override wins, then Audit wins
For a given directive on a given node at a given time, we have three different policy mode settings:
- The global mode, called G, which can be Audit or Enforce
- The node mode called N, which can be Global (if not overridden), Audit, or *Enforce
- The directive mode, called D, which can be Global (if not overridden), Audit, or *Enforce
The result is:
- If override is not allowed, the policy mode is always the global mode G.
-
If override is allowed:
- If N and D are set to use the Global default value (i.e. no override), the policy mode is the global mode G.
- If N uses the global value and D is overriden to Audit or Enforce, the D value is used.
- If D uses the global value and N is overriden to Audit or Enforce, the N value is used.
- If N and D are overriden to Audit or Enforce, the value is Audit if at least one of N or D is Audit, Enforce if both are in Enforce mode
