Using Audit and Quarantine

The features discussed in the Using Audit & Quarantine section require Nexus Repository Manager Pro and IQ Server with the following licenses: Repository and Firewall.

The Audit and Quarantine features provide a way to protect your development environment from risky or undesirable components. These features use IQ Server policy management to identify unwanted components and, if desired, prevent a proxy repository from serving them.

Before activating Audit and Quarantine, there are several items you need to complete:

  • Both Nexus Repository Manager and IQ Server must be running and must have a working connection between the two systems. 
  • In Nexus Repository Manager, you need the following privileges to use Audit and Quarantine:
    • Add, edit, and delete privileges for capabilities, which allows you to configure, enable, and disable the Audit and Quarantine features.
    • Read privilege for repositories, which lets you view a results column in the Repositories tab.
  • For IQ Server, you must be assigned to a role in the root organization with permissions to view and edit IQ Elements. The built-in roles of Policy Administrator and Owner have these permissions. 
  • Also with regard to IQ Server, you should create a policy in the root organization that defines the rules or criteria to use when evaluating components of a proxy repository. The policy must be at the root organization level in the system hierarchy; policies at other levels are ignored by Audit and Quarantine.

Once these items are completed, you are ready to configure Audit and Quarantine and view audit results. Each of these actions is described below in more detail.

Configuring Audit and Quarantine

You configure the Audit and Quarantine features by adding them to Nexus Repository Manager as a plug-in capability.

To configure Audit and Quarantine:

  1. In Nexus Repository Manager, click Capabilities on the Administration menu.
  2. Click the New button on the Capabilities tab. The Create new capability dialog is displayed.
  3. In the Type list, choose IQ: Audit and Quarantine.
  4. Configure Settings as follows:
    1. Enabled - Make sure the check box is selected to activate the Audit feature. The check box is selected by default.
    2. Repository - Select a specific proxy repository to scan, for example, Central.
    3. Quarantine - Select the check box to quarantine any components that violate policy whenever you add new components to the selected proxy repository. This setting affects only components that are added to the repository after Quarantine is enabled. When a component is quarantined, the Nexus Repository Manager prevents it from being served from the proxy repository. The check box is deselected by default.
  5. Click Add to create the new capability for Audit and Quarantine.
  6. At this point, an audit of the selected repository is automatically started. Nexus Repository Manager contacts IQ Server and evaluates the components within the selected repository against any associated policy. The results are displayed in Repository Results, which is described in the next section.

    To successfully quarantine components when the Quarantine feature is enabled, the policy used to evaluate components must be configured to fail when policy violations occur at the proxy stage in the development lifecycle. If the policy is set to warn (rather than fail), the quarantining of components will not occur.

  7. After the IQ: Audit and Quarantine capability is added, it appears on the Capabilities tab in Nexus Repository Manager as shown in the figure below.

Disabling Audit and/or Quarantine

To disable Audit and/or Quarantine:

  1. In the Nexus Repository Manager interface, click Capabilities on the Administration menu.
  2. Click the IQ: Audit and Quarantine capability for a specific repository.
  3. Click the Settings tab and set the following attributes:
    1. Click the Enabled check box to deselect it and disable the Audit feature.

      When you disable the IQ: Audit and Quarantine capability, Quarantine is also disabled.

    2. Click the Quarantine check box to deselect it and disable only the Quarantine feature.

      When Quarantine is disabled, all quarantined components are made available for download from your proxy repository. This remains true even if you re-enable Quarantine. That is, any previously quarantined components are not quarantined again; only new components are evaluated for quarantine when you re-enable the Quarantine feature.

  4. Click Save to save your changes or click Discard to undo your changes.

Releasing a Component from Quarantine

When a component is quarantined due to a violation, it is not available for download from the proxy repository. You must first resolve the violation(s) that caused the quarantine before releasing the component and making it downloadable. Once the violations are resolved, you can proceed with releasing a component from quarantine.

To release a component from quarantine:

  1. In Nexus Repository Manager, select a repository that has been evaluated.
  2. Click the IQ Policy Violations count for a repository. This opens the Repository Results hosted on IQ Server.
  3. Click the Policy tab, and click the Quarantined filter.
  4. Click a quarantined component. This expands the row to display the Component Information Panel (CIP).
  5. Click the Policy tab, and then click the Release Quarantine button.
  6. In the confirmation box, click the Release button.

Once a component is released from quarantine, it cannot be put back into quarantine even if it has subsequent policy violations. If you want to re-quarantine a component, you must delete the component from its repository. The component will be quarantined again if, during an audit, it violates a policy that is set to Fail at the Proxy stage.

Re-enabling Audit and/or Quarantine

To re-enable Audit and/or Quarantine:

  1. In Nexus Repository Manager, click Capabilities on the Administration menu.
  2. Click the IQ: Audit and Quarantine capability for a specific repository.
  3. Click the Settings tab of the IQ: Audit and Quarantine capability and set the following attributes:
    1. Click the Enabled check box to enable the Audit feature.
    2. Click the Quarantine check box to enable the Quarantine feature.

      Any previously quarantined components are not quarantined again even though they were quarantined in the past. Only new components are evaluated for quarantine when the Quarantine feature is re-enabled.

  4. Click Save to save your changes or click Discard to undo your changes.
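
The quarantine lifecycle rules from the sections above (quarantine applies only to newly added components, requires a Fail action at the Proxy stage, and is not reapplied after a release or a re-enable), as a small Python model. This is an added example, not Sonatype code; ProxyRepo, its methods and the component names are hypothetical.

```python
# Toy model of the quarantine rules stated on this page; not product code.
# ProxyRepo and all method names are hypothetical.

class ProxyRepo:
    def __init__(self):
        self.audit = False          # "Enabled" check box
        self.quarantine = False     # "Quarantine" check box
        self.components = {}        # name -> "served" | "quarantined"

    def configure(self, enabled, quarantine):
        self.audit = enabled
        # Disabling the capability also disables Quarantine.
        self.quarantine = enabled and quarantine
        if not self.quarantine:
            # Disabling Quarantine makes every quarantined component available.
            for name in self.components:
                self.components[name] = "served"
        # Enabling never re-evaluates existing components for quarantine.

    def add(self, name, violates, proxy_action="fail"):
        """A component newly arrives in the proxy repository."""
        block = self.quarantine and violates and proxy_action == "fail"
        self.components[name] = "quarantined" if block else "served"

    def release(self, name):
        # Released components stay served even if they violate policy later.
        self.components[name] = "served"

    def delete(self, name):
        # Deleting is the only way to have a component evaluated again.
        self.components.pop(name, None)

    def served(self, name):
        return self.components.get(name) == "served"


def walkthrough():
    repo = ProxyRepo()
    repo.add("old-lib", violates=True)              # present before Quarantine
    repo.configure(enabled=True, quarantine=True)
    repo.add("bad-lib", violates=True)              # Fail at Proxy -> blocked
    repo.add("warn-lib", violates=True, proxy_action="warn")
    before = {n: repo.served(n) for n in ("old-lib", "bad-lib", "warn-lib")}
    repo.configure(enabled=True, quarantine=False)  # frees bad-lib
    repo.configure(enabled=True, quarantine=True)   # bad-lib stays served
    after_toggle = repo.served("bad-lib")
    repo.delete("bad-lib")
    repo.add("bad-lib", violates=True)              # re-fetched -> blocked again
    return before, after_toggle, repo.served("bad-lib")
```

The walkthrough shows the two gaps to watch for when reviewing a configuration: components cached before Quarantine was enabled, and components freed by toggling the Quarantine check box, both remain downloadable despite violating policy.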

Viewing Repository Results

Once the Audit and Quarantine features are enabled, whenever you add a component to a proxy repository (or delete one), Nexus Repository Manager contacts IQ Server to evaluate the components within the proxy repository against any associated policy. The IQ Policy Violations are summarized in Nexus Repository Manager and detailed in IQ Server.

In Nexus Repository Manager:

The results of an audit are summarized in the IQ Policy Violations column of the Repositories tab as shown in the figure below.

The IQ Policy Violations column includes the following items:

  • A count of components by their highest policy violation level.
  • A count of quarantined components.
  • A link to Repository Results on IQ Server.

The IQ Policy Violations column will also alert you if there are any errors in the audit and quarantine process. If there is an error, for example if Nexus Repository Manager cannot communicate with IQ Server, a red exclamation mark will appear to the right of the Repository Results link along with text pertinent to the error that occurred. Additional information will be available in the Nexus Repository Manager logs.

If you have permissions to add capabilities in Nexus Repository Manager, then you can also access Repository Results from the Capabilities tab:

  1. In the Type list of capabilities, select IQ: Audit and Quarantine.
  2. Click the Status tab of the IQ: Audit and Quarantine capability.
  3. Click View Results.

Both methods open Repository Results in IQ Server. To learn more about the details displayed in the Repository Results, see IQ Server and Repository Results.