How to Create and Apply a File Access Rule

File access rules allow the system administrator to limit the actions performed on a system file and by whom.

Rule Creation

To create a File Access rule, from the ZeroLock® Management Console (ZMC), go to Dashboard | Control Policies | Rules. Under the Actions drop-down menu select Add New Rule.
On selecting Add New Rule, the New Policy Rule screen will appear. Using the variety of features offered for this Rule Type, craft a rule that fits the exact File access control action you want ZeroLock® to monitor. Once the File Access Rule is properly configured, click the Create button.

Each field of the File Access Rule screen is described below:

Name	1	The name of the rule as it will appear on your *Rules* page when added to a policy.
Description	2	The description of the rule as it will be on your *Rules* page and when added to a policy. This is useful for explaining the purpose of the rule.
Rule Type	3	Select what type of rule to create (SSH-MFA, Hash, Canary, File Access, Network Access, or Program Execution). This can only be changed during initial rule creation. Once the rule is created, this is the only field that can no longer be edited.
Source Type	4	Select Process, Executable, or Command. Process - will trigger based on the name of the process (either child, parent process, or both, as defined in "Scope" below) running in memory. Executable - will trigger based on the program's filename running in directories such as /bin, /sbin, and others. Command - will trigger based on the full command line arguments used to launch a process.
Source Process/ Executable/ Command	5	Designate the Regex that matches the Process, Executable, or Command to be allowed or blocked from making a network connection.
File	6	The REGEX is used to identify the file the rule restricts or allows access to.
Operation	7	Designate whether the rule applies to the Process, Executable, or Command, making inbound or outbound connections, or both.
Block Operation	8	Designate whether or not the source Process, Executable, or Command will be Blocked or Allowed from making a connection. Checking the box Blocks, while leaving it unchecked Allows the connection.
Scope	9	Specifies if the rule applies to the Process, Executable, or Command when occurring as either a parent or child process.
*Alert Level	10	When this rule triggers, designate whether the alert on the Alerts page will be a Low, Medium, or High-level alert.
*Send Email Alerts	11	When this rule triggers, designate whether it will send an email alert to all Users assigned to the Endpoint Group of the endpoint that this rule triggered on. Email alerts can be configured on the System Configuration \| System Settings page.  Note: The SMTP server must be configured under *System Settings.* Emails will be sent to all ZMC users.
*Response Type	12	When this rule is triggered, it will designate the response actions *ZeroLock* will take. *Do Nothing* will simply trigger an alert on the *Alerts* page where an administrator can either release the alert or manually Kill & Remediate the triggering connection. Suspend will lock the triggering connection but not end it immediately, waiting for an administrator to choose to release the alert and allow the connection to continue or Kill & Remediate it. Kill will automatically end the connection, but any actions taken by the connection will remain in place. Finally, *Remediate* will end the connection and remediate any actions taken on the system by restoring the system to an unaltered state using the backup cache.
*Auto Quarantine	13	When this rule triggers, designate whether the endpoint will be automatically set to Quarantine until an administrator manually Unquarantines the endpoint on the Endpoints page.

Note: Fields with an * only appear when Block Operation is selected.

Add New Policy

Before implementing a rule on an endpoint, it must first be applied to a policy.

Navigate to the Control Policies | Policies page. Then select the Add New Policy button.
On the New Policy dialog box, enter a name and description. To add the new File access rule, click the Add Rules button.
Selecting the Add Rules button opens the Policy Rules screen from which you select the rule(s) you want for the policy.
Select the File Access rule, then click Add Selected, which returns you to the New Policy screen. Select Create to complete the new policy creation process.

Note: Instead of scrolling to the bottom of the entire list of rules, sorting by ‘File Type’ will only list the rules of that type.

Step_6_Create New Policy

Create a New Configuration Profile

The policy must be added to a Configuration Profile to apply the new File Access policy to an endpoint.

Navigate to the System Configuration | Config Profiles page, where you will click the Add New Profile tab.
On the next screen, enter a name and description for the configuration profile you are creating. Select File Access Policy from the default drop-down menu in the Default Control Policy box, then click CREATE.
The File Access Profile is now listed among the available profiles.

Apply to New Profile to an Endpoint

The final step is to apply this profile to an endpoint.

From Endpoints, select an endpoint to apply the Canary File policy. Then,
select Set Endpoint Config from the Actions drop-down menu.
Select Demo-File Access configuration from the Set Endpoint Configs drop-down menu, then SET CONFIGS.
On the Endpoints screen, the Endpoint #2 profile has changed to reflect the File Access profile.

Congratulations, you have successfully created and applied a File Access rule.