File access rules allow the system administrator to limit the actions performed on a system file and by whom.
- To create a File Access rule, from the ZeroLock™ Management Console (ZMC) go to Dashboard | Control Policies | Rules. Under the Actions drop down menu select Add New Rule.
- On selecting Add New Rule the New Policy Rule screen appears. Using the variety of features offered for this Rule Type, craft a rule that fits the exact File access control action you want ZeroLock™ to monitor. Once the File Access Rule is properly configured, click the Create button.
Each field of the File Access Rule screen is described below:
Name 1 The name of the rule as it will appear on your Rules page as well as when adding to a policy. Description 2 The description of the rule as it will appear on your Rules page as well as when adding to a policy, useful for explaining the purpose of the rule. Rule Type 3 Selecting what type of rule to create (SSH-MFA, Hash, Canary, File Access, Network Access, or Program Execution). This can only be changed during initial rule creation. Once the rule is created, this is the only field that can no longer be edited. Source Type 4
Select between Process, Executable, or Command.
Process will trigger based on the name of the process (either child, parent process, or both, as defined in "Scope" below) that is running in memory.
Executable will trigger based on the actual program's filename running in directories such as /bin, /sbin, and others.
Command will trigger based on the name of the shell command used to launch and process or executable.
5 Designate the Regex that matches on the Process, Executable, or Command that is going to be either allowed or blocked from making a network connection. File 6 The REGEX used to identify the file that the rule restricts or allows access to. Operation 7 Designate whether the rule will apply to the Process, Executable, or Command making inbound connections, outbound connections, or both. Block Operation 8 Designate whether or not the source Process, Executable, or Command will be Blocked or Allowed from making a connection. Checking the box Blocks, while leaving it unchecked Allows the connection. Scope 9 Specifies if the rule applies to the Process, Executable, or Command that is occurring as a parent process, a child of another process, or either. *Alert Level 10 When this rule triggers, designate whether the alert that appears on the Alerts page will be a Low, Medium, or High level alert. *Send Email Alerts 11 When this rule triggers, designate whether it will send an email alert to all Users that are assigned to the Endpoint Group of the endpoint that this rule triggered on. Email alerts can be configured on the System Configuration | System Settings page. *Response Type 12
When this rule triggers, designate what response actions ZeroLock will take.
Do Nothing will simply trigger an alert on the Alerts page where an administrator can either Release the alert or choose to manually Kill & Remediate the triggering connection.
Suspend will lock the triggering connection but not end it immediately, waiting for an administrator to choose to Release the alert and allow the connection to continue or to Kill & Remediate it.
Kill will automatically end the connection, but any actions taken by the connection will remain in place.
Finally, Remediate will both end the connection and remediate any actions taken on the system by restoring the system to an unaltered state using the backup cache.
*Auto Quarantine 13 When this rule triggers, designate whether the endpoint will be automatically set to Quarantine until administrator manually Unquarantines the endpoint on the Endpoints page.
Add New Policy
Once the rule is created it must be applied to a policy.
- Navigate to the Control Policies | Policies page. Then select the Add New Policy button.
- On the New Policy pop-up menu, give your new policy a name and description. To add the new File access rule, click the Add Rules button.
- Selecting the Add Rules button opens the Policy Rules screen from which you select the rule(s) you want for the policy you’re creating.
Create a New Configuration Profile
In order to apply the new File Access policy to an endpoint, the policy must be added to a configuration profile.
- Navigate to the System Configuration | Config Profiles page where you will click the Add New Profile tab.
- On the next screen, enter a name and description for the configuration profile you are creating. In the Default Control Policy box select File Access Policy from the default drop-down menu. Lastly, click Create.
- The File Access Profile is now listed among the available profiles.
Apply to New Profile to an EndpointThe final step is to apply this profile to an endpoint.
- Go to Endpoints and select an endpoint that you want to apply the Canary File policy to. Then, from the Actions drop-down menu, select Set Endpoint Config.
- On the Set Endpoint Configs pop-up menu, select the created configuration profile from the drop-down menu. Then hit the Set Configs button.
- Now, when you go back to the Endpoints screen, you see the profile for Endpoint #2 has changed to reflect the File Access profile.