An Ordered Ruleset is one of the seven (7) rule types in the ZeroLock environment. It is a list of rules evaluated from top to bottom: a rule nearer the top resolves the action before any rule farther down is considered.
As with a firewall, if an action matches a Lockdown rule near the top of the list, ZeroLock takes the response specified for that rule and does NOT evaluate any rules below it. If the action does not match, evaluation passes to the next rule in line until there is a match. If no rule matches, the action is allowed. Because the default is allow and the first match wins, order matters: a broad rule placed high in the list shadows any more specific rule beneath it, so review the order whenever you add or re-order rules.
For a full list of rule types see Control Policy and Lockdown Rule Types.
The ZeroLock Management Console (ZMC) ships with a set of default Lockdown rules as a security baseline. Among them, the "ESXi Recommended Rules" Ordered Ruleset is included to help defend against many known exploits; it consists of existing Lockdown rules placed in a specific order.
The ESXi Recommended Rules set is added to the database automatically when the ZMC is installed. It is protected, so it cannot be changed, but it can be duplicated; duplicating it lets you create and modify an Ordered Ruleset based on your organization's specific requirements. The rules listed in an Ordered Ruleset are links to the original Lockdown rules, so a change made to a Lockdown rule affects every Ordered Ruleset that links to it.
Starting with server v3.2.4, the New Policy Rule page includes a Duplicate Ruleset Rules checkbox. When it is selected, duplicating an Ordered Ruleset creates new copies of each contained rule instead of a new Ordered Ruleset that links to the existing rules. Use this option only when most of the rules need modification in the new Ordered Ruleset; otherwise the linked form keeps a single definition of each rule.
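The following illustration of the two behaviours described above (first-match evaluation with an implicit allow, and linked versus duplicated rules) is an added example written for this page; it is not ZeroLock or ZMC code. The rule numbers and names are those of the exercise that follows; the event fields, the matcher logic, the action names "block" and "detect", the install path used by the Anti-Tampering matcher, the hypothetical rule 999 and the order in which ids are allocated are all assumptions made for the illustration.

```python
# Added illustration, not ZeroLock/ZMC code. Rule numbers and names come from
# the exercise on this page; everything else (event fields, matchers, action
# names, id allocation order, rule 999) is assumed for the illustration.
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]


@dataclass
class LockdownRule:
    rule_id: int
    name: str
    matches: Callable[[Event], bool]   # assumed matcher; real rules use ZMC criteria
    action: str                        # "block" or "detect" (assumed action names)
    send_email_alerts: bool = False


@dataclass
class OrderedRuleset:
    rule_id: int
    name: str
    rules: List[LockdownRule]          # evaluated top to bottom


def evaluate(ruleset: OrderedRuleset, event: Event) -> Tuple[str, Optional[int]]:
    """First match wins: return the matching rule's action and id and stop.
    If no rule matches, the event is implicitly allowed."""
    for rule in ruleset.rules:
        if rule.matches(event):
            return rule.action, rule.rule_id
    return "allow", None


def duplicate(ruleset: OrderedRuleset, next_id: int, duplicate_rules: bool) -> OrderedRuleset:
    """Duplicate an ordered ruleset.
    duplicate_rules=False: the copy holds links (the same objects) to the existing
    rules, so an edit to a linked rule is visible through every ruleset using it.
    duplicate_rules=True: each rule is copied into a new rule numbered from next_id,
    and the new ruleset takes the id after the last copy (assumed allocation order)."""
    if not duplicate_rules:
        return OrderedRuleset(next_id, f"{ruleset.name} Copy", list(ruleset.rules))
    new_rules = []
    for offset, rule in enumerate(ruleset.rules):
        clone = copy.copy(rule)        # shallow copy: the matcher is shared, other fields are scalars
        clone.rule_id = next_id + offset
        clone.name = f"{rule.name} Copy"
        new_rules.append(clone)
    return OrderedRuleset(next_id + len(new_rules), f"{ruleset.name} Copy", new_rules)


def build_exercise_ruleset() -> Tuple[List[LockdownRule], OrderedRuleset]:
    """Ordered Ruleset #201 from the exercise, with constructed matchers."""
    rules = [
        LockdownRule(41, "MITRE T1036 Attempt to rename program file",
                     lambda e: e.get("action") == "rename"
                     and str(e.get("target", "")).startswith("/usr/bin/"), "block"),
        LockdownRule(62, "Attempt to use Kubernetes nodeports from inside a container",
                     lambda e: e.get("action") == "connect" and bool(e.get("in_container"))
                     and 30000 <= int(e.get("port", 0)) <= 32767, "block"),
        LockdownRule(68, "Block Netcat process",
                     lambda e: e.get("action") == "exec"
                     and e.get("process") in ("nc", "ncat", "netcat"), "block"),
        LockdownRule(130, "Anti-Tampering",   # "/opt/agent/" is a constructed install path
                     lambda e: str(e.get("target", "")).startswith("/opt/agent/"), "block"),
        LockdownRule(132, "Detect Busybox",
                     lambda e: e.get("action") == "exec" and e.get("process") == "busybox", "detect"),
    ]
    return rules, OrderedRuleset(201, "Email Alert Ruleset #1", rules)


def demo() -> Dict[str, object]:
    rules, rs201 = build_exercise_ruleset()
    by_id = {r.rule_id: r for r in rules}
    results: Dict[str, object] = {}

    # 1. First match wins; an event matching nothing falls through to allow.
    results["netcat"] = evaluate(rs201, {"action": "exec", "process": "nc"})
    results["benign"] = evaluate(rs201, {"action": "exec", "process": "ls"})

    # 2. Ordering matters: a hypothetical broad detect-only rule placed above
    #    "Block Netcat" shadows it, so netcat is only detected, never blocked.
    broad = LockdownRule(999, "Detect any shell tool (hypothetical)",
                         lambda e: e.get("process") in ("nc", "busybox", "sh"), "detect")
    shadowed = OrderedRuleset(300, "Mis-ordered (hypothetical)", [broad] + rules)
    results["shadowed_netcat"] = evaluate(shadowed, {"action": "exec", "process": "nc"})

    # 3. Linked duplicate: enabling email alerts on rule 68 is visible in both rulesets.
    linked = duplicate(rs201, 202, duplicate_rules=False)
    by_id[68].send_email_alerts = True
    results["linked_sees_edit"] = linked.rules[2].send_email_alerts
    by_id[68].send_email_alerts = False

    # 4. Duplicate Ruleset Rules: copies 202-206 are new rules and the new ruleset is
    #    207; a group edit of the copies leaves the original rules untouched.
    copied = duplicate(rs201, 202, duplicate_rules=True)
    for rule in copied.rules:
        rule.send_email_alerts = True
    results["copied_ids"] = ([r.rule_id for r in copied.rules], copied.rule_id)
    results["originals_untouched"] = not any(r.send_email_alerts for r in rules)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Step 3 is the trap the exercise warns about: after a plain duplicate, ticking Send Email Alerts on what looks like "your" copy of a rule changes the shared rule and therefore every ruleset that links to it, including the protected default set's view of it. Step 4 shows why the Duplicate Ruleset Rules path is the safe one when the rules themselves must change.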
In the exercise below, you create an Ordered Ruleset that sends email alerts for its rules without modifying the original default rules.
- Create Ordered Ruleset #201 and populate it with five (5) rules:
- Rule 41 – MITRE T1036 Attempt to rename program file.
- Rule 62 – Attempt to use Kubernetes nodeports from inside a container.
- Rule 68 – Block Netcat process
- Rule 130 – Anti-Tampering
- Rule 132 – Detect Busybox
- Because these entries are links to the base rules, the only edits you can make within Policy Rule 201 itself are adding rules, re-ordering them, or removing them; the rules themselves stay unchanged.
- To modify the five (5) rules without affecting the default rules or any other ruleset that uses them, duplicate the ruleset with the Duplicate Ruleset Rules checkbox selected. With the box checked, every rule in Ordered Ruleset Policy Rule #201 is duplicated into a new rule, and the new rules are added to the list of available Policy Rules.
- Once you select CREATE, a new Ordered Ruleset is created from the duplicated rules. The copies are numbered, named after the Policy Rule with 'Copy' appended (for example, Email Alert Ruleset #1 Copy), and placed in the Policy Rules list.
- You can now modify the new rules individually or as a group. To modify a single rule, go to the Policy Rules list, select the rule to be modified (in this case rule 202), then select EDIT.
- On the edit screen, select the Send Email Alerts checkbox. You may also want to change the rule name to distinguish it from the original rule.
- Rules can also be updated as a group. To modify several rules at once, go to the Policy Rules list and select the rules to be modified. Unlike with a single rule, no EDIT option appears; instead, select MODIFY RULE from the ACTIONS drop-down menu.
- Selecting MODIFY RULE opens the Modify Policy Rule screen, which lists the rules that will be affected by the change.
- The SETTING drop-down menu offers three (3) options below Alert Level: Send Email Alerts, Response Type, and Auto Quarantine. For this exercise select Send Email Alerts, then select the checkbox that activates the setting. Lastly, select Submit.
- Verify your changes by returning to the new Ordered Ruleset (207 in this exercise) and hovering over a rule: across from Send Email Alerts, the value is now TRUE.
Congratulations, you have just successfully updated rules within an Ordered Ruleset.