Working with Ordered Rulesets

An Ordered Ruleset is one of the seven (7) rule types in the ZeroLock environment.

It is a list of rules evaluated from top to bottom, with rules at the top resolving actions before moving on to rules farther down.

As with a firewall, evaluation is first-match: if an action matches a lockdown rule near the top of the list, the actions specified for that rule are taken and NO rules following it are evaluated. If it does not match, evaluation passes to the next rule in line, and so on until there is a match. If no rule matches, the action is allowed. An Ordered Ruleset is therefore default-allow: anything you want blocked or alerted on must be matched explicitly by a rule in the list, and a broad rule placed high in the list will shadow more specific rules below it.

For a full list of rule types see Control Policy and Lockdown Rule Types.

The ZeroLock Management Console (ZMC) includes a set of default Lockdown rules. The “ESXi Recommended Rules” ordered ruleset is included to assist in defending against many known exploits. The ruleset consists of existing lockdown rules placed in a specific order.

The ESXi Recommended Rules set is added to the database automatically when the ZMC is installed. It is protected, so it cannot be changed, but it can be duplicated. Duplication lets you create and modify an Ordered Ruleset based on your organization’s specific requirements. The rules listed in an Ordered Ruleset are links to the original lockdown rules, not copies: a change made to a lockdown rule affects every Ordered Ruleset that links to it.

When an Ordered Ruleset is selected, a Duplicate option is available which brings up the New Policy Rule page. That page includes a Duplicate Ruleset Rules checkbox. With the checkbox cleared, the duplicate is a new Ordered Ruleset that links to the same lockdown rules as the original. With the checkbox selected, the duplication process also creates new copies of every rule in the ruleset and links the new Ordered Ruleset to those copies instead. Use this option only when most of the rules require modification in the new Ordered Ruleset, because each copied rule then has to be maintained separately from the original.
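The two behaviours described above, first-match evaluation with default allow and linked versus copied rules, are easier to reason about with a small model. The following Python is an added illustration, not ZeroLock code: the rule IDs, the event dictionaries, the match predicates, and the `PolicyRules`, `OrderedRuleset`, `evaluate` and `duplicate_ruleset` names are all constructed for this example and say nothing about the product's real data model or API.

```python
"""Toy model of an ordered ruleset (added example, not ZeroLock code).

Everything here is constructed for illustration: rule IDs, event fields,
match predicates and action names are assumptions, not product behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Callable, Optional


@dataclass
class LockdownRule:
    rule_id: int
    name: str
    matches: Callable[[dict], bool]   # predicate over an observed action/event
    action: str                       # constructed values: "block" or "alert"
    send_email_alerts: bool = False


class PolicyRules:
    """The Policy Rules list: every rule object lives here exactly once."""

    def __init__(self) -> None:
        self._rules: dict[int, LockdownRule] = {}
        self._next_id = 1

    def add(self, name: str, matches: Callable[[dict], bool], action: str) -> LockdownRule:
        rule = LockdownRule(self._next_id, name, matches, action)
        self._rules[rule.rule_id] = rule
        self._next_id += 1
        return rule

    def get(self, rule_id: int) -> LockdownRule:
        return self._rules[rule_id]

    def duplicate(self, rule_id: int) -> LockdownRule:
        """New rule object with a new number and ' Copy' appended to the name."""
        src = self._rules[rule_id]
        copy = replace(src, rule_id=self._next_id, name=src.name + " Copy")
        self._rules[copy.rule_id] = copy
        self._next_id += 1
        return copy


@dataclass
class OrderedRuleset:
    name: str
    rule_ids: list[int]   # links to PolicyRules entries, not copies of them


def evaluate(ruleset: OrderedRuleset, store: PolicyRules, event: dict) -> tuple[str, Optional[int]]:
    """First match wins, top to bottom. No match at all means the action is allowed."""
    for rid in ruleset.rule_ids:
        rule = store.get(rid)
        if rule.matches(event):
            return rule.action, rid       # later rules are never evaluated
    return "allow", None                  # default allow


def duplicate_ruleset(store: PolicyRules, ruleset: OrderedRuleset,
                      duplicate_ruleset_rules: bool) -> OrderedRuleset:
    """Cleared checkbox: copy the links. Selected: copy the rules themselves."""
    if duplicate_ruleset_rules:
        ids = [store.duplicate(rid).rule_id for rid in ruleset.rule_ids]
    else:
        ids = list(ruleset.rule_ids)
    return OrderedRuleset(ruleset.name + " Copy", ids)


def demo() -> dict:
    store = PolicyRules()
    # Rule names borrowed from the page; predicates and actions are constructed.
    block_nc = store.add("Block Netcat process",
                         lambda e: e["exe"] in ("nc", "ncat", "netcat"), "block")
    alert_net = store.add("Alert on network tools",
                          lambda e: e["exe"] in ("nc", "curl", "wget"), "alert")
    busybox = store.add("Detect Busybox", lambda e: e["exe"] == "busybox", "alert")

    # Same three rules, different order: the rule placed first decides.
    strict = OrderedRuleset("Strict", [block_nc.rule_id, alert_net.rule_id, busybox.rule_id])
    lenient = OrderedRuleset("Lenient", [alert_net.rule_id, block_nc.rule_id, busybox.rule_id])

    nc_event = {"exe": "nc", "args": "-l -p 4444"}   # constructed sample event
    sh_event = {"exe": "sh", "args": "-c id"}        # matches nothing -> allowed
    out = {
        "strict_nc": evaluate(strict, store, nc_event),
        "lenient_nc": evaluate(lenient, store, nc_event),
        "strict_sh": evaluate(strict, store, sh_event),
    }

    # Linked duplicate: editing the shared rule is visible through both rulesets.
    linked = duplicate_ruleset(store, strict, duplicate_ruleset_rules=False)
    block_nc.send_email_alerts = True
    out["linked_sees_change"] = store.get(linked.rule_ids[0]).send_email_alerts

    # Duplicate Ruleset Rules: new rule objects with new numbers; edits stay local.
    forked = duplicate_ruleset(store, strict, duplicate_ruleset_rules=True)
    store.get(forked.rule_ids[0]).send_email_alerts = False
    out["forked_ids"] = forked.rule_ids
    out["forked_first_name"] = store.get(forked.rule_ids[0]).name
    out["original_unchanged"] = block_nc.send_email_alerts
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `lenient` ruleset never blocks Netcat even though it contains the block rule, because the alert rule above it matches first; that is the ordering pitfall the firewall analogy warns about. The `forked_ids` result shows why the Duplicate Ruleset Rules option multiplies maintenance: every copied rule gets its own number and its own settings from then on.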

In the exercise below, you want to create an ordered ruleset to permit email alerts but you don’t want to modify the original default rules listed.

  1. Create an Ordered Ruleset and populate it with 5 rules.
    1. Rule 41 – MITRE T1036 Attempt to rename program file.
    2. Rule 66 – Attempt to use Kubernetes nodeports from inside a container.
    3. Rule 73 – Block Netcat process
    4. Rule 135 – Anti-Tampering
    5. Rule 137 – Detect Busybox

      Image_1_ Create Ordered Ruleset_v4.1.3

  2. Without modifying the base rules listed, the only editing you can do within the new Ordered Ruleset (Policy Rule 166) is to add more rules, re-order them, or delete rules from the list.
  3. To modify the five (5) rules without impacting the default rules and any other rulesets that link to those rules, make a duplicate ruleset. Select the ruleset you want to duplicate, then click Duplicate at the top right of the Details page.

    Image_2_ Details Page with Duplicate_v4.1.3
  4. On the New Policy Rule screen, select the checkbox next to ‘Duplicate Ruleset Rules’. When CREATE is selected, all the rules contained within Ordered Ruleset Policy Rule #166 are duplicated, creating new rules with new numbers. The new rules are also added to the list of available Policy Rules.
    Image_3_Duplicate Ruleset Rules_v4.1.3
  5. Once you select CREATE, an Ordered Ruleset is created whose rules are duplicated, re-numbered, named with the original Policy Rule’s name plus ‘Copy’ (for example, Email Alert Ruleset #1 Copy), and placed in the Policy Rules list.
    Image_4_Ordered Ruleset Copy_v4.1.3
  6. You can now modify the ‘new’ rules individually or as a group. To modify a single rule, go to the list of Policy Rules, select the rule to be modified (in this case, rule 167), then select EDIT.
    Image_5_Modify New Rule_v4.1.3-1
  7. On the edit screen, select the checkbox that allows email alerts. You may want to update the name of the rule to differentiate it from the original rule.
    Image_6_Edit Rule 167_v4.1.3-1
  8. Rules may also be updated as a group. To modify multiple rules at once, go to the Policy Rules list and select the rules to be modified. Unlike for an individual rule, no edit option is visible. To edit multiple rules, select MODIFY RULE from the ACTIONS drop-down menu.
    Image_7_Group Modify_v4.1.3
  9. Selecting Modify Rule opens the Modify Policy Rule screen. On this screen, you see the rules that will be affected by any change; confirm that only the duplicated rules are listed before continuing. Choose the setting to change, select the checkbox that activates it, then select Submit.
    Image_8_Modify Policy Rule Group Selected_v4.1.3-1

  10. The SETTING drop-down menu offers three (3) options below Alert Level: Send Email Alerts, Response Type, and Auto Quarantine. For this exercise, select Send Email Alerts.
    Image_9_Send Email Alerts Submit_v4.1.3
  11. Selecting the Send Email Alerts checkbox activates this setting, then select SUBMIT.
    Image_10_Send Email Alerts checkbox_v4.1.3
  12. Your changes can be verified by hovering over the rules of Ordered Ruleset 172. Across from Send Email Alerts, the value is now TRUE.

Congratulations, you have just successfully updated rules within an Ordered Ruleset.