File I/O Security Feature
Overview
File operations, such as opening a file for reading or writing, or modifying file attributes (such as last-modified dates), can be controlled using the ARMR filesystem rule.
Some high-level examples of rules are:
- Log a warning upon writing to any file
- Allow / deny creation of new files in certain directories
- Disallow writing to, or modification of, JAR files
- Protect arbitrary files or directories from modification (for example, based on file extension, such as .rules and .xml files)
When (Event)
To control read and write access to files using the ARMR filesystem rule, the user specifies either the read or the write declaration, respectively.
read / write | The user must specify either the read or the write declaration. A parameter must be supplied to the read or write declaration to determine the files and/or directories that the ARMR filesystem rule will control access to. Both Unix and Windows filesystem paths are supported. The parameter takes the form of a list of one or more quoted strings, each naming a targeted file or directory. Each string in the parameter can be:
- a single file or directory name: the agent will control access to any file or directory on the filesystem that matches the given name
- an absolute path to a specific file or directory
The wildcard character (*) is supported anywhere in the file name or path:
- only one wildcard character can be used in each path
- the wildcard matches only a single directory level
- the wildcard can be used to specify all files with a specific prefix
- the wildcard character specified on its own represents all files and directories on the filesystem
Then (Action)
There are three supported actions for the ARMR filesystem rule: protect, detect and allow.
protect | All attempts to read from or write to a protected file are blocked. If configured, a log message is generated with details of the event.
detect | Monitoring mode: the application behaves as normal. A log message is generated with details of all attempts to read from or write to a protected file. A log message must be specified with this action.
allow | Can be used to allow access to specific files or directories under a parent directory that is covered by an ARMR filesystem rule in protect mode.
Examples
All examples of the ARMR filesystem rule are given for both Unix and Windows style filesystem paths, where appropriate.
In the following example, we define an ARMR filesystem rule that protects all files in a specific directory from being read.
Unix
app("File read protect mod"):
requires(version: ARMR/2.2)
filesystem("Protect read access in specific directory"):
read("/tmp/*")
protect(message: "Unauthorized file read blocked", severity: 8)
endfilesystem
endapp
Windows
app("File read protect mod"):
requires(version: ARMR/2.2)
filesystem("Protect read access in specific directory"):
read("C:\Windows\*")
protect(message: "Unauthorized file read blocked", severity: 8)
endfilesystem
endapp
Logging
<10>1 2020-07-03T16:17:27.281+01:00 l-qa02 java 27060 - - CEF:0|ARMR:File read protect mod|File read protect mod|2.2|Protect read access in specific directory|Execute Rule|High|rt=Jul 03 2020 16:17:27.281 +0100 dvchost=l-qa02 procid=27060 outcome=success act=protect msg=Unauthorized file read blocked path=/tmp/somefile.txt
<14>1 2020-07-03T21:10:30.041Z win-02 java 4196 - - CEF:0|ARMR:File read protect mod|File read protect mod|2.2|Protect read access in specific directory|Execute Rule|High|rt=Jul 03 2020 21:10:30.039 +0000 dvchost=win-02 procid=4196 outcome=success act=protect msg=Unauthorized file read blocked path=C:\\Windows\\somefile.txt
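As an added example (not part of the original page or of ARMR), this Python parser splits the two CEF events shown above, copied from the Logging section, into their syslog header, CEF header and extension fields, undoing the CEF backslash escaping so the Windows path comes back as written in the rule.

```python
import re

# Added example: parse the syslog-framed CEF events the ARMR agent emits for
# filesystem rules so a SIEM or script can pivot on act=, path= and the rule
# name. Hypothetical illustration written for this page, not ARMR's own code.

# Sample lines copied from this page's Logging section (raw strings keep the
# CEF-escaped double backslashes in the Windows path).
SAMPLE_EVENTS = [
    r'<10>1 2020-07-03T16:17:27.281+01:00 l-qa02 java 27060 - - CEF:0|ARMR:File read protect mod|File read protect mod|2.2|Protect read access in specific directory|Execute Rule|High|rt=Jul 03 2020 16:17:27.281 +0100 dvchost=l-qa02 procid=27060 outcome=success act=protect msg=Unauthorized file read blocked path=/tmp/somefile.txt',
    r'<14>1 2020-07-03T21:10:30.041Z win-02 java 4196 - - CEF:0|ARMR:File read protect mod|File read protect mod|2.2|Protect read access in specific directory|Execute Rule|High|rt=Jul 03 2020 21:10:30.039 +0000 dvchost=win-02 procid=4196 outcome=success act=protect msg=Unauthorized file read blocked path=C:\\Windows\\somefile.txt',
]

# RFC 5424 style prefix: <PRI>1 TIMESTAMP HOST APP PID MSGID STRUCTURED-DATA, then the CEF body.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) \S+ \S+ (?P<cef>CEF:.*)$"
)
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# Extension values may contain spaces (rt=, msg=), so a value runs until the next " key=".
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def _unescape(value: str) -> str:
    # CEF escapes '=' and backslash inside extension values.
    return value.replace(r"\=", "=").replace("\\\\", "\\")


def parse_cef(line: str) -> dict:
    """Return one flat dict with syslog, CEF header and extension fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-framed CEF line")
    header = m.group("cef").split("|", 7)
    if len(header) != 8 or header[0] != "CEF:0":
        raise ValueError("malformed CEF header")
    event = {"host": m.group("host"), "pid": m.group("pid"), "timestamp": m.group("ts")}
    event.update(zip(HEADER_FIELDS, header[:7]))
    for key, value in EXT_RE.findall(header[7]):
        event[key] = _unescape(value)
    return event


def blocked_paths(lines) -> dict:
    """Map each path a protect rule blocked to the number of events seen."""
    counts = {}
    for line in lines:
        ev = parse_cef(line)
        if ev.get("act") == "protect":
            counts[ev["path"]] = counts.get(ev["path"], 0) + 1
    return counts
```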
Further Examples
Prevent reading any file
app("File read protect mod - wildcard all"):
requires(version: ARMR/2.2)
filesystem("Protect all read access"):
read("*")
protect(message: "Unauthorized file read blocked", severity: 8)
endfilesystem
endapp
Prevent writing to any file
app("File write protect mod - wildcard all"):
requires(version: ARMR/2.2)
filesystem("Protect all write access"):
write("*")
protect(message: "Unauthorized file write blocked", severity: 8)
endfilesystem
endapp
Prevent reading specific files
Unix
app("File read protect mod - specific files"):
requires(version: ARMR/2.2)
filesystem("Protect read access to specific files"):
read(paths: ["/tmp/somefile.txt", "/tmp/somefile2.txt"])
protect(message: "Unauthorized file read blocked", severity: 8)
endfilesystem
endapp
Windows
app("File read protect mod - specific files"):
requires(version: ARMR/2.2)
filesystem("Protect read access to specific files"):
read(paths: ["C:\Windows\somefile.txt", "C:\Windows\somefile2.txt"])
protect(message: "Unauthorized file read blocked", severity: 8)
endfilesystem
endapp
Detect attempts to write to a particular directory
Unix
app("File write detect mod - particular directory"):
requires(version: ARMR/2.2)
filesystem("Detect write operations"):
write("/tmp/")
detect(message: "Unauthorized file write detected", severity: 5)
endfilesystem
endapp
Windows
app("File write detect mod - particular directory"):
requires(version: ARMR/2.2)
filesystem("Detect write operations"):
write("C:\Windows\")
detect(message: "Unauthorized file write detected", severity: 5)
endfilesystem
endapp
Detect reading of any file with a specific name
app("File read detect mod - specific filename"):
requires(version: ARMR/2.2)
filesystem("Detect read of a file with a specific name"):
read("somefile.txt")
detect(message: "Unauthorized file read detected", severity: 5)
endfilesystem
endapp
Prevent writing to any file where the filename ends with a specific string
app("File write protect mod - file extension"):
requires(version: ARMR/2.2)
filesystem("Protect write access to .txt files"):
write("*.txt")
protect(message: "Unauthorized file write blocked", severity: 8)
endfilesystem
endapp
Prevent reading any file of a given name under a particular directory
Unix
app("File read protect mod"):
requires(version: ARMR/2.2)
filesystem("Protect read access"):
read("/tmp/*/somefile.txt")
protect(message: "Unauthorized file read blocked", severity: Medium)
endfilesystem
endapp
Windows
app("File read protect mod"):
requires(version: ARMR/2.2)
filesystem("Protect read access"):
read("C:\Windows\*\somefile.txt")
protect(message: "Unauthorized file read blocked", severity: Medium)
endfilesystem
endapp
Prevent reading of all files in a directory, but allow reading of a specific file in this directory
Unix
app("File read controls"):
requires(version: ARMR/2.2)
filesystem("Protect read access to files in /tmp"):
read("/tmp/")
protect(message: "Unauthorized file read blocked", severity: High)
endfilesystem
filesystem("Allow read access to /tmp/somefile.txt"):
read("/tmp/somefile.txt")
allow(message: "Read access to /tmp/somefile.txt allowed", severity: Medium)
endfilesystem
endapp
Windows
app("File read controls"):
requires(version: ARMR/2.2)
filesystem("Protect read access to files in C:\Windows"):
read("C:\Windows\")
protect(message: "Unauthorized file read blocked", severity: High)
endfilesystem
filesystem("Allow read access to C:\Windows\somefile.txt"):
read("C:\Windows\somefile.txt")
allow(message: "Read access to C:\Windows\somefile.txt allowed", severity: Medium)
endfilesystem
endapp
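As an added illustration (not the agent's code), the following Python model implements the read/write pattern semantics from the declaration table above and the allow-over-protect behaviour of this last example, then evaluates constructed rule sets against sample paths; the precedence between overlapping protect and detect rules is an assumption the page does not state.

```python
import re

# Added model of the matching semantics described on this page for read()/write()
# patterns and for the protect/detect/allow actions. Hypothetical illustration
# written for this page, not the ARMR agent's implementation.

def _norm(p: str) -> str:
    # Treat Unix and Windows separators alike so one matcher serves both styles.
    return p.replace("\\", "/")

def _segment_regex(segment: str) -> str:
    # A wildcard never crosses a separator, so inside a path it spans a single
    # directory level and in a bare name it works as a prefix/suffix match.
    return re.escape(segment).replace(r"\*", "[^/]*")

def path_matches(pattern: str, path: str) -> bool:
    """True if `path` is covered by one read()/write() pattern string."""
    if pattern.count("*") > 1:
        raise ValueError("only one wildcard character is allowed per path")
    if pattern == "*":                      # bare wildcard: every file and directory
        return True
    pattern, path = _norm(pattern), _norm(path)
    if "/" not in pattern:                  # bare name: matched anywhere on the filesystem
        return re.fullmatch(_segment_regex(pattern), path.rsplit("/", 1)[-1]) is not None
    if pattern.endswith("/"):               # directory path: everything beneath it
        return path.startswith(pattern)
    regex = "/".join(_segment_regex(s) for s in pattern.split("/"))
    return re.fullmatch(regex, path) is not None

def evaluate(rules, path: str) -> str:
    """rules: list of (pattern, action). Returns the effective action for `path`.

    Assumed precedence (the page only says allow carves exceptions out of a
    protect rule): a matching allow wins, then protect, then detect; a path no
    rule covers is simply allowed.
    """
    hits = {action for pattern, action in rules if path_matches(pattern, path)}
    for action in ("allow", "protect", "detect"):
        if action in hits:
            return action
    return "allow"

# Constructed rule sets mirroring the page's last example on each platform.
UNIX_RULES = [("/tmp/", "protect"), ("/tmp/somefile.txt", "allow")]
WINDOWS_RULES = [("C:\\Windows\\", "protect"), ("C:\\Windows\\somefile.txt", "allow")]
```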