ARMR Process Rule
Overview
The ARMR process rule controls which external processes an application is allowed to execute on the server. It is useful for preventing unauthorized attempts at process forking.
When (Event)
To control access to executables using the ARMR process rule, the user must specify the execute declaration.
execute | A parameter must be supplied to the execute declaration to determine the executable(s) that the ARMR process rule will control access to. Both Unix and Windows filesystem paths are supported. This parameter takes the form of a list of one or more quoted strings, each naming a targeted executable. Each string in the parameter can be:
- a single executable or directory name: the agent will control access to any executable or directory on the filesystem that matches the given name
- an absolute path to a specific executable or directory
The wildcard character (*) is supported anywhere in the executable name or path:
- only one wildcard character can be used in each path
- the wildcard spans a single directory level only
- the wildcard can be used to specify all executables with a specific prefix
- the wildcard character specified on its own represents all executables and directories on the filesystem
Then (Action)
There are three supported actions for the ARMR process rule: protect, detect and allow.
protect | All attempts to fork a process covered by the rule are blocked. If configured, a log message is generated with details of the event.
detect | Monitoring mode: the application behaves as normal. A log message is generated with details of all attempts to fork a process covered by the rule. A log message must be specified with this action.
allow | Can be used to allow execution of specific processes that are a subset of the executables covered by an ARMR process rule in protect mode.
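The following is an added model of the execute() matching rules and the protect/allow precedence described above. It is written for this page, not the ARMR agent's own code; how the agent really matches (including case handling of Windows paths) is an assumption here.

```python
import re

# Model of the documented execute() matching (an assumption about the agent's
# behaviour, not its code): at most one '*', and '*' matches any run of
# characters except a path separator, so it never crosses into a subdirectory.
def _compile(pattern: str) -> re.Pattern:
    if pattern.count("*") > 1:
        raise ValueError("only one wildcard character is allowed per path")
    head, star, tail = pattern.partition("*")
    wild = r"[^/\\]*" if star else ""
    return re.compile(r"\A" + re.escape(head) + wild + re.escape(tail) + r"\Z")

def _is_absolute(pattern: str) -> bool:
    # Unix absolute path, or a Windows drive-letter path such as C:\Windows\...
    return pattern.startswith("/") or re.match(r"[A-Za-z]:[\\/]", pattern) is not None

def execute_matches(pattern: str, path: str) -> bool:
    """Does one execute() pattern cover the executable at `path`?"""
    if pattern == "*":                      # bare wildcard: every executable and directory
        return True
    regex = _compile(pattern)
    if _is_absolute(pattern):               # absolute path: must match the whole path
        return regex.match(path) is not None
    # bare name (executable or directory): match any single path component
    return any(regex.match(part) for part in re.split(r"[/\\]", path) if part)

def matching_actions(rules, path: str) -> list:
    """Actions of every rule whose execute() pattern covers `path`.
    `rules` is a list of (pattern, action) pairs; action is protect, detect or allow."""
    return [action for pattern, action in rules if execute_matches(pattern, path)]

def is_blocked(rules, path: str) -> bool:
    """protect blocks the fork unless an allow rule also covers the executable
    (the documented 'subset of protected executables' case); detect never blocks."""
    actions = matching_actions(rules, path)
    return "protect" in actions and "allow" not in actions

# Rule sets taken from the page's own examples.
DIRECTORY_RULES = [("/tmp/*", "protect")]
ALLOW_LIST_RULES = [("*", "protect"), ("/tmp/myscript.sh", "allow")]
WINDOWS_DETECT_RULES = [("myscript.bat", "detect")]

if __name__ == "__main__":
    for rules, path in [(DIRECTORY_RULES, "/tmp/myscript.sh"),
                        (DIRECTORY_RULES, "/tmp/sub/other.sh"),
                        (ALLOW_LIST_RULES, "/usr/bin/curl"),
                        (ALLOW_LIST_RULES, "/tmp/myscript.sh"),
                        (WINDOWS_DETECT_RULES, r"C:\Windows\myscript.bat")]:
        print(path, matching_actions(rules, path), "blocked" if is_blocked(rules, path) else "allowed")
```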
Examples
All examples of the ARMR process rule are given for both Unix and Windows style filesystem paths, where appropriate.
In the following example, we define an ARMR process rule that prevents forking of all processes inside a specific directory.
Unix
app("Process forking mod"):
requires(version: ARMR/2.2)
process("Protect executable in a specific directory"):
execute("/tmp/*")
protect(message: "denying attempt to execute processes inside specific directory", severity: 10)
endprocess
endapp
Windows
app("Process forking mod"):
requires(version: ARMR/2.2)
process("Protect executable in a specific directory"):
execute("C:\Windows\*")
protect(message: "denying attempt to execute processes inside specific directory", severity: 10)
endprocess
endapp
Logging
Unix
<9>1 2020-07-06T16:25:33.140+01:00 l-qa02 java 28545 - - CEF:0|ARMR:Process forking mod|Process forking mod|2.2|Protect executable in a specific directory|Execute Rule|Very-High|rt=Jul 06 2020 16:25:33.139 +0100 dvchost=l-qa02 procid=28545 outcome=success act=protect msg=denying attempt to execute processes inside specific directory path=/tmp/myscript.sh commandLine=myscript.sh scriptArg
Windows
<9>1 2020-07-06T16:35:54.140+01:00 win-02 java 28545 - - CEF:0|ARMR:Process forking mod|Process forking mod|2.2|Protect executable in a specific directory|Execute Rule|Very-High|rt=Jul 06 2020 16:35:54.139 +0100 dvchost=win-02 procid=28545 outcome=success act=protect msg=denying attempt to execute processes inside specific directory path=C:\\Windows\\myscript.bat commandLine=myscript.bat scriptArg
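An added parser for these CEF-formatted ARMR events, written for this page rather than taken from the product, with constructed copies of the two log lines above as input. It assumes standard CEF extension escaping (a backslash in a value is written as two backslashes, as seen in the Windows path above) and that values such as msg and commandLine may contain spaces.

```python
import re

# Constructed copies of the page's two log lines (one Unix, one Windows).
SAMPLE_LINES = [
    "<9>1 2020-07-06T16:25:33.140+01:00 l-qa02 java 28545 - - CEF:0|ARMR:Process forking mod|"
    "Process forking mod|2.2|Protect executable in a specific directory|Execute Rule|Very-High|"
    "rt=Jul 06 2020 16:25:33.139 +0100 dvchost=l-qa02 procid=28545 outcome=success act=protect "
    "msg=denying attempt to execute processes inside specific directory "
    "path=/tmp/myscript.sh commandLine=myscript.sh scriptArg",
    "<9>1 2020-07-06T16:35:54.140+01:00 win-02 java 28545 - - CEF:0|ARMR:Process forking mod|"
    "Process forking mod|2.2|Protect executable in a specific directory|Execute Rule|Very-High|"
    "rt=Jul 06 2020 16:35:54.139 +0100 dvchost=win-02 procid=28545 outcome=success act=protect "
    "msg=denying attempt to execute processes inside specific directory "
    "path=C:\\\\Windows\\\\myscript.bat commandLine=myscript.bat scriptArg",
]

# Extension keys used by ARMR process events. msg and commandLine contain spaces,
# so a value runs until the next "<space>key=" rather than until the next space.
EXT_KEYS = ("rt", "dvchost", "procid", "outcome", "act", "msg", "path", "commandLine")
_EXT_SPLIT = re.compile(r" (?=(?:%s)=)" % "|".join(EXT_KEYS))

def _unescape(value: str) -> str:
    # CEF extension escaping: "\\" is a literal backslash, "\=" a literal "="
    return value.replace("\\=", "=").replace("\\\\", "\\")

def parse_armr_event(line: str) -> dict:
    """Split a syslog-wrapped ARMR CEF line into its seven header fields and extension."""
    _, sep, cef = line.partition("CEF:0|")
    if not sep:
        raise ValueError("not a CEF:0 line")
    vendor, product, version, rule, rule_type, severity, ext = cef.split("|", 6)
    event = {"vendor": vendor, "product": product, "version": version,
             "rule": rule, "rule_type": rule_type, "severity": severity}
    for item in _EXT_SPLIT.split(ext):
        key, _, value = item.partition("=")
        event[key] = _unescape(value)
    return event

def blocked_forks(lines) -> list:
    """(host, pid, path, command line) for every event in which the agent blocked a fork."""
    hits = []
    for line in lines:
        ev = parse_armr_event(line)
        if ev.get("act") == "protect" and ev.get("outcome") == "success":
            hits.append((ev["dvchost"], ev["procid"], ev["path"], ev["commandLine"]))
    return hits

if __name__ == "__main__":
    for host, pid, path, cmd in blocked_forks(SAMPLE_LINES):
        print(f"blocked fork on {host} (pid {pid}): {path} [{cmd}]")
```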
Further Examples
Prevent forking a specific process
Unix
app("Process forking mod 2"):
requires(version: ARMR/2.2)
process("Prevent forking a specific process"):
execute("/tmp/myscript.sh")
protect(message: "denying attempt to execute specific process", severity: High)
endprocess
endapp
Windows
app("Process forking mod 2"):
requires(version: ARMR/2.2)
process("Prevent forking a specific process"):
execute("C:\Windows\myscript.bat")
protect(message: "denying attempt to execute specific process", severity: High)
endprocess
endapp
Detect forking any process with a specific name
Unix
app("Process forking mod 3"):
requires(version: ARMR/2.2)
process("Detect all attempts to execute myscript.sh"):
execute("myscript.sh")
detect(message: "myscript.sh file executed", severity: Low)
endprocess
endapp
Windows
app("Process forking mod 3"):
requires(version: ARMR/2.2)
process("Detect all attempts to execute myscript.bat"):
execute("myscript.bat")
detect(message: "myscript.bat file executed", severity: Low)
endprocess
endapp
Prevent forking all processes, except allow specific process
Unix
app("Process forking mod 4"):
requires(version: ARMR/2.2)
process("Prevent all process forking"):
execute("*")
protect(message: "denying attempt to execute any external process", severity: 7)
endprocess
process("Allow forking of specific process"):
execute("/tmp/myscript.sh")
allow(message: "allowing specific executable", severity: 3)
endprocess
endapp
Windows
app("Process forking mod 4"):
requires(version: ARMR/2.2)
process("Prevent all process forking"):
execute("*")
protect(message: "denying attempt to execute any external process", severity: 7)
endprocess
process("Allow forking of specific process"):
execute("C:\Windows\myscript.bat")
allow(message: "allowing specific executable", severity: 3)
endprocess
endapp