File I/O Security Feature
Overview
File operations, such as opening a file for reading or writing, or modifying file attributes (for example the last-modified date), can be controlled using the ARMR filesystem rule.
Some high-level examples of rules are:
- Log a warning upon writing to any file
- Allow / deny creation of new files in certain directories
- Disallow writing to, or modification of, JAR files
- Protect arbitrary files or directories from modification (for example, based on file extension, such as .rules and .xml files)
When (Event)
To control read and write access to files using the ARMR filesystem rule, the user specifies the read or the write declaration, respectively.
read, write | The user must specify either the read or the write declaration. A parameter must be supplied to the read or write declaration to determine the files and/or directories that the ARMR filesystem rule will control access to. Both Unix and Windows filesystem paths are supported. This parameter takes the form of a list of one or more quoted strings indicating the targeted files or directories. Each string in the parameter can be:
- a single file or directory name: the agent will control access to any file or directory on the filesystem that matches the given name
- an absolute path to a specific file or directory
The wildcard character (*) is supported anywhere in the file name or path:
- only one wildcard character can be used in each path
- the wildcard matches only a single directory level
- the wildcard can be used to specify all files with a specific prefix
- the wildcard character on its own represents all files and directories on the filesystem
Then (Action)
There are three supported actions for the ARMR filesystem rule: protect, detect and allow.
protect | All attempts to read from or write to a protected file are blocked. If configured, a log message is generated with details of the event.
detect | Monitoring mode: the application behaves as normal. A log message is generated with details of all attempts to read from or write to a protected file. A log message must be specified with this action.
allow | Can be used to allow access to specific files or directories under a parent directory that is covered by an ARMR filesystem rule in protect mode.
As part of the action statement, the user may optionally specify the parameter stacktrace: "full". When this parameter is specified, the stacktrace of the location of the attempted exploit is included in the security log entry.
Examples
All examples of the ARMR filesystem rule are given for both Unix and Windows style filesystem paths, where appropriate.
In the following example, we define an ARMR filesystem rule that protects all files in a specific directory from being read.
Unix
app("File read protect mod"):
    requires(version: ARMR/2.5)
    filesystem("Protect read access in specific directory"):
        read("/tmp/*")
        protect(message: "Unauthorized file read blocked", severity: 8)
    endfilesystem
endapp
Windows
app("File read protect mod"):
    requires(version: ARMR/2.5)
    filesystem("Protect read access in specific directory"):
        read("C:\Windows\*")
        protect(message: "Unauthorized file read blocked", severity: 8)
    endfilesystem
endapp
Logging
<10>1 2021-03-29T11:59:25.147+01:00 userX_system java 15891 - - CEF:0|ARMR:File read protect mod|File read protect mod|2.5|Protect read access in specific directory|Execute Rule|High|rt=Mar 29 2021 11:59:25.146 +0100 dvchost=userX_system procid=15891 appVersion=1 act=protect msg=Unauthorized file read blocked path=/tmp/somefile.txt
<10>1 2021-03-29T11:57:23.337+01:00 userX_system java 14223 - - CEF:0|ARMR:File read protect mod|File read protect mod|2.5|Protect read access in specific directory|Execute Rule|High|rt=Mar 29 2021 11:57:23.337 +0100 dvchost=userX_system procid=14223 appVersion=1 act=protect msg=Unauthorized file read blocked path=C:\\Windows\\somefile.txt
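The log lines above are syslog-framed CEF records. As an added example (not part of ARMR), the parser below splits such a line into its CEF header fields and extension keys and recovers the individual stacktrace frames; SAMPLE is constructed to mirror the page's format with a shortened stacktrace.

```python
import re

# Constructed sample in the shape of the ARMR CEF lines on this page
# (shortened stacktrace); not a real captured event.
SAMPLE = ("<10>1 2021-03-29T11:59:25.147+01:00 userX_system java 15891 - - "
          "CEF:0|ARMR:File read protect mod|File read protect mod|2.5|"
          "Protect read access in specific directory|Execute Rule|High|"
          "rt=Mar 29 2021 11:59:25.146 +0100 dvchost=userX_system procid=15891 "
          "appVersion=1 act=protect msg=Unauthorized file read blocked "
          "stacktrace=java.util.Scanner.<init>(Scanner.java:611)\\n"
          "com.waratek.spiracle.file.FileServlet.readFile(FileServlet.java:109) "
          "path=/tmp/somefile.txt")

HEADER = ["version", "vendor", "product", "product_version",
          "signature_id", "name", "severity"]

def parse_armr_cef(line: str) -> dict:
    """Return {'header': {...}, 'ext': {...}, 'frames': [...]} for one line."""
    cef = line[line.index("CEF:"):]            # drop the syslog prefix
    parts = cef.split("|", 7)                  # 7 header fields, then extension
    if len(parts) != 8:
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER, parts[:7]))
    header["version"] = header["version"][len("CEF:"):]
    # Extension values may contain spaces (msg, rt), so split only where the
    # next "key=" token begins, not on every space.
    tokens = re.split(r"\s+(?=\w+=)", parts[7].strip())
    ext = dict(tok.split("=", 1) for tok in tokens)
    # The agent emits the stacktrace as one value with literal "\n" separators.
    frames = ext["stacktrace"].split("\\n") if "stacktrace" in ext else []
    return {"header": header, "ext": ext, "frames": frames}

def blocked_paths(lines) -> list:
    """Paths from events where the rule blocked access (act=protect)."""
    events = (parse_armr_cef(l) for l in lines if "CEF:" in l)
    return [e["ext"]["path"] for e in events if e["ext"].get("act") == "protect"]
```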
Further Examples
As above, with the stacktrace also logged
Unix
app("File read protect mod - with stacktrace"):
    requires(version: ARMR/2.5)
    filesystem("Protect read access in specific directory"):
        read("/tmp/*")
        protect(message: "Unauthorized file read blocked", severity: 8, stacktrace: "full")
    endfilesystem
endapp
Windows
app("File read protect mod - with stacktrace"):
    requires(version: ARMR/2.5)
    filesystem("Protect read access in specific directory"):
        read("C:\Windows\*")
        protect(message: "Unauthorized file read blocked", severity: 8, stacktrace: "full")
    endfilesystem
endapp
Logging
<10>1 2021-03-29T12:05:25.019+01:00 userX_system java 15891 - - CEF:0|ARMR:File read protect mod - with stacktrace|File read protect mod - with stacktrace|2.5|Protect read access in specific directory|Execute Rule|High|rt=Mar 29 2021 12:05:25.019 +0100 dvchost=userX_system procid=15891 appVersion=1 act=protect msg=Unauthorized file read blocked stacktrace=java.util.Scanner.<init>(Scanner.java:611)\ncom.waratek.spiracle.file.FileServlet.readFile(FileServlet.java:109)\ncom.waratek.spiracle.file.FileServlet.read(FileServlet.java:90)\ncom.waratek.spiracle.file.FileServlet.executeRequest(FileServlet.java:71)\ncom.waratek.spiracle.file.FileServlet.doPost(FileServlet.java:60)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:650)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:731)\nsun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:498)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)\norg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\nsun.reflect.GeneratedMethodAccessor46.invoke(Unknown Source)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:498)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)\norg.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)\norg.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)\norg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)\norg.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)\norg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\norg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)\norg.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)\norg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)\norg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)\norg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)\norg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\njava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\njava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\norg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\njava.lang.Thread.run(Thread.java:748) path=/tmp/somefile.txt
<10>1 2021-03-29T12:55:25.034+01:00 userX_system java 14222 - - CEF:0|ARMR:File read protect mod - with stacktrace|File read protect mod - with stacktrace|2.5|Protect read access in specific directory|Execute Rule|High|rt=Mar 29 2021 12:55:25.034 +0100 dvchost=userX_system procid=14222 appVersion=1 act=protect msg=Unauthorized file read blocked stacktrace=java.util.Scanner.<init>(Scanner.java:611)\ncom.waratek.spiracle.file.FileServlet.readFile(FileServlet.java:109)\ncom.waratek.spiracle.file.FileServlet.read(FileServlet.java:90)\ncom.waratek.spiracle.file.FileServlet.executeRequest(FileServlet.java:71)\ncom.waratek.spiracle.file.FileServlet.doPost(FileServlet.java:60)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:650)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:731)\nsun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:498)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)\norg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)\nsun.reflect.GeneratedMethodAccessor46.invoke(Unknown Source)\nsun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\njava.lang.reflect.Method.invoke(Method.java:498)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)\norg.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)\norg.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)\norg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)\norg.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)\norg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)\norg.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)\norg.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)\norg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)\norg.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)\norg.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)\norg.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)\njava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\njava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\norg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\njava.lang.Thread.run(Thread.java:748) path=C:\\Windows\\somefile.txt
Prevent reading any file
app("File read protect mod - wildcard all"):
    requires(version: ARMR/2.5)
    filesystem("Protect all read access"):
        read("*")
        protect(message: "Unauthorized file read blocked", severity: 8)
    endfilesystem
endapp
Prevent writing to any file
app("File write protect mod - wildcard all"):
    requires(version: ARMR/2.5)
    filesystem("Protect all write access"):
        write("*")
        protect(message: "Unauthorized file write blocked", severity: 8)
    endfilesystem
endapp
Prevent reading specific files
Unix
app("File read protect mod - specific files"):
    requires(version: ARMR/2.5)
    filesystem("Protect read access to specific files"):
        read(paths: ["/tmp/somefile.txt", "/tmp/somefile2.txt"])
        protect(message: "Unauthorized file read blocked", severity: 8)
    endfilesystem
endapp
Windows
app("File read protect mod - specific files"):
    requires(version: ARMR/2.5)
    filesystem("Protect read access to specific files"):
        read(paths: ["C:\Windows\somefile.txt", "C:\Windows\somefile2.txt"])
        protect(message: "Unauthorized file read blocked", severity: 8)
    endfilesystem
endapp
Detect attempts to write to a particular directory
Unix
app("File write detect mod - particular directory"):
    requires(version: ARMR/2.5)
    filesystem("Detect write operations"):
        write("/tmp/")
        detect(message: "Unauthorized file write detected", severity: 5)
    endfilesystem
endapp
Windows
app("File write detect mod - particular directory"):
    requires(version: ARMR/2.5)
    filesystem("Detect write operations"):
        write("C:\Windows\")
        detect(message: "Unauthorized file write detected", severity: 5)
    endfilesystem
endapp
Detect reading of any file with a specific name
app("File read detect mod - specific filename"):
    requires(version: ARMR/2.5)
    filesystem("Detect read of a file with a specific name"):
        read("somefile.txt")
        detect(message: "Unauthorized file read detected", severity: 5)
    endfilesystem
endapp
Prevent writing to any file where the filename ends with a specific string
app("File write protect mod - file extension"):
    requires(version: ARMR/2.5)
    filesystem("Protect write access to .txt files"):
        write("*.txt")
        protect(message: "Unauthorized file write blocked", severity: 8)
    endfilesystem
endapp
Prevent reading any file of a given name under a particular directory
Unix
app("File read protect mod"):
    requires(version: ARMR/2.5)
    filesystem("Protect read access"):
        read("/tmp/*/somefile.txt")
        protect(message: "Unauthorized file read blocked", severity: Medium)
    endfilesystem
endapp
Windows
app("File read protect mod"):
    requires(version: ARMR/2.5)
    filesystem("Protect read access"):
        read("C:\Windows\*\somefile.txt")
        protect(message: "Unauthorized file read blocked", severity: Medium)
    endfilesystem
endapp
Prevent reading of all files in a directory, but allow reading of a specific file in this directory
Unix
app("File read controls"):
    requires(version: ARMR/2.5)
    filesystem("Protect read access to files in /tmp"):
        read("/tmp/")
        protect(message: "Unauthorized file read blocked", severity: High)
    endfilesystem
    filesystem("Allow read access to /tmp/somefile.txt"):
        read("/tmp/somefile.txt")
        allow(message: "Read access to /tmp/somefile.txt allowed", severity: Medium)
    endfilesystem
endapp
Windows
app("File read controls"):
    requires(version: ARMR/2.5)
    filesystem("Protect read access to files in C:\Windows"):
        read("C:\Windows\")
        protect(message: "Unauthorized file read blocked", severity: High)
    endfilesystem
    filesystem("Allow read access to C:\Windows\somefile.txt"):
        read("C:\Windows\somefile.txt")
        allow(message: "Read access to C:\Windows\somefile.txt allowed", severity: Medium)
    endfilesystem
endapp
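To check which paths a set of rules covers before deploying them, the following added Python models the path-matching rules listed under When (Event) (one wildcard per path, single directory level, bare "*" for everything, bare names, trailing-separator directories) and the protect/allow interaction in the last example above. It is not Waratek's code; the handling of bare names and the case-folding of Windows drive paths are assumptions.

```python
import re

# Added example, not Waratek's code: a model of the read()/write() path
# semantics described on this page. Bare-name handling and Windows
# case-folding are assumptions; the real agent may differ in detail.

def _norm(p: str) -> str:
    # Fold Windows separators to '/'; case-fold only drive-letter paths.
    p = p.replace("\\", "/")
    return p.lower() if re.match(r"^[A-Za-z]:/", p) else p

def _glob(pattern: str):
    # One '*' per path; it matches within a single directory level only.
    if pattern.count("*") > 1:
        raise ValueError("only one wildcard character is allowed per path")
    return re.compile("^" + re.escape(pattern).replace(r"\*", "[^/]*") + "$")

def path_matches(pattern: str, path: str) -> bool:
    """True if `path` is covered by one read()/write() pattern string."""
    pattern, path = _norm(pattern), _norm(path)
    if pattern == "*":                 # bare '*' covers the whole filesystem
        return True
    if pattern.endswith("/"):          # "/tmp/" covers everything beneath /tmp
        return path.startswith(pattern)
    if "/" not in pattern:             # bare name: any component with that name
        rx = _glob(pattern)
        return any(rx.match(part) for part in path.split("/") if part)
    return _glob(pattern).match(path) is not None

def decide(rules, path: str) -> str:
    """rules: [(pattern, action)]; returns the effective action for `path`."""
    hits = {action for pattern, action in rules if path_matches(pattern, path)}
    if "allow" in hits:                # allow carves a file out of a protected dir
        return "allow"
    if "protect" in hits:
        return "protect"
    if "detect" in hits:
        return "detect"
    return "none"

if __name__ == "__main__":
    rules = [("/tmp/", "protect"), ("/tmp/somefile.txt", "allow")]
    for p in ("/tmp/somefile.txt", "/tmp/other.txt", "/etc/hosts"):
        print(p, "->", decide(rules, p))
```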