Version: 2.9

Interaction Between Valid ARMR Rule Directives

The API Protect directives api() and input(), introduced in ARMR 2.9, provide an additional protection mechanism for API requests on top of the existing protection that the supported rule otherwise provides. For example, for the Filesystem rule, the api() and input() directives can be specified in addition to the primary read() and write() selectors for this rule. It is therefore possible to specify multiple ARMR rules which are almost identical except for the presence of the API Protect directives.

ARMR Rules without API Protect directives

These ARMR rules are, by default, also applicable for API requests.

ARMR Rules with input() API Protect directive

Case 1

When:

  • only a single DNS, Filesystem, Process or Socket rule exists,

  • whether or not that rule has the input() directive.

Then:

  • rule applicability is straightforward: the Agent evaluates the rule's primary selector as before,

  • and the input() directive is applied, if specified.

Case 2

This scenario usually (though not always) results from the use of a wildcard in the ARMR rule primary selector.

When:

  • two or more rules match the same combination of primary selector and input() directive.

Then, the effective rule is chosen as follows:

  • For Process, Filesystem and DNS:

    • The rule with the higher priority action is taken (in order from highest to lowest this is: PROTECT, DETECT),

    • If rules have the same action, then the rule with the highest logging severity is applied,

    • A rule that specifies the ALLOW action will be chosen over a rule that specifies the input() directive,

    • Otherwise, with the same action and logging severity, the first rule defined in the Policy is used.

  • For Socket:

    • The rule with the higher priority action is taken (in order from highest to lowest this is: ALLOW, PROTECT, DETECT),

    • Otherwise, if actions are the same, the first rule defined in the Policy is used.
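The Case 2 precedence above can be modelled as a small resolver. The following is an added illustration and not Waratek's Agent code: the Rule record, the numeric logging-severity scale, the treatment of ALLOW as the lowest-ranked action for Process, Filesystem and DNS when no input() rule is present (the page only states that ALLOW beats an input() rule), and the sample rule sets are all constructed assumptions.

```python
"""Model of the rule-precedence logic documented for Case 2.

Added illustration only, not Waratek's Agent code: the Rule record, the
numeric severity scale and the sample rules below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Action precedence as stated on the page, highest rank first.
# For Process/Filesystem/DNS the page ranks only PROTECT above DETECT and
# says ALLOW beats a rule carrying input(); ranking ALLOW lowest in every
# other case is an assumption of this model, not something the page states.
NON_SOCKET_ACTION_RANK = {"PROTECT": 2, "DETECT": 1, "ALLOW": 0}
SOCKET_ACTION_RANK = {"ALLOW": 3, "PROTECT": 2, "DETECT": 1}


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str            # "filesystem", "process", "dns" or "socket"
    action: str               # "ALLOW", "PROTECT" or "DETECT"
    severity: int = 0         # assumed numeric logging severity; higher is more severe
    has_input: bool = False   # True when the rule carries an input() directive


def _first_best(candidates: List[Rule], key) -> Optional[Rule]:
    """Highest key wins; on a tie the rule defined first in the Policy wins."""
    best: Optional[Rule] = None
    best_key = None
    for rule in candidates:           # iterate in Policy definition order
        k = key(rule)
        if best is None or k > best_key:
            best, best_key = rule, k
    return best


def resolve_non_socket(candidates: List[Rule]) -> Optional[Rule]:
    """Process, Filesystem and DNS precedence as documented above."""
    # An ALLOW rule is chosen over a rule that specifies the input() directive.
    if any(r.action == "ALLOW" for r in candidates):
        candidates = [r for r in candidates if r.action == "ALLOW" or not r.has_input]
    # Higher-priority action first, then higher logging severity, then Policy order.
    return _first_best(candidates, lambda r: (NON_SOCKET_ACTION_RANK[r.action], r.severity))


def resolve_socket(candidates: List[Rule]) -> Optional[Rule]:
    """Socket precedence: ALLOW > PROTECT > DETECT, then Policy order.
    Logging severity is not a tie-breaker for Socket rules."""
    return _first_best(candidates, lambda r: SOCKET_ACTION_RANK[r.action])


def effective_rule(candidates: List[Rule]) -> Optional[Rule]:
    """Dispatch on rule type. All candidates are assumed to share the same
    primary-selector and input() match, i.e. they form one Case 2 collision set."""
    if not candidates:
        return None
    types = {r.rule_type for r in candidates}
    if types == {"socket"}:
        return resolve_socket(candidates)
    if "socket" in types:
        raise ValueError("socket and non-socket rules never form one collision set")
    return resolve_non_socket(candidates)


# Constructed sample collisions, such as a wildcard primary selector would produce.
FS_COLLISION = [
    Rule("fs-detect-noisy", "filesystem", "DETECT", severity=9),
    Rule("fs-protect-quiet", "filesystem", "PROTECT", severity=3),
]
FS_ALLOW_VS_INPUT = [
    Rule("fs-protect-input", "filesystem", "PROTECT", severity=5, has_input=True),
    Rule("fs-allow", "filesystem", "ALLOW"),
]
SOCKET_COLLISION = [
    Rule("sock-detect", "socket", "DETECT", severity=9),
    Rule("sock-allow", "socket", "ALLOW"),
]

if __name__ == "__main__":
    for label, collision in [("filesystem", FS_COLLISION),
                             ("allow vs input()", FS_ALLOW_VS_INPUT),
                             ("socket", SOCKET_COLLISION)]:
        print(label, "->", effective_rule(collision).name)
```

Note that PROTECT at severity 3 beats DETECT at severity 9 for the Filesystem set: the action is compared before the logging severity, so a high-severity DETECT rule never masks a PROTECT rule on the same selector.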

ARMR Rules with api() API Protect directive

When the api() directive is specified, the rule selection is performed as follows:

  1. An operation is matched against primary selectors of all rules in the given Policy.

  2. Preference is given to the rule with the most specific selector (i.e. a non-wildcard selector, or the longest matching sequence).

    1. Note that no attempt is made to select the most specific value provided in the api() directive. The api() value is simply an additional condition that must hold for the rule to be applicable.
  3. Once the rule is selected: if the current API request path matches the api() directive then the rule is applied, otherwise the rule is not applied and the operation behaves as it otherwise would.
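The three api() selection steps, and in particular the consequence of step 2.1 (a less specific rule whose api() value would match is never chosen once a more specific selector has won), can be demonstrated with the following added illustration. It is not Waratek's Agent code: the ApiRule record, the glob-style matching (Python's fnmatch) used for both the primary selector and the api() path, the specificity scoring, and the sample Policy are constructed assumptions.

```python
"""Model of the api() rule-selection steps documented above.

Added illustration, not Waratek's Agent code: the ApiRule record, glob-style
matching for the primary selector and the api() path, the specificity
ordering and the sample Policy are constructed assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ApiRule:
    name: str
    selector: str              # primary selector, e.g. a filesystem path; '*' is assumed to be the wildcard
    api_path: Optional[str]    # value of the api() directive, or None when the rule has no api()


def specificity(selector: str) -> Tuple[int, int]:
    """Higher is more specific: a non-wildcard selector beats any wildcard one;
    among wildcard selectors the longer literal (non-'*') part wins. Assumed scoring."""
    literal_len = len(selector.replace("*", ""))
    return (0 if "*" in selector else 1, literal_len)


def select_rule(rules: List[ApiRule], operation: str) -> Optional[ApiRule]:
    """Steps 1 and 2: match the operation against every primary selector in the
    Policy and keep the most specific match. The api() value plays no part here."""
    matched = [r for r in rules if fnmatchcase(operation, r.selector)]
    if not matched:
        return None
    best = matched[0]
    for r in matched[1:]:
        if specificity(r.selector) > specificity(best.selector):
            best = r
    return best


def apply_rule(rules: List[ApiRule], operation: str, request_path: str) -> Optional[ApiRule]:
    """Step 3: the selected rule applies only if the current API request path
    matches its api() directive. A rule with no api() directive applies to API
    requests as well (see 'ARMR Rules without API Protect directives' above).
    None means no rule is applied and the operation behaves as it otherwise would."""
    rule = select_rule(rules, operation)
    if rule is None:
        return None
    if rule.api_path is None or fnmatchcase(request_path, rule.api_path):
        return rule
    return None


# Constructed sample Policy: a wildcard rule and a more specific rule overlap on /etc/passwd.
POLICY = [
    ApiRule("etc-any-v1", "/etc/*", "/api/v1/*"),
    ApiRule("passwd-admin", "/etc/passwd", "/api/admin/*"),
]

if __name__ == "__main__":
    for op, path in [("/etc/passwd", "/api/admin/users"),
                     ("/etc/passwd", "/api/v1/users"),
                     ("/etc/hosts", "/api/v1/users")]:
        chosen = apply_rule(POLICY, op, path)
        print(op, path, "->", chosen.name if chosen else "no rule applied")
```

The second sample case is the one step 2.1 warns about: for a read of /etc/passwd during a request to /api/v1/users, the Agent selects passwd-admin because its selector is more specific, finds that the api() value does not match, and applies no rule at all. The etc-any-v1 rule is not reconsidered even though its api() value would have matched, so a Policy that relies on the wildcard rule as a fallback for API requests will not behave as expected.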