An Application Process Object allows you to identify a software application, so that an Object can be used in a policy.
The example below defines the git version control system using ssh as its transport mechanism. Because the application is identified by its process context, including the process hierarchy, access can be granted to ssh when it runs as part of a git operation while being blocked for other uses (for example, ssh run directly from the command line).
The object structure also supports the concept of an Application Process Object Group, enabling multiple software applications to be grouped together for policy definition convenience (e.g. applying one policy for multiple versions of a software application).
Creating an Application Process Object or Object Group
To create an Application Process Object, navigate to Access Policy Management > Application Process Objects, and click "Add Object".
Give your Application Process Object a name which is easy to remember. You may also use the Description field to provide more context about what this Application Process Object is intended to represent.
The Application Interlock Process Ordering section allows you to define the order of execution and hierarchy of the process tree:
In addition to the executable path, which is required, you may also optionally specify the SHA-256 checksum (sha256sum) of the binary at that location.
The "Enforce Strict Order" option, when unchecked, specifies that the applications in the tree must be called in order, but allows other processes to appear before or between the specified applications. You will typically want to leave this box unchecked.
When checked, the entire process tree is matched against the tree defined in this section. For example, on Linux the process tree typically starts with the user login and the execution of the user's shell, so an application launched from the command line will have a different process tree depending on whether the user logged in via ssh or VNC.
The Enforce Strict Order level of checking can be useful in a high-security environment, as it can differentiate between a legitimate user action on the target machine and an action triggered by an attacker's rootkit.
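To make the two matching modes concrete, here is an added illustrative model of the ordering check described above. It is not the product's own implementation; the rule and process types, the path and checksum values, and the sample process chains are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class ProcessRule:
    """One row of the process ordering: an executable path and an optional SHA-256."""
    path: str
    sha256: Optional[str] = None  # None means "path only, do not check the checksum"


@dataclass(frozen=True)
class Process:
    """One observed process in the ancestry chain (oldest ancestor first)."""
    path: str
    sha256: str


def rule_matches(rule: ProcessRule, proc: Process) -> bool:
    # The path is always required; the checksum is only compared when the rule carries one.
    return rule.path == proc.path and (rule.sha256 is None or rule.sha256 == proc.sha256)


def tree_matches(rules: Sequence[ProcessRule], chain: Sequence[Process], strict: bool) -> bool:
    if strict:
        # Enforce Strict Order checked: the whole ancestry must equal the rule list, row by row.
        return len(rules) == len(chain) and all(rule_matches(r, p) for r, p in zip(rules, chain))
    # Unchecked: rules must appear in order, but unrelated processes may sit before or between them.
    i = 0
    for proc in chain:
        if i < len(rules) and rule_matches(rules[i], proc):
            i += 1
    return i == len(rules)


def fake_sha(name: str) -> str:
    # Constructed placeholder checksums; these are not real binaries' hashes.
    return hashlib.sha256(name.encode()).hexdigest()


GIT_OVER_SSH = [ProcessRule("/usr/bin/git"), ProcessRule("/usr/bin/ssh", fake_sha("ssh"))]
FULL_CHAIN = [ProcessRule("/bin/bash"), *GIT_OVER_SSH]
BASH, GIT, SSH = (Process("/bin/bash", fake_sha("bash")), Process("/usr/bin/git", fake_sha("git")),
                  Process("/usr/bin/ssh", fake_sha("ssh")))
TAMPERED_SSH = Process("/usr/bin/ssh", fake_sha("not-the-real-ssh"))


def demo() -> dict:
    return {
        "git_ssh_loose": tree_matches(GIT_OVER_SSH, [BASH, GIT, SSH], strict=False),   # True
        "git_ssh_strict": tree_matches(GIT_OVER_SSH, [BASH, GIT, SSH], strict=True),   # False: shell not in rules
        "full_chain_strict": tree_matches(FULL_CHAIN, [BASH, GIT, SSH], strict=True),  # True
        "plain_ssh": tree_matches(GIT_OVER_SSH, [BASH, SSH], strict=False),            # False: no git ancestor
        "tampered_ssh": tree_matches(GIT_OVER_SSH, [GIT, TAMPERED_SSH], strict=False), # False: checksum mismatch
    }
```

The "plain_ssh" case is the command-line ssh the text describes as blocked, and "tampered_ssh" shows why the optional checksum matters when a binary at the expected path is not the one you approved.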
Click Save. You may now use this Application Process Object or Object Group in an Access Policy or a Chamber Policy.