Chapter 5. Understanding Application Classes and Variables

Using Application Classes

Application classes are very important components in the CSA Management Console (MC) management architecture. Application classes are groups of applications (executables) that are common in function. This section reviews how CSA rules work so that you may better understand how application classes are applied and how they relate to rules.

When you define a CSA rule, most likely you are creating it so that you can deny or allow an action that might attempt to take place. You also define how and where that rule should be applied. In some cases, you might want a particular rule to apply to every process running on the endpoint. An example of this is a rule that denies an endpoint the ability to use the Telnet (TCP/23) protocol no matter what application is attempting this specific network connectivity. However, when creating the rule, you might more granularly decide to allow Telnet from the endpoint, but only from a specific set of capable applications. To take that a step further, you might also want to monitor the application and subprocesses started by that specific application. Application classes enter the equation at this point. By defining an application class, which includes the specifically allowed Telnet clients (or executables), you can then apply the rule to only those applications and subprocesses.

Do not worry if you do not fully grasp the concept of using application classes just yet. It is a very important concept, and the upcoming sections illustrate application class usage by example.

Purpose of CSA MC Built-In Application Classes

The CSA MC includes some built-in application classes to get you started. These application classes initially serve two purposes:

Functional: The built-in application classes are fully functional and in most cases are being used by many of the predefined rules and policies that come preconfigured on the CSA MC.

Tutorial: Although the main purpose of the built-in application classes is for you to deploy efficient, fully functional predefined policies quickly, they can also serve as a tutorial for those who want to create their own application classes.

To acquaint you with application classes, this section first looks at some of the built-in classes to discover the basic settings and configuration. To see a list of built-in application classes, you need to get to the Application Classes Configuration screen by choosing Configuration > Applications > Application Classes [Windows]. (See Figure 5-1.)

Figure 5-1. Application Classes Menu Selection Location

NOTE

This book uses Windows for the majority of examples to simplify the learning process.

Configuring Application Classes

The Application Classes Configuration screen lists the currently defined application classes, which you can sort to show all, Windows-specific, or UNIX-specific application classes by changing the selection in the drop-down selection box in the upper-left corner of the screen.

You can perform other tasks from this screen, too, such as create a new application class, delete an application class, clone an application class to create a similar application class, or just compare two application classes by clicking the respective buttons at the lower-left corner of the web page. Figure 5-2 shows the drop-down selection field and the action buttons.

Figure 5-2. Application Classes Overview Page

To view the configuration of an already created application class, use the scroll bar until you locate the application class you want to view or edit, and then click the name of the application class.

For example, choose the Command Shell application class to view a basic configuration. Figure 5-3 shows the Configuration page of the Command Shell application class.

Figure 5-3. Example Application Class Configuration: Part 1

You have only a few tunable parameters and clickable links available when configuring an application class. The following list describes this specific application class page from the top to the bottom of the Configuration page:

View Change History: Click this link to view the changes made to this application class. The changes are tracked as part of the local audit process.

Name: Enter a name that is recognizable and descriptive to ease the configuration of rules.

Description and Detailed Description: Type a brief description of the purpose for the application class in the Description field and enter a much more descriptive analysis of the purpose for this object in the Detailed window.

Operating System: Change the drop-down choice to be more specific to the particular Windows operating system, such as NT, 2000, XP, or 2003. (Because this example is for a Windows environment, the Target defaults to All Windows.)

Display Only in Show All Mode: If your application class list is getting unmanageably long, you can use this check box along with the Admin Preferences page that is discussed in Chapter 14, "CSA MC Administration and Maintenance," to hide this application class from the Selection window, which narrows the options when you are choosing classes.

Add Process to Application Class: Define which processes are part of the application class. You have two options:

When Created from One of the Following Executables: Enter the information regarding what specific executables you want to include in the grouping. You also can check Insert File Set to include an already grouped listing from a file set variable.

When Dynamically Defined by Policy Rules: Check this option to create a dynamic application class that will be created by application behavior rather than executable name or file set definition.

Tip

Occasionally, you might want to group applications or processes by their exhibited behavior, such as specific file, registry, or network access, rather than by explicit process name. Grouping like this proves especially helpful when attempting to control the behavior of any application that matches your application class behavior definition without the upfront knowledge of every application that could behave in such a way.

Remove Process from Application Class: Click the check box and specify a time in seconds if you want the monitored process to be removed from the application class after a predetermined amount of time. You rarely have a reason to select this option. You might have a process that needs temporary access to protected system resources for a certain time period. You could use this option to temporarily give the application extra access, without permitting the process to continue with the excessive rights over too long a time frame. A process with excess access to a system might be eventually compromised and could provide other processes proxy access to normally protected resources.

This Application Class Includes: Applications commonly spawn subprocesses to complete tasks. Because these subprocesses could be the application you want to deny, you can dynamically include those processes in the application class while they are active. You have three possible choices under this heading:

Only This Process: Check this option if you want the application class to include only this process and never dynamically add subprocesses to the application class.

This Process and All of Its Descendents: Check this option to dynamically include spawned subprocesses. A rogue malicious process commonly launches other processes that might attempt certain undesirable actions. Checking this option ensures that the root process and anything spawned by it are also added to the application class and controlled with the same rules.

Only Descendents of This Process: Check this option to include only subprocesses and never the listed root application process itself. Most commonly, you use this selection in an exception rule such that you apply a rule to the subprocesses and not the main application.

Show Reference List: Click this link to show the rules that are using this application class. This option proves very helpful when attempting to troubleshoot an application class, because the links provided are clickable and bring you directly to the rule Configuration page you select without the need to search for the rule on the Rules page.

You can see from the predefined Command Shell application class example configuration that this class is Windows specific and enables you to apply rules to the processes related to your specifically named command shells. This particular application class is used in several predefined modules and several rules that are listed by number and are clickable links. (You can display this information by clicking Show Reference List, as mentioned earlier.)

Now that you know the specific rules and modules that this example relates to, take a look at an example of how to apply it. In this example, Rule 121, as shown in Figure 5-4, is a rule within the Required Windows System module that uses the Command Shell application class. You can translate Rule 121 to read as follows: Allow and do not log when desktop interface applications attempt to run applications in the Command Shell application class. You can see that the goal of the rule is to allow desktop applications to launch command shells on your protected endpoints.

Figure 5-4. Rule 121 Using the Example Application Class

Built-In Application Classes

You can use built-in application classes when defining rules, but you cannot edit them in the application class Configuration page. These application classes are also predefined on the CSA MC at installation time, but differ in that they are not configurable but can still be used in your rules. They serve very special purposes and use underlying code to provide classification rather than the CSA MC variables other application classes use. Built-in application classes display differently from other application classes in that they are surrounded by brackets, as shown in Figure 5-5.

Figure 5-5. Built-In Application Classes

NOTE

There are two types of built-in application classes: editable and noneditable. Editable built-in application classes are identified by the asterisk in the name after the opening bracket, whereas noneditable built-in application classes are in brackets but do not include the asterisk in the name.

Configurable built-in application classes are also surrounded by brackets, but include a leading asterisk in the name (for example, <*Suspected Virus Applications>). You can configure these built-in application classes, but you can use them only with a rule that dictates what causes processes to become classified as one of these particular application types. You can edit the classes with asterisks (*); however, you should do so only if absolutely necessary. Built-in application classes that do not have the asterisk in front of their name have a special purpose; therefore, you cannot edit them.

NOTE

You can find a complete list of the built-in application classes and their descriptions in the CSA MC online Help documents via the Help link at the upper-right corner of all CSA MC web pages.

Here is a list of some of the built-in application classes:

First Time Application Execute: Includes executables the first time they are run on a system since the installation of the CSA.

Network Applications: Includes any process that connects as a client or server accessing the network.

Processes Created by Network Applications: Includes any process started by a network application.

Processes Monitoring the Keyboard: Includes all processes that monitor keystrokes.

The following list includes a few of the built-in configurable application classes:

Installation Applications: Includes processes that are installing software on the protected agent machine.

Processes Copying Untrusted Content: Includes processes that copy executables that should not be trusted and have arrived on the system as downloaded content.

Processes Executing Untrusted Content: Includes every downloaded executable or running process that interprets downloaded content.

Introducing Static and Dynamic Application Classes

Application classes are extremely important to CSA success and past performance. Within application classes, you can explicitly identify certain processes by name; such processes are called static application classes. You can also create an application class whose members dynamically change over time as certain processes exhibit specific behaviors. The next few sections examine these two application class types.
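The membership options described under Configuring Application Classes (the three This Application Class Includes choices and the Remove Process from Application Class timer), the Rule 121 translation, and the static versus dynamic distinction just introduced can all be modelled in a small policy engine. The Python below is an added example written for this page; it is not CSA code and does not reproduce the product's matching engine. The class names, inclusion modes, and Rule 121 wording come from the chapter; the Process and Rule structures, the run_application and network_connect event names, the executables in the constructed process tree, the Temporary Installer Access class with its 60-second timer, and the default deny when no rule matches are all assumptions made for illustration.

```python
"""Added example (not CSA code): application-class membership and rule matching
modelled as the chapter describes it. Everything below the constants is assumed."""
from dataclasses import dataclass, field
from typing import Optional

# The three "This Application Class Includes" choices from the Configuration page.
ONLY_THIS_PROCESS = "Only This Process"
PROCESS_AND_DESCENDANTS = "This Process and All of Its Descendents"
ONLY_DESCENDANTS = "Only Descendents of This Process"


@dataclass
class Process:
    pid: int
    exe: str                                   # executable name, e.g. "cmd.exe"
    parent: Optional["Process"] = None
    started: float = 0.0                       # constructed clock, in seconds
    tags: dict = field(default_factory=dict)   # dynamic class tag -> time it was applied

    def ancestors(self):
        p = self.parent
        while p is not None:
            yield p
            p = p.parent


@dataclass
class ApplicationClass:
    name: str
    executables: frozenset = frozenset()       # static definition: explicit executable names
    dynamic: bool = False                      # "When Dynamically Defined by Policy Rules"
    tag: Optional[str] = None                  # behaviour tag to look for (defaults to name)
    includes: str = PROCESS_AND_DESCENDANTS
    remove_after: Optional[float] = None       # "Remove Process from Application Class" timer

    def _joined_at(self, proc):
        """When this process itself became a member, or None if it never did."""
        if self.dynamic:
            return proc.tags.get(self.tag or self.name)
        return proc.started if proc.exe.lower() in self.executables else None

    def _member_itself(self, proc, now):
        joined = self._joined_at(proc)
        if joined is None:
            return False
        return self.remove_after is None or now - joined < self.remove_after   # timer expiry

    def contains(self, proc, now=0.0):
        """Apply the inclusion mode: the process itself, its ancestors, or both."""
        if self.includes != ONLY_DESCENDANTS and self._member_itself(proc, now):
            return True
        if self.includes != ONLY_THIS_PROCESS:
            return any(self._member_itself(a, now) for a in proc.ancestors())
        return False


@dataclass
class Rule:
    number: int
    action: str               # "allow" or "deny"
    log: bool
    actor: ApplicationClass   # class of the process attempting the action
    resource: str             # assumed event name, e.g. "run_application"
    target: ApplicationClass  # class of the application being run


def evaluate(rules, actor, resource, target, now=0.0):
    """Return (action, log, rule number) for the first matching rule; assumed default is deny+log."""
    for r in rules:
        if r.resource == resource and r.actor.contains(actor, now) and r.target.contains(target, now):
            return r.action, r.log, r.number
    return "deny", True, None


def observe(proc, event, now, net_class):
    """Dynamic classification: a process that opens a network connection is tagged."""
    if event == "network_connect":
        proc.tags.setdefault(net_class.name, now)


# Constructed classes: static ones list executables, dynamic ones rely on behaviour tags.
COMMAND_SHELL = ApplicationClass("Command Shell", frozenset({"cmd.exe", "command.com"}))
DESKTOP_APPS = ApplicationClass("Desktop Interface Applications", frozenset({"explorer.exe"}),
                                includes=ONLY_THIS_PROCESS)
NETWORK_APPS = ApplicationClass("Network Applications", dynamic=True, includes=ONLY_THIS_PROCESS)
NET_CHILDREN = ApplicationClass("Processes Created by Network Applications", dynamic=True,
                                tag="Network Applications", includes=ONLY_DESCENDANTS)
TEMP_ACCESS = ApplicationClass("Temporary Installer Access", frozenset({"setup.exe"}), remove_after=60.0)

# Rule 121 as the chapter translates it: allow, do not log, desktop apps running Command Shell apps.
RULE_121 = Rule(121, "allow", False, DESKTOP_APPS, "run_application", COMMAND_SHELL)


def rule_121_decision():
    explorer = Process(100, "explorer.exe")
    cmd = Process(200, "cmd.exe", parent=explorer)
    return evaluate([RULE_121], explorer, "run_application", cmd)   # ("allow", False, 121)


def descendant_membership():
    explorer = Process(100, "explorer.exe")
    cmd = Process(200, "cmd.exe", parent=explorer)
    child = Process(300, "ipconfig.exe", parent=cmd)
    # Command Shell includes descendants, so the child is in; Desktop Apps is "Only This Process".
    return COMMAND_SHELL.contains(child), DESKTOP_APPS.contains(cmd)   # (True, False)


def network_classification():
    mail = Process(400, "outlook.exe")
    observe(mail, "network_connect", now=5.0, net_class=NETWORK_APPS)
    doc = Process(500, "winword.exe", parent=mail)
    return (NETWORK_APPS.contains(mail, 10.0), NETWORK_APPS.contains(doc, 10.0),
            NET_CHILDREN.contains(doc, 10.0), NET_CHILDREN.contains(mail, 10.0))


def timed_removal(now):
    setup = Process(600, "setup.exe", started=0.0)
    return TEMP_ACCESS.contains(setup, now)   # True at 30 s, False at 90 s
```

The "Only Descendents of This Process" mode is what makes Processes Created by Network Applications work without listing a single executable: it re-uses the Network Applications tag but only honours it on ancestors, so the mail client itself is excluded while anything it spawns is included. The timed-removal check is what keeps a temporarily elevated installer from staying in its privileged class indefinitely, which is the concern the chapter raises about proxy access through a later-compromised process.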

Creating a Static Application Class

Static application classes relate to applications you know are running in your environment that you want to control through CSA rules. You can create an application class by following these steps:

Step 1. Choose Configuration > Applications > Application Classes [Windows] from the navigation bar.

Step 2. Click New at the bottom of the page.

Step 3. Create a name. The example shown in Figure 5-6 uses Test Telnet Application Class. The name should always be fairly descriptive to make future configuration and management tasks easier.

Figure 5-6. Static Application Class
