Configuring a Detection Policy for Linux Prevent Rules

This topic describes how to configure a detection policy when creating (or editing) a prevent type rule. Prevent rules can be configured for Linux operating systems only.

A detection policy comprises the conditions that you configure for your rule. When all of these conditions are met, an alert is triggered. You configure the detection policy for a prevent rule in the Detection Policy area of the Create Linux Prevent Rule page.

Before you begin, it is recommended that you read the topic Understanding the Logic for Defining Rule Conditions, which describes the expected behavior of the system when defining a detection policy.

To create a detection policy for a prevent rule

  • In the Alert & Prevent Rules tab, click the New Linux Prevent Rule button.

    The Create Linux Prevent Rule page opens in which you can define the conditions for your detection policy.

The following conditions enable you to configure a detection policy for triggering alerts:

Condition              Description                                              For details, see...
"Who?"                 Who is the user for whom the alert will be generated?    Defining the "Who?" Conditions
"Did What?"            What actions did the user perform?                       Executed Command
"On Which Computer?"   Name of the computer on which the action occurred.       Defining the "On Which Computer" Conditions

Note: The only "Did What?" condition that you can configure for a prevent rule is "Executed Command" (based on command name and/or arguments).