Creating and Editing Linux Prevent Rules

You can create prevent rules on Linux operating systems only. The Unix systems Solaris, AIX, and HP-UX are not supported.

ITM On-Prem (ObserveIT) can prevent unauthorized Linux commands from being executed, based on flexible prevent rules that you define. For example, if a user attempts to run commands that manipulate sensitive protection policy files, the commands are blocked from execution, preventing access to the protection policy files. You can also define rules that detect and prevent SFTP commands sent from remote servers with the intent of bypassing security controls. Supported SFTP commands include: MKDIR, RMDIR, LS, RM, GET, PUT, LN, RENAME, CHOWN, CHMOD.

Prevent rules are configured by ITM On-Prem (ObserveIT) administrators to define the conditions under which an alert is triggered. Whereas alert rules can warn the user about out-of-policy behavior, prevent rules are designed to stop the user from continuing with their current activity. When a prevent rule is triggered, the current activity is blocked and the user receives the standard operating system "Permission denied" message together with a text message (if configured). The user cannot acknowledge the message, explain their actions, or view a security-related policy.

When creating (or editing) a prevent rule, you can configure a detection policy that answers the following questions:

  • Who?: Who was logged in to the session when the alert was triggered?

  • Did what?: What was the user doing when the alert was triggered?

  • On which computer?: On which computer was the user logged in?

After defining a detection policy, the only action you can apply to the user if an alert is triggered is to "Prevent Execution" of the activity they were trying to perform. You can choose to display a message to the user, but the user cannot acknowledge the message, explain their actions, or view the company policy. You can also change the recording mode from Commands-only to Standard.

The ITM On-Prem (ObserveIT) installation package includes an extensive library of prevention rules that can be applied on Linux operating systems. You can use these "System" rules to match the security needs of your organization.

Creating and editing prevention rules is done from the Alert & Prevent Rules page in the ITM On-Prem Web Console. You can navigate to this page via Configuration > Alert & Prevent Rules.

The following steps are required to define a prevention rule:

  1. Specify the prevent rule details. For details, see Defining Rule Details.

  2. Configure a detection policy for the rule that will trigger the alert. For details, see Configuring a Detection Policy for Prevent Rules.

  3. Specify the action to take. The only action you can apply to the end user for a prevent rule is to "Prevent Execution". For details, see Configure the Prevent Execution Action.

  4. When you have finished creating your rule, click Save to save your settings.

The newly configured Linux prevent type rule is displayed in the Alert & Prevent Rules page. See Viewing Rules.

Lists cannot be used when configuring prevention rules; prevention rule configuration is based on specific content (Items) only.

Example

Following is an example of a prevent rule that triggers a high risk level alert if a non-admin user attempts to run the su command to switch identity, even when the user has root permissions. The su command is blocked from execution, preventing the user from changing identity. Security administrators are then able to view a recording of the user's activities in Standard mode (all commands and terminal output).
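To make the shape of such a rule concrete, the following Python model is an added illustration, not ObserveIT's own code: it expresses a prevent rule as the three detection-policy questions (Who? Did what? On which computer?) plus the single "Prevent Execution" action, and evaluates the su example and an SFTP example against constructed command events. The admin user list, host names and rule messages are assumptions for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample data: which accounts count as administrators, and the
# SFTP verbs the page lists as supported. Not taken from a real deployment.
ADMIN_USERS = {"root", "opsadmin"}
SFTP_COMMANDS = {"MKDIR", "RMDIR", "LS", "RM", "GET", "PUT",
                 "LN", "RENAME", "CHOWN", "CHMOD"}

@dataclass
class Event:
    user: str                 # "Who?": account logged in to the session
    command: str              # "Did what?": shell command name or SFTP verb
    host: str                 # "On which computer?"
    via_sftp: bool = False    # SFTP verbs are matched case-insensitively

@dataclass
class PreventRule:
    name: str
    risk: str
    commands: Set[str]                      # specific items only, no lists
    hosts: Optional[Set[str]] = None        # None = any computer
    exclude_users: Set[str] = field(default_factory=set)
    message: str = ""                       # optional text shown to the user
    switch_to_standard_recording: bool = False

@dataclass
class Decision:
    blocked: bool
    os_message: str = ""
    user_message: str = ""
    alert_risk: str = ""
    recording_mode: str = "Commands-only"

def evaluate(rule: PreventRule, event: Event) -> Decision:
    """Apply one prevent rule to one event; block only when all three match."""
    if event.user in rule.exclude_users:
        return Decision(blocked=False)
    if rule.hosts is not None and event.host not in rule.hosts:
        return Decision(blocked=False)
    cmd = event.command.upper() if event.via_sftp else event.command
    if cmd not in rule.commands or (event.via_sftp and cmd not in SFTP_COMMANDS):
        return Decision(blocked=False)
    # The only available action: prevent execution, report "Permission denied",
    # optionally show a message and switch the session to Standard recording.
    return Decision(True, "Permission denied", rule.message, rule.risk,
                    "Standard" if rule.switch_to_standard_recording else "Commands-only")

SU_RULE = PreventRule("Block su for non-admin users", "High", {"su"},
                      exclude_users=ADMIN_USERS, switch_to_standard_recording=True,
                      message="Identity switching is not permitted.")  # assumed text
SFTP_RULE = PreventRule("Block remote SFTP RM/CHMOD on policy host", "High",
                        {"RM", "CHMOD"}, hosts={"policy01"})  # assumed host name
```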

The following topics describe how to: