Creating Policy Elements
Policy rule criteria consist of resource sets, user sets, signature sets, process sets, action, and effect, and are called policy elements. These elements should exist on the CipherTrust Manager before you can use them in security policies. This section describes steps to create policy elements using the CTE API.
The following sections cover user sets, resource sets, signature sets, and process sets.
Creating User Sets
- The name field is mandatory for creating a user set.
- Any number of users can be added to a single user set.
- Add users by specifying uname, gname, uid, or gid.
The following sample creates a user set, UserSet1, with two users, user1 and user2.
API
/v1/transparent-encryption/usersets
Sample
{
    "name": "UserSet1",
    "users": [
        {
            "gid": 1001,
            "gname": "user1",
            "os_domain": "Linux",
            "uid": 1001,
            "uname": "user1"
        },
        {
            "gid": 1002,
            "gname": "user2",
            "os_domain": "Linux",
            "uid": 1002,
            "uname": "user2"
        }
    ]
}
Creating Resource Sets
- The name field is mandatory for creating a resource set.
- The type field determines the type of the resource set. The type can be Directory or Classification. The default type is Directory.
- Any number of resources can be added to a single resource set.
- Add resources by specifying paths using the directory and/or file fields. For Directory type resource sets, you can specify whether to include subdirectories by using include_subfolders. Set it to true to include subdirectories, or to false to exclude them.
- Set hdfs to true for an HDFS path.
The following samples create two resource sets, ResourceSet1 and ResourceSetHDFS1, each of the type Directory and having two resources.
API
/v1/transparent-encryption/resourcesets
Sample
{
    "name": "ResourceSet1",
    "resources": [
        {
            "directory": "/home/test-user/dir1/",
            "file": "*.txt",
            "include_subfolders": true
        },
        {
            "directory": "/home/test-user/dir2/",
            "file": "*.bin",
            "include_subfolders": true
        }
    ],
    "type": "Directory"
}
Sample (HDFS)
{
    "name": "ResourceSetHDFS1",
    "resources": [
        {
            "directory": "/home/test-user/dir3/",
            "file": "*.txt",
            "include_subfolders": true,
            "hdfs": true
        },
        {
            "directory": "/home/test-user/dir4/",
            "file": "*.bin",
            "include_subfolders": true,
            "hdfs": true
        }
    ],
    "type": "Directory"
}
Creating Signature Sets
- The name field is mandatory for creating a signature set.
- Any number of sources can be added to a single signature set.
The following sample creates a signature set, SignatureSet1 having a source_list of two processes, /usr/bin and /usr/sbin.
API
/v1/transparent-encryption/signaturesets
Sample
{
    "name": "SignatureSet1",
    "source_list": [
        "/usr/bin",
        "/usr/sbin"
    ]
}
Creating Process Sets
- The name field is mandatory for creating a process set.
- Any number of processes can be added to a single process set.
- Add processes by specifying their details using signature, directory, and/or file.
The following sample creates a process set, ProcessSet1 having two processes with their signature, directory, and process file name.
API
/v1/transparent-encryption/processsets
Sample
{
    "name": "ProcessSet1",
    "processes": [
        {
            "signature": "SignatureSet1",
            "directory": "/home/testUser",
            "file": "*"
        },
        {
            "signature": "SignatureSet2",
            "directory": "/home/kyloTest",
            "file": "kylo.bin"
        }
    ]
}
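A pre-flight check for the request bodies described in the sections above, as an added example that is not part of the CipherTrust documentation or the CTE API. The function name check_element, the problem messages, and the rule that a process set may only reference an already known signature set are assumptions made for illustration; the field rules are the ones listed on this page.

```python
import json

def check_element(kind, raw, known_signature_sets=()):
    """Return the problems found in one request body; kind is the last
    segment of the API path on this page (usersets, resourcesets, ...)."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    problems = []
    name = body.get("name")
    if not isinstance(name, str) or not name:
        problems.append("name is mandatory")
    if kind == "usersets":
        for i, user in enumerate(body.get("users", [])):
            if not any(k in user for k in ("uname", "gname", "uid", "gid")):
                problems.append(f"users[{i}]: needs uname, gname, uid or gid")
    elif kind == "resourcesets":
        if body.get("type", "Directory") not in ("Directory", "Classification"):
            problems.append("type must be Directory or Classification")
        for i, res in enumerate(body.get("resources", [])):
            if "directory" not in res and "file" not in res:
                problems.append(f"resources[{i}]: needs directory and/or file")
            for flag in ("include_subfolders", "hdfs"):
                if flag in res and not isinstance(res[flag], bool):
                    problems.append(f"resources[{i}].{flag}: must be true or false")
    elif kind == "processsets":
        for i, proc in enumerate(body.get("processes", [])):
            sig = proc.get("signature")
            # Assumption: a referenced signature set has to exist already.
            if sig is not None and sig not in known_signature_sets:
                problems.append(f"processes[{i}]: unknown signature set {sig!r}")
    return problems

# Constructed inputs: the first has an unquoted string value, the second
# is the ProcessSet1 body from this page.
BAD_USER_SET = '{"name": UserSet1, "users": [{"uid": 1001, "uname": "user1"}]}'
PROCESS_SET = json.dumps({"name": "ProcessSet1", "processes": [
    {"signature": "SignatureSet1", "directory": "/home/testUser", "file": "*"},
    {"signature": "SignatureSet2", "directory": "/home/kyloTest", "file": "kylo.bin"},
]})

if __name__ == "__main__":
    print(check_element("usersets", BAD_USER_SET))
    print(check_element("processsets", PROCESS_SET, {"SignatureSet1"}))
```

With only SignatureSet1 in the known list, the second call reports the ProcessSet1 entry that references SignatureSet2, a signature set this section does not create.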