Creating Policy Elements
Policy rule criteria consist of resource sets, user sets, signature sets, process sets, action, and effect, and are called policy elements. These elements should exist on the CipherTrust Manager before you can use them in security policies.
Although you can add policy elements when creating policies, it may be a better approach to have them created in advance. This document describes creation of policy elements separately, before creating policies.
A CipherTrust Manager administrator can create, modify, and delete resource sets, user sets, process sets, and signature sets on the CipherTrust Manager. Actions and effects are preconfigured on the CipherTrust Manager.
After you have created policy elements, you can use them in creating and configuring policies. Refer to Creating Policies for details.
Creating Resource Sets
A resource is a combination of a directory, a file, and patterns or special variables. A resource set is a named collection of directories, files, or both, that a user or process will be permitted or denied access to.
Use the Create Resource Set wizard to create resource sets.
Open the Transparent Encryption application.
Click Policies > Policy Elements.
On the Resource Sets tab, click Create Resource Set. The Create Resource Set wizard is displayed.
On the General Info screen:
Enter a unique Name for the set.
The name must start with a character. The maximum length can be 64 characters. The name can contain alphanumeric characters, underscores (_), and dashes (-). The name cannot contain the following special characters:
? : ; | ! @ # $ % ^ & * < = > + ( ) { } ~ , \ / [ ] ' "
Make sure that Directory is selected as the Resource Set Type.
The resource set type Classification is used by CipherTrust Intelligent Protection.
Provide a Description for the set.
Click Next. The Add Resources screen is displayed.
Specify the resource Directory.
Note
Resource sets must be relative to the guard path. Resource sets created using the absolute paths are not supported.
The path must end with a slash. For example, a Windows path must end with a \ (backward slash). A Linux path must end with a / (forward slash).
Specify a File or enter the asterisk (*). The asterisk acts as a wildcard character.
Note
An asterisk can be used to include all files of a specific extension in the resource set. For example, to include all text files under a resource directory, specify *.txt.
Later, a policy with the desired permissions can be applied to the resource set. That policy will apply to all files of the specified extension under the specified resource directory.
(Optional) Specify whether to include subfolders in the set. Turn on Include Sub Folders. By default, the subfolders are not included.
(Optional, Linux only) Turn on the HDFS File System toggle for an HDFS resource. When you turn on this toggle, ensure that Directory and File contain HDFS paths.
HDFS is applicable to Linux clients. By default, the HDFS File System toggle is turned off. Keep it turned off for a non-HDFS resource.
Note
To protect an HDFS resource, the CTE clients (NameNode and DataNodes in the HDFS cluster) must be configured for HDFS. Refer to the "Installing CTE on Hadoop" section in the CTE Agent for Linux Advanced Configuration document for details.
Note
For the list of supported HDFS systems, refer to the Compatibility Matrix for CTE Agent with Data Security Manager. The matrix also applies to the CTE clients registered with the CipherTrust Manager.
Click Next. The Confirmation screen is displayed.
The screen shows general information about the set and the selected resources.
Verify the resource set details.
If the details are incorrect or you want to modify them, click Back and update the details. To add another resource, click Add Another Resource, and specify the details, as described above.
Click Save. The resource set is created.
The newly created resource set appears on the Resource Sets tab.
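To make the naming and path rules above concrete, here is an added Python example (not CipherTrust Manager code; the product enforces these rules in its own UI and API) that checks a set name against the stated rules and models how a resource entry's directory, file pattern and Include Sub Folders flag determine which files under a GuardPoint are covered. Reading "must start with a character" as an ASCII letter, Linux-style forward slashes, and the fnmatch-based wildcard are assumptions of the example; the same name rules apply to user, process and signature sets.

```python
import re
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Characters the page lists as not allowed in a policy element name.
FORBIDDEN_NAME_CHARS = set("?:;|!@#$%^&*<=>+(){}~,\\/[]'\"")


def validate_set_name(name: str) -> list[str]:
    """Check a resource/user/process/signature set name against the page's
    rules. Returns a list of problems; an empty list means the name is valid.
    Assumption: "must start with a character" is read as an ASCII letter."""
    if not name:
        return ["name is empty"]
    problems = []
    if len(name) > 64:
        problems.append("longer than 64 characters")
    if not (name[0].isascii() and name[0].isalpha()):
        problems.append("must start with a letter")
    forbidden = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if forbidden:
        problems.append("contains forbidden characters: " + " ".join(forbidden))
    other = sorted({c for c in name
                    if c not in FORBIDDEN_NAME_CHARS
                    and not ((c.isascii() and c.isalnum()) or c in "_-")})
    if other:
        problems.append("contains unsupported characters: " + " ".join(other))
    return problems


def validate_resource_dir(directory: str) -> list[str]:
    """Directory rules from the page: relative to the guard path and ending
    with a slash (Linux-style forward slashes are used in this example)."""
    problems = []
    if directory.startswith("/"):
        problems.append("absolute paths are not supported; use a path relative to the guard path")
    if not directory.endswith("/"):
        problems.append("directory must end with a slash")
    return problems


class Resource:
    """One entry of a resource set: a directory, a file pattern and the
    Include Sub Folders flag."""

    def __init__(self, directory: str, file: str = "*", include_subfolders: bool = False):
        problems = validate_resource_dir(directory)
        if problems:
            raise ValueError(f"{directory!r}: " + "; ".join(problems))
        self.directory = PurePosixPath(directory)   # "data/" -> data
        self.file = file                             # "*" or e.g. "*.txt"
        self.include_subfolders = include_subfolders

    def matches(self, rel_path: str) -> bool:
        """rel_path is a file path relative to the GuardPoint, e.g. "data/report.txt"."""
        path = PurePosixPath(rel_path)
        parent = path.parent
        in_dir = parent == self.directory
        if not in_dir and self.include_subfolders:
            in_dir = self.directory in parent.parents
        # The asterisk is a wildcard over the file name only, never over "/".
        return in_dir and fnmatchcase(path.name, self.file)


def resource_set_covers(resources: list[Resource], rel_path: str) -> bool:
    """A path is covered by a resource set if any of its resources match it."""
    return any(r.matches(rel_path) for r in resources)
```

Without Include Sub Folders a pattern such as *.txt under data/ covers data/report.txt but not data/2024/report.txt; with the flag on, the nested file is covered too, while files in sibling directories are never covered.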
Creating User Sets
A user set is a collection of users and user groups that you want to grant or deny access to GuardPoints. User sets are configured in policies. Policies can be applied to user sets, not to individual users.
Use the Create User Set wizard to create user sets. The wizard provides two ways to add members to a user set: query the registered client, or manually enter the members (individual members, groups, or group members). If needed, you can manually add AD users to a user set.
Creating User Sets by Browsing the Client
To create a user set:
Open the Transparent Encryption application.
Click Policies > Policy Elements.
Click the User Sets tab.
Click Create User Set. The Create User Set wizard is displayed.
On the General Info screen:
Enter a unique Name for the set.
The name must start with a character. The maximum length can be 64 characters. The name can contain alphanumeric characters, underscores (_), and dashes (-). The name cannot contain the following special characters:
? : ; | ! @ # $ % ^ & * < = > + ( ) { } ~ , \ / [ ] ' "
(Optional) Provide a Description for the set.
Click Next. The Add Users screen is displayed.
On the Add Users screen:
Click Create User. By default, the Manually Add Users tab is active.
Click the Browse to Add Users tab.
This tab allows you to browse the client for members. To add members manually, refer to Creating User Sets by Adding Members Manually.
Select a Connection Type. You can select either Agent or LDAP.
If Agent is selected as the Connection Type:
Click Select. The list of registered clients is displayed.
Select the desired client. Members, groups, or group members of this client will be added to the set.
Click Select. The IP address or hostname of the selected client is displayed next to the Select button. The User Type and Member Choice fields are also displayed.
Select the desired User Type. The options are:
System: Select to add system users to the user set.
From the Member Choice drop-down list, select members. The options are:
Users: Users of the client.
Groups: User groups of the client.
Group Members: Group members of the client. When you select this option, the Select Groups field appears. This is a mandatory field. Select a group from the drop-down list. Search will retrieve members of the selected group.
Click Apply. The search result based on the specified criteria is displayed on the right. A set of sample system users/groups is displayed below.
The search can display only the first 100 results. Refine your search by entering the exact name.
Select the desired members from the list.
LDAP: Select to add LDAP users to the user set.
From the Member Choice drop-down list, select members. The options are:
Users: Users of the client.
Groups: User groups of the client.
Group Members: Group members of the client. When you select this option, the Select Groups field appears. This is a mandatory field. Select a group from the drop-down list. Search will retrieve members of the selected group.
Click Apply. The LDAP Credentials dialog box is displayed.
Specify LDAP credentials to browse LDAP users and groups.
Domain: User-friendly network address that can be resolved through the Domain Name System (DNS).
Username: Name of the LDAP user for LDAP authentication.
Password: Password of the LDAP user for LDAP authentication.
Click Submit. The search result based on the specified criteria is displayed on the right. A set of sample LDAP users/groups is displayed below.
The search can display only the first 100 results. Refine your search by entering the exact name.
If the specified LDAP credentials are incorrect or you want to change them, click Edit Credentials and specify the updated details.
Select the desired members from the list.
Click Create.
If LDAP is selected as the Connection Type:
Select LDAP Connection from the drop-down list.
From the Member Choice drop-down list, select members. The options are:
Users: Users of the client.
Groups: User groups of the client.
Group Members: Group members of the client. When you select this option, the Select Groups field appears, which lists the Common Name (CN) of the groups. This is a mandatory field. Select a group from the drop-down list.
(Optional) Enter an LDAP Query to filter members meeting specific criteria.
For example, if you select Users in the Member Choice drop-down list, enter (&(objectClass=posixAccount)(uidNumber=2001)) in the LDAP Query field, and click Apply, the search results will only display users with the UID number 2001.
Max Number of Entries to Return: Number of records to return in the search results. Enter a number from 1 to 10000. For example, if you enter 100, 100 members will be displayed in the search results on the right.
Click Apply. Search will retrieve members based on the specified search criteria.
Select the desired users/groups.
Click Create.
To add more users, click Create User. You can add System and LDAP users and groups simultaneously.
If you want to remove users from the set, identify the user and click Remove.
Click Next. The Confirmation screen shows general information about the set and the selected members.
Verify the set details.
If the details are incorrect or you want to modify them, click Back and update the details.
Click Save. The user set is created.
The newly created set appears on the User Sets tab.
Creating User Sets by Adding Members Manually
This method is useful when you already know the names of users and groups that should be added to a user set. Also, use this method to add AD users and groups to the user set.
Using Variables
You can also use the variables |uname| (user name) and |gname| (group name) when adding members manually. On UNIX systems, |uid| and |gid| can also be used.
When the security rule is applied, the variable is replaced by the actual user name or user group name. For example, if Directory is set to /opt/local/|gname|, when you later make /opt/local the GuardPoint, only the members of the group engineering in Users are allowed access to /opt/local/engineering. |uname| and |gname| act like macros.
Similarly, if you want to define a policy to protect all of the user directories under /home, you don't need to enumerate /home/user1, /home/user2, /home/user3, and so on. You only need to define /home/|uname|. When the agent evaluates the policy, it replaces |uname| with the actual user. So, when user1 logs on, the agent evaluates the policy with /home/user1. They can't access /home/user2.
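The following added Python example (not agent code from CTE or Thales) models the macro expansion described above: it substitutes |uname|, |gname|, |uid| and |gid| for the requesting user and decides whether a requested path falls under the expanded directory. The sample users, the treatment of a user with several groups (any group matches) and the refusal to expand |gname| for a user with no groups are assumptions of the example; the absolute /home/|uname| and /opt/local/|gname| forms follow this section's own examples.

```python
import re
from pathlib import PurePosixPath

VARIABLE_RE = re.compile(r"\|(uname|gname|uid|gid)\|")

# Constructed sample users. "groups" lists every group the user belongs to;
# "gid" is the primary group ID (the page says to specify only the primary GID).
USERS = {
    "user1": {"uname": "user1", "uid": 1001, "gid": 100, "groups": ["engineering"]},
    "user2": {"uname": "user2", "uid": 1002, "gid": 200, "groups": ["finance", "audit"]},
    "svc":   {"uname": "svc",   "uid": 1003, "gid": 300, "groups": []},
}


def expand_template(template: str, user: dict) -> list[str]:
    """Return every concrete directory the template can denote for this user.
    |uname|, |uid| and |gid| have one value each; |gname| yields one expansion
    per group the user belongs to (assumption: membership in any group counts).
    A user with no groups gets no expansion for a |gname| template at all, so
    the rule can never silently collapse to the parent directory."""
    needs_group = "|gname|" in template
    groups = user["groups"] if needs_group else [None]
    if needs_group and not groups:
        return []
    expansions = []
    for group in groups:
        values = {"uname": user["uname"], "uid": str(user["uid"]),
                  "gid": str(user["gid"]), "gname": group or ""}
        expansions.append(VARIABLE_RE.sub(lambda m: values[m.group(1)], template))
    return expansions


def path_under(path: str, directory: str) -> bool:
    """True if path equals directory or lies somewhere beneath it."""
    p, d = PurePosixPath(path), PurePosixPath(directory)
    return p == d or d in p.parents


def access_allowed(rule_directory: str, requested_path: str, user: dict) -> bool:
    """Mimic the agent's evaluation of one rule: expand the directory for the
    requesting user and permit the request only if the path lies under one of
    the expansions. Directories use the absolute form of the page's own
    /home/|uname| and /opt/local/|gname| examples."""
    return any(path_under(requested_path, d)
               for d in expand_template(rule_directory, user))
```

With the rule directory /home/|uname|/, user1 is evaluated against /home/user1 and is refused /home/user2; with /opt/local/|gname|/, only members of engineering reach /opt/local/engineering.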
To create a user set:
Open the Transparent Encryption application.
Click Policies > Policy Elements.
Click the User Sets tab.
Click Create User Set. The Create User Set wizard is displayed.
On the General Info screen:
Enter a unique Name for the set.
The name must start with a character. The maximum length can be 64 characters. The name can contain alphanumeric characters, underscores (_), and dashes (-). The name cannot contain the following special characters:
? : ; | ! @ # $ % ^ & * < = > + ( ) { } ~ , \ / [ ] ' "
(Optional) Provide a Description for the set.
Click Next. The Add Users screen is displayed.
Click Create User.
To browse the client for members instead of adding them manually, click the Browse to Add Users tab. Refer to Creating User Sets by Browsing the Client for details.
On the Manually Add Users tab, specify the following details, as appropriate:
Element      Description
uname        Login name of the user.
UID          (AIX/Linux only) ID of the user.
gname        Comma-separated list of group names.
GID          (AIX/Linux only) Group ID of the user. Specify only the primary group ID.
OS domain    (Windows only) Network domain of the user. Multiple domain names, separated by commas, can be entered. Specify the string localhost to configure a generic domain.
Click Create.
To add more users, click Create User. You can add different types of users and groups simultaneously.
If you want to remove users from the set, identify the user and click Remove next to the user.
Click Next. The Confirmation screen shows general information about the set and the selected members.
Verify the set details.
If the details are incorrect or you want to modify them, click Back and update the details.
Click Save. The user set is created.
The newly created set appears on the User Sets tab.
Creating Signature Sets
A signature set is a collection of hashes of processes and executables that you want to grant or deny access to GuardPoints. A signature set can be configured in a policy as part of a process set to verify the integrity of a process before it is allowed access to guarded data. Policies are applied to signature sets, not to individual signatures.
To create a signature set:
Open the Transparent Encryption application.
Click Policies > Policy Elements.
Click the Signature Sets tab.
Click Create Signature Set. The General Info screen of the Create Signature Set wizard is displayed.
General Info
Enter a unique Name for the set.
The name must start with a character. The maximum length can be 64 characters. The name can contain alphanumeric characters, underscores (_), and dashes (-). The name cannot contain the following special characters:
? : ; | ! @ # $ % ^ & * < = > + ( ) { } ~ , \ / [ ] ' "
Select Application as the Type. The signature set will have signatures of the running applications.
(Optional) Provide a Description for the set.
Enable or disable Add Signatures.
Click Next. The Add Sources screen is displayed. On this screen, you can add files to be signed, as described below.
Add Sources
Specify the path of the directory or file to be signed. If a directory is specified, all files in the directory and its subdirectories are signed.
The CipherTrust Manager provides an option to add multiple sources. A maximum of 200 sources can be added at once.
Click Add Source.
Click Select Client. The list of registered clients is displayed.
Select the desired client.
Click Select. The selected client appears next to the Change Client button (previously Select Client).
If needed, change the client by clicking Change Client.
Specify the path to be signed by either typing manually or using the browser.
To jump to a specific directory, enter the directory path in the Start Directory field and click Apply. The browser shows the subdirectories and files under that directory.
You cannot browse above the Start Directory. Enter a start point that is higher in the directory hierarchy than all the directories and files that you want to select, or you will have to re-enter start points to locate and select the desired files. The default is the top-level, either slash (Linux) or backslash (Windows).
Alternatively, if you know the directory path, you can enter it manually in the Path field.
Click Add Source. The selected source is displayed in the SELECTED SOURCES list.
Optionally, you can add a new source by clicking Add Source. To remove a source, click Remove to the right of the source. A signature set must contain at least one source.
Click Add. The selected source is displayed in the Source Directory list.
Optionally, you can add a new source by clicking Add Source. To remove a source, click the overflow icon corresponding to the source and click Remove.
Click Next. The Add Signatures screen is displayed. On this screen, you can manually add signatures or upload a CSV file containing signatures.
Add Signatures
The CipherTrust Manager provides options to add signatures to a signature set manually, and to upload the signatures to a signature set through CSV.
Click the desired tab to view the instructions.
Create Manually tab
Click Create Signature. The Create Manually tab is displayed.
Under Signature 1, enter the following details:
Program: Full path of the file.
Signature: Signature of the file.
To add multiple signatures, click + Add More Signatures. To remove a signature, click X.
Click Add. The signatures are added to the signature set. The list of programs and their signatures is displayed.
Optionally, you can add more signatures by clicking Create Signature, and repeating steps 2 and 3. To remove a signature, click the overflow icon corresponding to the signature and click Remove.
Click Next. The Confirmation screen is displayed. The screen shows the General Info, Sources and Signatures details of the signature set.
Upload tab
Click Create Signature. The Create Manually tab is displayed.
Click the Upload tab.
Next to Upload CSV, click Browse.
Select and upload the CSV file. The Upload CSV field shows the uploaded file.
Click Add. The signatures from the CSV file are added. The name of the file is displayed.
Optionally, you can change the file by clicking Create Signature, and repeating steps 2 and 3. To remove the file, click the overflow icon corresponding to the uploaded CSV file and click Remove.
Click Next. The Confirmation screen is displayed. The screen shows the General Info, Sources and Signatures details of the signature set.
Confirmation
Verify the set details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Save.
The newly created set appears on the Signature Sets tab. By default, the signature set has the status UNSIGNED.
It is recommended that the signature set is signed before you apply policies to processes. This ensures that a tampered-with or compromised process executable is not granted permissions to access protected GuardPoints. Refer to Signing Files in a Signature Set for details.
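As an added illustration of what a signature set protects against (example code, not the product's own signing routine), the Python below hashes every file under a source directory, exports the Program/Signature pairs as CSV in the shape of the Create Manually fields, re-imports them, and then reports whether a process executable still matches its recorded signature. SHA-256 as the hash, the two-column CSV layout and the sample files are assumptions; the page does not state which algorithm CTE uses or the exact upload format.

```python
import csv
import hashlib
import hmac
import io
import tempfile
from pathlib import Path

HASH_ALGORITHM = "sha256"   # assumption for this example; the page does not name CTE's algorithm


def file_signature(path) -> str:
    """Hash a file's contents in chunks so large executables need not fit in memory."""
    digest = hashlib.new(HASH_ALGORITHM)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_signature_set(sources) -> dict:
    """Sign every source. A file source contributes itself; a directory source
    contributes all files in it and its subdirectories, as the page describes."""
    signatures = {}
    for src in sources:
        src = Path(src)
        files = [src] if src.is_file() else sorted(p for p in src.rglob("*") if p.is_file())
        for f in files:
            signatures[str(f.resolve())] = file_signature(f)
    return signatures


def to_csv(signatures: dict) -> str:
    """Serialize as Program,Signature rows (the two fields of the Create Manually
    tab; the exact layout the Upload tab expects is an assumption)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Program", "Signature"])
    for program in sorted(signatures):
        writer.writerow([program, signatures[program]])
    return buf.getvalue()


def from_csv(text: str) -> dict:
    return {row["Program"]: row["Signature"] for row in csv.DictReader(io.StringIO(text))}


def verify_process(program, signatures: dict) -> str:
    """What a policy learns about a process before granting access: 'ok' if the
    on-disk executable still matches its recorded signature, 'tampered' if it
    does not, 'unsigned' if the set has no entry for it."""
    expected = signatures.get(str(Path(program).resolve()))
    if expected is None:
        return "unsigned"
    actual = file_signature(program)
    return "ok" if hmac.compare_digest(expected, actual) else "tampered"


def demo() -> dict:
    """Constructed scenario: sign a directory of two sample programs, export and
    re-import the set as CSV, then modify one program in place."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        (bindir / "tools").mkdir(parents=True)
        app = bindir / "app"
        helper = bindir / "tools" / "helper"
        app.write_bytes(b"\x7fELF constructed sample program 1")
        helper.write_bytes(b"\x7fELF constructed sample program 2")

        signatures = from_csv(to_csv(build_signature_set([bindir])))
        app_before = verify_process(app, signatures)

        app.write_bytes(b"\x7fELF constructed sample program 1 + modified content")
        stranger = Path(tmp) / "stranger"
        stranger.write_bytes(b"not part of the set")

        return {
            "entries": len(signatures),
            "helper": verify_process(helper, signatures),
            "app_before": app_before,
            "app_after": verify_process(app, signatures),
            "stranger": verify_process(stranger, signatures),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the UNSIGNED status above is visible in demo(): until the set holds signatures, every process verifies as "unsigned", and a modified executable only shows up as "tampered" once a signature for it has been recorded.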
Creating Signature Sets for Container Images
A signature set is a collection of file names and their signatures. A signature is a hash of a process or an executable file. Through signature sets, a signature can be used to verify the integrity of the process before it is allowed access to the guarded data.
You can enter the full path of files and their signatures manually or use the browser to upload YAML files containing the list of files and their signatures.
To create a signature set for CTE for Container Images:
Open the Transparent Encryption application.
Click Policies > Policy Elements.
Click the Signature Sets tab.
Click Create Signature Set. The General Info screen of the Create Signature Set wizard is displayed.
General Info
Enter a unique Name for the set.
The name must start with a character. The maximum length can be 64 characters. The name can contain alphanumeric characters, underscores (_), and dashes (-). The name cannot contain the following special characters:
? : ; | ! @ # $ % ^ & * < = > + ( ) { } ~ , \ / [ ] ' "
Select Container Image as the Type. The signature set will have the signatures of containers.
(Optional) Provide a Description for the set.
Enable or disable Add Signatures.
Click Next. The Add Sources screen is displayed. On this screen, you can add source paths or upload the YAML file containing the source paths, as described below.
Add Sources
Specify the path of the directory or file to be signed. If a directory is specified, all files in the directory and its subdirectories are signed.
The CipherTrust Manager provides an option to add multiple sources. A maximum of 200 sources can be added at once.
Click the desired tab to view the instructions.
Create Manually tab
Click Add Source. The Create Manually tab is displayed.
In the Enter Source field, add the source for the container images to be trusted.
Click Add. The sources are added to the signature set. The Source Directory list is displayed.
Optionally, you can add more sources by clicking Add Source, and repeating steps 2 and 3. To remove a source, click the overflow icon corresponding to the source and click Remove.
Click Next. The Add Signatures screen is displayed. On this screen, you can manually add signatures or upload the list of signatures.
Browse tab
Click Add Source. The Create Manually tab is displayed.
Click the Browse tab.
Next to Upload YAML, click Browse.
Select and upload the YAML file that contains the source for the container images to be trusted. The Upload YAML field shows the uploaded file.
Click Add. The sources from the YAML file are added. The name of the file is displayed.
Optionally, you can change the file by clicking Add Source, and repeating steps 2 and 3. To remove the uploaded file, click the overflow icon corresponding to the source and click Remove.
Click Next. The Add Signatures screen is displayed. On this screen, you can manually add signatures or upload the list of signatures.
Note
The Add Signatures tab is displayed only if you selected Add Signatures on the General Info screen.
Add Signatures
The CipherTrust Manager provides options to add signatures to a signature set manually, and to upload the signatures to a signature set through CSV.
Click the desired tab to view the instructions.
Create Manually tab
Click Create Signature. The Create Manually tab is displayed.
Under Signature 1, enter the following details:
Program: Full path of the file.
Signature: Signature of the file.
To add multiple signatures, click + Add More Signatures. To remove a signature, click X.
Click Add. The signatures are added to the signature set. The list of programs and their signatures is displayed.
Optionally, you can add more signatures by clicking Create Signature, and repeating steps 2 and 3. To remove a signature, click the overflow icon corresponding to the signature and click Remove.
Click Next. The Confirmation screen is displayed. The screen shows the General Info, Sources and Signatures details of the signature set.
Upload tab
Click Create Signature. The Create Manually tab is displayed.
Click the Upload tab.
Next to Upload CSV, click Browse.
Select and upload the CSV file. The Upload CSV field shows the uploaded file.
Click Add. The signatures from the CSV file are added. The name of the file is displayed.
Optionally, you can change the file by clicking Create Signature, and repeating steps 2 and 3. To remove the file, click the overflow icon corresponding to the uploaded CSV file and click Remove.
Click Next. The Confirmation screen is displayed. The screen shows the General Info, Sources and Signatures details of the signature set.
Confirmation
Verify the set details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Save.
The newly created set appears on the Signature Sets tab. By default, the signature set has the status UNSIGNED.
Creating Process Sets
A process set is a collection of processes (executables) that you want to grant or deny access to GuardPoints. Like user sets, process sets can be configured in policies. Policies can be applied to process sets, not to individual processes.
Optionally, file signing can be configured to check the authenticity and integrity of executables and applications before they are allowed to access GuardPoint data. A signature set must already exist before you can configure file signing in a policy for a process set.
Use the Create Process Set wizard to create process sets.
To create a process set:
Open the Transparent Encryption application.
Click Policies > Policy Elements.
Click the Process Sets tab.
Click Create Process Set. The Create Process Set wizard is displayed.
On the General Info screen:
Enter a unique Name for the set.
The name must start with a character. The maximum length can be 64 characters. The name can contain alphanumeric characters, underscores (_), and dashes (-). The name cannot contain the following special characters:
? : ; | ! @ # $ % ^ & * < = > + ( ) { } ~ , \ / [ ] ' "
Provide a Description for the set.
Click Next. The Add Processes screen is displayed.
On the Add Processes screen:
Click Create Process.
Click Select next to the Directory field. The Browse Path dialog box is displayed.
Click Select Client. The list of registered clients is displayed.
Select the desired client and click Add. The selected client appears next to the Change Client button. Click this button to change the client. The dialog box shows the filesystem of the selected client.
Select the directory and file(s). The selected path automatically appears in the Search Local Path field.
Alternatively, specify the process name (with its path) in the Search Local Path field. Use / (forward slashes) to specify the path. A directory path must end with /.
You can also Add Full Directory or select multiple files of a single directory individually. Select a file and click Add Path.
The selected directory and process appear in the Selected Directory and Selected Files fields. If a process is not selected, the Selected Files field shows an asterisk (*). The asterisk acts as a wildcard character.
Click Add.
Alternatively, you can update or specify the directory and process in the Directory and File fields. Use / (forward slashes) to specify the path. A directory path must end with /.
Link the desired signature set to the process set.
Click Select next to the Signature field. The list of Application type signature sets is displayed.
The signature sets of the Container Image type are not displayed. They are used by the CTE for Kubernetes policies.
Optionally, you can create a new signature set by clicking Create Signature Set, and link it with the process set. Refer to Creating Signature Sets for details.
Select the desired signature set.
Click Add.
The selected signature set appears in the Signature field.
Click Add. The Confirmation screen shows general information about the set.
Verify the set details.
If the details are incorrect or you want to modify them, click Back and update the details. To add another process, click Create Process, and specify the details, as described above.
To remove a process, click the overflow icon corresponding to the desired process and click Remove.
Click Next.
Review the process set details.
Click Save. The process set is created.
The newly created set appears on the Process Sets tab.
After you have created policy elements, you can use them in creating and configuring policies. Refer to Creating Policies for details.