McAfee HISCDE-AB-IA Product Guide - Page 129
Appendix A - Writing Custom Signatures and Exceptions
Non-Windows custom signatures

Note 3

The directive unixfile:link has a different meaning when combined with section files and section source:

• Combined with section files, it means that creating a link to the file in the section files is monitored.
• Combined with section source, it means that no link can be created with the name as specified in the section source.

Note 4

The directive unixfile:rename has a different meaning when combined with section files and section source:

• Combined with section files, it means that renaming of the file in the section files is monitored.
• Combined with section source, it means that no file can be renamed to the file in the section source.

Note 5

By default, all zones are protected by the signature. To restrict protection to a particular zone, add a zone section in the signature and include the name of the zone. For example, if you have a zone named "app_zone" whose root is /zones/app, then the rule:

    Rule {
        ...
        file { Include "/tmp/test.log" }
        zone { Include "app_zone" }
        ...
    }

would apply only to the file in the zone "app_zone" and not in the global zone. Note that in this release, web server protection cannot be restricted to a particular zone.

Advanced details

Some or all of the following parameters appear in the Advanced Details tab of security events for the class UNIX_file. The values of these parameters can help you understand why a signature is triggered.

GUI name: Explanation

• files: Names of the file that was accessed or attempted to be accessed.
• source: Only applicable when operation is the creation of a symbolic link between files: name of the new link; or when operation is the renaming of a file: new name of the file.
• file permission: Permissions of the file.
• source permission: Only applicable when operation is the creation of a symbolic link between files: permissions of the target file (the file to which the link points). Solaris only.
• new permission: Only applicable when creating a new file or when doing a chmod operation: permissions of the new file. Solaris only.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5