Create a New Security Policy

Creates a new runtime security policy.

POST /csapi/v1.3/runtime/policies

Input Parameters

Each entry gives the parameter name, whether it is mandatory or optional, its data type, and a description.

name (Optional, string)
    Specify a name for the policy.

description (Optional, string)
    Provide a description of your policy.

policyMode (Mandatory, string)
    The mode the policy runs in. Possible values: ACTIVE, INACTIVE, PERMISSIVE. Values are case sensitive.

defaultNetworkAction (Mandatory, string)
    The default action when ruleType is NETWORK_OUTBOUND or NETWORK_INBOUND. Possible values: ALLOW or DENY. Values are case sensitive.

defaultExecuteAction (Mandatory, string)
    The default action when ruleType is SYSCALL. Possible values: ALLOW or DENY. Values are case sensitive.

defaultFileAction (Mandatory, string)
    The default action when ruleType is READ or WRITE. Possible values: ALLOW or DENY. Values are case sensitive.

ignoredSyscalls (Optional, string)
    A list of system call names to ignore for this policy. No events are created for ignored system calls, even when a policy rule matches. Only valid system call names are allowed. Enter the list like this: ["sys_read", "sys_write"]

rules (Optional, array)
    Policy rules defining controls for this policy, specified within an array. See Rule Parameters below.

Rule Parameters

Specify rules within an array. These rules define the controls enforced by the policy.

name (Mandatory, string)
    Specify a name for the rule.

inactive (Optional, Boolean)
    Specify whether the rule is inactive. false (the default) means the rule is active; true means the rule is not active.

ruleType (Mandatory, string)
    The type of rule. Possible values: READ, WRITE, NETWORK_OUTBOUND, NETWORK_INBOUND, SYSCALL. Values are case sensitive.

ipAddress (Mandatory when ruleType is NETWORK_OUTBOUND or NETWORK_INBOUND, string)
    Specify the IP address this rule applies to.

port (Optional when ruleType is NETWORK_OUTBOUND or NETWORK_INBOUND, integer)
    Specify the network port that this rule applies to.

program (Optional, string)
    Specify the path to the program that this rule applies to. Wildcards are allowed. The default value is "*".

file (Mandatory when ruleType is READ or WRITE, string)
    Specify the path to the file that the rule applies to.

syscall (Mandatory when ruleType is SYSCALL, string)
    The system call provided must be a valid system call name.

arg1 (Mandatory when ruleType is SYSCALL, string)
    Variable argument. Usage differs depending on rule type. Used only in syscall rules.

arg2 (Optional, string)
    Variable argument. Usage differs depending on rule type. Used only in syscall rules.

arg3 (Optional, string)
    Variable argument. Usage differs depending on rule type. Used only in syscall rules.

action (Mandatory, string)
    The action taken when this rule is matched. Possible values: ALLOW, DENY, MONITOR. Values are case sensitive.

created (Optional, string)
    Timestamp for when the object was created, in the format YYYY-MM-DDThh:mm:ss.sssZ.

updated (Optional, string)
    Timestamp for when the object was last updated, in the format YYYY-MM-DDThh:mm:ss.sssZ.

Sample

API request

    curl --location --request POST "<qualys_base_url>/csapi/v1.3/runtime/policies" \
    --header "Authorization: Bearer <token>" \
    --header "Content-Type: text/plain" \
    --data-raw '{
        "name": "Prevent Shadow Access To User",
        "created": "2020-11-10T08:14:22.509Z",
        "updated": "2020-11-10T08:14:22.509Z",
        "defaultNetworkAction": "ALLOW",
        "defaultExecuteAction": "ALLOW",
        "defaultFileAction": "ALLOW",
        "rules": [
            {
                "id": "5faa4bdeeda7de00015142c0",
                "name": "Deny access in cat /etc/shadow",
                "created": "0001-01-01T00:00:00Z",
                "updated": "0001-01-01T00:00:00Z",
                "inactive": false,
                "ruleType": "SYSCALL",
                "program": "*/cat",
                "action": "DENY",
                "file": "/etc/shadow",
                "port": 0,
                "ipAddress": "",
                "syscall": "sys_open",
                "arg1": "/etc/shadow",
                "arg2": "",
                "arg3": ""
            }
        ],
        "ignoredSyscalls": [],
        "policyMode": "ACTIVE",
        "description": "Example policy denies access to /etc/shadow from program cat"
    }'

Response

    {
        "id": "5fb5e21f5caea20001fd27ce",
        "name": "Prevent Shadow Access To User",
        "created": "2020-11-19T03:10:23.36Z",
        "updated": "2020-11-19T03:10:23.36Z",
        "defaultNetworkAction": "ALLOW",
        "defaultExecuteAction": "ALLOW",
        "defaultFileAction": "ALLOW",
        "rules": [
            {
                "id": "5faa4bdeeda7de00015142c0",
                "name": "Deny access in cat /etc/shadow",
                "created": "0001-01-01T00:00:00Z",
                "updated": "0001-01-01T00:00:00Z",
                "inactive": false,
                "ruleType": "SYSCALL",
                "program": "*/cat",
                "action": "DENY",
                "file": "/etc/shadow",
                "port": 0,
                "ipAddress": "",
                "syscall": "sys_open",
                "arg1": "/etc/shadow",
                "arg2": "",
                "arg3": ""
            }
        ],
        "ignoredSyscalls": [],
        "policyMode": "ACTIVE",
        "description": "Example policy denies access to /etc/shadow from program cat"
    }
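The parameter tables above carry several constraints the API enforces but the request sample does not illustrate: the enumerated values are case sensitive, and which rule fields are mandatory depends on ruleType. The following added example (not Qualys code) checks a policy payload against those rules before sending it to the endpoint documented on this page; the base URL and token are placeholders you supply, and the client sends the same Content-Type the curl sample uses.

```python
import json
import urllib.request

# Allowed values and per-ruleType mandatory fields, taken from the tables above; all case sensitive.
POLICY_MODES = {"ACTIVE", "INACTIVE", "PERMISSIVE"}
DEFAULT_ACTIONS = {"ALLOW", "DENY"}
RULE_ACTIONS = {"ALLOW", "DENY", "MONITOR"}
REQUIRED_BY_TYPE = {"READ": ("file",), "WRITE": ("file",), "SYSCALL": ("syscall", "arg1"),
                    "NETWORK_OUTBOUND": ("ipAddress",), "NETWORK_INBOUND": ("ipAddress",)}

def validate_policy(policy):
    """Return a list of problems; an empty list means the payload is well-formed."""
    errors = []
    if policy.get("policyMode") not in POLICY_MODES:
        errors.append(f"policyMode must be one of {sorted(POLICY_MODES)}")
    for key in ("defaultNetworkAction", "defaultExecuteAction", "defaultFileAction"):
        if policy.get(key) not in DEFAULT_ACTIONS:
            errors.append(f"{key} must be ALLOW or DENY")
    for i, rule in enumerate(policy.get("rules", [])):
        where, rtype = f"rules[{i}]", rule.get("ruleType")
        if rtype not in REQUIRED_BY_TYPE:
            errors.append(f"{where}: unknown ruleType {rtype!r}")
        else:
            for field in REQUIRED_BY_TYPE[rtype]:
                if not rule.get(field):
                    errors.append(f"{where}: {field} is mandatory when ruleType is {rtype}")
        if rule.get("action") not in RULE_ACTIONS:
            errors.append(f"{where}: action must be ALLOW, DENY or MONITOR")
    return errors

def create_policy(base_url, token, policy):
    """Validate, then POST; returns the parsed response, which carries the new policy id."""
    if errors := validate_policy(policy):
        raise ValueError("; ".join(errors))
    req = urllib.request.Request(
        f"{base_url}/csapi/v1.3/runtime/policies", method="POST",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "text/plain"},
    )
    with urllib.request.urlopen(req) as resp:  # live call; not exercised offline
        return json.load(resp)

# Constructed sample mirroring the page's cat /etc/shadow example.
EXAMPLE_POLICY = {
    "name": "Prevent Shadow Access To User", "policyMode": "ACTIVE",
    "defaultNetworkAction": "ALLOW", "defaultExecuteAction": "ALLOW", "defaultFileAction": "ALLOW",
    "rules": [{"name": "Deny access in cat /etc/shadow", "ruleType": "SYSCALL", "program": "*/cat",
               "syscall": "sys_open", "arg1": "/etc/shadow", "action": "DENY"}],
}
```

Running validate_policy locally before create_policy turns a rejected request into a readable list of which table constraint was violated, which is easier to act on than a bare HTTP error.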