Creates a new runtime security policy.
Parameter | Mandatory/Optional | Data Type | Description |
---|---|---|---|
name | Optional | string | Specify a name for the policy. |
description | Optional | string | Provide a description of your policy. |
policyMode | Mandatory | string | Use policyMode to specify the policy mode using a string value. Possible values: ACTIVE, INACTIVE, PERMISSIVE. Values are case sensitive. |
defaultNetworkAction | Mandatory | string | The default action when ruleType is NETWORK_OUTBOUND or NETWORK_INBOUND. Possible values: ALLOW or DENY. Values are case sensitive. |
defaultExecuteAction | Mandatory | string | The default action when ruleType is SYSCALL. Possible values: ALLOW or DENY. Values are case sensitive. |
defaultFileAction | Mandatory | string | The default action when ruleType is READ or WRITE. Possible values: ALLOW or DENY. Values are case sensitive. |
ignoredSyscalls | Optional | string | Define a list of system call names to ignore for this policy. No events will be created for ignored system calls even if there is a policy rule match. Only valid system call names are allowed. Enter a list of values like this: ["sys_read", "sys_write"] |
rules | Optional | - | Policy rules defining controls for this policy, specified within an array. See Rule Parameters below. |
Rule Parameters
Specify rules within an array. These rules define the controls for the policy.
Parameter | Mandatory/Optional | Data Type | Description |
---|---|---|---|
name | Mandatory | string | Specify a name for the rule. |
inactive | Optional | Boolean | Specify whether the rule is inactive. Specify false (the default) if the rule is active. Specify true if the rule is not active. |
ruleType | Mandatory | string | Specify the type of rule. Possible values: READ, WRITE, NETWORK_OUTBOUND, NETWORK_INBOUND, SYSCALL. Values are case sensitive. |
ipAddress | Mandatory when ruleType is NETWORK_OUTBOUND or NETWORK_INBOUND | string | Specify the IP address this rule applies to. |
port | Optional when ruleType is NETWORK_OUTBOUND or NETWORK_INBOUND | integer | Specify the network protocol that this rule applies to. |
program | Optional | string | Specify the path to the program that this rule applies to. Wildcards are allowed. The default value is "*". |
file | Mandatory when ruleType is READ or WRITE | string | Specify the path to the file that the rule applies to. |
syscall | Mandatory when ruleType is SYSCALL | string | The system call provided must be a valid system call name. |
arg1 | Mandatory when ruleType is SYSCALL | string | Variable argument. Usage differs depending on rule type. Used only in syscall rules. |
arg2 | Optional | string | Variable argument. Usage differs depending on rule type. Used only in syscall rules. |
arg3 | Optional | string | Variable argument. Usage differs depending on rule type. Used only in syscall rules. |
action | Mandatory | string | Specify the action that should be taken if this rule is matched. Possible values: ALLOW, DENY, MONITOR. Values are case sensitive. |
created | Optional | string | Timestamp for when the object was created, in the format ['YYYY'-'MM'-'DD'T'hh':'mm':'ss'.'sss'Z]. |
updated | Optional | string | Timestamp for when the object was last updated, in the format ['YYYY'-'MM'-'DD'T'hh':'mm':'ss'.'sss'Z]. |
API request

The request body is JSON; it is wrapped in single quotes so the embedded double quotes reach curl intact, and each header line is continued with a backslash.

```bash
curl --location --request POST "<qualys_base_url>/csapi/v1.3/runtime/policies" \
  --header "Authorization: Bearer <token>" \
  --header "Content-Type: text/plain" \
  --data-raw '{
    "name": "Prevent Shadow Access To User",
    "created": "2020-11-10T08:14:22.509Z",
    "updated": "2020-11-10T08:14:22.509Z",
    "defaultNetworkAction": "ALLOW",
    "defaultExecuteAction": "ALLOW",
    "defaultFileAction": "ALLOW",
    "rules": [
      {
        "id": "5faa4bdeeda7de00015142c0",
        "name": "Deny access in cat /etc/shadow",
        "created": "0001-01-01T00:00:00Z",
        "updated": "0001-01-01T00:00:00Z",
        "inactive": false,
        "ruleType": "SYSCALL",
        "program": "*/cat",
        "action": "DENY",
        "file": "/etc/shadow",
        "port": 0,
        "ipAddress": "",
        "syscall": "sys_open",
        "arg1": "/etc/shadow",
        "arg2": "",
        "arg3": ""
      }
    ],
    "ignoredSyscalls": [],
    "policyMode": "ACTIVE",
    "description": "Example policy denies access to /etc/shadow from program cat"
  }'
```
Response

```json
{
  "id": "5fb5e21f5caea20001fd27ce",
  "name": "Prevent Shadow Access To User",
  "created": "2020-11-19T03:10:23.36Z",
  "updated": "2020-11-19T03:10:23.36Z",
  "defaultNetworkAction": "ALLOW",
  "defaultExecuteAction": "ALLOW",
  "defaultFileAction": "ALLOW",
  "rules": [
    {
      "id": "5faa4bdeeda7de00015142c0",
      "name": "Deny access in cat /etc/shadow",
      "created": "0001-01-01T00:00:00Z",
      "updated": "0001-01-01T00:00:00Z",
      "inactive": false,
      "ruleType": "SYSCALL",
      "program": "*/cat",
      "action": "DENY",
      "file": "/etc/shadow",
      "port": 0,
      "ipAddress": "",
      "syscall": "sys_open",
      "arg1": "/etc/shadow",
      "arg2": "",
      "arg3": ""
    }
  ],
  "ignoredSyscalls": [],
  "policyMode": "ACTIVE",
  "description": "Example policy denies access to /etc/shadow from program cat"
}
```
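Because the enumerated values are case sensitive and several rule fields are mandatory only for a given ruleType, a policy body is easy to get subtly wrong before it ever reaches the API. The following added example (not Qualys code) checks a policy dictionary against exactly the constraints in the two parameter tables above and refuses to POST one that fails; `validate_policy` and `create_policy` are hypothetical helper names, and the endpoint, header and body shape are taken from the request above.

```python
import json
import urllib.request

# Allowed values, copied from the parameter tables; membership tests are case sensitive on purpose.
POLICY_MODES = {"ACTIVE", "INACTIVE", "PERMISSIVE"}
DEFAULT_ACTIONS = {"ALLOW", "DENY"}
RULE_ACTIONS = {"ALLOW", "DENY", "MONITOR"}
RULE_TYPES = {"READ", "WRITE", "NETWORK_OUTBOUND", "NETWORK_INBOUND", "SYSCALL"}
# Rule fields that become mandatory for a given ruleType (Rule Parameters table).
REQUIRED_BY_TYPE = {
    "READ": ["file"], "WRITE": ["file"],
    "NETWORK_OUTBOUND": ["ipAddress"], "NETWORK_INBOUND": ["ipAddress"],
    "SYSCALL": ["syscall", "arg1"],
}


def validate_policy(policy: dict) -> list:
    """Return the documented constraints the body violates; an empty list means it passes."""
    errors = []
    if policy.get("policyMode") not in POLICY_MODES:
        errors.append("policyMode must be ACTIVE, INACTIVE or PERMISSIVE (case sensitive)")
    for key in ("defaultNetworkAction", "defaultExecuteAction", "defaultFileAction"):
        if policy.get(key) not in DEFAULT_ACTIONS:
            errors.append(f"{key} must be ALLOW or DENY (case sensitive)")
    for i, rule in enumerate(policy.get("rules", [])):
        where = f"rules[{i}]"
        if not rule.get("name"):
            errors.append(f"{where}: name is mandatory")
        rtype = rule.get("ruleType")
        if rtype not in RULE_TYPES:
            errors.append(f"{where}: unknown ruleType {rtype!r}")
            continue  # type-dependent checks are meaningless without a valid type
        for field in REQUIRED_BY_TYPE[rtype]:
            if not rule.get(field):
                errors.append(f"{where}: {field} is mandatory when ruleType is {rtype}")
        if rule.get("action") not in RULE_ACTIONS:
            errors.append(f"{where}: action must be ALLOW, DENY or MONITOR (case sensitive)")
    return errors


def create_policy(base_url: str, token: str, policy: dict) -> bytes:
    """POST the policy to the runtime policies endpoint, but only after it validates."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        f"{base_url}/csapi/v1.3/runtime/policies",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "text/plain"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read()
```

Lower-case `"active"` or a NETWORK_INBOUND rule without `ipAddress` is rejected locally, so a misconfigured policy never reaches the API in a mode the author did not intend.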