Home > Articles > Cisco Network Technology > General Networking > Creating Custom Policies for the Cisco Security Agent

Creating Custom Policies for the Cisco Security Agent

Chapter Description

Creating your own policies is a major part of operating a successful CSA deployment. To accomplish this, you must thoroughly understand the components available to you and the methods of research available. Understanding the rule types and the events caused by those rules helps you move forward in your deployment and perform day-to-day support. A solid grasp of the fundamentals and advanced components not only makes you an effective administrator but also an efficient one. This chapter will help you get started with this.

Using Dynamic Application Classes

Dynamic application classes are a key component in the CSA architecture. Learning to use these effectively allows you to complete complex tasks using a limited number of rules rather than a great number of static rules. After you understand how to use this type of control, you will use it often and continue to become a more effective and efficient CSA administrator.

An example of dynamic application classes follows. The example tunes an item many corporations use to simplify their environments. Many companies use mass deployment software distribution products to install software, software updates, and patches to their systems automatically. Because the software deployment mechanism is trusted, no CSA administrator wants to tune the policy for every software installation and update. Instead, you can build a rule module that makes use of a dynamic application class to provide the capabilities needed to all the installers that are started by the trusted deployment mechanism.

For this example, assume the software distribution mechanism is named AUTO-INSTALLER.EXE and is pre-installed on every system. The following steps walk you through a high-level approach that enables you to create your own policy that allows your enterprise software distribution system to function.

  1. Create an application class named AUTO-INSTALLER.EXE that includes your application as shown in Figure 9-12.
    ah160912.jpg

    Figure 9-12 AUTO-INSTALLER.EXE Application Class

  2. Create another application class named Processes Started by AUTO-INSTALLER.EXE and Children.
    • This is a dynamic application class that includes processes started by AUTO-INSTALLER.EXE and their child processes as well. You select only When Dynamically Defined by Policy Rules to make this a dynamic application class. Do not select This process and all its descendants. You can see the configuration of this in Figure 9-13.
      ah160913.jpg

      Figure 9-13 Dynamic Application Class

  3. Create a policy named Installation Policy and a rule module named Installation Rule Module that you can associate to the policy.
  4. Create the following rules in the rule module.
    1. Add an Application Control rule that has an action of Add New Process to Application Class and select Our Dynamic Application Class from the dropdown list. Select the Allow checkbox to list the type of matching action. Select AUTO-INSTALLER.EXE and Processes Started by AUTO-INSTALLER.EXE and Children as the application classes to monitor. Finally, select All applications under attempt to run. This is shown in Figure 9-14.

      ah160914.jpg

      Figure 9-14 Tagging Child Processes

      This rule can be interpreted as, "When AUTO-INSTALLER.EXE, processes started by AUTO-INSTALLER.EXE, and all subsequent processes start any allowed application, add the new process (as a child) to the dynamic application class."

      If you turn on logging for this rule, you can see the process tree of who starts whom. You might not want to do this in a production environment due to the load it can create on the CSA MC, but it can be useful at times.

    2. Clone the Application Control Rule described previously by selecting the rule from the rule module and pressing the Copy button to copy a clone to the same rule module. Edit the new rule and change the action associated to the new rule to Allow and also the description as shown in Figure 9-15.

      ah160915.jpg

      Figure 9-15 Allow the Installers to Execute Applications

      This rule allows the installation program and any software package, patch, or update to start any programs required to complete the installation. This also allows the installer to start the patches and other installers in the first place.

    3. Add a File Access Control rule to allow AUTO-INSTALLER.EXE and the contents of the dynamic application class to Read File, Write File, and Write Directory on all files. This allows the installer to write to all locations required, which includes writing DLLs and services. It is important to test your installers before allowing your mass distribution system to install the software. Remember, you assume that anything installed by your installation and distribution program is trusted 100 percent. This rule is displayed in Figure 9-16.
      ah160916.jpg

      Figure 9-16 Allow the Installers to Write Files

    4. Add a Registry Access Control rule to allow the same two application classes to write to all registry locations.
    5. Add a System API Control rule that allows whatever temporary security controls you want to provide to the installers. Common installer System API rule violations could include: trapping keystrokes, accessing memory of other applications, injecting code into other applications, and accessing functions in data or stack.

Remember, this policy does not weaken the entire system, but just provides these specific installation applications the temporary rights they need to complete an installation without causing the CSA administrator the headache of providing updated policy every time a new installation occurs. The key to everything in the previous example is the dynamic application class and the amount of intelligence and control it provides you. Mastering this concept ensures a successful deployment. The list of rules we added, as seen in Figure 9-17, might not be a complete configuration for every installation application on the market, but should provide you a start in creating your own policy.

ah160917.jpg

Figure 9-17 List of Rules from the Installation Policy