![Enterprise Cloud Security and Governance](https://wfqqreader-1252317822.image.myqcloud.com/cover/344/36700344/b_36700344.jpg)
Application control
Application control is another useful feature for production environments. It allows only certain trusted software and scripts to run on the servers; all other software and scripts are blocked, even if you run them as the root user.
Let's look at one of the good parts of this approach. Assume that you have whitelisted a script named test.sh, which has the following contents:
![](https://epubservercos.yuewen.com/F6ABA3/19470399208914606/epubprivate/OEBPS/Images/Chapter_33.jpg?sign=1739335791-dYSiNVu90jZsErVhrCSUFk8xXOWtdeDr-0-3e36056c82fd32b10882a05e5fa45653)
We have whitelisted this specific script and user. With the appropriate permission, we will be able to execute the script:
![](https://epubservercos.yuewen.com/F6ABA3/19470399208914606/epubprivate/OEBPS/Images/Chapter_303.jpg?sign=1739335791-BVGR59yRzZ0o8C5iiIP943oGQ2ryBYMc-0-37ff67bf1e474e8a1ae7a14ddd826465)
If the script is later modified (typical of web-based attacks, which alter a script to include a custom vector), application control blocks its execution. The script was allowed, but the modified version is not, and this holds even when it is run as the root user.
In order to demonstrate the preceding point, I have added a small dot on the second line:
![](https://epubservercos.yuewen.com/F6ABA3/19470399208914606/epubprivate/OEBPS/Images/Chapter_288.jpg?sign=1739335791-Kuno3zx39pUIjLXWwPptMDEwZJgL6PxP-0-4b7400e949be5577497f1e0971b02879)
Now, since the contents of the file have been modified, which can be considered a malicious action (without proper whitelisting), if we try to run the script, the action will be blocked:
![](https://epubservercos.yuewen.com/F6ABA3/19470399208914606/epubprivate/OEBPS/Images/Chapter_31.jpg?sign=1739335791-gVJJGGp6TUdYn8bylFyhyjpal36akMmM-0-413c193aec18fd76453bfcec0ce2fa89)
Similarly, when we try to start software that is not whitelisted, we will not be allowed to do so, even though we are trying it as the root user:
![](https://epubservercos.yuewen.com/F6ABA3/19470399208914606/epubprivate/OEBPS/Images/Chapter_51.jpg?sign=1739335791-qtZn1f6xLdu02RVKwPnW4mCTfMm4yD9c-0-9dca353289c0ba946ac0acd8321680ad)
All blocked actions are logged and are visible in the central Deep Security Manager dashboard. The dashboard also helps us see whether any scripts tried to execute but were blocked, and the security engineer will be alerted:
![](https://epubservercos.yuewen.com/F6ABA3/19470399208914606/epubprivate/OEBPS/Images/Chapter_7.jpg?sign=1739335791-VeVDyfMTMBqwPhFy8Mpulzn1HeXLWRmZ-0-1a340a9014e31b18411f4614f7aa6c09)
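The behavior walked through above (approved script runs, a one-character change blocks it, unlisted software is blocked, every block is logged) can be modeled in a few lines. This is an added example, not code from the book or from Deep Security. It assumes the allowlist compares a SHA-256 of the file contents, and the `AllowList` class, file names and script contents are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash file contents in chunks so large binaries are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class AllowList:
    """Hypothetical content-based allowlist: resolved path -> approved SHA-256."""
    def __init__(self):
        self.approved = {}
        self.blocked_events = []  # stands in for the central dashboard log

    def approve(self, path):
        self.approved[str(Path(path).resolve())] = sha256_of(path)

    def decide(self, path):
        """Return (allowed, reason). The caller's uid is never consulted,
        so running as root does not change the outcome."""
        key = str(Path(path).resolve())
        if key not in self.approved:
            verdict = (False, "not allowlisted")
        elif sha256_of(path) != self.approved[key]:
            verdict = (False, "content changed since approval")
        else:
            verdict = (True, "allowlisted")
        if not verdict[0]:
            self.blocked_events.append((key, verdict[1]))
        return verdict

def demo():
    """Constructed walk-through mirroring the test.sh scenario above."""
    with tempfile.TemporaryDirectory() as d:
        script = Path(d, "test.sh")
        script.write_text("#!/bin/bash\necho hello\n")   # constructed contents
        other = Path(d, "unlisted.sh")                   # never approved
        other.write_text("#!/bin/bash\necho other\n")
        al = AllowList()
        al.approve(script)
        results = [al.decide(script)]                    # unchanged: allowed
        script.write_text("#!/bin/bash\n.echo hello\n")  # one dot added on line 2
        results.append(al.decide(script))                # modified: blocked
        results.append(al.decide(other))                 # unlisted: blocked
        return results, len(al.blocked_events)

if __name__ == "__main__":
    print(demo())
```

Re-approving a legitimately changed script means calling `approve` again, which is the step an operator has to perform after every deployment that touches allowlisted files.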
This concludes the section on application control, and we can now move on to another, more important module: IPS functionality.