Adding a Command to Policy Group
2 min
once the application policy group is created, it will become visible in the application catalog using the button highlighted in red below, you can modify the group's settings, add new commands, or delete the policy group entirely when add a new application is clicked on the screen shown above, the following information must be completed in the pop up window to add the command to the policy group in this example, the chown command is designated as the target for the policy the command matcher type can be set to either exactly or startswith in this instance, "exactly" is selected, meaning the policy will trigger only if the executed command matches "chown" precisely if "startswith" were chosen, the policy would apply to any command beginning with "chown " for the parameter field, the value "pamuser" is provided with the contains matcher type this ensures the policy is applied if the string "pamuser" appears anywhere within the full command string (command plus its parameters) matcher type can also be exactly regarding the command path , both exactly and startswith matcher types are available this setting verifies the directory from which the command is executed in this example, the policy triggers if the “ chown” command originates from a directory within /usr/bin/ alternatively, the full path to the command could be specified using the "exactly" matcher type the working directory refers to the directory where the end user is currently located when executing the command available matcher types include exactly and startswith in this example, the policy will only be enforced if the user runs the chown command while working inside /home/pamuser note that only the command entry (along with its matcher type) is mandatory; the other configurations are optional these fields function with and logic; if any of the specified rules do not match the executed command, the policy will not be applied after adding the details for the command, you must also specify how any potential subprocesses should be handled in the second step if the chown command in our example has a subprocess, the policy selected here—either block or allow—will be applied initially, a general policy for handling subprocesses is defined when creating the policy group this general policy applies to all commands within the group by default however, if a specific subprocess policy is defined during the individual command addition (step 2), it will override the group level policy and take precedence the priority of policy groups is managed using the up and down arrows located within the red box shown in the screen below a specific command may exist in multiple policy groups simultaneously in such cases, the agent determines which policy to enforce based on the priority order of the groups the command itself is the primary factor in this comparison; the parameters, command path, or working directory do not influence the priority determination if the same command is found in different groups, the agent applies the policy from the group with the highest priority (the one positioned further up the list) you can easily adjust these priority levels by moving the policy groups up or down using the arrow buttons