About Application Control rules
August 5, 2024
ID 261135
An Application Control rule is a set of settings that contains the conditions for triggering the rule and the action that the Application Control component performs when the rule is triggered (allowing or blocking users from starting the application):
- The application belonging to the application category. An application category is a group of applications with common characteristics. Examples are a category that includes the executable files of installed applications, or a category of applications required for operation, which includes the standard set of applications used by the organization. Each category can only be used in one rule.
  Kaspersky Industrial CyberSecurity for Linux Nodes does not support KL categories of Kaspersky Security Center.
- Permission or prohibition for selected users and/or user groups to run applications. You can specify a user and/or user group that is allowed or not allowed to run applications of the specified category.
- Rule triggering condition. A condition is represented by the following correspondence: "condition type – condition criterion – condition value". Based on the rule triggering condition, Kaspersky Industrial CyberSecurity for Linux Nodes applies or does not apply the rule to the application. The rules use inclusive and exclusive conditions:
  - Inclusive conditions. Kaspersky Industrial CyberSecurity for Linux Nodes applies the rule to the application if the application meets at least one inclusive condition.
  - Exclusive conditions. Kaspersky Industrial CyberSecurity for Linux Nodes does not apply the rule to the application if the application meets at least one exclusive condition or does not meet any of the inclusive conditions.
Rule triggering conditions are created using the following criteria:
- Name of the application's executable file.
- Name of the directory with the application's executable file.
- Hash of the application's executable file. Only SHA256 is allowed.
For each criterion used in the condition, a value must be specified.
You can use masks to specify the names of files and directories.
If the properties of the application being launched (file name, directory, or hash) match the criteria specified in an inclusive condition, the rule is triggered. In this case, Kaspersky Industrial CyberSecurity for Linux Nodes performs the action specified in the rule. If the application's properties match the criteria specified in an exclusive condition, Kaspersky Industrial CyberSecurity for Linux Nodes does not control the application launch.
Application control rules can have one of the following operation statuses:
- Enabled: the rule is enabled, and Kaspersky Industrial CyberSecurity for Linux Nodes applies this rule for Application Control.
- Disabled: the rule is disabled and is not used for Application Control.
- Test: Kaspersky Industrial CyberSecurity for Linux Nodes allows launching applications that meet the rule criteria, but logs information about launches of these applications in the report.
The priority of the rule operation status is higher than the priority of the action specified in the rule.
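The evaluation order described above (exclusive conditions first, then inclusive conditions, then status before action) can be modeled in a few lines. This is an added example, not Kaspersky code: the class names, criterion labels and return strings are hypothetical, masks are assumed to behave like shell-style wildcards, and users and categories are left out.

```python
import fnmatch
import hashlib
import posixpath
from dataclasses import dataclass, field


@dataclass
class Condition:
    criterion: str  # "file_name", "directory" or "sha256" (hypothetical labels)
    value: str      # mask for the two name criteria, hex digest for sha256

    def matches(self, path: str, content: bytes) -> bool:
        if self.criterion == "file_name":
            return fnmatch.fnmatchcase(posixpath.basename(path), self.value)
        if self.criterion == "directory":
            return fnmatch.fnmatchcase(posixpath.dirname(path), self.value)
        if self.criterion == "sha256":
            return hashlib.sha256(content).hexdigest() == self.value.lower()
        raise ValueError(f"unknown criterion: {self.criterion}")


@dataclass
class Rule:
    action: str   # "allow" or "block"
    status: str   # "enabled", "disabled" or "test"
    include: list
    exclude: list = field(default_factory=list)

    def applies(self, path: str, content: bytes) -> bool:
        # An exclusive match, or no inclusive match, means the rule is not applied.
        if any(c.matches(path, content) for c in self.exclude):
            return False
        return any(c.matches(path, content) for c in self.include)

    def decide(self, path: str, content: bytes) -> str:
        if self.status == "disabled" or not self.applies(path, content):
            return "not_applied"
        if self.status == "test":
            return "allow_and_log"  # status outranks the rule's action
        return self.action


# Constructed sample: block launches from /opt/tools except one known build.
TRUSTED = b"constructed trusted binary"
SAMPLE = Rule("block", "enabled",
              include=[Condition("directory", "/opt/tools")],
              exclude=[Condition("sha256", hashlib.sha256(TRUSTED).hexdigest())])
```

Switching the same rule to the Test status shows why a blocking rule can be trialed safely: the launch is allowed and only reported.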