Linking events to policies

The most important part of a security configuration is binding events to security policies, hereinafter also referred to as "event configuration".

There are two ways to bind events to policies: using matrix binding rules and through entity configuration. This article examines only matrix binding rules.

Declaration of entities (entity statement)

All entities included in a solution must be declared using the entity statement:

/* Declaration of the "services.core" and "einit" entities. */

entity services.core;

entity einit;

/* Declaration of all other entities included in the solution. */

...

About the request, response, security and execute statements

The following type of statement is used for event configuration:

<Event type> [Event attributes] {<List of called policies> [match statements]}

In this case:

  1. Event type is either request, response, security or execute.
  2. Event attributes are separated by a comma. The permissible attributes depend on the event type – see below. The names of entities, components, interfaces and methods in attributes are indicated identically to how they are described in edl, cdl and idl files.

    Please note that the kernel is presented as a separate entity named services.core for Kaspersky Security System.

  3. Policies being called are indicated in the format <instance name>.<policy name> [<configuration>] [(<arguments>)];.

    The policy configuration and arguments are optional.

    • A configuration is presented as a JSON value. To make the JSON expression more compact, quotation marks can be omitted if this will not lead to ambiguity.
    • Arguments are indicated in parentheses, separated by a comma and in the format message.<name>, where <name> is the argument name according to the IDL description. In addition to arguments of the called method, the src and dst attributes denoting the handles of entities can be passed to the policy. The entities indicated by the src and dst attributes depend on the event type – see below.

    A list of called policies is not required as long as there is at least one match substatement.

  4. Match statements let you create "embedded bindings" that inherit attributes of the parent binding statement.

Entity start event (execute statement)

An entity start event is configured using the execute statement. You can also indicate the src (name of the entity initiating the startup) and dst (name of the started entity) attributes, for example:

/* Two policies will be called when the "server" entity is started: request_state.allow and request_state.restart.

The first policy returns an "allowed" decision only if the "request_state" instance has the "ready_to_start" state.

The second policy switches the request_state instance to its original state and returns an "allowed" decision. */

execute dst=server {

request_state.allow [ready_to_start];

request_state.restart;

}

If at least one of the policies bound to an event returned the "deny" decision, the states of instances will not be changed.

In the example above, if the request_state instance has a state other than ready_to_start, startup of the server entity will be denied, and the state of the request_state instance will not be changed despite the request_state.restart policy being called.

If the src and dst attributes are not indicated, the execute statement configures the startup of all entities in the solution:

/* Configuration of startup of all entities (startup of all entities is allowed). */

execute { grant; }

In subsequent configuration examples, the list of policies contains a single grant policy for simplicity.

Request forwarding event (request statement)

The request forwarding event is configured using the request statement. For example:

/* Configuration of all requests. */

request { grant; }

The src and dst attributes are used to configure a request from a specific client to a specific server:

/* Configuration of all requests from the client entity. */

request src=client { grant; }

/* Configuration of all requests to the "server" entity. */

request dst=server { grant; }

The src and dst attributes can be used together:

/* Configuration of requests from the "client" entity to the "server" entity. */

request src=client, dst=server { grant; }

The endpoint attribute is used to configure a request to a specific interface implementation:

/* Configuration of requests for calling methods of the "ping_impl" interface implementation of the "ping_comp" component instance. */

request endpoint=ping_comp.ping_impl { grant; }

If you need to define a called method of a specific interface implementation, use the method attribute together with the endpoint attribute:

/* Configuration of requests for calling the Ping method of the "ping_impl" interface implementation of the "ping_comp" component instance. */

request endpoint=ping_comp.ping_impl, method=Ping { grant; }

To configure a query to any implementation of a specific interface, use the interface attribute – only together with the method attribute:

/* Configuration of requests for calling the Ping method of any "IPing" interface implementations from the "ping" package. */

request interface=ping.IPing, method=Ping { grant; }

Response forwarding event (response statement)

A response forwarding event is configured similarly to a request forwarding event.

The response statement is used. The dst attribute designates the client entity and the src attribute designates the server entity. For example:

/* Configuration of responses from the "server" entity to the "client" entity when calling the "Ping" method of the "ping_impl" interface implementation of the "ping_comp" component instance. */

response src=server, dst=client, endpoint=ping_comp.ping_impl, method=Ping { grant; }

Security interface query event (security statement)

A query via the security interface is configured by using the security statement. The src attribute must contain the name of the entity that calls the method, and the method attribute must contain the name of the security interface method:

/* When the "sdcard" entity calls the "Register" method of the security interface, an "allowed" decision is always returned. */

security src=sdcard, method=Register { grant; }

A security interface method call differs from other types of configured events in that the entity queries the Kaspersky Security System instead of the kernel. For this reason, the entity receives the "grant" or "deny" decision.

Embedded bindings (match statement)

Match statements let you create "embedded bindings" that inherit attributes of the parent binding statement.

For example:

/* Configuration of requests from the "client" entity to the "server" entity. */

request src=client, dst=server {

/* Configuration of requests from the "client" entity to specific methods of the "server" entity. */

match endpoint=ping_comp.ping_impl, method=Ping { grant; }

match endpoint=ping_comp.ping_impl, method=Pong { grant; }

}

See also "Matrix binding rules (<match-entry>)".

Page top