Creating Custom File ACL Checks


A file Access Control List (ACL) is a type of access control that is placed upon an individual data file. It determines what access operations can be performed on the file, and by whom. Within VMware vCenter Protect - Configuration Management, you can define a custom File ACL check that specifies what file access permissions certain users should have for a specific file. A custom check is designed to handle the simpler file ACLs; more advanced ACL settings are not currently supported.


File ACLs are typically associated with user groups or security principals. This makes for easier and wider-ranging management of ACLs, with the common user groups or security principals available for multiple machines. This approach is recommended within VMware vCenter Protect - Configuration Management. Use of machine-specific accounts may require scanning on a machine-by-machine basis in order to check for compliance.


During a scan, VMware vCenter Protect - Configuration Management compares the ACL settings for the file on a scanned machine to the settings defined in the custom file ACL check. The file's ACL must match the check exactly in order for the file to be in compliance with the custom check.


You must create a custom file ACL check for each data file you are interested in. You will typically only create custom file ACL checks for those files you deem important for your network security (for example, regedit.exe).


Note: Custom File ACL checks are not currently enforceable. Enforcement may be available in a future release of VMware vCenter Protect - Configuration Management. See Enforcement Overview for more information on enforcement.

  1. To create a new custom File ACL check from scratch, from the Custom Check Wizard click Create New Custom Check.

The following dialog is displayed:

[Figure: CustomCheckWizardOS.gif]

  2. Select the desired operating system levels and then click Next.

Tip: To determine the operating system being used on a particular machine, on the machine's desktop right-click My Computer and then select Properties. The operating system is listed on the General tab.

The General Properties dialog is displayed.

[Figure: CustomCheckFileACL.gif]

  3. Type a unique name for the custom check and a description.

  4. In the Type box select File ACL and then click Next.

The Specific Properties dialog is displayed. For example:

[Figure: CustomCheckWizardSpecificPropertiesFileACL.gif]

  5. In the File Path box, specify the full path name to the file for which you want to create a custom check.

If you don't know the exact location of the file, click Select File to locate it.

Tip: You can use standard Windows environment variables within the path name (for example, %windir% or %systemroot%).

  6. Click Test Check.

This shows the current file permissions for users on the local machine. You can use this as a starting point on the next dialog, where you specify what permissions certain users should have for the file.

Note: The information displayed here is the same information you'll see if you right-click the file within Windows Explorer and then select Properties > Security.

  7. Click Next.

The Operator and Value dialog is displayed.

[Figure: CustomCheckWizardOperatorValueFileACL.gif]

  8. Select an operator.

The only operator currently offered is = (equal to). This means that a scanned machine must match all aspects of this check exactly in order to be found in compliance with the check.

  9. Click Select ACL.

The Permissions dialog is displayed. For example:

[Figure: PermissionsForFileACLs.gif]

Select a user or user group and then specify the file permissions you want assigned to that user or group. Repeat this process for each desired user or group. Use the Add and Remove buttons to control which users and groups are shown in the list.

When you are finished, click OK. The Operator and Value dialog is displayed again, but this time the Affected User box contains a coded representation of the ACL you just specified. Only the ACLs associated with this dialog are implemented in VMware vCenter Protect - Configuration Management.

  10. On the Operator and Value dialog, click Next.

The following dialog is displayed.

[Figure: CustomCheckWizardFinish.gif]

  11. (Optional) If you want to export this custom check to an XML file to use as the starting point for other custom checks, click Export to File.

For more information, see Exporting Custom Checks.

  12. Click Finish.

The custom check is displayed within the policy. For example:

[Figure: SamplePolicyFileACL.gif]
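The comparison a File ACL check performs on a scanned machine (the = (equal to) operator, which demands an exact match between the file's permissions and the ones you specified, with environment variables such as %windir% expanded in the file path) can be reproduced for a single file with the PowerShell script below. This is an added example, not part of VMware vCenter Protect - Configuration Management and not the product's own comparison logic. It assumes a simple ACL as the page describes: each entry is compared only by identity, rights and Allow/Deny type, and inheritance and propagation flags are ignored. The baseline entries are constructed for illustration, and the function names Get-NormalizedAce and Test-FileAclCompliance are this example's own.

```powershell
# Added example (not VMware's code): evaluate a file's DACL against an expected
# baseline the way an "=" File ACL check does. Every baseline entry must be present
# on the file, and the file must carry no entry that is not in the baseline.

function Get-NormalizedAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    # Reduce an ACE to "SID|Rights|Type" so entries can be compared as strings.
    # Identities are translated to SIDs where possible so that
    # "BUILTIN\Administrators" and "Administrators" compare equal.
    $identity = $Rule.IdentityReference
    try {
        $identity = $identity.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        # Unresolvable account (e.g. deleted user): keep the name as written.
    }
    # Inheritance/propagation flags are deliberately not part of the key (simple ACLs only).
    '{0}|{1}|{2}' -f $identity.Value, [int]$Rule.FileSystemRights, $Rule.AccessControlType
}

function Test-FileAclCompliance {
    param(
        # Path as it would be typed into the check's File Path box; may use %windir% etc.
        [Parameter(Mandatory)][string]$Path,
        # Expected ACEs as hashtables, e.g.
        # @{ Identity = 'BUILTIN\Users'; Rights = 'ReadAndExecute'; Type = 'Allow' }
        [Parameter(Mandatory)][hashtable[]]$ExpectedAces
    )

    $resolved = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $resolved)) {
        return [pscustomobject]@{ Path = $resolved; Compliant = $false; Missing = @(); Extra = @(); Reason = 'File not found' }
    }

    # Actual DACL: the same entries Explorer shows under Properties > Security.
    $actual = @((Get-Acl -LiteralPath $resolved).Access | ForEach-Object { Get-NormalizedAce $_ })

    # Build the baseline in the same normalized form.
    $expected = @(foreach ($e in $ExpectedAces) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $e.Identity,
            [System.Security.AccessControl.FileSystemRights]$e.Rights,
            [System.Security.AccessControl.AccessControlType]$e.Type
        Get-NormalizedAce $rule
    })

    $missing = @($expected | Where-Object { $_ -notin $actual })   # required but absent
    $extra   = @($actual   | Where-Object { $_ -notin $expected }) # present but not allowed by the check

    [pscustomobject]@{
        Path      = $resolved
        Compliant = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        Missing   = $missing
        Extra     = $extra
        Reason    = if ($missing.Count -eq 0 -and $extra.Count -eq 0) { 'Exact match' } else { 'ACL differs from baseline' }
    }
}

# Usage with a constructed baseline (adjust to your own policy). On a real system
# regedit.exe typically carries additional entries (for example TrustedInstaller),
# so expect Compliant = False with those entries listed under Extra; that is
# exactly the mismatch an "=" check would report.
$baseline = @(
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl';    Type = 'Allow' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl';    Type = 'Allow' },
    @{ Identity = 'BUILTIN\Users';          Rights = 'ReadAndExecute'; Type = 'Allow' }
)
Test-FileAclCompliance -Path '%windir%\regedit.exe' -ExpectedAces $baseline | Format-List
```

Because the check is an exact match, the Extra list is as important as the Missing list: a single unexpected Allow entry, or the same identity with a broader right than the baseline, is enough to put the file out of compliance. Defining the baseline in terms of built-in groups and well-known SIDs, as the page recommends, is what lets the same comparison be run unchanged across many machines.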