iQCloud - Whitelist Usage


Whitelist Usage

During default usage of the appliance all remotely executed commands are hard coded and do not attempt to run anything outside of the scope of system information retrieval. However, through the signatures, we do expose the possibility of running arbitrary commands. To ensure that only system commands that are safe within the scope of the client's security policy are executed, we provide a whitelist system. This allows an appliance administrator to define a whitelist of acceptable commands that may be executed, whether they originate from the internal commands or from signatures.

Commands are verified against a set of whitelist and blacklist regular expressions contained within ./conf/Whitelist/whitelist.txt.

Different connector endpoints are grouped into categories within the file so that conflicts will not arise between different groups.

  • Windows - Execution of remote Windows console commands (dir, type, reg, etc.).
  • Unix - Execution of remote Unix commands via SSH (ls, cat, rm, etc.).
  • Registry - Reading of Windows registry keys.
  • WMI - Remote queries of WMI classes.
  • SMB - Retrieval of files from SMB shares.
  • JDBC - Execution of SQL queries via JDBC connections.

Internally the verifier first checks whether a command matches a whitelist entry. Only if a match is found is the blacklist then checked. This allows for a broad whitelist entry refined by a narrower blacklist, without an undue increase in the number of entries in both lists.

Example Config

#Windows Commands
+windows:.*
-windows:del .*

#Unix Commands
+unix:.*
-unix:rm -rf.*

#Registry
+reg:.*

#WMI Commands
+wmi:.*

#SMB Paths
+smb:.*

#JDBC Commands
+jdbc:select.*
-jdbc:drop table.*
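The check described above (whitelist match first, then blacklist refinement), applied to the whitelist.txt format shown in the example config, as an added illustration rather than the appliance's own code. The Verifier class, the file name SAMPLE_WHITELIST and the use of case-sensitive full-string regex matching are assumptions of this example; the actual appliance may anchor or case-fold patterns differently.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the whitelist.txt format shown on this page:
# '+category:regex' allows, '-category:regex' denies, '#' starts a comment.
SAMPLE_WHITELIST = """\
#Windows Commands
+windows:.*
-windows:del .*

#Unix Commands
+unix:.*
-unix:rm -rf.*

#JDBC Commands
+jdbc:select.*
-jdbc:drop table.*
"""


@dataclass
class Verifier:
    # category -> list of compiled patterns (hypothetical layout, not the appliance's)
    whitelist: dict = field(default_factory=dict)
    blacklist: dict = field(default_factory=dict)

    @classmethod
    def from_text(cls, text):
        v = cls()
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            sign, body = line[0], line[1:]
            if sign not in "+-" or ":" not in body:
                raise ValueError(f"line {lineno}: expected +category:regex or -category:regex")
            category, pattern = body.split(":", 1)  # pattern itself may contain ':'
            target = v.whitelist if sign == "+" else v.blacklist
            target.setdefault(category.lower(), []).append(re.compile(pattern))
        return v

    def is_allowed(self, category, command):
        category = category.lower()
        # Step 1: a command with no whitelist match is rejected outright,
        # so a category that is absent from the file denies everything.
        if not any(r.fullmatch(command) for r in self.whitelist.get(category, [])):
            return False
        # Step 2: the blacklist refines the broad whitelist entry.
        return not any(r.fullmatch(command) for r in self.blacklist.get(category, []))
```

Because the patterns are matched exactly as written, `+jdbc:select.*` admits only lowercase `select` statements under these assumptions; an administrator should confirm how the appliance handles case and anchoring before relying on a single blacklist entry.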