[DeepGuard] Does DeepGuard's policy supports multiple users?

Options

Hi Dev team,


Good day. I have a question regarding monitoring file access in a scenario where there are two users, Alice and Bob, each with a folder "$HOME/protected".

If I want to monitor any program's read/write operations on this folder, how should I write the rule?

Should it be A or B:

A.

watch prefix "~/protected/" "any" rw

B.

watch prefix "/Users/Alice/protected/" "any" rw

watch prefix "/Users/Bob/protected/" "any" rw


Thank you for your assistance.

Best regards,

Accepted Answer

  • ArthurVal
    ArthurVal Posts: 241 F-Secure Employee
    Answer ✓
    Options

    Hi, @66f2e490!

    Yes. Sorry, I was not clear enough before.

    I would not say it is resolved at runtime but at the moment when rules are loaded by DeepGuard's background service. When DeepGuard performs "rule loading" operation, it enumerates over all existing users that it gets from OpenDirectory and resolves user specific information like home directory.

    This information is then used to analyse incoming events and show prompts.

    I believe it should be enough to reload the ruleset in the DeepGuard Configuration app for DeepGuard to notice a new user and rules to take effect. It will enumerate over all new users and apply rules again.

    1. setup a watch rule: watch prefix "~/protected/" "any" rwc
    2. create a new user in System Settings, here the new user is "Cindy"
    3. Open DeepGuard Configuration app and press Cmd + R key combination to reload the ruleset
    4. open Terminal, switch to root and run the command: $touch /Users/Cindy/protected/1


    One extra note. I was now trying to confirm my understanding of how this flow should work with the latest version of FS Protection and noticed a bug with how DeepGuard treats non-default rulesets. It is supposed to skip F-Secure cloud reputation services when "Classic" and "Strict" are in use. It does not seem to do that in a couple of most recent releases.

    This might collide with some prior expectations. We will address this situation in the next FS Protection release.

    Best regards, Arthur

    Mac R&D Team

Answers

  • 66f2e490
    66f2e490 Posts: 45 Contributor
    Options

    After checking https://help.f-secure.com/product.html?home/safe-mac/latest/en/task_A93F42DAFCAB4DE7A29CA857951D3E25-safe-mac-latest-en, it says:

    This means that any rules that DeepGuard applies to such apps have a system-wide effect.

    So I think this 1-line policy should be suitable for both Alice and Bob, or even more users in the future.

    watch prefix "~/protected/" "any" rw

  • ArthurVal
    ArthurVal Posts: 241 F-Secure Employee
    Options

    Hi, @66f2e490!

    Yes. That is correct. "~" sign will be expanded to the user name and will cover both users.

    Let's say that both users are logged in to the system. When an event matching the criteria is caught by DeepGuard, both users will the access prompt and will have a chance to make a decision that will be applied globally. So events for both paths "/Users/Alice/protected/" and "/Users/Bob/protected/" will trigger an access prompt.

    If there is a need to create a rule that is specific to a certain user path, I would advise to specify the user name in the path. So for example, a rule for path "/Users/Bob/protected/" will only get triggered for that path alone. An event for path "/Users/Alice/protected/" will not trigger that rule.

    But this will not prevent several logged-in users to receive an access prompt for an event with path "/Users/Bob/protected/". So the rules have global effect. In that sense it is currently not possible to create a rule that will show an access prompt only for one user. The rule effect can be narrowed down by specifying the full path.


    I hope that makes sense. 😃

    Best regards, Arthur

    Mac R&D Team

  • 66f2e490
    66f2e490 Posts: 45 Contributor
    Options

    Hi @ArthurVal , thank you for the detailed reply!


    So the "~" sign will be expanded to all existing user's $HOME in the runtime, right? According to my tests, DG will only expand "~" to a new user after a login / logout.


    Testing this case with the following process:

    (Login as Alice)

    1. setup a watch rule: watch prefix "~/protected/" "any" rwc
    2. create a new user in System Settings, here the new user is "Cindy"
    3. open Terminal, switch to root and run the command: $touch /Users/Cindy/protected/1

    At this time, DG does NOT expand the "~" sign to new user "Cindy". The file was created with no DG pop-up.

    But when I logout and login as Alice again, the command "$touch /Users/cindy/protected/1" will trigger the DG pop-up successfully.

    So I'm a little curious if I need to log out or reboot the system to let DeepGuard detect any new users, and then DG will further extend the "~" sign to all users?

    Best regards