CSA - Rules/Tasks to move computers to specific group
I'm trying to set up some more advanced rules and tasks in CSA, and one of my goals was to make a rule/task to move a host to a group "Rootkit detected computers" when it detects an unauthorized rootkit. Can't really find any way to make this in a rule, and I can't find any tasks that are based off of events or event sets.
Any ideas? We're on CSA 5.0 v187, and we should be upgrading to 5.2 within the next week.
Re: CSA - Rules/Tasks to move computers to specific group
I've tried to do the same thing with admins enabling/disabling the client for 'troubleshooting'. A task has to move a system record from one existing group to another. So if the system doesn't already exist in that group, then it can't be moved. The only other thing I could come up with is to monitor for a security posture low/medium/high. Monitor for a dynamic process on boot for any rootkit and set the system to high security level. Assign the rule module for network lockdown on the system state of high security. Also to notify you, monitor for the untrusted rootkit detected rule to be triggered and an email will be sent to you for follow up.