tCell offers the Local Files feature, which protects the file system from application-level attacks. This runtime application self-protection (RASP) feature provides coverage for, among other things, Local File Inclusion (LFI) attacks, where an attacker can read or write files in a way that was not intended. An example is when files are accessed through directory traversal (
../../..). When a RASP feature such as this is combined with Web Application Firewall (WAF) functionality, like tCell’s WebApp Firewall feature, deeper protection is provided for your system.
This help document will provide an overview of Local Files, the things you should consider when creating policies, and walk you through the process of enabling the feature.
Enabling Local Files will enable you to detect and block applications from writing in unauthorized directories. Local Files works similar to other tCell features - configure an agent to collect application data to create a baseline for expected behavior and then define a policy for permitted activities in your directories.
Before activating Local Files, let’s take a closer look at:
Local Files only works for application server agents and relies on language-specific controls. For example, an agent can equip relevant file classes in Java to monitor and control what the application does with the file system.
The policy tells the agent which directories can be accessed by the application. Like most tCell policies, this policy is an allowlist, so you define the directories where the application can read and write. Directory allowlists also include sub-directories. Access to files that are not in allowlisted directories will result in an event collected by tCell.
Upon application startup, agents will send file access events to tCell. After assessing these events to determine what should be reported and blocked, you can define policies to monitor application behavior.
When an application starts with an agent for the first time, the agent will send a summary of all accessed directories and suggest a policy based on that profile. After a policy is defined, any read or write operation that violates the policy will result in an event that gets sent to tCell. You can inspect these events and update the policy accordingly. To keep the allowlist short, the system will occasionally suggest parent directories (in the Trimmed Paths section) instead of individual sub-directories.
Enable Local Files
To enable the local files feature, do the following:
- Install the agent for your desired application.
- Start the application.
- If you want to observe the application’s read and write access, leave the tCell Local Files policy in Report Only mode.
- After reviewing the application's read and write access to your system, build a read and write access policy.
- After a few days, observe if there are any violations that indicate that the policy needs to be updated.
- When all normal after operations are encapsulated in the policy, turn on Block and Report mode.
Note - Report Only Mode
If you don’t want to block violations, you can keep Report Only mode (Step 3) indefinitely. The benefit is that you can respond to compromises, while ensuring that you don’t block legitimate business operations.
However, one disadvantage of Report Only mode is that you can only stop further compromise by enabling Block and Report mode.
Create a Policy
tCell’s Local Files feature helps security teams protect the file system from unauthorized read and write access. You can create policies to define what access or activities are allowed or not allowed.
The granularity, or level of detail, of the policy are based on:
- The directory
- The type of access: read or write
The policy is a type of allowlist. You will allowlist directories where activities are allowed. Directories in the policy include subdirectories in order to keep policies concise and manageable. For example, policies that permit writing to the
/tmp folder will also apply to the subdirectories such as
Read or Write Access
For every directory in the policy, you can define whether write operations, read operations, or both, are allowed.
In the Local Files dashboard, you will see a short list of directories that the system has identified as candidates to make policies in the Trimmed Paths section. As a user, you can accept and save these directories to create a policy. If you want to see the full list, you can view the All Paths tab, or customize further in the policy page.
Update and Maintain Your Policy
After making a policy, any read or write operation that is not allowed will result in events for each violation.
These violations can be viewed through the dashboard and analyzed using the event viewer. From these two views, you can determine if the read or write accesses are valid and acceptable. If violations are valid, you can go to the configuration page to add them to your policy.
To configure your policy:
- Click on Local Files in the left navigation to go to the "Local Files" dashboard.
- Check the box next to any suggested path you want to allowlist. You can select multiple paths.
- Click the Allowlist button.
- Deploy policy.
Report Only and Block Modes
By default, Report Only mode is enabled so you can see policy violations and update the policy as-needed, while minimizing any impact to the application. After stakeholders are comfortable that the policy represents what an application should or should not do, you can enable Block and Report mode. This means that any attempt to access files that violate the allowlist will be blocked by tCell, and an event will be sent to tCell that contain the details of the incident.
Here are some known limitations of the Local File Inclusion feature.
.NET and .NET Core Agents
The Local Files feature may conflict with some monitoring tools on the .NET and .NET core platform. If you're running any of these tools along with .NET or .NET Core agents, you need to uninstall or disable them before installing or configuring the optional profiler for the tCell Agent on that platform. You can use command injection to uninstall or disable .NET Applications.
The Node agent does not have access to HTTP request information during Local Files instrumentation. You can only filter by the following properties that are not associated with the HTTP request:
- Rule Id
- File Path
- Dir Type
- File Type
- Path Style
- File Exists?