Network and Storage Protocols

Fpolicy- does it work?

joeycitrix
3,064 Views

I followed the knowledge base on fpolicy, but not sure if im doing it correct. i am attempting to block an .ini file from writting to the homedirs of users. my question is, is fpolicy a built-in feature of ontap or does it require a third party app or server like virus scan to work.

any pointers will be great.

thanks

3 REPLIES 3

j_haley
3,065 Views

It does work - the basic Fpolicy can (at least could in previous DOT version) do what you're describing - block a file type by extention. Third party tools are required when you need to go beyond the basic file extention exclusions and do content review.

Here's an example that I used (maybe DOT7.2.x) - use at your own risk....

fpolicycreate mp3blocker screen

fpolicyext inc add mp3 blocker mp3(,mp4,avi,mpeg)

fpolicyoptions mp3blocker required on

fpolicymonitor set mp3blocker –p cifs,nfs create,rename

fpolicyenable mp3blocker –f

fpolicyvol inc (exc) add mp3blocker vol0,vol1,vol2

joeycitrix
3,064 Views

thanks..is there a way to know if the fpolicy is working or not?

j_haley
3,064 Views

Easiest way would just be to test it. Using the example above which is designed to block *.mp3 files from being created or renamed on vol0, vol1 and vol2. To test, create a volume, apply the fpolicy to it and then attempt to create or rename a blocked file type on it.

One thing to note, in your case, if the home directories already contain the INI file that you're attempting to block, the 'create/rename' monitors won't help you (the file already exists and the programs could call it without renaming) - you'll need to restrict even being able to access ini files.

Public