2011-10-06 11:23 AM
I followed the knowledge base on fpolicy, but I'm not sure if I'm doing it correctly. I am attempting to block an .ini file from writing to the homedirs of users. My question is: is fpolicy a built-in feature of ONTAP, or does it require a third-party app or server like a virus scanner to work?
Any pointers will be great.
2011-10-17 01:20 PM
It does work - the basic Fpolicy can (at least could in previous DOT versions) do what you're describing - block a file type by extension. Third-party tools are required when you need to go beyond the basic file extension exclusions and do content review.
Here's an example that I used (maybe DOT7.2.x) - use at your own risk....
fpolicy create mp3blocker screen
fpolicy ext inc add mp3blocker mp3 (or a list, e.g. mp3,mp4,avi,mpeg)
fpolicy options mp3blocker required on
fpolicy monitor set mp3blocker -p cifs,nfs create,rename
fpolicy enable mp3blocker -f
fpolicy vol inc add mp3blocker vol0,vol1,vol2 (use "vol exc add" instead to exclude volumes)
2011-10-20 04:48 AM
Easiest way would just be to test it. The example above is designed to block *.mp3 files from being created or renamed on vol0, vol1 and vol2. To test, create a volume, apply the fpolicy to it and then attempt to create or rename a blocked file type on it.
One thing to note, in your case, if the home directories already contain the INI file that you're attempting to block, the 'create/rename' monitors won't help you (the file already exists and the programs could call it without renaming) - you'll need to restrict even being able to access ini files.
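Added example (not from any of the posters above): a small POSIX shell probe that runs the three checks this thread describes against a mounted test volume - create a file with the blocked extension, rename an allowed file to that extension, and read a file with that extension that was already on the volume before the policy was enabled. The mount point, the extension and the name existing.<ext> are assumptions.

```shell
#!/bin/sh
# try_op <label> <command...>
# Prints "<label>: allowed" if the command succeeds, "<label>: blocked" if it fails.
try_op() {
  label=$1; shift
  if "$@" >/dev/null 2>&1; then
    echo "$label: allowed"
  else
    echo "$label: blocked"
  fi
}

# fpolicy_probe <mountpoint> <extension>
# <mountpoint> is an NFS/CIFS mount of the volume the policy is applied to (assumption).
# Returns 0 when the probe could run, 1 when the scratch directory cannot be created.
fpolicy_probe() {
  mnt=$1; ext=$2
  dir="$mnt/fpolicy_probe.$$"
  mkdir -p "$dir" || return 1

  # 1. create: a create-monitoring screen should refuse this
  try_op "create .$ext" touch "$dir/new.$ext"

  # 2. rename: an allowed file renamed to the blocked extension
  touch "$dir/plain.txt"
  try_op "rename to .$ext" mv "$dir/plain.txt" "$dir/renamed.$ext"

  # 3. pre-existing file: create/rename monitors do not stop reads of a file
  #    that was already there; place existing.<ext> on the volume before
  #    enabling the policy to exercise this case (constructed name, assumption)
  if [ -f "$mnt/existing.$ext" ]; then
    try_op "read existing .$ext" cat "$mnt/existing.$ext"
  else
    echo "read existing .$ext: skipped (no $mnt/existing.$ext present)"
  fi

  rm -rf "$dir"
  return 0
}
```

On a volume with the screen working, the first two lines should report "blocked"; if the third reports "allowed", the existing files still need handling, as noted above.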