This is a work in progress of conversion of our existing Best Practices and Signature Creation document.

Firstly, it's important to note that User Defined Rules (UDR) controls are not intended for remediation actions. They are primarily used for custom regex and find commands. A crucial aspect of any remediation process is its reversibility, and the current version of the tool cannot interpret arbitrary commands to generate a rollback file.

UDR controls are the most configurable of our signature types. Unlike the other control types, which restrict piping and redirection, a UDR can combine up to 3 distinct actions: the <Applied> field used together with 'echo' or 'stat' {SIG_WHERE}, plus a pipe in the <Where> field.

Here is a list of commands that can potentially be executed, although not all of them necessarily align with UDR controls:

  1. "find", "sed", "grep", "cat", "tr", "awk", "stat", "echo", "which", "ps", "gawk", "test", "uniq", "lsmod", "systemctl", "authconfig.py", "semanage", "yum", "df", "ip", "iptables", "xtables-multi", "firewall-cmd"
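Added example, not from the original document or from the tool itself: a check-only sequence of the kind a UDR control carries, built solely from commands on the list above (find, grep, stat, echo). It reports but changes nothing, so there is nothing to roll back; the function names and the directory argument are assumptions, and the <Where>/<Applied> wrapper fields are not modelled.

```shell
#!/bin/sh
# Added example (not the tool's own code): three read-only actions combined the way
# a UDR would combine them. Nothing here modifies the system, so no rollback is needed.

# Action 1, <Where>-style with a pipe: list world-writable regular files directly
# under the given directory (numeric -perm mask for portability), sorted for stable output.
udr_find_world_writable() {
    find "$1" -maxdepth 1 -type f -perm -0002 2>/dev/null | sort
}

# Action 2, 'stat': print the octal mode of one file (GNU stat syntax), e.g. 666.
udr_stat_mode() {
    stat -c '%a' "$1"
}

# Action 3, 'echo': summarise as PASS/FAIL so the tool has a fixed string to compare.
# "|| true" keeps grep -c's exit status 1 on zero matches from aborting under set -e.
udr_check() {
    n=$(udr_find_world_writable "$1" | grep -c . || true)
    if [ "$n" -eq 0 ]; then
        echo "PASS: no world-writable files in $1"
    else
        echo "FAIL: $n world-writable file(s) in $1"
    fi
}

# Usage when run directly: ./udr_check.sh /etc
[ -n "$1" ] && udr_check "$1"
```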