This is a work-in-progress conversion of our existing Best Practices and Signature Creation document.
First, it's important to note that User Defined Rules (UDR) controls are not intended for remediation actions and should never perform one. Therefore, they are used almost exclusively for custom regex and find commands. One of the requirements for any remediation we perform is that we can roll it back, and the tool is not currently able to parse arbitrary commands to build a rollback file for them.
UDR controls are the most configurable of our signature types. Whereas other control types are fairly limited in terms of piping and other redirection, you can chain together as many as 3 separate actions by using the <Applied> field in combination with 'echo' or 'stat' {SIG_WHERE} (including a pipe in the <Where> field).
Here is a list of possible commands that can be run, though not necessarily within UDR controls:
"find", "sed", "grep", "cat", "tr", "awk", "stat", "echo", "which", "ps", "gawk", "test", "uniq", "lsmod", "systemctl", "authconfig.py", "semanage", "yum", "df", "ip", "iptables", "xtables-multi", "firewall-cmd"