This page is a work-in-progress conversion of our existing Best Practices and Signature Creation document.
User Defined Rules (UDR) controls must never perform a remediation action. Every remediation we perform has to be reversible, and the tool is not currently able to parse arbitrary commands to build a rollback file for them; because a UDR control runs arbitrary commands, there is no way to guarantee that rollback. For that reason UDR controls are used almost exclusively for read-only checks: custom regex matches and find commands.
UDR controls are the most configurable of our signature types. Other control types allow very little piping or redirection; a UDR control, by using the <Applied> field together with ‘echo’ or ‘stat’ {SIG_WHERE}, can chain as many as three separate actions, including a pipe in the <Where> field. Every stage of that chain must still be read-only, since none of it can be rolled back.
Here is a collection of commands that can be run, though not necessarily within UDR controls. Only the ones that merely read state (for example find, grep, stat, test) are appropriate for a UDR control; anything that can change the system belongs in a control type that generates a rollback file:
"find", "sed", "grep", "cat", "tr", "awk", "stat", "echo", "which", "ps", "gawk", "test", "uniq", "lsmod", "systemctl", "authconfig.py", "semanage", "yum", "df", "ip", "iptables", "xtables-multi", "firewall-cmd"
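As an added example (not part of the original document and not code from the tool itself), the shell functions below show the shape of a read-only check of the kind a UDR control should run: a find command that flags world-writable files, and a regex match against a config file. They only inspect the filesystem, so there is nothing that would ever need a rollback file. The function names and the sample directory tree they are run against are assumptions made for this example.

```shell
#!/bin/sh
# Added example of read-only, UDR-style checks. Nothing here modifies the
# system under test; the only writes happen in setup_sample(), which builds a
# constructed scratch tree so the example can run offline.

# udr_check_world_writable DIR
#   Return 0 if no world-writable regular file exists under DIR, 1 otherwise.
#   Offending paths are listed (ls -l style) on stdout as the finding report.
udr_check_world_writable() {
    dir=$1
    # -perm -0002 matches files with the "other write" bit set; the octal
    # form is POSIX-portable, unlike -perm /o+w.
    hits=$(find "$dir" -type f -perm -0002 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        # ls -l is used for the report because stat's flags differ between
        # GNU (-c) and BSD (-f) implementations.
        ls -l "$f"
    done
    return 1
}

# udr_check_regex FILE PATTERN
#   Return 0 if FILE contains a line matching extended regex PATTERN, 1 otherwise.
#   grep -q reads the file and prints nothing, so the check stays side-effect free.
udr_check_regex() {
    grep -Eq -- "$2" "$1"
}

# setup_sample
#   Build a constructed scratch tree (an assumption for this example, not a
#   real host layout) and print its root directory.
setup_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$root/etc/sshd_config"
    printf 'junk\n' > "$root/etc/loose.conf"
    chmod 0644 "$root/etc/sshd_config"
    chmod 0666 "$root/etc/loose.conf"    # deliberately world-writable
    printf '%s\n' "$root"
}

# Run with "--demo" to see both checks against the sample tree.
if [ "${1:-}" = "--demo" ]; then
    root=$(setup_sample)
    if udr_check_regex "$root/etc/sshd_config" '^PermitRootLogin[[:space:]]+no$'; then
        echo "PASS: PermitRootLogin is disabled"
    else
        echo "FAIL: PermitRootLogin is not disabled"
    fi
    if udr_check_world_writable "$root"; then
        echo "PASS: no world-writable files"
    else
        echo "FAIL: world-writable files found (listed above)"
    fi
    rm -rf "$root"
fi
```

Both functions report through their exit status and stdout only; the caller (here, the demo block) decides what to do with a failure, which is exactly the division of labour a UDR control needs, since the control itself must not attempt a fix.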