Inclusion and exclusion rule types

Audit and Remediation provides the following types of inclusion and exclusion rules configuring a file rule:

  • A file-type rule applies to the file name path and contains neither a “/” or a “\”.
  • A relative-type rule applies to the relative path and can contain a “/” for UNIX and a “\” for Windows, and is not fully qualified.
  • An absolute-type rule applies to the absolute path. In UNIX, an absolute path begins with a “/”. In Windows, an absolute path begins with a volume letter that is followed by “:\” and is fully qualified, such as “C:\”, “d:\”, “f:\”, and so on. If you use a “/” (forward slash) for Windows paths, Audit and Remediation will convert it to a “\” (backslash) to use it as a valid path.
  • Environment variable and custom attribute parameterization for filenames and path. For more information, see Parameterizing filenames for SA/custom attributes.

Audit and Remediation processes all exclusion rules first. After all exclusion rules are applied, then the inclusion rules are applied. The default for include is to include all objects in the file system. In many cases, inclusion rules might not even be processed because, combined with the exclusion rules (which occur first), they might become a moot point.

You can also use the asterisk (*) and the question mark (?) as valid wildcards in inclusion and exclusion rules. The wildcard character is a placeholder for matching a path, or one or more characters.

Depending on the type of inclusion and exclusion rule, the rule is applied only to the relevant subset of the absolute path of the file. In Audit and Remediation, there is one top level for each snapshot or audit. Each file that you compare against the inclusion and exclusion rules has an absolute path. In the following figure, the absolute path is /usr/home/abc/defg. A snapshot or an audit looks down the /usr/home/abc/defg absolute path and sees abc/defg as the relative path and defg as the file name. In this example, the inclusion and exclusion rules apply in the following manner:

  • A file-type rule applies to the file name path defg.
  • A relative-type rule applies to the relative path abc/defg.
  • An absolute-type rule applies to the absolute path /usr/home/abc/defg. See the following figure for an illustration of how Audit and Remediation applies the inclusion and exclusion rules to a relative subset of the path of the file.

How Inclusion and Exclusion Rules Apply

To best explain how these rules are applied, the following examples are provided.

A sample file system structure used in Example: Including all .txt files in a snapshot or audit and Example: Including last temp.txt file and exclude all else is as follows:

/dir1/dir2/a

/dir1/dir2/b

/dir1/dir2/names.txt

/dir1/dir2/temp.txt

/dir1/dir2/version1.exe

/dir1/dir2/subdir/version2.exe

Example: Including all .txt files in a snapshot or audit

If you want to include all files with the .txt extension in your snapshot or audit, your inclusion and exclusion rules would be:

  • /dir1/dir2
  • include *.txt (This is a file-type rule.)
  • exclude * (This is a file-type rule.)

The following steps explain how Audit and Remediation iterates through the file structure and applies any corresponding inclusion and exclusion rules:

  1. The * causes /dir1/dir2/a to be excluded. Then *.txt is applied against the file portion of /dir1/dir2/a (a) and there is no match. The file is not included.
  2. The * causes /dir1/dir2/b to be excluded. Then *.txt is applied against the file portion of /dir1/dir2/b (b) and there is no match. The file is not included.
  3. The * matches names.txt, but *.txt matches names.txt as well, which causes the file to be excluded.
  4. Same as step 3.
  5. Compare a to *, which is a match; compare a to a, which is a match. The file is included.
  6. Compare b to *, which is a match; compare b to a which is not a match. The file is excluded.

These step numbers correspond to the paths in the sample file structure, with the numbering starting with the top-level path.

Example: Including last temp.txt file and exclude all else

If you want to include the last temp.txt file and exclude everything else in your snapshot or audit, your inclusion and exclusion rules would be:

  • /dir1/dir2
  • exclude * (This is a file-type rule.)
  • include dir3/temp.txt (This is a relative-type rule.)

The following steps explain how Audit and Remediation iterates through the file structure and applies any corresponding inclusion and exclusion rules:

  1. The * causes /dir1/dir2/a to be excluded. Then *.txt is applied against the file portion of /dir1/dir2/a (a) and there is no match. The file is not included.
  2. The * causes /dir1/dir2/b to be excluded. Then *.txt is applied against the file portion of /dir1/dir2/b (b) and there is no match. The file is not included.
  3. The * matches names.txt, but *.txt matches names.txt as well, which causes the file to be included.
  4. Same as step 3.
  5. dir3/temp.txt is dir3/temp.txt is compared against the relative portion of /dir1/dir2/dir3/temp.txt and there is a match.
  6. Compare a to *, which is a match; compare a to subdir/version2.exe, which is not a match. The file is excluded.

These step numbers correspond to the paths in the sample file structure, with the numbering starting with the top-level path.