create_fam_rule

This command creates a FAM rule. Each rule defines a set of conditions, and an action that is taken by Guardium® when the rule matches.

This API is available in Guardium V10.1.4 and later.

REST API syntax

This API is available as a REST service with the POST method. Call this API as follows:
POST https://[Guardium hostname or IP address]:8443/restAPI/famPolicyRule

GuardAPI syntax

create_fam_rule parameter=value

Parameters

Parameter Value type Description
actionName String Required. The action taken when the rule criteria are met. Valid values:
  • Alert and audit: Send an alert directly generated from the sniffer with specific behavior, and log the event.
  • Audit only: Log the event in GDM tables
  • Block, log violation, and audit: Block access to the object, log a policy violation, and log the event. A blocking action requires an alert configuration as well.
  • Ignore: No action taken.
  • Log as violation and audit: Log this as a policy violation and log the event.
alertReceiver String Recipient of the alert: any user of the appliance, for example admin.
classDestination String Name of the custom class to be invoked. For valid values, call create_fam_rule from the command line with --help=true.
command String The command name to be matched. If not specified, all file system commands are counted as a match. For valid values, call create_fam_rule from the command line with --help=true.
commandGroup String Name of the group of commands to be matched. Either commandGroup or commandGroupId must be specified.
commandGroupId Integer ID of the group of commands to be matched. Either commandGroup or commandGroupId must be specified.
filePath String File path to be monitored, or excluded from monitoring. See notfilePath. Either filePath or filePathGroup must be specified.
filePathGroup String Group of file paths to be monitored, or excluded from monitoring. See notfilePath. Either filePath or filePathGroup must be specified.
includeSubDirectory String Required. Whether files in subdirectories are included. Valid values:
  • yes: include files in all subdirectories
  • no: do not include files in subdirectories
messageTemplate String Message template name. For valid values, call create_fam_rule from the command line with --help=true.
notfilePath String Required. Valid values:
  • yes: apply this rule to all files except those in the specified path, either filePath or filePathGroup
  • no: apply this rule to all files in the specified path, either filePath or filePathGroup
notificationType String Notification type. Valid values:
  • MAIL
  • SNMP
  • CUSTOM
  • SYSLOG
notOSUser String Required. Valid values:
  • yes: evaluate this FAM rule for all users except the specified osUser or osUserGroup.
  • no: evaluate this FAM rule for all users.
osUser String The OS user to whom this rule applies. If neither osUser nor osUserGroup is specified, the rule applies to all users (except root).
osUserGroup String The group of OS user names to whom this rule applies. If neither osUser nor osUserGroup is specified, the rule applies to all users (except root).
policyName String Required. Name of policy to which this rule is added. For valid values, call create_fam_rule from the command line with --help=true.
removableMedia String Required. Include removable media when evaluating criteria. Valid values:
  • yes
  • no
ruleName String Required. A unique rule name.
serverHost String Host name to monitor. Use x.x.x.x to monitor all servers. Either serverHost or serverHostGroup must be specified.
serverHostGroup String Guardium group of server hostnames to monitor. Either serverHost or serverHostGroup must be specified.

Examples

grdapi create_fam_rule policyName=policy1 ruleName=rule1 serverHost="x.x.x.x" filePath="/famtest/*" command="DELETE" actionName="Alert and Audit" notificationType="SYSLOG"
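The GuardAPI example above, recast as a REST request with the constraints from the parameter table checked client-side before anything is sent. This is an added example, not IBM's own client code. It assumes that the REST endpoint accepts the GuardAPI parameter names as JSON keys and an OAuth bearer token in the Authorization header (both assumptions to confirm against your appliance), and the hostname, policy name and rule name are placeholders. The page's example omits the yes/no parameters the table marks Required, so the constructed rule below supplies them; enumerated values are compared case-insensitively because the example writes "Alert and Audit" while the table lists "Alert and audit".

```python
"""Validate and build a create_fam_rule REST request (added example, not IBM code)."""
import json
import urllib.request

FAM_RULE_PATH = "/restAPI/famPolicyRule"

# Valid values exactly as the parameter table lists them.
ACTION_NAMES = {
    "Alert and audit",
    "Audit only",
    "Block, log violation, and audit",
    "Ignore",
    "Log as violation and audit",
}
YES_NO = {"yes", "no"}
NOTIFICATION_TYPES = {"MAIL", "SNMP", "CUSTOM", "SYSLOG"}

REQUIRED = ("actionName", "includeSubDirectory", "notfilePath", "notOSUser",
            "policyName", "removableMedia", "ruleName")
# "Either X or Y must be specified": exactly one of each pair.
ONE_OF = (("filePath", "filePathGroup"), ("serverHost", "serverHostGroup"))
# commandGroup/commandGroupId is documented the same way, but the page's own
# example uses `command` instead, so here the pair is optional and only
# rejected when both are given (assumption).
EXCLUSIVE = (("commandGroup", "commandGroupId"),)
ENUMS = {
    "actionName": ACTION_NAMES,
    "includeSubDirectory": YES_NO,
    "notfilePath": YES_NO,
    "notOSUser": YES_NO,
    "removableMedia": YES_NO,
    "notificationType": NOTIFICATION_TYPES,
}

# Constructed from the page's example, plus the Required yes/no parameters.
EXAMPLE_RULE = {
    "policyName": "policy1",
    "ruleName": "rule1",
    "serverHost": "x.x.x.x",
    "filePath": "/famtest/*",
    "command": "DELETE",
    "actionName": "Alert and Audit",
    "notificationType": "SYSLOG",
    "includeSubDirectory": "yes",
    "notfilePath": "no",
    "notOSUser": "no",
    "removableMedia": "no",
}


def validate_fam_rule(params: dict) -> list:
    """Return a list of problems; an empty list means the parameter set is consistent."""
    problems = []
    for name in REQUIRED:
        if not params.get(name):
            problems.append(f"missing required parameter {name}")
    for a, b in ONE_OF:
        if bool(params.get(a)) == bool(params.get(b)):
            problems.append(f"exactly one of {a} / {b} must be specified")
    for a, b in EXCLUSIVE:
        if params.get(a) and params.get(b):
            problems.append(f"{a} and {b} are mutually exclusive")
    for name, allowed in ENUMS.items():
        if name in params and str(params[name]).lower() not in {v.lower() for v in allowed}:
            problems.append(f"{name}={params[name]!r} is not one of {sorted(allowed)}")
    # The table says a blocking action "requires an alert configuration as well";
    # this example reads that as notificationType plus alertReceiver (assumption).
    if str(params.get("actionName", "")).lower() == "block, log violation, and audit":
        if not (params.get("notificationType") and params.get("alertReceiver")):
            problems.append("blocking action requires notificationType and alertReceiver")
    return problems


def build_fam_rule_request(host: str, params: dict) -> tuple:
    """Return (url, json_body) for the POST, or raise ValueError listing the problems."""
    problems = validate_fam_rule(params)
    if problems:
        raise ValueError("; ".join(problems))
    return f"https://{host}:8443{FAM_RULE_PATH}", json.dumps(params, sort_keys=True)


def send_fam_rule(host: str, token: str, params: dict, opener=urllib.request.urlopen):
    """POST the rule; needs network access and a valid token, so it is not run offline."""
    url, body = build_fam_rule_request(host, params)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    with opener(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    url, body = build_fam_rule_request("guardium.example.internal", EXAMPLE_RULE)
    print(url)
    print(body)
```

Running the validator before the call turns a rejected request on the appliance into a local error message that names the offending parameter, which is cheaper to diagnose than a generic REST failure; the send step is kept separate so the validation can be unit-tested without a live appliance.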