Hello everyone - I used CIS 4, stopped using it for a while then when 5.3 came out I decided to try it out again.
Unfortunately I’m having trouble using file groups with D+ rules. They worked fine for me with CIS 4, but not now. D+ flags them as unrecognized even though I have configured them as trusted as shown below in a D+ rule.
Move the application rule for Cygwin to a place somewhere above the All Applications rule. When the rule for Cygwin, or any other application, is underneath the All Application rule it will follow the default rule set by the All Applications rule. As a consequence even though Cygwin is set to be trusted CIS will not follow that; it will give Cygwin the default rule.
First I made sure they were not sandboxed. I moved them to trusted, added all cygwin programs to the Trusted Files list, then rebooted.
I started a cygwin cli and it ran fine. Then I removed the long list of items from the Trusted Files lists to confirm that the D+ ruleset would function properly. Then things got weird. The only thing D+ flagged was cygwin.bat, everything else worked fine. But running a second session after that, a long list of cygwin executables got sandboxed and became flagged as unrecognized.
BTW, it appears that the problem i’m seeing is not related to the group feature at all. A simple"Treat as Trusted" rule for a single executable also fails to work. For example, if I create a “treat as trusted” rule for /usr/bin/chmod.exe, that does not work either.
If I change the D+ rule to Treat as installer/updater, then D+ does automatically add the individual commands to the Trusted Files list and they work fine with that level of access.
I would really like to see “Treat as Trusted” work to avoid having a long list of programs appear in the “Trusted Files” list.
Are you running the cygwin related executables from a removable or network drive? Then CIS will forget the rules you made after a reboot. That is done because those type of devices are not continuously monitored and therefor unsafe.
If one program in a tree of programs gets sandboxed then all its sibling will get sandboxed as well. I see that cygwin.bat got sandboxed in one of your scenarios. If that gets sandboxed all other executables it will start will get sandboxed as well.
The problem with cygwin seems like it is the same as people have who test programs being ran from a compiler. The only workaround I know is to use the Installation or Updater policy.
Thanks for your help. I think we can close out this thread.
Now that I better understand how sandboxing works in CIS I am okay. It is confusing to have D+ policies that are called “Trusted” that have nothing to do with how the new trust system behaves with sandboxing enabled.
When sandboxing is enabled it seems that D+ rule base permissions don’t apply, with exception for the “installer or updater” setting. With sandboxing enabled, executables must either fall in the trusted list ( can do almost anything category ) or unrecognized/sandboxed list. Corrections to this observation are most welcome.
D+ has a nice feature to “always sandbox” something. I can imagine a use case for “never sandbox” and “never trust” so that D+ rules can be used if desired without completely turning off the sandbox, but those options might over-complicate things.
CIS 5 looks very nice.
It would be awesome if there were a way to add file groups to the Trusted Files list.