Introducing remediation scripts
Creating Remediation Scripts | Forcepoint DLP | v8.4.x, v8.5.x, v8.6.x
Remediation scripts extend discovery and DLP functionality by allowing administrators to configure how the system responds to specific types of incidents.
Each script can be run by a policy engine, endpoint agent, or management server when an incident is triggered.
Configure remediation scripts in the Data Security module of the Forcepoint Security Manager. Remediation scripts are considered resources, so they are managed from the Main > Policy Management > Resources > Remediation Scripts page (see Remediation scripts in the Forcepoint DLP Administrator Help).
Remediation scripts can be supplied with optional credentials, based on the operating system in which they run:
| | Windows Server Policy Engine | Linux Server Policy Engine | Windows Endpoint | Linux Endpoint |
|---|---|---|---|---|
| With supplied credentials | Impersonate the supplied credentials | Not supported | Impersonate the supplied credentials | Not supported |
| Without supplied credentials | Impersonate the user running the policy engine | Effective UID of root | LocalSystem | Not supported |
Remediation script limitations
Remediation scripts are run after a response has been returned to the agent (Content Gateway, endpoint agent, protector, and so on). This means that remediation scripts cannot be used to alter data in motion.
Remediation scripts do not have access to forensic information (the data that caused the incident).
When there are several action plans configured for the same incident (in other words, when the incident matches multiple rules), all of the configured scripts are run in random order.
On endpoint machines, scripts are run as the local system account. If impersonation is used, the endpoint installation folder is blocked for writing by anti-tampering protections.
Remediation scripts cannot access the desktop. This means that:
1. The script cannot be used to display messages to the user or open desktop applications.
2. If scripting languages or executables generate popup windows (wscript echo, for example) the popups will be hidden and the script will hang.
There is no built-in mechanism to stop scripts that are in a hung state.
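Because nothing stops a hung script and no desktop is available, a script can enforce its own deadline and write results to a file. The following is an added example, not Forcepoint code: run_step, the timeout values and the remediation.log path are assumptions, and how incident details reach the script is not covered here.

```python
import subprocess
import sys
from datetime import datetime, timezone


def _log(log_path, message):
    # No desktop is available, so results go to a file instead of a dialog.
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(f"{datetime.now(timezone.utc).isoformat()} {message}\n")


def run_step(cmd, timeout_s, log_path):
    """Run one remediation step and return (status, exit_code).

    status is "ok", "failed" or "timeout"; exit_code is None when the
    step never produced one.
    """
    try:
        done = subprocess.run(
            cmd,
            stdin=subprocess.DEVNULL,   # a child that prompts reads EOF instead of waiting
            stdout=subprocess.PIPE,     # capture output for the log; nothing is displayed
            stderr=subprocess.STDOUT,
            timeout=timeout_s,          # on expiry run() kills the direct child
        )
    except subprocess.TimeoutExpired:
        _log(log_path, f"timeout after {timeout_s}s, killed: {cmd!r}")
        return ("timeout", None)
    except OSError as exc:              # executable missing or not permitted
        _log(log_path, f"failed to start {cmd!r}: {exc}")
        return ("failed", None)
    status = "ok" if done.returncode == 0 else "failed"
    output = done.stdout.decode(errors="replace").strip()
    _log(log_path, f"{status} rc={done.returncode} {cmd!r} output={output!r}")
    return (status, done.returncode)


if __name__ == "__main__":
    # Constructed steps: one that finishes and one that hangs the way a
    # hidden popup would. Replace with the real remediation commands.
    steps = [
        [sys.executable, "-c", "print('quarantine step finished')"],
        [sys.executable, "-c", "import time; time.sleep(60)"],
    ]
    results = [run_step(step, 5, "remediation.log") for step in steps]
    # Exit non-zero if any step failed or hung, so a failure is recorded in the exit code.
    sys.exit(0 if all(status == "ok" for status, _ in results) else 1)
```

The timeout kills only the direct child process; a step that starts further processes of its own needs to clean those up itself.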
Copyright 2018 Forcepoint. All rights reserved.