prevention_policy_linux

This resource allows you to manage prevention policies for Linux hosts. Prevention policies allow you to manage what activity will trigger detections and preventions on your hosts.

The following API scopes are required:

  • Prevention policies: READ
  • Prevention policies: WRITE

Example usage:

terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-2"
}

resource "crowdstrike_prevention_policy_linux" "example" {
  name            = "example_prevention_policy"
  enabled         = true
  description     = "made with terraform"
  host_groups     = []
  ioa_rule_groups = []
  cloud_anti_malware = {
    "detection"  = "MODERATE"
    "prevention" = "CAUTIOUS"
  }
  sensor_anti_malware = {
    "detection"  = "MODERATE"
    "prevention" = "CAUTIOUS"
  }
  quarantine                                   = true
  custom_blocking                              = true
  prevent_suspicious_processes                 = true
  script_based_execution_monitoring            = true
  upload_unknown_executables                   = true
  upload_unknown_detection_related_executables = true
  drift_prevention                             = true
  email_protocol_visibility                    = true
  filesystem_visibility                        = true
  ftp_visibility                               = true
  http_visibility                              = true
  network_visibility                           = true
  tls_visibility                               = true
  sensor_tampering_protection                  = true
  on_write_script_file_visibility              = true
  memory_visibility                            = true
  extended_command_line_visibility             = true
  dbus_visibility                              = true
  enhance_php_visibility                       = true
  enhance_environment_variable_visibility      = true
  suspicious_file_analysis                     = true
  cloud_data_protection_visibility             = true
  ssh_visibility                               = true
  enhance_systemd_visibility                   = true
  php_script_optimization                      = true
}

output "prevention_policy_linux" {
  value = crowdstrike_prevention_policy_linux.example
}

Required:

  • host_groups (Set of String) Host Group ids to attach to the prevention policy.
  • ioa_rule_groups (Set of String) IOA Rule Group ids to attach to the prevention policy.
  • name (String) Name of the prevention policy.

Optional:

  • cloud_anti_malware (Attributes) Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts. (see below for nested schema)
  • cloud_data_protection_visibility (Boolean) Whether to enable the setting. Allows the sensor to monitor and analyze data flows for protection against data breaches and leaks, and to improve data-related detections.
  • custom_blocking (Boolean) Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to “Block” or “Block, hide detection”.
  • dbus_visibility (Boolean) Whether to enable the setting. Allows the sensor to monitor local D-Bus traffic for malicious patterns and improved detections.
  • description (String) Description of the prevention policy.
  • drift_prevention (Boolean) Whether to enable the setting. Block new processes originating from files written in a container. This prevents a container from drifting from its immutable runtime state.
  • email_protocol_visibility (Boolean) Whether to enable the setting. Allows the sensor to monitor SMTP, IMAP, and POP3 traffic for malicious patterns and improved detections.
  • enabled (Boolean) Enable the prevention policy.
  • enhance_environment_variable_visibility (Boolean) Whether to enable the setting. Allows the sensor to monitor an extended set of changes to environment variables in order to enhance visibility.
  • enhance_php_visibility (Boolean) Whether to enable the setting. Allows the sensor to monitor activities performed by PHP scripts to provide additional telemetry and improved detections.
  • enhance_systemd_visibility (Boolean) Whether to enable the setting. This enhancement enables visibility into modifications to systemd services and timers.
  • extended_command_line_visibility (Boolean) Whether to enable the setting. Allows the sensor to monitor full CLI commands that include pipes and redirects. This is applicable only for User mode.
  • filesystem_visibility (Boolean) Whether to enable the setting. Allows the sensor to monitor filesystem activity for additional telemetry and improved detections.
  • ftp_visibility (Boolean) Whether to enable the setting. Allows the sensor to monitor unencrypted FTP traffic for malicious patterns and improved detections.
  • http_visibility (Boolean) Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic for malicious patterns and improved detections.
  • memory_visibility (Boolean) Whether to enable the setting. When enabled, the sensor inspects memory-related operations (mmap, mprotect, ptrace, and reading/writing remote process memory) and produces events for them.
  • network_visibility (Boolean) Whether to enable the setting. Allows the sensor to monitor network activity for additional telemetry and improved detections.
  • on_write_script_file_visibility (Boolean) Whether to enable the setting. Provides improved visibility into various script files being written to disk, and sends a portion of their content to the cloud.
  • php_script_optimization (Boolean) Whether to enable the setting. Mitigates high-volume PHP script execution by handling a script only the first time it is seen by the server.
  • prevent_suspicious_processes (Boolean) Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
  • quarantine (Boolean) Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.
  • retrospective_detections (Boolean) Whether to enable the setting. Uses tagged binaries to automatically create detections for behaviors that occurred within a lookback period.
  • script_based_execution_monitoring (Boolean) Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.
  • sensor_anti_malware (Attributes) For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware. (see below for nested schema)
  • sensor_tampering_protection (Boolean) Whether to enable the setting. Block attempts to tamper with the sensor by protecting critical components and resources. If disabled, the sensor still creates detections for tampering attempts but will not prevent the activity from occurring. Disabling is not recommended.
  • ssh_visibility (Boolean) Whether to enable the setting. Enable monitoring of activities performed by SSH servers.
  • suspicious_file_analysis (Boolean) Whether to enable the setting. Upload suspicious files for advanced threat analysis with QuickScan Pro.
  • tls_visibility (Boolean) Whether to enable the setting. Allows the sensor to monitor TLS traffic for malicious patterns and improved detections.
  • upload_unknown_detection_related_executables (Boolean) Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
  • upload_unknown_executables (Boolean) Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.

Read-Only:

  • id (String) Identifier for the prevention policy.
  • last_updated (String) Timestamp of the last Terraform update of the resource.

Nested schema for cloud_anti_malware

Required:

  • detection (String) Machine learning level for detection.
  • prevention (String) Machine learning level for prevention.

Nested schema for sensor_anti_malware

Required:

  • detection (String) Machine learning level for detection.
  • prevention (String) Machine learning level for prevention.
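As an added example (not part of the provider docs), a small Python guardrail that runs over `terraform show -json` output and flags the two conditions the attribute descriptions above warn about: quarantine enabled while cloud_anti_malware or sensor_anti_malware prevention is below MODERATE, and sensor_tampering_protection disabled. The ordering of the machine-learning levels (DISABLED through EXTRA_AGGRESSIVE) and the sample plan are assumptions constructed for this example.

```python
"""Guardrail for crowdstrike_prevention_policy_linux resources in `terraform show -json`
output. Added example, not part of the provider docs: it flags quarantine enabled with
anti-malware prevention below MODERATE, and sensor_tampering_protection disabled."""
import json

# Assumed ordering of the CrowdStrike machine-learning slider levels, weakest first.
ML_LEVELS = ["DISABLED", "CAUTIOUS", "MODERATE", "AGGRESSIVE", "EXTRA_AGGRESSIVE"]
RESOURCE_TYPE = "crowdstrike_prevention_policy_linux"


def level_at_least(level, floor):
    """True when `level` is at or above `floor`; unknown or missing values count as too weak."""
    return level in ML_LEVELS and ML_LEVELS.index(level) >= ML_LEVELS.index(floor)


def check_policy(values):
    """Return the findings for one resource's planned attribute values."""
    findings = []
    if values.get("quarantine") is True:
        for block in ("cloud_anti_malware", "sensor_anti_malware"):
            level = (values.get(block) or {}).get("prevention")
            if not level_at_least(level, "MODERATE"):
                findings.append(f"quarantine enabled but {block}.prevention is {level!r}; "
                                "docs recommend MODERATE or higher")
    if values.get("sensor_tampering_protection") is False:
        findings.append("sensor_tampering_protection disabled; docs say disabling is not recommended")
    return findings


def check_plan(plan):
    """Map each offending resource address to its findings (plan = parsed `terraform show -json`)."""
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    return {res["address"]: f for res in resources
            if res.get("type") == RESOURCE_TYPE and (f := check_policy(res.get("values", {})))}


# Constructed sample plan: one policy following the docs' recommendations and one that does not.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "crowdstrike_prevention_policy_linux.baseline", "type": RESOURCE_TYPE,
     "values": {"quarantine": True, "sensor_tampering_protection": True,
                "cloud_anti_malware": {"detection": "MODERATE", "prevention": "MODERATE"},
                "sensor_anti_malware": {"detection": "MODERATE", "prevention": "AGGRESSIVE"}}},
    {"address": "crowdstrike_prevention_policy_linux.lab", "type": RESOURCE_TYPE,
     "values": {"quarantine": True, "sensor_tampering_protection": False,
                "cloud_anti_malware": {"detection": "MODERATE", "prevention": "CAUTIOUS"},
                "sensor_anti_malware": {"detection": "MODERATE", "prevention": "MODERATE"}}},
]}}}

if __name__ == "__main__":
    print(json.dumps(check_plan(SAMPLE_PLAN), indent=2))
```

Run it against a real plan with `terraform show -json tfplan | python3 guardrail.py` after swapping SAMPLE_PLAN for `json.load(sys.stdin)`; a non-empty report is the signal to block the apply in CI.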

Import is supported using the following syntax:

# prevention policy can be imported by specifying the policy id.
terraform import crowdstrike_prevention_policy_linux.example 7fb858a949034a0cbca175f660f1e769