Linux agent detection technology policy scenarios
If a policy uses both supported and unsupported detection technologies, the DLP Agent for Linux applies the DCM and IDM detection rules in exceptions and policies and does not provide any matches for unsupported detection technologies.
The follwing table outlines policy configurations that your organization may be using and states whether detection is applied on Linux endpoints for each.
Policy configuration | Detection applied on Linux endpoints | Description |
|---|---|---|
DCM rule OR EDM or VML rules | DCM rule is applied | If the policy uses keyword matching with EDM index matching (connected by OR expression), the documents that contain the keyword log incidents. However, if the document does not contain the keyword but matches the EDM index, no incident is logged. The EDM index is not applied. |
DCM rule AND EDM or VML rules | No rules are applied | If the policy uses keyword matching with EDM index exact matching (connected by AND expression), the documents that contain the keyword do not log incidents, even if the document matches the EDM index. The EDM index is not applied. |
Exception rule in a policy that contains DCM detection OR Exception rule in a policy that contains EDM, or VML rules | DCM exception is applied | If the policy uses an exception with keyword matching (for example, "sensitive") and uses EDM profile matching (connected by OR expression), the document that contains the "sensitive" keyword is excluded from being monitored. However, if the document does not contain the "sensitive" keyword but matches the EDM index, the document is not excluded from being monitored. In this scenario, only the DCM exception rule is applied. Documents that match the EDM index are not excluded from being monitored. |
Exception rule in a policy that contains DCM detection AND Exception rule in a policy that contains EDM or VML | No exceptions are applied | If the policy uses an exception with keyword matching (for example, "sensitive") and EDM profile matching (connected by AND expression), the document that contains the "sensitive" keyword is excluded from being monitored even if the document matches the EDM index. Documents that match the EDM index are not excluded from being monitored. |
DCM rule AND Exception rule in a policy that contains EDM or VML | DCM rule is applied | If the policy uses keyword matching (for example "sensitive") and uses an EDM profile exception (connected by AND expression), the documents that contain the keyword log incidents. However, the documents that match the EDM index are not excluded from being monitored. |