Policies allow you to define desired configuration state. For a given node, you may want to ensure that particular roles and features are installed, that certain environment variables are set, and that configuration files are consistent. Policies give you accountability for your configuration.

Creating a Policy

 

To create a policy from a node scan, right click on the item you want to add to the policy. In the right click menu, select “Add to Policy.” The next step is to select which node group the policy should validate. (Policies are always applied to node groups to ensure consistency in testing and avoid manual errors of policies missing from individual nodes.) After selecting the group you can choose to create a new policy or add to an existing policy on that group.


To make it easy to create policies quickly, you can add anything on the scan visualization to a policy: configuration items (the squares), types (for example, Packages or Files), or everything on the screen using the “root” element (the circle in the top left). The root is most useful in conjunction with the search bar, which can be used to filter the scan visualization. For example, you can search for items supporting a particular application or utility and add them all to a policy with the root.

You might want to validate items that are not part of the default scan. In that case, you need to add those items as scan options and then build the policy against those items.

Editing a Policy

When you create a policy from a scan, all the items will be passing because the expected and actual values are identical. As you update your configuration state, however, your policies need to change to stay current. When you click on an item you will see the policy in the flyout on the right. From there you can click “edit” and modify the policy checks. All checks created from node scans are exact matches by default, but here you can change them to include, exclude, regular expression, or XPath. You can also remove attribute checks from the policy. For example, you might want to check that a log file exists but remove the checksum test because it is always changing.

Creating an SSL Certificate Expiry Check

Attributes with time-based values (such as an SSL certificate expiry date) can be checked in a policy so that a warning is generated when a certificate is about to expire.

  1. Navigate to the node detail page for your website node and expand the “Web” configuration section. Then expand the “SSL” section.


  2. Right-click on the “Expires” configuration item with the date of your certificate’s expiration and click Add to Policy. Select the relevant node group and click New Policy. This check can also be added to an existing policy if present.


  3. Give the policy a name.


  4. Once added, click on the attribute (now a green circle) to open the policy check details panel. Then click on the “Value” attribute to expand the check type editor.


  5. Change the “Type of check?” dropdown from Exact Match to Time Comparison. Under “Expected conditions for value” you can enter how far in the future you expect that date to be. If you want 30 days warning, set the operator to > and enter 30 days from now in the text field. Then click Add.


  6. You will see the check added as seen in the red box.


As long as the expiration is more than 30 days in the future, this check will pass. When you get within that window it will start to fail and you will be regularly alerted until the SSL certificate is updated.
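The pass/fail logic described above, sketched as an added example that is not the product's own code or policy format. It goes beyond the certificate case to cover the exact, include, exclude and regular expression check types alongside the time comparison (XPath is left out); the attribute names, the policy structure and the scan values are assumptions constructed for illustration.

```python
import re
import ssl
from datetime import datetime, timedelta, timezone

# Constructed scan result for one node; attribute names are hypothetical.
SCAN = {
    "ssl.expires": "Mar 15 12:00:00 2031 GMT",  # notAfter in OpenSSL text form
    "ssl.issuer": "CN=Example Internal CA",
    "file:/var/log/app.log:exists": "true",
}

# Hypothetical policy: one check per attribute, using the page's check types.
POLICY = [
    {"attribute": "ssl.expires", "type": "time", "expected": 30},  # > 30 days from now
    {"attribute": "ssl.issuer", "type": "regex", "expected": r"^CN=Example "},
    {"attribute": "file:/var/log/app.log:exists", "type": "exact", "expected": "true"},
]

def parse_not_after(value):
    # Convert an OpenSSL-style expiry string to an aware UTC datetime.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def run_check(check, actual, now):
    """Return True when the scanned value satisfies the check."""
    kind, expected = check["type"], check["expected"]
    if actual is None:
        return False  # attribute absent from the scan counts as a failure
    if kind == "exact":
        return actual == expected
    if kind == "include":
        return expected in actual
    if kind == "exclude":
        return expected not in actual
    if kind == "regex":
        return re.search(expected, actual) is not None
    if kind == "time":
        # Strictly more than `expected` days ahead; a malformed date fails closed.
        try:
            return parse_not_after(actual) > now + timedelta(days=expected)
        except ValueError:
            return False
    raise ValueError(f"unknown check type: {kind}")

def evaluate(policy, scan, now=None):
    now = now or datetime.now(timezone.utc)
    return {c["attribute"]: run_check(c, scan.get(c["attribute"]), now) for c in policy}

if __name__ == "__main__":
    for attribute, passed in evaluate(POLICY, SCAN).items():
        print("PASS" if passed else "FAIL", attribute)
```

Because the comparison is strict, a certificate expiring exactly 30 days from the evaluation time already fails, which matches the "more than 30 days in the future" wording above.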