Policies allow you to define desired configuration state. For a given node, you may want to ensure that particular roles and features are installed, certain environment variables are set and for configuration files to be consistent. Policies give you accountability for your configuration.

Creating a Policy


To create a policy from a node scan, right-click on the item you want to add to the policy. In the right-click menu, select “Add to Policy.” The next step is to select which node group the policy should validate. (Policies are always applied to node groups to ensure consistency in testing and to avoid the manual error of a policy missing from an individual node.) After selecting the group you can choose to create a new policy or add to an existing policy on that group.

[Screenshot: creating-a-policy-01]

To make it easy to create policies quickly, you can add anything on the scan visualization to a policy: configuration items (the squares), types (for example, Packages or Files), or everything on the screen using the “root” element (the circle in the top left). The root is most useful in conjunction with the search bar, which can be used to filter the scan visualization. For example, you can search for items supporting a particular application or utility and add them all to a policy with the root.

You might want to validate items that are not part of the default scan. In that case, you need to add those items as scan options and then build the policy against those items.

Editing a Policy

When you create a policy from a scan, all the items will be passing because the expected and actual values are identical. As you update your configuration state, however, you need your policies to keep pace with it. When you click on an item you will see the policy in the flyout on the right. From there you can click “edit” and modify the policy checks. All checks created from node scans are exact matches by default, but here you can change them to include, exclude, regular expression, or XPath. You can also remove attribute checks from the policy. For example, you might want to check that a log file exists but remove the checksum test because the checksum is always changing.

Exporting a Policy

You may want to export a policy to view its structure, make changes or import it elsewhere. To do this:

  1. Go to the Policies page of your UpGuard instance. You can do this by clicking Control in the top navigation bar, then clicking Policies.

  2. Locate the policy you want to export and click the dropdown arrow to the right of the policy name (next to the button that says View).

  3. Select Export and you’re good to go: your policy will export as a .json file.

[Screenshot: export-policy-1]

Another way to export policies is to do so from the Policy view itself. For this method:

  1. Navigate to the policy of your choice and click into it.

  2. At the top right, you will see a button that says Edit with a dropdown arrow next to it. Click on that dropdown arrow.

  3. Select Export and you’re done! Your policy will export as a .json file.

[Screenshot: export-policy-2]

Importing a Policy

Policies can be imported from a policy you exported yourself (see Exporting a Policy), from our public repository of policies available here, or from our curated list of policies at the Policy Library. In the wild, policies are stored in JSON format.

To import a policy you first need to build a fresh policy. Navigate to Control > Policies, then click Build Policy.

[Screenshot: control-policies-build-policy]

Enter the name of the policy and (optionally) assign the policy to a node group. You can later assign this policy to multiple node groups. Here we’re importing a policy that checks for certain Windows hotfixes to patch the Meltdown vulnerability and we’re assigning it to the Windows node group to apply it to all Windows nodes.

[Screenshot: build-custom-policy]

Clicking Start Building will create a fresh skeleton of a policy. Next, click the policy drop down to select Import.

[Screenshot: import-policy]

Import the JSON file and click Continue. This imports the checks from the JSON file into the newly created policy.

Creating an SSL Certificate Expiry Check

Attributes with time-based values (such as an SSL certificate expiry date) can be checked for in a policy so that warnings can be generated, alerting users that a certificate is about to expire.

  1. Navigate to the node detail page for your website node and expand the “Web” configuration section. Then expand the “SSL” section.

    [Screenshot: cert-policy-08]

  2. Right-click on the “Expires” configuration item with the date of your certificate’s expiration and click Add to Policy. Select the relevant node group and click New Policy. This check can also be added to an existing policy if present.

    [Screenshot: cert-policy-10]

  3. Give the policy a name.

    [Screenshot: cert-policy-11]

  4. Once added, click on the attribute (now a green circle) to open the policy check details panel. Then click on the “Value” attribute to expand the check type editor.

    [Screenshot: cert-policy-13]

  5. Change the “Type of check?” dropdown from Exact Match to Time Comparison. Under “Expected conditions for value” you can enter how far in the future you expect that date to be. If you want 30 days warning, set the operator to > and enter 30 days from now in the text field. Then click Add.

    [Screenshot: cert-policy-14]

  6. You will see the check added, as highlighted by the red box.

    [Screenshot: cert-policy-15]

As long as the expiration is more than 30 days in the future, this check will pass. When you get within that window it will start to fail and you will be regularly alerted until the SSL certificate is updated.
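As an added example (not UpGuard’s own code), the Python below evaluates the check types described under Editing a Policy (exact match, include, exclude and regular expression; XPath is omitted) together with the time comparison used for the certificate expiry check, against constructed scan attributes. The attribute names, the ISO date format of the “Expires” value and the policy structure are assumptions for the example, not UpGuard’s JSON schema.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed clock so the example is deterministic; UpGuard evaluates
# against the real clock at scan time.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

def check_value(check_type, expected, actual, now=NOW):
    """True when `actual` satisfies one check of the given type
    (exact, include, exclude, regex or time). For 'time', expected is
    (operator, days): the actual date must be <operator> now + days."""
    if check_type == "exact":
        return actual == expected
    if check_type == "include":
        return expected in actual
    if check_type == "exclude":
        return expected not in actual
    if check_type == "regex":
        return re.search(expected, actual) is not None
    if check_type == "time":
        op, days = expected
        when = datetime.fromisoformat(actual)
        if when.tzinfo is None:  # treat naive timestamps as UTC
            when = when.replace(tzinfo=timezone.utc)
        threshold = now + timedelta(days=days)
        if op in (">", "<"):
            return when > threshold if op == ">" else when < threshold
        raise ValueError(f"unsupported operator: {op}")
    raise ValueError(f"unknown check type: {check_type}")

def run_policy(policy, node):
    """Return the names of checks that fail against the scanned node
    attributes; an attribute missing from the scan counts as a failure."""
    return [name for name, (check_type, expected) in policy.items()
            if name not in node
            or not check_value(check_type, expected, node[name])]

# Constructed scan results for a web node (not real UpGuard output).
NODE = {
    "Web/SSL/Expires": "2024-01-20T00:00:00+00:00",  # 19 days away
    "Files//var/log/app.log/exists": "true",
    "Files//var/log/app.log/checksum": "9f2c0ab1",  # changes; left out of policy
    "Packages/openssl/version": "3.0.13",
}
POLICY = {
    "Web/SSL/Expires": ("time", (">", 30)),  # fails: inside 30-day window
    "Files//var/log/app.log/exists": ("exact", "true"),
    "Packages/openssl/version": ("regex", r"^3\.0\.\d+$"),
}
```

Running `run_policy(POLICY, NODE)` reports only the expiry check, because the certificate is inside the 30-day window while the file-exists and version checks pass.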