Policies allow you to define desired configuration state. This feature allows a user to build a policy from scratch, using custom checks and attributes.

Building a Policy

To create a policy from scratch, navigate to the Policies page through the Control tab. Begin by clicking the “Build Policy” button on the Policies page. Enter the name of the policy and, optionally, the node group to which you want to apply it.


Sections

Policies are made up of sections and checks. Sections provide the organizing hierarchy for checks. After creating your first section, you can then add child sections or start adding checks. If you’re unsure about the organization of your final policy, don’t worry. You can drag and drop sections and checks to rearrange them later on. Creating sections just requires entering the name of the section. Sections can be edited or deleted later by clicking the edit icon next to the section name.


Checks

Checks are where you start getting into the good stuff. First, you define what type of item you want to create a test for. The UpGuard search engine will suggest types that it has found on your node scans. After selecting a type, you will see a menu with the relevant information for that type of item. Again, the UpGuard search engine will suggest items it has detected on your systems. The “provider” field is optional. It can be used to define, for example, a specific package manager. If left empty, it is treated as a wildcard and the check looks for the item with any provider.


Attribute Checks

After defining the item to be checked, you can start creating tests for its attributes. Every item starts with a default check for whether it is Present. The default is true, meaning the item should be there, and it can be changed to false to blacklist the item. To create more specific checks, click “Add Attribute Check.” UpGuard search will suggest attributes and values that have been detected on your systems. You can also freely enter any value, which lets you create a check for something that is not on one of your systems.


Background and Remediation

The “Remediation” field is a suggested field for leaving instructions on what to do if the policy is failing. This field is just text for a human to read, not something that will be executed.

The “Background” field is also an optional text field where the policy author can explain the reason for the check. Filling out remediation and background allows future users to quickly resolve issues on their own.