Use Case for Wildcard Policies
In this guide we are going to demonstrate the use of wildcard policy checks. By default a policy check refers to a specific CI item, for example Packages > Yum > apache, but with wildcards you can also match all packages or all files collected within a scan.
Here we are going to work through the use case of making sure no files picked up in a scan contain a particular password we’ve recently seen leaked.
Confirming Node Scans Options
To ensure that the right files are collected during a node scan, make sure the File and Directory scan option paths are set correctly and that the Contents option is selected for each scan option. Without Contents, the raw content of the file is not collected and a content check has nothing to match against.
For more information, please visit our guide on File and Directory Scan Options.
Building the Policy
To build a new policy navigate to Control Policies then click Build Policy.
Give the policy a descriptive name and optionally assign the policy to a node group. Here we’re assigning the policy to the All Nodes node group as we want to check across all nodes where files are scanned. Click Start Building to create a fresh policy skeleton.
You will be brought to the policy builder interface with your new policy loaded. Start by giving the Section a descriptive title and then click Done to create the section.
Under that newly created section, click the ‘+’ button directly nested underneath the title.
For the Type of addition, select Check. For the Type of check, select Other. In the CI path section, type files and press Enter, then type * and press Enter, then type * and press Enter again, giving the path files > * > *. This matches every CI item collected under the Files section of a node scan. Click Done to create the check. Below we have also edited the Description field to be more descriptive than the default.
The right panel should appear with the different types of checks you can run on each matched file. By default a Present check is created, which confirms that the file exists. This kind of attribute check is useful when matching a specific file, but with a wildcard path the check is only ever applied to files that were actually collected in the scan, so by definition it would always pass here.
To remove the Present check, click the edit button to the right of the check, then scroll down past the check details to the red trash can. Clicking it asks you to confirm removal of the check; click Yes to remove it.
To add a check for the leaked password, click Add Attribute Check. For the Attribute Name, enter raw, which is an alias for the raw content of the file collected during a scan. For the Type of check, select Excludes, and in the Expected field type the leaked password you want to confirm does not appear in any collected file. Bear in mind that the password you type here becomes part of the policy definition, so restrict who can view and edit the policy accordingly.
You can optionally add a set of Remediation steps and some context in the Background fields, respectively. Click Add to create the check.
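To make the semantics of the check concrete, here is an added Python model of what the policy built above does. It is written for this guide and is not the product's own code or API. It assumes that CI paths can be treated as tuples of segments so that files > * > * can be matched segment by segment, it uses a constructed sample scan, and it assumes Excludes is a literal substring match on the raw attribute; names such as AttributeCheck, apply_policy and SAMPLE_SCAN are invented for the illustration.

```python
"""Model of a wildcard policy check with an Excludes attribute check.

Added illustration of the semantics described in the guide, not the product's
own code or API. CI paths are modelled as tuples of segments, e.g.
("files", "/etc", "app.conf"), so the wildcard path files > * > * can be
matched one segment at a time. All names and data here are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample node scan: CI path -> collected attributes. The "raw"
# attribute stands in for the file content the Contents scan option collects.
SAMPLE_SCAN = {
    ("files", "/etc", "app.conf"): {
        "present": True,
        "raw": "db_user=app\ndb_pass=Winter2023!\n",
    },
    ("files", "/etc/ssh", "sshd_config"): {
        "present": True,
        "raw": "PermitRootLogin no\nPasswordAuthentication no\n",
    },
    ("files", "/home/deploy", ".env"): {
        "present": True,
        "raw": "API_KEY=abc123\nPASSWORD=Winter2023!\n",
    },
    # Not under Files, so a files > * > * path must never touch it.
    ("packages", "yum", "apache"): {"present": True, "version": "2.4.6"},
}


@dataclass(frozen=True)
class AttributeCheck:
    """One attribute check: 'present' or 'excludes' on a named attribute."""
    attribute: str
    check_type: str                  # "present" or "excludes"
    expected: Optional[str] = None   # required for "excludes"


def ci_path_matches(pattern: tuple, path: tuple) -> bool:
    """Segment-wise match; '*' matches any single segment."""
    if len(pattern) != len(path):
        return False
    return all(p == "*" or p == seg for p, seg in zip(pattern, path))


def evaluate_check(check: AttributeCheck, attrs: dict) -> bool:
    """Return True when the CI item passes the check."""
    if check.check_type == "present":
        return bool(attrs.get("present", False))
    if check.check_type == "excludes":
        if check.expected is None:
            raise ValueError("excludes check needs an expected value")
        # Assumed literal substring semantics for Excludes.
        return check.expected not in str(attrs.get(check.attribute, ""))
    raise ValueError(f"unknown check type {check.check_type!r}")


def apply_policy(pattern: tuple, checks: list, scan: dict) -> dict:
    """Apply every check to each CI item whose path matches the pattern.

    Returns {ci_path: passed}. Items whose path does not match are absent,
    which is why a Present check under a wildcard path can never fail: only
    items that were actually collected are ever evaluated.
    """
    return {
        path: all(evaluate_check(c, attrs) for c in checks)
        for path, attrs in scan.items()
        if ci_path_matches(pattern, path)
    }


def failing_files(pattern: tuple, checks: list, scan: dict) -> list:
    """Sorted CI paths that fail at least one check."""
    return sorted(p for p, ok in apply_policy(pattern, checks, scan).items() if not ok)


if __name__ == "__main__":
    leaked = AttributeCheck("raw", "excludes", "Winter2023!")
    for path, ok in apply_policy(("files", "*", "*"), [leaked], SAMPLE_SCAN).items():
        print("PASS" if ok else "FAIL", " > ".join(path))
```

Running the block prints one PASS or FAIL line per collected file; the two files containing the constructed leaked password fail and the package item is never evaluated. Swapping the Excludes check for a Present check makes every matched file pass, which is the behaviour the guide removes.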
Applying the Policy to a Node Group
In this example, we already assigned the policy to the All Nodes node group, but if you are creating a policy for another context and want to assign the newly created policy to another node group, click Add Node Group in the Node Groups panel on the left side.
Viewing the Policy Results
You can view the policy results for the most recent node scan of a particular node by navigating to that node via Discover > Monitored and clicking on the name of the node to view its most recent scan. The Files section should be highlighted with green or red squares depending on whether each file passes or fails the new check.
Even though you can view this policy applied to a node's most recent scan, the results will not be populated into a Policy Result on the Policy Report page until the next scan runs on that node. That is, policies are applied to nodes after each scan is run; this application generates timestamped policy results associated with that scan, which are available on the Policy Report page.
For other types of checks, please view our guide on Policy Checks.
For more information on interacting with policies via the API, please view our guide on Policies API.