Policies allow you to define desired configuration state. By using the Policy Builder, a user can create a policy that monitors all the files retrieved from defined directories.

Use Case for Wildcard Policies

In this guide we demonstrate the use of wildcard policy checks. By default, a policy check refers to a specific CI item, for example Packages > Yum > apache, but a wildcard check can instead match all packages or all files collected in a scan.

Here we work through the use case of making sure that no file picked up in a scan contains a particular password we have recently seen leaked.

Confirming Node Scan Options

To ensure that the right files are collected during a node scan, check that the File and Directory scan option paths are set correctly and that the Contents option is selected for each of them; without Contents, the raw file content used by the check below is not collected.

For more information, please visit our guide on File and Directory Scan Options.

Building the Policy

To build a new policy navigate to Control Policies then click Build Policy.

Give the policy a descriptive name and optionally assign the policy to a node group. Here we’re assigning the policy to the All Nodes node group as we want to check across all nodes where files are scanned. Click Start Building to create a fresh policy skeleton.

You will be brought to the policy builder interface with your new policy loaded. Start by giving the Section a descriptive title, then click Done to create the section.

Under that newly created section, click the ‘+’ button directly nested underneath the title.

For the Type of addition, select Check. For the Type of check, select other. For the CI path, type files and press Enter, then type * and press Enter, then type * and press Enter again. This path, files > * > *, matches every CI item collected under the Files section of a node scan. Click Done to create the check. We have also edited the Description field to be more descriptive than the default.

The right panel should appear with the different types of checks you can run on each matched file. By default, a Present check has been created that confirms the file exists. This kind of attribute check is useful when matching specific files, but with a wildcard path every matched item is by definition a file the scan collected, so here this check would always pass.

You can remove the Present check by clicking the edit button to the right of the check, then scrolling down past the check details to the red trash can. Clicking it asks you to confirm removal of the check; clicking Yes removes it.

To add a check for the leaked password, click Add Attribute Check. For the Attribute Name use raw, which is an alias for the raw content of the file collected during a scan. For the Type of check? select Excludes, and then in the Expected field type the leaked password you want to confirm is not present.

You can optionally add Remediation steps and some Background context in the respective fields. Click Add to create the check.
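To make the semantics of the wildcard path and the raw Excludes check concrete, here is an added example (not the product's own code) that evaluates such a check over a constructed scan result. The scan data model, the check function and the leaked value are assumptions for illustration; it also shows why the default Present check can never fail under a wildcard path.

```python
import fnmatch
from typing import Dict, List, Optional

# Constructed sample of what a node scan might collect under its Files section,
# keyed as directory -> file name -> attributes. This data model is an assumption
# made for the example, not the product's own representation.
SCAN_FILES: Dict[str, Dict[str, Dict[str, str]]] = {
    "/etc/app": {
        "config.ini": {"raw": "db_user=svc\ndb_pass=Winter2023!\n"},
        "README": {"raw": "deployment notes, no secrets\n"},
    },
    "/home/deploy": {".env": {"raw": "API_TOKEN=not-the-leaked-value\n"}},
}

LEAKED_PASSWORD = "Winter2023!"  # constructed placeholder for the leaked value


def path_matches(ci_path: List[str], pattern: List[str]) -> bool:
    """Segment-wise wildcard match: ['files', '*', '*'] covers every file in
    every scanned directory, while ['files', '/etc/app', '*'] narrows the
    check to the files of one directory."""
    if len(ci_path) != len(pattern):
        return False
    return all(fnmatch.fnmatchcase(seg, pat) for seg, pat in zip(ci_path, pattern))


def evaluate_check(scan: Dict[str, Dict[str, Dict[str, str]]], pattern: List[str],
                   attribute: str, check_type: str,
                   expected: Optional[str] = None) -> Dict[str, bool]:
    """Apply one attribute check to every matched CI item and return
    {'files > <directory> > <name>': passed}."""
    results: Dict[str, bool] = {}
    for directory, files in scan.items():
        for name, attrs in files.items():
            ci_path = ["files", directory, name]
            if not path_matches(ci_path, pattern):
                continue
            if check_type == "Present":
                # Items exist only because the scan collected them, so under a
                # wildcard path a Present check cannot fail.
                passed = True
            elif check_type == "Excludes":
                passed = expected not in attrs.get(attribute, "")
            else:
                raise ValueError(f"unsupported check type: {check_type}")
            results[" > ".join(ci_path)] = passed
    return results


if __name__ == "__main__":
    for item, ok in evaluate_check(SCAN_FILES, ["files", "*", "*"],
                                   "raw", "Excludes", LEAKED_PASSWORD).items():
        print(f"{'PASS' if ok else 'FAIL'}  {item}")
```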

Applying the Policy to a Node Group

In this example we already assigned the policy to the All Nodes node group. If you are creating a policy for another context and want to assign it to a different node group, click Add Node Group in the Node Groups panel on the left side.

Viewing the Policy Results

You can view the policy results for the most recent scan of a particular node by navigating to that node via Discover > Monitored and clicking the node's name to open its most recent scan. In the Files section each file is highlighted with a green or red square depending on whether it passes or fails the new check.

What Next?

For other types of checks, please view our guide on Policy Checks.

For more information on interacting with policies via the API, please view our guide on Policies API.