Global Policies

The Rules Config tab within the Deployment Firewall page is used to customize rules at a global level. The pre-defined deployment firewall rules listed on this tab can be customized as per your requirement: the severity, action and status of each rule can be changed as needed. Changes made here are reflected across all the applications connected to SSD.

To View the Rules:

Navigate to the Policies tab. The Rules Config page is displayed. The top panel shows the four stages: Source, Build, Artifact and Deploy.

Each stage has a colour bar. Blue indicates the number of enabled rules with the Alert action, red the number of enabled rules with the Prevent action, and grey the number of disabled rules.

Hovering over a stage displays a popup with the respective counts for Active and Prevent, Active and Alert, and Disabled.

The following details of the rules are displayed after the panel:

  • Rule : Displays the name of the rule.

  • Tag : Displays the tags associated with the rule. Tags indicate which security framework the rule complies with. You can also add user-defined tags.

  • Stage : Displays the stage for which the rule is created.

  • Category : Displays the category of the rule.

  • Severity : Displays the severity or impact of the rule, namely Major, Critical or Normal.

  • Action : Displays whether the rule is set to Alert or Prevent. With Alert, a failing rule generates an alert but the deployment proceeds. With Prevent, a failing rule blocks the deployment and also generates an alert.

  • Description : Displays the description of the rule.

  • Status : Displays whether the rule is enabled or disabled. Click the Status toggle to enable or disable the rule. An enabled rule shows a green status button.

To Customize the Rules:

The displayed rules can be customized as per your requirement. The Severity, Action and Status of an individual rule or of a set of rules can be changed.

To customize individual rules

  • Select the rule whose severity, action or status you wish to change.

  • Click the Severity drop down to change the severity of the rule, or the Action drop down to set the rule to Alert or Prevent.

  • Click Save Changes to save the modifications. A popup appears asking where the change should apply.

  • Choose New Applications to apply the change only to applications that are added after the modification is saved. Existing applications keep their current rule settings.

  • Choose Both Existing and New Applications to apply the change to existing applications as well as newly added ones.

  • Click Save Changes. The changes to the rule are saved.

To customize a set of rules

  • Click Bulk Edit.

  • Select the rules you need to modify.

  • Click the Update Action drop down to change the action of the selected rules.

  • Click the Update Status drop down to change the status of the selected rules. Select Enable All to enable them or Disable All to disable them.

  • Click Save Changes to save the modifications. A popup appears asking where the change should apply.

  • Choose New Applications to apply the change only to applications that are added after the modification is saved. Existing applications keep their current rule settings.

  • Choose Both Existing and New Applications to apply the change to existing applications as well as newly added ones.

  • Click Save Changes. The changes to the rules are saved.

To Add Tags:

You can add your own tags to the Tag column.

  • Select the rule to which you want to add a tag.

  • Click in the Tag column next to the existing tags.

  • A popup for adding tags is displayed. Type the tag in the Add a Tag field.

  • Press Enter. The tag is added and a Successfully saved message is displayed.

  • To delete a user-defined tag, click in the same space next to the tags. The popup appears listing the available tags.

  • Click the 'x' next to the tag you want to remove.

  • The tag is deleted and a Successfully unassigned message is displayed.

Only user defined tags can be deleted.

The Severity and Action of a rule can only be changed at the global level. Enabling or disabling individual rules for specific applications and environments is done at the application level. Refer to Application Policies for more details.

The smart search option on this page lets you search the available rules by Action, Severity, Stage, Status, Policy and Tags.

The following example shows how to search for rules by tag.

  • Select Tags from the search drop down. The available tags are listed. Select the checkbox next to the tag whose rules you want to see.

  • The rules associated with the selected tags are displayed.

Sync Policies

The Sync Policies option lets you add user-defined rules to the rule list. Before you can create user-defined rules, you need to integrate a Custom Policy Source in SSD, as described below.

To Integrate Custom Policy Source:

  1. Navigate to Config > Integrations.

  2. In the Others panel, click Custom Policy Source.

  3. The Custom Policy Source integration page is displayed.

  4. Enter the Repo URL & Path and the Token for your custom policy source account.

  5. Click Save. The tool is integrated.

  6. To change the entered values later, click the Edit option.

  7. Enter the new Repo URL & Path and Token and click Update. The new values are saved.

To Create Rules:

Go to the GitHub path that was added to the SSD secret (the Repo URL & Path configured above). Create each rule with the following fields:

  • Rule name: The name of the created rule.

  • Rule Severity: The severity of the rule, namely: Low, Medium, and High.

  • Rule Action: The rule type, Alert or Prevent.

  • Rule Description: A description of the created rule.

  • Variables: The set of system-defined values used to evaluate the policy, for example github_repo_visibility.

  • Rule Stage: The stage in which the rule is applied, namely: Source, Build, Artifact or Deploy.

  • Rule: The rule script, written in Rego.

Rego is the policy language of Open Policy Agent; it is designed to be easy to read and write. See Policy Language for more details.

Once synced (see below), the rule is added to the rule list. You can create any number of rules.

A sample user-defined rule is given below. It fails, raising an Alert, when the GitHub repository is publicly visible, so public repositories are not allowed.

ruleName: Github Repo Visibility Validation Policy
ruleSeverity: Medium
ruleAction: Alert
ruleDescription: Github Repository must not be publicly visible
variables: github_repo_visibility
ruleStage: Source
rule: |
    package opsmx

    # Fail the rule when the repository visibility reported by SSD is "public".
    deny[msg] {
        checkvisibility := input.github_repo_visibility
        checkvisibility == "public"
        msg := "Public repositories are not allowed"
    }

To Access the User-Defined Rules:

The created rules must be synced before they are applied in the deployment stages. Follow the steps below to sync them:

  • Navigate to Deployment Firewall > Rules Config.

  • Click the Sync Policies option present at the top right corner of the Rules Config page.

  • The Sync Policies page is displayed with the list of policies created by the user.

  • Click Sync. The user-defined rules are synced and added to the rule list.

If any field contains an invalid value, the rule cannot be synced and a sync error is shown.

A tag named User Defined Policies is added to the Tags column once the user defined rules are synced. You can search for the rules using this tag option.

User-defined rules can only be edited in the source git repository. Sync the rules again to pick up the changes.
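Because a bad field value only surfaces as a sync error after the file is already committed, it is worth checking the policy locally first. The following is an added example, not OpsMX code and not part of this page: a small Python linter for the policy format shown above. It parses the flat key/value layout (including the rule: | block), checks that Severity, Action and Stage use the values listed under To Create Rules, and cross-checks the variables field against the input.<name> references inside the Rego, which catches the inpu. typo from the original sample. Assumptions, labelled in the code: that package opsmx and a deny rule are required (inferred from the sample, not documented by SSD), and that variables is a comma-separated list. The two policies embedded as sample input are constructed here. The linter does not parse Rego itself; run opa check on the script for that.

```python
"""Pre-sync linter for SSD custom policy files.

Added example for this page; it is not OpsMX code. It checks the fields
listed under "To Create Rules" before the file is committed and synced.
"""
import re

# Field names and allowed values are the ones listed on this page.
REQUIRED_FIELDS = ("ruleName", "ruleSeverity", "ruleAction",
                   "ruleDescription", "variables", "ruleStage", "rule")
SEVERITIES = {"Low", "Medium", "High"}
ACTIONS = {"Alert", "Prevent"}
STAGES = {"Source", "Build", "Artifact", "Deploy"}

# Matches `something.name`; used to find input.<variable> references in Rego.
DOTTED_REF = re.compile(r"\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)")


def parse_policy(text):
    """Parse the flat `key: value` layout from the page, including the
    `rule: |` literal block.  Assumption: one policy per file, no nesting."""
    fields, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        if line[0].isspace() or ":" not in line:
            raise ValueError(f"unexpected line outside a block: {line!r}")
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "|":  # literal block: take the indented lines that follow
            block = []
            while i < len(lines) and (not lines[i].strip() or lines[i][0].isspace()):
                block.append(lines[i])
                i += 1
            indent = min((len(l) - len(l.lstrip()) for l in block if l.strip()), default=0)
            value = "\n".join(l[indent:] for l in block).rstrip() + "\n"
        fields[key] = value
    return fields


def lint_policy(fields):
    """Return a list of problems; an empty list means the rule looks syncable."""
    problems = [f"missing field: {n}" for n in REQUIRED_FIELDS if not fields.get(n, "").strip()]
    if problems:
        return problems
    for name, allowed in (("ruleSeverity", SEVERITIES), ("ruleAction", ACTIONS),
                          ("ruleStage", STAGES)):
        if fields[name] not in allowed:
            problems.append(f"{name}: {fields[name]!r} is not one of {sorted(allowed)}")
    rule = fields["rule"]
    # Assumption: SSD expects the package and a deny rule as in the page's sample.
    if not re.search(r"^package opsmx\s*$", rule, re.M):
        problems.append("rule: expected 'package opsmx' as in the sample policy")
    if not re.search(r"^deny(\[|\s+contains\b)", rule, re.M):
        problems.append("rule: no 'deny' rule, so the policy can never fail")
    # Assumption: `variables` is a comma-separated list of input field names.
    declared = {v.strip() for v in fields["variables"].split(",") if v.strip()}
    referenced = set()
    for obj, attr in DOTTED_REF.findall(rule):
        if obj == "input":
            referenced.add(attr)
            if attr not in declared:
                problems.append(f"rule: input.{attr} is not listed in variables")
        elif attr in declared:  # e.g. the `inpu.` typo in the page's original sample
            problems.append(f"rule: '{obj}.{attr}' looks like a typo for 'input.{attr}'")
    for v in sorted(declared - referenced):
        problems.append(f"variables: {v} is declared but never read via input.{v}")
    return problems


# Constructed sample input: the page's policy with its typos fixed ...
GOOD_POLICY = """\
ruleName: Github Repo Visibility Validation Policy
ruleSeverity: Medium
ruleAction: Alert
ruleDescription: Github Repository must not be publicly visible
variables: github_repo_visibility
ruleStage: Source
rule: |
    package opsmx

    deny[msg] {
        checkvisibility := input.github_repo_visibility
        checkvisibility == "public"
        msg := "Public repositories are not allowed"
    }
"""

# ... and a deliberately broken variant: a severity taken from the
# predefined-rule scale (Major) and the `inpu.` typo.
BAD_POLICY = """\
ruleName: Github Repo Visibility Validation Policy
ruleSeverity: Major
ruleAction: Alert
ruleDescription: Github Repository must not be publicly visible
variables: github_repo_visibility
ruleStage: Source
rule: |
    package opsmx

    deny[msg] {
        checkvisibility := inpu.github_repo_visibility
        checkvisibility == "public"
        msg := "Public repositories are not allowed"
    }
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, lint_policy(parse_policy(text)) or "OK")
```

Run it against each policy file before committing; an empty result for the good policy and three findings for the broken one (the Major severity, the inpu. typo, and the consequently unused variable) is the expected outcome.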
