Authoring policies
Before you begin authoring policies, it is important to understand that you must write policies so that a resource that is being evaluated for compliance, does evaluate to be complaint. Do not write policies that check whether a resource is non-compliant. You cannot write a policy without a feed.
To be able to support any JSON files as resource feeds, the Policy Engine of BMC Helix Cloud Security is JSON-aware. In other words, the Policy Engine provides constructs for evaluating rule expressions based on any JSON objects. You can broadly classify the constructs that the Policy Engine supports into the following categories:
Types
The Policy Engine is type-aware. Typically, when a rule expression is evaluated, you must ensure correct types in LHS and RHS. Different types are represented differently, and to be able to write correct rule expressions, you must know these representations. The following table shows a list of types that you can use when working with any JSON feeds.
Type | Description | Example |
---|---|---|
Boolean | A binary value: TRUE/FALSE in uppercase | TRUE |
Integer | A numeric literal without a decimal point | 1,2,45 |
Decimal | A numeric literal with a decimal point | 11.23,2.34,45.00 |
String | Any string literal enclosed in double quotes | "GitHub", "Wiki" |
JSON path | A string literal that matches a regular expression "^\$([\w]+)(..?)(.(?:(?:min|max|avg|count)()))?$" | "$feed" , $feed.lastUpdated , $feed.store.books[*].price.min() |
JSON objects | A policy document does not support defining JSON objects. Therefore, JSON objects do not have any special representation. This type is hidden from a policy author but understanding its existence is important for policy authoring. |
|
List | A comma-separated list of any of the preceding types enclosed in square braces | [1,2,3] , ["NodeJS" , "Rocks"] |
Range | A pair of values enclosed in square braces. Note: This type is only supported for Integer and Decimal types. | [8.0 AND 9.0] |
Property Reference | ??reference_name?? represents a reference to any of the supported types except .Authoring policies vall_releases#JsonPathValue. |
|
RegEx | In-progress |
|
Date | In-progress |
|
Operators
Operators form the basic building blocks for constructing a rule expression. The results of a rule expression can be further combined with other operators to construct complex expressions consisting of many simple expressions. The following operators are supported when working with any JSON feeds:
Operator | Cardinality | Usage | Applicable types |
---|---|---|---|
assign | 2 | LHS assign "GitHub" | LHS is PropertReference and RHS can be any of the supported types. This operation assigns the effective(evaluated) value of the RHS to the property reference. We will discuss more about RHS evaluation when we discuss expression evaluation. |
equals | 2 | equals or = , LHS = "GitHub" or LHS equals "GitHub" | Any simple type (String, Boolean, Integer, Decimal) |
does not equal | 2 | does not equal or != , LHS != "GitHub" or LHS does not equal "GitHub" | Any simple type (String, Boolean, Integer, Decimal) |
starts with | 2 | LHS starts with "Git" | LHS and RHS must be of String type |
is substring of | 2 | LHS is substring of "GitHub rocks" | LHS and RHS must be of String type |
is not substring of | 2 | LHS is not substring of "GitHub rocks" | LHS and RHS must be of String type |
ends with | 2 | LHS ends with "rocks" | LHS and RHS must be of String type |
does not end with | 2 | LHS does not end with "rocks" | LHS and RHS must be of String tye |
is one of | 2 | LHS is one of ["GitHub, "Wiki"] | LHS must be any simple type (String, Boolean, Integer, Decimal) and RHS must be a List of the same type as LHS |
is not one of | 2 | LHS is not one of ["GitHub, "Wiki"] | LHS must be any simple type (String, Boolean, Integer, Decimal) and RHS must be a List of the same type as LHS |
contains | 2 | LHS contains "GitHub | LHS must be a List of any simple type (String, Boolean, Integer, Decimal) and RHS must be any simple type |
does not contain | 2 | LHS does not contain "GitHub" | LHS must be a List of any simple type (String, Boolean, Integer, Decimal) and RHS must be any simple type |
equals (case sensitive) | 2 | LHS equals (case sensitive) "GitHub" | LHS and RHS mst be of String type |
does not equal (case sensitive) | 2 | LHS does not equal (case sensitive) "GitHub" | LHS and RHS must be of String type |
is substring of (case sensitive) | 2 | LHS is substring of (case sensitive) "GitHub" | LHS and RHS must be of String type |
is not substring of (case sensitive) | 2 | LHS is not substring of (case sensitive) "GitHub" | LHS and RHS must be of String type |
contains (case sensitive) | 2 | LHS contains (case sensitive) "GitHub" | LHS must be a list of String type and RHS must be of String type |
does not contain (case sensitive) | 2 | LHS does not contain (case sensitive) "GitHub" | LHS must be a list of String type and RHS must be of String type |
starts with (case sensitive) | 2 | LHS starts with (case sensitive) "GitHub" | LHS and RHS must be of String type |
does not start with (case sensitive) | 2 | LHS does not start with (case sensitive) "GitHub" | LHS and RHS must be of String type |
ends with (case sensitive) | 2 | LHS ends with (case sensitive) "GitHub" | LHS and RHS must be of String type |
does not end with (case sensitive) | 2 | LHS does not end with (case sensitive) "GitHub" | LHS and RHS must be of String type |
is one of (case sensitive) | 2 | LHS is one of (case sensitive) ["GitHub","NodeJs", "Rocks" ] | LHS must be of String type and RHS must be a list of String type |
is not one of (case sensitive) | 2 | LHS is not one of (case sensitive) ["GitHub","NodeJs", "Rocks" ] | LHS must be of String type and RHS must be a list of String type |
equals (ignore extra white spaces) | 2 | LHS equals (ignore extra white spaces) " NodeJs Rocks" | LHS and RHS must be of String type. Ignore any additional spaces either on edges or within a string |
equals (case sensitive and ignore extra white spaces) | 2 | LHS equals (case sensitive and ignore extra white spaces) " NodeJs Rocks" | LHS and RHS must be of String type. Ignore any additional spaces either on edges or within a string. Case sensitive version of above |
less than | 2 | LHS less than 5 or LHS < 5 | LHS and RHS must be of Integer or Decimal type |
greater than | 2 | LHS greater than 5 or LHS > 5 | LHS and RHS must be of type Integer or Decimal type |
less than or equal to | 2 | LHS less than or equal to 5 or LHS <= 5 | LHS and RHS must be of Integer or Decimal type |
greater than or equal to | 2 | LHS greater than or equal to to 5 or LHS <= 5 | LHS and RHS must be of Integer or Decimal type |
between | 2 | LHS between [ 5 AND 10] , A range must have 'AND' as caps | LHS must be of Integer or Decimal type and RHS must be of Range type (the same type same as LHS) |
NOT | 1 | NOT (expression) Eg, NOT (LHS between [ 5 AND 10]) , This operator inverts the evaluation result of an expression(RHS) | RHS must be expression |
AND | N/* | expression AND expression Eg, LHS between [ 5 AND 10] AND LHS = "GitHub", This operator performs logical AND-ING of results of child expressions | Any expression |
OR | N/* | expression OR expression Eg, LHS between [ 5 AND 10] OR LHS = "GitHub", This operator performs logical OR-ING of results of child expressions | Any expression |
JsonPathValue
JsonPathValue is usually represented as "$feed.store.book[*].min()" and must exactly match the regular expression
Meta-character | Meaning | Required | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
\$ | Matches the character $ literally |
| ||||||||||||||
([\w]+) | This is the first capturing group that captures PropertyReference on which JSONPath is applied. This group includes the following meta-characters:
| Yes | ||||||||||||||
(\.*.*?) | This is the second capturing group that captures JSONPath, which is applied to the PropertyReference identified by the preceding match. This group includes the following meta-characters:
| No | ||||||||||||||
(\.(?:(?:min|max|avg|count)\(\)))? | This is the third capturing group that includes the Aggregation function to be applied to the result of applying JSONPath to PropertyReference. This group includes the following meta-characters:
Note: A repeated capturing group only captures the last iterations. | No |
Thus, a JsonPathValue is a triplet as shown in the following example:
Let us explore each one in detail:
PropertyReference
PropertyReference represents the name of the property reference on which the JSON path expression is applied. The property reference can be passed externally ($feed) or can hold the result of the assignment operation of an expression. You can create a valid PropertyReference in the following ways:
- Passed externally: In this case, you can refer to the PropertyReference by using $feed.
- Assignment operation: The evaluation of an assignment expression (??variable?? assign "$feed.*") creates a valid PropertyReference with the name variable. The same can be referred to in subsequent JsonPathValue expressions as $variable
- Loop variable reference: You can access loop variable references as PropertyReferences.
The following example illustrates the usage of loop variable references:
??book_tags?? assign "$loop_book.tags"
end
JSON path expressions
JSON path expressions are similar to XPath expressions in XML, except that JSON paths work on JSON objects. The Policy Engine is not responsible for evaluating JSON path expressions. It makes use of Json path - Jayway library for JSON path evaluations. As a policy author, you must understand what JSON path is for a given JsonPathValue expression. Also, as a policy author, you must understand the result of a JSON path evaluation. The following table lists some examples:
JsonPathValue expression | Evaluation |
---|---|
$feed | Evaluates JSON path $. on PropertyReference feed |
$feed.store.book | Evaluates JSON path $.store.book on PropertyReference feed |
$feed.store.book[*].price | Evaluates JSON path $.store.book[*].price on PropertyReference feed |
$feed.store.book[*].price.max() | Evaluates JSON path $.store.book[*].price on PropertyReference feed and the Policy Engine applies the aggregation function max() to the result |
Aggregation functions
The Policy Engine supports the following aggregation functions to be applied to the results of JSON path evaluations:
Aggregation function | Description |
---|---|
min() | Requires that result on which the function is applied is a list of Integer or Decimal values. Returns the minimum of all the values in the list. |
max() | Requires that result on which the function is applied is a list of Integer or Decimal values. Returns the maximum of all the values in the list. |
avg() | Requires that result on which the function is applied is a list of Integer or Decimal values. Returns the average of all the values in the list. |
count() | Requires that result on which the function is applied is a list of any type. Returns the number of items in the list. |
Expressions
Expressions are constructed by combining operands (of the supported types) and operators. In the Policy Engine, every expression evaluates to a Boolean result.
Rule expressions can be of the following types:
Simple Expressions
These type of expressions are the simplest and are the building blocks for more complex rule expressions.
Syntax |
<PropertyReference> <Operator> <Type> |
---|
Examples |
??variable?? assign "Github" ??average_price?? less than 20.00 ??book_count?? >= 3 |
n-nary expressions
These types of expressions are a combination of two or more expressions. Almost all rule expressions are expressed as n-nary expressions.
Syntax |
{{code language="none"}} <expression> <AND|OR> <expression> <AND|OR> <expression> ... {{/code}} |
---|
Examples |
??book_count?? assign "$feed.store.book.count()" AND ??book_count?? >= 3 ??var_store?? assign "$feed.store" AND ??var_store?? != null AND ??var_books?? assign "$var_store.book" AND ??var_authors?? assign "$var_books.[*].author" AND ??var_authors?? != null AND ??var_authors?? contains "NIGEL REES" AND ??var_authors?? does not contain "Alex" |
Conditional expressions
Conditional expressions enable conditional evaluation of expressions.
Syntax |
{{code language="none" source="string:{{code language=~"none~"~}~} if <expression> then <expression> else <expression> end {{/code~}~}"/}} {{/code}} ))) |((( **Example** ))) |=((( {{code language="text" theme="Confluence"}} ??book_tags?? assign "$loop_book.tags" AND ??book_price?? assign "$loop_book.price" AND if ??book_tags?? contains "fiction" then ??book_price?? >= 9.0 else if ??book_tags?? contains "oreilly" then ??book_price?? >= 11.0 else ??book_price?? between [2.0 AND 30.0] end end {{/code}} ))) {{export-ignore}} ,,[[Back to top>>doc:]],, {{/export-ignore}} === {{id name="Authoringpolicies-Foreachexpressions"/}}Foreach expressions === Foreach expressions enable repeated evaluation of rules for each item in a list. |((( **Syntax** ))) |=((( {{code language="none" source="string:{{code language=~"none~"~}~} {{code language=~"none~" source=~"string:{{code language=~~~"none~~~"~~}~~} foreach <loop_variable> IN #<PropertyReference># <expression> end {{/code~~}~~}~"/~}~} {{/code~}~}"/}} ))) |((( **Example** ))) |=((( {{code language="text" theme="Confluence"}} ??store_authors?? assign "$feed.store.book[*].author" AND foreach loop_author IN #store_authors# loop_author != "Sharad Sinha" end {{/code}} ))) {{export-ignore}} ,,[[Back to top>>doc:]],, {{/export-ignore}} ==== {{id name="Authoringpolicies-PolicyDocumentstructure"/}}Policy Document structure ==== A policy document is a YAML file, which contains rule expressions. |((( **Example policy document ** ))) |=((( {{code language="text" theme="Confluence"}} --- author: "BMC Software" dateOfCreation: "Thu Feb 18 02:47:49 PST 2016" name: "Book store Policy" rulesCount: 18 groups: - description: "" id: 1 name: "My book store Local Policies group0" rules: - description: "There must be atleast 3 books in store at all times" id: 1 name: "book store book count" refNumber: ~ ruleExpression: |- ??book_count?? assign "$feed.store.book.count()" AND ??book_count?? >= 3 - description: "average prices of books must be less than 20" id: 2 name: "book avg price " refNumber: ~ ruleExpression: |- ??average_price?? assign "$feed.store.book[*].price.avg()" AND ??average_price?? less than 20.00 {{/code}} ))) {{export-ignore}} ,,[[Back to top>>doc:]],, {{/export-ignore}} ==== {{id name="Authoringpolicies-PolicyAuthoring-Samples"/}}Policy Authoring - Samples ==== The following example demonstrates a JSON feed representing book store details. This sample contains constructs that are used for policy authoring. {{expand expanded="false" title="Click here to view."}} **Example** {{code language="text" theme="Confluence"}} { "name" : "my-book-store", "guid" : "0503bd2e-816f-42c4-8011-38c9dcb01e28", "type" : "store", "collectionStartTime": 1463661952595, "collectionEndTime": 1463662072595, "store": { "book": [ { "category": "reference", "author": "Nigel Rees", "title": "Sayings of the Century", "price": 8.95, "id" : 1, "review" : { "rating" : 5, "summary" : "Excellent" }, "tags" : ["oxford","reference"], "requiresRefresh" : false }, { "category": "fiction", "author": "Evelyn Waugh", "title": "Sword of Honour", "price": 12.99, "id" :2, "review" : { "rating" : 3, "summary" : "Good" }, "tags" : ["oreilly","fiction"], "requiresRefresh" : true }, { "category": "fiction", "author": "Herman Melville", "title": "Moby Dick", "isbn": "0-553-21311-3", "price": 8.99, "id" : 3, "review" : { "rating" : 4, "summary" : "Very Good" }, "tags" : ["fiction" , "Moby", "Dick"], "requiresRefresh" : true }, { "category": "fiction", "author": "J. R. R. Tolkien", "title": "The Lord of the Rings", "isbn": "0-395-19395-8", "price": 22.99, "id" : 4, "review" : { "rating" : 5, "summary" : "Excellent" }, "tags" : ["fiction" , "Excellent"], "requiresRefresh" : true } ] } } {{/code}} {{/expand}} The following example demonstrates the use of rule expressions: {{expand expanded="false" title="Click here to view."}} **Example** {{code language="text" theme="Confluence"}} --- author: "BMC Software" dateOfCreation: "Thu Feb 18 02:47:49 PST 2016" groups: - description: "" id: 1 name: "My book store Local Policies group0" rules: - description: "There must be atleast 3 books in store at all time" id: 1 name: "book store book count" refNumber: ~ ruleExpression: |- ??book_count?? assign "$feed.store.book.count()" AND ??book_count?? >= 3 - description: "average prices of books must be less than 20" id: 2 name: "book avg price " refNumber: ~ ruleExpression: |- ??average_price?? assign "$feed.store.book[*].price.avg()" AND ??average_price?? less than 20.00 - description: "there must be atleast 2 books with category 'fiction' at all times" id: 4 name: "there must be atleast 2 books with category 'fiction' at all times" refNumber: ~ ruleExpression: |- ??var_fiction_count?? assign "$feed.store.book[?(@.category == 'fiction')].count()" AND ??var_fiction_count?? >= 2 - description: "There are no banned books in my store" id: 5 name: "There are no banned books in my store" refNumber: ~ ruleExpression: |- ??banned_book_count?? assign "$feed.store.book[?(@.category == 'banned')].count()" AND ??banned_book_count?? = 0 - description: "All authours must be from a given list" id: 6 name: "All authours must be from a given list" refNumber: ~ ruleExpression: |- ??store_authors?? assign "$feed.store.book[*].author" AND foreach loop_author IN #store_authors# loop_author != "Sharad Sinha" end - description: "there must be a book with author 'Nigel Rees'" id: 7 name: "book nested attributes reference , there must be a book with author 'Nigel Rees' " refNumber: ~ ruleExpression: |- ??var_store?? assign "$feed.store" AND ??var_store?? != null AND ??var_books?? assign "$var_store.book" AND ??var_authors?? assign "$var_books.[*].author" AND ??var_authors?? != null AND ??var_authors?? contains "NIGEL REES" AND ??var_authors?? does not contain "Alex" - description: "Demonstrate nested for loops" id: 8 name: "Demonstrate nested for loops" refNumber: ~ ruleExpression: |- ??store_books?? assign "$feed.store.book" AND foreach loop_book IN #store_books# loop_book != null AND ??book_tags?? assign "$loop_book.tags" AND ??book_tags?? != null AND foreach loop_tag IN #book_tags# loop_tag != null AND loop_tag is one of ["oxford","reference","oreilly","fiction","fiction" , "Moby", "Dick", "Excellent"] AND loop_tag is not one of ["Alex" , "john", "fernando"] AND loop_tag is one of (case sensitive) ["oxford","reference","oreilly","fiction","Moby", "Dick","Excellent"] AND loop_tag is not one of (case sensitive) ["OXFORD","REFERENCE","OREILLY","FICTION","FICTION" , "MOBY", "DICK", "EXCELLENT"] end end - description: "Demonstrate misc string operations" id: 9 name: "Demonstrate misc string operations" refNumber: ~ ruleExpression: |- ??store_book_author?? assign "$feed.store.book[0].author" AND ??store_book_author?? assign "$feed.store.book[0].author" AND ??store_book_author?? starts with "NIGEL" AND ??store_book_author?? does not start with "ALEX" AND ??store_book_author?? ends with "REES" AND ??store_book_author?? does not end with "ALEX" AND ??store_book_author?? is substring of "NIGEL REES HAS COME BACK WITH A BANG" AND ??store_book_author?? is not substring of "HAS COME BACK WITH A BANG" AND ??store_book_author?? does not equal "ALEX" AND ??store_book_author?? equals "NIGEL REES" AND ??store_book_author?? = "NIGEL REES" AND ??store_book_author?? != "Alex" AND ??store_book_author?? is one of ["NIGEL REES" , "SHARAD SINHA"] AND ??store_book_author?? equals (ignore extra white spaces) " NIGEL REES " AND ??store_book_author?? starts with (case sensitive) "Nigel" AND ??store_book_author?? does not start with (case sensitive) "Alex" AND ??store_book_author?? equals (case sensitive) "Nigel Rees" AND ??store_book_author?? ends with (case sensitive) "Rees" AND ??store_book_author?? does not end with (case sensitive) "REES" AND ??store_book_author?? is substring of (case sensitive) "Nigel Rees has come back with a bang" AND ??store_book_author?? is not substring of (case sensitive) "NIGEL REES HAS COME BACK WITH A BANG" AND ??store_book_author?? does not equal (case sensitive) "NIGEL REES" AND ??store_book_author?? is one of (case sensitive) ["Nigel Rees" , "Sharad Sinha"] AND ??store_book_author?? equals (case sensitive and ignore extra white spaces) " Nigel Rees " - description: "Demonstrate 'contains' variations'" id: 10 name: "Demonstrate 'contains' variations'" refNumber: ~ ruleExpression: |- ??var_authors?? assign "$feed.store.book[*].author" AND ??var_authors?? contains "HERMAN MELVILLE" AND ??var_authors?? does not contain (case sensitive) "HERMAN MELVILLE" AND ??var_authors?? contains (case sensitive) "Nigel Rees" - description: "Demonstrate 'contains' in integer list variations" id: 11 name: "Demonstrate 'contains' in integer list variations" refNumber: ~ ruleExpression: |- ??var_ids?? assign "$feed.store.book[*].id" AND ??var_ids?? contains 2 AND ??var_ids?? does not contain 999 - description: "Demonstrate 'contains' in double list variations" id: 12 name: "Demonstrate 'contains' in double list variations" refNumber: ~ ruleExpression: |- ??var_ids?? assign "$feed.store.book[*].price" AND ??var_ids?? contains 12.99 AND ??var_ids?? does not contain 999.99 - description: "Demonstrate numeric operators on double values" id: 13 name: "Demonstrate numeric operators on double values" refNumber: ~ ruleExpression: |- ??var_price?? assign "$feed.store.book[0].price" AND ??var_price?? = 8.95 AND ??var_price?? equals 8.95 AND ??var_price?? != 9.0 AND ??var_price?? does not equal 9.0 AND ??var_price?? >= 8.95 AND ??var_price?? greater than or equal to 8.95 AND ??var_price?? > 8.00 AND ??var_price?? greater than 8.00 AND ??var_price?? < 10.00 AND ??var_price?? less than 10.00 AND ??var_price?? <= 8.95 AND ??var_price?? less than or equal to 8.95 AND ??var_price?? between [8.0 AND 9.0] - description: "Demonstrate numeric operators on integer values" id: 14 name: "Demonstrate numeric operators on double values" refNumber: ~ ruleExpression: |- ??var_price?? assign "$feed.store.book[0].review.rating" AND ??var_price?? = 5 AND ??var_price?? equals 5 AND ??var_price?? != 5.0 AND ??var_price?? does not equal 5.0 AND ??var_price?? >= 5 AND ??var_price?? greater than or equal to 5 AND ??var_price?? > 2 AND ??var_price?? greater than 2 AND ??var_price?? < 10 AND ??var_price?? less than 10 AND ??var_price?? <= 5 AND ??var_price?? less than or equal to 5 AND ??var_price?? between [2 AND 10] - description: "Demonstrate operations on boolean values" id: 15 name: "Demonstrate operations on boolean values, Cautions boolean values must be in CAPS" refNumber: ~ ruleExpression: |- ??var_requiresRefresh?? assign "$feed.store.book[0].requiresRefresh" AND ??var_requiresRefresh?? = FALSE AND ??var_requiresRefresh?? != TRUE AND ??var_requiresRefresh?? != 5 AND ??var_requiresRefresh?? equals FALSE - description: "Demonstrate conditional evaluations with basic if else expressions" id: 16 name: "Demonstrate conditional evaluations" refNumber: ~ ruleExpression: |- ??store_books?? assign "$feed.store.book" AND foreach loop_book IN #store_books# ??book_tags?? assign "$loop_book.tags" AND ??book_price?? assign "$loop_book.price" AND if ??book_tags?? contains "fiction" then ??book_price?? >= 9.0 else ??book_price?? between [2.0 AND 30.0] end end - description: "Demonstrate conditional evaluations with if else ladder" id: 17 name: "Demonstrate conditional evaluations" refNumber: ~ ruleExpression: |- ??store_books?? assign "$feed.store.book" AND foreach loop_book IN #store_books# ??book_tags?? assign "$loop_book.tags" AND ??book_price?? assign "$loop_book.price" AND if ??book_tags?? contains "fiction" then ??book_price?? >= 9.0 else if ??book_tags?? contains "oreilly" then ??book_price?? >= 11.0 else ??book_price?? between [2.0 AND 30.0] end end end - description: "Demonstrate 'NOT' usage'" id: 18 name: "Demonstrate 'contains' variations'" refNumber: ~ ruleExpression: |- ??var_authors?? assign "$feed.store.book[*].author" AND NOT (??var_authors?? contains (case sensitive) "HERMAN MELVILLE") AND ??var_authors?? contains (case sensitive) "Nigel Rees" name: "Book store Policy" rulesCount: 18 {{/code}} {{/expand}} \\ {{export-ignore}} ,,[[Back to top>>doc:]],, {{/export-ignore}} == {{id name="Authoringpolicies-MatchingResourcestoPolicies"/}}Matching Resources to Policies == {{excerpt-include 0="More-Products.Cloud-Security.BMC-Helix-Cloud-Security.PathPol._libraries._excerptLib.WebHome" name="product_name" nopanel="true"/}} supports "//**any data any policy**//". * Any data: Implies any JSON document as a resource feed, which might contain data for multiple resources. * Any policy: Implies that you can author any policies that test different aspects of the incoming feed. Support for "//**any data any policy**//" results in the following key challenges: {{toc depth="3" start="3"/}} === {{id name="Authoringpolicies-Matchinganincomingfeedwithappropriatepolicies"/}}Matching an incoming feed with appropriate policies === {{excerpt-include 0="More-Products.Cloud-Security.BMC-Helix-Cloud-Security.PathPol._libraries._excerptLib.WebHome" name="product_name" nopanel="true"/}} uses special hint fields in the Policy and Resource feed. These fields are captured as a part of the metadata section of both the documents. As shown in the following excerpts, {{excerpt-include 0="More-Products.Cloud-Security.BMC-Helix-Cloud-Security.PathPol._libraries._excerptLib.WebHome" name="product_name" nopanel="true"/}} uses the **selectionHint** attribute in the Policy and Resource feed document to match feeds with policies. {{expand expanded="false" title="Click here to view the structure of the reference policy document."}} {{code language="text" theme="Confluence"}} --- author: "BMC Software" dateOfCreation: "Thu Feb 18 02:47:49 PST 2016" name: "cfn policy" selectionHint: cfn , aws lambda , s3 groups: - description: "cfn rules" id: 1 name: "cfn rules" rules: - description: "check memorysize" id: 112 refNumber: ~ ruleExpression: |- ??all_resource?? assign "$feed.Resources.*" AND ??all_lambda?? assign "$all_resource.[?(@.Type == 'AWS::Lambda::Function')]" {{/code}} {{/expand}} {{expand expanded="false" title="Click here to view the structure of the reference resource feed document."}} {{code language="text" theme="Confluence"}} { "Description": "BMC CaaS policy engine template", "selectionHint" : "cfn , aws lambda" "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "PolicyEngineLambdaExecutionRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { ... Rest of the document {{/code}} {{/expand}} \\ {{export-ignore}} ,,[[Back to top>>doc:]],, {{/export-ignore}} === {{id name="Authoringpolicies-DynamicallyidentifyingresourceswithinaJSONfeed"/}}Dynamically identifying resources within a JSON feed === When supporting any arbitrary JSON as a resource feed, it is difficult to ascertain whether a specific section within a JSON document must be treated as a resource or whether the entire JSON document must be treated as a single resource. {{export-ignore}} ,,[[Back to top>>doc:]],, {{/export-ignore}} ==== {{id name="Authoringpolicies-Resourcematchingcriteria"/}}Resource matching criteria ==== The **resource matching criteria **mechanism enables a policy author to define which sections of a feed should constitute a resource, which must be applied to the policy. Occasionally, the resource matching criteria might not map to any JSON node in the feed and would therefore result in no policy being evaluated against the feed. The resource policy document can contain the following attributes: |=((( Spec Type )))|=((( Spec Attribute )))|=((( Description )))|=((( Required ))) |(% rowspan="4" %)((( (% class="code" %) ((( originSpec ))) (% class="code" %) ((( ))) (% class="code" %) ((( ))) (% class="code" %) ((( ))) )))|((( )))|((( A source/origin or a resource. You can have multiple origins in a given resource feed document. Examples: * A dependency checker feed can have projects as origin * A cfn feed can have a project or a microservice as origin Although an origin can be modeled as a resource, currently, origin is a textual attribute of a resource that is used mainly for the purpose of reporting. {{code language="none"}}originSpe{{/code}}c is expressed using the following attributes: * {{code language="none"}}expression{{/code}} * {{code language="none"}}nameExpression{{/code}} * {{code language="none"}}typeExpression{{/code}} )))|((( No ))) |((( (% class="code" %) ((( expression ))) )))|((( A JSON path expression that corresponds to a JSON node within a JSON feed. When you write an expression, the {{code language="none"}}expression{{/code}} attribute must evaluate to a valid JSON node. Otherwise, the policy on which the origin field is defined is not evaluated against the incoming resource feed. In other words, evaluation is skipped for the incoming resource feed. )))|((( Yes ))) |((( (% class="code" %) ((( nameExpression ))) )))|((( A JSON path expression that represents the name of the origin object. When you write a name expression, the {{code language="none"}}namExpression{{/code}} must evaluate to a string type. If you do not specify a value for this attribute or if the value is null, {{code language="none"}}expression{{/code}} is used as the name. )))|((( No ))) |((( (% class="code" %) ((( typeExpression ))) )))|((( A JSON path expression that represents the type of the origin object. When you write a type expression, the {{code language="none"}}typeExpression{{/code}} must evaluate to a string type. The type of an origin is not important because its value is not currently used. Therefore, you may not specify the type in the policy or leave it blank. )))|((( No ))) |(% rowspan="4" %)((( (% class="code" %) ((( resourceSpec ))) (% class="code" %) ((( ))) (% class="code" %) ((( ))) (% class="code" %) ((( ))) )))|((( )))|((( An identifier for a resource within a JSON node as represented by {{code language="none"}}originSpec{{/code}}. Like {{code language="none"}}originSpec{{/code}}, {{code language="none"}}resourceSpec{{/code}} have the following properties: * Can only be defined at the policy document level * If not specified, the entireresource feed is treated as a single origin {{code language="none"}}resourceSpec{{/code}} is expressed using the following attributes: * {{code language="none"}}expression{{/code}} * {{code language="none"}}nameExpression{{/code}} * {{code language="none"}}typeExpression{{/code}} )))|((( No ))) |((( (% class="code" %) ((( expression ))) )))|((( A JSON path expression that corresponds to a JSON node within a resource feed. When you write an expression, the {{code language="none"}}expression{{/code}} attribute must evaluate to a valid JSON node. Otherwise, policy evaluation is skipped for the incoming resource feed. )))|((( Yes ))) |((( (% class="code" %) ((( nameExpression ))) )))|((( A JSON path expression that represents the name of the resource object. When you write a name expression, the {{code language="none"}}nameExpression{{/code}} must evaluate to a string type. If you do not specify a value for this attribute or if the value is null, {{code language="none"}}expression{{/code}} is used as the resource name. You can specify a fixed string as a {{code language="none"}}nameExpression{{/code}}; the fixed string is used as is for the name of the resource. However, this type of expression is not recommended for a single resource per resource feed. )))|((( No ))) |((( (% class="code" %) ((( typeExpression ))) )))|((( A JSON path expression that represents the type of the resource object. When you write a type expression, the {{code language="none"}}typeExpression{{/code}} must evaluate to a string type. If you do not specify a value for this attribute, {{code language="none"}}typeEpression{{/code}} is set to null. You can specify a fixed string as a {{code language="none"}}typeExpression{{/code}}; the fixed string is used as is for the type of the resource. )))|((( No ))) \\ {{expand expanded="false" title="Click here to view a sample policy document."}} {{code language="text" theme="Confluence"}} --- author: "BMC Software" dateOfCreation: "Thu Feb 18 02:47:49 PST 2016" name: "cfn policy" originSpec: expression: $.*.Resources nameExpression: $.name typeExpression: "$.[@.Type='AWS Lambda']" resourceSpec: expression: $.*.Resources nameExpression: $.name typeExpression: "$.[@.Type='AWS Lambda']" selectionHint: "cfn , aws lambda , s3" groups: - description: "cfn rules" id: 1 name: "cfn rules" rules: - description: "check memorysize" id: 112 refNumber: ~ ruleExpression: "??all_resource?? assign \"$feed.Resources.*\" AND\n\ ??all_lambda?? assign \"$all_resource.[?(@.Type == 'AWS::Lambda::Function')]\" " {{/code}} {{/expand}} \\ {{export-ignore}} ,,[[Back to top>>doc:]],, {{/export-ignore}} \\ {{success}} **Recommendations for policy authoring** Although you can author policies for any number of resources and any resource types for a given resource feed, BMC recommends that you create **separate policies for each resource type**. This improves the readability of the report results and also allows greater flexibility when you perform various aggregations on the results. {{/success}} == {{id name="Authoringpolicies-Policyseverity"/}}Policy severity == The severity level across all CIS policies are standardized with a minimum (low) severity of **4**, and a maximum (high) severity of **9**. A critical severity cannot exceed a value of **10**. These levels are common across the following policies: (% class="alternate" %) * Out of the Box (OOTB) Policies * AWS CIS Policies * CIS Windows 2012 Policies * CIS AWS Three-tier Web Policies * CIS Docker Policies * Beta Policies * CIS Azure Policies {{info title="Example"}} {{code language="none"}} severity: { {{/code}} {{code language="none"}} low: { {{/code}} {{code language="none"}} min: 0, {{/code}} {{code language="none"}} max: 3 {{/code}} {{code language="none"}} }, {{/code}} {{code language="none"}} medium: { {{/code}} {{code language="none"}} min: 4, {{/code}} {{code language="none"}} max: 6 {{/code}} {{code language="none"}} }, {{/code}} {{code language="none"}} high: { {{/code}} {{code language="none"}} min: 7, {{/code}} {{code language="none"}} max: 9 {{/code}} {{code language="none"}} }, {{/code}} {{code language="none"}} critical: { {{/code}} {{code language="none"}} min: 10 {{/code}} {{code language="none"}} } {{/code}} {{code language="none"}} } {{/code}} {{/info}} |
---|