Sample custom policies
You can author customized policies and have BMC Helix Cloud Security evaluate the resource feed against these customized policies. You can then take further actions based on the evaluation results.
This page includes the following sample custom policies and their corresponding resource feed JSON files.
AppScan policy
IBM Security AppScan Enterprise enables organizations to mitigate application security risk, strengthen application security program management initiatives, and achieve regulatory compliance.
By using the detailed security reports from IBM Security AppScan Enterprise as the resource feed, you can create a customized policy that determines whether your applications are compliant with your organizational policies.
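# Sample custom policy for IBM Security AppScan Enterprise results. Each
# entry of the feed's issue array becomes one resource, and the single rule
# fails any issue whose severity is "Critical".
author: BMC Software
dateOfCreation: 'Thu Oct 28 02:47:49 PST 2016'
description: APPSCAN results Analysis for Caas
# Variables the rule expression assigns and makes available with the
# evaluation result.
exportedVariables:
  - test-url
  - security-category-name
  - issue-severity
  - issue-status
  - weblink
  - href
  - content
  - issue-type-name
  - is-infrastructure
  - issue-type-internal-name
groups:
  - description: Analysis of results from Appscan Result for Information Leakage
    id: 1
    name: 'Verify severity of the issues for security Category Information Leakage'
    rules:
      - description: Verify severity of the issues for security Category Information Leakage
        id: 1
        name: Verify severity of the issues for security Category Information Leakage
        refNumber: null
        # The `assign` clauses copy issue fields into the exported variables
        # (security-category-name is listed under exportedVariables, so it is
        # assigned here like the others); only the last clause is the
        # compliance check. As written it fails only "Critical" issues -- any
        # other severity value (the sample feed carries "Low" and
        # "Information") passes -- and nothing restricts the check to the
        # Information Leakage category named above: every issue in the feed
        # is evaluated.
        ruleExpression: >-
          ??test-url?? assign "$resource.test-url" AND
          ??security-category-name?? assign "$resource.security-category-name" AND
          ??issue-severity?? assign "$resource.issue-severity" AND
          ??issue-status?? assign "$resource.issue-status" AND
          ??weblink?? assign "$resource.issue-id.weblink" AND
          ??href?? assign "$resource.issue-id.href" AND
          ??content?? assign "$resource.issue-id.content" AND
          ??issue-type-name?? assign "$resource.issue-type-name" AND
          ??is-infrastructure?? assign "$resource.is-infrastructure" AND
          ??issue-type-internal-name?? assign "$resource.issue-type-internal-name" AND
          ??issue-severity?? does not equal "Critical"
name: AppscanSecurityIssues
originSpec:
  # The feed's ApplicationID (the scanned application URL) names the origin.
  nameExpression: $.ApplicationID
resourceSpec:
  # One resource per element of wf-security-issues.issue in the feed.
  expression: '$.wf-security-issues.issue[*]'
  nameExpression: $.test-url
  typeExpression: Issues
selectionHint: APPSCAN
rulesCount: 1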
{"PolicyName":"Security Issues",
"ApplicationID":"http://vl-aus-csm-bl03.bmc.com:8080/caas/",
"wf-security-issues":{"xmlns":"http://www.ibm.com/Rational/AppScanEnterprise",
"issue":[{"security-category-name":"Content Spoofing",
"source-file":"","security-entity-element":"",
"issue-severity":"Low","test-url":"http://vl-aus-csm-bl03.bmc.com:8080/caas/",
"issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3005013",
"href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3005013","content":3005013},
"issue-type-name":"Insecure \"OPTIONS\" HTTP Method Enabled",
"api":"","issue-status":"New",
"is-infrastructure":"Infrastructure",
"issue-type-internal-name":"wf-security-check-attdiroptions"},{"security-category-name":
"Information Leakage","source-file":"","security-entity-element":"",
"issue-severity":"Low","test-url":"http://vl-aus-csm-bl03.bmc.com:8080/caas/content/js/fusioncharts-xt-ol/js/themes/fusioncharts.theme.fint.js",
"issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3005014",
"href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3005014",
"content":3005014},"issue-type-name":"Missing \"Content-Security-Policy\" header",
"api":"","issue-status":"New","is-infrastructure":"Application","issue-type-internal-name":
"wf-security-check-contentsecuritypolicy"},{"security-category-name":"Information Leakage",
"source-file":"","security-entity-element":"","issue-severity":"Low",
"test-url":"http://vl-aus-csm-bl03.bmc.com:8080/caas/",
"issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3005016",
"href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3005016",
"content":3005016},"issue-type-name":"Missing \"Content-Security-Policy\" header",
"api":"","issue-status":"New","is-infrastructure":"Application",
"issue-type-internal-name":"wf-security-check-contentsecuritypolicy"},
{"security-category-name":"Information Leakage","source-file":"",
"security-entity-element":"","issue-severity":"Low","test-url":
"http://vl-aus-csm-bl03.bmc.com:8080/caas/content/js/vendor.min.js",
"issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3074418",
"href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3074418",
"content":3074418},"issue-type-name":"Web Application Source Code Disclosure Pattern Found",
"api":"","issue-status":"New","is-infrastructure":"Application","issue-type-internal-name":
"wf-security-check-gd_sourcecodedisclosure"},{"security-category-name":"Information Leakage",
"source-file":"","security-entity-element":"","issue-severity":"Low",
"test-url":"http://vl-aus-csm-bl03.bmc.com:8080/caas/app/account/account.html",
"issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3172318",
"href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3172318",
"content":3172318},"issue-type-name":"Missing \"Content-Security-Policy\" header","api":"",
"issue-status":"New","is-infrastructure":"Application","issue-type-internal-name":
"wf-security-check-contentsecuritypolicy"},{"security-category-name":"Information Leakage",
"source-file":"","security-entity-element":"","issue-severity":"Low","test-url":
"http://vl-aus-csm-bl03.bmc.com:8080/examples/servlets/servlet/CookieExample",
"issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3172319","href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3172319","content":3172319},"issue-type-name":"Apache Tomcat Cookie Handling Session ID Disclosure","api":"","issue-status":"New","is-infrastructure":"Infrastructure","issue-type-internal-name":"wf-security-check-apachetomcatcookiehandlingsessioniddisc"},{"security-category-name":"Information Leakage","source-file":"","security-entity-element":"","issue-severity":"Low","test-url":"http://vl-aus-csm-bl03.bmc.com:8080/caas/app/account/login/login.html","issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3172321","href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3172321","content":3172321},"issue-type-name":"Autocomplete HTML Attribute Not Disabled for Password Field","api":"","issue-status":"New","is-infrastructure":"Application","issue-type-internal-name":"wf-security-check-gd_autocompleteinform"},{"security-category-name":"Information Leakage","source-file":"","security-entity-element":"","issue-severity":"Low","test-url":"http://vl-aus-csm-bl03.bmc.com:8080/caas/app/account/login/login.html","issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3172322","href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3172322","content":3172322},"issue-type-name":"Missing \"Content-Security-Policy\" header","api":"","issue-status":"New","is-infrastructure":"Application","issue-type-internal-name":"wf-security-check-contentsecuritypolicy"},{"security-category-name":"Information 
Leakage","source-file":"","security-entity-element":"","issue-severity":"Information","test-url":"http://vl-aus-csm-bl03.bmc.com:8080/caas/content/js/vendor.min.js","issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3074419","href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3074419","content":3074419},"issue-type-name":"Client-Side (JavaScript) Cookie References","api":"","issue-status":"New","is-infrastructure":"Application","issue-type-internal-name":"wf-security-check-attjscookie"},{"security-category-name":"Information Leakage","source-file":"","security-entity-element":"","issue-severity":"Information","test-url":"http://vl-aus-csm-bl03.bmc.com:8080/caas/content/js/app.min.js","issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3081748","href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3081748","content":3081748},"issue-type-name":"Email Address Pattern Found","api":"","issue-status":"New","is-infrastructure":"Application","issue-type-internal-name":"wf-security-check-gd_emailaddress"},{"security-category-name":"Information Leakage","source-file":"","security-entity-element":"","issue-severity":"Information","test-url":"http://vl-aus-csm-bl03.bmc.com:8080/caas/content/js/vendor.min.js","issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3081749","href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3081749","content":3081749},"issue-type-name":"Possible Server Path Disclosure Pattern Found","api":"","issue-status":"New","is-infrastructure":"Application","issue-type-internal-name":"wf-security-check-gd_pathdisclosure"},{"security-category-name":"Information 
Leakage","source-file":"","security-entity-element":"","issue-severity":"Information","test-url":"http://vl-aus-csm-bl03.bmc.com:8080/caas/app/account/login/login.html","issue-id":{"weblink":"https://phx-appscrnd-01.adprod.bmc.com/ase/Reports/AboutThisIssue.aspx?fiid=5373&rid=40935&issue_id=3172320","href":"https://phx-appscrnd-01.adprod.bmc.com/ase/services/reports/40935/issues/3172320","content":3172320},"issue-type-name":"HTML Comments Sensitive Information Disclosure","api":"","issue-status":"New","is-infrastructure":"Application","issue-type-internal-name":"wf-security-check-attsensitiveinhtmlcomments"}],"Page":1,"TotalPages":1}}
Nexus scan policy
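---
# Sample custom policy for a Nexus component scan. Each entry of the feed's
# components array becomes one resource; rule 1 checks license threats and
# rule 2 checks security (vulnerability) threats.
author: "BMC Software"
dateOfCreation: "Thu Feb 18 02:47:49 PST 2016"
# Variables the rule expressions assign and make available with the
# evaluation result.
exportedVariables:
  - artifactId
  - pathNames
  - licenseThreatGroupName
  - licenseThreatGroupLevel
  - licenseThreatGroupCategory
  - securityThreatSource
  - securityThreatSeverity
  - securityThreatStatus
  - securityThreatUrl
groups:
  -
    description: "Verify Nexus Response"
    id: 1
    name: "Verify Security and License Threat"
    rules:
      -
        description: "Verify License Threats for the Resource"
        id: 1
        name: "01 Verify License Threats for the Resource"
        refNumber: null
        # Components without licenseData (the "unknown" matchState entries
        # at the end of the sample feed) are short-circuited by the EXISTS
        # guards and never reach the category check.
        # NOTE(review): the two closing clauses are joined with OR, so a
        # component fails only when its effective license threat categories
        # contain BOTH "critical" and "severe"; a component carrying only one
        # of them passes (in the sample feed, commons-codec with a single
        # "severe" threat passes, while stax-api, which has both, fails).
        # Confirm whether AND (fail on either category) was intended.
        ruleExpression: |-
          ??artifactNode?? assign "$resource" AND
          if NOT (#artifactNode#EXISTS)
          then
          ??artifactNode?? assign null
          else
          ??effectiveLicenseThreatsNode?? assign "$resource.licenseData.effectiveLicenseThreats" AND
          if NOT (#effectiveLicenseThreatsNode# EXISTS)
          then
          ??effectiveLicenseThreatsNode?? assign null
          else
          ??artifactId?? assign "$resource.componentIdentifier.coordinates.artifactId" AND
          ??pathNames?? assign "$resource.pathnames[*]" AND
          ??effectiveLicenseThreatsNode?? assign "$resource.licenseData.effectiveLicenseThreats" AND
          ??licenseThreatGroupName?? assign "$resource.licenseData.effectiveLicenseThreats[*].licenseThreatGroupName" AND
          ??licenseThreatGroupLevel?? assign "$resource.licenseData.effectiveLicenseThreats[*].licenseThreatGroupLevel" AND
          ??licenseThreatGroupCategory?? assign "$resource.licenseData.effectiveLicenseThreats[*].licenseThreatGroupCategory" AND
          ??licenseThreatGroupCategory?? does not contain "critical" OR
          ??licenseThreatGroupCategory?? does not contain "severe"
          end
          end
      -
        description: "Verify Security Threats for the Resource"
        id: 2
        name: "02 Verify Security Threats for the Resource"
        refNumber: null
        # Iterates every entry of securityData.securityIssues; the pass
        # condition is a numeric severity below 5.0, so an issue at 5.0 or
        # higher (in the sample feed, jackson-xml-databind's CVE-2016-3720 at
        # 7.5) presumably fails the component. Components without
        # securityData are short-circuited by the EXISTS guards.
        ruleExpression: |-
          ??artifactNode?? assign "$resource" AND
          if NOT (#artifactNode#EXISTS)
          then
          ??artifactNode?? assign null
          else
          ??securityIssuesNode?? assign "$resource.securityData.securityIssues[*]" AND
          if NOT ( #securityIssuesNode# EXISTS)
          then
          ??securityIssuesNode?? assign null
          else
          ??artifactId?? assign "$resource.componentIdentifier.coordinates.artifactId" AND
          ??pathNames?? assign "$resource.pathnames[*]" AND
          ??securityIssuesNode?? assign "$resource.securityData.securityIssues[*]" AND
          foreach loop_SecurityIssueNode IN #securityIssuesNode#
          ??loop_IssueNode?? assign "$loop_SecurityIssueNode" AND
          ??securityThreatSource?? assign "$loop_IssueNode.source" AND
          ??securityThreatReference?? assign "$loop_IssueNode.reference" AND
          ??securityThreatSeverity?? assign "$loop_IssueNode.severity" AND
          ??securityThreatStatus?? assign "$loop_IssueNode.status" AND
          ??securityThreatUrl?? assign "$loop_IssueNode.url" AND
          ??securityThreatSeverity?? < 5.0
          end
          end
          end
name: NexusPolicy
originSpec:
  # The feed's ScanPath names the origin.
  nameExpression: $.ScanPath
resourceSpec:
  # One resource per element of the components array in the feed.
  expression: "$.components[*]"
  nameExpression: $.componentIdentifier.coordinates.artifactId
  typeExpression: Artifact
selectionHint: Nexus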
{
"components": [{
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}, {
"licenseThreatGroupLevel": 5,
"licenseThreatGroupCategory": "severe",
"licenseThreatGroupName": "Sonatype Special Licenses"
}],
"observedLicenses": [{
"licenseName": "No Source License",
"licenseId": "No-Source-License"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/jackson-core-2.7.0.jar", "target\/custom-collector\/lib\/jackson-core-2.7.0.jar", "target\/lib\/jackson-core-2.7.0.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "com.fasterxml.jackson.core",
"classifier": "",
"artifactId": "jackson-core",
"version": "2.7.0"
}
},
"hash": "05f2bfd0866bcacbcc7c",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}],
"observedLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/commons-lang-2.6.jar", "target\/custom-collector\/lib\/commons-lang-2.6.jar", "target\/lib\/commons-lang-2.6.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "commons-lang",
"classifier": "",
"artifactId": "commons-lang",
"version": "2.6"
}
},
"hash": "0ce1edb914c94ebc388f",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}, {
"licenseThreatGroupLevel": 5,
"licenseThreatGroupCategory": "severe",
"licenseThreatGroupName": "Sonatype Special Licenses"
}],
"observedLicenses": [{
"licenseName": "No Source License",
"licenseId": "No-Source-License"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/jackson-annotations-2.7.0.jar", "target\/custom-collector\/lib\/jackson-annotations-2.7.0.jar", "target\/lib\/jackson-annotations-2.7.0.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "com.fasterxml.jackson.core",
"classifier": "",
"artifactId": "jackson-annotations",
"version": "2.7.0"
}
},
"hash": "19f42c154ffc689f40a7",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}, {
"licenseThreatGroupLevel": 5,
"licenseThreatGroupCategory": "severe",
"licenseThreatGroupName": "Sonatype Special Licenses"
}],
"observedLicenses": [{
"licenseName": "No Source License",
"licenseId": "No-Source-License"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/jackson-xml-databind-0.6.2.jar", "target\/custom-collector\/lib\/jackson-xml-databind-0.6.2.jar", "target\/lib\/jackson-xml-databind-0.6.2.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "com.fasterxml",
"classifier": "",
"artifactId": "jackson-xml-databind",
"version": "0.6.2"
}
},
"hash": "1e414fc8615f8b1aef8c",
"securityData": {
"securityIssues": [{
"reference": "CVE-2016-3720",
"severity": 7.5,
"source": "cve",
"threatCategory": "critical",
"url": "http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-3720",
"status": "Open"
}]
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}],
"observedLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/commons-configuration-1.10.jar", "target\/custom-collector\/lib\/commons-configuration-1.10.jar", "target\/lib\/commons-configuration-1.10.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "commons-configuration",
"classifier": "",
"artifactId": "commons-configuration",
"version": "1.10"
}
},
"hash": "2b36e4adfb66d966c5ae",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Not Declared",
"licenseId": "Not-Declared"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 5,
"licenseThreatGroupCategory": "severe",
"licenseThreatGroupName": "Sonatype Special Licenses"
}],
"observedLicenses": [{
"licenseName": "Not Provided",
"licenseId": "UNSPECIFIED"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/commons-codec-1.2.jar", "target\/custom-collector\/lib\/commons-codec-1.2.jar", "target\/lib\/commons-codec-1.2.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "commons-codec",
"classifier": "",
"artifactId": "commons-codec",
"version": "1.2"
}
},
"hash": "397f4731a9f9b6eb1907",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}, {
"licenseName": "LGPL-2.1",
"licenseId": "LGPL-2.1"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}, {
"licenseThreatGroupLevel": 2,
"licenseThreatGroupCategory": "moderate",
"licenseThreatGroupName": "Weak Copyleft"
}, {
"licenseThreatGroupLevel": 5,
"licenseThreatGroupCategory": "severe",
"licenseThreatGroupName": "Sonatype Special Licenses"
}],
"observedLicenses": [{
"licenseName": "No Source License",
"licenseId": "No-Source-License"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/jackson-xc-1.9.2.jar", "target\/custom-collector\/lib\/jackson-xc-1.9.2.jar", "target\/lib\/jackson-xc-1.9.2.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "org.codehaus.jackson",
"classifier": "",
"artifactId": "jackson-xc",
"version": "1.9.2"
}
},
"hash": "437c991a8eb2c8b69ef1",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}],
"observedLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/commons-logging-1.1.1.jar", "target\/custom-collector\/lib\/commons-logging-1.1.1.jar", "target\/lib\/commons-logging-1.1.1.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "commons-logging",
"classifier": "",
"artifactId": "commons-logging",
"version": "1.1.1"
}
},
"hash": "5043bfebc3db072ed80f",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}, {
"licenseThreatGroupLevel": 5,
"licenseThreatGroupCategory": "severe",
"licenseThreatGroupName": "Sonatype Special Licenses"
}],
"observedLicenses": [{
"licenseName": "No Source License",
"licenseId": "No-Source-License"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/jackson-databind-2.7.0.jar", "target\/custom-collector\/lib\/jackson-databind-2.7.0.jar", "target\/lib\/jackson-databind-2.7.0.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "com.fasterxml.jackson.core",
"classifier": "",
"artifactId": "jackson-databind",
"version": "2.7.0"
}
},
"hash": "7d3430de9f2b600b074b",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}, {
"licenseThreatGroupLevel": 6,
"licenseThreatGroupCategory": "severe",
"licenseThreatGroupName": "Non Standard"
}],
"observedLicenses": [{
"licenseName": "Non-Standard",
"licenseId": "UNKNOWN"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/jackson-core-asl-1.9.2.jar", "target\/custom-collector\/lib\/jackson-core-asl-1.9.2.jar", "target\/lib\/jackson-core-asl-1.9.2.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "org.codehaus.jackson",
"classifier": "",
"artifactId": "jackson-core-asl",
"version": "1.9.2"
}
},
"hash": "8493982bba1727106d76",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}, {
"licenseThreatGroupLevel": 6,
"licenseThreatGroupCategory": "severe",
"licenseThreatGroupName": "Non Standard"
}],
"observedLicenses": [{
"licenseName": "Non-Standard",
"licenseId": "UNKNOWN"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/jackson-mapper-asl-1.9.2.jar", "target\/custom-collector\/lib\/jackson-mapper-asl-1.9.2.jar", "target\/lib\/jackson-mapper-asl-1.9.2.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "org.codehaus.jackson",
"classifier": "",
"artifactId": "jackson-mapper-asl",
"version": "1.9.2"
}
},
"hash": "95400a7922ce75383866",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "CPL-1.0",
"licenseId": "CPL-1.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 2,
"licenseThreatGroupCategory": "moderate",
"licenseThreatGroupName": "Weak Copyleft"
}, {
"licenseThreatGroupLevel": 5,
"licenseThreatGroupCategory": "severe",
"licenseThreatGroupName": "Sonatype Special Licenses"
}],
"observedLicenses": [{
"licenseName": "No Source License",
"licenseId": "No-Source-License"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/junit-3.8.1.jar", "target\/custom-collector\/lib\/junit-3.8.1.jar", "target\/lib\/junit-3.8.1.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "junit",
"classifier": "",
"artifactId": "junit",
"version": "3.8.1"
}
},
"hash": "99129f16442844f6a4a1",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}],
"observedLicenses": [{
"licenseName": "Apache-2.0",
"licenseId": "Apache-2.0"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/commons-cli-1.3.jar", "target\/custom-collector\/lib\/commons-cli-1.3.jar", "target\/lib\/commons-cli-1.3.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "commons-cli",
"classifier": "",
"artifactId": "commons-cli",
"version": "1.3"
}
},
"hash": "a48653b6bcd06b5e61ed",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "CDDL-1.0",
"licenseId": "CDDL-1.0"
}, {
"licenseName": "GPL-2.0",
"licenseId": "GPL-2.0"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 2,
"licenseThreatGroupCategory": "moderate",
"licenseThreatGroupName": "Weak Copyleft"
}, {
"licenseThreatGroupLevel": 9,
"licenseThreatGroupCategory": "critical",
"licenseThreatGroupName": "Copyleft"
}, {
"licenseThreatGroupLevel": 5,
"licenseThreatGroupCategory": "severe",
"licenseThreatGroupName": "Sonatype Special Licenses"
}],
"observedLicenses": [{
"licenseName": "No Source License",
"licenseId": "No-Source-License"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/stax-api-1.0-2.jar", "target\/custom-collector\/lib\/stax-api-1.0-2.jar", "target\/lib\/stax-api-1.0-2.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "javax.xml.stream",
"classifier": "",
"artifactId": "stax-api",
"version": "1.0-2"
}
},
"hash": "d6337b0de8b25e53e81b",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "exact",
"licenseData": {
"overriddenLicenses": [],
"declaredLicenses": [{
"licenseName": "BSD-2-Clause",
"licenseId": "BSD-2-Clause"
}],
"effectiveLicenseThreats": [{
"licenseThreatGroupLevel": 0,
"licenseThreatGroupCategory": "no-threat",
"licenseThreatGroupName": "Liberal"
}, {
"licenseThreatGroupLevel": 6,
"licenseThreatGroupCategory": "severe",
"licenseThreatGroupName": "Non Standard"
}],
"observedLicenses": [{
"licenseName": "Non-Standard",
"licenseId": "UNKNOWN"
}],
"status": "Open"
},
"pathnames": ["target\/custom-collector.zip\/lib\/stax2-api-3.1.0.jar", "target\/custom-collector\/lib\/stax2-api-3.1.0.jar", "target\/lib\/stax2-api-3.1.0.jar"],
"componentIdentifier": {
"format": "maven",
"coordinates": {
"extension": "jar",
"groupId": "org.codehaus.woodstox",
"classifier": "",
"artifactId": "stax2-api",
"version": "3.1.0"
}
},
"hash": "e2bc096b64420aeeb7f2",
"securityData": {
"securityIssues": []
}
}, {
"proprietary": false,
"matchState": "unknown",
"licenseData": null,
"pathnames": ["target\/custom-collector.zip\/lib\/api-client-1.0.1.jar", "target\/custom-collector\/lib\/api-client-1.0.1.jar", "target\/lib\/api-client-1.0.1.jar"],
"componentIdentifier": null,
"hash": "cb53dc4f4c13e5aef05d",
"securityData": null
}, {
"proprietary": false,
"matchState": "unknown",
"licenseData": null,
"pathnames": ["target\/custom-collector.zip\/lib\/collector.jar", "target\/custom-collector\/lib\/collector.jar", "target\/lib\/collector.jar"],
"componentIdentifier": null,
"hash": "b870f887644cdc5252ea",
"securityData": null
}, {
"proprietary": false,
"matchState": "unknown",
"licenseData": null,
"pathnames": ["target\/custom-collector.zip\/lib\/compass-sdk-1.0.1.jar", "target\/custom-collector\/lib\/compass-sdk-1.0.1.jar", "target\/lib\/compass-sdk-1.0.1.jar"],
"componentIdentifier": null,
"hash": "7007a7f6976f2165f066",
"securityData": null
}, {
"proprietary": false,
"matchState": "unknown",
"licenseData": null,
"pathnames": ["target\/custom-collector.zip"],
"componentIdentifier": null,
"hash": "d4744dd9d39508c125fa",
"securityData": null
}],
"matchSummary": {
"totalComponentCount": 19,
"knownComponentCount": 15
},
"ScanPath": "Custom-collector"
}
AWS CFN policy
As an AWS customer, you could create custom templates that check a variety of requirements for on-premises deployments, and then leverage BMC Helix Cloud Security to verify that a specific template is indeed compliant with your organizational policies.
Some of the rules in the sample CFN policy in this section evaluate whether:
- The InstanceType is "t2.micro"
- The IP address assigned is via DHCP and not static
- The load balancer SSL certificate on the production stack is active, if SSL is enabled
Once you have established that the template passes all the rules specified in your policy, you can proceed with provisioning in AWS.
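---
# Sample custom policy for an AWS CloudFormation template. With
# `resourceSpec.expression: $` the whole template is the single resource;
# the dev/prod rules compare the VPCMap values and rules 26/27 walk the
# OptionSettings of the bmcCaasPortalDevEnvironment resource.
author: "BMC Software"
dateOfCreation: "Thu Feb 18 02:47:49 PST 2016"
name: AWS CFN CaaS Portal
resourceSpec:
  expression: $
  nameExpression: $.Description
  typeExpression: CFN Template
selectionHint: CFN_PORTAL
groups:
  -
    description: "CFN DEV Properties Group"
    id: 111
    name: "111 Verify CFN Dev Properties"
    # NOTE(review): in the sample feed the dev/prod objects live under
    # Mappings.VPCMap, while the rules address them as $resource.dev.* and
    # $resource.prod.*; confirm the engine resolves that path as intended.
    rules:
      -
        description: "11 Verify InstanceType is t2 micro Dev Stack"
        id: 11
        name: "11 Verify InstanceType is t2 micro Dev Stack"
        ruleExpression: |-
          ??InstanceType?? assign "$resource.dev.InstanceType" AND
          ??InstanceType?? equals "t2.micro"
      -
        description: "12 Verify XMS Dev Stack"
        id: 12
        name: "12 Verify XMS Dev Stack"
        ruleExpression: |-
          ??Xms?? assign "$resource.dev.Xms" AND
          ??Xms?? equals "256m"
      -
        description: "13 Verify ASGMinSize Dev Stack"
        id: 13
        name: "13 Verify ASGMinSize Dev Stack"
        ruleExpression: |-
          ??ASGMinSize?? assign "$resource.dev.ASGMinSize" AND
          ??ASGMinSize?? equals "1"
      -
        description: "14 Verify ASGMaxSize Dev Stack"
        id: 14
        name: "14 Verify ASGMaxSize Dev Stack"
        ruleExpression: |-
          ??ASGMaxSize?? assign "$resource.dev.ASGMaxSize" AND
          ??ASGMaxSize?? equals "1"
  -
    description: "221 CFN Prod Properties Group on Prod Stack"
    id: 221
    name: "221 Verify CFN Prod Properties on Prod Stack"
    rules:
      -
        # The expression (and the prod entry of the sample feed's VPCMap)
        # expects t2.medium, not t2.micro, for the production stack.
        description: "21 Verify InstanceType is t2 medium on Prod Stack"
        id: 21
        name: "21 Verify InstanceType is t2 medium on Prod Stack"
        ruleExpression: |-
          ??InstanceType?? assign "$resource.prod.InstanceType" AND
          ??InstanceType?? equals "t2.medium"
      -
        description: "22 Verify XMS on Prod Stack"
        id: 22
        name: "22 Verify XMS on Prod Stack"
        ruleExpression: |-
          ??Xms?? assign "$resource.prod.Xms" AND
          ??Xms?? equals "256m"
      -
        description: "23 Verify ASGMinSize on Prod Stack"
        id: 23
        name: "23 Verify ASGMinSize on Prod Stack"
        ruleExpression: |-
          ??ASGMinSize?? assign "$resource.prod.ASGMinSize" AND
          ??ASGMinSize?? equals "2"
      -
        description: "24 Verify ASGMaxSize on Prod Stack"
        id: 24
        name: "24 Verify ASGMaxSize on Prod Stack"
        ruleExpression: |-
          ??ASGMaxSize?? assign "$resource.prod.ASGMaxSize" AND
          ??ASGMaxSize?? equals "4"
      -
        description: "25 Verify VPCId on Prod Stack"
        id: 25
        name: "25 Verify VPCId on Prod Stack"
        # Only requires that a VPCId is present; it does not pin a value.
        ruleExpression: |-
          ??VPCId?? assign "$resource.prod.VPCId" AND
          ??VPCId?? != null
      -
        description: "26 Verify Loadbalancer https settings Prod Stack"
        id: 26
        name: "26 Verify Loadbalancer https settings Prod Stack"
        # Walks the environment's OptionSettings and requires the
        # LoadBalancerHTTPPort option to be "OFF", i.e. the load balancer
        # must not expose a cleartext HTTP listener.
        # NOTE(review): the rule is titled "Prod Stack" but reads the
        # bmcCaasPortalDevEnvironment resource; the sample feed is cut off
        # before that resource, so confirm the environment name.
        ruleExpression: |-
          ??OptionSettings_Array?? assign "$feed.Resources.bmcCaasPortalDevEnvironment.Properties.OptionSettings" AND
          foreach loop_var IN #OptionSettings_Array#
          ??OptionName?? assign "$loop_var.OptionName" AND
          if
          ??OptionName?? = "LoadBalancerHTTPPort"
          then
          ??OptionValue?? assign "$loop_var.Value"
          end
          end
          AND ??OptionValue?? = "OFF"
      -
        description: "27 Verify Loadbalancer SSL Certificate on Prod Stack if SSL is active"
        id: 27
        name: "27 Verify Loadbalancer SSL Certificate on Prod Stack if SSL is active"
        # Requires an HTTPS listener port to be configured and the
        # SSLCertificateId option to be a Ref to the serverCertificateARN
        # template parameter, rather than a hard-coded certificate ARN.
        # Same environment-name caveat as rule 26.
        ruleExpression: |-
          ??OptionSettings_Array?? assign "$feed.Resources.bmcCaasPortalDevEnvironment.Properties.OptionSettings" AND
          foreach loop_var IN #OptionSettings_Array#
          ??OptionName?? assign "$loop_var.OptionName" AND
          if
          ??OptionName?? = "LoadBalancerHTTPSPort"
          then
          ??OptionValue?? assign "$loop_var.Value"
          end AND
          if
          ??OptionName?? = "SSLCertificateId"
          then
          ??OptionValueSSL?? assign "$loop_var.Value.Ref"
          end
          end
          AND ??OptionValue?? != null
          AND ??OptionValueSSL?? = "serverCertificateARN"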
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "BMC CaaS Portal template",
"Mappings": {
"VPCMap" : {
"dev" : { "InstanceType": "t2.micro", "Xms" : "256m", "ASGMinSize" : "1", "ASGMaxSize" : "1" },
"prod" : { "InstanceType": "t2.medium", "Xms" : "256m", "ASGMinSize" : "2", "ASGMaxSize" : "4",
"RUpdatePauseTime" : "PT5M",
"VPCId" : "vpc-582f213c", "Subnets" : "subnet-500f8d08,subnet-fdd66cd7", "ELBSubnets" : "subnet-5e0f8d06,subnet-f3d66cd9" }
}
},
"Resources": {
"bmcCaasPortal": {
"Type": "AWS::ElasticBeanstalk::Application",
"Properties": {
"Description": "Fully parameterized Caas portal cfn. BMC CaaS Portal provides GUI to CaaS customers to configure compliance as service and take actions on results."
}
},
"bmcCaasPortalVersion": {
"Type": "AWS::ElasticBeanstalk::ApplicationVersion",
"Properties": {
"ApplicationName": {
"Ref": "bmcCaasPortal"
},
"SourceBundle": {
"S3Bucket": {
"Ref": "deploymentArtifactBucket"
},
"S3Key": {
"Ref": "warfile"
}
}
}
},
"bmcCaasPortalConfigurationTemplate": {
"Type": "AWS::ElasticBeanstalk::ConfigurationTemplate",
"Properties": {
"ApplicationName": {
"Ref": "bmcCaasPortal"
},
"SolutionStackName": {
"Ref": "stackName"
}
}
},
"bmcCaasPortalDevEnvironment": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Condition" : "isEnvironmentTypeNonProd",
"Properties": {
"ApplicationName": {
"Ref": "bmcCaasPortal"
},
"TemplateName": {
"Ref": "bmcCaasPortalConfigurationTemplate"
},
"VersionLabel": {
"Ref": "bmcCaasPortalVersion"
},
"OptionSettings": [
{
"Namespace" : "aws:elasticbeanstalk:container:tomcat:jvmoptions",
"OptionName" : "Xms",
"Value" : { "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "Xms" ] }
},
{
"Namespace" : "aws:autoscaling:asg",
"OptionName" : "MinSize",
"Value" : { "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "ASGMinSize" ] }
},
{
"Namespace" : "aws:autoscaling:asg",
"OptionName" : "MaxSize",
"Value" : { "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "ASGMaxSize" ] }
},
{
"Namespace" : "aws:elb:loadbalancer",
"OptionName" : "LoadBalancerHTTPPort",
"Value" : "OFF"
},
{
"Namespace" : "aws:elb:loadbalancer",
"OptionName" : "SSLCertificateId",
"Value" : {
"Ref": "serverCertificateARN"
}
},
{
"Namespace" : "aws:elb:loadbalancer",
"OptionName" : "LoadBalancerPortProtocol",
"Value" : "HTTP"
},
{
"Namespace" : "aws:elb:loadbalancer",
"OptionName" : "LoadBalancerHTTPSPort",
"Value" : "443"
},
{
"Namespace" : "aws:elb:loadbalancer",
"OptionName" : "LoadBalancerSSLPortProtocol",
"Value" : "HTTPS"
},
{
"Namespace" : "aws:elb:policies:AWSEB-ELB-StickinessPolicy",
"OptionName" : "Stickiness Policy",
"Value" : "true"
},
{
"Namespace": "aws:elasticbeanstalk:application:environment",
"OptionName": "aws.gateway.endpoint",
"Value": {
"Ref": "mgmtGatewayUrl"
}
},
{
"Namespace": "aws:elasticbeanstalk:application:environment",
"OptionName": "aws.gateway.ingest.endpoint",
"Value": {
"Ref": "ingestGatewayUrl"
}
},
{
"Namespace": "aws:elasticbeanstalk:application:environment",
"OptionName": "number.attribute.csv",
"Value": "25"
},
{
"Namespace" : "aws:autoscaling:launchconfiguration",
"OptionName" : "InstanceType",
"Value" : { "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "InstanceType" ] }
}
]
}
},
"bmcCaasPortalProdEnvironment": {
"Type": "AWS::ElasticBeanstalk::Environment",
"Condition" : "isEnvironmentTypeProd",
"Properties": {
"ApplicationName": {
"Ref": "bmcCaasPortal"
},
"TemplateName": {
"Ref": "bmcCaasPortalConfigurationTemplate"
},
"VersionLabel": {
"Ref": "bmcCaasPortalVersion"
},
"OptionSettings": [
{
"Namespace" : "aws:elasticbeanstalk:container:tomcat:jvmoptions",
"OptionName" : "Xms",
"Value" : { "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "Xms" ] }
},
{
"Namespace" : "aws:autoscaling:asg",
"OptionName" : "MinSize",
"Value" : { "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "ASGMinSize" ] }
},
{
"Namespace" : "aws:autoscaling:asg",
"OptionName" : "MaxSize",
"Value" : { "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "ASGMaxSize" ] }
},
{
"Namespace" : "aws:elb:loadbalancer",
"OptionName" : "LoadBalancerHTTPPort",
"Value" : "OFF"
},
{
"Namespace" : "aws:elb:loadbalancer",
"OptionName" : "SSLCertificateId",
"Value" : {
"Ref": "serverCertificateARN"
}
},
{
"Namespace" : "aws:elb:loadbalancer",
"OptionName" : "LoadBalancerPortProtocol",
"Value" : "HTTP"
},
{
"Namespace" : "aws:elb:loadbalancer",
"OptionName" : "LoadBalancerHTTPSPort",
"Value" : "443"
},
{
"Namespace" : "aws:elb:loadbalancer",
"OptionName" : "LoadBalancerSSLPortProtocol",
"Value" : "HTTPS"
},
{
"Namespace" : "aws:elb:policies:AWSEB-ELB-StickinessPolicy",
"OptionName" : "Stickiness Policy",
"Value" : "true"
},
{
"Namespace": "aws:elasticbeanstalk:application:environment",
"OptionName": "aws.gateway.endpoint",
"Value": {
"Ref": "mgmtGatewayUrl"
}
},
{
"Namespace": "aws:elasticbeanstalk:application:environment",
"OptionName": "aws.gateway.ingest.endpoint",
"Value": {
"Ref": "ingestGatewayUrl"
}
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "RollingUpdateEnabled",
"Value": "true"
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "RollingUpdateType",
"Value": "Time"
},
{
"Namespace": "aws:autoscaling:updatepolicy:rollingupdate",
"OptionName": "PauseTime",
"Value": { "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "RUpdatePauseTime" ] }
},
{
"Namespace" : "aws:autoscaling:launchconfiguration",
"OptionName" : "InstanceType",
"Value" : { "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "InstanceType" ] }
},
{
"Namespace" : "aws:ec2:vpc",
"OptionName" : "VPCId",
"Value" : {
"Fn::If" : [
"isVPCSupplied",
{ "Ref" : "vpcId" },
{ "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "VPCId" ] }
]
}
},
{
"Namespace" : "aws:ec2:vpc",
"OptionName" : "Subnets",
"Value" : {
"Fn::If" : [
"isVPCSupplied",
{ "Ref" : "vpcSubnetId" },
{ "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "Subnets" ] }
]
}
},
{
"Namespace" : "aws:ec2:vpc",
"OptionName" : "ELBSubnets",
"Value" : {
"Fn::If" : [
"isVPCSupplied",
{ "Ref" : "vpcELBSubnetId" },
{ "Fn::FindInMap" : [ "VPCMap", { "Ref" : "environmentType" }, "ELBSubnets" ] }
]
}
}
]
}
}
},
"Conditions" : {
"isEnvironmentTypeProd" : { "Fn::Equals" : [ { "Ref" : "environmentType" }, "prod" ] },
"isEnvironmentTypeNonProd" : { "Fn::Not" : [ { "Fn::Equals" : [ { "Ref" : "environmentType" }, "prod" ] } ] },
"isVPCSupplied" : { "Fn::Not" : [ { "Fn::Equals" : [ { "Ref" : "vpcId" }, "" ] } ] }
},
"Parameters": {
"environmentType": {
"Description": "Environment Type.",
"Type": "String",
"Default" : "dev",
"AllowedValues" : [ "dev", "prod" ],
"ConstraintDescription" : "Must specify 'dev' or 'prod'"
},
"serverCertificateARN" : {
"Description": "HTTPS certificate of server.",
"Type": "String"
},
"mgmtGatewayUrl": {
"Description": "Mgmt Gateway Url",
"Type": "String"
},
"ingestGatewayUrl": {
"Description": "Ingest Gateway Url",
"Type": "String"
},
"deploymentArtifactBucket": {
"Description": "deploymentArtifactBucket",
"Type": "String"
},
"warfile": {
"Description": "War file",
"Type": "String"
},
"stackName": {
"Description": "Stack Name",
"Type": "String"
},
"vpcId": {
"Description": "VPC to host the EBS environment.",
"Type": "String"
},
"vpcSubnetId": {
"Description": "ID of internal subnet of specified VPC. Mandatory if vpcId is specified.",
"Type": "String"
},
"vpcELBSubnetId": {
"Description": "ID of subnet to be used for load balancing in specified VPC. Mandatory if vpcId is specified. It can be same as vpcSubnetId.",
"Type": "String"
}
},
"Outputs": {
"DEVURL": {
"Condition" : "isEnvironmentTypeNonProd",
"Description": "URL of the BMC Caas Portal Non-Production",
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::GetAtt": [
"bmcCaasPortalDevEnvironment",
"EndpointURL"
]
}
]
]
}
},
"URL": {
"Condition" : "isEnvironmentTypeProd",
"Description": "URL of the BMC Caas Portal Production",
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Fn::GetAtt": [
"bmcCaasPortalProdEnvironment",
"EndpointURL"
]
}
]
]
}
}
}
}
BMC Cloud Lifecycle Management blueprint policies
As a BMC Cloud Lifecycle Management customer, you can create custom blueprint policies that check a variety of requirements for on-premises deployments, and then use BMC Helix Cloud Security to verify that a specific blueprint complies with your organizational policies.
The rules in the blueprint policy sample in this section evaluate whether:
- The network tag is "Gold"
- The NICs have a "Management" or "Customer" tag
- All compute containers have a minimum of 2048 MB memory and 2 CPUs but no more than 4 CPUs
- The OS (installable resource) is Windows
- Windows Apache is installed with VM deployment
- The network path is set to deny traffic on the SSH port
- The compliance job runs on the VM after provisioning
Once you have established that the blueprint passes all the rules specified in your policy, you can proceed with provisioning in BMC Cloud Lifecycle Management.
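---
# CLM blueprint policy. Each blueprint configuration found by resourceSpec
# becomes one resource, which is evaluated against every rule below.
name: "CLM Blueprint Policy"
author: "BMC Software"
dateOfCreation: "Thu Feb 18 02:47:49 PST 2016"
selectionHint: "CLMBlueprint"
resourceSpec:
  # One resource per entry in document.configurations; its display name is
  # the configuration's own "name" field.
  expression: "$.entries[*].document.configurations[*]"
  nameExpression: "$.name"
  typeExpression: "Blueprint"
groups:
  - description: "CLM blueprint configuration rules"
    id: 1
    name: "CLM blueprint configuration rules"
    rules:
      - # The literal must match the feed value exactly ("Gold", taggroup
        # MonitoringLevel); presumably a case-sensitive comparison.
        description: "Check whether network tag is gold or not"
        id: 1
        name: "Check whether network tag is gold or not"
        refNumber: null
        ruleExpression: |-
          ??resource_tag?? assign "$resource.tags[*].tag" AND
          ??resource_tag?? contains "Gold"
      - # NOTE(review): "contains" runs over the flattened list of all NIC
        # tags, so the rule passes as soon as one NIC carries either tag; it
        # does not by itself prove that every NIC is tagged. Confirm the
        # engine's semantics of contains on a [*] projection before relying
        # on the "all NICs" wording.
        description: "Check whether all NICS are tagged with Management or Customer tag"
        id: 2
        name: "Check whether all NICS are tagged with Management or Customer tag"
        refNumber: null
        ruleExpression: |-
          ??nic_tag?? assign "$resource.deploymentModel.resourceset[*].network.nics[*].tags[*].tag" AND
          ??nic_tag?? contains "Management" OR
          ??nic_tag?? contains "Customer"
      - # Per-container sizing: memory >= 2048 MB and 2..4 CPUs. The foreach
        # body is expected to hold for every element (as the description
        # requires — confirm against the engine).
        description: "Check whether all compute containers have a minimum of 2048 MB memory and 2 CPUS but no more than 4 CPUs"
        id: 3
        name: "Check whether all compute containers have a minimum of 2048 MB memory and 2 CPUS but no more than 4 CPUs"
        refNumber: null
        ruleExpression: |-
          ??memory_mb?? assign "$resource.deploymentModel.resourceset[*].compute.computecontainer.memory[*].mb"
          AND
          ??cpu_count?? assign "$resource.deploymentModel.resourceset[*].compute.computecontainer.cpus[*].count"
          AND
          foreach loop_mb IN #memory_mb#
          ??loop_mb?? >= 2048
          end
          AND
          foreach loop_cpu IN #cpu_count#
          ??loop_cpu?? >= 2 AND ??loop_cpu?? <= 4
          end
      - # "Windows" is identified indirectly: the installable resource must be
        # product catalog id PDC000000012427 (catalog entry VMW-W2k8-64B-20GB)
        # on the vmware platform. A different Windows template id would fail.
        description: "Check whether installableresource is windows or not"
        id: 4
        name: "Check for windows OS"
        refNumber: null
        ruleExpression: |-
          ??providerName?? assign "$resource.deploymentModel.resourceset[*].compute.computecontainer.cloudPlatforms[*].name" AND
          ??template?? assign "$resource.deploymentModel.resourceset[*].compute.computecontainer.cloudPlatforms[*].installableresources[*]" AND
          ??providerName?? contains "vmware" AND
          ??template?? contains "PDC000000012427"
      - # Both the catalog id and the software name must match (the id alone
        # identifies the product; the name check guards against a relabelled entry).
        description: "Check whether windows apache is installed or not with VM deployment"
        id: 5
        name: "Check windows apache"
        refNumber: null
        ruleExpression: |-
          ??softwareId?? assign "$resource.functionalModel.functionalcomponent[*].software[*].productcatalogid" AND
          ??softwareName?? assign "$resource.functionalModel.functionalcomponent[*].software[*].name" AND
          ??softwareId?? contains "PDC000000012131" AND
          ??softwareName?? contains "Windows_Apache"
      - # Every network path targeting port 22 must be a deny (permit false).
        # The feed carries the port as a string ("22"), and the if-test already
        # compares the string form, so the else branch now uses the same
        # literal instead of the integer 22.
        # NOTE(review): only paths that exist are inspected — a blueprint with
        # no path for port 22 at all passes — and the path's "enabled" flag is
        # not checked, so a deny path that is disabled still satisfies the rule.
        # If the DSL accepts it in the then-branch, consider also asserting
        # ??enabled?? equals true.
        description: "Verify that network path is set to deny traffic to ssh protocol"
        id: 6
        name: "Check Network Path"
        refNumber: null
        ruleExpression: |-
          ??paths?? assign "$resource.deploymentModel.networkpaths" AND
          foreach loop_path IN #paths#
          ??port?? assign "$loop_path.targetendpoint.port" AND
          ??permit?? assign "$loop_path.permit" AND
          if
          ??port?? equals "22"
          then
          ??permit?? equals false
          else
          ??port?? does not equal "22"
          end
          end
      - # A secOpsComponent of type "compliance" must be attached to the
        # resource set (the sample feed attaches the CIS_Daily job).
        description: "Verify that compliance job runs on VM after provisioning"
        id: 7
        name: "Check compliance job"
        refNumber: null
        ruleExpression: |-
          ??complianceType?? assign "$resource.deploymentModel.resourceset[*].secOpsComponent[*].type" AND
          ??complianceType?? contains "compliance"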
{
"cloudClass": "com.bmc.cloud.blueprint.spec.DocumentBundle",
"entries": [
{
"name": "Automation_Windows",
"blueprintDescription": "IMPORTED_BP",
"blueprintGuid": "9dbf5b6a-c6dd-4b7e-bb9e-e5e4a062b7bd",
"blueprintDocumentGuid": "f6f316b9-f532-4ec3-b962-169d7c57cdde",
"document": {
"category": "ServiceBlueprint",
"purpose": "ServiceOfferingModel",
"author": "clmadmin",
"schemaVersion": "4.6",
"configurations": [
{
"functionalModel": {
"functionalcomponent": [
{
"software": [
{
"installableResourceType": "Product Catalog",
"productcatalogid": "PDC000000012131",
"sequence": 1,
"standard": true,
"guid": "b02ebee4-1bc8-4515-9cb8-8731e885d052",
"name": "Windows_Apache"
}
],
"guid": "29348db4-d3a7-4aa0-b626-a326c4ef3a5e",
"name": "Windows OS"
}
],
"guid": "b3b63da8-83ad-47a0-a91b-4d23c087b1a0"
},
"deploymentModel": {
"resourceset": [
{
"functionalComponentReferences": [
{
"type": "functionalcomponent",
"objectGuid": "29348db4-d3a7-4aa0-b626-a326c4ef3a5e",
"guid": "85bf095c-2da5-4ea1-ab22-094923b070fe"
}
],
"secOpsComponent": [
{
"type": "compliance",
"componentDetails": [
{
"name": "CIS_Daily",
"guid": "5dd292c7-716c-4811-b456-3591d38ded1a"
}
],
"guid": "158a3e09-6c38-4348-a4a8-c356cf2708a9"
}
],
"compute": {
"instances": 1,
"computecontainer": {
"cloudPlatforms": [
{
"name": "vmware",
"installableresources": [
"PDC000000012427"
],
"guid": "1a69b9fe-88dd-401b-9893-8fa94f9efbc8"
}
],
"memory": [
{
"mb": 2048,
"policy": "No Less Than",
"guid": "19879e08-6fcd-4add-a71a-590ef046b557"
}
],
"cpus": [
{
"count": 2,
"policy": "No Less Than",
"guid": "615f7847-41de-4a89-8508-d53f58fa2665"
}
],
"hwarchitecture": "X86",
"virtual": true,
"installsoftware": true,
"guid": "0bfcb64a-5cb8-4f25-966b-e6713ca5a61a",
"name": "vmware"
},
"guid": "7c504438-7a23-442c-ab75-39abf4b41033"
},
"network": {
"nics": [
{
"isdhcp": true,
"nicnumber": 0,
"publicip": false,
"useExternalDNS": false,
"ipForDNS": "PrivateIP",
"guid": "4b745691-f77f-4542-a3ff-c899e37520e0",
"tags": [
{
"tag": "Management",
"taggroup": "NetworkType"
}
]
},
{
"isdhcp": true,
"nicnumber": 1,
"publicip": false,
"useExternalDNS": false,
"ipForDNS": "PrivateIP",
"guid": "79ca3df5-30b8-4e8e-9552-9d738ac86206",
"tags": [
{
"tag": "Customer",
"taggroup": "NetworkType"
}
]
}
],
"guid": "2161c259-b0c4-4e43-ad5f-bd58e0ee2c28"
},
"guid": "ce8ba073-d068-45c6-8e2e-618d1d7027af",
"name": "Single Resource"
}
],
"functionalModelReference": {
"type": "functionalmodel",
"objectGuid": "b3b63da8-83ad-47a0-a91b-4d23c087b1a0",
"guid": "41893689-aee9-4b57-b15e-fa923c19249e"
},
"installorder": {
"installstep": [
{
"sequence": 1,
"objectReferences": [
{
"type": "resourceset",
"objectGuid": "ce8ba073-d068-45c6-8e2e-618d1d7027af",
"guid": "9ed7ef25-9777-4440-9d77-5eddb56acc95"
}
],
"guid": "26c41304-4ea3-428f-ac6b-1f75c1de5988"
},
{
"sequence": 2,
"objectReferences": [
{
"type": "functionalcomponent",
"objectGuid": "29348db4-d3a7-4aa0-b626-a326c4ef3a5e",
"guid": "71872c6f-d734-4e53-8082-d67b9f335720"
}
],
"guid": "c88a0e06-ee2f-4af3-99d3-65cbe03a74b4"
}
],
"guid": "aa51e14e-cda7-4b60-9c5d-4fbb73d2e0aa"
},
"networkpaths": [
{
"enabled": true,
"permit": false,
"transportprotocol": 6,
"sourceendpoint": {
"nicnumber": 1,
"resourceSetReference": {
"type": "resourceset",
"objectGuid": "ce8ba073-d068-45c6-8e2e-618d1d7027af",
"guid": "f38405fb-6420-47c8-982f-1f437e905e6c"
},
"guid": "5790662e-4de0-4c99-822d-b7ef5595512d"
},
"targetendpoint": {
"port": "22",
"ipaddress": "192.168.10.10",
"guid": "54446b2b-5d34-497e-97ac-7fa6adf7e20f"
},
"isHidden": false,
"isNetworkPathLocked": true,
"isLogged": false,
"guid": "f0d2484a-4670-4068-894d-f4f37f40e424",
"name": "NP0"
}
],
"monitoring": {
"enable": true,
"enablePolicies": true,
"guid": "07239450-a424-4c5b-95b6-4ca42eee8e36"
},
"guid": "c9cf2310-41df-4677-bf41-a0c70ccbdba4"
},
"guid": "1b68c1c5-866e-465f-9418-60f6e1f34a0e",
"name": "Auto Single Tier VMWare",
"tags": [
{
"tag": "Gold",
"taggroup": "MonitoringLevel"
}
]
}
],
"guid": "1f367dbf-ae1f-4250-9968-cf54cd470529"
},
"guid": "0f21b838-9f24-40c5-9e4f-66e4b179936c"
}
],
"productCatalogEntries": [
{
"productId": "PDC000000012427",
"productName": "VMW-W2k8-64B-20GB",
"manufacturer": "vmware",
"tier1": "Software Distribution",
"tier2": "VM Template",
"tier3": "BladeLogic",
"guid": "92b21859-5108-43c8-8b03-1781df6c8387"
},
{
"productId": "PDC000000012131",
"productName": "Windows_Apache",
"manufacturer": "WIN",
"tier1": "Software Distribution",
"tier2": "Application",
"tier3": "BladeLogic",
"guid": "aa39f2d0-e000-4412-95bf-ea6f63ae640b"
}
],
"guid": "6caf043e-af02-480c-b6a6-225d2af40635"
}