Policy definition
Versio.io policies make it possible to check compliance with customer-specific or regulatory guidelines. Verification is carried out automatically each time an instance of the dataset changes.
Example: An SSH daemon configuration must not allow the direct login of an administrator on a Linux host if the hostname does not start with pve. The corresponding policy configuration is shown in the following figure.
Figure: Policy configuration
The following attributes must be defined for a policy:
Attribute | Description |
---|---|
Name | Name of the policy. Please use self-explanatory names, because violations detected under the policy inherit its name. |
Active | The execution of a rule can be activated and deactivated. |
Description | Description of the policy. Please use self-explanatory descriptions. These are also adopted in potential violations. Here it is important that another user can recognise the reason for the violation and, if possible, problem-solving approaches in a timely manner. |
Violation classification | A violation receives the classification of the guideline. The classification is a free text field and can be used on a customer-specific basis (e.g. Security , Maintenance , Hardening , etc.). The classification can be used as a filter grouping in the risk matrix and in alerting. |
Violation severity | The defined severity of the policy is transferred to the potential violations of the policy. The following values are available: Info , Low , Medium , High and Critical . The severity is used to assess violations and categorise them in the risk matrix. It can also be used as a filter criterion in alerting. |
Event creation | If the rule is violated, you can configure whether a violation is created at the start and/or end of the rule violation. |
Rule | A rule can be executed in the form of a logic (AND and OR linked conditions) or as JavaScript. If the rule evaluates to true, the policy is violated and a violation is generated. |
Rule
The policy rule can be used to verify whether corresponding guidelines are being adhered to. A positive result (True) of the rule execution leads to the creation of a corresponding violation!
Logic
The rule based on a logic consists of conditions that are linked by AND and OR. These can be as complex as you like.
Figure: Policy rule logic
Condition
The conditions are an elementary part of a logic and can be defined on a customer-specific basis.
Figure: Policy condition
Attribute path
The attribute path can be used to determine values, arrays or objects from an Asset & Configuration Item instance in order to verify them in the condition. The instance is available in Versio.io in JSON format. You can use JSONPath to determine the attribute value (see link tip).
If you are not so familiar with JSONPath, you can also use the Versio.io attribute picker. This allows you to visually select an attribute in a JSON structure and obtain the corresponding JSONPath.
Figure: JSONPath attribute picker
Link tip
- General JSONPath description & examples: https://goessner.net/articles/JsonPath
- JSONPath engine used internally by Versio.io: https://www.npmjs.com/package/jsonpath-plus
- JSONPath online editor: https://jsonpath.com
Operator
Operators compare the value of the attribute path with the verification value according to a specific characteristic. The following operators are available for the following data types:
Operator | Attribute value data type | Verification value data type | Comparison only with the same data types |
---|---|---|---|
= | String, Number, Boolean | String, Number, Boolean | Yes |
!= | String, Number, Boolean | String, Number, Boolean | Yes |
< | Number, String | Number, String | Yes |
<= | Number, String | Number, String | Yes |
> | Number, String | Number, String | Yes |
>= | Number, String | Number, String | Yes |
starts with | String | String | Yes |
not starts with | String | String | Yes |
ends with | String | String | Yes |
not ends with | String | String | Yes |
contains | String | String | Yes |
not contains | String | String | Yes |
match regexp | String | String | Yes |
not match regexp | String | String | Yes |
includes | Array | String, Number, Boolean | No |
not includes | Array | String, Number, Boolean | No |
in | String, Number, Boolean | Array | No |
not in | String, Number, Boolean | Array | No |
is defined | String, Number, Boolean, Array, Object, Undefined | | No |
is not defined | String, Number, Boolean, Array, Object, Undefined | | No |
Verification values
Verification values are used for comparison with the value in the attribute path. The following options are available for defining the verification value:
- Fixed values of the data types String, Number and Boolean.
- Function now(): the current time in Unix time format in milliseconds. Time calculation with integer values is supported, e.g. now() + 7d; the operators + and - are supported. The following time units are available: s (second), h (hour), d (day), w (week).
- Values based on a JSONPath (like the attribute path). This makes it possible, for example, to compare two attributes of an instance.
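The following is an added example, not code from the Versio.io product or its documentation. It shows how a logic rule built from the pieces above (attribute path, operator, verification value, AND/OR groups) can be evaluated against an instance in JSON: a minimal JSONPath subset resolver, the operators from the table, the now() time calculation, and a JSONPath reference as verification value. The rule layout, the instance attributes (hostname, sshd.PermitRootLogin, lastPatchedAt, tags, role) and the sample instances are constructed assumptions; Versio.io's real engine uses the jsonpath-plus library linked above.

```javascript
// Added example (not Versio.io's own code): a minimal evaluator for the
// logic-based rules described above. It resolves a small subset of JSONPath
// (dot/bracket paths such as "$.sshd.PermitRootLogin" or "$.tags[0]"), applies
// the operators from the table, and parses verification values (fixed values,
// "now() +/- <n><unit>", or a JSONPath reference to another attribute).
// The rules, instances and attribute names below are constructed assumptions.

const UNIT_MS = { s: 1000, h: 3600000, d: 86400000, w: 604800000 };

// Resolve "$.a.b[0].c" against an object; undefined when any step is missing.
function resolvePath(path, obj) {
  const steps = path.replace(/^\$\.?/, '').match(/[^.[\]]+/g) || [];
  return steps.reduce((cur, step) => (cur == null ? undefined : cur[step]), obj);
}

// Turn a verification value into the value to compare with.
function verificationValue(spec, instance, nowMs = Date.now()) {
  if (typeof spec !== 'string') return spec;                 // fixed Number/Boolean/Array
  const t = spec.match(/^now\(\)\s*(?:([+-])\s*(\d+)([shdw]))?$/);
  if (t) {
    const [, sign, n, unit] = t;
    return sign ? nowMs + (sign === '-' ? -1 : 1) * Number(n) * UNIT_MS[unit] : nowMs;
  }
  if (spec.startsWith('$')) return resolvePath(spec, instance); // compare two attributes
  return spec;                                               // fixed String
}

// Operators from the table. Where the table requires equal data types, a
// mismatch makes the condition false rather than throwing.
const same = (fn) => (a, b) => typeof a === typeof b && fn(a, b);
const str = (fn) => (a, b) => typeof a === 'string' && typeof b === 'string' && fn(a, b);
const OPERATORS = {
  '=': same((a, b) => a === b),
  '!=': same((a, b) => a !== b),
  '<': same((a, b) => a < b),
  '<=': same((a, b) => a <= b),
  '>': same((a, b) => a > b),
  '>=': same((a, b) => a >= b),
  'starts with': str((a, b) => a.startsWith(b)),
  'not starts with': str((a, b) => !a.startsWith(b)),
  'ends with': str((a, b) => a.endsWith(b)),
  'not ends with': str((a, b) => !a.endsWith(b)),
  'contains': str((a, b) => a.includes(b)),
  'not contains': str((a, b) => !a.includes(b)),
  'match regexp': str((a, b) => new RegExp(b).test(a)),
  'not match regexp': str((a, b) => !new RegExp(b).test(a)),
  'includes': (a, b) => Array.isArray(a) && a.includes(b),
  'not includes': (a, b) => Array.isArray(a) && !a.includes(b),
  'in': (a, b) => Array.isArray(b) && b.includes(a),
  'not in': (a, b) => Array.isArray(b) && !b.includes(a),
  'is defined': (a) => a !== undefined,
  'is not defined': (a) => a === undefined,
};

// A logic node is a condition {path, operator, value} or a group {and: [...]} /
// {or: [...]}; groups nest arbitrarily. True means the policy is violated.
function evaluate(node, instance, nowMs = Date.now()) {
  if (node.and) return node.and.every((n) => evaluate(n, instance, nowMs));
  if (node.or) return node.or.some((n) => evaluate(n, instance, nowMs));
  const actual = resolvePath(node.path, instance);
  const expected = verificationValue(node.value, instance, nowMs);
  return OPERATORS[node.operator](actual, expected);
}

// The SSH policy from the introduction as a logic: violated when the host name
// does not start with "pve" AND sshd permits direct root login.
const sshRule = {
  and: [
    { path: '$.hostname', operator: 'not starts with', value: 'pve' },
    { path: '$.sshd.PermitRootLogin', operator: '=', value: 'yes' },
  ],
};

// A second logic using the time calculation and a JSONPath verification value:
// violated when the last patch is older than 7 days OR the host lacks the tag
// matching its declared role.
const patchRule = {
  or: [
    { path: '$.lastPatchedAt', operator: '<', value: 'now() - 7d' },
    { path: '$.tags', operator: 'not includes', value: '$.role' },
  ],
};

// Constructed sample instances (Unix time in milliseconds, as now() returns).
const NOW = 1700000000000;
const instances = {
  web01: { hostname: 'web01', sshd: { PermitRootLogin: 'yes' }, lastPatchedAt: NOW - 10 * UNIT_MS.d, tags: ['web'], role: 'web' },
  web02: { hostname: 'web02', sshd: { PermitRootLogin: 'no' }, lastPatchedAt: NOW - 2 * UNIT_MS.d, tags: ['web'], role: 'web' },
  pve01: { hostname: 'pve01', sshd: { PermitRootLogin: 'yes' }, lastPatchedAt: NOW - 2 * UNIT_MS.d, tags: ['db'], role: 'web' },
};

// Names of the sample instances that violate a rule.
function violatedBy(rule) {
  return Object.keys(instances).filter((name) => evaluate(rule, instances[name], NOW));
}

console.log('sshRule violations:', violatedBy(sshRule));     // [ 'web01' ]
console.log('patchRule violations:', violatedBy(patchRule)); // [ 'web01', 'pve01' ]
```

Note the design choice for the "Comparison only with the same data types" column: a condition whose attribute value has a different type from the verification value (for example an undefined lastPatchedAt compared with a number) evaluates to false, so a missing attribute never produces a violation by accident; if the policy should fire on missing data, add an explicit is not defined condition with OR.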
JavaScript
A rule based on JavaScript enables the use of all constructs of a programming language. For some rules, mapping via JavaScript is easier to implement than in a logic. The initial example in the figure below is self-explanatory.
Figure: Policy rule JavaScript
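As an added example (not code from the Versio.io documentation), the SSH policy from the introduction written as a JavaScript rule. It illustrates why JavaScript is sometimes easier than a logic: here the instance is assumed to carry the raw sshd_config text rather than a pre-parsed option, so the rule has to parse it. The rule signature (a function receiving the instance JSON and returning true when the policy is violated) and the attribute names hostname and sshd.configText are assumptions.

```javascript
// Added example, not code from the Versio.io documentation. Assumptions: the
// rule is a function that receives the instance JSON and returns true when the
// policy is violated; the instance carries the host name in "hostname" and the
// raw text of sshd_config in "sshd.configText".

// Return the effective global value of an sshd_config keyword. sshd uses the
// first value it encounters for a keyword, so the first match wins; directives
// after the first "Match" line are conditional and are not evaluated here.
function sshdOption(configText, keyword) {
  for (const raw of String(configText ?? '').split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;      // blank or comment
    const [key, ...rest] = line.split(/[\s=]+/);             // "Key value" or "Key=value"
    if (key.toLowerCase() === 'match') break;
    if (key.toLowerCase() === keyword.toLowerCase()) return rest.join(' ');
  }
  return undefined;
}

// The policy rule: hosts named pve* are exempt; every other host violates the
// policy when its sshd_config explicitly sets PermitRootLogin to yes.
function rule(instance) {
  const hostname = String(instance.hostname ?? '');
  if (hostname.startsWith('pve')) return false;
  const value = sshdOption(instance.sshd?.configText, 'PermitRootLogin');
  return (value ?? '').toLowerCase() === 'yes';
}

// Constructed sample instances for trying the rule offline.
const sampleInstances = {
  web01: { hostname: 'web01', sshd: { configText: '# managed\nPort 22\nPermitRootLogin yes\n' } },
  db01:  { hostname: 'db01',  sshd: { configText: 'PermitRootLogin no\nPermitRootLogin yes\n' } },
  pve01: { hostname: 'pve01', sshd: { configText: 'PermitRootLogin yes\n' } },
  app01: { hostname: 'app01', sshd: { configText: 'Port 22\nMatch Address 10.0.0.0/8\n  PermitRootLogin yes\n' } },
};

// Names of the sample instances that violate the rule.
function violatingHosts() {
  return Object.keys(sampleInstances).filter((name) => rule(sampleInstances[name]));
}

console.log('violations:', violatingHosts()); // [ 'web01' ]
```

Two caveats are visible in the samples: db01 is not a violation because sshd keeps the first PermitRootLogin it reads, and app01 is not a violation because the permissive value sits inside a Match block, which this rule deliberately does not evaluate. A rule that must catch conditional permissions would have to model Match blocks as well.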