Policy Authoring Guide | Break up a Policy into Groups / Chapters
A group is a collection of related checks and queries in a policy. Groups are a way of breaking up a policy into more manageable sections.
A common way to use groups is to match the chapters in a written benchmark, policy, or other compliance document. For each chapter in the document, you can create a group in the policy.
Here's another simple example of a policy bundle containing one policy:
policies:
- uid: example-with-chapters
name: Simple example with chapters
version: "1.0.0"
scoring_system: highest impact
authors:
- name: Lunalectric
email: security@lunalectric.com
groups:
- title: SSH
checks:
- uid: sshd-01
title: Ensure the port is set to 22
mql: sshd.config.params["Port"] == 22
impact: 30
- uid: sshd-02
title: Prevent weaker CBC ciphers from being used
mql: sshd.config.ciphers.none( /cbc/ )
impact: 60
queries:
- uid: sshd-d-1
title: Gather SSH config params
mql: sshd.config.params
- title: Packages
checks:
- uid: pkg-01
title: Ensure AIDE is installed
mql: package("aide").installed
impact: 70
- uid: pkg-02
title: Ensure prelink is disabled
mql: package("prelink").installed == false
impact: 70
The policy contains two groups:
-
The
SSHgroup begins on line 10. It has two checks and one query, all concerning SSH parameters. -
The
Packagesgroup begins on line 26. It has two checks, both of which concern installed packages.
A policy can have as many groups as you need.
To check for errors in the policy bundles you write, run cnspec bundle lint BUNDLE-NAME.mql.yaml. For BUNDLE-NAME, substitute the name of your file.
Next steps
-
To learn about controlling the types of assets a policy applies to, read Limit Target Assets with Filters.
-
If you're ready to create your own policy: To learn how to set up, validate, and store policy bundles, read Manage Policies.