Skip to main content

Policy Authoring Guide | Limit Target Assets with Filters

Filters can specify what target assets a policy, group, check, or query can run against. A filter is simply a condition, written in MQL, that must be met. Any fields you can query about any resources can be the basis for a filter.

The most common basis for filters is platform information. For example, you can add a filter that tells cnspec to run a policy only on AWS EKS clusters. Or you can add a filter that tells cnspec to run a check only on certain versions of an operating system.

info

Filters are an essential part of creating variants. To learn about variants, read Make Policies Flexible with Variants.

Apply a filter to a check or query

Add filters information to a check or query to apply a filter to it.

This is an example of a check with a filter:

- uid: ssh-root-login-is-disabled
  title: Ensure SSH root login is disabled
  filters: package('openssh-server').installed
  impact: 90
  mql: sshd.config.params["PermitRootLogin"] == "no"

The filter in the ssh-root-login-is-disabled check tells cnspec to run the check only on assets that have the SSH Server package installed. When scanning an asset without SSH Server, cnspec skips this check.

Apply a filter to a chapter or group

Add filters information to a group to apply a filter to it.

This is an example of a chapter type of group with two filters:

groups:
  - title: AWS Compute Services
    type: chapter
    filters: |
      asset.name == "aws"
      asset.kind == "api"
    checks:

    ...

Unless the asset is an AWS compute service, cnspec skips all the checks and queries in this group when scanning the asset.

More examples of filters

This filter limits scans to only GCP projects:

asset.platform == "gcp-project"

This filter limits scans to only kubelets:

asset.family.contains('linux')
processes.where( executable == /kubelet/ ).list != []

To learn how to write your own filters, read Write Effective MQL and the MQL Reference.

Next steps

  • To learn an efficient way to define the ideal values that policies check against, read Define Properties.

  • You can find many examples of policy bundles in Mondoo's cnspec-policies GitHub repo.

  • To learn how to set up, validate, and store policy bundles, read Manage Policies.