Policy Authoring Guide | Reuse Queries and Checks

Now that you've explored the very basic elements of a policy and a policy bundle and defined policy scoring, you can learn how to include multiple policies in a bundle and reuse queries and checks among them.

Here's another simple example of a policy bundle:

policies:
  - uid: luna1
    name: Lunalectric policy 1
    version: "1.0.0"
    scoring_system: highest impact
    authors:
      - name: Lunalectric
        email: security@lunalectric.com
    docs:
      desc: |-
        Descriptive documentation about this policy
    groups:
      - title: test
        checks:
          - uid: sshd-01
            title: Ensure the port is set to 22
            mql: sshd.config.params["Port"] == 22
            impact: 30

          - uid: sshd-02
            title: Prevent weaker CBC ciphers from being used
            mql: sshd.config.ciphers.none( /cbc/ )
            impact: 60

          - uid: shared1

        queries:
          - uid: sshd-d-1
            title: Gather SSH config params
            mql: sshd.config.params

  - uid: luna2
    name: Luna policy 2
    version: "1.0.0"
    scoring_system: highest impact
    authors:
      - name: Lunalectric
        email: security@lunalectric.com
    groups:
      - title: test2
        checks:
          - uid: sshd-03
            title: Ensure SSH protocol is set to 2
            mql: sshd.config.params["Protocol"] == 2
            impact: 50

          - uid: shared1

queries:
  - uid: shared1
    title: Enable strict mode
    mql: sshd.config.params["StrictModes"] == "yes"
    impact: 70

Multiple policies in a bundle

Policy bundles can contain any number of policies. You write them in the policies section of the bundle. The example above has two policies: Luna policy 1 (lines 2-25) and Luna policy 2 (lines 27-42). To learn the basic elements of a policy, read Write Custom Policies.

Reusing queries and checks

Notice that the example policy bundle above has a main section at the end named queries. It's at the same level in the hierarchy as the policies section. This is the shared queries and checks section, intended for items you'll use more than once. Here you can put queries and checks that you want to include in multiple policies. Instead of writing the same query or check twice or ten times in many policies, you can write it once, store it in this shared queries section, and simply reference it in any policy you want to include it in.

In the example policy bundle above, there's one shared item in the shared queries section: Enable strict mode. Line 45 defines the shared item's UID as shared1. Both policies reference it (include it in their checks) using its that shared1 UID (on lines 21 and 42).

info

The shared queries main section of a policy bundle can contain both queries that only collect information and checks (queries that make assertions and produce scores when the scan runs).

tip

To check for errors in the policy bundles you write, run cnspec bundle lint BUNDLE-NAME.mql.yaml. For BUNDLE-NAME, substitute the name of your file.

Next steps

• To learn how to organize a policy into sections, read Break up a Policy into Groups.

• If you're ready to create your own policy: To learn how to set up, validate, and store policy bundles, read Manage Policies.

---