
Manage Policies in the Registry

Mondoo Platform comes stocked with a constantly growing collection of policies, which are codified benchmarks used to assess your infrastructure. Policies control what vulnerabilities and misconfigurations Mondoo checks for when it evaluates your digital business assets. Mondoo's built-in policies are production ready, simple to deploy and customize in any environment, and actionable.

Mondoo continuously assesses your systems according to the policies you enable. The registry is where you control which policies Mondoo uses to assess your infrastructure.

Policy as code

Security policies and compliance frameworks typically are documents. Text describes each guideline and its rationale, and sometimes the consequences of not complying.

But documents don't check your environments. The work to verify that your infrastructure follows security standards is often manual, time intensive, and error prone. For example, if you need to manually demonstrate compliance for an audit, it can take weeks just to provide a snapshot of a single moment in time.

Policy as code lets you automate compliance using security benchmarks and best practices. The code serves two purposes: It documents the security guidelines and it tests your systems to ensure they follow those guidelines.

Each Mondoo policy is a codified collection of checks that test for certain configurations. For example, the Linux Security policy includes these checks:

  • Don't accept ICMP redirects
  • Disable prelink
  • Enable reverse path filtering
  • ... and dozens more.

You choose whether to enable the Linux Security policy. If it's enabled, then when Mondoo scans Linux assets, it assesses them based on the checks defined in that policy (and any other applicable Linux policies you enable).

Mondoo has hundreds of policies for dozens of different types of assets.

Manage policies by space

In Mondoo, you manage policies separately for each space in your organization. When you create a new space, it contains a default set of policies. Each space in your account can have a unique set of policies, which you manage in the registry for that space.

Managing policies involves:

  • Enabling a policy to use it as a basis for scanning assets in the space

  • Disabling a policy to stop using it in the space

  • Previewing a policy to use it as a basis for scanning but exclude it from scoring

  • Customizing a policy to control how it evaluates assets

Any policies you enable, disable, preview, or customize in a space's registry affect only that space.

Access the registry for a space

  1. In the Mondoo Console, navigate to the space.

  2. In the side navigation bar, select Registry.

    Mondoo - navigate to the security registry for a space

Enable policies in a space

Enable a policy to use that policy as a basis for evaluating assets in the space.

  1. Access the registry for the space as instructed above.

  2. Locate the policy you want to enable by scrolling through the list of available policies or using the Filter search box.

  3. To enable a policy, select the enable icon (a bar chart) on that policy's row.

    Mondoo - enable the policy for a space

Changes take effect immediately. The next time Mondoo scans applicable assets in the space, it includes this policy.

Disable policies in a space

Disable a policy to stop using that policy as a basis for assessing the security of assets in the space.

Caution: Disabling a policy deletes any existing reports from that policy in the space.

  1. Access the registry for the space as instructed above.

  2. Locate the policy you want to disable by scrolling through the list of available policies or using the Filter search box.

  3. To disable the policy, select the disable icon (a moon with Zs) on that policy's row.

    Mondoo - disable a policy for a space

Changes take effect immediately. The next time Mondoo scans applicable assets in the space, it does not include this policy.

Preview policies in a space

Preview a policy to evaluate assets in the space against it without letting it affect scores. When Mondoo calculates an asset's overall score, it doesn't factor in how the asset performs against a previewed policy. Likewise, when Mondoo calculates a space's or an organization's overall score, it doesn't factor in how any assets perform against that policy.

  1. Access the registry for the space as instructed above.

  2. Locate the policy you want to preview by scrolling through the list of available policies or using the Filter search box.

  3. To preview the policy, select the preview icon (a light bulb) on that policy's row.

    Mondoo - preview a policy for a space

Changes take effect immediately. The next time Mondoo scans applicable assets in the space, it includes this policy's results but not its scores.

Customize policies in a space

Many policies have properties that you can customize to suit your organization's needs. Properties are the ideal values that policies check against.

For example, the ideal value for AWS users' minimum password lengths is 14 characters. The "Amazon Web Services (AWS) Best Practices for NIST 1800 25" policy checks that users are required to have passwords 14 characters or longer. The property iamPasswordPolicyMinimumPasswordLength tells Mondoo what the ideal value is. By default, that value is 14. If your organization has a different requirement for minimum password length, you can change this value.

Some other examples of properties are:

  • Whether to require an alert when certain events occur

  • Maximum time between password or key rotations

  • What SSL or TLS ciphers to allow

  • Allowed domains

  • Allowed algorithms

  • Blocked ports

When you change a property in a policy, that change is for the current space only. It doesn't apply to other spaces in your organization.
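To make the relationship between a policy, its checks, and a property concrete, here is an added example (it is not from this page or from Mondoo's own policy bundles) of what the "Policy as code" described above and the property-driven check described in this section look like as a policy bundle. It assumes the YAML bundle format and MQL resource fields used by cnspec (the `aws.iam.accountPasswordPolicy` dict and `kernel.parameters`); the policy and check uids, author details, and impact values are made up for illustration. Verify field names against the Policy Authoring Guide before adopting anything from it.

```yaml
# Added example, not part of the Mondoo documentation or its policy bundles.
# Assumed: cnspec's policy bundle schema and MQL resource field names.
policies:
  - uid: example-org-baseline            # constructed uid
    name: Example Org Baseline
    version: 1.0.0
    authors:
      - name: Example Security Team
        email: security@example.com      # constructed placeholder
    groups:
      # Each group targets one platform via an asset filter and lists the
      # checks (queries by uid) that apply to it.
      - title: AWS IAM password policy
        filters: asset.platform == "aws"
        checks:
          - uid: example-aws-iam-password-min-length
      - title: Linux kernel hardening
        filters: asset.family.contains("linux")
        checks:
          - uid: example-linux-no-icmp-redirects

queries:
  # The property is the "ideal value" the check compares against. 14 is the
  # default; a space that needs a different minimum overrides this value in the
  # registry's Properties tab instead of editing the policy text.
  - uid: example-aws-iam-password-min-length
    title: Ensure the IAM password policy requires a minimum length of 14 or greater
    impact: 60
    props:
      - uid: iamPasswordPolicyMinimumPasswordLength
        title: Minimum password length required for IAM users
        mql: |
          return 14
    mql: |
      aws.iam.accountPasswordPolicy['MinimumPasswordLength'] >= props.iamPasswordPolicyMinimumPasswordLength

  # One of the Linux Security checks named earlier on the page, written as MQL:
  # both the "all" and "default" sysctl keys must reject ICMP redirects.
  - uid: example-linux-no-icmp-redirects
    title: Don't accept ICMP redirects
    impact: 60
    mql: |
      kernel.parameters['net.ipv4.conf.all.accept_redirects'] == '0'
      kernel.parameters['net.ipv4.conf.default.accept_redirects'] == '0'
```

The point to notice is that the threshold is not hard-coded in the check's MQL: the check reads `props.iamPasswordPolicyMinimumPasswordLength`, so changing the property in one space's registry changes what that space's scans require, while the check logic and every other space stay untouched.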

To change a property in a policy:

  1. Access the registry for the space as instructed above.

  2. Locate the policy in which you want to change a property by scrolling through the list of available policies or using the Filter search box.

  3. Select the policy to see its details.

    If the policy has properties, you see a Properties tab.

  4. Select the Properties tab to view all the properties in the policy.

    Mondoo - properties in a policy

  5. Select the property you want to change.

    Mondoo - change a policy property

  6. Type the new property value over the old one and then press Command + Return.

    A popup message confirms the change.

The change takes effect immediately. The next time Mondoo scans applicable assets in the space, it uses the new value.

Write custom policies

To learn how to write policies to meet your organization's specific needs, read the Policy Authoring Guide.