
Managing and customizing policies

Overview

The POLICY HUB in Mondoo Platform comes with a default set of security policies enabled to cover a wide range of use cases. You can disable or customize these default policies to meet your needs, or enable any number of the ever-growing list of additional policies in Mondoo Platform.

This guide covers how to manage and customize policies in Mondoo Platform.

info

Need Help?

Join us in the Mondoo Community Slack channel if you run into any issues. We are here to help!

Prerequisites

Before you begin, you should have the following:

Understanding the Policy Hub in spaces

Each space in Mondoo Platform has a POLICY HUB that is isolated from every other space in your organization, so any policies you enable, disable, or customize affect only that space. This isolation lets you group related infrastructure and tailor fine-grained policies to its requirements.

info

Using spaces to group infrastructure

A space can be used to group infrastructure that must follow a specific compliance requirement such as HIPAA or GDPR. Use the POLICY HUB for that space to enable the appropriate policies and to customize the controls within those policies.

Enabling policies

When you navigate to the POLICY HUB, you will see a list of all of the policies that are enabled in that space. A new space comes with a default list of policies enabled.


To enable additional policies:

  1. Log in to Mondoo Platform
  2. Navigate to the POLICY HUB.
  3. Select ADD POLICY to view all available policies.
  4. Locate the policy or policies you want to enable, either by scrolling through the list of available policies or by using the Filter search box.
  5. Check the box next to each policy you want, and then select the ENABLE button.

Any changes will take effect immediately. Assets registered to the space will automatically run applicable policies on their next scan.

Understanding how policies are applied

Every policy in the POLICY HUB is designed to only run against the type of asset it was written for. While you may have a space with AWS, Google Cloud, and Azure policies enabled, AWS policies will only run against AWS environments, and Google Cloud policies will only run against Google Cloud environments. This is achieved by a configuration within each policy called an asset_filter.

Each time a mondoo scan is initiated against a target, the asset type is sent to Mondoo Platform, which returns the list of enabled policies that apply to that asset type. For example, when running mondoo scan aws, platform.name == "aws" and platform.kind == "api" are sent to Mondoo Platform to retrieve any enabled policies that match that asset type.

The following section provides additional examples of asset_filter configurations in Mondoo policies.

Example: asset_filter for Amazon Web Services accounts

The following is an example of the asset_filter configuration in the AWS Operational Best Practices policies:

- asset_filter:
    query: |
      platform.name == "aws"
      platform.kind == "api"

Example: asset_filter for VMware vSphere ESXi Security by Mondoo

This example from the VMware vSphere ESXi Security by Mondoo policy uses a regular expression in its asset_filter so that the policy runs only on VMware vSphere ESXi 6 or 7.

- asset_filter:
    query: |
      platform.name == "vmware-esxi"
      platform.release == /^(6|7)\./

Example: asset_filter for openssh-server installed

The asset_filter can also express more nuanced conditions. The following example shows how an asset_filter can make a policy run not only on servers but also on containers that have openssh-server installed:

- asset_filter:
    query:
      package('openssh-server').installed

info

This filter could be used to stop a container build, or a container deployment, that has inadvertently shipped openssh-server as part of the artifact.

Example: asset_filter for httpd or apache2 running

Another example is a policy for hosts running Apache2. Because the service is named httpd on RHEL and apache2 on Debian/Ubuntu, the following asset_filter uses the || operator so the policy matches whichever of the two is running:

- asset_filter:
    query:
      service('httpd').running || service('apache2').running

Once a policy is enabled in a space, every asset that matches the policy's asset_filter runs the policy and generates a report containing the asset's score and the individual results.
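To make the selection described in this section concrete, here is an added toy evaluator (not Mondoo's MQL engine or any of its code) that applies the four asset_filter queries quoted above to constructed asset descriptions and returns the policies that would run. It understands only the expression forms on this page and assumes that every line of a multi-line filter must hold; the last two policy names are made up for the example.

```python
import re

# Added toy evaluator, NOT Mondoo's MQL engine: it understands only the expression forms
# shown on this page and assumes every line of a multi-line filter must hold.
# The asset_filter queries are copied from the page; the last two policy names are constructed.
POLICIES = {
    "AWS Operational Best Practices": 'platform.name == "aws"\nplatform.kind == "api"',
    "VMware vSphere ESXi Security by Mondoo": 'platform.name == "vmware-esxi"\nplatform.release == /^(6|7)\\./',
    "No openssh-server in artifacts (constructed)": "package('openssh-server').installed",
    "Apache hardening (constructed)": "service('httpd').running || service('apache2').running",
}

_EQ_STR = re.compile(r'^platform\.(\w+) == "([^"]*)"$')  # platform.name == "aws"
_EQ_RE = re.compile(r'^platform\.(\w+) == /(.*)/$')       # platform.release == /^(6|7)\./
_PKG = re.compile(r"^package\('([^']+)'\)\.installed$")
_SVC = re.compile(r"^service\('([^']+)'\)\.running$")

def eval_term(term, asset):
    """Evaluate one atomic expression against an asset description (a dict)."""
    term, plat = term.strip(), asset.get("platform", {})
    if m := _EQ_STR.match(term):
        return plat.get(m[1]) == m[2]
    if m := _EQ_RE.match(term):
        return re.search(m[2], plat.get(m[1], "")) is not None
    if m := _PKG.match(term):
        return m[1] in asset.get("packages", set())
    if m := _SVC.match(term):
        return m[1] in asset.get("services", set())
    raise ValueError(f"unsupported expression: {term}")

def matches(query, asset):
    """A line holds if any ||-alternative holds; the filter holds if every line holds."""
    return all(any(eval_term(t, asset) for t in line.split("||"))
               for line in query.splitlines() if line.strip())

def applicable_policies(asset, policies=POLICIES):
    """Names of enabled policies whose asset_filter selects this asset (sorted)."""
    return sorted(name for name, q in policies.items() if matches(q, asset))

# Constructed sample assets, standing in for what a scan reports about itself.
AWS_ACCOUNT = {"platform": {"name": "aws", "kind": "api"}}
ESXI7_HOST = {"platform": {"name": "vmware-esxi", "release": "7.0.3"}}
ESXI8_HOST = {"platform": {"name": "vmware-esxi", "release": "8.0.0"}}
CONTAINER = {"platform": {"name": "ubuntu", "kind": "container"},
             "packages": {"openssh-server"}, "services": {"apache2"}}

if __name__ == "__main__":
    for label, asset in [("aws", AWS_ACCOUNT), ("esxi7", ESXI7_HOST),
                         ("esxi8", ESXI8_HOST), ("container", CONTAINER)]:
        print(f"{label}: {applicable_policies(asset)}")
```

Note that the ESXi 8 host selects nothing: the release regex anchors on 6 or 7, which is exactly why such a policy silently stops covering hosts after an upgrade until its filter is revisited.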

Disabling policies

To disable policies:

  1. Log in to Mondoo Platform.
  2. Navigate to the POLICY HUB.
  3. Locate the policy or policies you want to disable, either by scrolling through the list of enabled policies or by using the Filter search box.
  4. Check the box next to one or more policies you wish to disable, and then select the DISABLE button.

Your changes will take effect immediately.

caution

Disabling a policy deletes any existing reports from that policy in the space.

Customizing policies

Mondoo Platform makes it simple to customize policies by letting you configure the individual controls within each policy. Each control can be set to one of the following:

  • ENABLE (default) - The control runs on every asset that runs the policy and its result counts toward the score.
  • IGNORE - The control is executed, but its result does not affect the score for the asset.
  • DISABLE - The control is disabled and is not executed.


To configure queries within a policy:

  1. In Mondoo Platform navigate to the POLICY HUB.
  2. Locate the policy you want to customize and select it to view more details.
  3. Select the QUERIES tab to view a list of queries associated with the policy.
  4. Locate the query you want to configure, check the box beside it, and select ENABLE, IGNORE, or DISABLE.

An image of queries that have been ignored or disabled

Queries that have been configured to IGNORE or DISABLE will be marked as such in the UI.