diff --git a/modules/configure-policy-enforcement-creating-policies.adoc b/modules/configure-policy-enforcement-creating-policies.adoc index 195ba22ce795..834853b685fc 100644 --- a/modules/configure-policy-enforcement-creating-policies.adoc +++ b/modules/configure-policy-enforcement-creating-policies.adoc @@ -27,7 +27,7 @@ The following enforcement behaviors are available depending on the lifecycle sta Build:: Set *Enforce on Build* to on to have {product-title-short} fail your continuous integration (CI) builds when images match the criteria of the policy. You can download the `roxctl` CLI and configure the `roxctl image check` command to work with the policy. Deploy:: Set *Enforce on Deploy* to on to have {product-title-short} block any workload admissions or updates that match the policy criteria. You must configure and run the {product-title-short} admission controller for this enforcement to take effect. ** In clusters with admission controller enforcement, the Kubernetes or {ocp} API server blocks all noncompliant deployments. In clusters without admission controller enforcement, {product-title-short} modifies noncompliant deployments to prevent pods from scheduling. -** For existing deployments, policy changes only result in enforcement at the next detection of the criteria, when a Kubernetes event occurs. For more information about enforcement, see "Deploy stage enforcement". +** For existing deployments, policy changes only result in enforcement at the next detection of the criteria, when a Kubernetes event occurs. Runtime:: Set *Enforce on Runtime* to on to have {product-title-short} delete all pods when an event in the pods matches the criteria of the policy. + [WARNING] diff --git a/modules/configure-policy-rules.adoc b/modules/configure-policy-rules.adoc index f1fec840f28e..bdf3c72483f5 100644 --- a/modules/configure-policy-rules.adoc +++ b/modules/configure-policy-rules.adoc 
@@ -7,7 +7,7 @@ = Configuring policy rules [role="_abstract"] -To control when a policy is triggered, configure the specific conditions and rules that apply to your environment. You can customize these rules by dragging and dropping policy fields, such as networking or workload activity, to define criteria appropriate for the build or runtime lifecycle stages. +To control when a policy triggers, configure the specific conditions and rules that apply to your environment. You can customize these rules by dragging and dropping policy fields, such as networking or workload activity, to define criteria appropriate for the build or runtime lifecycle stages. .Procedure @@ -16,7 +16,7 @@ To control when a policy is triggered, configure the specific conditions and rul + [NOTE] ==== -The policy fields that are available depend on the lifecycle stage you chose for the policy. For example, the criteria associated to *Networking* or *Workload activity* are available when creating a policy for the runtime lifecycle, but not when creating a policy for the build lifecycle. For more information about policy criteria, including information about criteria and the lifecycle phase in which they are available, see "Policy criteria". +The lifecycle stage you chose for the policy determines which policy fields become available. For example, the criteria associated to *Networking* or *Workload activity* become available when creating a policy for the runtime lifecycle, but not when creating a policy for the build lifecycle. ==== . For each field, you can select from options that are specific to the field. These differ depending on the type of field. For example: * The default behavior for a value that is a string is to match on a policy field, and select the *Not* checkbox to indicate when you do not want the field to match. 
@@ -27,7 +27,7 @@ The policy fields that are available depend on the lifecycle stage you chose for + [NOTE] ==== -For more information about values available for policy criteria, see "Policy criteria". +For more information about values available for policy criteria, see the "Policy criteria" reference. ==== . To combine multiple values for an attribute, click the *Add value of policy field* icon. . Optional: To add an additional rule, click *Add a new rule* . diff --git a/modules/configure-policy-scope.adoc b/modules/configure-policy-scope.adoc index daf7b0e3ba22..1c47a6778ce1 100644 --- a/modules/configure-policy-scope.adoc +++ b/modules/configure-policy-scope.adoc 
@@ -19,12 +19,12 @@ Node event source does not support scoping. ==== Restrict by scope:: Use this setting to apply the policy to a specific cluster, namespace, or deployment label. -You can add one or more scopes and also use regular expressions in link:https://github.com/google/re2/wiki/Syntax[RE2 Syntax] for namespaces and labels. -Exclude by scope:: Excludes specific deployments, clusters, namespaces, and deployment labels from the policy. The policy will not apply to the entities that you select. You can add one or more scopes and also use regular expressions in link:https://github.com/google/re2/wiki/Syntax[RE2 Syntax] for namespaces and labels. +You can add one or more scopes and also use regular expressions in "RE2 Syntax" for namespaces and labels. +Exclude by scope:: Excludes specific deployments, clusters, namespaces, and deployment labels from the policy. The policy will not apply to the entities that you select. You can add one or more scopes and also use regular expressions in "RE2 Syntax" for namespaces and labels. + [NOTE] ==== -This function is only available for policies configured for the deploy and runtime lifecycle stages. +This function applies only to policies configured for the deploy and runtime lifecycle stages. ==== Exclude images:: For policies configured for the build lifecycle stage, you can exclude images from the policy. Select the images for which you do not want to trigger a violation. diff --git a/modules/create-policy-categories-using-tab.adoc b/modules/create-policy-categories-using-tab.adoc index b7a4632a337e..9198861f33c7 100644 --- a/modules/create-policy-categories-using-tab.adoc +++ b/modules/create-policy-categories-using-tab.adoc 
@@ -11,6 +11,6 @@ You can create policy categories by using the *Policy categories* tab. You can a .Procedure . In the {product-title-short} portal, go to *Platform Configuration* -> *Policy Management*. -. Click the *Policy categories* tab. This tab provides a list of existing categories and allows you to filter the list by category name. You can also click *Show all categories* and select the checkbox to remove default or custom categories from the displayed list. +. Click the *Policy categories* tab. This tab provides a list of existing categories that you can filter by category name. You can also click *Show all categories* and select the checkbox to remove default or custom categories from the displayed list. . Click *Create category*. . Enter a category name and click *Create*. diff --git a/modules/create-policy-from-risk-view.adoc b/modules/create-policy-from-risk-view.adoc index fecc97af8e94..fa8bcb605076 100644 --- a/modules/create-policy-from-risk-view.adoc +++ b/modules/create-policy-from-risk-view.adoc @@ -13,4 +13,4 @@ You can generate a new security policy directly from the *Risk* view in the {pro .Procedure . In the {product-title-short} portal, click *Risk*. . Apply the local page filtering criteria that you want to create a policy for. For example, you can filter by using criteria such as a specific CVE, a cluster, a deployment, an image, or various other criteria. -. Click *Create policy* and complete the required fields to create a new policy. For the steps to create a policy, see "Creating a security policy from the system policies view". +. Click *Create policy* and complete the required fields to create a new policy. diff --git a/modules/enter-policy-details.adoc b/modules/enter-policy-details.adoc index 6797816f981a..0b01adec7a81 100644 --- a/modules/enter-policy-details.adoc +++ b/modules/enter-policy-details.adoc 
@@ -17,7 +17,7 @@ Configure the core attributes of your custom security policy to ensure exact thr . Enter details about the policy in the *Description* field. . Enter an explanation about why the policy exists in the *Rationale* field. . Enter steps to resolve violations of the policy in the *Guidance* field. -. Select the link:https://attack.mitre.org/matrices/enterprise/containers/[tactic and the techniques] you want to specify for the policy: +. Select the "tactic and the techniques" you want to specify for the policy: .. From the *Add tactic* list, select a tactic. .. From the *Add technique* list, select a technique for the tactic. You can specify one or more techniques for a tactic. . Click *Next*. \ No newline at end of file diff --git a/modules/modify-policy-categories-using-tab.adoc b/modules/modify-policy-categories-using-tab.adoc index 5d97bfe8de2b..1b5f35257a08 100644 --- a/modules/modify-policy-categories-using-tab.adoc +++ b/modules/modify-policy-categories-using-tab.adoc 
@@ -6,10 +6,10 @@ = Modifying policy categories by using the Policy categories tab [role="_abstract"] -You can modify policy categories by using the policy categories tab. You can also configure policy categories by using the `PolicyCategoryService` API object. For more information, go to *Help* -> *API reference* in the {product-title-short} portal. +You can change policy categories by using the policy categories tab. You can also configure policy categories by using the `PolicyCategoryService` API object. For more information, go to *Help* -> *API reference* in the {product-title-short} portal. .Procedure . In the {product-title-short} portal, go to *Platform Configuration* -> *Policy Management*. -. Click the *Policy categories* tab. This tab provides a list of existing categories and allows you to filter the list by category name. You can also click *Show all categories* and select the checkbox to remove default or custom categories from the displayed list. -. Click a policy name to edit or delete it. Default policy categories cannot be selected, edited, or deleted. \ No newline at end of file +. Click the *Policy categories* tab. This tab provides a list of existing categories that you can filter by category name. You can also click *Show all categories* and select the checkbox to remove default or custom categories from the displayed list. +. Click a policy name to edit or delete it. You cannot select, edit, or delete default policy categories. \ No newline at end of file diff --git a/modules/preview-policy-violations.adoc b/modules/preview-policy-violations.adoc index 321ff72d6ea9..eefab9d2f912 100644 --- a/modules/preview-policy-violations.adoc +++ b/modules/preview-policy-violations.adoc 
@@ -12,12 +12,12 @@ To ensure the policy is working correctly, verify the configuration options and .Procedure . Verify that the policy configuration is configured with the correct options. -. View the results in the *Preview policy violations* panel to ensure that the policy is working. This panel provides additional information, including whether build phase or deploy phase deployments have policy violations. +. View the results in the *Preview policy violations* panel to ensure that the policy works correctly. This panel provides additional information, including whether build phase or deploy phase deployments have policy violations. + [NOTE] ==== -Runtime violations are not available in this preview because they are generated when events occur in the future. +Runtime violations do not appear in this preview because the system generates them when events occur in the future. ==== + -Before you save the policy, verify that the violations seem accurate. +Before you save the policy, verify that the violations seem exact. . Click *Save*. \ No newline at end of file diff --git a/modules/select-policy-lifecycle.adoc b/modules/select-policy-lifecycle.adoc index 189492894ab5..655155f0648e 100644 --- a/modules/select-policy-lifecycle.adoc +++ b/modules/select-policy-lifecycle.adoc 
@@ -9,16 +9,14 @@ [role="_abstract"] Define when {product-title-short} evaluates policies by assigning a specific lifecycle stage. You can target these specific phases to inspect images during the continuous integration (CI) process or monitor workload activity on a live node, ensuring that enforcement actions occur at the appropriate time. -For more information, see "Understanding the {product-title-short} policy evaluation engine". - .Procedure . Select the *Lifecycle stages* for the policy: + -The following options are associated with the lifecycle stages: +The lifecycle stages have the following options: Build:: Policies in this stage inspect image criteria such as the image registry, content, vulnerability data, and the scanning process. The CI pipeline evaluates these policies during the build process. If you enable enforcement, a policy violation fails the build. {product-title-short} does not store violations from this stage. -Deploy:: Policies in this stage inspect workload configurations and their images. {product-title-short} evaluates these policies when you create or update a workload resource and re-evaluates them periodically or on demand. When you enable enforcement, a policy violation causes the admission controller to reject the deployment or update try, or scale the workload replicas to zero. +Deploy:: Policies in this stage inspect workload configurations and their images. {product-title-short} evaluates these policies when you create or update a workload resource and re-evaluates them periodically or on-demand. When you enable enforcement, a policy violation causes the admission controller to reject the deployment or update try, or scale the workload replicas to zero. Build and Deploy:: Select this stage if you want your policy to inspect images in both the build pipeline and during workload admission, and to apply enforcement to either or both stages. 
Runtime:: Policies in this stage inspect either workload activity or Kubernetes resource operations associated with the following event sources: Deployment::: To use runtime policies for workload activity, you must include at least one workload activity criterion. You can combine workload activity criteria with image or workload configuration criteria. If you enable enforcement, {product-title-short} terminates the offending pod, and the orchestrator then re-creates the pod. diff --git a/operating/manage_security_policies/custom-security-policies.adoc b/operating/manage_security_policies/custom-security-policies.adoc index 82538d5f2c53..63728290ced0 100644 --- a/operating/manage_security_policies/custom-security-policies.adoc +++ b/operating/manage_security_policies/custom-security-policies.adoc 
@@ -12,40 +12,71 @@ Create custom security policies in the {product-title-short} portal to enforce c include::modules/common-attributes.adoc[] +//Creating a security policy from the system policies view include::modules/create-policy-from-system-policies-view.adoc[leveloffset=+1] +//Entering policy details include::modules/enter-policy-details.adoc[leveloffset=+2] +[role="_additional-resources"] +.Additional resources +* link:https://attack.mitre.org/matrices/enterprise/containers/[MITRE ATT&CK tactics and techniques for containers] + +//Selecting the policy lifecycle stage include::modules/select-policy-lifecycle.adoc[leveloffset=+2] +[role="_additional-resources"] +.Additional resources +* xref:../../operating/manage_security_policies/about-security-policies.adoc#policy-evaluation-engine_about-security-policies[Understanding the {product-title-short} policy evaluation engine] + +//Configuring policy rules include::modules/configure-policy-rules.adoc[leveloffset=+2] [role="_additional-resources"] .Additional resources * xref:../../operating/manage_security_policies/security-policy-reference.adoc#policy-criteria_security-policy-reference[Policy criteria] +//Configuring the policy scope include::modules/configure-policy-scope.adoc[leveloffset=+2] +[role="_additional-resources"] +.Additional resources +* link:https://github.com/google/re2/wiki/Syntax[RE2 Syntax] + +//Enable the policy include::modules/enable-policy.adoc[leveloffset=+2] +//Configuring policy enforcement include::modules/configure-policy-enforcement-creating-policies.adoc[leveloffset=+2] [role="_additional-resources"] .Additional resources * xref:../../operating/manage_security_policies/about-security-policies.adoc#policy-enforcement-deploy_about-security-policies[Deploy stage enforcement] +//Selecting policy notifiers include::modules/selecting-policy-notifiers.adoc[leveloffset=+2] +//Reviewing the policy and previewing violations include::modules/preview-policy-violations.adoc[leveloffset=+2] 
+//Verifying file activity policies include::modules/verifying-file-activity-policies.adoc[leveloffset=+2] +//Creating a security policy from the risk view include::modules/create-policy-from-risk-view.adoc[leveloffset=+1] +[role="_additional-resources"] +.Additional resources +* xref:../../operating/manage_security_policies/custom-security-policies.adoc#create-policy-from-system-policies-view_custom-security-policies[Creating a security policy from the system policies view] + +//Modifying existing security policies include::modules/modify-existing-security-policies.adoc[leveloffset=+1] +//Disabling a policy include::modules/disable-associated-policies.adoc[leveloffset=+2] +//Creating policy categories by using the Policy categories tab include::modules/create-policy-categories-using-tab.adoc[leveloffset=+2] +//Modifying policy categories by using the Policy categories tab include::modules/modify-policy-categories-using-tab.adoc[leveloffset=+2] \ No newline at end of file
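Review bot: In the configure-policy-enforcement-creating-policies.adoc hunk, the unchanged `Runtime::` description ("delete all pods when an event in the pods matches the criteria") conflicts with the `Deployment:::` text in the select-policy-lifecycle.adoc hunk of this same patch ("terminates the offending pod, and the orchestrator then re-creates the pod"). Since both modules are being edited here, align them on one description of runtime enforcement, for example "terminates the offending pod" in both places, so readers are not left wondering whether every pod in the deployment is removed or only the one that triggered the violation.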
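Review bot: In the configure-policy-rules.adoc `@@ -16,7` hunk, the rewritten NOTE keeps two grammar problems: "the criteria associated to *Networking*" should be "associated with", and "The lifecycle stage you chose" should be present tense to match the surrounding procedure ("you choose"). Suggested wording: "The lifecycle stage you choose for the policy determines which policy fields are available. For example, the criteria associated with *Networking* or *Workload activity* are available when creating a policy for the runtime lifecycle, but not when creating a policy for the build lifecycle."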
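Review bot: The two NOTE edits in configure-policy-rules.adoc handle the "Policy criteria" cross-reference inconsistently: the `@@ -16,7` hunk deletes its inline pointer entirely because the assembly already lists `Policy criteria` under `.Additional resources`, while the `@@ -27,7` hunk keeps the inline pointer and only appends the word "reference". Pick one approach for both notes; given that the `.Additional resources` xref for this module is unchanged in the custom-security-policies.adoc hunk, dropping the second inline pointer as well would match what the rest of the patch does for the RE2 and MITRE links.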
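Review bot: In the configure-policy-scope.adoc hunk, the rewritten NOTE "This function applies only to policies configured for the deploy and runtime lifecycle stages" has an unclear antecedent: it sits directly under `Exclude by scope::`, but `Restrict by scope::` is described immediately above it and the next item, `Exclude images::`, is explicitly scoped to the build stage. Name the setting(s) the note covers, for example "Restrict by scope and Exclude by scope apply only to policies configured for the deploy and runtime lifecycle stages", or move the note so it unambiguously attaches to the one setting it describes.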
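Review bot: In the enter-policy-details.adoc hunk, replacing the link with the quoted phrase "tactic and the techniques" leaves a sentence that reads oddly and does not match the title of the new `.Additional resources` entry added in custom-security-policies.adoc (`MITRE ATT&CK tactics and techniques for containers`), so the reader has no cue that the quoted phrase points at that resource. Suggest dropping the quotes and naming the framework: `. Select the MITRE ATT&CK tactic and techniques that you want to specify for the policy:`. The file also still ends without a trailing newline (`\ No newline at end of file`); since the line is being touched anyway, adding one would be cheap.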
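Review bot: In the modify-policy-categories-using-tab.adoc hunk, the edited step reads "Click a policy name to edit or delete it" but the procedure is on the *Policy categories* tab and the next sentence talks about default policy categories, so this should be "Click a category name to edit or delete it." The same tab description is duplicated verbatim in create-policy-categories-using-tab.adoc in this patch; consider keeping the two sentences identical so they do not drift apart in future edits.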
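Review bot: In the preview-policy-violations.adoc hunk, changing "verify that the violations seem accurate" to "seem exact" is a regression: "exact" does not convey that the reader should check the preview reports the violations they expected, so please restore "accurate". The rewritten NOTE is also awkward ("because the system generates them when events occur in the future"); "Runtime violations do not appear in this preview because they are generated only when runtime events occur" states the same thing more directly. The unchanged "Verify that the policy configuration is configured with the correct options" could lose the redundant "configured" while you are in this file.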
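Review bot: In the select-policy-lifecycle.adoc hunk, "re-evaluates them periodically or on demand" was correct and the new "on-demand" is not: the hyphenated form is the adjective ("on-demand scan"), while the adverbial use after a verb is unhyphenated. Please revert that part of the `Deploy::` line. The same line keeps "reject the deployment or update try", which should be "update attempt". Removing the inline "Understanding the ... policy evaluation engine" pointer is fine because the assembly hunk adds the matching xref under `.Additional resources`.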
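Review bot: In the custom-security-policies.adoc hunk, the new xrefs depend on anchors that are not visible in this patch: `create-policy-from-system-policies-view_custom-security-policies` assumes the included module declares `[id="create-policy-from-system-policies-view_{context}"]` and that this assembly sets `:context: custom-security-policies`, and `policy-evaluation-engine_about-security-policies` assumes a matching ID in about-security-policies.adoc. Please confirm both resolve in a local build, since a broken xref here silently drops the only remaining pointer to the "Creating a security policy from the system policies view" procedure after the inline reference was removed from create-policy-from-risk-view.adoc. The file also still lacks a trailing newline.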