ASSURE Type Policies

ASSURE-type policies are proactive compliance checks for your codebase or configuration settings, in contrast to the reactive nature of SCAN-type policies.

Instead of searching for known issues or vulnerabilities, ASSURE policies affirm the presence of specific, desirable patterns in your target codebase. These patterns are pivotal in ensuring that your codebase adheres to compliance standards or configuration requirements.

Consider the case where it's critical to verify specific database configurations: ASSURE policies can be employed to confirm that the database operates on a designated port (e.g., Port X), encryption is activated, and the database remains inaccessible to the public internet. The outcomes generated by ASSURE policies not only affirm a setup that meets compliance standards but also highlight any lapses (omissions) in expected policy configurations or any discrepancies from the set benchmarks.

This approach shifts the focus from merely identifying and rectifying problems to actively validating and ensuring the desired state of system configurations, thereby fostering a more secure and compliant infrastructure.

TIP

This policy type gets even better with the addition of CUE language schema validation, REGO policies and FileType (JSON, TOML, YAML) compliance.

REGEX

The default REGEX ASSURE policy accepts multiple REGEX patterns per policy definition.

Example

The setup

```sh
intercept config -r
intercept config -a /app/examples/policy/assure.yaml

intercept assure -t /app/examples/target -i "AWS" -b "false"

cat intercept.assure.sarif.json
```

INFO

All rule types can be filtered by a combination of TAGS, ENVIRONMENT name and their own ENFORCEMENT levels. Make sure to explore them.

The Policy

```yaml
  - name: ASSURE SSL (OK)
    id: 201
    description: Assure ssl_cyphers only contains GANSO_SSL
    error: Misconfiguration or omission is fatal
    tags: AWS
    type: assure
    fatal: true
    enforcement: true
    environment: all
    confidence: high
    patterns:
      - ssl_cyphers\s*=\s*"GANSO_SSL"

  - name: Weak Cyphers (NOT FOUND)
    id: 202
    description: Assure ssl_weak_cyphers only contains PATO_SSL
    error: Misconfiguration or omission is NOT fatal but not recommended
    tags: AWS
    type: assure
    fatal: false
    enforcement: true
    environment: all
    confidence: high
    patterns:
      - ssl_weak_cyphers\s*=\s*"PATO_SSL"
      - ssl_strong_cyphers\s*=\s*"LION_SSL"
```

SARIF Output

```json
{
  "version": "2.1.0",
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "runs": [
    ... REDACTED
      "artifacts": [
        {
          "location": {
            "uri": "/app/examples/target/long.code"
          },
          "length": -1
        }
      ],
      "results": [
        {
          "ruleId": "intercept.cc.assure.policy.201: ASSURE SSL",
          "ruleIndex": 0,
          "level": "note",
          "message": {
            "text": "Assure ssl_cyphers only contains GANSO_SSL"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "/app/examples/target/long.code"
                },
                "region": {
                  "startLine": 8498,
                  "endLine": 8498,
                  "snippet": {
                    "text": "ssl_cyphers         =   \"GANSO_SSL\""
                  }
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
```

Console Output

```sh
 ASSURE Rule # 201
 Rule name :  ASSURE SSL
 Rule description :  Assure ssl_cyphers only contains GANSO_SSL
 Impacted Env :  all
 Confidence :  high
 Tags :  AWS

  /app/examples/target/long.code
  8498:ssl_cyphers         =   "GANSO_SSL"

 Compliant

├────────────────────────────────────────────────────────────

 ASSURE Rule # 202
 Rule name :  Weak Cyphers (NOT FOUND)
 Rule description :  Assure ssl_weak_cyphers only contains PATO_SSL
 Impacted Env :  all
 Confidence :  high
 Tags :  AWS

 NOT FOUND
  Misconfiguration or omission is NOT fatal but not recommended

 ASSURE Rule :  Weak Cyphers (NOT FOUND)
 Target Environment :  all
 Suggested Solution :
```

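To make the two verdicts above concrete, here is an added Python model of how an ASSURE policy is evaluated (illustrative code written for this page, not intercept's own implementation): each regex pattern is searched for in the target, a miss is reported as NOT FOUND, and only a policy with fatal: true turns a miss into a failing exit status. The policies mirror the assure.yaml above; the target text is constructed, and the rule that every pattern of a policy must match at least once is an assumption.

```python
import re

# Constructed policies mirroring the assure.yaml above (same ids, fatal flags and patterns).
POLICIES = [
    {"id": 201, "name": "ASSURE SSL", "fatal": True,
     "patterns": [r'ssl_cyphers\s*=\s*"GANSO_SSL"']},
    {"id": 202, "name": "Weak Cyphers", "fatal": False,
     "patterns": [r'ssl_weak_cyphers\s*=\s*"PATO_SSL"',
                  r'ssl_strong_cyphers\s*=\s*"LION_SSL"']},
]

# Constructed target excerpt standing in for /app/examples/target/long.code.
TARGET = "\n".join([
    "listen_port = 5432",
    'ssl_cyphers         =   "GANSO_SSL"',
    "publicly_accessible = false",
])


def assure(policies, text):
    """Return {policy_id: (compliant, hits)}; hits are (line_no, line) pairs.
    Assumption: a policy is compliant only if every pattern matches at least once."""
    lines = text.splitlines()
    report = {}
    for pol in policies:
        compliant, hits = True, []
        for pat in pol["patterns"]:
            rx = re.compile(pat)
            found = [(n, ln) for n, ln in enumerate(lines, 1) if rx.search(ln)]
            if not found:
                compliant = False  # this pattern is NOT FOUND in the target
            hits.extend(found)
        report[pol["id"]] = (compliant, hits)
    return report


def exit_code(policies, report):
    """Non-zero only when a policy with fatal: true is not satisfied."""
    return 1 if any(p["fatal"] and not report[p["id"]][0] for p in policies) else 0


if __name__ == "__main__":
    rep = assure(POLICIES, TARGET)
    for pol in POLICIES:
        ok, hits = rep[pol["id"]]
        print(f'ASSURE Rule # {pol["id"]}: {"Compliant" if ok else "NOT FOUND"}', hits)
    print("exit code:", exit_code(POLICIES, rep))
```

Rule 201 is satisfied at line 2 and rule 202 is NOT FOUND, yet the exit code stays 0 because only 201 is fatal; replace the ssl_cyphers value with anything else and the fatal policy fails.
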
Run it

```sh
docker pull ghcr.io/xfhg/intercept:latest

# --rm must follow docker run directly; -v takes the volume spec as its argument
docker run --rm -w "$PWD" -v "$PWD:$PWD" -e TERM=xterm-256color ghcr.io/xfhg/intercept intercept config -a examples/policy/assure.yaml

docker run --rm -w "$PWD" -v "$PWD:$PWD" -e TERM=xterm-256color ghcr.io/xfhg/intercept intercept assure -t examples/target
```