ASSURE Type Policies
ASSURE-type policies are proactive compliance checks run against your codebase or configuration, in contrast to the reactive nature of SCAN-type policies.
Instead of searching for known issues or vulnerabilities, an ASSURE policy affirms that a specific, desirable pattern is present in the target files. Those patterns are what tie the codebase to a compliance standard or a configuration requirement.
Consider the case where it is critical to verify specific database settings: ASSURE policies can confirm that the database listens on a designated port (e.g., port 443), that encryption is enabled, and that the database is not reachable from the public internet. The results of an ASSURE policy not only affirm a setup that meets the standard but also highlight any omissions of expected settings and any deviations from the agreed benchmark.
This shifts the focus from merely finding and fixing problems to actively validating that system configuration is in the desired state, which yields a more secure and more compliant infrastructure.
Examples
The default REGEX ASSURE policy accepts multiple REGEX patterns per policy definition. A policy PASSes when at least ONE of its patterns matches, so several patterns in a single policy behave as alternatives (OR), not as a checklist: a file that contains only one of the settings below still passes. To make every setting mandatory, write one policy per required pattern (or use the schema-based variants described under INFO below).
```yaml
Policies:
  - id: "ASSURE-001 Required Security Settings"
    type: "assure"
    filepattern: "config.*\\.(json|yaml|ini)$"
    enforcement:
      - environment: "production"
        fatal: "true"
        exceptions: "false"
        confidence: "high"
      - environment: "development"
        fatal: "false"
        exceptions: "false"
        confidence: "high"
    metadata:
      name: "Ensure required security settings"
      description: "Verify that configuration files contain required security settings"
      msg_solution: "Add the missing security settings to the configuration file."
      msg_error: "Configuration file is missing required security settings."
      tags:
        - "security"
        - "config"
      score: "8"
    _regex:
      - "ssl_enabled:\\s*true"
      - "use_encryption:\\s*true"
```
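To make the PASS rule concrete, the following is an added Python example, not the tool's own evaluator and not code from the original page. It applies the policy above to a few constructed configuration files. It assumes a simplified policy shape (a dict with the same keys as the YAML, `filepattern` tested against each path with `re.search`, and each `_regex` entry tested against file contents), and it goes one step beyond the page by showing how to obtain "every setting required" semantics by splitting each pattern into its own single-pattern policy.

```python
import re
from typing import Dict, List

# Policy mirroring the YAML example on this page, expressed as a dict.
# Added illustration only: the real tool's loader and matching details are
# not shown on the page, so the keys below are an assumed simplification.
POLICY = {
    "id": "ASSURE-001 Required Security Settings",
    "type": "assure",
    "filepattern": r"config.*\.(json|yaml|ini)$",
    "_regex": [r"ssl_enabled:\s*true", r"use_encryption:\s*true"],
}

# Constructed sample files (path -> contents) standing in for a checkout.
FILES: Dict[str, str] = {
    "config.prod.yaml": "ssl_enabled: true\nuse_encryption: true\n",
    "config.dev.yaml": "ssl_enabled: true\nuse_encryption: false\n",
    "config.legacy.ini": "ssl_enabled = false\n",
    "README.md": "ssl_enabled: true\n",  # would match a regex, but filepattern excludes it
}


def files_in_scope(policy: dict, files: Dict[str, str]) -> List[str]:
    """Apply filepattern: only paths matching it are assessed at all."""
    pattern = re.compile(policy["filepattern"])
    return [path for path in files if pattern.search(path)]


def evaluate(policy: dict, files: Dict[str, str]) -> Dict[str, str]:
    """Default REGEX ASSURE rule: a file PASSes if at least ONE pattern matches."""
    regexes = [re.compile(r) for r in policy["_regex"]]
    results: Dict[str, str] = {}
    for path in files_in_scope(policy, files):
        content = files[path]
        hit = any(r.search(content) for r in regexes)
        results[path] = "PASS" if hit else "FAIL"
    return results


def split_required(policy: dict) -> List[dict]:
    """One single-pattern policy per regex, so every setting becomes mandatory."""
    return [
        dict(policy, id=f"{policy['id']} / {n}", _regex=[r])
        for n, r in enumerate(policy["_regex"], start=1)
    ]


def evaluate_all_required(policy: dict, files: Dict[str, str]) -> Dict[str, str]:
    """AND semantics built from the OR primitive: a file passes only if it
    passes every single-pattern policy produced by split_required()."""
    per_policy = [evaluate(p, files) for p in split_required(policy)]
    return {
        path: "PASS" if all(res[path] == "PASS" for res in per_policy) else "FAIL"
        for path in files_in_scope(policy, files)
    }


if __name__ == "__main__":
    print("in scope:", files_in_scope(POLICY, FILES))
    print("any pattern (page default):", evaluate(POLICY, FILES))
    print("all patterns (split policies):", evaluate_all_required(POLICY, FILES))
```

Under the page's default rule `config.dev.yaml` passes even though encryption is off, because `ssl_enabled: true` alone satisfies the policy; only the split form reports it as a lapse. `README.md` never appears in either result set because `filepattern` removes it before any regex runs.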
TIP
With the filepattern key you can narrow down or filter the files assessed by this policy. Files whose path does not match the pattern are not evaluated at all, so make the pattern wide enough to cover every configuration file that is expected to carry the setting.
INFO
This policy type gets even better with the addition of CUE lang schema validation, REGO policies and FileType (JSON, TOML, YAML, INI) compliance. Check the ASSURE FILETYPE