Local Policy File (Advanced)

Here you find the full specification for the different configuration sections and elements that can be part of the declarative configuration file including an example for each:

Policies

The policies section defines the default behaviors that will apply to all web resources exposed by the NGINX server or Kong Gateway as well as specific rules for overriding the default behaviour for specific hostname/path combinations.

Example
policies:
  default:
    triggers:
    - appsec-special-log-trigger
    mode: detect-learn
    practices:
    - webapp-default-practice
    source-identifiers: appsec-source-identifiers-sourceip-example
    trusted-sources: appsec-trusted-source-example
    custom-response: appsec-web-user-response-example
    exceptions:
    - appsec-exception-example
  specific-rules:
  - host: web.server.com/example
    triggers:
    - appsec-special-log-trigger
    mode: prevent-learn
    practices:
    - webapp-best-practice
    source-identifiers: appsec-source-identifiers-sourceip-example
    trusted-sources: appsec-trusted-source-example
    custom-response: appsec-web-user-response-example
    exceptions:
    - appsec-exception-example
  - host: web.server.com/another-example
    triggers:
    - appsec-special-log-trigger
    mode: prevent-learn
    practices:
    - webapp-best-practice
    source-identifiers: appsec-source-identifiers-sourceip-example
    trusted-sources: appsec-trusted-source-example
    custom-response: appsec-web-user-response-example
    exceptions:
    - appsec-exception-example
Specification

default

  • mode string enum - security engines operation mode. Blocking will only happen in prevent-learn mode

    • prevent-learn / detect-learn / prevent / detect / inactive (note that prevent and detect are just aliases for prevent-learn and detect-learn)

  • practices array of strings - defines which security engines to activate and their specific settings (Although this is an array already there cannot be multiple practices of the same kind specified here for now!)

    • reference to Practice resource(s)

  • triggers array of strings - defines logging verbosity and destination (stdout, syslog, cloud, etc) (Although this is an array for now only a single trigger is supported!)

    • reference to LogTrigger resource(s)

  • custom-response string - defines prevent mode behaviors upon decision to block: HTTP response code, block page, http redirect

    • reference to CustomResponse resource

  • source-identifiers string - defines how ML engine will distinguish between sources based on IP address, X-Foward-For, Key in Header/Cookie/JWT

    • reference to SourcesIdentifier resource

  • trusted-sources string - defines which traffic sources are very unlikely to be malicious. Used for Machine Learning engine.

  • exceptions arrays of strings - defines exceptions to be applied based on e.g. countryCode, countryName, sourceIP, URL, hostName, sourceIdentifier

    • reference to Exception resource(s)

specific-rules list list of one or more per-host (ingress rule) policies that will override the defaults above

  • host string - policy will apply to this host

    • network path (exactly as appear in ingress rules)

  • All other keys can be used same as decribed above for default.

Practices

Practice resources define which security engines will be active and what their settings are.

Example
practices:
  - name: webapp-best-practice
    openapi-schema-validation:
      files: []
      override-mode: 'prevent'
    snort-signatures:
      files: []
      override-mode: 'prevent'
    web-attacks:
      max-body-size-kb: 1222
      max-header-size-bytes: 44343
      max-object-depth: 2111
      max-url-size-bytes: 34434
      minimum-confidence: high
      override-mode: 'prevent'
      protections:
        csrf-enabled: prevent
        error-disclosure-enabled: prevent
        non-valid-http-methods: true
        open-redirect-enabled: prevent
    anti-bot:
      injected-URIs: []
      validated-URIs: []
      override-mode: 'prevent'
Specification
  • web-attacks - open-appsec ML engine settings

    • override-mode string enum - allows overriding the mode defined at the Policy level for this specific engine (when set to as-top-level the value will be inherited from mode setting in the policy)

      • prevent-learn / detect-learn / prevent / detect / inactive / as-top-level

    • minimum-confidence string enum, default: high - defines which security engines to activate and their specific settings

      • medium / high / critical

    • max-url-size-bytes integer, default: 32768

    • max-object-depth integer, default: 40

    • max-body-size-kb integer, default: 102400

    • max-header-size-bytes integer, default: 32768

    • protections - settings for various advanced protections:

      • csrf-enabled string, default: inactive - Cross Site Request Forgery protection

        • prevent-learn / detect-learn / prevent / detect / inactive

      • error-disclosure-enabled string, default: inactive - Prevent disclosure of technical information to the attacker in server error messages

        • prevent-learn / detect-learn / prevent / detect / inactive

      • open-redirect-enabled string, default: inactive - Protect against URL redirection to untrusted sites

        • prevent-learn / detect-learn / prevent / detect / inactive

      • non-valid-http-methods boolean, default: false - Prevent attacker from sending requests with unsafe HTTP methods

        • true / false

  • open-api-schema-validation (currently not supported yet, will be added soon)

    • configmap array of strings - specify configmap(s) containing the OpenAPI schema definitions

    • override-mode enum - allows overriding the mode defined at the Policy level for this specific engine (when set to as-top-level the value will be inherited from mode setting in the policy)

      • prevent-learn / detect-learn / prevent / detect / inactive / as-top-level

  • anti-bot (currently not supported yet, will be added soon)

    • override-mode enum - allows overriding the mode defined at the Policy level for this specific engine (when set to as-top-level the value will be inherited from mode setting in the policy)

      • prevent-learn / detect-learn / prevent / detect / inactive / as-top-level

    • injected-URIs array of strings - Provide URL(s) where Anti-Bot check is injected with GET request

    • validated-URIs array of strings - Provide URL(s) where result of Anti-Bot check is received from with POST request

  • snort-signatures (currently not supported yet, will be added soon)

    • override-mode enum - allows overriding the mode defined at the Policy level for this specific engine (when set to as-top-level the value will be inherited from mode setting in the policy)

      • prevent-learn / detect-learn / prevent / detect / inactive / as-top-level

    • configmap array of strings - specify configmap(s) containing snort signatures

Custom Response

Optional custom responses can be configured to return in prevent mode either a customizable block page or the desired response code only. The custom responses than can be referenced within one or more policy elements.

Examples
custom-responses:
  - name: appsec-default-web-user-response
    mode: response-code-only
    http-response-code: 403
  - name: appsec-web-user-response-example
    mode: block-page
    http-response-code: 403
    message-title: Block page title
    message-body: "<h1>Access blocked by open-appsec.</h1><p>Your access will be logged.</p>"
Specification
  • mode enum - engine will take one of these actions upon decision to block request

    • block-page - send HTML with text to client + HTTP response code

    • response-code-only - send only response code

  • message-title string - title of block page that will be displayed only in case mode is block page and engine decided to block

  • message-body string - content of block page that will be displayed only in case mode is block page and engine decided to block

  • http-response-code integer between 100-599 - http code that will be returned to client upon engine decision to block; default is 403 - HTTP Forbidden

Log Trigger

Optional log trigger elements can be used to configure custom logging requirements. They can then be referenced within one or more policy elements.

Example
logtriggers:
  - name: appsec-special-log-trigger
    access-control-logging:
      allow-events: false
      drop-events: true
    additional-suspicious-events-logging:
      enabled: true
      minimum-severity: high
      response-body: false
    appsec-logging:
      all-web-requests: false
      detect-events: true
      prevent-events: true
    extended-logging:
      http-headers: false
      request-body: false
      url-path: false
      url-query: false
    log-destination:
      cloud: false
      file: "/a/b/c"
      stdout:
        format: json
      syslog-service:
      - address: 1.2.3.4
        port: 514
      cef-service:
        address: 5.6.7.8
        port: 514
        proto: tcp
Specification
  • access-control-logging - configure logging for Access Control events

    • allow-events boolean, default: false - log access control allow events

      • true / false

    • drop-events boolean, default: true - log access control drop events

      • true / false

  • additional-suspicious-events-logging configure additional logging for suspicious events based on a selectable minimum severity-level

    • enabled boolean default: true - enable/disable additional suspicious events logging

      • true / false

    • minimum-severity string enum, default: high - select minimum severity level

      • high / critical

  • appsec-logging configure logging for open-appsec events (threat prevention, machine learning)

    • detect-events boolean, default: true - log detected events

      • true / false

    • prevent-events boolean, default: true - log prevented events

      • true / false

    • all-web-requests boolean, default: false - log all web requests (has performance impact!)

      • true / false

    • extended-logging

      • url-path boolean, default: true - log URL path

        • true / false

      • url-query boolean, default: true - log URL query

        • true / false

      • http-headers boolean, default: false - log the HTTP headers (has performance impact!)

        • true / false

      • request-body boolean, default: false - log the request body (has performance impact)

        • true / false

  • log-destination

    • cloud boolean, default: false - enable or disable logging to the appsec-open Cloud Service (relevant when being connected to SaaS Mgmt WebUI)

      • true / false

    • file string - define file path to save logs to (local path from root directory of the open-appsec container, could also refer to a mountPath for a mounted Persistent Volume in the container)

    • stdout - configure logging to standard-out

      • format string enum - define the desired log format

        • json / json-formatted - select between formatted or standard json

    • syslog-service objects array - define one or more syslog servers and corresponding ports to send logs to

      • address string - Syslog server IP address

      • port integer - Syslog server port

    • cef-service - allows sending files to a log destination in CEF format

      • address string - CEF server IP address

      • port integer - CEF server port

      • proto string enum Select the correct protocol

        • tcp / udp - Chose TCP or UDP protocol

Exceptions

Optional exception elements can be used to configure custom exceptions. They can then be referenced within one or more policy elements.

Example
exceptions:
  - name: appsec-exception-example
    action: skip
    comment: This is an example exception comment
    countryCode:
    - CA
    - IL
    countryName:
    - Israel
    - Canada
    hostName:
    - fff
    paramName:
    - key
    paramValue:
    - rrr
    protectionName:
    - cveee
    sourceIdentifier:
    - david
    sourceIp:
    - 1.2.3.4
    - '3,3,3,3'
    url:
    - "/rrr"
  - name: exception-example-2
    action: accept
    hostName:
    - fff
    url:
    - "/rrr"
  - name: exception-example-3
    action: drop
    comment: This is an example exception comment
    countryName:
    - Israel
    - Canada
    protectionName:
    - cveee
    sourceIdentifier:
    - david
    sourceIp:
    - 1.2.3.4
    - 2.3.4.5
    url:
    - "/rrr"
  - name: exception-example-4
    action: suppressLog
    comment: This is an example exception comment
    countryCode:
    - CA
    - IL
    countryName:
    - Israel
    - Canada
    hostName:
    - fff
    url:
    - "/rrr"
Specification

Define a list of actions-objects with the corresponding parameters to match to configure flexible custom exceptions/rules, each having the following configurable keys:

  • action string enum - Action to be performed when exception matches

    • skip / accept / drop / suppressLog

  • sourceIp string array - Source IP(s)

  • url string array - URL(s)

  • sourceIdentifier string array - Identified source(s)

  • protectionName string array - Protection(s)

  • paramValue string array - Parameter value(s)

  • paramName string array - Parameter name(s)

  • hostName string array - Host name(s)

  • countryCode string array - Country code(s)

  • countryName string array - Country name(s)

  • comment string - Comment for the exception

Trusted Sources

Optional trusted sources can be defined, for which the machine learning engine will assume, that the traffic originating from them is benign and learn accordingly.

Trusted sources elements can then be referenced within the policies section.

Example
trustedsources:
  - name: appsec-trusted-source-example
    minNumOfSources: 3
    sourcesIdentifiers: [source-identifier-1, source-identifier-2]
Specification

Define trusted sources by referencing the source identifiers custom resources as well as setting the minimum amount of sources that need to be observed by the behavioural ML engine sending certain identical traffic patterns in order to learn this behaviour as being benign.

  • minNumOfSources integer - Minimum amount of sources having to be observed sending same traffic patterns to learn behaviour as benign.

  • sourcesIdentifiers string array - Specify one or more source identifiers

Source Identifiers

Source Identifiers can be used to define how open-appsec distinguishes between different sources, e.g. based on source IP addresses, x-forwarded-for header content, etc.

Examples
source-identifiers:
  - name: appsec-source-identifiers-sourceip-example
    identifiers:
    - sourceIdentifier: sourceip
  - name: appsec-source-identifiers-JWTKey-example
    identifiers:
    - sourceIdentifier: JWTKey
      value: userfield
  - name: appsec-source-identifiers-x-forwarded-for-example
    identifiers:
    - sourceIdentifier: x-forwarded-for
      value: [1.2.3.4,5.6.7.8]
Specification

Define list of one or more specific source identifiers that can be used in trusted sources custom resources.

  • identifiers objects array - provide single source-identifier Note: Although this is an array currently only adding single source identifier here is supported. (Later an option is planned to be added to provide multiple source-identifiers here, so that if the first one is not found in an http request then the next one would be checked.)

  • source-identifier string enum - Specify the source identifier type of which the content shall be matched

    • headerkey, JWTKey, cookie, sourceip, x-forwarded-for

  • value string array - Content to match the specified sourceIdentifier type

    • For types headerkey, cookie and JWTKey provide the fieldname that designates user

    • For type Source IP no value is required

    • For type x-forwarded-for provide previous proxy hops if there are any

Schema file

Here you find the full schema file for the local declarative configuration yaml file. This also shows you which fields are required and which are optional

Schema file for local policy file
type: object
properties:
  policies:
    type: object
    properties:
      default:
        type: object
        properties:
          custom-response:
            type: string
          exceptions:
            items:
              type: string
            type: array
          mode:
            enum:
              - prevent-learn
              - detect-learn
              - prevent
              - detect
              - inactive
            type: string
          practices:
            items:
              type: string
            type: array
          source-identifiers:
            type: string
          triggers:
            items:
              type: string
            type: array
          trusted-sources:
            type: string
        required:
          - mode
          - practices
          - triggers
      specific-rules:
        type: array
        items:
          properties:
            host:
              type: string
            custom-response:
              type: string
            exceptions:
              items:
                type: string
              type: array
            mode:
              enum:
                - prevent-learn
                - detect-learn
                - prevent
                - detect
                - inactive
              type: string
            practices:
              items:
                type: string
              type: array
            source-identifiers:
              type: string
            triggers:
              items:
                type: string
              type: array
            trusted-sources:
              type: string
          required:
            - mode
            - host
            - practices
            - triggers
          type: object
  practices:
    type: array
    items:
      properties:
        name:
          type: string
        anti-bot:
          properties:
            injected-URIs:
              items:
                properties:
                  uri:
                    type: string
                type: object
              type: array
            override-mode:
              enum:
                - prevent-learn
                - detect-learn
                - prevent
                - detect
                - inactive
                - as-top-level
              type: string
              default: "inactive"
            validated-URIs:
              items:
                properties:
                  uri:
                    type: string
                type: object
              type: array
          type: object
        openapi-schema-validation:
          properties:
            files:
              items:
                type: string
              type: array
            override-mode:
              enum:
                - prevent-learn
                - detect-learn
                - prevent
                - detect
                - inactive
                - as-top-level
              type: string
          type: object
        snort-signatures:
          properties:
            files:
              items:
                type: string
              type: array
            override-mode:
              enum:
                - prevent-learn
                - detect-learn
                - prevent
                - detect
                - inactive
                - as-top-level
              type: string
          type: object
        web-attacks:
          properties:
            max-body-size-kb:
              type: integer
            max-header-size-bytes:
              type: integer
            max-object-depth:
              type: integer
            max-url-size-bytes:
              type: integer
            minimum-confidence:
              enum:
                - medium
                - high
                - critical
              type: string
            override-mode:
              enum:
                - prevent-learn
                - detect-learn
                - prevent
                - detect
                - inactive
                - as-top-level
              type: string
            protections:
              properties:
                csrf-enabled:
                  enum:
                    - prevent-learn
                    - detect-learn
                    - prevent
                    - detect
                    - inactive
                  type: string
                error-disclosure-enabled:
                  enum:
                    - prevent-learn
                    - detect-learn
                    - prevent
                    - detect
                    - inactive
                  type: string
                non-valid-http-methods:
                  type: boolean
                open-redirect-enabled:
                  enum:
                    - prevent-learn
                    - detect-learn
                    - prevent
                    - detect
                    - inactive
                  type: string
              type: object
          type: object
      required:
        - name
  custom-responses:
    type: array
    minItems: 0
    items:
      type: object
      properties:
        name:
          type: string
        http-response-code:
          maximum: 599
          minimum: 100
          default: 403
          type: integer
        message-body:
          type: string
          default: "Attack blocked by web application protection"
        message-title:
          type: string
          default: "Openappsec's <b>Application Security</b> has detected an attack and blocked it."
        mode:
          enum:
            - block-page
            - response-code-only
          type: string
      required:
        - name
  log-triggers:
    type: array
    minItems: 0
    items:
      type: object
      properties:
        name:
          type: string
        access-control-logging:
          properties:
            allow-events:
              type: boolean
              default: false
            drop-events:
              type: boolean
              default: false
          type: object
        additional-suspicious-events-logging:
          properties:
            enabled:
              type: boolean
              default true:
            minimum-severity:
              enum:
                - high
                - critical
              type: string
              default: "high"
            response-body:
              type: boolean
              default: false
            response-code:
              type: boolean
              default: true
          type: object
        appsec-logging:
          properties:
            all-web-requests:
              type: boolean
              default: false
            detect-events:
              type: boolean
              default: false
            prevent-events:
              type: boolean
              default: true
          type: object
        extended-logging:
          properties:
            http-headers:
              type: boolean
              default: false
            request-body:
              type: boolean
              default: false
            url-path:
              type: boolean
              default: false
            url-query:
              type: boolean
              default: false
          type: object
        log-destination:
          properties:
            cef-service:
              minItems: 0
              items:
                properties:
                  address:
                    type: string
                  port:
                    type: integer
                  proto:
                    enum:
                      - tcp
                      - udp
                    type: string
                type: object
              type: array
            cloud:
              type: boolean
              default: false
            stdout:
              properties:
                format:
                  enum:
                    - json
                    - json-formatted
                  type: string
                  default: json
              type: object
            syslog-service:
              minItems: 0
              items:
                properties:
                  address:
                    type: string
                  port:
                    type: integer
                type: object
              type: array
          type: object
      required:
        - name
  exceptions:
    type: array
    minItems: 0
    items:
      type: object
      properties:
        name:
          type: string
        action:
          enum:
            - skip
            - accept
            - drop
            - suppressLog
          type: string
        comment:
          type: string
        countryCode:
          items:
            type: string
          type: array
        countryName:
          items:
            type: string
          type: array
        hostName:
          items:
            type: string
          type: array
        paramName:
          items:
            type: string
          type: array
        paramValue:
          items:
            type: string
          type: array
        protectionName:
          items:
            type: string
          type: array
        sourceIdentifier:
          items:
            type: string
          type: array
        sourceIp:
          items:
            type: string
          type: array
        url:
          items:
            type: string
          type: array
      required:
        - name
        - action
  trusted-sources:
    type: array
    minItems: 0
    items:
      type: object
      properties:
        name:
          type: string
        minNumOfSources:
          type: integer
          minimum: 1
          default: 3
        sources-identifiers:
          items:
            type: string
          type: array
      required:
        - name
        - sources-identifiers
  source-identifiers:
    type: array
    minItems: 0
    items:
      type: object
      properties:
        name:
          type: string
        identifiers:
          type: array
          minItems: 1
          items:
            type: object
            source-identifier:
              enum:
                - headerkey
                - JWTKey
                - cookie
                - sourceip
                - x-forwarded-for
              type: string
            value:
              items:
                type: string
              type: array
          required:
            - source-identifier
      required:
        - name
        - identifiers
additionalProperties: false

Last updated