Local Policy File v1beta2 (beta)

To use the v1beta2 CRDs, replace the existing configuration file on your agent:

  • For Linux deployments use

open-appsec-ctl --edit-policy
  • For Docker deployments replace the mounted local configuration file.

Make sure to apply the policy once done.

open-appsec-ctl --apply-policy

Example configurations can be found here.

Local Policy Configuration

You can download all the configuration segments examples shown below in a single file here:

https://raw.githubusercontent.com/openappsec/openappsec/main/config/linux/v1beta2/example/local_policy.yaml

Policies

The policies section defines the default behaviors that will apply to all web resources exposed as well as specific rules for overriding the default behavior for specific hostname/path combinations.

Example
policies:
  default:
    mode: detect-learn
    accessControlPractices: [access-control-practice-example]
    threatPreventionPractices: [threat-prevention-practice-example]
    triggers: [log-trigger-example]
    customResponse: web-user-response-exmaple
    sourceIdentifiers: ""
    trustedSources: ""
    exceptions:
      - exception-example
  specificRules:
    - host: "example.com"
      mode: prevent-learn
      threatPreventionPractices: [threat-prevention-practice-example]
      accessControlPractices: [access-control-practice-example]
      triggers: [log-trigger-example]
      customResponse: web-user-response-exmaple
      sourceIdentifiers: ""
      trustedSources: ""
      exceptions:
        - exception-example
Specification
  • default (object, required): The default configuration for the policy.

    • mode (string, required): Specifies the mode of the entire policy.

      • Possible values: prevent-learn, detect-learn, prevent, detect, inactive.

      • Default: detect-learn.

    • threatPreventionPractices (array<string>, required): A list of threat prevention practices.

      • Minimum items: 0.

    • accessControlPractices (array<string>, required): A list of access control practices.

      • Minimum items: 0.

    • customResponse (string, optional): Specifies a custom response code.

      • Default: 403.

    • triggers (array<string>, required): Specifies additional triggers for the policy.

    • sourceIdentifiers (string, optional): Specifies source identifiers for the policy.

    • trustedSources (string, optional): Specifies trusted sources for the policy.

    • exceptions (array<string>, optional): Specifies exception rules for the policy.

  • specificRules (array<object>, optional): Specifies rules tailored to specific hosts.

    • host (string, required): Specifies the host for the rule.

    • mode (string, required): Mode for the specific rule.

      • Possible values: prevent-learn, detect-learn, prevent, detect, inactive.

      • Default: detect-learn.

    • threatPreventionPractices (array<string>, required): Threat prevention practices for the specific rule.

    • accessControlPractices (array<string>, required): Access control practices for the specific rule.

    • triggers (array<string>, required): Triggers for the specific rule.

    • customResponse (string, optional): Custom response code for the specific rule.

    • sourceIdentifiers (string, optional): Source identifiers for the specific rule.

    • trustedSources (string, optional): Trusted sources for the specific rule.

    • exceptions (array<string>, optional): Exception rules for the specific rule.

Threat Prevention Practice

Practice resources define which threat prevention security engines will be active and what their settings are.

Example
threatPreventionPractices:
  - name: threat-prevention-practice-example
    practiceMode: inherited
    webAttacks:
      overrideMode: inherited
      minimumConfidence: high
    intrusionPrevention:
    # intrusion prevention (IPS) requires "Premium Edition"
      overrideMode: inherited
      maxPerformanceImpact: medium
      minSeverityLevel: medium
      minCveYear: 2016
      highConfidenceEventAction: inherited
      mediumConfidenceEventAction: inherited
      lowConfidenceEventAction: detect
    fileSecurity:
    # file security requires "Premium Edition"
      overrideMode: inherited
      minSeverityLevel: medium
      highConfidenceEventAction: inherited
      mediumConfidenceEventAction: inherited
      lowConfidenceEventAction: detect
    snortSignatures:
      # you must specify snort signatures in configmap or file to activate snort inspection
      overrideMode: inherited
      configmap: []
      # relevant for deployments on kubernetes
      # 0 or 1 configmaps supported in array
      files: []
      # relevant for docker and linux embedded deployments
      # 0 or 1 files supported in array
    schemaValidation: # schema validation requires "Premium Edition" 
      overrideMode: inherited
      configmap: []
      # relevant for deployments on kubernetes
      # 0 or 1 configmaps supported in array
      files: []
      # relevant for docker and linux embedded deployments
      # 0 or 1 files supported in array
    antiBot: # antibot requires "Premium Edition" 
      overrideMode: inherited
      injectedUris: []
      validatedUris: []
Specification
  • name (string, required): Unique name for the threat prevention practice.

  • practiceMode (string, optional): Defines the mode of operation for the practice. Possible values: inherited, prevent-learn, detect-learn, prevent, detect, inactive.

    • Default: inherited (inherited from the mode set in the policy).

  • webAttacks (object, required)

    • overrideMode (string, optional): The override mode for web attacks. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited (inherited from the threatPreventionPractice mode set in the policy).

      • Default: inherited

    • minimumConfidence (string, optional): The minimum confidence level for web attacks. Possible values: medium, high, critical.

      • Default: high

    • maxUrlSizeBytes (integer, optional): Maximum URL size in bytes.

      • Default: 32768

    • maxObjectDepth (integer, optional): Maximum object depth.

      • Default: 40

    • maxBodySizeKb (integer, optional): Maximum body size in KB.

      • Default: 1000000

    • maxHeaderSizeBytes (integer, optional): Maximum header size in bytes.

      • Default: 102400

    • protections (object, optional)

      • csrfProtection (string, optional): CSRF protection mode. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited (inherited from overrideMode).

        • Default: inactive

      • errorDisclosure (string, optional): Error disclosure mode. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited (inherited from overrideMode).

        • Default: inactive

      • openRedirect (string, optional): Open redirect protection mode. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited (inherited from overrideMode).

        • Default: inactive

      • nonValidHttpMethods (boolean, optional)

        • Default: false

  • antiBot (object, optional)

    • overrideMode (string, required): Override mode for bot prevention. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited (inherited from the threatPreventionPractice mode set in the policy).

      • Default: inactive

    • injectedUris (array<string>, optional): List of injected URIs to be checked for bot prevention.

    • validatedUris (array<string>, optional): List of validated URIs to be checked for bot prevention.

  • snortSignatures (object, optional)

    • overrideMode (string, required): Override mode for Snort signatures. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited.

      • Default: inherited (inherited from the threatPreventionPractice mode set in the policy)

    • configmap (array<string>, optional): List of configuration maps related to Snort signatures.

    • files (array<string>, optional): List of files related to Snort signatures.

  • schemaValidation (object, optional)

    • overrideMode (string, required): Override mode for schema validation. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited.

      • Default: inherited (inherited from the threatPreventionPractice mode set in the policy)

    • enforcementLevel (string, optional): Level of enforcement for schema validation.

    • configmap (array<string>, optional): List of configuration maps related to schema validation.

    • files (array<string>, optional): List of files related to schema validation.

  • intrusionPrevention (object, optional)

    • overrideMode (string, required): Override mode for intrusion prevention. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited (inherited from the threatPreventionPractice mode set in the policy).

      • Default: inactive

    • maxPerformanceImpact (string, optional): Maximum acceptable performance impact. Possible values: low, medium, high.

      • Default: medium

    • minSeverityLevel (string, optional): Minimum severity level for intrusion prevention events. Possible values: low, medium, high, critical.

      • Default: medium

    • minCveYear (integer, optional): Minimum CVE year for inclusion in intrusion prevention events.

      • Default: 2016

    • highConfidenceEventAction (string, optional): Action for high confidence events. Possible values: prevent, detect, inactive, inherited.

      • Default: inherited (as set in overrideMode for intrusionPrevention)

    • mediumConfidenceEventAction (string, optional): Action for medium confidence events. Possible values: prevent, detect, inactive, inherited.

      • Default: inherited (as set in overrideMode for intrusionPrevention)

    • lowConfidenceEventAction (string, optional): Action for low confidence events. Possible values: prevent, detect, inactive, inherited.

      • Default: detect

  • fileSecurity (object, optional)

    • overrideMode (string, required): Override mode for file security. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited (inherited from the threatPreventionPractice mode set in the policy).

      • Default: inactive

    • minSeverityLevel (string, optional): Minimum severity level for file security events. Possible values: low, medium, high, critical.

      • Default: medium

    • highConfidenceEventAction (string, optional): Action for high confidence events. Possible values: prevent, detect, inactive, inherited.

      • Default: inherited (as set in overrideMode for fileSecurity)

    • mediumConfidenceEventAction (string, optional): Action for medium confidence events. Possible values: prevent, detect, inactive, inherited.

      • Default: inherited (as set in overrideMode for fileSecurity)

    • lowConfidenceEventAction (string, optional): Action for low confidence events. Possible values: prevent, detect, inactive, inherited.

      • Default: detect

    • archiveInspection (object, optional):

      • extractArchiveFiles (boolean, optional): Whether to extract files from archives for inspection.

        • Default: false.

      • scanMaxFileSize (integer, optional): Maximum file size to scan within archives. Default: 10.

      • scanMaxFileSizeUnit (string, optional): Unit of the maximum file size for scanning. Possible values: bytes, KB, MB, GB.

        • Default: MB.

      • archivedFilesWithinArchivedFiles (string, optional): Action for archived files nested within other archived files. Possible values: prevent, detect, inactive, inherited.

        • Default: inherited, as set in overrideMode for fileSecurity.

      • archivedFilesWhereContentExtractionFailed (string, optional): Action when content extraction from archived files fails. Possible values: prevent, detect, inactive, inherited.

        • Default: inherited, as set in overrideMode for fileSecurity.

    • largeFileInspection (object, optional):

      • fileSizeLimit (integer, optional): Maximum file size limit for inspection.

        • Default: 10.

      • fileSizeLimitUnit (string, optional): Unit of the file size limit. Possible values: bytes, KB, MB, GB.

        • Default: MB.

      • filesExceedingSizeLimitAction (string, optional): Action for files exceeding the size limit. Possible values: prevent, detect, inactive, inherited.

        • Default: inherited, as set in overrideMode for fileSecurity.

    • unnamedFilesAction (string, optional): Action for unnamed files. Possible values: prevent, detect, inactive, inherited.

      • Default: inherited, as set in overrideMode for fileSecurity.

    • threatEmulationEnabled (boolean, optional): Whether threat emulation is enabled for file security.

      • Default: false.
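The inheritance chain spelled out in the Policies and Threat Prevention Practice specifications above (policy mode, then practiceMode, then an engine's overrideMode, then its per-confidence event action) is easy to misread in a large file. The Python below is an added example, not open-appsec code: it resolves the effective mode of an engine for a given host and lints the policy for references to practices, triggers, exceptions or custom responses that are never defined. It assumes the policy has already been loaded into a dict (the constructed SAMPLE mirrors the page's example) and treats an engine block that is absent from a practice as inactive.

```python
"""Effective-mode resolution and reference linting for an open-appsec v1beta2 local policy (added example)."""

# Policy mode values as listed in the Policies specification on this page.
POLICY_MODES = {"prevent-learn", "detect-learn", "prevent", "detect", "inactive"}

# Constructed sample mirroring the page's YAML example, as a dict so it runs without
# PyYAML; 'missing-trigger' is a deliberately dangling reference for the linter.
SAMPLE = {
    "policies": {
        "default": {
            "mode": "detect-learn",
            "threatPreventionPractices": ["threat-prevention-practice-example"],
            "accessControlPractices": ["access-control-practice-example"],
            "triggers": ["log-trigger-example"],
            "customResponse": "web-user-response-exmaple",
            "exceptions": ["exception-example"],
        },
        "specificRules": [{
            "host": "example.com",
            "mode": "prevent-learn",
            "threatPreventionPractices": ["threat-prevention-practice-example"],
            "accessControlPractices": ["access-control-practice-example"],
            "triggers": ["missing-trigger"],
            "customResponse": "",
            "exceptions": [],
        }],
    },
    "threatPreventionPractices": [{
        "name": "threat-prevention-practice-example",
        "practiceMode": "inherited",
        "webAttacks": {"overrideMode": "inherited", "minimumConfidence": "high"},
        "intrusionPrevention": {
            "overrideMode": "inherited",
            "highConfidenceEventAction": "inherited",
            "mediumConfidenceEventAction": "inherited",
            "lowConfidenceEventAction": "detect",
        },
    }],
    "accessControlPractices": [{"name": "access-control-practice-example"}],
    "logTriggers": [{"name": "log-trigger-example"}],
    "customResponses": [{"name": "web-user-response-exmaple"}],
    "exceptions": [{"name": "exception-example"}],
}

def rule_for_host(doc, host):
    """The specificRule whose host matches, otherwise the default rule."""
    for rule in doc["policies"].get("specificRules", []):
        if rule.get("host") == host:
            return rule
    return doc["policies"]["default"]

def inherit(value, parent):
    """'inherited' (or an absent value) resolves to the parent's mode."""
    return parent if value in (None, "inherited") else value

def effective_engine_mode(doc, host, practice_name, engine):
    """Walk the chain: policy mode -> practiceMode -> engine overrideMode."""
    rule = rule_for_host(doc, host)
    practice = next(p for p in doc["threatPreventionPractices"] if p["name"] == practice_name)
    practice_mode = inherit(practice.get("practiceMode"), rule["mode"])
    engine_cfg = practice.get(engine)
    if engine_cfg is None:  # assumption: an engine not configured at all stays inactive
        return "inactive"
    return inherit(engine_cfg.get("overrideMode"), practice_mode)

def effective_event_action(doc, host, practice_name, engine, confidence):
    """Per-confidence action (IPS, file security); 'inherited' means the engine's resolved overrideMode."""
    engine_mode = effective_engine_mode(doc, host, practice_name, engine)
    practice = next(p for p in doc["threatPreventionPractices"] if p["name"] == practice_name)
    action = practice.get(engine, {}).get(f"{confidence}ConfidenceEventAction")
    return inherit(action, engine_mode)

def lint_references(doc):
    """Findings for invalid policy modes and references that name no defined element."""
    defined = {
        "threatPreventionPractices": {p["name"] for p in doc.get("threatPreventionPractices", [])},
        "accessControlPractices": {p["name"] for p in doc.get("accessControlPractices", [])},
        "triggers": {t["name"] for t in doc.get("logTriggers", [])},
        "exceptions": {e["name"] for e in doc.get("exceptions", [])},
        "customResponse": {c["name"] for c in doc.get("customResponses", [])},
    }
    rules = [("default", doc["policies"]["default"])]
    rules += [(r.get("host", "?"), r) for r in doc["policies"].get("specificRules", [])]
    findings = []
    for label, rule in rules:
        if rule.get("mode") not in POLICY_MODES:
            findings.append(f"{label}: invalid mode {rule.get('mode')!r}")
        for field, names in defined.items():
            refs = rule.get(field) or []  # "" and [] both mean "nothing referenced"
            for ref in [refs] if isinstance(refs, str) else refs:
                if ref not in names:
                    findings.append(f"{label}: {field} references undefined {ref!r}")
    return findings

if __name__ == "__main__":
    print(effective_engine_mode(SAMPLE, "example.com", "threat-prevention-practice-example", "webAttacks"))
    print(lint_references(SAMPLE))
```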

Access Control Practice

Practice resources define which Access Control security engines will be active and what their settings are.

Examples
accessControlPractices:
  - name: access-control-practice-example
    practiceMode: inherited
    rateLimit:
    # specify one or more rules below to use rate limiting
      overrideMode: inherited
      rules: []
Specification
  • name (string, required): The name of the access control policy.

  • practiceMode (string, optional): Defines the mode for the access control policy. Possible values: prevent, detect, inactive, inherited (inherited values are determined by the mode set in the policy).

    • Default: inherited.

  • rateLimit (object, required):

    • overrideMode (string, optional): Allows overriding the mode defined at the policy level for this specific engine. Possible values: prevent, detect, inactive, inherited (inherited values are determined by the mode set in the practice).

      • Default: inactive.

    • rules (array<object>, optional): List of rate-limiting rules.

      • action (string, optional): Action to take when a rate limit is exceeded. Possible values: inherited, prevent, detect (inherited values are determined by the mode set in the rate limiting override mode).

        • Default: inherited.

      • condition (array<object>, optional): List of conditions for rate limiting (currently not supported).

        • key (string, required): The key for the condition.

        • value (string, required): The value for the condition.

      • uri (string, optional): URI pattern for the rate limit rule.

      • limit (integer, optional): The rate limit threshold.

      • unit (string, optional): The time unit for the rate limit. Possible values: minute, second.

        • Default: minute.

      • triggers (array<object>, optional): List of triggers that activate the rule.

      • comment (string, optional): A comment explaining the rate limit.

Custom Response

Optional custom responses can be configured to return, in prevent mode, either a customizable block page or only the desired response code. The custom responses can then be referenced within one or more policy elements.

Examples
customResponses:
  - name: web-user-response-exmaple
    mode: response-code-only
    httpResponseCode: 403
Specification
  • name (string, required): A unique name for the custom response configuration.

  • mode (string, required): Defines the response mode for blocked requests. Possible values: block-page, redirect, response-code-only.

    • Default: response-code-only.

  • messageTitle (string, optional): Title displayed on the block page (relevant when mode is block-page).

  • messageBody (string, optional): Body message displayed on the block page (relevant when mode is block-page).

  • httpResponseCode (integer, required): HTTP response code returned when blocking. Minimum: 100. Maximum: 599.

    • Default: 403.

  • redirectUrl (string, optional): URL to redirect the blocked requests to (relevant when mode is redirect).

  • redirectAddXEventId (boolean, optional): Adds an X-Event-ID header to redirected requests.

    • Default: false.

Log Trigger

Optional log trigger elements can be used to configure custom logging requirements. They can then be referenced within one or more policy elements.

Example
logTriggers:
  - name: log-trigger-example
    accessControlLogging:
      allowEvents: false
      dropEvents: true
    appsecLogging:
      detectEvents: true
      preventEvents: true
      allWebRequests: false
    extendedLogging:
      urlPath: true
      urlQuery: true
      httpHeaders: false
      requestBody: false
    additionalSuspiciousEventsLogging:
      enabled: true
      minSeverity: high
      responseBody: false
      responseCode: true
    logDestination:
      cloud: true
      logToAgent: false
      stdout:
        format: json
Specification

  • name (string, required): The unique name identifying the log trigger.

  • accessControlLogging (object, required): Configuration for access control logs.

    • allowEvents (boolean, optional): Log allowed events.

      • Default: false.

    • dropEvents (boolean, optional): Log dropped events.

      • Default: true.

  • appsecLogging (object, required): Configuration for application security logs.

    • detectEvents (boolean, optional): Log detection events.

      • Default: true.

    • preventEvents (boolean, optional): Log prevention events.

      • Default: true.

    • allWebRequests (boolean, optional): Log all web requests, regardless of action.

      • Default: false.

  • additionalSuspiciousEventsLogging (object, required): Configuration for logging suspicious events.

    • enabled (boolean, optional): Enable or disable logging for suspicious events. Default: true.

    • minSeverity (string, optional): Minimum severity level to log. Options: high, critical.

      • Default: high.

    • responseBody (boolean, optional): Include response body in logs.

      • Default: false.

    • responseCode (boolean, optional): Include response code in logs.

      • Default: true.

  • extendedLogging (object, required): Configuration for extended logging details.

    • urlPath (boolean, optional): Log URL path.

      • Default: false.

    • urlQuery (boolean, optional): Log URL query parameters.

      • Default: false.

    • httpHeaders (boolean, optional): Log HTTP headers.

      • Default: false.

    • requestBody (boolean, optional): Log HTTP request body.

      • Default: false.

  • logDestination (object, required): Configuration for log destinations.

    • cloud (boolean, optional): Send logs to the cloud.

      • Default: false.

    • syslogService (array<object>, optional): List of syslog services.

      • address (array<string>, required): Syslog server address.

      • port (integer, required): Syslog server port.

    • logToAgent (boolean, optional): Send logs to the agent.

      • Default: true.

    • stdout (object, optional): Configuration for logs sent to standard output.

      • format (string, optional): Log format. Options: json, json-formatted.

        • Default: json.

    • k8s-service (boolean, optional): Enable logging to a Kubernetes service (default depends on environment type).

    • cefService (array<object>, optional): List of CEF (Common Event Format) services.

      • address (string, required): CEF server address.

      • port (integer, required): CEF server port.

      • proto (string, optional): Protocol for CEF. Options: tcp, udp.

Exceptions

Optional exception elements can be used to configure custom exceptions. They can then be referenced within one or more policy elements.

Example
exceptions:
  - name: exception-example
    action: "accept"
    condition:
      - key: "countryCode"
        value: "US"
Specification
  • name (string, required): The unique name identifying the exception.

  • action (string, required): Action to take when the exception is triggered. Possible options: skip, accept, drop, suppressLog.

    • Default: accept.

  • condition (array<object>, required): List of one or more conditions that must be met for the exception to apply.

    • key (string, required): The key to evaluate, such as sourceIP, countryCode, or URL. Find the full list here.

    • value (string, required): The value associated with the key to match.

Trusted Sources

Optional trusted sources can be defined, for which the machine learning engine will assume that traffic originating from them is benign and learn accordingly.

Trusted sources elements can then be referenced within the policies section.

Example
trustedsources:
  - name: trusted-sources-example
    minNumOfSources: 3
    sourcesIdentifiers:
    - 1.0.0.27
    - 1.0.0.28
    - 1.0.0.29
Specification
  • name (string): A unique identifier for the trusted source configuration.

  • minNumOfSources (integer, required): The minimum number of trusted sources needed to apply the configuration.

    • Default: 3.

  • sourcesIdentifiers: (array<stri

Source Identifiers

Source Identifiers can be used to define how open-appsec distinguishes between different sources, e.g. based on source IP addresses, x-forwarded-for header content, etc.

Examples
sourcesIdentifiers:
  - name: sources-identifier-example
    sourcesIdentifiers:
      - identifier: sourceip
        value:
          - "0.0.0.0"
Specification
  • name (string, required): A unique identifier for the sources configuration.

  • sourcesIdentifiers (array<object>, required): A list of source identifiers to distinguish between sources based on the selected type and values. Each item is an object with the following properties:

    • identifier (string enum, required): The type of identifier. Possible options: headerkey, JWTKey, cookie, sourceip, x-forwarded-for.

      • Default: sourceip.

    • value (array<string>, required): A list of values associated with the identifier. Each item is a string.

Schema file

Here you can find the full schema file for the local declarative configuration YAML file. It also shows which fields are required and which are optional.

Schema file for local policy file
type: object
properties:
  apiVersion:
    type: string
    enum:
    - v1beta1
    - v1beta2
  policies:
    type: object
    properties:
      appsecClassName:
        type: string
      default:
        type: object
        required:
        - mode
        - threatPreventionPractices
        - accessControlPractices
        properties:
          mode:
            type: string
            enum:
            - prevent-learn
            - detect-learn
            - prevent
            - detect
            - inactive
            default: detect-learn
          threatPreventionPractices:
            type: array
            items:
              type: string
          accessControlPractices:
            type: array
            items:
              type: string
          customResponse:
            type: string
            default: "403"
          triggers:
            type: array
            items:
              type: string
          sourceIdentifiers:
            type: string
          trustedSources:
            type: string
          exceptions:
            type: array
            items:
              type: string
      specificRules:
        type: array
        items:
          type: object
          properties:
            name:
              type: string
            host:
              type: string
            mode:
              type: string
              enum:
              - prevent-learn
              - detect-learn
              - prevent
              - detect
              - inactive
              default: detect-learn
            threatPreventionPractices:
              type: array
              items:
                type: string
            accessControlPractices:
              type: array
              items:
                type: string
            triggers:
              type: array
              items:
                type: string
            customResponse:
              type: string
            sourceIdentifiers:
              type: string
            trustedSources:
              type: string
            exceptions:
              type: array
              items:
                type: string
  logTriggers:
    type: array
    items:
      type: object
      required:
      - accessControlLogging
      - appsecLogging
      - additionalSuspiciousEventsLogging
      - extendedLogging
      - logDestination
      properties:
        appsecClassName:
          type: string
        name:
          type: string
        accessControlLogging:
          type: object
          properties:
            allowEvents:
              type: boolean
              default: false
            dropEvents:
              type: boolean
              default: true
        appsecLogging:
          type: object
          properties:
            detectEvents:
              type: boolean
              default: true
            preventEvents:
              type: boolean
              default: true
            allWebRequests:
              type: boolean
              default: false
        additionalSuspiciousEventsLogging:
          type: object
          properties:
            enabled:
              type: boolean
              default: true
            minSeverity:
              type: string
              enum:
              - high
              - critical
              default: high
            responseBody:
              type: boolean
              default: false
            responseCode:
              type: boolean
              default: true
        extendedLogging:
          type: object
          properties:
            urlPath:
              type: boolean
              default: false
            urlQuery:
              type: boolean
              default: false
            httpHeaders:
              type: boolean
              default: false
            requestBody:
              type: boolean
              default: false
        logDestination:
          type: object
          properties:
            cloud:
              type: boolean
              default: false
            local-tuning:
              type: boolean
              default: false
            syslogService:
              type: array
              items:
                type: object
                properties:
                  address:
                    type: string
                  port:
                    type: integer
            logToAgent:
              type: boolean
              default: true
            stdout:
              type: object
              properties:
                format:
                  type: string
                  enum:
                  - json
                  - json-formatted
                  default: json
            cefService:
              type: array
              items:
                type: object
                properties:
                  address:
                    type: string
                  port:
                    type: integer
                  proto:
                    type: string
                    enum:
                    - tcp
                    - udp
  threatPreventionPractices:
    type: array
    items:
      type: object
      required:
      - webAttacks
      - intrusionPrevention
      - fileSecurity
      - snortSignatures
      properties:
        appsecClassName:
          type: string
        name:
          type: string
        practiceMode:
          type: string
          enum:
          - inherited
          - prevent-learn
          - detect-learn
          - prevent
          - detect
          - inactive
          default: inherited
        webAttacks:
          type: object
          required:
          - overrideMode
          properties:
            overrideMode:
              type: string
              enum:
              - prevent-learn
              - detect-learn
              - prevent
              - detect
              - inactive
              - inherited
              default: inactive
            minimumConfidence:
              type: string
              enum:
              - medium
              - high
              - critical
              default: high
            maxUrlSizeBytes:
              type: integer
              default: 32768
            maxObjectDepth:
              type: integer
              default: 40
            maxBodySizeKb:
              type: integer
              default: 1000000
            maxHeaderSizeBytes:
              type: integer
              default: 102400
            protections:
              type: object
              properties:
                csrfProtection:
                  type: string
                  enum:
                  - prevent-learn
                  - detect-learn
                  - prevent
                  - detect
                  - inactive
                  - inherited
                  default: inactive
                errorDisclosure:
                  type: string
                  enum:
                  - prevent-learn
                  - detect-learn
                  - prevent
                  - detect
                  - inactive
                  - inherited
                  default: inactive
                openRedirect:
                  type: string
                  enum:
                  - prevent-learn
                  - detect-learn
                  - prevent
                  - detect
                  - inactive
                  - inherited
                  default: inactive
                nonValidHttpMethods:
                  type: boolean
                  default: false
        antiBot:
          type: object
          required:
          - overrideMode
          properties:
            overrideMode:
              type: string
              enum:
              - prevent-learn
              - detect-learn
              - prevent
              - detect
              - inactive
              - inherited
              default: inactive
            injectedUris:
              type: array
              items:
                type: object
                properties:
                  uri:
                    type: string
            validatedUris:
              type: array
              items:
                type: object
                properties:
                  uri:
                    type: string
        snortSignatures:
          type: object
          required:
          - overrideMode
          properties:
            overrideMode:
              type: string
              enum:
              - prevent-learn
              - detect-learn
              - prevent
              - detect
              - inactive
              - inherited
              default: inactive
            configmap:
              type: array
              items:
                type: string
            files:
              type: array
              items:
                type: string
        schemaValidation:
          type: object
          required:
          - overrideMode
          properties:
            overrideMode:
              type: string
              enum:
              - prevent-learn
              - detect-learn
              - prevent
              - detect
              - inactive
              - inherited
              default: inactive
            enforcementLevel:
              type: string
            configmap:
              type: array
              items:
                type: string
            files:
              type: array
              items:
                type: string
        intrusionPrevention:
          type: object
          required:
          - overrideMode
          properties:
            overrideMode:
              type: string
              enum:
              - prevent-learn
              - detect-learn
              - prevent
              - detect
              - inactive
              - inherited
              default: inactive
            maxPerformanceImpact:
              type: string
              enum:
              - low
              - medium
              - high
              default: medium
            minSeverityLevel:
              type: string
              enum:
              - low
              - medium
              - high
              - critical
              default: medium
            minCveYear:
              type: integer
              default: 2016
            highConfidenceEventAction:
              type: string
              enum:
              - prevent
              - detect
              - inactive
              - inherited
              default: inherited
            mediumConfidenceEventAction:
              type: string
              enum:
              - prevent
              - detect
              - inactive
              - inherited
              default: inherited
            lowConfidenceEventAction:
              type: string
              enum:
              - prevent
              - detect
              - inactive
              - inherited
              default: detect
        fileSecurity:
          type: object
          required:
          - overrideMode
          properties:
            overrideMode:
              type: string
              enum:
              - prevent-learn
              - detect-learn
              - prevent
              - detect
              - inactive
              - inherited
              default: inactive
            minSeverityLevel:
              type: string
              enum:
              - low
              - medium
              - high
              - critical
              default: medium
            highConfidenceEventAction:
              type: string
              enum:
              - prevent
              - detect
              - inactive
              - inherited
              default: inherited
            mediumConfidenceEventAction:
              type: string
              enum:
              - prevent
              - detect
              - inactive
              - inherited
              default: inherited
            lowConfidenceEventAction:
              type: string
              enum:
              - prevent
              - detect
              - inactive
              - inherited
              default: detect
            archiveInspection:
              type: object
              properties:
                extractArchiveFiles:
                  type: boolean
                  default: false
                scanMaxFileSize:
                  type: integer
                  default: 10
                scanMaxFileSizeUnit:
                  type: string
                  enum:
                  - bytes
                  - KB
                  - MB
                  - GB
                  default: MB
                archivedFilesWithinArchivedFiles:
                  type: string
                  enum:
                  - prevent
                  - detect
                  - inactive
                  - inherited #as set in overrideMode for fileSecurity
                  default: inherited
                archivedFilesWhereContentExtractionFailed:
                  type: string
                  enum:
                  - prevent
                  - detect
                  - inactive
                  - inherited #as set in overrideMode for fileSecurity
                  default: inherited
            largeFileInspection:
              type: object
              properties:
                fileSizeLimit:
                  type: integer
                  default: 10
                fileSizeLimitUnit:
                  type: string
                  enum:
                  - bytes
                  - KB
                  - MB
                  - GB
                  default: MB
                filesExceedingSizeLimitAction:
                  type: string
                  enum:
                  - prevent
                  - detect
                  - inactive
                  - inherited #as set in overrideMode for fileSecurity
                  default: inherited
            unnamedFilesAction:
              type: string
              enum:
              - prevent
              - detect
              - inactive
              - inherited #as set in overrideMode for fileSecurity
              default: inherited
            threatEmulationEnabled:
              type: boolean
              default: false
  accessControlPractices:
    type: array
    items:
      type: object
      required:
      - rateLimit
      properties:
        appsecClassName:
          type: string
        name:
          type: string
        practiceMode:
          type: string
          enum:
          - inherited #inherited from mode set in policy
          - prevent
          - detect
          - inactive
          default: inherited
        rateLimit:
          type: object
          required:
          - overrideMode
          properties:
            overrideMode:
              type: string
              enum:
              - prevent
              - detect
              - inactive
              - inherited
              default: inactive
            rules:
              type: array
              items:
                type: object
                properties:
                  action: # currently not supported
                    type: string
                    enum:
                    - inherited
                    - prevent
                    - detect
                    default: inherited
                  condition: # currently not supported
                    type: array
                    items:
                      type: object
                      required:
                      - key
                      - value
                      properties:
                        key:
                          type: string
                        value:
                          type: string
                  uri:
                    type: string
                  limit:
                    type: integer
                  unit:
                    type: string
                    enum:
                    - minute
                    - second
                    default: minute
                  triggers:
                    type: array
                    items:
                      type: string
                  comment:
                    type: string
  customResponses:
    type: array
    items:
      type: object
      required:
      - mode
      properties:
        appsecClassName:
          type: string
        name:
          type: string
        mode:
          type: string
          enum:
          - block-page
          - redirect
          - response-code-only
          default: response-code-only
        messageTitle:
          type: string
        messageBody:
          type: string
        httpResponseCode:
          type: integer
          minimum: 100
          maximum: 599
          default: 403
        redirectUrl:
          type: string
        redirectAddXEventId:
          type: boolean
          default: false
  sourcesIdentifiers:
    type: array
    items:
      type: object
      required:
      - sourcesIdentifiers
      properties:
        name:
          type: string
        sourcesIdentifiers:
          type: array
          items:
            type: object
            required:
            - identifier
            properties:
              identifier:
                type: string
                enum:
                - headerkey
                - JWTKey
                - cookie
                - sourceip
                - x-forwarded-for
                default: sourceip
              value:
                type: array
                items:
                  type: string
  exceptions:
    type: array
    items:
      type: object
      required:
      - action
      - condition
      properties:
        appsecClassName:
          type: string
        name:
          type: string
        action:
          type: string
          enum:
          - skip
          - accept
          - drop
          - suppressLog
          default: accept
        condition:
          type: array
          items:
            type: object
            required:
            - key
            - value
            properties:
              key:
                type: string
              value:
                type: string
  trustedSources:
    type: array
    items:
      type: object
      required:
      - minNumOfSources
      - sourcesIdentifiers
      properties:
        appsecClassName:
          type: string
        name:
          type: string
        minNumOfSources:
          type: integer
          default: 3
        sourcesIdentifiers:
          type: array
          items:
            type: string
  policyActivations:
    type: array
    items:
      type: object
      properties:
        appsecClassName:
          type: string
        enabledPolicies:
          type: array
          items:
            type: object
            properties:
              name:
                type: string
              hosts:
                type: array
                items:
                  type: string
            required:
            - hosts
      required:
      - enabledPolicies
additionalProperties: false
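As an added example (not code from the open-appsec project), the validator below checks a policy fragment against the subset of schema keywords the schema above actually uses (type, required, properties, items, enum, minimum, maximum, additionalProperties) and fills declared defaults, so a misconfigured `customResponses` entry is caught before `--apply-policy`. It assumes the policy has already been loaded into Python dicts (for example with `yaml.safe_load`); the schema fragment is transcribed from the `customResponses` section above and the sample values are constructed.

```python
# Added example, not open-appsec code: minimal validator for the schema subset used above.
TYPES = {"string": str, "integer": int, "boolean": bool,
         "array": list, "object": dict}

def validate(instance, schema, path="$"):
    """Return a list of violations (empty = valid); fills defaults in place."""
    errs = []
    t = schema.get("type")
    if t and (not isinstance(instance, TYPES[t])
              or (t == "integer" and isinstance(instance, bool))):
        return [f"{path}: expected {t}, got {type(instance).__name__}"]
    if "enum" in schema and instance not in schema["enum"]:
        errs.append(f"{path}: {instance!r} not in {schema['enum']}")
    if "minimum" in schema and instance < schema["minimum"]:
        errs.append(f"{path}: {instance} < minimum {schema['minimum']}")
    if "maximum" in schema and instance > schema["maximum"]:
        errs.append(f"{path}: {instance} > maximum {schema['maximum']}")
    if t == "object":
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in instance:
                errs.append(f"{path}: missing required key {key!r}")
        for key, val in instance.items():
            if key in props:
                errs += validate(val, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties") is False:
                errs.append(f"{path}: unexpected key {key!r}")
        for key, sub in props.items():  # apply the defaults the schema declares
            if key not in instance and "default" in sub:
                instance[key] = sub["default"]
    elif t == "array":
        for i, item in enumerate(instance):
            errs += validate(item, schema.get("items", {}), f"{path}[{i}]")
    return errs

# Transcribed from the customResponses section of the schema above.
CUSTOM_RESPONSES_SCHEMA = {
    "type": "array",
    "items": {"type": "object", "required": ["mode"], "properties": {
        "appsecClassName": {"type": "string"},
        "name": {"type": "string"},
        "mode": {"type": "string", "default": "response-code-only",
                 "enum": ["block-page", "redirect", "response-code-only"]},
        "messageTitle": {"type": "string"},
        "messageBody": {"type": "string"},
        "httpResponseCode": {"type": "integer", "minimum": 100,
                             "maximum": 599, "default": 403},
        "redirectUrl": {"type": "string"},
        "redirectAddXEventId": {"type": "boolean", "default": False}}}}
```

Calling `validate(policy["customResponses"], CUSTOM_RESPONSES_SCHEMA)` on a constructed entry with `httpResponseCode: 600` returns one violation naming `$[0].httpResponseCode`, while a valid entry comes back with `httpResponseCode` and `redirectAddXEventId` filled in from their defaults.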
