Local Policy File v1beta2 (beta)
Beta Feature Notice This feature is currently in beta and may undergo changes based on user feedback and testing. please note that some functionality may be subject to updates or improvements in future releases.
We encourage you to explore this feature and share your feedback to help us enhance it. If you encounter any issues or have suggestions, please contact us at info@openappsec.io
In order to use the v1beta2 CRDs simply replace the existing configuration file on your agent
For Linux deployments use
open-appsec-ctl --edit-policyFor Docker Deployment replace the mounted local configuration file
Make sure to apply policy once done.
open-appsec-ctl --apply-policyExample configurations can be found here.
Local Policy Configuration
You can download all the configuration segments examples shown below in a single file here:
https://raw.githubusercontent.com/openappsec/openappsec/main/config/linux/v1beta2/example/local_policy.yamlWhen creating your own local configuration file based on the v1beta2 configuration schema:
Make sure to add apiVersion: v1beta2 at the top of the file to specify using v1beta2 of our local configuration.
Policies
The policies section defines the default behaviors that will apply to all web resources exposed as well as specific rules for overriding the default behavior for specific hostname/path combinations.
Example
policies:
default:
mode: detect-learn
accessControlPractices: [access-control-practice-example]
threatPreventionPractices: [threat-prevention-practice-example]
triggers: [log-trigger-example]
customResponse: web-user-response-exmaple
sourceIdentifiers: ""
trustedSources: ""
exceptions:
- exception-example
specificRules:
- host: "example.com"
mode: prevent-learn
threatPreventionPractices: [threat-prevention-practice-example]
accessControlPractices: [access-control-practice-example]
triggers: [log-trigger-example]
customResponse: web-user-response-exmaple
sourceIdentifiers: ""
trustedSources: ""
exceptions:
- exception-exampleSpecification
default (
object,required): The default configuration for the policy. This field is required.mode (
string, required): Specifies the mode of the entire policy.Possible values:
prevent-learn,detect-learn,prevent,detect,inactive.Default:
detect-learn.
threatPreventionPractices (
array<string>, required): A list of threat prevention practices.Minimum items: 0.
accessControlPractices (
array<string>, required): A list of access control practices.Minimum items: 0.
customResponse (
string, optional): Specifies a custom response code.Default:
403.
triggers (
array<string>, optional): Specifies additional triggers for the policy.sourceIdentifiers (
string, optional): Specifies source identifiers for the policy.trustedSources (
string, optional): Specifies trusted sources for the policy.exceptions (
array<string>, optional): Specifies exception rules for the policy.
specificRules (
array<object>, optional): Specifies rules tailored to specific hosts.host (
string, optional): Specifies the host for the rule.mode (
string, optional): Mode for the specific rule.Possible values:
prevent-learn,detect-learn,prevent,detect,inactive.Default:
detect-learn.
threatPreventionPractices (
array<string>, optional): Threat prevention practices for the specific rule.accessControlPractices (
array<string>, optional): Access control practices for the specific rule.triggers (
array<string>, optional): Triggers for the specific rule.customResponse (
string, optional): Custom response code for the specific rule.sourceIdentifiers (
string, optional): Source identifiers for the specific rule.trustedSources (
string, optional): Trusted sources for the specific rule.exceptions (
array<string>, optional): Exception rules for the specific rule.
Threat Prevention Practice
Practice resources define which threat prevention security engines will be active and what their settings are.
Example
threatPreventionPractices:
- name: threat-prevention-practice-example
practiceMode: inherited
webAttacks:
overrideMode: inherited
minimumConfidence: high
intrusionPrevention:
# intrusion prevention (IPS) requires "Premium Edition"
overrideMode: inherited
maxPerformanceImpact: medium
minSeverityLevel: medium
minCveYear: 2016
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
fileSecurity:
# file security requires "Premium Edition"
overrideMode: inherited
minSeverityLevel: medium
highConfidenceEventAction: inherited
mediumConfidenceEventAction: inherited
lowConfidenceEventAction: detect
snortSignatures:
# you must specify snort signatures in configmap or file to activate snort inspection
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
schemaValidation: # schema validation requires "Premium Edition"
overrideMode: inherited
configmap: []
# relevant for deployments on kubernetes
# 0 or 1 configmaps supported in array
files: []
# relevant for docker and linux embedded deployments
# 0 or 1 files supported in array
antiBot: # antibot requires "Premium Edition"
overrideMode: inherited
injectedUris: []
validatedUris: []Specification
name (
string,required) Unique name for the threat prevention practice.
practiceMode (
string,optional) Defines the mode of operation for the practice. Possible values:inherited, prevent-learn, detect-learn, prevent, detect, inactiveDefault:
inheritedfrom mode set in policy.
webAttacks (
object,required)overrideMode (
string,optional) The override mode for web attacks. Possible values:prevent-learn, detect-learn, prevent, detect, inactive, inherited#inherited from threatPreventionPractice mode set in policyDefault:
inherited
minimumConfidence (
string,optional) The minimum confidence level for web attacks. Possible values:medium, high, criticalDefault:
high
maxUrlSizeBytes (
integer,optional) Maximum URL size in bytes.Default:
32768
maxObjectDepth (
integer,optional)Maximum object depth.Default:
40
maxBodySizeKb (
integer,optional) Maximum body size in KB.Default:
1000000
maxHeaderSizeBytes (
integer,optional) Maximum header size in bytes.Default:
102400
protections (
object,optional)csrfProtection (
string,optional) CSRF protection mode. Possible values:prevent-learn, detect-learn, prevent, detect, inactive, inherited#inherited from overrideModeDefault:
inactive
errorDisclosure (
string,optional) Error disclosure mode. Possible values:prevent-learn, detect-learn, prevent, detect, inactive, inherited#inherited from overrideModeDefault:
inactive
openRedirect (
string,optional) Open redirect protection mode. Possible values:prevent-learn, detect-learn, prevent, detect, inactive, inherited#inherited from overrideModeDefault:
inactive
nonValidHttpMethods (
bollean,optional)Default:
false
antiBot (
object, optional)overrideMode (
string,required) Override mode for bot prevention. Possible values:prevent-learn, detect-learn, prevent, detect, inactive, inherited#inherited from threatPreventionPractice mode set in policyDefault:
inactive
injectedUris (
array<string>, optional) List of injected URIs to be checked for bot prevention.validatedUris (
array<string>, optional) List of validated URIs to be checked for bot prevention.
snortSignatures (
object, optional)overrideMode (
string,required) Override mode for Snort signatures. Possible values:prevent-learn, detect-learn, prevent, detect, inactive, inheritedDefault:
inheritedinherited from threatPreventionPractice mode set in policy
configmap (
array<string>,optional) List of configuration maps related to Snort signatures.files (
array<string>,optional)List of files related to Snort signatures.
schemaValidation (
object, optional)overrideMode (
string,required) Override mode for schema validation. Possible values:prevent-learn, detect-learn,prevent, detect, inactive, inheritedDefault:
inheritedinherited from threatPreventionPractice mode set in policy
enforcementLevel (
string,optional) Level of enforcement for schema validation.configmap (
array<string>,optional) List of configuration maps related to schema validation.files (
array<string>,optional) List of files related to schema validation
intrusionPrevention (
object, optional)overrideMode
string: (required) Override mode for intrusion prevention. Possible values:prevent-learn, detect-learn, prevent, detect, inactive, inheritedinherited from threatPreventionPractice mode set in policyDefault:
inactive
maxPerformanceImpact (
string,optional) ) Maximum acceptable performance impact. Possible values:low, medium, highDefault:
medium
minSeverityLevel (
string,optional) Minimum severity level for intrusion prevention events. Possible values:low, medium, high, criticalDefault:
medium
minCveYear (
integer, optional) ) Minimum year of CVE for inclusion in intrusion prevention events.Default:
2016
highConfidenceEventAction (
string,optional) Action for high confidence events. Possible values:prevent, detect, inactive, inheritedDefault:
inheritedas set in overrideMode for intrusionPrevention
mediumConfidenceEventAction (
string,optional) Action for medium confidence events. Possible values:prevent, detect, inactive, inheritedDefault:
inheritedas set in overrideMode for intrusionPrevention
lowConfidenceEventAction (
string,optional) Action for medium confidence events. Possible values:prevent, detect, inactive, inheritedDefault:
detect
fileSecurity (
object, optional)overrideMode
string: (required) Override mode for intrusion prevention. Possible values:prevent-learn, detect-learn, prevent, detect, inactive, inheritedinherited from threatPreventionPractice mode set in policyDefault:
inactive
minSeverityLevel (
string,optional) Minimum severity level for file secuirty events. Possible values:low, medium, high, criticalDefault:
medium
highConfidenceEventAction (
string,optional) Action for high confidence events. Possible values:prevent, detect, inactive, inheritedDefault:
inheritedas set in overrideMode for intrusionPrevention
mediumConfidenceEventAction (
string,optional) Action for medium confidence events. Possible values:prevent, detect, inactive, inheritedDefault:
inheritedas set in overrideMode for intrusionPrevention
lowConfidenceEventAction (
string,optional) Action for medium confidence events. Possible values:prevent, detect, inactive, inheritedDefault:
detect
archiveInspection (
object, optional):extractArchiveFiles (
boolean, optional): Whether to extract files from archives for inspection.Default:
false.
scanMaxFileSize (
integer, optional): Maximum file size to scan within archives. Default: 10.scanMaxFileSizeUnit (
string, optional): Unit of the maximum file size for scanning. Possible values:bytes, KB, MB, GB.Default:
MB.
archivedFilesWithinArchivedFiles (
string, optional): Action for archived files nested within other archived files. Possible values:prevent, detect, inactive, inherited.Default: inherited, as set in overrideMode for fileSecurity.
archivedFilesWhereContentExtractionFailed (
string, optional): Action when content extraction from archived files fails. Possible values:prevent, detect, inactive, inherited.Default: inherited, as set in overrideMode for fileSecurity.
largeFileInspection (
object, optional):fileSizeLimit (
integer, optional): Maximum file size limit for inspection.Default:
10.
fileSizeLimitUnit (
string, optional): Unit of the file size limit. Possible values:bytes, KB, MB, GB.Default:
MB.
filesExceedingSizeLimitAction (
string, optional): Action for files exceeding the size limit. Possible values:prevent, detect, inactive, inherited.Default:
inherited, as set in overrideMode for fileSecurity.
unnamedFilesAction (
string, optional): Action for unnamed files. Possible values:prevent, detect, inactive, inherited.Default:
inherited, as set in overrideMode for fileSecurity.
threatEmulationEnabled (
boolean, optional): Whether threat emulation is enabled for file security.Default:
false.
Access Control Practice
Practice resources define which Access Control security engines will be active and what their settings are.
Examples
accessControlPractices:
- name: access-control-practice-example
practiceMode: inherited
rateLimit:
# specify one or more rules below to use rate limiting
overrideMode: inherited
rules: []Specification
name (
string, required): The name of the access control policy.
practiceMode (
string, optional): Defines the mode for the access control policy. Possible values:prevent, detect, inactive, inherited (inherited values are determined by the mode set in the policy).Default:
inherited.
rateLimit (
object, required):overrideMode (
string, optional): Allows overriding the mode defined at the policy level for this specific engine. Possible values:prevent, detect, inactive, inherited (inherited values are determined by the mode set in the practice).Default:
inactive.
rules (
array<objects>, optional): List of rate-limiting rules.action (
string, optional): Action to take when a rate limit is exceeded. Possible values:inherited, prevent, detect (inherited values are determined by the mode set in the rate limiting overide mode).Default:
inherited.
condition (
array<objects>, optional): List of conditions for rate limiting (currently not supported).key (
string, required): The key for the condition.value (
string, required): The value for the condition.
uri (
string, optional): URI pattern for the rate limit rule.limit (
integer, optional): The rate limit threshold.unit (
string, optional): The time unit for the rate limit. Possible values:minute, second.Default:
minute.
triggers (
array<objects>, optional): List of triggers that activate the rule.comment (
string, optional): A comment explaining the rate limit.
Custom Response
Optional custom responses can be configured to return in prevent mode either a customizable block page or the desired response code only. The custom responses than can be referenced within one or more policy elements.
Examples
customResponses:
- name: web-user-response-exmaple
mode: response-code-only
httpResponseCode: 403Specification
name (
string, required): A unique name for the custom response configuration.
mode (
string, required): Defines the response mode for blocked requests. Possible values: block-page, redirect, response-code-only.Default:
response-code-only.
messageTitle (
string, optional): Title displayed on the block page (relevant when mode is block-page).
messageBody (
string, optional): Body message displayed on the block page (relevant when mode is block-page).
httpResponseCode (
integer, required): HTTP response code returned when blocking. Minimum: 100. Maximum: 599.Default:
403.
redirectUrl (
string, optional): URL to redirect the blocked requests to (relevant when mode is redirect).
redirectAddXEventId (
boolean, optional): Adds an X-Event-ID header to redirected requests.Default:
false.
Log Trigger
Optional log trigger elements can be used to configure custom logging requirements. They can then be referenced within one or more policy elements.
Example
logTriggers:
- name: log-trigger-example
accessControlLogging:
allowEvents: false
dropEvents: true
appsecLogging:
detectEvents: true
preventEvents: true
allWebRequests: false
extendedLogging:
urlPath: true
urlQuery: true
httpHeaders: false
requestBody: false
additionalSuspiciousEventsLogging:
enabled: true
minSeverity: high
responseBody: false
responseCode: true
logDestination:
cloud: true
logToAgent: false
stdout:
format: jsonSpecification
name (
string, required): The unique name identifying the log trigger.
accessControlLogging (
object, required): Configuration for access control logs.allowEvents (
boolean, optional): Log allowed events.Default:
false.
dropEvents (
boolean, optional): Log dropped events.Default:
true.
appsecLogging (object, required): Configuration for application security logs.
detectEvents (
boolean, optional): Log detection events.Default:
true.
preventEvents (
boolean, optional): Log prevention events.Default:
true.
allWebRequests (
boolean, optional): Log all web requests, regardless of action.Default:
false.
additionalSuspiciousEventsLogging (
object, required): Configuration for logging suspicious events.enabled (
boolean, optional): Enable or disable logging for suspicious events. Default:true.minSeverity (
string, optional): Minimum severity level to log. Options:high, critical.Default:
high.
responseBody (
boolean, optional): Include response body in logs.Default:
false.
responseCode (
boolean, optional): Include response code in logs.Default:
true.
extendedLogging (
object, required): Configuration for extended logging details.urlPath (
boolean, optional): Log URL path.Default:
false.
urlQuery (
boolean, optional): Log URL query parameters.Default:
false.
httpHeaders (
boolean, optional): Log HTTP headers.Default:
false.
requestBody (
boolean, optional): Log HTTP request body.Default:
false.
logDestination (
object, required): Configuration for log destinations.cloud (
boolean, optional): Send logs to the cloud.Default:
false.
syslogService (
array, optional): List of syslog services.address (
array<string>, required): Syslog server address.port (
integer, required): Syslog server port.
logToAgent (
boolean, optional): Send logs to the agent.Default: true.
stdout (
object, optional): Configuration for logs sent to standard output.format (
string, optional): Log format. Options:json, json-formatted.Default:
json.
k8s-service (
boolean, optional): Enable logging to Kubernetes service (default depends on environment type).
cefService (
array, optional): List of CEF (Common Event Format) services.address (
string, required): CEF server address.port (
integer, required): CEF server port.proto (
string, optional): Protocol for CEF. Options: tcp, udp.
Exceptions
Optional exception elements can be used to configure custom exceptions. They can then be referenced within one or more policy elements.
Example
exceptions:
- name: exception-example
action: "accept"
condition:
- key: "countryCode"
value: "US"Specification
name: (
string,required) - The unique name identifying the exception.
action: (
string,required) - Action to take when the exception is triggered. Possible options:skip,accept,drop,suppressLog.Default:
accept.
condition: (
array<object>,required) - List of one or more conditions that must be met for the exception to apply.key: (
string,required) - The key to evaluate, such assourceIP,countryCode, orURL.find full list here.value: (
string,required) - The value associated with the key to match.
Trusted Sources
Optional trusted sources can be defined, for which the machine learning engine will assume, that the traffic originating from them is benign and learn accordingly.
Trusted sources elements can then be referenced within the policies section.
Example
trustedsources:
- name: trusted-sources-example
minNumOfSources: 3
sourcesIdentifiers:
- 1.0.0.27
- 1.0.0.28
- 1.0.0.29Specification
name: (
string). A unique identifier for the trusted source configuration.
minNumOfSources: (
integer, required) - The minimum number of trusted sources needed to apply the configuration.Default:
3.
sourcesIdentifiers: (
array<stri
Source Identifiers
Source Identifiers can be used to define how open-appsec distinguishes between different sources, e.g. based on source IP addresses, x-forwarded-for header content, etc.
Examples
sourcesIdentifiers:
- name: sources-identifier-example
- identifier: sourceip
value:
- "0.0.0.0"Specification
name: (
string,required) A unique identifier for the sources configuration.
sourcesIdentifiers: (
array<object>, required) A list of source identifiers to distinguish between sources based on the selected type and values. Each item is anobjectwith the following properties:identifier: (
string enum, required) - The type of identifier. Possible options:headerkey, JWTKey, cookie, sourceip, x-forwarded-forDefault:
sourceip.
value: (
array<string>, required) - A list of values associated with the identifier. Each item is astring.
Schema file
Here you find the full schema file for the local declarative configuration yaml file. This also shows you which fields are required and which are optional
Schema file for local policy file
type: object
properties:
policies:
type: object
properties:
default:
type: object
properties:
custom-response:
type: string
exceptions:
items:
type: string
type: array
mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
practices:
items:
type: string
type: array
source-identifiers:
type: string
triggers:
items:
type: string
type: array
trusted-sources:
type: string
required:
- mode
- practices
- triggers
specific-rules:
type: array
items:
properties:
host:
type: string
custom-response:
type: string
exceptions:
items:
type: string
type: array
mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
practices:
items:
type: string
type: array
source-identifiers:
type: string
triggers:
items:
type: string
type: array
trusted-sources:
type: string
required:
- mode
- host
- practices
- triggers
type: object
practices:
type: array
items:
properties:
name:
type: string
anti-bot:
properties:
injected-URIs:
items:
properties:
uri:
type: string
type: object
type: array
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
default: "inactive"
validated-URIs:
items:
properties:
uri:
type: string
type: object
type: array
type: object
openapi-schema-validation:
properties:
files:
items:
type: string
type: array
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
type: object
snort-signatures:
properties:
files:
items:
type: string
type: array
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
type: object
web-attacks:
properties:
max-body-size-kb:
type: integer
max-header-size-bytes:
type: integer
max-object-depth:
type: integer
max-url-size-bytes:
type: integer
minimum-confidence:
enum:
- medium
- high
- critical
type: string
override-mode:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
- as-top-level
type: string
protections:
properties:
csrf-enabled:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
error-disclosure-enabled:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
non-valid-http-methods:
type: boolean
open-redirect-enabled:
enum:
- prevent-learn
- detect-learn
- prevent
- detect
- inactive
type: string
type: object
type: object
required:
- name
custom-responses:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
http-response-code:
maximum: 599
minimum: 100
default: 403
type: integer
message-body:
type: string
default: "Attack blocked by web application protection"
message-title:
type: string
default: "Openappsec's <b>Application Security</b> has detected an attack and blocked it."
mode:
enum:
- block-page
- response-code-only
type: string
required:
- name
log-triggers:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
access-control-logging:
properties:
allow-events:
type: boolean
default: false
drop-events:
type: boolean
default: false
type: object
additional-suspicious-events-logging:
properties:
enabled:
type: boolean
default true:
minimum-severity:
enum:
- high
- critical
type: string
default: "high"
response-body:
type: boolean
default: false
response-code:
type: boolean
default: true
type: object
appsec-logging:
properties:
all-web-requests:
type: boolean
default: false
detect-events:
type: boolean
default: false
prevent-events:
type: boolean
default: true
type: object
extended-logging:
properties:
http-headers:
type: boolean
default: false
request-body:
type: boolean
default: false
url-path:
type: boolean
default: false
url-query:
type: boolean
default: false
type: object
log-destination:
properties:
cef-service:
minItems: 0
items:
properties:
address:
type: string
port:
type: integer
proto:
enum:
- tcp
- udp
type: string
type: object
type: array
cloud:
type: boolean
default: false
stdout:
properties:
format:
enum:
- json
- json-formatted
type: string
default: json
type: object
syslog-service:
minItems: 0
items:
properties:
address:
type: string
port:
type: integer
type: object
type: array
type: object
required:
- name
exceptions:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
action:
enum:
- skip
- accept
- drop
- suppressLog
type: string
comment:
type: string
countryCode:
items:
type: string
type: array
countryName:
items:
type: string
type: array
hostName:
items:
type: string
type: array
paramName:
items:
type: string
type: array
paramValue:
items:
type: string
type: array
protectionName:
items:
type: string
type: array
sourceIdentifier:
items:
type: string
type: array
sourceIp:
items:
type: string
type: array
url:
items:
type: string
type: array
required:
- name
- action
trusted-sources:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
minNumOfSources:
type: integer
minimum: 1
default: 3
sources-identifiers:
items:
type: string
type: array
required:
- name
- sources-identifiers
source-identifiers:
type: array
minItems: 0
items:
type: object
properties:
name:
type: string
identifiers:
type: array
minItems: 1
items:
type: object
source-identifier:
enum:
- headerkey
- JWTKey
- cookie
- sourceip
- x-forwarded-for
type: string
value:
items:
type: string
type: array
required:
- source-identifier
required:
- name
- identifiers
additionalProperties: falseLast updated
Was this helpful?