search
WebsiteManagement PortalPlaygroundGitHub

Local Policy File v1beta2 (beta)

circle-exclamation

Beta Feature Notice This feature is currently in beta and may undergo changes based on user feedback and testing. please note that some functionality may be subject to updates or improvements in future releases.

We encourage you to explore this feature and share your feedback to help us enhance it. If you encounter any issues or have suggestions, please contact us at [email protected]

circle-info

In order to use the v1beta2 CRDs simply replace the existing configuration file on your agent

  • For Linux deployments use

open-appsec-ctl --edit-policy

  • For Docker Deployment replace the mounted local configuration file

Make sure to apply policy once done. 

open-appsec-ctl --apply-policy

Example configurations can be found herearrow-up-right.

hashtag
Local Policy Configuration

You can download all the configuration segments examples shown below in a single file here:

wget https://raw.githubusercontent.com/openappsec/openappsec/main/config/linux/v1beta2/example/local_policy.yaml
https://raw.githubusercontent.com/openappsec/openappsec/main/config/linux/v1beta2/example/local_policy.yamlraw.githubusercontent.comchevron-right
circle-exclamation

When creating your own local configuration file based on the v1beta2 configuration schema: Make sure to add apiVersion: v1beta2 at the top of the file to specify using v1beta2 of our local configuration.

hashtag
Policies

The policies section defines the default behaviors that will apply to all web resources exposed as well as specific rules for overriding the default behavior for specific hostname/path combinations.

chevron-right Examplehashtag
chevron-rightSpecificationhashtag

  • default (object, required): The default configuration for the policy. This field is required.

    • mode (string, required): Specifies the mode of the entire policy.

      • Possible values: prevent-learn, detect-learn, prevent, detect, inactive.

      • Default: detect-learn.

    • threatPreventionPractices (array<string>, required): A list of threat prevention practices.

      • Minimum items: 0.

    • accessControlPractices (array<string>, required): A list of access control practices.

      • Minimum items: 0.

    • customResponse (string, optional): Specifies a custom response code.

      • Default: 403.

    • triggers (array<string>, required): Specifies additional triggers for the policy.

    • sourceIdentifiers (string, optional): Specifies source identifiers for the policy.

    • trustedSources (string, optional): Specifies trusted sources for the policy.

    • exceptions (array<string>, optional): Specifies exception rules for the policy.

  • specificRules (array<object>, optional): Specifies rules tailored to specific hosts.

    • host (string, required): Specifies the host for the rule.

    • mode (string, required): Mode for the specific rule.

      • Possible values: prevent-learn, detect-learn, prevent, detect, inactive.

      • Default: detect-learn.

    • threatPreventionPractices (array<string>, required): Threat prevention practices for the specific rule.

    • accessControlPractices (array<string>, required): Access control practices for the specific rule.

    • triggers (array<string>, required): Triggers for the specific rule.

    • customResponse (string, optional): Custom response code for the specific rule.

    • sourceIdentifiers (string, optional): Source identifiers for the specific rule.

    • trustedSources (string, optional): Trusted sources for the specific rule.

    • exceptions (array<string>, optional): Exception rules for the specific rule.

hashtag
Threat Prevention Practice

Practice resources define which threat prevention security engines will be active and what their settings are.

chevron-rightExample hashtag
chevron-rightSpecificationhashtag

  • name (string ,required) Unique name for the threat prevention practice.

  • practiceMode (string ,optional) Defines the mode of operation for the practice. Possible values: inherited, prevent-learn, detect-learn, prevent, detect, inactive

    • Default: inherited from mode set in policy.

  • webAttacks (object ,required)

    • overrideMode (string ,optional) The override mode for web attacks. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited #inherited from threatPreventionPractice mode set in policy

      • Default: inherited

    • minimumConfidence (string ,optional) The minimum confidence level for web attacks. Possible values: medium, high, critical

      • Default: high

    • maxUrlSizeBytes (integer ,optional) Maximum URL size in bytes.

      • Default: 32768

    • maxObjectDepth (integer ,optional)Maximum object depth.

      • Default: 40

    • maxBodySizeKb (integer ,optional) Maximum body size in KB.

      • Default: 1000000

    • maxHeaderSizeBytes (integer ,optional) Maximum header size in bytes.

      • Default: 102400

    • protections (object, optional)

      • csrfProtection (string ,optional) CSRF protection mode. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited #inherited from overrideMode

        • Default: inactive

      • errorDisclosure (string ,optional) Error disclosure mode. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited #inherited from overrideMode

        • Default: inactive

      • openRedirect (string ,optional) Open redirect protection mode. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited #inherited from overrideMode

        • Default: inactive

      • nonValidHttpMethods (bollean,optional)

        • Default: false

  • antiBot (object, optional)

    • overrideMode (string ,required) Override mode for bot prevention. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited #inherited from threatPreventionPractice mode set in policy

      • Default: inactive

    • injectedUris (array<string>, optional) List of injected URIs to be checked for bot prevention.

    • validatedUris (array<string>, optional) List of validated URIs to be checked for bot prevention.

  • snortSignatures (object, optional)

    • overrideMode (string ,required) Override mode for Snort signatures. Possible values:prevent-learn, detect-learn, prevent, detect, inactive, inherited

      • Default: inherited inherited from threatPreventionPractice mode set in policy

    • configmap (array<string> ,optional) List of configuration maps related to Snort signatures.

    • files (array<string> ,optional)List of files related to Snort signatures.

  • schemaValidation (object, optional)

    • overrideMode (string ,required) Override mode for schema validation. Possible values: prevent-learn, detect-learn,prevent, detect, inactive, inherited

      • Default: inherited inherited from threatPreventionPractice mode set in policy

    • enforcementLevel (string ,optional) Level of enforcement for schema validation.

    • configmap (array<string> ,optional) List of configuration maps related to schema validation.

    • files (array<string> ,optional) List of files related to schema validation

  • intrusionPrevention (object, optional)

    • overrideMode string: (required) Override mode for intrusion prevention. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited inherited from threatPreventionPractice mode set in policy

      • Default: inactive

    • maxPerformanceImpact (string ,optional) ) Maximum acceptable performance impact. Possible values: low, medium, high

      • Default: medium

    • minSeverityLevel (string ,optional) Minimum severity level for intrusion prevention events. Possible values: low, medium, high, critical

      • Default: medium

    • minCveYear (integer, optional) ) Minimum year of CVE for inclusion in intrusion prevention events.

      • Default: 2016

    • highConfidenceEventAction (string ,optional) Action for high confidence events. Possible values: prevent, detect, inactive, inherited

      • Default: inherited as set in overrideMode for intrusionPrevention

    • mediumConfidenceEventAction (string ,optional) Action for medium confidence events. Possible values:prevent, detect, inactive, inherited

      • Default: inherited as set in overrideMode for intrusionPrevention

    • lowConfidenceEventAction (string ,optional) Action for medium confidence events. Possible values:prevent, detect, inactive, inherited

    • Default: detect

  • fileSecurity (object, optional)

    • overrideMode string: (required) Override mode for intrusion prevention. Possible values: prevent-learn, detect-learn, prevent, detect, inactive, inherited inherited from threatPreventionPractice mode set in policy

      • Default: inactive

    • minSeverityLevel (string ,optional) Minimum severity level for file secuirty events. Possible values: low, medium, high, critical

      • Default: medium

    • highConfidenceEventAction (string ,optional) Action for high confidence events. Possible values: prevent, detect, inactive, inherited

      • Default: inherited as set in overrideMode for intrusionPrevention

    • mediumConfidenceEventAction (string ,optional) Action for medium confidence events. Possible values:prevent, detect, inactive, inherited

      • Default: inherited as set in overrideMode for intrusionPrevention

    • lowConfidenceEventAction (string ,optional) Action for medium confidence events. Possible values:prevent, detect, inactive, inherited

      • Default: detect

    • archiveInspection (object, optional):

      • extractArchiveFiles (boolean, optional): Whether to extract files from archives for inspection.

        • Default: false.

      • scanMaxFileSize (integer, optional): Maximum file size to scan within archives. Default: 10.

      • scanMaxFileSizeUnit (string, optional): Unit of the maximum file size for scanning. Possible values: bytes, KB, MB, GB.

        • Default: MB.

      • archivedFilesWithinArchivedFiles (string, optional): Action for archived files nested within other archived files. Possible values: prevent, detect, inactive, inherited.

        • Default: inherited, as set in overrideMode for fileSecurity.

      • archivedFilesWhereContentExtractionFailed (string, optional): Action when content extraction from archived files fails. Possible values: prevent, detect, inactive, inherited.

        • Default: inherited, as set in overrideMode for fileSecurity.

    • largeFileInspection (object, optional):

      • fileSizeLimit (integer, optional): Maximum file size limit for inspection.

        • Default: 10.

      • fileSizeLimitUnit (string, optional): Unit of the file size limit. Possible values: bytes, KB, MB, GB.

        • Default: MB.

      • filesExceedingSizeLimitAction (string, optional): Action for files exceeding the size limit. Possible values: prevent, detect, inactive, inherited.

        • Default: inherited, as set in overrideMode for fileSecurity.

    • unnamedFilesAction (string, optional): Action for unnamed files. Possible values: prevent, detect, inactive, inherited.

      • Default: inherited, as set in overrideMode for fileSecurity.

    • threatEmulationEnabled (boolean, optional): Whether threat emulation is enabled for file security.

      • Default: false.

hashtag
Access Control Practice

Practice resources define which Access Control security engines will be active and what their settings are.

chevron-rightExamples hashtag
chevron-rightSpecificationhashtag

  • name (string, required): The name of the access control policy.

  • practiceMode (string, optional): Defines the mode for the access control policy. Possible values: prevent, detect, inactive, inherited (inherited values are determined by the mode set in the policy).

    • Default: inherited .

  • rateLimit (object, required):

    • overrideMode (string, optional): Allows overriding the mode defined at the policy level for this specific engine. Possible values: prevent, detect, inactive, inherited (inherited values are determined by the mode set in the practice).

      • Default: inactive.

    • rules (array<objects>, optional): List of rate-limiting rules.

      • action (string, optional): Action to take when a rate limit is exceeded. Possible values: inherited, prevent, detect (inherited values are determined by the mode set in the rate limiting overide mode).

        • Default: inherited.

      • condition (array<objects>, optional): List of conditions for rate limiting (currently not supported).

        • key (string, required): The key for the condition.

        • value (string, required): The value for the condition.

      • uri (string, optional): URI pattern for the rate limit rule.

      • limit (integer, optional): The rate limit threshold.

      • unit (string, optional): The time unit for the rate limit. Possible values: minute, second.

        • Default: minute.

      • triggers (array<objects>, optional): List of triggers that activate the rule.

      • comment (string, optional): A comment explaining the rate limit.

hashtag
Custom Response

Optional custom responses can be configured to return in prevent mode either a customizable block page or the desired response code only. The custom responses than can be referenced within one or more policy elements.

chevron-rightExamples hashtag
chevron-rightSpecificationhashtag

  • name (string, required): A unique name for the custom response configuration.

  • mode (string, required): Defines the response mode for blocked requests. Possible values: block-page, redirect, response-code-only.

    • Default: response-code-only.

  • messageTitle (string, optional): Title displayed on the block page (relevant when mode is block-page).

  • messageBody (string, optional): Body message displayed on the block page (relevant when mode is block-page).

  • httpResponseCode (integer, required): HTTP response code returned when blocking. Minimum: 100. Maximum: 599.

    • Default: 403.

  • redirectUrl (string, optional): URL to redirect the blocked requests to (relevant when mode is redirect).

  • redirectAddXEventId (boolean, optional): Adds an X-Event-ID header to redirected requests.

    • Default: false.

hashtag
Log Trigger

Optional log trigger elements can be used to configure custom logging requirements. They can then be referenced within one or more policy elements.

chevron-rightExample hashtag
chevron-rightSpecificationhashtag

  • name (string, required): The unique name identifying the log trigger.

  • accessControlLogging (object, required): Configuration for access control logs.

    • allowEvents (boolean, optional): Log allowed events.

      • Default: false.

    • dropEvents (boolean, optional): Log dropped events.

      • Default: true.

  • appsecLogging (object, required): Configuration for application security logs.

    • detectEvents (boolean, optional): Log detection events.

      • Default: true.

    • preventEvents (boolean, optional): Log prevention events.

      • Default: true.

    • allWebRequests (boolean, optional): Log all web requests, regardless of action.

    • Default: false.

  • additionalSuspiciousEventsLogging (object, required): Configuration for logging suspicious events.

    • enabled (boolean, optional): Enable or disable logging for suspicious events. Default: true.

    • minSeverity (string, optional): Minimum severity level to log. Options: high, critical.

      • Default: high.

    • responseBody (boolean, optional): Include response body in logs.

      • Default: false.

    • responseCode (boolean, optional): Include response code in logs.

      • Default: true.

  • extendedLogging (object, required): Configuration for extended logging details.

    • urlPath (boolean, optional): Log URL path.

      • Default: false.

    • urlQuery (boolean, optional): Log URL query parameters.

      • Default: false.

    • httpHeaders (boolean, optional): Log HTTP headers.

      • Default: false.

    • requestBody (boolean, optional): Log HTTP request body.

      • Default: false.

  • logDestination (object, required): Configuration for log destinations.

    • cloud (boolean, optional): Send logs to the cloud.

      • Default: false.

    • syslogService (array, optional): List of syslog services.

      • address (array<string>, required): Syslog server address.

      • port (integer, required): Syslog server port.

    • logToAgent (boolean, optional): Send logs to the agent.

      • Default: true.

    • stdout (object, optional): Configuration for logs sent to standard output.

      • format (string, optional): Log format. Options: json, json-formatted.

        • Default: json.

  • k8s-service (boolean, optional): Enable logging to Kubernetes service (default depends on environment type).

  • cefService (array, optional): List of CEF (Common Event Format) services.

    • address (string, required): CEF server address.

    • port (integer, required): CEF server port.

    • proto (string, optional): Protocol for CEF. Options: tcp, udp.

hashtag
Exceptions

Optional exception elements can be used to configure custom exceptions. They can then be referenced within one or more policy elements.

chevron-rightExample hashtag
chevron-rightSpecificationhashtag

  • name: (string ,required) - The unique name identifying the exception.

  • action: (string ,required) - Action to take when the exception is triggered. Possible options: skip, accept, drop, suppressLog.

    • Default: accept.

  • condition: (array<object> ,required) - List of one or more conditions that must be met for the exception to apply.

    • key: (string ,required) - The key to evaluate, such as sourceIP, countryCode, or URL. find full list here.

    • value: (string ,required) - The value associated with the key to match.

hashtag
Trusted Sources

Optional trusted sources can be defined, for which the machine learning engine will assume, that the traffic originating from them is benign and learn accordingly.

Trusted sources elements can then be referenced within the policies section.

chevron-rightExample hashtag
chevron-rightSpecificationhashtag

  • name: (string). A unique identifier for the trusted source configuration.

  • minNumOfSources: (integer , required) - The minimum number of trusted sources needed to apply the configuration.

    • Default: 3.

  • sourcesIdentifiers: (array<stri

hashtag
Source Identifiers

Source Identifiers can be used to define how open-appsec distinguishes between different sources, e.g. based on source IP addresses, x-forwarded-for header content, etc.

chevron-rightExamples hashtag
chevron-rightSpecificationhashtag

  • name: (string ,required) A unique identifier for the sources configuration.

  • sourcesIdentifiers: (array<object>, required) A list of source identifiers to distinguish between sources based on the selected type and values. Each item is an object with the following properties:

    • identifier: (string enum, required) - The type of identifier. Possible options: headerkey, JWTKey, cookie, sourceip, x-forwarded-for

      • Default: sourceip.

    • value: (array<string>, required) - A list of values associated with the identifier. Each item is a string.

hashtag
Schema file

Here you find the full schema file for the local declarative configuration yaml file. This also shows you which fields are required and which are optional

chevron-rightSchema file for local policy filehashtag

PreviousLocal Policy File (Advanced)NextMonitor Events

Last updated

Was this helpful?