Define a complete security policy

In this section, you will learn:

  • How to define more advanced configuration policies

  • How to link different components, using conditional evaluation of methods.

  • How to define and use techniques with parameters

Technique conception

In the first part, we defined a very simple technique that managed a user.

In this part, we will create a technique to disable weak ciphers.

This technique will need parameters.

What are parameters? Just like we saw in the built-in techniques, you can pass parameters to techniques created in the technique editor. They are part of the technique definition, and their value is usable with the ${variable_name} syntax.

For this policy, we want to:

  • configure ciphers in the /etc/ssh/sshd_config file. As the ciphers can change according the use case, we will pass them as parameters.

  • restart sshd service if there has been a modification

  • check $ sshd -T output in case sshd_config file has been modified without restarting service

Moreover, as those policies should be applied only on Linux machines, we will add a condition in Rudder to respect that.

Technique creation

Parameter configuration

Now, let’s get to work and start building our technique:

  1. go to the technique editor (Configurations → Techniques) and click on Create

  2. call it "Disable weak ciphers" and add a description

  3. let’s add a parameter to list strong ciphers in clicking on tab Parameters

  4. fill Variable name with strong_ciphers

Technique parameters

Methods

Add a block to condition the grouped methods

Now, let’s add methods:

  1. click on Add to show the building blocks on the right

  2. then select New block. This block will enable us to add a condition to ensure the methods will be applied on Linux machines.

  3. in the block, add a name and click on the Conditions tab.

  4. in the Operating system list, select linux

New technique disable weak ciphers

A condition is represented by a string, and can be either defined or not. The conditions express what the current execution environment is:

  • We are on a Debian 9 system

  • The content of the configuration file has just been modified (see below)

  • etc.

We can use conditions to limit the evaluation of a method to a specific context, for example only on debian 9 or only when a given file has been modified by the agent.

This allows:

  • using actions (like service restart) by limiting them to a specific context

  • writing generic policies compatible with different operating systems, by having specific parts for each

The File key-value present method

  1. in the block, go back to the Content tab

  2. drag and drop in the block the File key-value present method. You can find it using Filter or in clicking on the File category in the right part. This method ensures the file contains an entry key → value with arbitrary separator between the key and its value. It is exactly what we need to configure the line defining ciphers.

  3. fill the method content: add a name, fill the Path with our /etc/ssh/ssh_config file, the Key is Ciphers, the Value is our parameter ${strong_ciphers} and finally the separator is a space

New technique disable weak ciphers

Restart service sshd when needed

Now, let’s add the method to restart our service when there has been a change in the /etc/ssh/ssh_config file:

  1. drag and drop in the block the method Service restart. You can find it using Filter or in clicking on the Service category in the right part.

  2. fill the method content: add a block name and fill the Name with sshd

  3. then let’s add the condition to restart the service only when there has been a change in the file /etc/ssh/ssh_config:

    1. select the method File key-value present and click on tab Result conditions.

    2. copy the result conditions Repaired.

    3. paste it in the tab Conditions of the method Service restart.

Method service restart for sshd

You can spot it is different compared to our other methods: in this case it is not a state but an action we need to express. As we do not want the action method to be executed at every agent run, we have added a condition: the /etc/ssh/sshd_config modification.

Every method will define a result condition that is one of the conditions displayed in method details:

It can be:

  • Success: When the state was already compliant

  • Repaired: When the state has been modified by the agent to become compliant

  • Error: When the expected state could not be reached

Conditions can be combined using boolean operators:

  • ! for not

  • | for or

  • . for and

  • ( and ) for grouping

Audit from command to check current configuration

Finally, we will check ciphers in the output of the command sshd -T:

  1. drag and drop in the block the method Audit from command. You can find it using Filter or in clicking on the Audit category in the right part. As its name suggests, this method execute a command in audit mode.

  2. fill method content:

    1. add a name

    2. the Command should be sshd -T | grep 'ciphers ${strong_ciphers}'

    3. the Compliant code should be 0

  3. finally, Save the technique

Method Audit from command for sshd -T

Conclusion

Here is the final content of our technique:

Final list of methods

We now have defined a security policy, now, we will apply it to a machine and check the results.


← Manage configuration policies Apply a security policy →