Open Raven

The Open Raven Documentation Site

Create a New Policy Rule

To create a New Policy Rule, you will need to:

  1. Go to "Rules" and Create Rule
  2. Fill out the Form and Rules Editor
    a) Describe the Rule
    b) Edit the Rule Editor
  3. Save Your New Policy Rule

Let's get started.

Step 1. Go to "Rules" and Create Rule

In "Configuration," click on "Rules" and then Create Rule.

Step 2. Fill out the Form and Rules Editor

A form with all the required fields for the Rule attributes will appear on the left. A Rule editor will appear on the right.

a) Describe the Rule

Begin by defining a Reference ID and a Policy Rule name. Give the Rule a unique ID and a meaningful name that is easy to reference. The Rule Description should be short but still explain what the Rule checks.

The Status of a Rule determines if it is in use or not.

The Risk Level defines how the Rule you are building is risk ranked. It determines the severity of any Violation created by the Rules in the editor.

b) Edit the Rule Editor

Policy Rules should always have a name (usually the same name set previously) and a number of “expressions” that must all be true for the Asset to be in violation.

Below is an example of a Rule where S3 buckets must never be “public”:

import data.helpers

# The Rule is true (a violation) only when every statement in its body holds:
# the Asset is an S3 bucket, and that bucket is public.
S3_PUBLIC {
    helpers.isS3bucket
    helpers.isPublic
}

In this Rule, we have one statement that checks if the Asset is an S3 bucket, followed by another statement that checks if it is public. If both of these statements evaluate as true, then a Policy Rule Violation is created.

When writing a Rule against Data Classes (or Data Collections), additional functions are required to capture the number and locations of data objects that are in violation.

For example, if you were to create a Rule that ensures data stores that contain social security numbers are encrypted, you would need the following Rule:

import data.helpers

# The Rule's value is ret: the data objects matched by hasDataClass("SSN"),
# evaluated only when the Asset is a data store that is not encrypted.
DATA_SSN_ENCR = ret {
    helpers.isDataStore
    helpers.isNotEncrypted
    ret := helpers.hasDataClass("SSN")
}

Notice that the Rule is declared with “= ret” (read it as “returns”) and that the result of the “hasDataClass” statement (or hasDataFromCollection, if using one of the Data Collections) is assigned to ret, so the Rule's value carries the matching data objects rather than just true.
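A self-contained `opa test` file exercising the S3_PUBLIC and DATA_SSN_ENCR Rules from the two sections above, added here as an example rather than Open Raven's own code: the stand-in helpers, the discovery fields they read (publicAccess, storageEncrypted, dataClasses) and the sample Assets are assumptions, since Open Raven's real data.helpers package is not shown on this page. It keeps the page's pre-1.0 Rego syntax, so run it with an OPA 0.x release.

```rego
package helpers

# Stand-in helpers so the file runs alone. Assumption: Open Raven's real
# data.helpers package reads different discovery fields than these.
isS3bucket { input.asset.resourceType == "AWS::S3::Bucket" }
isDataStore { input.asset.resourceType == "AWS::RDS::DBInstance" }
isPublic { input.asset.configuration.publicAccess == true }               # hypothetical field
isNotEncrypted { not input.asset.configuration.storageEncrypted == true }  # hypothetical field

# Returns the locations where the named data class was found.
# Hypothetical shape: input.asset.dataClasses == {"SSN": ["path", ...]}.
hasDataClass(name) = locs {
    locs := input.asset.dataClasses[name]
    count(locs) > 0
}

# The page's two Rules, referencing the stand-ins inside this package.
S3_PUBLIC {
    isS3bucket
    isPublic
}

DATA_SSN_ENCR = ret {
    isDataStore
    isNotEncrypted
    ret := hasDataClass("SSN")
}

# Constructed sample Assets.
public_bucket := {"asset": {"resourceType": "AWS::S3::Bucket",
                            "configuration": {"publicAccess": true}}}
private_bucket := {"asset": {"resourceType": "AWS::S3::Bucket",
                             "configuration": {"publicAccess": false}}}
ssn_db := {"asset": {"resourceType": "AWS::RDS::DBInstance",
                     "configuration": {"storageEncrypted": false},
                     "dataClasses": {"SSN": ["users.ssn", "backup/pii.csv"]}}}
encrypted_ssn_db := {"asset": {"resourceType": "AWS::RDS::DBInstance",
                               "configuration": {"storageEncrypted": true},
                               "dataClasses": {"SSN": ["users.ssn"]}}}

# Run with `opa test .`; a Rule that is undefined for an Asset means no violation.
test_public_bucket_violates { S3_PUBLIC with input as public_bucket }
test_private_bucket_passes { not S3_PUBLIC with input as private_bucket }
test_ssn_rule_returns_locations {
    DATA_SSN_ENCR == ["users.ssn", "backup/pii.csv"] with input as ssn_db
}
test_encrypted_store_passes { not DATA_SSN_ENCR with input as encrypted_ssn_db }
```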

If you need help creating Policy Rules, Open Raven has over 150 Policy Rule Helper Functions. However, a Rule does not have to use Helper Functions. Instead, it can refer to the Asset’s discovery data directly: look at the Asset document (in Explore Data with Kibana) and identify the field(s) that the Rule should evaluate.

For example, if you wanted to make sure that all RDS instances were running a minimum version, a Rule can match on the engine and engine version fields directly:

import data.helpers

# Reads discovery fields directly instead of Helper Functions. As written, the
# body matches PostgreSQL RDS instances whose engineVersion equals the string below.
RDS_MIN_VERSION {
    input.asset.resourceType == "AWS::RDS::DBInstance"
    input.asset.configuration.engine == "postgres"
    input.asset.configuration.engineVersion == "9.6.18"
}

There are many ways to write Policy Rules. The underlying Policy engine is based on Open Policy Agent (OPA). Open Raven captures lots of data about Assets during discovery and provides a robust, flexible Rules capability. We encourage you to create your own Rules using the examples above as starting points.

Step 3. Save Your New Policy Rule

Click Save to store the new Policy Rule.

If you have questions or need assistance creating your own Rules, please reach out to our support team at [email protected].
