Policies

A policy in Cloudhouse Guardian (Guardian) is essentially a configuration baseline for the security and maintenance of a system. Policies confirm compliance. There are two types of policies in Guardian: Custom (created) and Public (default). A custom policy is a manually created set of checks used to accommodate an individual user or company's needs. A public policy is an industry-standard policy, as stipulated by the Center for Internet Security (CIS). In Guardian, these are known as benchmarks. For more information, see Benchmarks. The Policies tab (Control > Policies) displays all of the policies that are presently configured within your Guardian instance, both custom and public.

Screenshot of the policies tab, with 'All Policies' selected and displayed.

Policies are an excellent resource in Guardian that allow you to define a desired configuration state at the node or node group level. For example, you could create a policy to ensure that a set of roles and features are installed on a node, or that certain environment variables are set. The policy checks are then run each time the node is scanned, with the results indicating whether the checks passed or failed. A node group can contain multiple policies that are applied to the same or a different set of nodes.

Note: Policies in the Guardian appliance offer slightly different functionality from the Policy API. For more information on the API, see the Guardian API (V2) Policies documentation.

Custom Policies

In the Policies drop-down menu, click Custom to display the Custom Policies page. Here, a list of all the policies that have been manually created within your Guardian instance is displayed, specific to the environment you are in.

Note: Alternatively, you can click All Policies to display both custom and public policies.

Here, you can click View to display the checks that comprise the policy within the Policy Builder page, or click the View drop-down to display the following list of options:

Option – Description
Edit – Click to edit the policy. The Edit Policy page is displayed; see Edit Policy for more information.
Show on Node – Click to show whether the policy passes or fails on any selected node. The node scan results page is displayed; see Node Scan Results for more information.
Report – Click to display a report for the selected policy; see Policy Reports for more information.
Clone – Click to create a clone of the selected policy.
Policy Documentation – Click to download a PDF containing the full set of checks included in the selected policy.
Add To Node Group – Click to add the policy to a node group.
Export – Click to export the policy; see Export / Import Policy for more information.
Delete – Click to delete the selected policy. A confirmation dialog is displayed; click OK to confirm the action. Once deleted, the policy cannot be restored.

There are multiple ways to create a custom policy, including:

  • Building a Custom Policy – Click the Build Policy button on the Policies tab to access the Build Custom Policy dialog. Here, you can build a custom policy by defining the associated checks from scratch. See Build Custom Policy for more information.

  • Creating a Policy from a Node Scan – When accessing a node's scan results, you can right-click on a configuration item or attribute within the results to create a policy with checks based on the current configuration of the selected item. The policy checks are then run during each scan to give visibility on whether the same configuration is upheld between scans. See Create Policy From Node Scan for more information.

  • Importing a Policy – Build a custom policy and then use an imported policy to define the checks you want included. You can import a policy from the Guardian Policy Library, the Cloudhouse Public Policies repository, or a policy that was previously exported from Guardian that you may have edited. For more information, see Import a Policy.

  • Editing an Existing Policy's Checks – You can export a public policy and edit the checks being run, then re-import it back into Guardian. For more information, see Export a Policy. Or, for custom policies, you can edit the checks directly within Guardian. For more information, see Edit Policy.
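The two ideas above, a policy as a set of checks that is re-run against every scan, and a policy whose checks are pinned from a node's current scan so that later scans reveal drift, can be modelled in a few lines. The following is an added illustration written for this page; it is not Cloudhouse Guardian code, and the check format (dotted attribute paths with equals/present/absent operators), the scan snapshot layout and the sample scan contents are all assumptions chosen to show the evaluation logic, not Guardian's own policy format.

```python
# Added illustration: a minimal configuration-baseline model. This is NOT
# Cloudhouse Guardian code; the check format, operators and scan layout are
# assumptions chosen to show how policy checks evaluate a node's scan results.
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class Check:
    """One policy check: an attribute path in the scan plus the expected state."""
    path: str                 # dotted path into the scan snapshot (assumed layout)
    operator: str             # "equals", "present" or "absent"
    expected: Any = None      # only used by "equals"
    description: str = ""


@dataclass
class Policy:
    name: str
    checks: List[Check] = field(default_factory=list)


def lookup(snapshot: Dict[str, Any], path: str) -> Tuple[bool, Any]:
    """Walk a dotted path; return (found, value). A missing key is not an error."""
    node: Any = snapshot
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def evaluate(policy: Policy, snapshot: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Run every check against one scan snapshot and record pass/fail per check.

    A check whose attribute has disappeared from the scan is recorded as a
    failure with actual=None instead of raising, so one missing item does not
    abort the rest of the policy.
    """
    results = []
    for check in policy.checks:
        found, actual = lookup(snapshot, check.path)
        if check.operator == "present":
            passed = found
        elif check.operator == "absent":
            passed = not found
        elif check.operator == "equals":
            passed = found and actual == check.expected
        else:
            raise ValueError(f"unknown operator {check.operator!r}")
        results.append({"check": check.path, "operator": check.operator,
                        "expected": check.expected,
                        "actual": actual if found else None, "passed": passed})
    return results


def policy_from_scan(name: str, snapshot: Dict[str, Any], paths: List[str]) -> Policy:
    """Pin the selected attributes to their current values (the 'policy from a
    node scan' idea): later scans then show whether that state was upheld."""
    checks = []
    for path in paths:
        found, value = lookup(snapshot, path)
        if not found:
            raise KeyError(f"{path} is not present in the baseline scan")
        checks.append(Check(path, "equals", value, f"{path} must remain {value!r}"))
    return Policy(name, checks)


def summarize(results: List[Dict[str, Any]]) -> Tuple[int, int]:
    """Return (passed, failed) counts for one evaluation."""
    passed = sum(1 for r in results if r["passed"])
    return passed, len(results) - passed


# Constructed sample scans (not real Guardian output): a baseline taken while
# the node was in its approved state, and a later scan after drift.
BASELINE_SCAN = {
    "features": {"Web-Server": {"installed": True},
                 "Telnet-Client": {"installed": False}},
    "env": {"TLS_MIN_VERSION": "1.2"},
}
LATER_SCAN = {
    "features": {"Web-Server": {"installed": True},
                 "Telnet-Client": {"installed": True}},   # drift: feature added
    "env": {"TLS_MIN_VERSION": "1.0"},                    # drift: weaker setting
}

# Pin two attributes from the baseline scan, then add one hand-written check.
POLICY = policy_from_scan("web-node-baseline", BASELINE_SCAN,
                          ["features.Web-Server.installed", "env.TLS_MIN_VERSION"])
POLICY.checks.append(Check("features.Telnet-Client.installed", "equals", False,
                           "Telnet client must not be installed"))

if __name__ == "__main__":
    for label, scan in (("baseline", BASELINE_SCAN), ("later", LATER_SCAN)):
        results = evaluate(POLICY, scan)
        print(label, "passed/failed:", summarize(results))
        for r in results:
            if not r["passed"]:
                print("  FAIL", r["check"], "expected", r["expected"], "actual", r["actual"])
```

Evaluated against the baseline scan every check passes; against the later scan the pinned TLS setting and the hand-written Telnet check fail, which is the per-scan pass/fail signal the text describes. Recording a vanished attribute as a failed check rather than an exception matters in practice: a scan that silently skipped missing items would report a node as compliant when the monitored configuration had been removed.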

Public Policies

In the Policies drop-down menu, click Public to display the Public Policies page. Here, a list of the supported CIS benchmarks is displayed. For more information on this page, see Benchmarks.

Note: Alternatively, you can click All Policies to display both custom and public policies.