Policy Expression DSL
Policy files, stored at `policy/*.yml`, can be specified through the `-P` flag. If no policy file is specified, all policy files are checked to see whether the scan results match the rules in the file; when such a file is encountered, it is taken as the policy file. If no policy file matches, the fallback policy file is `mozilla_modern.yml`.

Rules can be specified using the key `rules`:

```yaml
rules:
  rule1...
  rule2...
```
Rules match against scan results. Using claudijd's gist, we could have a conditional like

```yaml
rules:
  ssh_version_eq: 2.0
  ssh_lib_eq: openssh
  ssh_lib_version_gte: 5.0
  ssh_lib_version_lt: 5.4
```

which would match against `(ssh_version == 2.0) && (ssh_lib == openssh) && (5.0 <= ssh_lib_version < 5.4)`.
(1) Boolean combinators (by default, rules can only be combined with `and`). This way we can do `not`, `or` and `and`, and give the user control. Since a YAML mapping cannot repeat the `and` key, the alternatives under `or` are written as a list:

```yaml
rules:
  or:
    - and:
        ssh_version_eq: 2.0
        ssh_lib_eq: openssh
    - and:
        ssh_version_eq: 1.34
        ssh_lib_eq: dropbear
```
(2) So far the policy file looks something like

```yaml
rules:
  ...
name: A
auth_methods:
  ...
kex:
  ...
encryption:
  ...
(so on)
```

However, we could alternatively have something like

```yaml
rules:
  ...
defaults:
  name: A
  auth_methods:
    ...
  kex:
    ...
  encryption:
    ...
  (so on)
```
and using YAML anchors, we can specify multiple policy specifications in less space, even specifying which policy specification to run:

```yaml
rules:
  openssh_2: # fire openssh_2
    and:
      ssh_lib: openssh
      ssh_lib_version_gte: 2.0
      ssh_lib_version_lt: 3.0
  openssh_3: # fire openssh_3
    and:
      ssh_lib: openssh
      ssh_lib_version_gte: 3.0
defaults: &defaults
  auth_methods:
    - publickey
  kex:
    - algo1
    - algo2
openssh_2:
  <<: *defaults
  encryption:
    - algo3
openssh_3:
  <<: *defaults
  encryption:
    - algo4
```
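As an added example (not ssh_scan project code), the following Ruby script implements the pieces sketched above end to end: the suffix-operator comparisons from the first rule example, the `and`/`or`/`not` combinators from (1), and the anchored policy layout from (2), where the rule that fires selects which specification the scan is checked against. It assumes a suffix set of `eq`, `ne`, `gt`, `gte`, `lt`, `lte` (a bare key means `eq`), that a list of rules is an implicit `and`, that the first matching rule wins, and that a violation is an algorithm the server offers that the selected specification does not list; the policy text and scan results are constructed for the example.

```ruby
require 'yaml'

# Comparison selected by a rule key's suffix, e.g. ssh_lib_version_gte.
# Assumed suffix set (not from the page): eq, ne, gt, gte, lt, lte; no suffix means eq.
OPERATORS = {
  'eq' => ->(a, b) { a == b }, 'ne' => ->(a, b) { a != b },
  'gt' => ->(a, b) { a > b },  'gte' => ->(a, b) { a >= b },
  'lt' => ->(a, b) { a < b },  'lte' => ->(a, b) { a <= b },
}.freeze
KEY_RE = /\A(.+?)(?:_(eq|ne|gt|gte|lt|lte))?\z/
VERSION_RE = /\A\d+(\.\d+)*\z/

# Dotted versions compare component-wise (5.10 > 5.4), not lexically or as floats.
# Caveat: an unquoted 5.10 in YAML is parsed as the float 5.1, so quote versions.
def coerce(value)
  s = value.to_s
  VERSION_RE.match?(s) ? Gem::Version.new(s) : value
end

# One leaf comparison, "field_op: expected", against the scan result hash.
def compare(key, expected, scan)
  field, op = KEY_RE.match(key.to_s).captures
  actual = scan[field]
  return false if actual.nil?
  a, b = coerce(actual), coerce(expected)
  return op == 'ne' unless a.class == b.class # e.g. "openssh" vs 2.0 is incomparable
  OPERATORS.fetch(op || 'eq').call(a, b)
end

# Evaluate a rule expression: a Hash is an implicit "and" over its keys, a list an
# implicit "and" over its elements; and/or/not are the explicit combinators.
def evaluate(rule, scan)
  case rule
  when Array then rule.all? { |sub| evaluate(sub, scan) }
  when Hash
    rule.all? do |key, value|
      case key
      when 'and' then evaluate(value, scan)
      when 'or'
        subs = value.is_a?(Hash) ? value.map { |k, v| { k => v } } : Array(value)
        subs.any? { |sub| evaluate(sub, scan) }
      when 'not' then !evaluate(value, scan)
      else compare(key, value, scan)
      end
    end
  else raise ArgumentError, "unsupported rule: #{rule.inspect}"
  end
end

# Constructed sample policy in the anchored layout (not a real ssh_scan policy file).
POLICY_YAML = <<~YAML
  rules:
    openssh_2:
      and: { ssh_lib: openssh, ssh_lib_version_gte: "2.0", ssh_lib_version_lt: "3.0" }
    openssh_3:
      and: { ssh_lib: openssh, ssh_lib_version_gte: "3.0" }
  defaults: &defaults
    auth_methods: [publickey]
    kex: [algo1, algo2]
  openssh_2:
    <<: *defaults
    encryption: [algo3]
  openssh_3:
    <<: *defaults
    encryption: [algo4]
YAML

# Anchors and merge keys need aliases enabled; safe_load still refuses to build
# arbitrary Ruby objects from an untrusted policy file.
def load_policy(text)
  YAML.safe_load(text, aliases: true)
end

# Name of the first rule whose expression matches the scan result, or nil.
def fired_rule(policy, scan)
  policy.fetch('rules').find { |_name, expr| evaluate(expr, scan) }&.first
end

# Select the specification for the fired rule and list, per field, every algorithm
# the scanned server offers that the specification does not allow.
def check(policy, scan)
  name = fired_rule(policy, scan)
  return { rule: nil, violations: {} } unless name
  violations = policy.fetch(name).each_with_object({}) do |(field, allowed), out|
    next unless allowed.is_a?(Array) && scan[field].is_a?(Array)
    extra = scan[field] - allowed
    out[field] = extra unless extra.empty?
  end
  { rule: name, violations: violations }
end

POLICY = load_policy(POLICY_YAML)

# Constructed scan results (not real ssh_scan output).
SCAN_OPENSSH_2 = { 'ssh_version' => '2.0', 'ssh_lib' => 'openssh', 'ssh_lib_version' => '2.9',
                   'auth_methods' => %w[publickey password], 'kex' => %w[algo1 algo9],
                   'encryption' => %w[algo3] }.freeze
SCAN_OPENSSH_3 = SCAN_OPENSSH_2.merge('ssh_lib_version' => '3.1', 'auth_methods' => %w[publickey],
                                      'kex' => %w[algo2], 'encryption' => %w[algo4]).freeze
SCAN_DROPBEAR = { 'ssh_version' => '1.34', 'ssh_lib' => 'dropbear', 'ssh_lib_version' => '2016.74' }.freeze

# The or/and rule from (1), as the loader represents it: a list under "or".
COMBINED_RULE = { 'or' => [{ 'and' => { 'ssh_version_eq' => 2.0, 'ssh_lib_eq' => 'openssh' } },
                           { 'and' => { 'ssh_version_eq' => 1.34, 'ssh_lib_eq' => 'dropbear' } }] }.freeze

puts check(POLICY, SCAN_OPENSSH_2).inspect if $PROGRAM_NAME == __FILE__
```

Run stand-alone it prints the fired rule and the out-of-policy algorithms for the first scan. Two points worth keeping from this sketch: version numbers in a policy should be quoted so `5.10` is not read as `5.1`, and the loader should be `safe_load` with aliases enabled rather than a full `load`, since a policy file handed in via `-P` is input too.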