Getting Familiar with Our Updated Policies Feature
By Greg Pollock on September 1, 2015
We've just updated the architecture of our Policies feature to optimize them for scale and usability. Once you've scanned your first node, creating policies to validate desired state is the next step.
You can access the "add to policy" option through the right click menu. (This is also where you find the ability to add items to an ignore list or generate code snippets for automation tools like Puppet and Chef.)
If you want to monitor something that isn't part of a default scan, you first need to add it to the scan options. Some types of scan options are fairly focused: connectivity checks, for example, only require you to select the connection protocol (TCP or UDP) and the port(s) you want to scan. Others are very broad: the directories option lets you specify any file path, including application configs, and the custom script option runs any command you give it. We use the custom script option to check for free disk space on our own instances, for example.
One of the benefits of adding those items as scan options is that they will be automatically monitored along with every other item on the node. By adding them to a policy you essentially escalate them from "things where I want to track state" to "things where I want to know if they step out of compliance."
When you right click and select "add to policy", the next step is to choose which group this policy will be applied to. Policies and scan options are always applied to groups rather than individual nodes to ensure that you get apples-to-apples comparisons of the state of your environments. After selecting a group, the next step is to add to an existing policy or create a new one.
The node page will now show those items passing their policy checks, since they were used to define the desired state. To see whether other nodes in the group are configured the same way, clicking the "generate report" button takes you to the results of that policy evaluated against every other node in the group. You can dig into the details of which checks are failing, and if you want to focus on failures you can use the toggles on the left to remove passing items (or to remove failing items if you need a self-esteem boost).
To edit a test, click on an item with a policy. You'll see the values that the scan has recorded and, if there are policy checks, the values the policies expect. If you want to change the check, clicking "edit" will allow you to modify the policy. Because policies are applied to a group, you might want to switch from an exact content check to one that ensures key lines of a config file are present, so that harmless differences between nodes (comments, ordering, locally managed lines) don't register as failures while the lines you actually care about still do. In edit mode you can customize your policy checks to make them as advanced as you want. Whatever changes you make will automatically be applied to the rest of the group.
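As an added illustration (not UpGuard's code, and not how the product implements policies internally), here is a small Python evaluator of the kinds of checks described above: an exact-content check versus a key-lines check on a config file, a TCP port check like the connectivity scan option, and a free-disk-space threshold like the custom script mentioned earlier, all evaluated across a group of nodes. The node names, the sshd_config contents and the thresholds are constructed sample data, and the baseline is taken from the node used to define the desired state, so that node passes by construction.

```python
"""Toy desired-state policy evaluator (added example, not product code).

Shows why an exact-content check is too strict across a group and how a
key-lines check keeps the security-relevant assertions while tolerating
comments and ordering differences.
"""
from dataclasses import dataclass

# Constructed scan results for a hypothetical three-node group.
BASELINE_SSHD = "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n"
GROUP_SCANS = {
    # web-01 defined the desired state, so its content is the baseline.
    "web-01": {"files": {"/etc/ssh/sshd_config": BASELINE_SSHD},
               "tcp_ports": {22, 443}, "disk_free_pct": {"/": 61}},
    # web-02 has the same settings, but with a comment and a different order.
    "web-02": {"files": {"/etc/ssh/sshd_config":
                         "# managed by cm\nPermitRootLogin no\nPort 22\nPasswordAuthentication no\n"},
               "tcp_ports": {22, 443}, "disk_free_pct": {"/": 18}},
    # web-03 really is out of compliance: root login allowed, no HTTPS listener.
    "web-03": {"files": {"/etc/ssh/sshd_config":
                         "Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n"},
               "tcp_ports": {22}, "disk_free_pct": {"/": 45}},
}


@dataclass
class Check:
    name: str
    kind: str      # "exact_content", "key_lines", "tcp_port", "disk_free_min"
    target: str    # file path, mount point, or protocol name
    expect: object


def evaluate_check(scan, check):
    """Return (passed, detail) for one check against one node's scan."""
    if check.kind == "exact_content":
        actual = scan["files"].get(check.target)
        ok = actual == check.expect
        return ok, "exact match" if ok else "content differs"
    if check.kind == "key_lines":
        content = scan["files"].get(check.target, "")
        # Compare on trimmed, non-comment lines so comments and order are ignored.
        present = {ln.strip() for ln in content.splitlines()
                   if ln.strip() and not ln.lstrip().startswith("#")}
        missing = [ln for ln in check.expect if ln not in present]
        return (not missing,
                ("missing: " + ", ".join(missing)) if missing else "all key lines present")
    if check.kind == "tcp_port":
        ok = check.expect in scan["tcp_ports"]
        return ok, f"{check.target}/{check.expect} {'open' if ok else 'closed'}"
    if check.kind == "disk_free_min":
        free = scan["disk_free_pct"].get(check.target, 0)
        return free >= check.expect, f"{free}% free (min {check.expect}%)"
    raise ValueError(f"unknown check kind {check.kind}")


def evaluate_policy(group_scans, checks):
    """Run every check on every node: {node: {check_name: (passed, detail)}}."""
    return {node: {c.name: evaluate_check(scan, c) for c in checks}
            for node, scan in group_scans.items()}


def failing_items(report):
    """Keep only failures, like the 'hide passing items' toggle in a report."""
    return {node: {name: detail for name, (ok, detail) in results.items() if not ok}
            for node, results in report.items()
            if any(not ok for ok, _ in results.values())}


# Policy 1: the naive exact-content check derived from web-01.
EXACT_POLICY = [Check("sshd exact", "exact_content", "/etc/ssh/sshd_config", BASELINE_SSHD)]

# Policy 2: key lines plus the connectivity and disk-space checks.
KEY_LINES_POLICY = [
    Check("sshd key lines", "key_lines", "/etc/ssh/sshd_config",
          ["PermitRootLogin no", "PasswordAuthentication no"]),
    Check("https listening", "tcp_port", "tcp", 443),
    Check("root fs free", "disk_free_min", "/", 20),
]

if __name__ == "__main__":
    for label, policy in (("exact", EXACT_POLICY), ("key lines", KEY_LINES_POLICY)):
        print(f"== {label} policy: failing items ==")
        for node, fails in failing_items(evaluate_policy(GROUP_SCANS, policy)).items():
            print(node, fails)
```

Under the exact-content policy web-02 fails even though its settings match, purely because of the comment line and ordering; under the key-lines policy it passes the sshd check and only its low disk space is reported, while web-03's permitted root login and missing HTTPS listener still show up as failures.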
To delete a policy, you must first remove it from any groups using it (a precaution so you don't step on anyone's toes). Go to the group, then click the blue "policies" tab in the upper right. This will show any policies that the group is currently using. Select "remove" from the dropdown to remove a policy from the group.
Once a policy is applied to a group, you can see how your nodes compare to their desired state by going to that policy's report. This is available at the top of the screen whenever you update or create a policy, or from the gear icon next to the policy name in the "Policies" section in the left pane. The policy report gives you a high-level view of your compliance for any period of time, which you can drill into to find the offending items.
To see what policies you have, and to see just the contents of those policies, select "Policies" from the "Manage" subnav. Here you can delete policies that no groups are using, check out the contents of each policy (and previous versions), or jump straight to the reporting view to see your current compliance. Whether you are creating, editing, or reading policies, whatever you need requires only a few clicks (and a few seconds) to get the information you want.