Merge pull request #148 from openappsec/orianelou-new-policy-files

Orianelou new policy files

build_system/docker/entry.sh

@@ -11,6 +11,7 @@ var_fog_address=
 var_proxy=
 var_mode=
 var_token=
+var_ignore=
 init=
 
 if [ ! -f /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT ]; then
@@ -33,6 +34,8 @@ while true; do
         var_proxy="$1"
     elif [ "$1" == "--hybrid-mode" ] || [ "$1" == "--standalone" ]; then
         var_mode="--hybrid_mode"
+    elif [ "$1" == "--no-upgrade" ]; then
+        var_ignore="--ignore all"
     elif [ "$1" == "--token" ]; then
         shift
         var_token="$1"
@@ -60,6 +63,9 @@ fi
 if [ ! -z $var_mode ]; then
     orchestration_service_installation_flags="$orchestration_service_installation_flags $var_mode"
 fi
+if [ ! -z "$var_ignore" ]; then
+    orchestration_service_installation_flags="$orchestration_service_installation_flags $var_ignore"
+fi
 
 
 /nano-service-installers/$ORCHESTRATION_INSTALLATION_SCRIPT --install $orchestration_service_installation_flags

config/k8s/latest/open-appsec-k8s-default-config-v1beta2.yaml

@@ -0,0 +1,126 @@
+# open-appsec default declarative configuration file
+# based on schema version: "v1beta2"
+# more information on declarative configuration: https://docs.openappsec.io
+
+apiVersion: openappsec.io/v1beta2
+kind: Policy
+metadata:
+  name: default-policy
+spec:
+  default:
+    # start in detect-learn and move to prevent-learn based on learning progress 
+    mode: detect-learn
+    threatPreventionPractices:
+    - default-threat-prevention-practice
+    accessControlPractices:
+    - default-access-control-practice
+    customResponses: default-web-user-response
+    triggers:
+    - default-log-trigger
+  specificRules:
+    - host: www.example.com
+      # this is an example for specific rule, adjust the values as required for the protected app
+      mode: detect-learn
+      threatPreventionPractices:
+      - default-threat-prevention-practice
+      accessControlPractices:
+      - default-access-control-practice
+      triggers:
+      - default-log-trigger
+---
+apiVersion: openappsec.io/v1beta2
+kind: ThreatPreventionPractice
+metadata:
+  name: default-threat-prevention-practice
+spec:
+  practiceMode: inherited
+  webAttacks:
+    overrideMode: inherited
+    minimumConfidence: high
+  intrusionPrevention:
+  # intrusion prevention (IPS) requires "Premium Edition"
+    overrideMode: inherited
+    maxPerformanceImpact: medium
+    minSeverityLevel: medium
+    minCveYear: 2016
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  fileSecurity:
+  # file security requires "Premium Edition"
+    overrideMode: inherited
+    minSeverityLevel: medium
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  snortSignatures:
+    # you must specify snort signatures in configmap or file to activate snort inspection
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  openapiSchemaValidation: # schema validation requires "Premium Edition"
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  antiBot: # antibot requires "Premium Edition"
+    overrideMode: inherited
+    injectedUris: []
+    validatedUris: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: AccessControlPractice
+metadata:
+  name: default-access-control-practice
+spec:
+  practiceMode: inherited
+  rateLimit:
+  # specify one or more rules below to use rate limiting
+    overrideMode: inherited
+    rules: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: LogTrigger
+metadata:
+  name: default-log-trigger
+spec:
+  accessControlLogging:
+    allowEvents: false
+    dropEvents: true
+  appsecLogging:
+    detectEvents: true
+    preventEvents: true
+    allWebRequests: false
+  extendedLogging:
+    urlPath: true
+    urlQuery: true
+    httpHeaders: false
+    requestBody: false      
+  additionalSuspiciousEventsLogging:
+    enabled: true
+    minSeverity: high
+    responseBody: false
+    responseCode: true
+  logDestination:
+    cloud: true
+    logToAgent: false
+    stdout:
+      format: json
+    
+---
+apiVersion: openappsec.io/v1beta2
+kind: CustomResponse
+metadata:
+  name: default-web-user-response
+spec:
+  mode: response-code-only
+  httpResponseCode: 403

config/k8s/latest/open-appsec-k8s-prevent-config-v1beta2.yaml

@@ -0,0 +1,126 @@
+# open-appsec default declarative configuration file
+# based on schema version: "v1beta2"
+# more information on declarative configuration: https://docs.openappsec.io
+
+apiVersion: openappsec.io/v1beta2
+kind: Policy
+metadata:
+  name: default-policy
+spec:
+  default:
+    # start in prevent-learn
+    mode: prevent-learn
+    threatPreventionPractices:
+    - default-threat-prevention-practice
+    accessControlPractices:
+    - default-access-control-practice
+    customResponses: default-web-user-response
+    triggers:
+    - default-log-trigger
+  specificRules:
+    - host: www.example.com
+      # this is an example for specific rule, adjust the values as required for the protected app
+      mode: prevent-learn
+      threatPreventionPractices:
+      - default-threat-prevention-practice
+      accessControlPractices:
+      - default-access-control-practice
+      triggers:
+      - default-log-trigger
+---
+apiVersion: openappsec.io/v1beta2
+kind: ThreatPreventionPractice
+metadata:
+  name: default-threat-prevention-practice
+spec:
+  practiceMode: inherited
+  webAttacks:
+    overrideMode: inherited
+    minimumConfidence: high
+  intrusionPrevention:
+  # intrusion prevention (IPS) requires "Premium Edition"
+    overrideMode: inherited
+    maxPerformanceImpact: medium
+    minSeverityLevel: medium
+    minCveYear: 2016
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  fileSecurity:
+  # file security requires "Premium Edition"
+    overrideMode: inherited
+    minSeverityLevel: medium
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  snortSignatures:
+    # you must specify snort signatures in configmap or file to activate snort inspection
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  openapiSchemaValidation: # schema validation requires "Premium Edition"
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  antiBot: # antibot requires "Premium Edition"
+    overrideMode: inherited
+    injectedUris: []
+    validatedUris: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: AccessControlPractice
+metadata:
+  name: default-access-control-practice
+spec:
+  practiceMode: inherited
+  rateLimit:
+  # specify one or more rules below to use rate limiting
+    overrideMode: inherited
+    rules: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: LogTrigger
+metadata:
+  name: default-log-trigger
+spec:
+  accessControlLogging:
+    allowEvents: false
+    dropEvents: true
+  appsecLogging:
+    detectEvents: true
+    preventEvents: true
+    allWebRequests: false
+  extendedLogging:
+    urlPath: true
+    urlQuery: true
+    httpHeaders: false
+    requestBody: false      
+  additionalSuspiciousEventsLogging:
+    enabled: true
+    minSeverity: high
+    responseBody: false
+    responseCode: true
+  logDestination:
+    cloud: true
+    logToAgent: false
+    stdout:
+      format: json
+    
+---
+apiVersion: openappsec.io/v1beta2
+kind: CustomResponse
+metadata:
+  name: default-web-user-response
+spec:
+  mode: response-code-only
+  httpResponseCode: 403

config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta1.yaml

@@ -0,0 +1,13 @@
+apiVersion: openappsec.io/v1beta1
+kind: Policy
+metadata:
+    name: open-appsec-best-practice-policy
+spec:
+    default:
+        mode: detect-learn
+        practices: [appsec-best-practice]
+        triggers: [appsec-log-trigger]
+        custom-response: 403-forbidden
+        source-identifiers: ""
+        trusted-sources: ""
+        exceptions: []

config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml

@@ -0,0 +1,13 @@
+apiVersion: openappsec.io/v1beta1
+kind: Policy
+metadata:
+    name: open-appsec-best-practice-policy
+spec:
+    default:
+        mode: prevent-learn
+        practices: [appsec-best-practice]
+        triggers: [appsec-log-trigger]
+        custom-response: 403-forbidden
+        source-identifiers: ""
+        trusted-sources: ""
+        exceptions: []

config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml

@@ -0,0 +1,126 @@
+# open-appsec default declarative configuration file
+# based on schema version: "v1beta2"
+# more information on declarative configuration: https://docs.openappsec.io
+
+apiVersion: openappsec.io/v1beta2
+kind: Policy
+metadata:
+  name: default-policy
+spec:
+  default:
+    # start in detect-learn and move to prevent-learn based on learning progress 
+    mode: detect-learn
+    threatPreventionPractices:
+    - default-threat-prevention-practice
+    accessControlPractices:
+    - default-access-control-practice
+    customResponses: default-web-user-response
+    triggers:
+    - default-log-trigger
+  specificRules:
+    - host: www.example.com
+      # this is an example for specific rule, adjust the values as required for the protected app
+      mode: detect-learn
+      threatPreventionPractices:
+      - default-threat-prevention-practice
+      accessControlPractices:
+      - default-access-control-practice
+      triggers:
+      - default-log-trigger
+---
+apiVersion: openappsec.io/v1beta2
+kind: ThreatPreventionPractice
+metadata:
+  name: default-threat-prevention-practice
+spec:
+  practiceMode: inherited
+  webAttacks:
+    overrideMode: inherited
+    minimumConfidence: high
+  intrusionPrevention:
+  # intrusion prevention (IPS) requires "Premium Edition"
+    overrideMode: inherited
+    maxPerformanceImpact: medium
+    minSeverityLevel: medium
+    minCveYear: 2016
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  fileSecurity:
+  # file security requires "Premium Edition"
+    overrideMode: inherited
+    minSeverityLevel: medium
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  snortSignatures:
+    # you must specify snort signatures in configmap or file to activate snort inspection
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  openapiSchemaValidation: # schema validation requires "Premium Edition"
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  antiBot: # antibot requires "Premium Edition"
+    overrideMode: inherited
+    injectedUris: []
+    validatedUris: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: AccessControlPractice
+metadata:
+  name: default-access-control-practice
+spec:
+  practiceMode: inherited
+  rateLimit:
+  # specify one or more rules below to use rate limiting
+    overrideMode: inherited
+    rules: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: LogTrigger
+metadata:
+  name: default-log-trigger
+spec:
+  accessControlLogging:
+    allowEvents: false
+    dropEvents: true
+  appsecLogging:
+    detectEvents: true
+    preventEvents: true
+    allWebRequests: false
+  extendedLogging:
+    urlPath: true
+    urlQuery: true
+    httpHeaders: false
+    requestBody: false      
+  additionalSuspiciousEventsLogging:
+    enabled: true
+    minSeverity: high
+    responseBody: false
+    responseCode: true
+  logDestination:
+    cloud: true
+    logToAgent: false
+    stdout:
+      format: json
+    
+---
+apiVersion: openappsec.io/v1beta2
+kind: CustomResponse
+metadata:
+  name: default-web-user-response
+spec:
+  mode: response-code-only
+  httpResponseCode: 403

config/k8s/v1beta2/open-appsec-k8s-prevent-config-v1beta2.yaml

@@ -0,0 +1,126 @@
+# open-appsec default declarative configuration file
+# based on schema version: "v1beta2"
+# more information on declarative configuration: https://docs.openappsec.io
+
+apiVersion: openappsec.io/v1beta2
+kind: Policy
+metadata:
+  name: default-policy
+spec:
+  default:
+    # start in prevent-learn
+    mode: prevent-learn
+    threatPreventionPractices:
+    - default-threat-prevention-practice
+    accessControlPractices:
+    - default-access-control-practice
+    customResponses: default-web-user-response
+    triggers:
+    - default-log-trigger
+  specificRules:
+    - host: www.example.com
+      # this is an example for specific rule, adjust the values as required for the protected app
+      mode: prevent-learn
+      threatPreventionPractices:
+      - default-threat-prevention-practice
+      accessControlPractices:
+      - default-access-control-practice
+      triggers:
+      - default-log-trigger
+---
+apiVersion: openappsec.io/v1beta2
+kind: ThreatPreventionPractice
+metadata:
+  name: default-threat-prevention-practice
+spec:
+  practiceMode: inherited
+  webAttacks:
+    overrideMode: inherited
+    minimumConfidence: high
+  intrusionPrevention:
+  # intrusion prevention (IPS) requires "Premium Edition"
+    overrideMode: inherited
+    maxPerformanceImpact: medium
+    minSeverityLevel: medium
+    minCveYear: 2016
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  fileSecurity:
+  # file security requires "Premium Edition"
+    overrideMode: inherited
+    minSeverityLevel: medium
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  snortSignatures:
+    # you must specify snort signatures in configmap or file to activate snort inspection
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  openapiSchemaValidation: # schema validation requires "Premium Edition"
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  antiBot: # antibot requires "Premium Edition"
+    overrideMode: inherited
+    injectedUris: []
+    validatedUris: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: AccessControlPractice
+metadata:
+  name: default-access-control-practice
+spec:
+  practiceMode: inherited
+  rateLimit:
+  # specify one or more rules below to use rate limiting
+    overrideMode: inherited
+    rules: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: LogTrigger
+metadata:
+  name: default-log-trigger
+spec:
+  accessControlLogging:
+    allowEvents: false
+    dropEvents: true
+  appsecLogging:
+    detectEvents: true
+    preventEvents: true
+    allWebRequests: false
+  extendedLogging:
+    urlPath: true
+    urlQuery: true
+    httpHeaders: false
+    requestBody: false      
+  additionalSuspiciousEventsLogging:
+    enabled: true
+    minSeverity: high
+    responseBody: false
+    responseCode: true
+  logDestination:
+    cloud: true
+    logToAgent: false
+    stdout:
+      format: json
+    
+---
+apiVersion: openappsec.io/v1beta2
+kind: CustomResponse
+metadata:
+  name: default-web-user-response
+spec:
+  mode: response-code-only
+  httpResponseCode: 403

config/linux/latest/detect/local_policy.yaml

@@ -0,0 +1,62 @@
+policies:
+  default:
+    triggers:
+    - appsec-default-log-trigger
+    mode: detect-learn
+    practices:
+    - webapp-default-practice
+    custom-response: appsec-default-web-user-response
+  specific-rules: []
+
+practices:
+  - name: webapp-default-practice
+    openapi-schema-validation:
+      configmap: []
+      override-mode: detect-learn
+    snort-signatures:
+      configmap: []
+      override-mode: detect-learn
+    web-attacks:
+      max-body-size-kb: 1000000
+      max-header-size-bytes: 102400
+      max-object-depth: 40
+      max-url-size-bytes: 32768
+      minimum-confidence: critical
+      override-mode: detect-learn
+      protections:
+        csrf-protection: inactive
+        error-disclosure: inactive
+        non-valid-http-methods: false
+        open-redirect: inactive
+    anti-bot:
+      injected-URIs: []
+      validated-URIs: []
+      override-mode: detect-learn
+
+log-triggers:
+  - name: appsec-default-log-trigger
+    access-control-logging:
+      allow-events: false
+      drop-events: true
+    additional-suspicious-events-logging:
+      enabled: true
+      minimum-severity: high
+      response-body: false
+    appsec-logging:
+      all-web-requests: false
+      detect-events: true
+      prevent-events: true
+    extended-logging:
+      http-headers: false
+      request-body: false
+      url-path: false
+      url-query: false
+    log-destination:
+      cloud: true
+      stdout:
+        format: json
+
+custom-responses:
+  - name: appsec-default-web-user-response
+    mode: response-code-only
+    http-response-code: 403

config/linux/latest/prevent/local_policy.yaml

@@ -0,0 +1,62 @@
+policies:
+  default:
+    triggers:
+    - appsec-default-log-trigger
+    mode: prevent-learn
+    practices:
+    - webapp-default-practice
+    custom-response: appsec-default-web-user-response
+  specific-rules: []
+
+practices:
+  - name: webapp-default-practice
+    openapi-schema-validation:
+      configmap: []
+      override-mode: prevent-learn
+    snort-signatures:
+      configmap: []
+      override-mode: prevent-learn
+    web-attacks:
+      max-body-size-kb: 1000000
+      max-header-size-bytes: 102400
+      max-object-depth: 40
+      max-url-size-bytes: 32768
+      minimum-confidence: critical
+      override-mode: prevent-learn
+      protections:
+        csrf-protection: inactive
+        error-disclosure: inactive
+        non-valid-http-methods: false
+        open-redirect: inactive
+    anti-bot:
+      injected-URIs: []
+      validated-URIs: []
+      override-mode: prevent-learn
+
+log-triggers:
+  - name: appsec-default-log-trigger
+    access-control-logging:
+      allow-events: false
+      drop-events: true
+    additional-suspicious-events-logging:
+      enabled: true
+      minimum-severity: high
+      response-body: false
+    appsec-logging:
+      all-web-requests: false
+      detect-events: true
+      prevent-events: true
+    extended-logging:
+      http-headers: false
+      request-body: false
+      url-path: false
+      url-query: false
+    log-destination:
+      cloud: true
+      stdout:
+        format: json
+
+custom-responses:
+  - name: appsec-default-web-user-response
+    mode: response-code-only
+    http-response-code: 403

config/linux/v1beta1/detect/local_policy.yaml

@@ -0,0 +1,62 @@
+policies:
+  default:
+    triggers:
+    - appsec-default-log-trigger
+    mode: detect-learn
+    practices:
+    - webapp-default-practice
+    custom-response: appsec-default-web-user-response
+  specific-rules: []
+
+practices:
+  - name: webapp-default-practice
+    openapi-schema-validation:
+      configmap: []
+      override-mode: detect-learn
+    snort-signatures:
+      configmap: []
+      override-mode: detect-learn
+    web-attacks:
+      max-body-size-kb: 1000000
+      max-header-size-bytes: 102400
+      max-object-depth: 40
+      max-url-size-bytes: 32768
+      minimum-confidence: critical
+      override-mode: detect-learn
+      protections:
+        csrf-protection: inactive
+        error-disclosure: inactive
+        non-valid-http-methods: false
+        open-redirect: inactive
+    anti-bot:
+      injected-URIs: []
+      validated-URIs: []
+      override-mode: detect-learn
+
+log-triggers:
+  - name: appsec-default-log-trigger
+    access-control-logging:
+      allow-events: false
+      drop-events: true
+    additional-suspicious-events-logging:
+      enabled: true
+      minimum-severity: high
+      response-body: false
+    appsec-logging:
+      all-web-requests: false
+      detect-events: true
+      prevent-events: true
+    extended-logging:
+      http-headers: false
+      request-body: false
+      url-path: false
+      url-query: false
+    log-destination:
+      cloud: true
+      stdout:
+        format: json
+
+custom-responses:
+  - name: appsec-default-web-user-response
+    mode: response-code-only
+    http-response-code: 403

config/linux/v1beta1/prevent/local_policy.yaml

@@ -0,0 +1,62 @@
+policies:
+  default:
+    triggers:
+    - appsec-default-log-trigger
+    mode: prevent-learn
+    practices:
+    - webapp-default-practice
+    custom-response: appsec-default-web-user-response
+  specific-rules: []
+
+practices:
+  - name: webapp-default-practice
+    openapi-schema-validation:
+      configmap: []
+      override-mode: prevent-learn
+    snort-signatures:
+      configmap: []
+      override-mode: prevent-learn
+    web-attacks:
+      max-body-size-kb: 1000000
+      max-header-size-bytes: 102400
+      max-object-depth: 40
+      max-url-size-bytes: 32768
+      minimum-confidence: critical
+      override-mode: prevent-learn
+      protections:
+        csrf-protection: inactive
+        error-disclosure: inactive
+        non-valid-http-methods: false
+        open-redirect: inactive
+    anti-bot:
+      injected-URIs: []
+      validated-URIs: []
+      override-mode: prevent-learn
+
+log-triggers:
+  - name: appsec-default-log-trigger
+    access-control-logging:
+      allow-events: false
+      drop-events: true
+    additional-suspicious-events-logging:
+      enabled: true
+      minimum-severity: high
+      response-body: false
+    appsec-logging:
+      all-web-requests: false
+      detect-events: true
+      prevent-events: true
+    extended-logging:
+      http-headers: false
+      request-body: false
+      url-path: false
+      url-query: false
+    log-destination:
+      cloud: true
+      stdout:
+        format: json
+
+custom-responses:
+  - name: appsec-default-web-user-response
+    mode: response-code-only
+    http-response-code: 403

config/linux/v1beta2/default/local_policy.yaml

@@ -0,0 +1,111 @@
+# open-appsec default declarative configuration file
+# based on schema version: "v1beta2"
+# more information on declarative configuration: https://docs.openappsec.io
+
+apiVersion: v1beta2
+
+policies:
+  default:
+    # start in detect-learn and move to prevent-learn based on learning progress 
+    mode: detect-learn
+    threatPreventionPractices:
+    - default-threat-prevention-practice
+    accessControlPractices:
+    - default-access-control-practice
+    customResponses: default-web-user-response
+    triggers:
+    - default-log-trigger
+  specificRules:
+    - host: www.example.com
+      # this is an example for specific rule, adjust the values as required for the protected app
+      mode: detect-learn
+      threatPreventionPractices:
+      - default-threat-prevention-practice
+      accessControlPractices:
+      - default-access-control-practice
+      triggers:
+      - default-log-trigger
+
+threatPreventionPractices:
+  - name: default-threat-prevention-practice
+    practiceMode: inherited
+    webAttacks:
+      overrideMode: inherited
+      minimumConfidence: high
+    intrusionPrevention:
+    # intrusion prevention (IPS) requires "Premium Edition"
+      overrideMode: inherited
+      maxPerformanceImpact: medium
+      minSeverityLevel: medium
+      minCveYear: 2016
+      highConfidenceEventAction: inherited
+      mediumConfidenceEventAction: inherited
+      lowConfidenceEventAction: detect
+    fileSecurity:
+    # file security requires "Premium Edition"
+      overrideMode: inherited
+      minSeverityLevel: medium
+      highConfidenceEventAction: inherited
+      mediumConfidenceEventAction: inherited
+      lowConfidenceEventAction: detect
+    snortSignatures:
+      # you must specify snort signatures in configmap or file to activate snort inspection
+      overrideMode: inherited
+      configmap: []
+      # relevant for deployments on kubernetes
+      # 0 or 1 configmaps supported in array
+      files: []
+      # relevant for docker and linux embedded deployments
+      # 0 or 1 files supported in array
+    openapiSchemaValidation: # schema validation requires "Premium Edition" 
+      overrideMode: inherited
+      configmap: []
+      # relevant for deployments on kubernetes
+      # 0 or 1 configmaps supported in array
+      files: []
+      # relevant for docker and linux embedded deployments
+      # 0 or 1 files supported in array
+    antiBot: # antibot requires "Premium Edition" 
+      overrideMode: inherited
+      injectedUris: []
+      validatedUris: []
+
+accessControlPractices:
+  - name: default-access-control-practice
+    practiceMode: inherited
+    rateLimit:
+    # specify one or more rules below to use rate limiting
+      overrideMode: inherited
+      rules: []
+
+logTriggers:
+  - name: default-log-trigger
+    accessControlLogging:
+      allowEvents: false
+      dropEvents: true
+    appsecLogging:
+      detectEvents: true
+      preventEvents: true
+      allWebRequests: false
+    extendedLogging:
+      urlPath: true
+      urlQuery: true
+      httpHeaders: false
+      requestBody: false      
+    additionalSuspiciousEventsLogging:
+      enabled: true
+      minSeverity: high
+      responseBody: false
+      responseCode: true
+
+    logDestination:
+      cloud: true
+      logToAgent: false
+      stdout:
+        format: json
+
+customResponses:
+  - name: default-web-user-response
+    mode: response-code-only
+    httpResponseCode: 403
+

config/linux/v1beta2/prevent/local_policy.yaml

@@ -0,0 +1,110 @@
+# open-appsec default declarative configuration file
+# based on schema version: "v1beta2"
+# more information on declarative configuration: https://docs.openappsec.io
+
+apiVersion: v1beta2
+
+policies:
+  default:
+    # start in prevent-learn 
+    mode: prevent-learn
+    threatPreventionPractices:
+    - default-threat-prevention-practice
+    accessControlPractices:
+    - default-access-control-practice
+    customResponses: default-web-user-response
+    triggers:
+    - default-log-trigger
+  specificRules:
+    - host: www.example.com
+      # this is an example for specific rule, adjust the values as required for the protected app
+      mode: detect-learn
+      threatPreventionPractices:
+      - default-threat-prevention-practice
+      accessControlPractices:
+      - default-access-control-practice
+      triggers:
+      - default-log-trigger
+
+threatPreventionPractices:
+  - name: default-threat-prevention-practice
+    practiceMode: inherited
+    webAttacks:
+      overrideMode: inherited
+      minimumConfidence: high
+    intrusionPrevention:
+    # intrusion prevention (IPS) requires "Premium Edition"
+      overrideMode: inherited
+      maxPerformanceImpact: medium
+      minSeverityLevel: medium
+      minCveYear: 2016
+      highConfidenceEventAction: inherited
+      mediumConfidenceEventAction: inherited
+      lowConfidenceEventAction: detect
+    fileSecurity:
+    # file security requires "Premium Edition"
+      overrideMode: inherited
+      minSeverityLevel: medium
+      highConfidenceEventAction: inherited
+      mediumConfidenceEventAction: inherited
+      lowConfidenceEventAction: detect
+    snortSignatures:
+      # you must specify snort signatures in configmap or file to activate snort inspection
+      overrideMode: inherited
+      configmap: []
+      # relevant for deployments on kubernetes
+      # 0 or 1 configmaps supported in array
+      files: []
+      # relevant for docker and linux embedded deployments
+      # 0 or 1 files supported in array
+    openapiSchemaValidation: # schema validation requires "Premium Edition" 
+      overrideMode: inherited
+      configmap: []
+      # relevant for deployments on kubernetes
+      # 0 or 1 configmaps supported in array
+      files: []
+      # relevant for docker and linux embedded deployments
+      # 0 or 1 files supported in array
+    antiBot: # antibot requires "Premium Edition" 
+      overrideMode: inherited
+      injectedUris: []
+      validatedUris: []
+
+accessControlPractices:
+  - name: default-access-control-practice
+    practiceMode: inherited
+    rateLimit:
+    # specify one or more rules below to use rate limiting
+      overrideMode: inherited
+      rules: []
+
+logTriggers:
+  - name: default-log-trigger
+    accessControlLogging:
+      allowEvents: false
+      dropEvents: true
+    appsecLogging:
+      detectEvents: true
+      preventEvents: true
+      allWebRequests: false
+    extendedLogging:
+      urlPath: true
+      urlQuery: true
+      httpHeaders: false
+      requestBody: false      
+    additionalSuspiciousEventsLogging:
+      enabled: true
+      minSeverity: high
+      responseBody: false
+      responseCode: true
+
+    logDestination:
+      cloud: true
+      logToAgent: false
+      stdout:
+        format: json
+
+customResponses:
+  - name: default-web-user-response
+    mode: response-code-only
+    httpResponseCode: 403

examples/local_policy.yaml

@@ -24,10 +24,10 @@ practices:
       minimum-confidence: critical
       override-mode: prevent-learn
       protections:
-        csrf-protection: prevent-learn
+        csrf-protection: inactive
-        error-disclosure: prevent-learn
+        error-disclosure: inactive
-        non-valid-http-methods: true
+        non-valid-http-methods: false
-        open-redirect: prevent-learn
+        open-redirect: inactive
     anti-bot:
       injected-URIs: []
       validated-URIs: []
@@ -59,4 +59,4 @@ log-triggers:
 custom-responses:
   - name: appsec-default-web-user-response
     mode: response-code-only
-    http-response-code: 403
+    http-response-code: 403