Compliance for Custom Systems
ENTERPRISE

For some system-types, often to meet organization compliance requirements, it is useful to continually monitor a real-world system and enumerate all resources which violate a particular policy. A Custom system allows you to do this, but unlike other system-types (such as Kubernetes), which automatically know how and what to monitor, you must write the policy that identifies which resources are in violation.

To provide the list of resources, you dedicate a portion of the pre-built data source dataset to storing those resources. For example, you can use data.dataset.resources. When you work outside Styra DAS, you must periodically push the current resource list into the data source at the appropriate location.

Additionally, create a Monitor policy which returns the list of resources that violate your core policy as follows:

Note: This policy utilizes the Rules policy to make the actual decision on a single resource, but this is optional.

package monitor

# The list of resources that you want to monitor.
import data.dataset.resources

# A rule that returns the list of resource-message pairs that violate a policy.
monitoring_failure[[resource, message]] {
    # Iterate over the list of resources.
    some i
    resource := data.dataset.resources[i]

    # Run that resource against the Rules policy.
    not data.rules.allow with input as resource

    # Construct the message to show on the compliance report.
    message := sprintf("Resource %v/%v violated policy", [resource.id, resource.name])
}

Now, you have the same compliance functionality that you do with DAS systems which support Compliance out-of-the-box:

  • The Compliance report can be found by clicking on your system in the left-hand navigation panel and choosing the Compliance tab.

  • The Compliance time-series graph is shown by clicking on your system in the left-hand navigation panel and choosing the Monitoring tab.
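
The Monitor policy above can be exercised with opa test before it feeds a compliance report. The following is an added example, not part of the Styra documentation: the Rules policy (allow only encrypted resources), the resource fields other than id and name, and the sample data are assumptions, and it uses the same pre-1.0 Rego syntax as the page.

```rego
# Added example (hypothetical Rules policy plus tests). Load it together with
# the page's "package monitor" file and run: opa test .
package rules

default allow = false

# Hypothetical core policy: a resource is compliant only when it is encrypted.
allow {
    input.encrypted == true
}

# Constructed sample of a list pushed to data.dataset.resources.
complete_resources = [
    {"id": "r-1", "name": "billing-db", "encrypted": true},
    {"id": "r-2", "name": "audit-logs", "encrypted": false}
]

# Constructed resource that violates the policy but has no "name" field.
incomplete_resources = [
    {"id": "r-3", "encrypted": false}
]

# r-1 is allowed by the Rules policy, so only r-2 appears in the result set.
test_only_violating_resource_is_reported {
    failures := data.monitor.monitoring_failure with data.dataset.resources as complete_resources
    failures == {[complete_resources[1], "Resource r-2/audit-logs violated policy"]}
}

# Caveat: r-3 violates the policy, but resource.name is undefined, which makes
# the sprintf line in the monitor rule undefined. The rule body fails for r-3,
# so the violation never reaches the compliance report.
test_resource_without_name_is_silently_dropped {
    failures := data.monitor.monitoring_failure with data.dataset.resources as incomplete_resources
    count(failures) == 0
}

# The same resource is still denied by the Rules policy itself.
test_resource_without_name_is_denied {
    not allow with input as incomplete_resources[0]
}
```

The second test shows why every resource pushed to the dataset should carry the fields the message uses: a record without them is denied by the Rules policy yet missing from the violation list.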