
Compliance for Custom System

For some system types, often for the sake of compliance, it is useful to continually monitor a real-world system and enumerate all the resources that violate a particular policy. A Custom system lets you do this, but unlike other system types (such as Kubernetes) that automatically know how and what to monitor, you must write the policy that identifies which resources are in violation.

To provide the list of resources, you dedicate a portion of the pre-built data source dataset to store those resources, for example, data.dataset.resources. When you work outside the Styra DAS, you must periodically push the current resource list into the data source at that location.

Additionally, you write a Monitor policy that returns the list of resources violating your core policy, as follows:

Note: This policy uses the Rules policy to make the actual decision on a single resource, but this is optional.

package monitor

# The list of resources that you want to monitor.
import data.dataset.resources

# A rule that returns the set of resource-message pairs that violate a policy.
monitoring_failure[[resource, message]] {
    # Iterate over the list of resources.
    some i
    resource := resources[i]
    # Evaluate the Rules policy with this resource as the input document.
    not data.rules.allow with input as resource
    # Construct the message to show on the compliance report.
    message := sprintf("Resource %v/%v violated policy", [resource.id, resource.name])
}
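As an added illustration (not from the Styra documentation), here is a hypothetical Rules policy that the monitor above could consult, together with a unit test that substitutes a constructed resource list for data.dataset.resources and checks what the monitor reports. It assumes the monitor rule evaluates the core policy as `data.rules.allow with input as resource`; the resource fields (`id`, `name`, `tags.owner`, `public`), the compliance condition, and the package name `monitor_test` are assumptions made for this example.

```rego
# --- rules.rego: the core policy the monitor consults for each resource ---
package rules

# Hypothetical core policy (assumed for this example): a resource is
# compliant only when it carries a non-empty "owner" tag and is not public.
default allow = false

allow {
    input.tags.owner != ""
    not input.public
}

# --- monitor_test.rego: unit test for the monitor policy ---
package monitor_test

import data.monitor.monitoring_failure

# Constructed sample inventory standing in for data.dataset.resources.
sample_resources := [
    {"id": "bkt-1", "name": "logs", "tags": {"owner": "sre"}, "public": false},
    {"id": "bkt-2", "name": "uploads", "tags": {}, "public": false},
    {"id": "bkt-3", "name": "site", "tags": {"owner": "web"}, "public": true},
]

# Only the two non-compliant resources appear in the report: one is missing
# its owner tag, the other is publicly exposed.
test_monitor_reports_violations {
    failures := monitoring_failure with data.dataset.resources as sample_resources
    count(failures) == 2
    failures[[sample_resources[1], "Resource bkt-2/uploads violated policy"]]
    failures[[sample_resources[2], "Resource bkt-3/site violated policy"]]
}

# The compliant resource must not be reported.
test_monitor_omits_compliant_resource {
    failures := monitoring_failure with data.dataset.resources as sample_resources
    not failures[[sample_resources[0], "Resource bkt-1/logs violated policy"]]
}
```

Rego allows one package per file, so split the block at the file-separator comments, place both files next to the monitor policy, and run `opa test -v .`. Because the test mocks data.dataset.resources with `with`, the monitor can be checked offline without pushing anything to a data source.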

Now, you have the same compliance functionality that you do with DAS systems that support Compliance out-of-the-box as follows:

  • The Compliance report can be found by clicking on your system's name in the left-hand navigation panel and choosing the Compliance tab on the right-hand side.

  • The Compliance time-series graph is shown by clicking on your system's name in the left-hand navigation panel and choosing the Dashboard tab.