Custom Compliance content allows you to define your own security standards that supplement the library of security benchmarks and checks built into Tanzu Salt.
Custom content is useful for enhancing Tanzu Salt policies to fit your internal requirements.
Tanzu Salt includes a Custom Content Software Development Kit (SDK) you can use to create, test, and build your own custom security content. You can import your custom security content to use alongside the Tanzu Salt built-in security library for assessment and remediation. The ability to import custom content also allows you to version your content using a version control system of your choice, such as Git.
To use custom checks, you must first initialize the Tanzu Salt Custom Content SDK. The SDK includes sample files you can modify to create your own custom checks, as well as benchmarks. The SDK also includes a Docker-based testing environment where you can test your new content.
Once your custom content is created and tested, you can build a content file and import it into Tanzu Salt to begin assessing and remediating. Custom checks are marked with a user icon, in contrast with built-in Tanzu Salt checks, which are marked with a shield icon. Tanzu Salt tracks dependencies between policies and your custom content, and provides a list of dependencies that might break if you delete the content.
From the command line, navigate to the directory containing the file and run the command:
| Operating System | Command |
|---|---|
| Mac OS or Linux | `./secops_sdk init` |
| Windows | `secops_sdk.exe init` |
No output is shown, which is expected. Your directory contains these folders and files:
(Optional) Commit changes to a version-controlled repository.
To create custom checks, in the Custom Content SDK, navigate to salt/locke/custom. To create custom benchmarks, skip to step 8.
Note:
All custom checks must be configured in both a state (.sls) and corresponding meta (.meta) file.
Create a copy for both a sample state (.sls) and corresponding meta (.meta) file, and rename both with your desired custom name. Save both of these files together in any subdirectory of salt/locke/custom.
Both files must be in the same directory and start with the same name, for example: my_first_check.meta and my_first_check.sls.
Edit the contents of the meta file to customize the check based on your needs.
Note:
Check meta files contain references to different benchmarks. When creating custom content, ensure that you include all associated benchmarks in your check meta file.
Edit the contents of the state file.
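As an added illustration of what a custom state file can contain (this is not one of the SDK's sample files), the state below implements a mount-hardening check. The mounts subdirectory, the file name and the chosen mount options are assumptions for this example; the companion my_first_check.meta file is the renamed copy of the sample meta file from the previous steps.

```yaml
# Added example state: salt/locke/custom/mounts/my_first_check.sls
# (assumed path; my_first_check.meta is saved beside it).
# Asserts that /tmp is a tmpfs mount carrying the nodev, nosuid and
# noexec options. Applied with test=True, Salt only reports whether the
# mount would change, which is the assessment behaviour a check needs;
# applied without test=True, the same state remediates the mount.
tmp_mount_hardened:
  mount.mounted:
    - name: /tmp
    - device: tmpfs
    - fstype: tmpfs
    - opts:
      - nodev
      - nosuid
      - noexec
    - persist: True      # also write the entry to /etc/fstab
    - mkmnt: True        # create the mount point if it is missing
```

Because the check is an ordinary Salt state, it is applied inside the SDK testing container with the state.apply command shown in the testing table, addressed by its dotted path locke.custom.mounts.my_first_check.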
Sample_benchmark.meta, and rename it with your desired custom name.
Your custom checks and benchmarks are created. If needed, you can delete a custom check or benchmark by navigating to Compliance > Checks or Compliance > Benchmarks, clicking the menu icon next to the custom content, and clicking Delete.
After creating your custom content, you can test it by opening the command line, navigating to the Custom Content SDK sample_tests directory, and running these commands:
| Command | Result |
|---|---|
| 1. `./build.sh` | Builds a Docker image of CentOS 7 with Salt for testing. |
| 2. `./up.sh` | Starts the testing container. |
| 3. `./test.sh salt-call --local state.apply locke.custom.mounts.my_first_check test=True` | Runs sample tests on checks you created in the salt/locke/custom directory. You can initiate custom checks as you would normal Salt states. For more information on Salt states, see How do I use Salt States. |
| 4. `./down.sh` | After testing is complete, run this command to shut down the testing container. |
After testing your custom content, you can build your custom content library.