How do I create a vulnerability policy

To begin using Tanzu Salt for vulnerability scans, first create your security policy. In your policy, add the minions you want to target in an assessment and determine the assessment’s run schedule.

A vulnerability policy consists of a target and an assessment schedule. The target determines which minions to include in an assessment and the schedule determines when assessments will be run. A security policy also stores the results of the most recent assessment in Tanzu Salt. Policies can also include schedules, as well as specifications for handling exemptions.

Choose the schedule frequency from Recurring, Repeat Date & Time, Once, or Cron Expression. Additional options are available, depending on the scheduled activity, and on the schedule frequency you choose. This table explains the schedule options:

| Schedule option | Description |
| --- | --- |
| Recurring | Set an interval for repeating the schedule, with optional fields for start or end date, splay, and maximum number of parallel jobs. |
| Once | Choose to repeat the schedule weekly or daily, with optional fields for start or end date, and maximum number of parallel jobs. |
| Cron | Enter a cron expression to define a custom schedule based on Croniter syntax. For best results, avoid scheduling jobs less than 60 seconds apart when defining a custom cron expression. For more information, see the Cron Editor for guidelines. |
| Not Scheduled (on demand) | Choose to run only single assessments as needed. No set schedule is defined. |

Note:
In the schedule editor, the terms “Job” and “Assessment” are used interchangeably. When you define a schedule for the policy, you are scheduling the assessment only—not the remediation.
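
The following is an added example, not part of the Tanzu Salt documentation or product: a pre-check for the cron guidance above that flags expressions able to fire less than 60 seconds apart. It assumes an optional sixth trailing field holds seconds, as in croniter's default layout, and it handles numeric fields only.

```python
import re

# (min, max) per field: minute, hour, day-of-month, month, day-of-week, plus
# an optional trailing seconds field (assumed croniter six-field layout).
BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7), (0, 59)]
PART = re.compile(r"(\*|\d+(?:-\d+)?)(?:/(\d+))?")

def expand_field(field, lo, hi):
    """Expand a numeric cron field (*, lists, ranges, steps) to sorted values."""
    values = set()
    for part in field.split(","):
        m = PART.fullmatch(part)
        if not m:  # names (MON, JAN) and L/#/? are out of scope for this example
            raise ValueError(f"unsupported field syntax: {part!r}")
        base, step = m.group(1), int(m.group(2) or 1)
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            start, end = map(int, base.split("-"))
        else:
            start = int(base)
            end = hi if m.group(2) else start  # "5/10" means 5, 15, 25, ...
        if step < 1 or not lo <= start <= end <= hi:
            raise ValueError(f"value out of range in {part!r}")
        values.update(range(start, end + 1, step))
    return sorted(values)

def min_gap_seconds(expr):
    """Lower bound on the gap between two consecutive firings of expr."""
    fields = expr.split()
    if len(fields) not in (5, 6):
        raise ValueError("expected 5 fields, or 6 with trailing seconds")
    expanded = [expand_field(f, *BOUNDS[i]) for i, f in enumerate(fields)]
    if len(fields) == 5:
        return 60  # minute resolution: firings are never closer than 60 s
    secs = expanded[5]
    gaps = [b - a for a, b in zip(secs, secs[1:])]
    gaps.append(secs[0] + 60 - secs[-1])  # last firing in a minute to first in the next
    return min(gaps)

def meets_60s_guideline(expr):
    """True when the expression cannot fire twice within 60 seconds."""
    return min_gap_seconds(expr) >= 60

# Constructed sample expressions, not taken from the product documentation.
SAMPLES = ["0 2 * * *", "*/5 * * * *", "0 2 * * 1-5 30", "* * * * * */15"]

if __name__ == "__main__":
    for expr in SAMPLES:
        print(f"{expr!r}: min gap {min_gap_seconds(expr)} s, ok={meets_60s_guideline(expr)}")
```

The pass/fail verdict is exact for numeric expressions; the reported gap is a lower bound because the wrap-around between minutes is counted even when the minute field does not match consecutive minutes.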

Prerequisites

Before creating your first security policy, you need access to the vulnerability library. For more information, see Using the vulnerability library.

You must also create the targets that you want to assess before creating your policy. A target is the group of assets (referred to as minions) your policy will apply to.

Note:
A target is the group of minions, across one or many Salt masters, that a job’s Salt command applies to. A Salt master can also be managed like a minion and can be a target if it is running the minion service. When you choose a target in Tanzu Salt, you define the group of assets (referred to as minions) your policy will apply to. You can choose an existing target or create a new one.

Procedure

  1. In the Vulnerability workspace, click Create Policy.

  2. Enter a policy name and select the target you want to assess.

    Note:
    Scanning a large number of minions might result in long processing times. This could also delay other processes, such as jobs running, in Tanzu Salt. Make sure to account for extra time required to run large assessments.

  3. Define a schedule frequency.

  4. (Optional) Select Run assessment on save.

  5. Click Save.

The policy is saved. If you selected Run assessment on save, the policy is run immediately after saving. If necessary, you can edit a policy by selecting the policy from the Vulnerability workspace and clicking Edit Policy and then Save.
