Policy Library

Congress bundles a library of useful policies to help users get started.

For example, the policy in library/volume_encryption/servers_unencrypted_volume.yaml identifies servers with unencrypted volumes attached and raises a warning for each, escalating to an error when the server is also not covered by a protected security group:

---
name: VolumeEncryption
description: "Warn/error on servers with unencrypted volumes attached."
depends-on:
  - SecurityGroups
rules:
  -
    rule: >
      servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name) :-
        nova:servers(id=server_id, name=server_name),
        cinder:attachments(volume_id=volume_id, server_id=server_id),
        cinder:volumes(id=volume_id, name=volume_name, encrypted=False)
  -
    comment: "Warn on servers with unencrypted volume."
    rule: >
      warning(server_id, server_name, volume_id, volume_name) :-
        servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)

  -
    comment: "Servers with unencrypted volume, which is also not covered by
      a protected security group."
    rule: >
      unprotected_servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name) :-
        servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name),
        SecurityGroups:unprotected_servers(server_id)
  -
    comment: "Error on servers with unencrypted volume, which is also not covered by
      a protected security group."
    rule: >
      error(server_id, server_name, volume_id, volume_name) :-
        unprotected_servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)
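
As an added example (not code from the Congress project), the following Python evaluates the same four rules over constructed Nova, Cinder and SecurityGroups rows, so you can see which tuples land in warning() and which escalate to error(). The UNPROTECTED_SERVERS set stands in for the SecurityGroups policy's unprotected_servers table and is an assumption, as are all row values.

```python
# Added example: plain-Python evaluation of the VolumeEncryption policy above
# over constructed sample tables. Not part of Congress; all rows are made up.
from typing import List, Tuple

# Constructed rows mirroring the datasource tables the Datalog rules join.
NOVA_SERVERS = [  # nova:servers(id, name)
    ("s-1", "web-01"),
    ("s-2", "db-01"),
    ("s-3", "batch-01"),
]
CINDER_ATTACHMENTS = [  # cinder:attachments(volume_id, server_id)
    ("v-10", "s-1"),
    ("v-11", "s-2"),
    ("v-12", "s-3"),
    ("v-13", "s-3"),
]
CINDER_VOLUMES = [  # cinder:volumes(id, name, encrypted)
    ("v-10", "web-data", False),
    ("v-11", "db-data", True),
    ("v-12", "scratch", False),
    ("v-13", "logs", False),
]
# Assumed output of the SecurityGroups policy's unprotected_servers(server_id).
UNPROTECTED_SERVERS = {"s-3"}

Row = Tuple[str, str, str, str]  # (server_id, server_name, volume_id, volume_name)


def servers_with_unencrypted_volume() -> List[Row]:
    """Join nova:servers, cinder:attachments and cinder:volumes, keeping only
    attachments whose volume has encrypted=False (first rule of the policy)."""
    volumes = {vid: (vname, enc) for vid, vname, enc in CINDER_VOLUMES}
    servers = dict(NOVA_SERVERS)
    out: List[Row] = []
    for volume_id, server_id in CINDER_ATTACHMENTS:
        if server_id not in servers or volume_id not in volumes:
            continue  # unmatched join key: Datalog produces no tuple
        volume_name, encrypted = volumes[volume_id]
        if encrypted is False:
            out.append((server_id, servers[server_id], volume_id, volume_name))
    return out


def warning() -> List[Row]:
    """warning() is exactly servers_with_unencrypted_volume()."""
    return servers_with_unencrypted_volume()


def error() -> List[Row]:
    """error() keeps only rows whose server is also in unprotected_servers."""
    return [r for r in warning() if r[0] in UNPROTECTED_SERVERS]
```

With these rows, web-01 and batch-01 appear in warning(), and only batch-01 (two unencrypted volumes, no protected security group) appears in error(); db-01 is absent because its volume is encrypted.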

The latest collection of library policies can be found here: https://github.com/openstack/congress/tree/master/library

To import a library policy YAML file into Congress, use the following CLI command (requires python-congressclient version 1.8.0 or higher, https://pypi.org/project/python-congressclient/):

$ openstack congress policy create-from-file <path-to-policy-yaml>