From 04326de232c99342668d12ff1976808c04c529a0 Mon Sep 17 00:00:00 2001 From: kcarmich Date: Thu, 2 Oct 2025 11:35:25 -0400 Subject: [PATCH] Updates to policy after 4.9 gui changes --- ...dd-logical-conditions-policy-criteria.adoc | 4 +- ...-policy-enforcement-creating-policies.adoc | 16 +- modules/configure-policy-rules.adoc | 13 +- modules/configure-policy-scope.adoc | 9 +- modules/create-new-system-policy.adoc | 2 +- modules/enable-policy.adoc | 14 + modules/enter-policy-details.adoc | 6 +- .../modify-existing-security-policies.adoc | 2 +- modules/policy-criteria.adoc | 504 +++++++++++------- modules/preview-policy-violations.adoc | 6 +- modules/select-policy-lifecycle.adoc | 16 +- modules/selecting-policy-notifiers.adoc | 4 +- modules/violation-view-policy-tab.adoc | 2 +- .../custom-security-policies.adoc | 13 + .../security-policy-reference.adoc | 17 +- 15 files changed, 383 insertions(+), 245 deletions(-) create mode 100644 modules/enable-policy.adoc diff --git a/modules/add-logical-conditions-policy-criteria.adoc b/modules/add-logical-conditions-policy-criteria.adoc index 07aaf9790380..e75fe9def98a 100644 --- a/modules/add-logical-conditions-policy-criteria.adoc +++ b/modules/add-logical-conditions-policy-criteria.adoc 
@@ -16,8 +16,8 @@ You can expand and collapse these categories to view the policy criteria attribu . Drag an attribute to the *Drop a policy field inside* area of the policy section. . Depending on the type of the attribute you select, you get different options to configure the conditions for the selected attribute. For example: -** If you select an attribute with Boolean values `Read-Only Root Filesystem`, you will see `READ-ONLY` and `WRITABLE` options. -** If you select an attribute with compound values `Environment variable`, you will see options to enter values for `Key`, `Value`, and `Value From` fields, and an icon to add more values for the available options. +** If you select an attribute with Boolean values, such as `Read-Only Root Filesystem`, you will see `READ-ONLY` and `WRITABLE` options. +** If you select an attribute with compound values, such as `Environment variable`, you will see options to enter values for `Key`, `Value`, and `Value From` fields, and an icon to add more values for the available options. .. To combine multiple values for an attribute, click the *Add* icon. .. You can also click on the logical operator `AND` or `OR` listed in a policy section, to toggle between `AND` and `OR` operators. Toggling between operators only works inside a policy section and not between two different policy sections. diff --git a/modules/configure-policy-enforcement-creating-policies.adoc b/modules/configure-policy-enforcement-creating-policies.adoc index a68206713a59..d2b5d0119f22 100644 --- a/modules/configure-policy-enforcement-creating-policies.adoc +++ b/modules/configure-policy-enforcement-creating-policies.adoc 
@@ -12,17 +12,17 @@ You can configure if {product-title-short} should only inform you with a notific . Select an enforcement method: * *Inform*: Include the violation in the violations list. -* *Inform and enforce*: enforce actions. If you select this option, you must select the enforcement behavior for the policy by using the toggle for each lifecycle. -The enforcement behavior you can select depends on the lifecycle stages you selected for the policy in the *Lifecycle* section of the policy definition. -The following enforcement behaviors are available depending on the lifecycle stage: -* *Build*: {product-title-short} fails your continuous integration (CI) builds when images match the criteria of the policy. -* *Deploy*: For the *Deploy* stage, {product-title-short} blocks the creation and update of deployments that match the conditions of the policy if the {product-title-short} admission controller is configured and running. +* *Inform and enforce*: Include the violation in the violation list and enforce actions that you have configured. If you select this option, you must select the enforcement behavior for the policy by using the toggle for the appropriate lifecycles. +. If you choose to enforce the policy, configure the enforcement behavior. The enforcement behavior you can select depends on the lifecycle stages you selected for the policy in the *Lifecycle* section of the policy definition. The following enforcement behaviors are available depending on the lifecycle stage: +* *Build*: Select *Enforce on Build* to have {product-title-short} fail your continuous integration (CI) builds when images match the criteria of the policy. You can download the `roxctl` CLI and configure the `roxctl image check` command to work with the policy. +* *Deploy*: Select *Enforce on Deploy* to have {product-title-short} block workload admission and updates that match the conditions of the policy if the {product-title-short} admission controller is configured and running. 
** In clusters with admission controller enforcement, the Kubernetes or {ocp} API server blocks all noncompliant deployments. In other clusters, {product-title-short} edits noncompliant deployments to prevent pods from being scheduled. -** For existing deployments, policy changes only result in enforcement at the next detection of the criteria, when a Kubernetes event occurs. For more information about enforcement, see "Security policy enforcement for the deploy stage". -* *Runtime*: {product-title-short} deletes all pods when an event in the pods matches the criteria of the policy. +** For existing deployments, policy changes only result in enforcement at the next detection of the criteria, when a Kubernetes event occurs. For more information about enforcement, see "Deploy stage enforcement". +* *Runtime*: Select *Enforce on Runtime* to have {product-title-short} delete all pods when an event in the pods matches the criteria of the policy. + [WARNING] ==== Policy enforcement can impact running applications or development processes. Before you enable enforcement options, inform all stakeholders and plan how to respond to automated enforcement actions. -==== \ No newline at end of file +==== +. Click *Next*. \ No newline at end of file diff --git a/modules/configure-policy-rules.adoc b/modules/configure-policy-rules.adoc index f63f0b364bfa..e8a90c1d5da4 100644 --- a/modules/configure-policy-rules.adoc +++ b/modules/configure-policy-rules.adoc 
@@ -11,25 +11,24 @@ You can use policy fields, or criteria, to create rules for your policies. .Procedure -To create a policy rule: - -. In the *Rules* section, configure the conditions that you want to trigger the policy. You can edit the rule titles and click *Add a new rule* to add an additional rule. +. In the *Rules* section, configure the conditions that you want to trigger the policy. You can edit the rule titles; for example, you can change `Rule 1` to something more descriptive. . For each rule, click and drag policy fields into the *Policy Section* to add policy fields or criteria. + [NOTE] ==== -The policy fields that are available depend on the lifecycle stage you chose for the policy. For example, criteria under *Kubernetes access policies* or *Networking* are available when creating a policy for the runtime lifecycle, but not when creating a policy for the build lifecycle. See "Policy criteria" in the "Additional resources" section for more information about policy criteria, including information about criteria and the lifecycle phase in which they are available. +The policy fields that are available depend on the lifecycle stage you chose for the policy. For example, criteria under *Networking* or *Workload activity* are available when creating a policy for the runtime lifecycle, but not when creating a policy for the build lifecycle. For more information about policy criteria, including information about criteria and the lifecycle phase in which they are available, see "Policy criteria". ==== . For each field, you can select from options that are specific to the field. These differ depending on the type of field. For example: * The default behavior for a value that is a string is to match on a policy field, and you click *Not* to indicate when you do not want the field to match. * Some fields contain a value that is either `true` or `false`. * Some fields require you to select a value from a drop-down list. 
-* If you select an attribute with Boolean values `Read-Only Root Filesystem`, the `READ-ONLY` and `WRITABLE` options are available. -* If you select an attribute with compound values `Environment variable`, you can enter values for the `Key`, `Value`, and `Value From` fields, and click the icon to add more values for the available options. +* If you select an attribute with Boolean values, such as `Read-Only Root Filesystem`, the `READ-ONLY` and `WRITABLE` options are available. +* If you select an attribute with compound values, such as `Environment variable`, you can enter values for the `Key`, `Value`, and `Value From` fields, and then click the icon to add more values for the available options. + [NOTE] ==== -See "Policy criteria" in the "Additional resources" section for more information. +For more information about values available for policy criteria, see "Policy criteria". ==== . To combine multiple values for an attribute, click the *Add* icon. +. Optional: Click *Add a new rule* to add an additional rule. . Click *Next*. \ No newline at end of file diff --git a/modules/configure-policy-scope.adoc b/modules/configure-policy-scope.adoc index c0f08bc6e291..230bafc476c2 100644 --- a/modules/configure-policy-scope.adoc +++ b/modules/configure-policy-scope.adoc 
@@ -10,19 +10,20 @@ You can define the scope of a policy to restrict or allow the policy for certain .Procedure -. To restrict by scope, click *Add inclusion scope*. This enables this policy to only be applied for a specific cluster, a namespace, or a deployment label. +. Configure any of the following options: +* *Restrict by scope*: This enables this policy to only be applied for a specific cluster, a namespace, or a deployment label. You can add multiple scopes and also use regular expressions in link:https://github.com/google/re2/wiki/Syntax[RE2 Syntax] for namespaces and labels. -. To exclude by scope, for example, to exclude specific deployments, clusters, namespaces, and deployment labels from the policy, click *Add exclusion scope*. The policy will not apply to the entities that you select. You can add multiple scopes and also use regular expressions in link:https://github.com/google/re2/wiki/Syntax[RE2 Syntax] for namespaces and labels. However, you cannot use regular expressions for selecting deployments. +* *Exclude by scope*: Excludes specific deployments, clusters, namespaces, and deployment labels from the policy. The policy will not apply to the entities that you select. You can add multiple scopes and also use regular expressions in link:https://github.com/google/re2/wiki/Syntax[RE2 Syntax] for namespaces and labels. However, you cannot use regular expressions for selecting deployments. + [NOTE] ==== This function is only available for policies configured for the deploy and runtime lifecycle stages. ==== -. For policies configured for the build lifecycle stage, you can exclude images from the policy. In the *Exclude images (Build lifecycle only)* field, enter the images that you do not want to trigger a violation for. +* *Exclude images*: For policies configured for the build lifecycle stage, you can exclude images from the policy. Select the images for which you do not want to trigger a violation. 
+ [NOTE] ==== -The *Excluded Images* setting only applies when you check images in a continuous integration system with the *Build* lifecycle stage. +The *Excluded Images* setting only applies when you check images in a continuous integration system with the *Build* lifecycle stage. It does not have any effect if you use this policy to check running deployments in the *Deploy* lifecycle stage or runtime activities in the *Runtime* lifecycle stage. ==== . Click *Next*. \ No newline at end of file diff --git a/modules/create-new-system-policy.adoc b/modules/create-new-system-policy.adoc index b3938a62cd53..2b98503fcdc2 100644 --- a/modules/create-new-system-policy.adoc +++ b/modules/create-new-system-policy.adoc @@ -60,7 +60,7 @@ The enforcement behavior is different for each lifecycle stage. * For the *Build* stage, {product-title-short} fails your CI builds when images match the conditions of the policy. * For the *Deploy* stage, {product-title-short} blocks the creation and update of deployments that match the conditions of the policy if the {product-title-short} admission controller is configured and running. ** In clusters with admission controller enforcement, the Kubernetes or {ocp} API server blocks all noncompliant deployments. In other clusters, {product-title-short} edits noncompliant deployments to prevent pods from being scheduled. -** For existing deployments, policy changes only result in enforcement at the next detection of the criteria, when a Kubernetes event occurs. For more information about enforcement, see "Security policy enforcement for the deploy stage". +** For existing deployments, policy changes only result in enforcement at the next detection of the criteria, when a Kubernetes event occurs. For more information about enforcement, see "Deploy stage enforcement". * For the *Runtime* stage, {product-title-short} stops all pods that match the conditions of the policy. ==== + 
diff --git a/modules/enable-policy.adoc b/modules/enable-policy.adoc new file mode 100644 index 000000000000..0717113d2f7a --- /dev/null +++ b/modules/enable-policy.adoc @@ -0,0 +1,14 @@ +// Module included in the following assemblies: +// +// * operating/manage_security_policies/custom-security-policies.adoc +:_mod-docs-content-type: PROCEDURE +[id="enable-policy_{context}"] += Enable the policy + +[role="_abstract"] +Enable or disable the policy. + +.Procedure + +. Select *Enable* make the policy active, or *Disable* to disable it. +. Click *Next*. \ No newline at end of file diff --git a/modules/enter-policy-details.adoc b/modules/enter-policy-details.adoc index d512b95a3235..92fac1317213 100644 --- a/modules/enter-policy-details.adoc +++ b/modules/enter-policy-details.adoc @@ -6,13 +6,13 @@ = Entering policy details [role="_abstract"] -Enter details about your policy, such as the name, severity, description, and guidance to resolve violations of the policy. +Enter details about your policy, such as the name, severity, description, and guidance to resolve violations of the policy. Required fields are marked with an asterisk. .Procedure -. Enter a *Name* for the policy. +. Enter a *Name* for the policy. A policy must have a name between 5 and 128 characters, and cannot contain new lines or dollar signs. . Select a *Severity* level for this policy. -. Select a policy category for the policy. This is a required field. +. Select a policy category for the policy from the *Categories* list. . Enter details about the policy in the *Description* field. . Enter an explanation about why the policy exists in the *Rationale* field. . Enter steps to resolve violations of this policy in the *Guidance* field. diff --git a/modules/modify-existing-security-policies.adoc b/modules/modify-existing-security-policies.adoc index 2eb5ddcc071c..8da9b20b22ad 100644 --- a/modules/modify-existing-security-policies.adoc +++ b/modules/modify-existing-security-policies.adoc 
@@ -15,6 +15,6 @@ You can edit the policies you have created and the existing default policies pro + [NOTE] ==== -You cannot edit default policies. You must clone a default policy and edit the cloned policy. +You cannot edit certain fields of default system policies. To make changes to a default policy, clone the policy and edit the copy. ==== . Edit the fields that you want to change and click *Save*. diff --git a/modules/policy-criteria.adoc b/modules/policy-criteria.adoc index a7b45270cb3d..d1971417b90e 100644 --- a/modules/policy-criteria.adoc +++ b/modules/policy-criteria.adoc @@ -1,7 +1,7 @@ // Module included in the following assemblies: // // * operating/manage_security_policies/about-security-policies.adoc -:_mod-docs-content-type: CONCEPT +:_mod-docs-content-type: REFERENCE [id="policy-criteria_{context}"] = Policy criteria @@ -26,17 +26,20 @@ In this table: ** Boolean values `true` and `false` ** Numeric values that already use comparison, such as the `<`, `>`, `+<=+`, `>=` operators. ** Compound criteria that can have multiple values, for example: -*** *Dockerfile Line*, which includes both instructions and arguments. -*** *Environment Variable*, which consists of both name and value. -** Other meanings, including *Add Capabilities*, *Drop Capabilities*, *Days since image was created*, and *Days since image was last scanned*. +*** *Dockerfile line*, which includes both instructions and arguments. +*** *Environment variable*, which consists of both name and value. +** Other meanings, including *Add capabilities*, *Drop capabilities*, *Days since image was created*, and *Days since image was last scanned*. + +[id="reference-image-criteria_{context}"] +== Image criteria + +Image registry:: [cols="<,<,<,<,^,<"] |=== | *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* -6+| *Section: Image registry* - -| Image Registry +| Image registry | The name of the image registry. | Image Registry | String 
@@ -78,58 +81,62 @@ AND, OR *Deploy*, + *Runtime* (when used with a Runtime criterion) +|=== -6+| *Section: Image contents* +Image contents:: -| The Common Vulnerabilities and Exposures (CVE) is fixable -| This criterion results in a violation only if the image in the deployment you are evaluating has a fixable CVE. -| Fixable -| Boolean -| ✕ -| *Build*, + -*Deploy*, + -*Runtime* (when used with a Runtime criterion) +[cols="<,<,<,<,^,<"] +|=== +| *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* -| Days Since CVE Was First Discovered In Image -| This criterion results in a violation only if it has been more than a specified number of days since {product-title-short} discovered the CVE in a specific image. -| Days Since CVE Was First Discovered In Image +| Image age +| The minimum number of days from image creation date. +| Image Age | Integer | ✕ | *Build*, + *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Days Since CVE Was First Discovered In System -| This criterion results in a violation only if it has been more than a specified number of days since {product-title-short} discovered the CVE across all deployed images in all clusters that {product-title-short} monitors. -| Days Since CVE Was First Discovered In System -| Integer -| ✕ +| Image user +| Matches the USER directive in the Dockerfile. See https://docs.docker.com/engine/reference/builder/#user for details +. +| Image User +| String +| Regex, + +NOT, + +AND, OR | *Build*, + *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Image age -| The minimum number of days from image creation date. -| Image Age -| Integer -| ✕ +| Dockerfile line +| A specific line in the Dockerfile, including both instructions and arguments. +| Dockerfile Line +| One of: LABEL, RUN, CMD, EXPOSE, ENV, ADD, COPY, ENTRYPOINT, VOLUME, USER, WORKDIR, ONBUILD +| ! 
Regex only for values, + +AND, OR | *Build*, + *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Image scan age -| The minimum number of days since the image was last scanned. -| Image Scan Age -| Integer -| ✕ +| Image component +| Name and version number of a specific software component present in an image. +| Image Component +| key=value + + +Value is optional. + + +If value is missing, it must be in format "key=". +| Regex, + +AND, OR | *Build*, + *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Image User -| Matches the USER directive in the Dockerfile. See https://docs.docker.com/engine/reference/builder/#user for details -. -| Image User +| Image OS +| Name and version number of the base operating system of the image. For example, `alpine:3.17.3` +| Image OS | String | Regex, + NOT, + 
@@ -138,16 +145,51 @@ AND, OR *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Dockerfile Line -| A specific line in the Dockerfile, including both instructions and arguments. -| Dockerfile Line -| One of: LABEL, RUN, CMD, EXPOSE, ENV, ADD, COPY, ENTRYPOINT, VOLUME, USER, WORKDIR, ONBUILD -| ! Regex only for values, + +| Require image label +| Ensure the presence of a Docker image label. The policy triggers if any image in the deployment does not have the specified label. You can use regular expressions for both key and value fields to match labels. The `Require Image Label` policy criteria only works when you integrate with a Docker registry. For details about Docker labels see Docker documentation, https://docs.docker.com/config/labels-custom-metadata/. +| Required Image Label +| key=value + + +Value is optional. + + +If value is missing, it must be in format "key=". +| Regex, + +AND, OR +| *Build*, + +*Deploy*, + +*Runtime* (when used with a Runtime criterion) + +| Disallow image label +| Ensure that a particular Docker image label is NOT used. The policy triggers if any image in the deployment has the specified label. You can use regular expressions for both key and value fields to match labels. The 'Disallow Image Label policy' criteria only works when you integrate with a Docker registry. For details about Docker labels see Docker documentation, https://docs.docker.com/config/labels-custom-metadata/. +| Disallowed Image Label +| key=value + + +Value is optional. + + +If value is missing, it must be in format "key=". +| Regex, + AND, OR | *Build*, + *Deploy*, + *Runtime* (when used with a Runtime criterion) +|=== + +Image scanning:: + +[cols="<,<,<,<,^,<"] +|=== +| *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* + +| Image scan age +| The minimum number of days since the image was last scanned. 
+| Image Scan Age +| Integer +| ✕ +| *Build*, + +*Deploy*, + +*Runtime* (when used with a Runtime criterion) + | Image scan status | Check if an image was scanned. | Unscanned Image @@ -174,6 +216,23 @@ Examples: + *Deploy*, + *Runtime* (when used with a Runtime criterion) +| National Vulnerability Database (NVD) CVSS +| Requires Scanner V4. NVD CVSS: Use it to match images with vulnerabilities reported by NVD whose scores are greater than `>`, less than `<`, or equal to `=` the specified CVSS. +| CVSS +| <, >, \<=, >= or nothing (which implies equal to) + + +-- and -- + + +a decimal (a number with an optional fractional value). + + +Examples: + +>=5, or + +9.5 +| AND, OR +| *Build*, + +*Deploy*, + +*Runtime* (when used with a Runtime criterion) + | Severity | The severity of the vulnerability based on the CVSS or the vendor. Can be one of Low, Moderate, Important or Critical. | Severity @@ -196,7 +255,16 @@ CRITICAL *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Fixed By +| Fixable +| This criterion results in a violation only if the image in the deployment you are evaluating has a fixable CVE. +| Fixable +| Boolean +| ✕ +| *Build*, + +*Deploy*, + +*Runtime* (when used with a Runtime criterion) + +| Fixed by | The version string of a package that fixes a flagged vulnerability in an image. This criterion may be used in addition to other criteria that identify a vulnerability, for example using the CVE criterion. | Fixed By | String 
@@ -218,62 +286,45 @@ AND, OR *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Image Component -| Name and version number of a specific software component present in an image. -| Image Component -| key=value + - -Value is optional. + - -If value is missing, it must be in format "key=". -| Regex, + -AND, OR +| Days since CVE was published +| This criterion results in a violation only if it has been more than a specified number of days since {product-title-short} was first published. +| Days Since CVE Was First Published +| Integer +| ✕ | *Build*, + *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Image OS -| Name and version number of the base operating system of the image. For example, `alpine:3.17.3` -| Image OS -| String -| Regex, + -NOT, + -AND, OR + +| Days since CVE was first discovered in image +| This criterion results in a violation only if it has been more than a specified number of days since {product-title-short} discovered the CVE in a specific image. +| Days Since CVE Was First Discovered In Image +| Integer +| ✕ | *Build*, + *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Require image label -| Ensure the presence of a Docker image label. The policy triggers if any image in the deployment does not have the specified label. You can use regular expressions for both key and value fields to match labels. The `Require Image Label` policy criteria only works when you integrate with a Docker registry. For details about Docker labels see Docker documentation, https://docs.docker.com/config/labels-custom-metadata/. -| Required Image Label -| key=value + - -Value is optional. + - -If value is missing, it must be in format "key=". -| Regex, + -AND, OR +| Days since CVE was first discovered in system +| This criterion results in a violation only if it has been more than a specified number of days since {product-title-short} discovered the CVE across all deployed images in all clusters that {product-title-short} monitors. 
+| Days Since CVE Was First Discovered In System +| Integer +| ✕ | *Build*, + *Deploy*, + *Runtime* (when used with a Runtime criterion) +|=== -| Disallow image label -| Ensure that a particular Docker image label is NOT used. The policy triggers if any image in the deployment has the specified label. You can use regular expressions for both key and value fields to match labels. The 'Disallow Image Label policy' criteria only works when you integrate with a Docker registry. For details about Docker labels see Docker documentation, https://docs.docker.com/config/labels-custom-metadata/. -| Disallowed Image Label -| key=value + - -Value is optional. + +[id="workload-config-criteria_{context}"] +== Workload configuration criteria -If value is missing, it must be in format "key=". -| Regex, + -AND, OR -| *Build*, + -*Deploy*, + -*Runtime* (when used with a Runtime criterion) +Container configuration:: -6+| *Section: Container configuration* +[cols="<,<,<,<,^,<"] +|=== +| *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* -| Environment Variable +| Environment variable | Check environment variables by name or value. When you create a policy that includes the environment variable attribute, you can choose which types of environment variables the policy should match. For example, you can specify raw values, which are provided directly in the deployment YAML, or you can specify references to values from config maps, secrets, fields, or resource requests or limits. For any type other than a raw value specified directly in the deployment YAML, the corresponding `value` attribute of the policy rule is ignored. In this case, the policy match is evaluated on the existence of the specified environment variable type. Additionally, this criteria disallows the creation of policies with a non-empty `value` attribute for types other than raw values. 
@@ -294,7 +345,6 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Container CPU Request | Check for the number of cores reserved for a given resource. | Container CPU Request @@ -311,8 +361,7 @@ Examples: + | *Deploy*, + *Runtime* (when used with a Runtime criterion) - -| Container CPU Limit +| Container CPU limit | Check for the maximum number of cores a resource is allowed to use. | Container CPU Limit | (Same as Container CPU Request) @@ -320,7 +369,6 @@ Examples: + | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Container Memory Request | Number, including fraction, of MB requested. // Do we convert the K8s resource into MB (including convert MiB to MB) ? If so, the documentation should explain this conversion . @@ -330,7 +378,6 @@ Examples: + | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Container Memory Limit | Check for the maximum amount of memory a resource is allowed to use. | Container Memory Limit @@ -339,7 +386,6 @@ Examples: + | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Privileged container | Check if a deployment is configured in privileged mode. This criterion only checks the value of the `privileged` field in the respective link:https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core[Pod Security Context]. | Privileged Container @@ -348,7 +394,6 @@ Examples: + | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Root filesystem writeability | Check if a deployment is configured in the `readOnlyFilesystem` mode. | Read-Only Root Filesystem 
@@ -357,7 +402,6 @@ Examples: + | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Seccomp Profile Type | The type of `seccomp` profile defined for the deployment. If `seccomp` options are provided at both the pod and container level, the container options override the pod options. See link:https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1[Security Context]. | Seccomp Profile Type @@ -370,7 +414,6 @@ LOCALHOST | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Privilege escalation | Provides alerts when a deployment allows a container process to gain more privileges than its parent process. | Allow Privilege Escalation @@ -379,7 +422,6 @@ LOCALHOST | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Drop Capabilities | Linux capabilities that must be dropped from the container. Provides alerts when the specified capabilities are not dropped. For example, if configured with `SYS_ADMIN` AND `SYS_BOOT`, and the deployment drops only _one_ or _neither_ of these two capabilities, the alert occurs. @@ -430,7 +472,6 @@ WAKE_ALARM + | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Add Capabilities | Linux capabilities that must not be added to the container, such as the ability to send raw packets or override file permissions. Provides alerts when the specified capabilities are added. For example, if configured with `NET_ADMIN` or `NET_RAW`, and the deployment manifest YAML file includes at least one of these two capabilities, the alert occurs. | Add Capabilities @@ -476,7 +517,6 @@ WAKE_ALARM + | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Container Name | The name of the container. | Container Name @@ -487,7 +527,6 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | AppArmor Profile | The Application Armor ("AppArmor") profile used in the container. | AppArmor Profile 
@@ -498,7 +537,6 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Liveness Probe | Whether the container defines a liveness probe. | Liveness Probe @@ -507,7 +545,6 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) - | Readiness Probe | Whether the container defines a readiness probe. | Readiness Probe @@ -515,11 +552,15 @@ AND, OR | ✕ | *Deploy*, + *Runtime* (when used with a Runtime criterion) +|=== +Deployment metadata:: -6+| *Section: Deployment metadata* +[cols="<,<,<,<,^,<"] +|=== +| *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* -| Disallowed Annotation +| Disallowed annotation | An annotation which is not allowed to be present on Kubernetes resources in a specified environment. | Disallowed Annotation | key=value + @@ -532,7 +573,7 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Required Label +| Required label | Check for the presence of a required label in Kubernetes. | Required Label | key=value + @@ -545,7 +586,7 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Required Annotation +| Required annotation | Check for the presence of a required annotation in Kubernetes. | Required Annotation | key=value + @@ -558,7 +599,7 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Runtime Class +| Runtime class | The `RuntimeClass` of the deployment. | Runtime Class | String @@ -568,7 +609,7 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Host Network +| Host network | Check if `HostNetwork` is enabled which means that the container is not placed inside a separate network stack (for example, the container's networking is not containerized). This implies that the container has full access to the host's network interfaces. | Host Network | Boolean 
@@ -618,10 +659,15 @@ Examples: + AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) +|=== -6+| *Section: Storage* +Storage:: -| Volume Name +[cols="<,<,<,<,^,<"] +|=== +| *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* + +| Volume name | Name of the storage. | Volume Name | String @@ -631,8 +677,8 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Volume Source -| Indicates the form in which the volume is provisioned. For example, `persistentVolumeClaim` or `hostPath`. +| Volume source path +| The volume's path on the host. | Volume Source | String | Regex, + @@ -641,7 +687,7 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Volume Destination +| Volume destination path | The path where the volume is mounted. | Volume Destination | String @@ -651,8 +697,8 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Volume Type -| The type of volume. +| Volume type +| Indicates the form in which the volume is provisioned. For example, `persistentVolumeClaim` or `hostPath`. | Volume Type | String | Regex, + @@ -669,7 +715,7 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Mount Propagation +| Mount propagation | Check if container is mounting volumes in `Bidirectional`, `Host to Container`, or `None` modes. | Mount Propagation | One of: + @@ -692,8 +738,8 @@ AND, OR 6+| *Section: Networking* -| Protocol -| Protocol, such as, TCP or UDP, that is used by the exposed port. +| Exposed port protocol +| Protocol, such as TCP or UDP, that is used by the exposed port. | Exposed Port Protocol | String | Regex, + 
@@ -702,7 +748,16 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Port +| Exposed node port +| Port numbers exposed externally by a deployment. +| Exposed Node Port +| (Same as Exposed Port) +| NOT, + +AND, OR +| *Deploy*, + +*Runtime* (when used with a Runtime criterion) + +| Exposed port | Port numbers exposed by a deployment. | Exposed Port | <, >, <=, >= or nothing (which implies equal to) + @@ -719,16 +774,7 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Exposed Node Port -| Port numbers exposed externally by a deployment. -| Exposed Node Port -| (Same as Exposed Port) -| NOT, + -AND, OR -| *Deploy*, + -*Runtime* (when used with a Runtime criterion) - -| Port Exposure +| Port exposure method | Exposure method of the service, for example, load balancer or node port. | Port Exposure Method | One of: + @@ -743,14 +789,7 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Unexpected Network Flow Detected -| Check if the detected network traffic is part of the network baseline for the deployment. -| Unexpected Network Flow Detected -| Boolean -| ✕ -| *Runtime* ONLY - Network - -| Ingress Network Policy +| Ingress network policy | Check the presence or absence of ingress Kubernetes network policies. | Has Ingress Network Policy | Boolean @@ -759,7 +798,7 @@ AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) -| Egress Network Policy +| Egress network policy | Check the presence or absence of egress Kubernetes network policies. | Has Egress Network Policy | Boolean 
@@ -767,8 +806,55 @@ AND, OR AND, OR | *Deploy*, + *Runtime* (when used with a Runtime criterion) +|=== + +Access control:: -6+| *Section: Process activity* +[cols="<,<,<,<,^,<"] +|=== +| *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* + +| Service account +| The name of the service account. +| Service Account +| String +| Regex, + +NOT, + +AND, OR +| *Deploy*, + +*Runtime* (when used with a Runtime criterion) + +| Automount service account token +| Check if the deployment configuration automatically mounts the service account token. +| Automount Service Account Token +| Boolean +| ✕ +| *Deploy*, + +*Runtime* (when used with a Runtime criterion) + +| Minimum RBAC permissions +| Match if the deployment's Kubernetes service account has Kubernetes RBAC permission level equal to `=` or greater than `>` the specified level. +| Minimum RBAC Permissions +| One of: + + +DEFAULT + +ELEVATED_IN_NAMESPACE + +ELEVATED_CLUSTER_WIDE + +CLUSTER_ADMIN +| NOT +| *Deploy*, + +*Runtime* (when used with a Runtime criterion) + +|=== + +[id="reference-workload-activity-criteria_{context}"] +== Workload activity criteria + +Process activity:: + +[cols="<,<,<,<,^,<"] +|=== +| *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* | Process Name | Name of the process executed in a deployment. @@ -779,7 +865,7 @@ NOT, + AND, OR | *Runtime* ONLY - Process -| Process Ancestor +| Process ancestor | Name of any parent process for a process executed in a deployment. | Process Ancestor | String @@ -788,7 +874,7 @@ NOT, + AND, OR | *Runtime* ONLY - Process -| Process Arguments +| Process arguments | Command arguments for a process executed in a deployment. | Process Arguments | String 
@@ -805,49 +891,37 @@ AND, OR AND, OR | *Runtime* ONLY - Process -| Unexpected Process Executed -| Check deployments for which process executions are not listed in the deployment's locked process baseline. -| Unexpected Process Executed -| Boolean -| ✕ -| *Runtime* ONLY - Process +|=== -6+| *Section: Kubernetes access* +Baseline deviation:: -| Service Account -| The name of the service account. -| Service Account -| String -| Regex, + -NOT, + -AND, OR -| *Deploy*, + -*Runtime* (when used with a Runtime criterion) +[cols="<,<,<,<,^,<"] +|=== +| *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* -| Automount Service Account Token -| Check if the deployment configuration automatically mounts the service account token. -| Automount Service Account Token +| Unexpected network flow detected +| Check if the detected network traffic is part of the network baseline for the deployment. +| Unexpected Network Flow Detected | Boolean | ✕ -| *Deploy*, + -*Runtime* (when used with a Runtime criterion) +| *Runtime* ONLY - Network -| Minimum RBAC Permissions -| Match if the deployment's Kubernetes service account has Kubernetes RBAC permission level equal to `=` or greater than `>` the specified level. -| Minimum RBAC Permissions -| One of: + +| Unexpected process executed +| Check deployments for which process executions are not listed in the deployment's locked process baseline. +| Unexpected Process Executed +| Boolean +| ✕ +| *Runtime* ONLY - Process -DEFAULT + -ELEVATED_IN_NAMESPACE + -ELEVATED_CLUSTER_WIDE + -CLUSTER_ADMIN -| NOT -| *Deploy*, + -*Runtime* (when used with a Runtime criterion) +|=== + +User issued container commands:: -6+| *Section: Kubernetes events* +[cols="<,<,<,<,^,<"] +|=== +| *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* -| Kubernetes Action +| Kubernetes action | The name of the Kubernetes action, such as `Pod Exec`. 
| Kubernetes Resource | One of: + @@ -857,7 +931,14 @@ PODS_PORTFORWARD + | ! `OR` only | *Runtime* ONLY - Kubernetes Events -| Kubernetes User Name +| Kubernetes API verb +| Do not use; not valid for runtime policies. +| Kubernetes API Verb +| N/A +| N/A +| N/A + +| Kubernetes user name | The name of the user who accessed the resource. | Kubernetes User Name | Alphanumeric with hyphens (-) and colon (:) only @@ -866,7 +947,7 @@ NOT, + ! `OR` only | *Runtime* ONLY - Kubernetes Events -| Kubernetes User Group +| Kubernetes user group | The name of the group to which the user who accessed the resource belongs to. | Kubernetes User Groups | Alphanumeric with hyphens (-) and colon (:) only @@ -875,23 +956,18 @@ NOT, + ! `OR` only | *Runtime* ONLY - Kubernetes Events -| Kubernetes Resource Type -| Type of the accessed Kubernetes resource. -| Kubernetes Resource -| One of: + +|=== -Config maps + -Secrets + -ClusterRoles + -ClusterRoleBindings + -NetworkPolicies + -SecurityContextConstraints + -EgressFirewalls +[id="kube-resource-operations_{context}"] +== Audit log: Kubernetes resource operations -| ! `OR` only -| *Runtime* ONLY - Audit Log +Resource operation (Required):: -| Kubernetes API Verb +[cols="<,<,<,<,^,<"] +|=== +| *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* + +| Kubernetes API verb | The Kubernetes API verb that is used to access the resource, such as `GET` or `POST`. | Kubernetes API Verb | One of: + 
@@ -904,7 +980,31 @@ UPDATE + | ! `OR` only | *Runtime* ONLY - Audit Log -| Kubernetes Resource Name +| Kubernetes Resource Type +| Type of the accessed Kubernetes resource. +| Kubernetes Resource +| One of: + + +CONFIGMAPS + +SECRETS + +CLUSTERROLES + +CLUSTERROLEBINDINGS + +NETWORKPOLICIES + +SECURITYCONTEXTCONSTRAINTS + +EGRESSFIREWALLS + +| ! `OR` only +| *Runtime* ONLY - Audit Log + +|=== + +Resource attributes:: + +[cols="<,<,<,<,^,<"] +|=== +| *Attribute* | *Description* | *JSON Attribute* | *Allowed Values* | *Regex*, *NOT*, *AND, OR* | *Phase* + +| Kubernetes resource name | The name of the accessed Kubernetes resource. | Kubernetes Resource Name | Alphanumeric with hyphens (-) and colon (:) only @@ -913,7 +1013,25 @@ NOT, + ! `OR` only | *Runtime* ONLY - Audit Log -| User Agent +| Kubernetes user name +| The name of the user who accessed the resource. +| Kubernetes User Name +| Alphanumeric with hyphens (-) and colon (:) only +| Regex, + +NOT, + +! `OR` only +| *Runtime* ONLY - Kubernetes Events + +| Kubernetes user groups +| The name of the group to which the user who accessed the resource belongs to. +| Kubernetes User Groups +| Alphanumeric with hyphens (-) and colon (:) only +| Regex, + +NOT, + +! `OR` only +| *Runtime* ONLY - Kubernetes Events + +| User agent | The user agent that the user used to access the resource. For example `oc`, or `kubectl`. | User Agent @@ -923,7 +1041,7 @@ NOT, + ! `OR` only | *Runtime* ONLY - Audit Log -| Source IP Address +| Source IP address | The IP address from which the user accessed the resource. | Source IP Address | IPV4 or IPV6 address @@ -932,7 +1050,7 @@ NOT, + ! `OR` only | *Runtime* ONLY - Audit Log -| Is Impersonated User +| Is impersonated user | Check if the request was made by a user that is impersonated by a service account or some other account. | Is Impersonated User | Boolean 
diff --git a/modules/preview-policy-violations.adoc b/modules/preview-policy-violations.adoc index 671426f6ac74..e2b4a97921b2 100644 --- a/modules/preview-policy-violations.adoc +++ b/modules/preview-policy-violations.adoc @@ -6,16 +6,16 @@ = Reviewing the policy and previewing violations [role="_abstract"] -When creating a policy, {product-title-short} provides a review window where you can view your policy configuration and preview the violations that will occur if the policy is implemented. +When creating a policy, {product-title-short} provides a preview window where you can view your policy configuration and preview the violations that will occur if the policy is implemented. .Procedure . Verify that the policy configuration is configured with the correct options. -. The *Preview violations* panel provides additional information, including whether or not build phase or deploy phase deployments have violations of the policy. +. View the results in the *Preview violations* panel to ensure that the policy is working. This panel provides additional information, including whether build phase or deploy phase deployments have policy violations. + [NOTE] ==== -Runtime violations are not available in this preview because they are generated in response to future events. +Runtime violations are not available in this preview because they are generated when events occur in the future. ==== Before you save the policy, verify that the violations seem accurate. . Click *Save*. \ No newline at end of file diff --git a/modules/select-policy-lifecycle.adoc b/modules/select-policy-lifecycle.adoc index d29bc2caabc8..47e43f7376b4 100644 --- a/modules/select-policy-lifecycle.adoc +++ b/modules/select-policy-lifecycle.adoc 
@@ -10,13 +10,11 @@ Select the lifecycle stage when the policy is used. For more information, see "U .Procedure -. Select the *Lifecycle stages* when the policy is used: *Build*, *Deploy*, or *Runtime*. -You can select more than one stage from the following choices: -* Build-time policies apply to image fields such as CVEs and Dockerfile instructions. -* Deploy-time policies can include all build-time policy criteria but they can also include user-pod interaction that has been configured in your cluster, such as running in privileged mode or mounting the Docker socket. -* Runtime policies can include all build-time and deploy-time policy criteria but they can also include data about process executions during runtime. You can further configure runtime policies to trigger policy violations based on the deployment events or audit logs. -+ -. If you selected the *Runtime* lifecycle stage, you must select one of the following *Event sources*: -* *Deployment*: {product-title-short} triggers policy violations when events occur during deployment, such as process activity in running pods, network or process deviations from the baseline, and user pod interaction such as using the `exec` command in a pod or pod port forwarding. -* *Audit logs*: {product-title-short} triggers policy violations when event sources match Kubernetes audit log records. +. Select the *Lifecycle stages* for the policy: +* *Build*: Policies in this stage can only inspect image criteria that are related to the image registry, content, vulnerability data and the scanning process. They are evaluated in the CI pipeline, allowing policy violations to break the build when enforced. Violations from this stage are not stored by {product-title-short}. +* *Deploy*: Policies in this stage can inspect workload configurations and their images. These policies are evaluated while creating or updating a workload resource, and re-evaluated periodically or on-demand. 
When enforced, a policy violation can cause the admission controller to reject the deploy or update attempt, or scale the workload replicas down to zero. +* *Build and Deploy*: Select this stage if you want your policy to inspect images in both the build pipeline and during workload admission, and to apply enforcement to either or both stages. +* *Runtime*: Policies in this stage inspect either workload activity or Kubernetes resource operations associated with the following two event sources: +** *Deployment*: Runtime policies inspecting workload activity require at least one workload activity criterion. Workload activity criteria can be combined with image or workload configuration criteria. Enforcement terminates the offending pod, and then the pod is re-created. +** *Audit logs*: Runtime policies that evaluate Kubernetes resource operations look for sensitive operations by using the Kubernetes audit log. You cannot configure enforcement for policies that use this source, because the operations have already occurred. . Click *Next*. \ No newline at end of file diff --git a/modules/selecting-policy-notifiers.adoc b/modules/selecting-policy-notifiers.adoc index e51539402c8d..6de34e31daa6 100644 --- a/modules/selecting-policy-notifiers.adoc +++ b/modules/selecting-policy-notifiers.adoc 
@@ -6,11 +6,11 @@ = Selecting policy notifiers [role="_abstract"] -You can attach notifiers to the policy to send policy violations to email recipients or external tooling such as Jira, Splunk, or other applications that use webhooks. +You can attach notifiers to the policy to send policy violations to email recipients, or to external tools such as Slack, Jira, Splunk, or other applications that use webhooks. .Prerequisite -* You must have previously configured the notification before it is visible and available to select in the list. You configure these integrations in the *Platform Configuration* -> *Integrations* page, in the *Notifier Integrations* section. +* You must have previously configured the notifier before it is visible and available to select in the list. You configure these integrations in the *Platform Configuration* -> *Integrations* page, in the *Notifier Integrations* section. .Procedure diff --git a/modules/violation-view-policy-tab.adoc b/modules/violation-view-policy-tab.adoc index 635a2ef37057..0ce6cb0b108a 100644 --- a/modules/violation-view-policy-tab.adoc +++ b/modules/violation-view-policy-tab.adoc 
@@ -35,7 +35,7 @@ The *Policy behavior* section provides the following information: ** *Build*: {product-title-short} fails your continuous integration (CI) builds when images match the criteria of the policy. ** *Deploy*: For the *Deploy* stage, {product-title-short} blocks the creation and update of deployments that match the conditions of the policy if the {product-title-short} admission controller is configured and running. *** In clusters with admission controller enforcement, the Kubernetes or {ocp} API server blocks all noncompliant deployments. In other clusters, {product-title-short} edits noncompliant deployments to prevent pods from being scheduled. -*** For existing deployments, policy changes only result in enforcement at the next detection of the criteria, when a Kubernetes event occurs. For more information about enforcement, see "Security policy enforcement for the deploy stage". +*** For existing deployments, policy changes only result in enforcement at the next detection of the criteria, when a Kubernetes event occurs. For more information about enforcement, see "Deploy stage enforcement". ** *Runtime*: {product-title-short} deletes all pods when an event in the pods matches the criteria of the policy. == Policy criteria section diff --git a/operating/manage_security_policies/custom-security-policies.adoc b/operating/manage_security_policies/custom-security-policies.adoc index 3325e96ed830..931629cbf4e3 100644 --- a/operating/manage_security_policies/custom-security-policies.adoc +++ b/operating/manage_security_policies/custom-security-policies.adoc 
@@ -13,8 +13,21 @@ include::modules/create-policy-from-system-policies-view.adoc[leveloffset=+1] include::modules/enter-policy-details.adoc[leveloffset=+2] include::modules/select-policy-lifecycle.adoc[leveloffset=+2] include::modules/configure-policy-rules.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* xref:../../operating/manage_security_policies/security-policy-reference.adoc#policy-criteria_security-policy-reference[Policy criteria] + include::modules/configure-policy-scope.adoc[leveloffset=+2] +include::modules/enable-policy.adoc[leveloffset=+2] include::modules/configure-policy-enforcement-creating-policies.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* xref:../../operating/manage_security_policies/about-security-policies.adoc#policy-enforcement-deploy_about-security-policies[Deploy stage enforcement] + include::modules/selecting-policy-notifiers.adoc[leveloffset=+2] include::modules/preview-policy-violations.adoc[leveloffset=+2] diff --git a/operating/manage_security_policies/security-policy-reference.adoc b/operating/manage_security_policies/security-policy-reference.adoc index 4bafacfc0bf9..0dfdde4589b7 100644 --- a/operating/manage_security_policies/security-policy-reference.adoc +++ b/operating/manage_security_policies/security-policy-reference.adoc 
@@ -7,24 +7,19 @@ include::modules/common-attributes.adoc[] toc::[] [role="_abstract"] -You can use policy categories to manage your policies, and security criteria are available to use in building custom policies. Different criteria are available depending on the policy lifecycle stage. - -include::modules/default-security-policies.adoc[leveloffset=+1] +You can use policy categories to manage your policies. Security criteria are available to use in building custom policies. Different criteria are available, depending on the policy lifecycle stage. Lists of default security policies, or policies that are included in the system by default, are provided and organized by severity. include::modules/con-policy-categories.adoc[leveloffset=+1] include::modules/policy-criteria.adoc[leveloffset=+1] -[id="default-security-policies-list"] -== Default security policies - -{product-title-short} provides included security policies that you can use to prevent high-risk service deployments in your environment and respond to runtime security incidents. The listed policies are organized by severity level: critical, high, medium, and low. +include::modules/default-security-policies.adoc[leveloffset=+1] -include::modules/critical-sev-security-policies.adoc[leveloffset=+1] +include::modules/critical-sev-security-policies.adoc[leveloffset=+2] -include::modules/high-sev-security-policies.adoc[leveloffset=+1] +include::modules/high-sev-security-policies.adoc[leveloffset=+2] -include::modules/medium-sev-security-policies.adoc[leveloffset=+1] +include::modules/medium-sev-security-policies.adoc[leveloffset=+2] -include::modules/low-sev-security-policies.adoc[leveloffset=+1] +include::modules/low-sev-security-policies.adoc[leveloffset=+2]
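Review bot: In modules/policy-criteria.adoc, hunks `@@ -692,8 +738,8 @@` and `@@ -767,8 +806,55 @@`, the Networking rows are still introduced by the old spanning-row marker `6+| *Section: Networking*` (visible as unchanged context), while the Storage and Access control sections were converted to labelled list items (`Storage::`, `Access control::`) with their own `[cols="<,<,<,<,^,<"]` table and header row. As written, the Networking rows render inside the Storage table. Close the Storage table with `|===` after the Mount propagation row and add `Networking::` followed by a new table header, matching the pattern used for the other sections in this patch.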
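Review bot: In hunk `@@ -702,7 +748,16 @@` of modules/policy-criteria.adoc, the "Exposed node port" row is moved ahead of "Exposed port" but keeps `| (Same as Exposed Port)` in the Allowed Values column, so it now forward-references a row the reader has not reached yet. Either spell out the values (`<, >, <=, >= or nothing (which implies equal to)`) in that cell or keep the row after "Exposed port".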
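Review bot: In hunk `@@ -631,8 +677,8 @@` of modules/policy-criteria.adoc, "Volume source" becomes "Volume source path" with the description "The volume's path on the host.", while the JSON attribute stays `Volume Source` and the previous description ("Indicates the form in which the volume is provisioned. For example, `persistentVolumeClaim` or `hostPath`.") is moved to "Volume type". Please confirm the criterion evaluates the host path rather than the provisioning form; if it does, the description should say which volume types carry a host path, and the mismatch between the UI label and the `Volume Source` JSON attribute deserves a sentence so readers writing policy JSON can map the two.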
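Review bot: In hunk `@@ -857,7 +931,14 @@` of modules/policy-criteria.adoc, the added row `+| Kubernetes API verb` / `+| Do not use; not valid for runtime policies.` with `N/A` in the remaining cells puts a "do not use" entry into the reference table for user-issued container commands, while the same attribute is documented with its valid values (`GET`, `POST`, and so on) in the Audit log table that follows. A row that exists only to say it is invalid confuses the table; drop it, or replace it with a NOTE under the table stating that "Kubernetes API verb" applies only to Audit log policies.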
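Review bot: In hunk `@@ -913,7 +1013,25 @@` of modules/policy-criteria.adoc, the added "Kubernetes user name" and "Kubernetes user groups" rows in the Audit log "Resource attributes" table have the Phase cell `*Runtime* ONLY - Kubernetes Events`, while every other row in that table (Kubernetes resource name, User agent, Source IP address, Is impersonated user) says `*Runtime* ONLY - Audit Log`. This looks copied from the Kubernetes events table; the Phase should read `*Runtime* ONLY - Audit Log` here.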
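Review bot: In hunk `@@ -904,7 +980,31 @@` of modules/policy-criteria.adoc, `+| Kubernetes Resource Type` keeps title case while every other attribute renamed in this patch (`Kubernetes resource name`, `Kubernetes user name`, `Source IP address`, and so on) moves to sentence case. Rename it to `Kubernetes resource type` for consistency with the new convention.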
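Review bot: In hunk `@@ -805,49 +891,37 @@` of modules/policy-criteria.adoc, the new label `+User issued container commands::` should be hyphenated as `User-issued container commands::`, since "user-issued" is a compound modifier; the other new labels (`Baseline deviation::`, `Access control::`) are fine as written.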
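Review bot: In hunk `@@ -10,13 +10,11 @@` of modules/select-policy-lifecycle.adoc, the removed step "If you selected the *Runtime* lifecycle stage, you must select one of the following *Event sources*" has no replacement: the new *Deployment* and *Audit logs* sub-bullets describe the two sources but never instruct the reader to choose one, which leaves the procedure with only two numbered steps. Add a lead-in such as "Select one of the following event sources:" (or a separate step) before the sub-bullets. Two minor wording points in the same hunk: "re-evaluated periodically or on-demand" should be "on demand" (adverb, no hyphen), and "image registry, content, vulnerability data and the scanning process" is missing the serial comma the rest of the module uses.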
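Review bot: In hunk `@@ -6,16 +6,16 @@` of modules/preview-policy-violations.adoc, the new step "View the results in the *Preview violations* panel to ensure that the policy is working." is vaguer than what the panel actually tells the reader; suggest "to confirm that the policy matches the deployments you expect", which also lines up with the unchanged "verify that the violations seem accurate" sentence below the NOTE.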
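Review bot: In hunk `@@ -7,24 +7,19 @@` of operating/manage_security_policies/security-policy-reference.adoc, the deleted "Default security policies" section (its `[id="default-security-policies-list"]` heading and the intro naming the critical, high, medium, and low levels) is replaced only by the abstract sentence "organized by severity". Please confirm that modules/default-security-policies.adoc, now included at `leveloffset=+1` directly above the four severity modules at `leveloffset=+2`, supplies both a heading and that intro, otherwise the severity sections lose their parent heading and the severity levels are no longer named anywhere on the page. Separately, "Lists of default security policies, or policies that are included in the system by default, are provided and organized by severity." is wordy; "Default security policies, which are included with the product, are listed by severity." says the same thing.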