Add policy priorities #45
New methods get_policy_priorities/set_policy_priorities map to GET /api/policies/priorities, PUT /api/policies/priorities, respectively. They work on raw json objects. Some minimal massaging of the objects will be handled in the example programs.
It doesn't read the policy name from the cmdline, and reads the policy description from stdin.
Add the ability to return the order of policies only instead of the full list of priorities. With -o/--order-only, only the list of ids is returned. Also ensure that the list of priorities is always sorted in priorities order.
Example program to set the order of secure policies. Takes a simple list of policy ids as returned by list_policies --order-only, and wraps it in the necessary version/date object before using set_policy_priorities.
I believe the test failures are due to changes in our demo environment. The secure parts of the test, which use a different environment, are passing. @cecilpang and/or @ret2libc could you take a look to see if the use of the APIs seems reasonable?
I didn't run it, but the use of the APIs seems fine!
@mstemm, yes, I've had to fix this failing test before. I think it usually fails when someone removes or does a shutdown/start on a managed host in the demo environment, resulting in a changed IP address. In the past I've been able to fix it by logging into the demo account and seeing what hosts are currently being monitored and change to the new hostname in the It might be tedious, but I'd like to fix the failing test. I have the login and password of what used to be the user attached to this, but when I logged in just now it had zero hosts being monitored, or at least that was the case under the default team. There's tons of other teams, and each is going to have its own token. I don't recall how to dig up the secret setting that becomes the
Yeah, it's that the account changed. I'm going to switch it to the specific account I have set up for the secure side of tests (represented by PYTHON_SDC_TEST_API_TOKEN).
Use list_policies -o to get the current policies order, reverse the order using "jq reverse", and set the order. Use grep -b to find where in the policies list the policy "Write Below Binary Dir" is, before and after setting the order. You should find that the position of the policy moves to farther in the output e.g. the end. Also use tee when fetching the falco rules file so if there's an error we will see it.
Move all of the monitor unit tests from .travis.yml into a script test_monitor_apis.sh, and get rid of the (commented-out) tests for the pip version of sdcclient. In test_monitor_apis.sh, instead of relying on a hard-coded hostname, start an agent on the fly using docker and use the current hostname for get_data_advanced/create_sysdig_capture. Also make changes to let multiple copies of test script run at once: Many of the test programs relied on hard coded names of alerts, dashboards, notification channels, etc. This caused problems when running two copies of the test script at once, for example for the travisci push and pr tests. Fix this by making the various alert/dashboard/channel names configurable in each example script, and using unique names in the wrapper script that calls the individual scripts.
d0aafe7 to da1783c
@philrz could you look at the last 2 commits, which update the unit tests to use the python testing account and also allow multiple copies to be run at once without stepping over each other?
@mstemm: I guess strictly speaking, people who were running these examples out-of-the-box expecting positional command-line args will be broken & have to adapt to the new
Changes to support new Sysdig Secure APIs for policy ordering.