Guardian Policy Management using Spyctl
This reference page details the commands used to manage Guardian Workload Policies with spyctl.
Creating and Applying a Policy
See the tutorial: How To Lock Down Your Critical Workloads With Policies using Spyctl
Updating a Policy
Over time, Policies will generate deviations. Your Linux services and containers keep generating activity, and some of that activity will fall outside what the Policy allows. Investigating a deviation leads to one of two outcomes:
There is a legitimate threat, and you take steps to remediate it, or
The activity is additional benign behavior that should be added to the Policy.
This reference guide covers the second scenario.
Viewing Deviations
Deviations are processes or connections that did not match one of your Guardian Workload Policies. Each deviation carries all of the information required to update the Policy should you choose to merge it in. You can view Deviations with the get command:
spyctl get deviations [NAME_OR_UID]
For example:
spyctl get deviations
Getting policy deviations from 2024-01-15T23:06:33Z to 2024-01-16T23:06:33Z
UID                       NAME          STATUS    TYPE       CREATE_TIME           DEVIATIONS_(UNIQ/TOT)
pol:CB1fSLq4wpkFG5kWsQ2r  mongo-policy  Auditing  container  2024-01-16T15:00:43Z  2/33
The last column separates unique deviations from total occurrences: here two distinct deviations were seen 33 times in the queried window.
Viewing the Diff
To see how merging the deviations into your Policy would change it, view a git-like diff with the following command:
For example:
First, list the policies you have applied:
Then select the one you want to diff:
The diff command prints a git-like diff of the activity that does not match the Policy. Treat it as a review step: only activity you have confirmed to be benign belongs in the Policy. Once you are satisfied, use the merge command to add the deviations to the Policy.
[Optional] Bulk Diff
You may have many policies, and diffing each one individually might be tiresome. To systematically diff all of your policies, use the following command:
You can also use the -y option to avoid any prompting.
Merging in the Deviations
To update your Policies with known-good deviations, use the merge command.
For example:
You will have a chance to review any changes before they are applied.
[Optional] Bulk Merge
You may have many Policies, and merging updates into each one individually may be tiresome. To systematically merge deviations across all of your Policies, use the following command:
You can use the --yes-except option to avoid all prompts except reviewing the final changes, and you can use the -y option to avoid all prompts entirely.
Changing a Policy's Mode
Once your Policy rarely produces deviations in audit mode, you can change it to enforce mode. Audit mode only records deviations, so before switching make sure the ones that remain have either been merged or are activity you do not want to allow. To change the Policy to enforce mode you must edit its yaml.
Use the edit command to edit the Policy's yaml.
For example:
Change the mode field in the spec from audit to enforce, then save to apply the update. Issue the get command again to confirm the Policy now reports its new mode.
Disabling and Re-enabling a Policy
If you notice that a Policy is too noisy, or you want to temporarily disable it, edit its yaml and set the enabled field in the spec to false.
Use the edit command to edit the Policy's yaml. For example:
Then save to apply the update. To see that the Policy is indeed disabled, issue the get command.
To re-enable a Policy, either remove the enabled field from the spec (a Policy without an enabled field is enabled) or change false to true, and then apply the Policy file again. After re-enabling a Policy that has been off for a while, check for deviations before switching it to enforce mode.
To see that the action was successful, issue the get command again.
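The checks a practitioner usually scripts around the steps above (picking quiet audit-mode Policies from the deviations table, flipping mode from audit to enforce, disabling and re-enabling) as an added shell example; this is not spyctl's own code or part of the Spyderbat docs, and it never calls spyctl. The mode and enabled fields under spec and the values audit, enforce and false come from this page; the apiVersion/kind lines, the two-space indentation, the rows other than mongo-policy in the deviations table, the Enforcing status string and the spyctl invocations in the comments are assumptions made for the example (verify flags with spyctl --help).

```sh
#!/bin/sh
# Added example, not part of spyctl. Helpers for the audit -> enforce and
# enable/disable edits described on this page, plus a filter over
# `spyctl get deviations` table output. Everything runs offline.

# Constructed `spyctl get deviations` output. Only the mongo-policy row is
# from the page; the other two UIDs and the "Enforcing" status are assumed.
DEVIATIONS_TABLE='UID                       NAME          STATUS     TYPE       CREATE_TIME           DEVIATIONS_(UNIQ/TOT)
pol:CB1fSLq4wpkFG5kWsQ2r  mongo-policy  Auditing   container  2024-01-16T15:00:43Z  2/33
pol:EXAMPLEquietredis0001  redis-policy  Auditing   container  2024-01-16T15:02:11Z  0/0
pol:EXAMPLEnginxenforce01  nginx-policy  Enforcing  container  2024-01-10T09:00:00Z  0/0'

# Constructed, abbreviated policy YAML (apiVersion/kind and layout assumed;
# the process and network rules a real Guardian policy carries are omitted).
SAMPLE_POLICY='apiVersion: spyderbat/v1
kind: SpyderbatPolicy
metadata:
  name: mongo-policy
  type: container
spec:
  mode: audit
  # process and network rules omitted in this constructed sample'

# Print UIDs of policies still in audit mode that produced no unique
# deviations in the queried window: the candidates for enforce mode.
# Reads `spyctl get deviations` table output on stdin.
quiet_audit_policies() {
  awk 'NR > 1 && $3 == "Auditing" {
    split($NF, d, "/")            # DEVIATIONS_(UNIQ/TOT): d[1]=unique, d[2]=total
    if (d[1] + 0 == 0) print $1
  }'
}

# Print the value of a top-level field under spec: (two-space indent). stdin -> stdout.
get_spec_field() {
  awk -v f="$1" '$0 ~ ("^  " f ":") { print $2; exit }'
}

# Set a top-level spec field, or add it directly under spec: if absent. stdin -> stdout.
set_spec_field() {
  _f=$1 _v=$2
  _yaml=$(cat)
  if printf '%s\n' "$_yaml" | grep -q "^  $_f:"; then
    printf '%s\n' "$_yaml" | awk -v f="$_f" -v v="$_v" \
      '$0 ~ ("^  " f ":") { print "  " f ": " v; next } { print }'
  else
    printf '%s\n' "$_yaml" | awk -v f="$_f" -v v="$_v" \
      '{ print } /^spec:/ { print "  " f ": " v }'
  fi
}

# Flip a policy from audit to enforce. Refuses anything not currently in
# audit mode, and refuses a disabled policy, so a re-run or a stale file is
# never silently "promoted". stdin -> stdout, non-zero status on refusal.
promote_to_enforce() {
  _p=$(cat)
  _mode=$(printf '%s\n' "$_p" | get_spec_field mode)
  if [ "$_mode" != audit ]; then
    echo "refusing: mode is '${_mode:-unset}', expected audit" >&2
    return 1
  fi
  if [ "$(printf '%s\n' "$_p" | get_spec_field enabled)" = false ]; then
    echo "refusing: policy is disabled (enabled: false)" >&2
    return 1
  fi
  printf '%s\n' "$_p" | set_spec_field mode enforce
}

# Worked run on the constructed data.
echo "Audit-mode policies with no unique deviations:"
printf '%s\n' "$DEVIATIONS_TABLE" | quiet_audit_policies
echo
echo "mongo-policy promoted to enforce:"
printf '%s\n' "$SAMPLE_POLICY" | promote_to_enforce
echo
echo "mongo-policy temporarily disabled:"
printf '%s\n' "$SAMPLE_POLICY" | set_spec_field enabled false
# Against a live environment you would write the result to a file and apply
# it; `spyctl apply -f <file>` is the assumed invocation for that step.
```

The promote guard is the point: the awk edit is trivial, but refusing to touch a Policy that is not in audit mode (or is disabled) keeps a bulk run from enforcing something whose deviations were never reviewed.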
Deleting a Policy
If you wish to completely remove a Policy from the Spyderbat Environment of the organization in your current Context, use the delete command. This cannot be undone from spyctl, so keep the Policy's yaml under version control if you may want it back.
For example: