Create Policies with the CLI
This article describes functionality that is currently in preview. Access to Azure, Google Cloud, and OCI datasources is in preview status.
This topic walks you through using the Lacework CLI to create a custom violation policy that detects unrestricted ingress to TCP port 445. Port 445 is conventionally used for SMB communication, and should not be open to external networks.
If you are new to the Lacework CLI, see Get Started to learn about installing and configuring the CLI.
This walkthrough follows a basic end-to-end workflow to create a custom policy. For additional options when creating queries and policies, see LQL Queries and Policies. For information about policy types, see Custom Policy Types.
If you want to learn more about Custom Policies and LQL, take the Fine Tuning & Customization module (part of Technical Foundations: Deploy) from the Lacework Academy.
Create a Query
What Datasources Are Available
The easiest way to learn about the LQL datasources is to discover the names of the datasources and then get details about the one you are interested in.
Run the command that corresponds to your cloud provider:
lacework query list-sources | grep AWS
lacework query list-sources | grep GCP
lacework query list-sources | grep AZURE
lacework query list-sources | grep OCI
What Fields Can I Use from a Datasource
In order to learn which fields to use in your query, run the lacework query show-source command for a description of the fields. For some datasources, you can run the lacework query preview-source command (not available for all datasources).
The following command shows the details for the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource.
lacework query show-source LW_CFG_AWS_EC2_SECURITY_GROUPS
DATASOURCE DESCRIPTION
---------------------------------+---------------------------------
LW_CFG_AWS_EC2_SECURITY_GROUPS Results from AWS EC2
'describe-security-groups'
FIELD NAME DATA TYPE DESCRIPTION
-------------------+-----------+---------------------------------
BATCH_START_TIME Timestamp Beginning of time interval
BATCH_END_TIME Timestamp End of time interval
QUERY_START_TIME Timestamp Start time of query for this
resource
QUERY_END_TIME Timestamp End time of query for this
resource
ARN String ARN for the resource
API_KEY String Key describing the API used to
fetch data for this resource
SERVICE String Service this resource belongs
to
ACCOUNT_ID String AWS Account ID
ACCOUNT_ALIAS String User friendly alias for AWS
Account
RESOURCE_TYPE String Type of this resource
RESOURCE_ID String Identifier for this resource
RESOURCE_REGION String Region this resource belongs
to
RESOURCE_CONFIG JSON JSON Definition of this
resource
RESOURCE_TAGS JSON Tags associated with this
resource
The RESOURCE_CONFIG field is frequently used in LQL. Because it is a JSON datasource, the LQL query must first convert the field using the array_to_rows() function. To know exactly which JSON fields you need, you can either read the cloud provider's API documentation, or write an LQL query to explore the full content before writing the actual policy.
Explore Datasources Using LQL
This example explores the LW_CFG_AWS_EC2_SECURITY_GROUPS datasource. Replace the datasource with LW_CFG_GCP_COMPUTE_FIREWALL or LW_CFG_AZURE_NETWORK_NETWORKSECURITYGROUPS if using Google Cloud or Azure, respectively.
Open your text editor, create a new file, and add the following content:
---
queryId: Explore_AWS_EC2_SECURITY_GROUPS
queryText: |-
{
source {
LW_CFG_AWS_EC2_SECURITY_GROUPS
}
return {
RESOURCE_CONFIG
}
}Save the file as YAML with the filename Explore_AWS_EC2_SECURITY_GROUPS.yaml. Note the file's location.
In the Lacework CLI, run this command:
lacework query run -f <path_to>/Explore_AWS_EC2_SECURITY_GROUPS.yamlResponse{
"RESOURCE_CONFIG": {
"Description": "default VPC security group",
"GroupId": "sg-000",
"GroupName": "default",
"IpPermissions": [
{
"IpProtocol": "-1",
"IpRanges": [],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": [
{
"GroupId": "sg-000",
"UserId": "111"
}
]
}
],
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"Ipv6Ranges": [],
"PrefixListIds": [],
"UserIdGroupPairs": []
}
],
"OwnerId": "111",
"VpcId": "vpc-000"
}
}
Create a Query
Open your text editor, create a new file, and add the content that corresponds to your cloud provider:
AWS query---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
{
source {
LW_CFG_AWS_EC2_SECURITY_GROUPS a,
array_to_rows(a.RESOURCE_CONFIG:IpPermissions) as (ip_permissions),
array_to_rows(ip_permissions:IpRanges) as (ip_ranges)
}
filter {
ip_permissions:IpProtocol = 'tcp'
and ip_permissions:FromPort = 445
and ip_permissions:ToPort = 445
and ip_ranges:CidrIp = '0.0.0.0/0'
}
return distinct {
ACCOUNT_ALIAS,
ACCOUNT_ID,
ARN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE,
SERVICE
}
}Google Cloud query---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
{
source {
LW_CFG_GCP_COMPUTE_FIREWALL firewall,
array_to_rows(firewall.RESOURCE_CONFIG:allowed) as (allowed),
array_to_rows(allowed:ports) as (ports),
array_to_rows(firewall.RESOURCE_CONFIG:sourceRanges) as (ranges)
}
filter {
RESOURCE_CONFIG:direction = 'INGRESS'
and allowed:IPProtocol = 'tcp'
and ports = '445'
and ranges = '0.0.0.0/0'
}
return distinct {
ORGANIZATION_ID,
PROJECT_NUMBER,
PROJECT_ID,
FOLDER_IDS,
URN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE,
SERVICE
}
}Azure query---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
{
source {
LW_CFG_AZURE_NETWORK_NETWORKSECURITYGROUPS a,
array_to_rows(a.RESOURCE_CONFIG:securityRules) as (rules)
}
filter {
rules:"properties".access = 'Allow'
and rules:"properties".direction = 'Inbound'
and rules:"properties".protocol = 'Tcp'
and rules:"properties".destinationPortRange = '445'
and rules:"properties".sourceAddressPrefix = '*'
}
return distinct {
TENANT_ID,
TENANT_NAME,
SUBSCRIPTION_ID,
SUBSCRIPTION_NAME,
URN as RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE
}
}OCI query---
queryId: LW_Custom_UnrestrictedIngressToTCP445
queryText: |-
{
source {
LW_CFG_OCI_NETWORK_NETWORK_SECURITY_GROUPS
}
filter {
RESOURCE_ID in {
source {
LW_CFG_OCI_NETWORK_NETWORK_SECURITY_GROUP_RULES
}
filter {
RESOURCE_CONFIG:direction = 'INGRESS'
and RESOURCE_CONFIG:"source" = '0.0.0.0/0'
and RESOURCE_CONFIG:protocol = '6'
and RESOURCE_CONFIG:tcp_options.destination_port_range.min <= 445
and RESOURCE_CONFIG:tcp_options.destination_port_range.max >= 445
}
return distinct {
RESOURCE_ID
}
}
}
return distinct {
COMPARTMENT_ID,
RESOURCE_KEY,
RESOURCE_REGION,
RESOURCE_TYPE,
SERVICE,
}
}Save the file as YAML with the filename LW_Custom_UnrestrictedIngressToTCP445.yaml. Note the file's location.
In the Lacework CLI, run this command:
lacework query create -f <path_to>/LW_Custom_UnrestrictedIngressToTCP445.yamlResponseThe query LW_Custom_UnrestrictedIngressToTCP445 was created.
Test Using Collected Data
In the Lacework CLI, run this command:
lacework query run LW_Custom_UnrestrictedIngressToTCP445
[
{
"ACCOUNT_ALIAS": "",
"ACCOUNT_ID": "aaa",
"RESOURCE_KEY": "arn:aws:ec2:us-east-2:aaa:security-group/sg-bbb",
"RESOURCE_REGION": "us-east-2",
"RESOURCE_TYPE": "ec2:security-group",
"SERVICE": "ec2"
}
]
[
{
"FOLDER_IDS": [],
"ORGANIZATION_ID": "aaa",
"PROJECT_ID": "ccc",
"PROJECT_NUMBER": "bbb",
"RESOURCE_KEY": "gcp:bbb://compute.googleapis.com/projects/ccc/global/firewalls/ddd",
"RESOURCE_REGION": "global",
"RESOURCE_TYPE": "compute.googleapis.com/Firewall",
"SERVICE": "compute"
}
]
[
{
"RESOURCE_KEY": "/subscriptions/aaa/resourceGroups/bbb/providers/Microsoft.Network/networkSecurityGroups/ddd",
"RESOURCE_REGION": "westus",
"RESOURCE_TYPE": "microsoft.network/networksecuritygroups",
"SUBSCRIPTION_ID": "aaa",
"SUBSCRIPTION_NAME": "eee",
"TENANT_ID": "ccc",
"TENANT_NAME": "fff"
}
]
[
{
"COMPARTMENT_ID": "ocid1.tenancy.oc1..aaa",
"RESOURCE_KEY": "ocid1.networksecuritygroup.oc1.us-sanjose-1.aaa",
"RESOURCE_REGION": "us-sanjose-1",
"RESOURCE_TYPE": "nsg",
"SERVICE": "network"
}
]
Create a Policy
Open your text editor, create a new file, and add the content that corresponds to your cloud provider:
AWS policy---
title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_AWS_DEFAULT_PROFILE.CFG_AWS_Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediationGoogle Cloud policy---
title: Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_GCP_DEFAULT_PROFILE.Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediationAzure policy---
title: Network Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_AZURE_DEFAULT_PROFILE.Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Network security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediationOCI policy---
title: Network Security Groups Should Not Allow Unrestricted Ingress to TCP Port 445
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: LW_CFG_OCI_DEFAULT_PROFILE.Violation
evalFrequency: Daily
queryId: LW_Custom_UnrestrictedIngressToTCP445
severity: high
description: Network security groups should not allow unrestricted ingress to TCP port 445
remediation: Policy remediation
The fields in the policy definition are:
title: Customize the event title.enabled: Enable or disable the policy (true|false).policyType: EnterViolationas thepolicyType.alertEnabled: Enable or disable alerts (true|false).alertProfile: Provide thealertProfileandalerttemplate name within the alert profile. It follows the formatalertProfileId.alert_template_name.evalFrequency: Optional. Set theevalFrequency(Hourly|Daily).queryId: Provide thequeryID. It must match the ID of the query you want to use.severity: Set the desired severity (critical|high|medium|low|info).description: Customize the description to display.remediation: Customize the remediation message to display.
Save the file as YAML with the filename UnrestrictedIngressToTCP445.yaml. Note the file's location.
In the Lacework CLI, run this command:
lacework policy create -f <path_to>/UnrestrictedIngressToTCP445.yamlResponseThe policy <policy_name> was created.
Enable Alerts
The policy you just created is not enabled and does not yet raise alerts when violations occur. The following enables alerts for the policy.
In your text editor, open the UnrestrictedIngressToTCP445.yaml file and update these fields:
enabled: falsetoenabled: truealertEnabled: falsetoalertEnabled: true
Save your changes.
In the Lacework CLI, run this command:
lacework policy update -f <path_to>/UnrestrictedIngressToTCP445.yamlResponseThe policy <policy_name> was updated.