Environment

Aqua 4.0.


Deployment Task

This article details the JSON body needed to create a Runtime Policy through the REST API in Aqua 4.0.


Note: This article assumes you have already set up authentication (JWT or basic authentication). See the Authentication API documentation for details.



Deployment Steps


1) Optionally, send a GET request to retrieve an existing Runtime Policy (for example 'Default' or 'HIPAA') to use as a template for your own policy. The policy name is the last segment of the path, so a name containing spaces must be URL-encoded when the request is sent:


http(s)://hostURL/api/v2/runtime_policies/Aqua default runtime policy

http(s)://hostURL/api/v2/runtime_policies/HIPAA


2) Send a POST request with the following JSON body to http(s)://hostURL/api/v2/runtime_policies:


{
    "enabled": true,
    "bypass_scope": {
        "enabled": false,
        "scope": {
            "variables": [],
            "expression": ""
        }
    },
    "forkGuardProcLimit": 100,
    "executable_blacklist": {
        "executables": []
    },
    "restricted_volumes": {
        "volumes": [
            "/home"
        ],
        "enabled": true
    },
    "scope": {
        "expression": "v1",
        "variables": [
            {
                "attribute": "image.name",
                "value": "*",
                "name": ""
            }
        ]
    },
    "name": "API Policy",
    "description": "Policy description",
    "enable_port_scan_protection": true,
    "enable_ip_reputation": true,
    "enable_fork_guard": true,
    "fork_guard_process_limit": 2,
    "block_nw_unlink_cont": true,
    "prevent_override_default_config": {
        "enabled": true,
        "enforce_seccomp": true,
        "enforce_selinux": true,
        "enforce_apparmor": true
    },
    "drift_prevention": {
        "enabled": true,
        "exec_lockdown": true,
        "image_lockdown": true
    },
    "no_new_privileges": true,
    "limit_container_privileges": {
        "enabled": true,
        "netmode": true,
        "block_add_capabilities": true,
        "prevent_root_user": true,
        "prevent_low_port_binding": true,
        "privileged": true,
        "use_host_user": true,
        "ipcmode": true,
        "pidmode": true,
        "usermode": true,
        "utsmode": true
    },
    "only_registered_images": true,
    "block_disallowed_images": true,
    "auditing": {
        "enabled": true,
        "audit_os_user_activity": true,
        "audit_all_processes": true,
        "audit_process_cmdline": true,
        "audit_all_network": true
    },
    "whitelisted_os_users": {
        "enabled": true,
        "user_white_list": [
            "juser"
        ],
        "group_white_list": [
            "devops"
        ]
    },
    "blacklisted_os_users": {
        "enabled": true,
        "user_black_list": [
            "tuser"
        ],
        "group_black_list": [
            "users"
        ]
    }
}