Overriding managed rulesets
To customize the behavior of a managed ruleset, override it at deployment. When you override a ruleset, you specify changes to be executed in addition to the default configuration.
You can override a managed ruleset at the following levels:
- Ruleset overrides apply to all rules in the executed ruleset.
- Tag overrides apply to all rules with a specific tag. For example, use a tag override to customize the CIS Managed Ruleset so all rules with the wordpress tag are set to Block. If multiple tags have overrides and if a rule has more than one of these tags, the tag overrides order determines the behavior. For rules tagged with multiple overridden tags, the last tag’s overrides apply.
- Rule overrides apply to specific rules in a managed ruleset, referenced by their Rule ID.
Specific overrides take precedence over more general ones, and rule overrides take precedence over tag overrides, which take precedence over ruleset overrides.
Ruleset overrides and tag overrides apply to both existing and future rules in the managed ruleset. If you want to override existing rules only, you must use rule overrides.
Overriding workflow (API)
To apply an override for a managed ruleset, take the following steps.
1. List the rulesets available by using the list rulesets operation.
2. List the rules for that ruleset by using the get ruleset operation.
3. Call the update ruleset operation on your phase entry point.
4. Specify the overrides in the action_parameters of the rule that executes your managed ruleset:

"action_parameters": {
  "id": "<RULESET_ID>",
  "overrides": {
    // ruleset overrides
    "property-to-modify": "value",
    "property-to-modify": "value",
    // tag overrides
    "categories": [
      {
        "category": "<TAG_NAME>",
        "property-to-modify": "value",
        "property-to-modify": "value"
      }
    ],
    // rule overrides
    "rules": [
      {
        "id": "<RULE_ID>",
        "property-to-modify": "value",
        "property-to-modify": "value"
      }
    ]
  }
}
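As an added example (not code from the CIS documentation or the service itself), the following Python resolves the effective action and status of every rule in a managed ruleset once an overrides object in the shape shown above is applied, honouring the precedence rules described earlier (ruleset, then tag with the last matching tag winning, then rule), and rejects override actions outside the set the CLI accepts. The sample ruleset, rule IDs and tag names are constructed for illustration.

```python
# Added example, not IBM CIS code: the sample ruleset, rule IDs and tags are constructed.
VALID_ACTIONS = {"managed_challenge", "block", "js_challenge", "log", "challenge"}
OVERRIDABLE = ("action", "enabled")  # the two rule properties an override may set

# Constructed stand-in for the rules returned by the get ruleset operation.
MANAGED_RULES = [
    {"id": "rule-a", "action": "managed_challenge", "enabled": True, "categories": ["wordpress", "xss"]},
    {"id": "rule-b", "action": "block", "enabled": False, "categories": ["sqli"]},
    {"id": "rule-c", "action": "log", "enabled": True, "categories": ["wordpress"]},
    {"id": "rule-d", "action": "block", "enabled": True, "categories": []},
]

# Constructed overrides object, shaped like action_parameters.overrides above.
OVERRIDES = {
    "action": "log",  # ruleset override: every rule logs unless a more specific level says otherwise
    "categories": [
        {"category": "xss", "action": "block"},
        {"category": "wordpress", "action": "managed_challenge", "enabled": True},
    ],
    "rules": [{"id": "rule-b", "enabled": True}],  # rule override: most specific, always wins
}

def _apply(effective, override):
    """Copy only the overridable properties that this override level actually sets."""
    for prop in OVERRIDABLE:
        if prop in override:
            effective[prop] = override[prop]

def resolve(rule, overrides):
    """Effective (action, enabled): ruleset, then tags in listed order (last matching tag wins), then rule."""
    effective = {"action": rule["action"], "enabled": rule["enabled"]}
    _apply(effective, overrides)
    for cat in overrides.get("categories", []):
        if cat["category"] in rule["categories"]:
            _apply(effective, cat)
    for rule_override in overrides.get("rules", []):
        if rule_override["id"] == rule["id"]:
            _apply(effective, rule_override)
    return effective["action"], effective["enabled"]

def resolve_all(rules, overrides):
    """Map each rule ID to its effective (action, enabled) after overrides."""
    return {r["id"]: resolve(r, overrides) for r in rules}

def build_action_parameters(ruleset_id, overrides):
    """Return the action_parameters object for the execute rule, rejecting unknown actions early."""
    levels = [overrides, *overrides.get("categories", []), *overrides.get("rules", [])]
    bad = [lvl["action"] for lvl in levels if "action" in lvl and lvl["action"] not in VALID_ACTIONS]
    if bad:
        raise ValueError(f"invalid override action(s): {bad}")
    return {"id": ruleset_id, "overrides": overrides}
```

Running resolve_all on the constructed data shows rule-a ending up as managed_challenge even though the xss tag override says block, because the wordpress entry is listed later, while rule-b keeps the ruleset-level log action but is switched on by its rule override.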
You can override the following rule properties:
- "action"
- "enabled"
Some managed rulesets have extra override requirements, or they might let you override other rule properties.
Using an override to enable all the rules in a managed ruleset at the instance level is not advisable, because the change affects all the zones in your instance. Some rules are disabled by default because they can affect legitimate traffic. Do not enable these rules across zones without prior consideration.
Overriding managed rulesets in the console
To override a managed ruleset in the console, follow these steps:
1. In the CIS console, navigate to the Security section.
2. Select the WAF tab.
3. Click the name of the ruleset that you want to override.
4. From the Configure deployment side panel, click Browse rules.
5. In the Override CIS Managed Ruleset rules side panel, you can:
   - Select an action for any rule that you want to override.
   - Select the Status toggle to enable or disable a rule.
6. After you have reconfigured the ruleset rules, click Continue.
7. Verify the list of rules to override, then click Save.
Click Reset to default to restore the original settings.
Listing managed rulesets from the CLI
To list all zone rulesets from the CLI, run the following command:
ibmcloud cis managed-waf rulesets DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]
Command options
DNS_DOMAIN_ID - The ID of the domain.
-i, --instance value - The instance name or ID.
--output value - Specifies the output format; only JSON is supported.
Listing rules under a zone ruleset from the CLI
To list the rules under a zone ruleset from the CLI, run the following command:
ibmcloud cis managed-waf ruleset DNS_DOMAIN_ID RULESET_ID [-i, --instance INSTANCE] [--output FORMAT]
Command options
DNS_DOMAIN_ID - The ID of the domain.
RULESET_ID - The ID of the ruleset whose rules are to be listed.
-i, --instance value - The instance name or ID.
--output value - Specifies the output format; only JSON is supported.
Overriding managed rulesets from the CLI
To override a managed WAF ruleset from the CLI, run the following command:
ibmcloud cis managed-waf deployment-add-ruleset DNS_DOMAIN_ID RULESET_ID [--match EXPRESSION] [--enabled true|false] [--override-action ACTION] [--override-status STATUS] [--paranoia-level LEVEL] [--override-rules RULE] [-i, --instance INSTANCE] [--output FORMAT]
Command options
DNS_DOMAIN_ID - The ID of the domain.
--match value - The conditions that must be matched for the rule to run. See Using fields, functions, and expressions for a list of values to match.
--enabled value - Indicates whether the rule is active. Defaults to "true".
--override-action value - The ruleset action of any overrides. Valid values are "managed_challenge", "block", "js_challenge", "log", "challenge".
--paranoia-level value - The OWASP paranoia level. Valid values are "PL1", "PL2", "PL3", "PL4". This option is only available for the CIS OWASP Core Ruleset.
--override-rules value - The rule options of the overrides. For example, --override-rules rule=RULE_ID,action=ACTION,enabled=STATUS.
-i, --instance value - The instance name or ID.
--output value - Specifies the output format; only JSON is supported.
Listing zone rulesets from the API
To list all zone rulesets from the API, run the following command:
curl -X GET \
  https://api.cis.cloud.ibm.com/v1/$CRN/zones/$ZONE_ID/rulesets \
  -H 'content-type: application/json' \
  -H 'accept: application/json' \
  -H 'x-auth-user-token: Bearer xxxxxx'
Listing all rules for a ruleset from the API
To list all rules for a specific ruleset, run the following command:
curl -X GET \
  https://api.cis.cloud.ibm.com/v1/$CRN/zones/$ZONE_ID/rulesets/$RULESET_ID \
  -H 'content-type: application/json' \
  -H 'accept: application/json' \
  -H 'x-auth-user-token: Bearer xxxxxx'
Where:
- $RULESET_ID is the ID of the managed ruleset whose rules are listed.
Overriding an entry point ruleset from the API
To update the entry point ruleset from the API with an override, run the following command:
curl -X PUT \
  https://api.cis.cloud.ibm.com/v1/$CRN/zones/$ZONE_ID/rulesets/phases/$RULESET_PHASE/entrypoint \
  -H 'content-type: application/json' \
  -H 'accept: application/json' \
  -H 'x-auth-user-token: Bearer xxxxxx' \
  -d '{"description":"Deploy managed ruleset, enabling a specific rule with log action","rules":[{"action":"execute","expression":"true","action_parameters":{"id":"<MANAGED_RULESET_ID>","overrides":{"rules":[{"id":"<RULE_ID>","enabled":true,"action":"log"}]}}}]}'
Where:
- $RULESET_PHASE is the ruleset phase that is deployed to. Use http_request_firewall_managed to override managed WAF rulesets.
- -d is the object of attributes that are required to create the ruleset.
  - description defines your own summary of what the ruleset is accomplishing.
  - rules is the array of rules to deploy with the ruleset.
    - action is the action for the rule to take. See WAF ruleset actions for a description of available actions.
    - action_parameters is the object that defines what the action operates on.
      - id is the ID of the ruleset to execute. This ID is retrieved from the list zone rulesets operation.
      - overrides is the object of overrides to set upon the selected ruleset.
        - rules is the list of rules that are overridden with the selected properties.
          - id is the ID of the rule to override. This ID is retrieved from the list zone ruleset rules operation.
          - enabled overrides whether the rule is enabled.
          - action specifies the overridden action that the rule takes.
    - expression is the condition under which the rule runs. Using "true" means that this rule always runs.
    - description defines your own summary of what the rule is accomplishing.
Listing managed rulesets with Terraform
The following example lists all managed rulesets using Terraform:
data "ibm_cis_rulesets" "tests" {
  cis_id    = ibm_cis.instance.id
  domain_id = data.ibm_cis_domain.cis_domain.domain_id
}
For more information about the arguments and attributes, see ibm_cis_rulesets in the Terraform registry.
Listing all rules of a managed ruleset with Terraform
The following example lists all rules of a managed ruleset using Terraform:
resource "ibm_cis_ruleset" "config" {
  cis_id     = ibm_cis.instance.id
  domain_id  = data.ibm_cis_domain.cis_domain.domain_id
  ruleset_id = "943c5da120114ea5831dc1edf8b6f769"
}
For more information about the arguments and attributes, see ibm_cis_ruleset in the Terraform registry.
Overriding a rule with Terraform
This example shows how to deploy the CIS managed ruleset with several overrides. First, it enables and blocks traffic for all rules (ruleset override). Then, it enables and blocks traffic for a specific rule (rule override). Finally, it enables and blocks traffic for all rules in the wordpress category (tag override). Together these illustrate the three methods for overriding deployed rules: global, by rule, and by category.
resource "ibm_cis_ruleset_entrypoint_version" "test" {
  cis_id    = ibm_cis.instance.id
  domain_id = data.ibm_cis_domain.cis_domain.domain_id
  phase     = "http_request_firewall_managed"
  rulesets {
    description = "Entrypoint ruleset for managed ruleset"
    rules {
      action      = "execute"
      description = "Deploy CIS managed ruleset"
      enabled     = true
      expression  = "true"
      action_parameters {
        id = "efb7b8c949ac4650a09736fc376e9aee"
        overrides {
          # ruleset override: applies to every rule in the managed ruleset
          action  = "block"
          enabled = true
          override_rules {
            # rule override: the ID comes from a variable, so it must not be quoted
            rule_id = var.overriden_rule.id
            enabled = true
            action  = "block"
          }
          categories {
            # tag override: applies to every rule carrying the wordpress tag
            category = "wordpress"
            enabled  = true
            action   = "block"
          }
        }
      }
    }
  }
}
The following example shows how to create a WAF entry point and override a rule with Terraform:
resource "ibm_cis_ruleset_entrypoint_version" "waf_config" {
  cis_id    = ibm_cis.instance.id
  domain_id = data.ibm_cis_domain.cis_domain.domain_id
  phase     = "http_request_firewall_managed"
  rulesets {
    description = "Entry Point rulesets"
  }
  lifecycle {
    # the rules are managed by the ibm_cis_ruleset_rule resources below
    ignore_changes = [
      rulesets
    ]
  }
}

data "ibm_cis_ruleset_entrypoint_versions" "test" {
  cis_id    = ibm_cis.instance.id
  domain_id = data.ibm_cis_domain.cis_domain.domain_id
  phase     = "http_request_firewall_managed"
  depends_on = [
    ibm_cis_ruleset_entrypoint_version.waf_config
  ]
}

resource "ibm_cis_ruleset_rule" "rule1" {
  cis_id     = ibm_cis.instance.id
  domain_id  = data.ibm_cis_domain.cis_domain.domain_id
  ruleset_id = data.ibm_cis_ruleset_entrypoint_versions.test.rulesets[0].ruleset_id
  rule {
    action      = "execute"
    description = "OWASP Core RuleSet"
    enabled     = true
    expression  = "true"
    action_parameters {
      id = "4814384a9e5d4991b9815dcfc25d2f1f"
      overrides {
        # tag overrides: keep only paranoia level 1 active
        categories {
          category = "paranoia-level-2"
          enabled  = false
        }
        categories {
          category = "paranoia-level-3"
          enabled  = false
        }
        categories {
          category = "paranoia-level-4"
          enabled  = false
        }
        # rule override on the scoring rule, including the OWASP-specific score_threshold property
        override_rules {
          rule_id         = "6179ae15870a4bb7b2d480d4843b323c"
          action          = "block"
          score_threshold = 60
          enabled         = true
        }
        override_rules {
          rule_id = "8ac8bc2a661e475d940980f9317f28e1"
          enabled = true
        }
      }
    }
  }
}

resource "ibm_cis_ruleset_rule" "rule2" {
  cis_id     = ibm_cis.instance.id
  domain_id  = data.ibm_cis_domain.cis_domain.domain_id
  ruleset_id = data.ibm_cis_ruleset_entrypoint_versions.test.rulesets[0].ruleset_id
  rule {
    action      = "execute"
    description = "CIS exposed credential ruleset"
    enabled     = true
    expression  = "true"
    action_parameters {
      id = "c2e184081120413c86c3ab7e14069605"
      overrides {
        override_rules {
          rule_id = "53f38cd8974a4cd3bc9a8a64fc731fb0"
          enabled = true
          action  = "log"
        }
      }
    }
  }
}

resource "ibm_cis_ruleset_rule" "rule3" {
  cis_id     = ibm_cis.instance.id
  domain_id  = data.ibm_cis_domain.cis_domain.domain_id
  ruleset_id = data.ibm_cis_ruleset_entrypoint_versions.test.rulesets[0].ruleset_id
  rule {
    action      = "execute"
    description = "CIS Managed ruleset"
    enabled     = true
    expression  = "true"
    action_parameters {
      id = "efb7b8c949ac4650a09736fc376e9aee"
      overrides {
        override_rules {
          rule_id = "5de7edfa648c4d6891dc3e7f84534ffa"
          enabled = true
          action  = "block"
        }
      }
    }
  }
}
For more information about the arguments and attributes, see ibm_cis_ruleset_entrypoint_version in the Terraform registry.