| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2025-02-27 |
cis |
{{site.data.keyword.attribute-definition-list}}
{: #overriding-rulesets}
To customize the behavior of a managed ruleset, override it at deployment. When you override a ruleset, you specify changes to be executed in addition to the default configuration.
You can override a managed ruleset at the following levels:
- Ruleset overrides apply to all rules in the executed ruleset.
- Tag overrides apply to all rules with a specific tag. For example, use a tag override to customize the CIS Managed Ruleset so all rules with the wordpress tag are set to Block. If multiple tags have overrides and if a rule has more than one of these tags, the tag overrides order determines the behavior. For rules tagged with multiple overridden tags, the last tag’s overrides apply.
- Rule overrides apply to specific rules in a managed ruleset, referenced by their Rule ID.
Specific overrides take precedence over more general ones, and rule overrides take precedence over tag overrides, which take precedence over ruleset overrides. {: important}
Ruleset overrides and tag overrides apply to both existing and future rules in the managed ruleset. If you want to override existing rules only, you must use rule overrides.
{: #override-workflow}
To apply an override for a managed ruleset, take the following steps.
- List the rulesets available by using the list rulesets operation.
- List the rules for that ruleset by using the get ruleset operation.
- Call the update ruleset operation on your phase entry point.
- Specify the overrides in the
action_parametersof the rule that executes your managed ruleset.
"action_parameters": {
"id": "<RULESET_ID>",
"overrides": {
// ruleset overrides
"property-to-modify": "value",
"property-to-modify": "value",
// tag overrides
"categories": [
{
"category": "<TAG_NAME>",
"property-to-modify": "value",
"property-to-modify": "value"
}
],
// rule overrides
"rules": [
{
"id": "<RULE_ID>",
"property-to-modify": "value",
"property-to-modify": "value"
}
]
}
}{: codeblock}
You can override the following rule properties.
- "action"
- "enabled"
Some managed rulesets can have extra override requirements, or they might override other rule properties.
It is not effective to enable all the rules in a managed ruleset at the instance level by using an override. This change can affect all the zones in your instance. Some rules are disabled by default because they eventually affect legitimate traffic. Do not enable these rules across zones without previous consideration.
{: #cli-override-rule-sets} {: cli}
You can override rulesets from the CLI.
{: #cli-override-list-rule-sets}
To list all zone rulesets from the CLI, run the following command:
ibmcloud cis managed-waf rulesets DNS_DOMAIN_ID [-i, --instance INSTANCE] [--output FORMAT]{: pre}
Where:
DNS_DOMAIN_IDis the ID of the domain.-i, --instance valueis the instance name or ID.--output valuespecifies the output format; only JSON is supported.
{: #cli-override-list-rule-sets-rules}
To list the rules under a zone ruleset from the CLI, run the following command:
ibmcloud cis managed-waf ruleset DNS_DOMAIN_ID RULESET_ID [-i, --instance INSTANCE] [--output FORMAT]{: pre}
Where:
DNS_DOMAIN_IDis the ID of the domain.RULESET_IDis the ID of the ruleset for the rules to be listed.-i, --instance valueis the instance name or ID.--output valuespecifies the output format; only JSON is supported.
{: #cli-override-entry-point-rule-set}
To override a managed WAF ruleset from the CLI, run the following command:
ibmcloud cis managed-waf deployment-add-ruleset DNS_DOMAIN_ID RULESET_ID [--match EXPRESSION] [--enabled true|false] [--override-action ACTION] [--override-status STATUS] [--paranoia-level LEVEL] [--override-rules RULE] [-i, --instance INSTANCE] [--output FORMAT]{: pre}
Where:
DNS_DOMAIN_IDis the ID of the domain.--match valueis the conditions that must be matched for the rule to run. See Using fields, functions, and expressions for a list of values to match.--enabled valueindicates whether the rule is active. Defaults to "true".--override-action valueis the ruleset action of any overrides. Valid values are "managed_challenge", "block", "js_challenge", "log", "challenge".--paranoia-level valueis the OWASP paranoia level. Valid values are "PL1", "PL2", "PL3", "PL4" and it's only available forCIS OWASP Core Ruleset.--override-rules valueis the rules options of the overrides. For example,--override-rules rule=RULE_ID,action=ACTION,enabled=STATUS.-i, --instance valueis the instance name or ID.--output valuespecifies the output format; only JSON is supported.
{: #api-override-rule-sets} {: api}
You can override rulesets from the API.
{: #api-override-list-zone-rule-sets}
To list all zone rulesets from the API, run the following command:
curl -X GET \
https://api.cis.cloud.ibm.com/v1/$CRN/zones/$ZONE_ID/rulesets \
-H 'content-type: application/json' \
-H 'accept: application/json' \
-H 'x-auth-user-token: Bearer xxxxxx'{: codeblock}
{: #api-override-list-rule-sets-rules}
To list all rules for a specific ruleset, run the following command:
curl -X GET \
https://api.cis.cloud.ibm.com/v1/$CRN/zones/$ZONE_ID/rulesets/$RULESET_ID \
-H 'content-type: application/json' \
-H 'accept: application/json' \
-H 'x-auth-user-token: Bearer xxxxxx'{: codeblock}
Where:
$RULESET_IDis the ID of the managed ruleset which the rules are listed for.
{: #api-override-entry-point-rule-set}
To update the entry point ruleset from the API with an override, run the following command:
curl -X PUT \
https://api.cis.cloud.ibm.com/v1/$CRN/zones/$ZONE_ID/rulesets/phases/$RULESET_PHASE/entrypoint \
-H 'content-type: application/json' \
-H 'accept: application/json' \
-H 'x-auth-user-token: Bearer xxxxxx' \
-d '{"description":"Deploy managed ruleset, enabling a specific rule with log action","rules":[{"action":"execute","expression":"true","action_parameters":{"id":"<MANAGED_RULESET_ID>","overrides":{"rules":[{"id":"<RULE_ID>","enabled":true,"action":"log"}]}}}]}'{: codeblock}
Where:
$RULESET_PHASEis the ruleset phase that is deployed to. Usehttp_request_firewall_managedto override managed WAF rulesets.-dis the object of attributes that are required to create the ruleset.descriptiondefines your own summary of what a ruleset is accomplishing.rulesis the array of rules to deploy with the ruleset.actionis the action for the rule to take. See WAF ruleset actions for a description of available actions.action_parametersis the object for defining what the action operates on.idis the ID of the ruleset to execute. This ID is retrieved from the list zone rulesets operation.overridesis the object of overrides to set upon the selected ruleset.rulesis the list of rules that are overridden with the selected properties.idis the ID of the rule to override. This ID is retrieved from the list zone ruleset rules operation.enabledoverwrites even when the rule is enabled.actionspecifies the overridden action that the rule takes.
expressionis the condition under which the rule runs. Using "true" means that this rule always runs.descriptiondefines your own summary of what the rule is accomplishing.