There are a number of ways to create a new library, but if you want to modify one of the libraries provided by IriusRisk to make it your own, first you should export the IriusRisk library, modify its ref (Unique ID) and name and then disable the library and upload your modified version. To accomplish this, follow the steps below:
Create a clone of the library that will be the custom library
- First, go to the "Risk pattern libraries" menu within the sidebar:
- Select the library you wish to change - in our case, we will select the library "CS-Default" - click on the "Action" button and from the drop-down options select the "Export" option:
- A new window appears in which we have to click the "Export" button. The file will be downloaded.
- Last, you will need to disable the library so that when we import the custom one it doesn't make any conflicts. In the same drop-down menu select the Disable option:
- Open the exported XML file with a text editor and change the library name and reference to your custom values. For this example we'll use:
Library Name: Customer Custom Library
Library Ref: customer-custom-library
We also set the revision number to 1 to indicate that this is the first revision of the library and a new description.
- In the exported XML file, update the library references for rules using find and replace. This will change all references from the previous (now disabled) library, to your new modified version.
Find: CS-Default -> Replace: customer-custom-library
- Also, you will need to remove UUIDs. You can use the following regex expression to search and replace UUIDs fo empty values:
Find with regex: 'uuid="[^"]+"' -> Replace: '' (empty)
- Optionally, you can change the filename of the library to avoid confusion.
Import the custom library into IriusRisk
- Then click the "Action" button on the top-left of the panel and select the option "Import Library".
- A new window appears, click the link "Select the file". The system browser appears. Select the modified XML library in the previous steps. The fields Name and Reference ID for the library are automatically completed.
- Finally, the new library appears alongside the other libraries and this new library is at this point a clone of the copied library having the same risk patterns and rules. Any changes you make in this library will never by overwritten by system or library upgrades.
After this, you can begin to modify the risk pattern and rules to adapt the library to your security model.
When IriusRisk is updated and a new version of the disabled library (CS-Default) is released:
- The CS-Default library stays disabled after the update.
- You can still take advantage of the new risk-patterns in CS-Default even if the CS-Default library is disabled by downloading the library as XML and inspecting the content.
We recommend using a distributed version control systems such as Git to manage your custom libraries. This way:
- Different contributors can work on the same library concurrently.
- Changes can be coordinated via a central server, or even on a peer-to-peer basis.
- Updates in IriusRisk default libraries can be selectively merged using diff tools.
Problems that may arise due to the cloning
We try to group the security content in our libraries so that each one can be self-contained but for some special cases we might have crossed references between libraries, meaning that a rule in one library can reference a risk pattern in another library and other kind of relations. We created a matrix table so you can see all these crossed references.
When you clone a default library you will be in complete control of the security content as well as the rules in it. We encourage you to take a look to all the rules in your custom library so that you understand what kind of actions will be taken when using your components.
Note that any other rules present in other default libraries that are used to import security content from a disabled library will still be working. Let's see an example:
- Following this tutorial you disabled CS-Default library, which contains the Active Directory risk pattern
- Suppose that a certain rule exists in the CS-Default-Security-Policies library that says that if a component is in the Internet trustzone the Active Directory risk pattern will be imported
- If you set one of the components from your custom library in the Internet trustzone you will see that this rule will be applied and a risk pattern from a disabled library will be imported in the component
- You may want to disable other libraries to avoid this behavior