Using Policy Creation Tool
Policies can also be created with the Key Manager policy creation tool. The tool generates policies that enforce the requirements of a chosen standard (HIPAA, PCI DSS, SANS CIS, SOX, NIST).
To create a policy with the policy creation tool:
- Log in to any Key Manager server as a command-line client user.
- Navigate to /opt/sshmgr/examples/ukm-policy-tool/
- Generate the policies for the regulatory standard you need.
For example, to create a set of policies based on the NIST Recommendation for Key Management (see https://csrc.nist.gov/Projects/Key-Management/key-management-guidelines), you would run the following command:
# ./create-ukm-policies.sh --create nist
The generated policies can then be used to evaluate an environment managed by Key Manager. Edit the policies as necessary and appropriate for the specific environment.
For more information about the usage of the tool, print its help text by running the following command in /opt/sshmgr/examples/ukm-policy-tool/:
# ./create-ukm-policies.sh --help
As a general rule, the sample policies evaluate your whole environment. If you want to target specific host groups, or hosts with a specific classification, edit the policy accordingly.
A segregation-of-duties policy requires further configuration: the managed hosts must be classified so that Key Manager can determine which trust relationships must be flagged as violations.