Custom Pattern as a Classification Value on NSX Data Security Regulation

Please note: as of NSX 6.2.3, the NSX Data Security feature has been deprecated. In NSX 6.2.3 you can continue to use this feature at your discretion, but be aware that it will be removed from NSX in a future release. The official communication is in the Deprecated section of the (now pulled) NSX 6.2.3 release notes.

Recently a customer asked me if it was possible on NSX Data Security to have a custom violation pattern when scanning VMs. Actually, I had never even thought about that, simply because laws, privacy and security regulations are very much standardised and have very specific patterns defined by governments all around the world. VMware Data Security supports PCI, PHI and PII related regulations only; you can see the complete list here: https://pubs.vmware.com/NSX-62/topic/com.vmware.nsx.reference.doc/GUID-1F4C32A8-9EA4-4F82-924C-D88323E3CF25.html

Now back to the question: is it possible to have a custom violation pattern? The answer is yes! However, it's not available from the Web Client; instead you have to create it via the API, and it leverages Regular Expressions (aka RegEx). There isn't a lot of documentation out there, so I'm sharing my discovery here given I spent some time figuring this out 🙂

DID YOU KNOW? As you can see, the endpoint URL contains dlp; in case you didn't know, that refers to an RSA product called the Data Loss Prevention suite, which RSA is dropping (see this link), which is why VMware has deprecated this module.

The regulation that we are going to use for this is called “Custom Account Numbers”, and in the next steps we are going to customise the content blade assigned to this regulation.

Get the list of regulations to find out the ID

GET https://NSX-Manager-IP-Address/api/2.0/dlp/regulation

The full XML response you get back is the following:

<Regulation>
  <revision>0</revision>
  <name>Custom Account Numbers</name>
  <description>Identifies documents and transmissions that contains identification or account numbers custom to your organisation. This policy requires customization of the Custom Accounts content blade.
  </description>
  <clientHandle/>
  <isUniversal>false</isUniversal>
  <universalRevision>0</universalRevision>
  <id>52</id>
  <classifications>
    <Classification>
      <id>20</id>
      <name>Custom Accounts</name>
      <providerName>Custom Accounts</providerName>
      <description>Custom Accounts</description>
      <customizable>true</customizable>
    </Classification>
  </classifications>
  <regions>ALL</regions>
  <categories>
    <string>PII</string>
  </categories>
</Regulation>

So we know that the Regulation ID = 52 and the Classification ID = 20.
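Reading the IDs off the XML by eye works for one regulation, but the real regulation list is longer, and only the blade marked customizable is the one you can attach a pattern to. Here is an added example (my own code, not part of the original post or of NSX) that pulls the regulation ID and the customizable classification ID out of such a response with the Python standard library. The <regulations> wrapper element and the second regulation entry are assumptions I added so that the parser is exercised on a list; the Custom Account Numbers entry reproduces the IDs shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the GET /api/2.0/dlp/regulation response
# shown in the post. The <regulations> wrapper and the second Regulation
# entry are assumptions added for illustration; the first entry reproduces
# the page's ids (regulation 52, classification 20).
SAMPLE_RESPONSE = """<regulations>
  <Regulation>
    <revision>0</revision>
    <name>Custom Account Numbers</name>
    <description>Identifies documents and transmissions that contains identification or account numbers custom to your organisation.</description>
    <id>52</id>
    <classifications>
      <Classification>
        <id>20</id>
        <name>Custom Accounts</name>
        <providerName>Custom Accounts</providerName>
        <customizable>true</customizable>
      </Classification>
    </classifications>
    <regions>ALL</regions>
    <categories><string>PII</string></categories>
  </Regulation>
  <Regulation>
    <revision>0</revision>
    <name>Example Fixed Pattern Regulation</name>
    <id>999</id>
    <classifications>
      <Classification>
        <id>998</id>
        <name>Example Fixed Blade</name>
        <customizable>false</customizable>
      </Classification>
    </classifications>
  </Regulation>
</regulations>"""


def find_customizable_classifications(xml_text):
    """Return (regulation_name, regulation_id, classification_id) for every
    classification whose <customizable> flag is true, in document order."""
    root = ET.fromstring(xml_text)
    results = []
    # iter() walks the whole tree, so the name of the wrapper element does
    # not matter; findtext() only looks at direct children, so the
    # regulation's own <id> is not confused with the nested classification id.
    for reg in root.iter("Regulation"):
        reg_name = reg.findtext("name")
        reg_id = int(reg.findtext("id"))
        for cls in reg.iter("Classification"):
            flag = (cls.findtext("customizable") or "").strip().lower()
            if flag == "true":
                results.append((reg_name, reg_id, int(cls.findtext("id"))))
    return results


def ids_for_regulation(xml_text, regulation_name):
    """Look up (regulation_id, classification_id) for a named regulation,
    or None if it is absent or has no customizable content blade."""
    for name, reg_id, cls_id in find_customizable_classifications(xml_text):
        if name == regulation_name:
            return reg_id, cls_id
    return None


if __name__ == "__main__":
    print(ids_for_regulation(SAMPLE_RESPONSE, "Custom Account Numbers"))
```

In practice you would feed this the body of the GET above instead of the constructed sample; the lookup returns None for a regulation whose blades are all fixed, which is exactly the case where a custom pattern cannot be stored.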

Get the classification value

GET https://NSX-Manager-IP-Address/api/2.0/dlp/classificationvalue

So we know the classificationValue ID = 3.

Configure custom RegEx for a Classification Value

I’m going to make a very simple RegEx, formatted as follows:

vlab-[0-9]{3}-[A-Za-z]{4}[0-9]{2}

This will match any string like vlab-001-prod01, for instance; it could be a hostname or whatever you want it to be, really. You can play with this good online RegEx parser 🙂
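Before storing a pattern in the classification value it is worth running it over a sample file the way a content scan would, i.e. searching anywhere inside the text rather than matching whole lines. The following is an added example of mine (not code from the post or from NSX): it scans constructed file content with the RegEx above and reports each hit with its line number. The sample hostnames are made up; whether the NSX engine treats the prefix case-sensitively is not stated in the post, so the upper-case line is included precisely to show what a case-sensitive match does and should be checked against a real scan.

```python
import re

# The pattern from the post. search/finditer (not fullmatch) mirrors a content
# scan, which looks for the pattern anywhere in a file, not at line boundaries.
CUSTOM_ACCOUNT_PATTERN = re.compile(r"vlab-[0-9]{3}-[A-Za-z]{4}[0-9]{2}")

# Constructed sample file content; every hostname here is invented.
SAMPLE_FILE = """\
Inventory export (constructed sample)
vlab-001-prod01 is the primary web node
backup target: vlab-042-test07, retired vlab-999-oldx99
VLAB-001-PROD01 is the same host written in upper case
vlab-01-prod01 has too few digits and should not match
db-vlab-123-data55-east still contains a match inside a longer name
"""


def scan_text(text, pattern=CUSTOM_ACCOUNT_PATTERN):
    """Return a list of (line_number, matched_string), one entry per
    occurrence, in file order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in pattern.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def violation_count(text, pattern=CUSTOM_ACCOUNT_PATTERN):
    """Number of occurrences, the figure a scan report would count."""
    return len(scan_text(text, pattern))


if __name__ == "__main__":
    for lineno, hit in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {hit}")
    print("violations:", violation_count(SAMPLE_FILE))
```

Two things the run makes visible: the upper-case line is not a hit because the prefix in the pattern is literal, and the last line is a hit even though the token is embedded in a longer name, because nothing anchors the pattern. If either behaviour is not what you want, adjust the RegEx (for example with word boundaries) before storing it, and confirm against a real scan.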

Using a PUT to https://NSX-Manager-IP-Address/api/2.0/dlp/policy/classificationvalues we can store this pattern inside the classificationValue, as follows:

Check that it has been saved by doing another GET to https://NSX-Manager-IP-Address/api/2.0/dlp/classificationvalue

Configure a policy to use the custom regulation

From Data Security > Manage, click Edit under Regulation.
Click All and type Custom in the search box. Select it and click Next.

Our predefined RegEx pattern will appear (I haven’t tried it, but I think you could also edit it from there). Click Finish and Publish Changes.


Create a file that violates the regulation

See the screenshot: I have created a file with the following text

Start a new scan and wait for it to complete.

Check the scan results

From Monitor > Reports, and here we go!

Hope this was helpful; even though this module of NSX is going to disappear soon, there may be companies out there still interested!
Ciao!
