bastion.toml manifest parser with variable validation and dependency declarations. Declarative compliance policy schema with per-platform check implementations. Template loader with variable substitution (Bastion-owned files only — never touches Ansible/Terraform). PolicyRegistry and AccordRegistry with builtin fallbacks. BOUNDARY: loader never touches automation framework files. Signed-off-by: Tyler King <tking@guildhouse.dev>
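# Test workstation compliance policy (fixture).
# Root keys identify the policy; each [[conditions]] element is one check,
# with per-platform implementations in its sub-tables.
name = "test-workstation-policy"

# ${org_name} is not TOML interpolation. It is a placeholder that the Bastion
# template loader substitutes; the raw string is what a plain TOML parser sees.
description = "Test workstation compliance for ${org_name}"

version = "1.0.0"

framework = "test-framework"

# Controls this policy claims to cover. NOTE(review): only TC-001 is referenced
# by a framework_ref below; TC-002 is listed but no condition maps to it.
framework_controls = ["TC-001", "TC-002"]

[[conditions]]
id = "disk-encryption"
kind = "DiskEncryption"
description = "Full disk encryption required"
framework_ref = "TC-001"
# Must match a key of [breach_response] for the breach to be actioned.
severity = "critical"

# Sub-table of the disk-encryption element above; it must stay between this
# [[conditions]] header and the next one.
[conditions.linux]
# Relative path to the check the agent runs. Presumably resolved against the
# policy directory — the loader should confine it there (no traversal outside
# the Bastion-owned tree) and treat it as policy-owned content; verify in loader.
script = "scripts/linux/check-encryption.sh"
expect = "encrypted"

[conditions.windows]
# Evaluated from the Intune device record rather than a local script.
intune_field = "isEncrypted"
# expect is typed per check: boolean here, string for the Linux script above.
expect = true

[[conditions]]
id = "antivirus-active"
kind = "AntivirusActive"
description = "Antivirus must be running"
# No framework_ref on this condition (only a Windows implementation is given).
severity = "high"

[conditions.windows]
intune_field = "antiVirusStatus"
expect = "active"

# Action taken per severity level; keys correspond to the severity values used
# in the conditions above.
[breach_response]
critical = "suspend_access"
high = "alert_msp"

[schedule]
# How often the checks are re-evaluated, in seconds.
interval_seconds = 300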