Rapid7 recently addressed a bug in InsightVM's Custom Policy Builder where some built-in policies were not translated correctly during the editing process. For some customers, this resulted in inaccurate policy compliance results for specific custom-edited rules.

InsightVM's Custom Policy Builder allows Rapid7 customers to edit existing policies in various domains such as CIS, DISA, USGCB, and others. When a customer chooses to edit an existing built-in policy, Custom Policy Builder converts the built-in policy content from XML to JSON to make it easier to edit. For policies with complex checks (multiple nested logical operations), the conversion from XML to JSON only honored the first logical operator; the operators of the nested groups were lost.

For example, a complex check with multiple nested logical operations in XML might look like:

During the XML to JSON conversion, the bug in Custom Policy Builder would only honor the first logical operator and would change the rule above to the following in JSON:

This conversion error changes the intent of the policy. As a simplified example, a policy rule might require:

- Password of 12 characters AND
- A mix of uppercase/lowercase letters OR
- At least one number OR
- At least one special character

When converting the policy to JSON for editing, the policy rule would change to:

- Password of 12 characters AND
- A mix of uppercase/lowercase letters AND
- At least one number AND
- At least one special character
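To make the conversion defect concrete, the following added example (not Rapid7 code; the nested XML is a constructed, OVAL-style sample, since the notice's own XML is not reproduced here) converts a nested check both correctly and the way the bug did, then evaluates a password against each form to show how the compliance verdict diverges:

```python
import xml.etree.ElementTree as ET

# Constructed sample in an OVAL-like criteria layout (an assumption about the policy XML):
# the outer group is AND, the inner group is OR, matching the simplified rule above.
SAMPLE_XML = """
<criteria operator="AND">
  <criterion test="min_length_12"/>
  <criteria operator="OR">
    <criterion test="mixed_case"/>
    <criterion test="has_digit"/>
    <criterion test="has_special"/>
  </criteria>
</criteria>
"""

# Hypothetical leaf tests, keyed by the test attribute in the sample XML.
TESTS = {
    "min_length_12": lambda p: len(p) >= 12,
    "mixed_case": lambda p: p != p.lower() and p != p.upper(),
    "has_digit": lambda p: any(c.isdigit() for c in p),
    "has_special": lambda p: any(not c.isalnum() for c in p),
}

def to_json_correct(node):
    """Recursive conversion: every nested group keeps its own operator."""
    if node.tag == "criterion":
        return {"test": node.get("test")}
    return {"op": node.get("operator"), "checks": [to_json_correct(c) for c in node]}

def to_json_buggy(node):
    """Models the described defect: only the outermost operator survives and all
    leaf checks are flattened under it, so the inner OR silently becomes AND."""
    leaves = [{"test": c.get("test")} for c in node.iter("criterion")]
    return {"op": node.get("operator"), "checks": leaves}

def evaluate(rule, password):
    """Evaluate a JSON rule tree against a password string."""
    if "test" in rule:
        return TESTS[rule["test"]](password)
    results = [evaluate(c, password) for c in rule["checks"]]
    return all(results) if rule["op"] == "AND" else any(results)

def convert_both(xml_text=SAMPLE_XML):
    root = ET.fromstring(xml_text)
    return to_json_correct(root), to_json_buggy(root)

def compliance(password):
    """Return the verdict under the correct and the buggy conversion."""
    correct, buggy = convert_both()
    return {"correct": evaluate(correct, password), "buggy": evaluate(buggy, password)}
```

A 20-character mixed-case password with a digit but no special character passes the real policy yet fails the flattened one, which is the kind of inaccurate compliance result the notice describes.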

Prior to September 8, 2021 at 1:35 PM EST, customers who used Custom Policy Builder to edit any of the built-in policies listed here were affected by the XML → JSON conversion bug. Customers who are actively scanning their environment with a customized version of an affected policy will need to delete the affected custom policy and recreate it in Custom Policy Builder. Custom policies created after September 8, 2021 at 1:35 PM EST are not affected and do not need to be recreated.

Customers should document any changes made, and any additional complex checks they have added, to each custom policy before deleting it. This information will be needed to recreate the policy.


Additional guidance and documentation around how to recreate a custom policy can be found
here.
 
 

The InsightVM team deployed the fix within Custom Policy Builder to production, in all regions, on
September 8, 2021 at 1:35 PM EST. Policies edited after September 8, 2021 at 1:35 PM EST and
moving forward will convert the XML version of the policy to JSON correctly.
 
 

If you have any questions, please reach out to your Customer Success Manager.