# Policy Configuration

## Defining Remediation Rules

The policy file (`atropos_policy.yaml`) defines which actions to take for each node at different entropy thresholds. It supports time windows, rate limiting, and escalation strategies.
## Full Example

```yaml
meta:
  version: "1.0"
  last_reviewed: "2026-01-18"

server:
  listen_addr: ":8443"
  hmac_secret: "change-me-in-prod"  # or ATROPOS_HMAC_SECRET

nodes:
  athena:
    host: "athena.local"
    port: 22
    user: "root"
    description: "Primary application server"
    time_windows:
      - start: "09:00"
        end: "17:00"
    rate_limit:
      max_cuts: 3
      window_minutes: 60
    strategies:
      - threshold: 0.85
        action: vbox_revert_snapshot
        snapshot_name: "LAST_ORDERED_STATE"
        critical: true
        on_failure: "ssh_isolate_network"
      - threshold: 0.70
        action: docker_pause_all
```

## Metadata Block

```yaml
meta:
  version: "1.0"
  last_reviewed: "2026-01-18"
```

Track the policy version and review dates for audit purposes.
## Server Configuration

```yaml
server:
  listen_addr: ":8443"
  hmac_secret: "your-secret-here"
```

| Field | Description |
|---|---|
| `listen_addr` | Address:port to listen on |
| `hmac_secret` | Secret for webhook signature verification |

Override the HMAC secret with the `ATROPOS_HMAC_SECRET` environment variable in production.
## Node Definitions

```yaml
nodes:
  athena:
    host: "athena.local"
    port: 22
    user: "root"
    description: "Primary application server"
    strategies:
      - threshold: 0.85
        action: vbox_revert_snapshot
```

| Field | Description |
|---|---|
| `host` | Hostname or IP for SSH actions |
| `port` | SSH port (default: 22) |
| `user` | SSH user for network commands |
| `description` | Human-readable description |
| `strategies` | List of threshold → action mappings |
## Strategies

Strategies define what action to take at each entropy level:

```yaml
strategies:
  - threshold: 0.85
    action: vbox_revert_snapshot
    snapshot_name: "LAST_ORDERED_STATE"
    critical: true
    on_failure: "ssh_isolate_network"
  - threshold: 0.70
    action: docker_pause_all
```

| Field | Description |
|---|---|
| `threshold` | Minimum entropy to trigger (0.0 - 1.0) |
| `action` | Cutter action to execute |
| `critical` | Mark as critical action |
| `on_failure` | Fallback action if primary fails |
| `snapshot_name` | VBox snapshot name (for vbox actions) |
| `command` | SSH command (for `ssh_isolate_network`) |
Strategies are evaluated highest-threshold first. The first matching threshold wins.
## Time Windows

Restrict when cuts can be executed:

```yaml
time_windows:
  - start: "09:00"
    end: "17:00"    # Business hours only
  - start: "00:00"
    end: "04:00"    # Maintenance window
```

Cuts outside these windows will be queued or rejected.
## Rate Limiting

Prevent cut storms by limiting frequency:

```yaml
rate_limit:
  max_cuts: 5
  window_minutes: 60    # Max 5 cuts per hour
```

If the rate limit is exceeded, subsequent cuts are rejected until the window resets.
## Conditional Actions

Define fallback strategies when the primary action fails:

```yaml
strategies:
  - threshold: 0.85
    action: vbox_revert_snapshot
    on_failure: "ssh_isolate_network"    # Fallback
```

If `vbox_revert_snapshot` fails, Atropos will automatically try `ssh_isolate_network`.
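The rules in the Strategies, Time Windows, Rate Limiting and Conditional Actions sections above, combined into one decision function. This is an added illustration written for this page, not Atropos's own evaluator; the `ATHENA` dict is a constructed, already-parsed copy of the page's example node, and the `plan_cut` / `select_strategy` / `in_time_window` / `rate_limited` names are assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed: the page's "athena" node as a parsed dict (field names follow
# atropos_policy.yaml; strategies are deliberately listed lowest-first to show
# that evaluation order does not depend on file order).
ATHENA = {
    "time_windows": [{"start": "09:00", "end": "17:00"},
                     {"start": "00:00", "end": "04:00"}],
    "rate_limit": {"max_cuts": 3, "window_minutes": 60},
    "strategies": [
        {"threshold": 0.70, "action": "docker_pause_all"},
        {"threshold": 0.85, "action": "vbox_revert_snapshot",
         "critical": True, "on_failure": "ssh_isolate_network"},
    ],
}

def select_strategy(node, entropy):
    """Highest threshold first; the first threshold <= entropy wins."""
    ordered = sorted(node["strategies"], key=lambda s: s["threshold"], reverse=True)
    for strat in ordered:
        if entropy >= strat["threshold"]:
            return strat
    return None  # entropy is below every configured threshold

def in_time_window(node, now):
    """True if `now` (local time) falls inside any window; no windows = always."""
    windows = node.get("time_windows") or []
    if not windows:
        return True
    t = now.time()
    return any(time.fromisoformat(w["start"]) <= t < time.fromisoformat(w["end"])
               for w in windows)

def rate_limited(node, cut_history, now):
    """True once max_cuts have already been made inside the rolling window."""
    rl = node.get("rate_limit")
    if not rl:
        return False
    cutoff = now - timedelta(minutes=rl["window_minutes"])
    return sum(1 for ts in cut_history if ts > cutoff) >= rl["max_cuts"]

def plan_cut(node, entropy, now, cut_history, primary_failed=False):
    """Return (action, reason); action is None when the cut is rejected."""
    strat = select_strategy(node, entropy)
    if strat is None:
        return None, "below all thresholds"
    if not in_time_window(node, now):
        return None, "outside time window"
    if rate_limited(node, cut_history, now):
        return None, "rate limit exceeded"
    if primary_failed:
        return strat.get("on_failure"), "fallback"
    return strat["action"], "primary"
```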
## Notifications

Configure notifications in a separate file (`atropos_notification.yaml`):

```yaml
enabled: true
email:
  smtp_host: "smtp.example.com"
  smtp_port: 587
  smtp_user: "alerts@example.com"
  smtp_password: "password"
  from: "atropos@example.com"
  to:
    - "admin@example.com"
    - "ops@example.com"
```

### Webhook

```yaml
enabled: true
webhook:
  url: "https://hooks.example.com/atropos"
  headers:
    Authorization: "Bearer token123"
  retries: 3
```

Set the config path via the environment:

```shell
ATROPOS_NOTIFICATIONS_CONFIG=/path/to/config.yaml ./atropos
```