Twistlock system custom rule IDs are not consistent - breaks policies during upgrades
Twistlock system custom rule IDs are not consistent between different installations. Some rules (especially the WAAS rules) appear in a different order, some are named differently, and some system custom rules exist only if they were installed with a particular version of PCC.
Here is a screenshot showing the custom rules that are created by the system. Note that there is a separate tab for the WAAS rules. System rules come from the vendor and often accompany a new release.
The bottom line is that you cannot depend on the system custom rule IDs being consistent when deploying policies. I have seen situations where the runtime IDs were incorrect and resulted in a bad policy.
Solution:
Don't use the system rules. Instead, clone them and use the clones in policies. Because the clones are user custom rules, their ID numbers (and every reference to them inside policies) need to be translated to the target environment's IDs at install time. I have already written code to do this as part of an effort to back up and restore runtime configurations between multiple environments.
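The translation step described above, as an added example (not the code mentioned in the post): it matches custom rules by name rather than ID, rewrites the references in an exported runtime policy, and refuses to carry over references to system rules or to rules missing from the target. The JSON shapes (`_id`/`name` on custom rules, a `customRules` list of `_id`/`action`/`effect` on policy rules) and the "user rule IDs start above 1000" threshold are assumptions modelled on the PCC API; the sample data is constructed.

```python
"""Translate custom-rule IDs in an exported runtime policy between two PCC installs."""
import copy


class RuleTranslationError(Exception):
    """Raised when a referenced rule cannot be resolved by name in the target."""


def build_name_index(custom_rules):
    """Map rule name -> id. Duplicate names would make the translation ambiguous."""
    index = {}
    for rule in custom_rules:
        if rule["name"] in index:
            raise RuleTranslationError(f"duplicate rule name in target: {rule['name']!r}")
        index[rule["name"]] = rule["_id"]
    return index


def translate_policy(policy, source_rules, target_rules, system_max_id=1000):
    """Return a copy of `policy` with every customRules[]._id mapped source -> target by name.

    IDs <= system_max_id are treated as vendor (system) rules and rejected, since the
    post recommends cloning them instead. The threshold is an assumption for this
    example, not a documented PCC constant.
    """
    src_name_by_id = {r["_id"]: r["name"] for r in source_rules}
    tgt_id_by_name = build_name_index(target_rules)
    out = copy.deepcopy(policy)  # never mutate the exported backup in place
    for rule in out.get("rules", []):
        for ref in rule.get("customRules", []):
            src_id = ref["_id"]
            if src_id <= system_max_id:
                raise RuleTranslationError(
                    f"policy rule {rule['name']!r} references system rule {src_id}; clone it first")
            name = src_name_by_id.get(src_id)
            if name is None:
                raise RuleTranslationError(f"source export has no custom rule with id {src_id}")
            if name not in tgt_id_by_name:
                raise RuleTranslationError(f"target has no custom rule named {name!r}; install it first")
            ref["_id"] = tgt_id_by_name[name]  # action/effect are kept, only the ID changes
    return out


# Constructed sample data: the same two cloned rules received swapped IDs in the target.
SOURCE_RULES = [{"_id": 1001, "name": "clone-waas-sqli"}, {"_id": 1002, "name": "block-netcat"}]
TARGET_RULES = [{"_id": 1002, "name": "clone-waas-sqli"}, {"_id": 1001, "name": "block-netcat"}]
POLICY = {"rules": [{"name": "prod-containers", "customRules": [
    {"_id": 1001, "action": "audit", "effect": "alert"},
    {"_id": 1002, "action": "incident", "effect": "prevent"}]}]}

if __name__ == "__main__":
    print(translate_policy(POLICY, SOURCE_RULES, TARGET_RULES))
```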
We should discuss this and Twistlock CaC in general further.