Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
ef827b2c69
commit
145721146e
35 changed files with 919 additions and 122 deletions
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: audit-network-connections
|
||||
annotations:
|
||||
security-tier: audit-baseline
|
||||
description: "Logs outound TCP connections at the kernel level."
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "tcp_connect"
|
||||
syscall: false
|
||||
args:
|
||||
- index: 0
|
||||
type: "sock"
|
||||
selectors:
|
||||
- matchArgs:
|
||||
- index: 0
|
||||
operator: "NotDAddr"
|
||||
values:
|
||||
- "127.0.0.1"
|
||||
- "::1"
|
||||
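Review bot: The loopback exclusion in the `NotDAddr` selector lists only the two exact addresses `127.0.0.1` and `::1`, so a connect to any other 127.0.0.0/8 address (a local stub resolver, for instance) is still recorded; if the deployed Tetragon version accepts CIDR values for the address operators, `- "127.0.0.0/8"` expresses the intent more completely and should be confirmed against its documentation. The description string also has a typo, `outound` for `outbound`. Since the selector carries no action, a comment above `selectors:` such as `# audit only: record every TCP connect except loopback; no enforcement action` would make the observe-only intent explicit to later readers.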
|
|
@ -0,0 +1,23 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: audit-process-execution
|
||||
annotations:
|
||||
security-tier: audit-baseline
|
||||
description: "Logs all process executions (sys_execve) for cluster-wide visibility."
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "sys_execve"
|
||||
syscall: true
|
||||
args:
|
||||
- index: 0
|
||||
type: "string"
|
||||
- index: 1
|
||||
type: "string_array"
|
||||
selectors:
|
||||
- matchPIDs:
|
||||
- operator: NotIn
|
||||
followForks: true
|
||||
isNamespacePID: true
|
||||
values:
|
||||
- 1
|
||||
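Review bot: The `matchPIDs` selector combines `NotIn`, `followForks: true` and `isNamespacePID: true` against the single value `1`, and nothing in the policy says what that is meant to exclude; in a PID namespace every process descends from PID 1, so depending on how Tetragon applies `followForks` to a `NotIn` set this may filter far more than the init process and is worth confirming on a live cluster before relying on the audit trail. A comment above the selector recording the intended effect, e.g. `# exclude namespace PID 1 (container init) — TODO confirm followForks does not also drop its descendants`, would capture that. The description claims to log all process executions, but hooking `sys_execve` alone does not observe `execveat`, so either add a second kprobe entry for it or narrow the description. Tetragon's built-in process_exec events already report each exec, so a comment stating what this kprobe adds beyond them (the argv array captured via `string_array`, presumably) would also help.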
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- audit-process-execution.yaml
|
||||
- audit-network-connections.yaml
|
||||
|
||||
commonAnnotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
|
|
@ -2,11 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- tracingpolicy-shell-spawn.yaml
|
||||
- tracingpolicy-network-connections.yaml
|
||||
- tracingpolicy-sensitive-binaries.yaml
|
||||
- tracingpolicy-privilege-escalation.yaml
|
||||
- tracingpolicy-sensitive-file-access.yaml
|
||||
- 10-audit-baseline
|
||||
# - 20-enforce-execution
|
||||
# - 30-enforce-fim
|
||||
# - 40-enforce-network
|
||||
# - 50-enforce-privilege
|
||||
|
||||
commonLabels:
|
||||
app.kubernetes.io/part-of: tetragon-policies
|
||||
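Review bot: Replacing the five `tracingpolicy-*.yaml` resources with `10-audit-baseline` drops detections the deleted policies provided — shell spawn and sensitive-binary execution via `security_bprm_check`, sensitive file opens via `security_file_open`, and `commit_creds` — while the baseline directory added in this commit carries only an execve and a tcp_connect probe; unless other files in this commit not shown here re-home those detections, that is a coverage regression until the commented-out `20-enforce-execution` through `50-enforce-privilege` entries are enabled. A comment above the commented entries stating the condition for uncommenting each tier, e.g. `# enforce tiers (20-50) intentionally disabled; record the rollout condition here`, would keep that decision visible in the manifest. The enclosing kustomization begins before this hunk (file line 1 is outside it).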
|
|
|
|||
|
|
@ -1,8 +0,0 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: detect-network-connections
|
||||
spec:
|
||||
tracepoints:
|
||||
- subsystem: tcp
|
||||
event: tcp_connect
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: detect-privilege-escalation
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "commit_creds"
|
||||
syscall: false
|
||||
return: true
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: detect-sensitive-binary-execution
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "security_bprm_check"
|
||||
syscall: false
|
||||
|
||||
selectors:
|
||||
- matchBinaries:
|
||||
- operator: In
|
||||
values:
|
||||
- /usr/bin/curl
|
||||
- /usr/bin/wget
|
||||
- /usr/bin/nc
|
||||
- /usr/bin/netcat
|
||||
- /usr/bin/nmap
|
||||
- /usr/bin/socat
|
||||
- /usr/bin/ssh
|
||||
- /usr/sbin/iptables
|
||||
- /usr/bin/apt
|
||||
- /usr/bin/apt-get
|
||||
|
||||
args:
|
||||
- index: 0
|
||||
type: string
|
||||
|
||||
return: true
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: detect-sensitive-file-access
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "security_file_open"
|
||||
syscall: false
|
||||
|
||||
selectors:
|
||||
- matchArgs:
|
||||
- index: 0
|
||||
operator: Prefix
|
||||
values:
|
||||
- /etc/shadow
|
||||
- /etc/passwd
|
||||
- /root
|
||||
- /proc/kcore
|
||||
- /var/run/secrets/kubernetes.io
|
||||
|
||||
args:
|
||||
- index: 0
|
||||
type: string
|
||||
|
||||
return: true
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: detect-shell-spawn
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "security_bprm_check"
|
||||
syscall: false
|
||||
|
||||
selectors:
|
||||
- matchBinaries:
|
||||
- operator: In
|
||||
values:
|
||||
- /bin/sh
|
||||
- /bin/bash
|
||||
- /bin/dash
|
||||
- /bin/ash
|
||||
- /busybox/sh
|
||||
|
||||
args:
|
||||
- index: 0
|
||||
type: string
|
||||
|
||||
return: true
|
||||