add tetragon policies
Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
baa0216960
commit
2671abc98c
8 changed files with 103 additions and 39 deletions
@ -20,4 +20,3 @@ spec:
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
@ -1,37 +0,0 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: block-tmp-execution
namespace: kube-system
spec:
podSelector:
matchExpressions:
- key: "io.kubernetes.pod.namespace"
operator: "NotIn"
values:
- kube-system
- kube-public
- kube-node-lease
- argocd
- kyverno
- cilium-ingress
- cilium-secrets
- cert-manager
- sealed-secrets
- nfs-subdir-external-provisioner
kprobes:
- call: "sys_execve"
syscall: true
args:
- index: 0
type: "string"
selectors:
- matchArgs:
- index: 0
operator: "Prefix"
values:
- "/tmp/"
- "/var/tmp/"
- "/dev/shm/"
matchActions:
- action: Sigkill
@ -2,4 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- block-tmp-execution.yaml
- tracingpolicy-shell-spawn.yaml
- tracingpolicy-network-connections.yaml
- tracingpolicy-sensitive-binaries.yaml
- tracingpolicy-privilege-escalation.yaml
- tracingpolicy-sensitive-file-access.yaml
commonLabels:
app.kubernetes.io/part-of: tetragon-policies
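Review bot: `commonLabels:` at the end of this hunk is the deprecated form in recent kustomize releases (v5 prints a deprecation warning and points to `labels`), and unlike `labels` it also injects the label into every selector it finds, which is not what a "part-of" grouping label is for. The equivalent non-deprecated stanza is `labels:` / `  - pairs:` / `      app.kubernetes.io/part-of: tetragon-policies`. Worth checking the kustomize version Argo CD bundles before switching, since very old versions only know `commonLabels`.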
@ -0,0 +1,8 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-network-connections
spec:
tracepoints:
- subsystem: tcp
event: tcp_connect
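Review bot: `subsystem: tcp` / `event: tcp_connect` names a tracepoint I do not believe mainline Linux exposes (the `tcp` subsystem carries events such as `tcp_retransmit_skb`, `tcp_destroy_sock` and `tcp_probe`; `tcp_connect` is a kernel function), so Tetragon is likely to reject this policy at load time — check with `grep '^tcp:' /sys/kernel/tracing/available_events` on a node and the agent log. Tetragon's own network examples hook `tcp_connect` as a kprobe with the first argument declared as `sock`, which is also what makes the event carry the destination address and port; as written, even a valid tracepoint would produce events with no connection details. Hooking every outbound connect cluster-wide is noisy, so once the `sock` argument is available consider a `matchArgs` on destination or a `matchBinaries` selector to scope it.
```yaml
spec:
  kprobes:
    - call: "tcp_connect"
      syscall: false
      args:
        - index: 0
          type: "sock"
```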
@ -0,0 +1,9 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-privilege-escalation
spec:
kprobes:
- call: "commit_creds"
syscall: false
return: true
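Review bot: The `commit_creds` kprobe declares no `args`, so every event only says "a task committed credentials" — that happens on every execve, setuid and login, and nothing in the event distinguishes a privilege raise from routine operation, which makes the `detect-privilege-escalation` name overclaim. Tetragon's privilege examples declare the first argument as `type: "cred"` so the event carries the new uid/euid and capability sets, which can then be narrowed with `matchArgs` or a `matchCapabilityChanges` selector; confirm the `cred` type is supported by the deployed Tetragon version. As far as I can tell `return: true` without a `returnArg` contributes nothing here (the function returns an int status), so either add `returnArg: {index: 0, type: int}` or drop the line.
```yaml
    - call: "commit_creds"
      syscall: false
      args:
        - index: 0
          type: "cred"
      # exec and setuid also commit creds: add a matchArgs /
      # matchCapabilityChanges selector before alerting on this
```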
@ -0,0 +1,29 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-sensitive-binary-execution
spec:
kprobes:
- call: "security_bprm_check"
syscall: false
selectors:
- matchBinaries:
- operator: In
values:
- /usr/bin/curl
- /usr/bin/wget
- /usr/bin/nc
- /usr/bin/netcat
- /usr/bin/nmap
- /usr/bin/socat
- /usr/bin/ssh
- /usr/sbin/iptables
- /usr/bin/apt
- /usr/bin/apt-get
args:
- index: 0
type: string
return: true
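Review bot: As I read Tetragon's selector semantics, `matchBinaries` filters on the binary of the process that reached the hook, and at `security_bprm_check` that is still the caller performing the execve — so this policy fires when curl, ssh or apt themselves exec something, not when a process execs curl. Tetragon's deny-exec example matches the target binary instead by declaring arg 0 as `linux_binprm` and using `matchArgs` on it; the current `type: string` for a `struct linux_binprm *` argument is unlikely to decode to anything usable. Exact-path matching also misses the same tools on images with merged `/usr` (the kernel may report `/bin/curl` as `/usr/bin/curl`) or when a copied binary lives elsewhere, so a `Postfix` match on the basename is more robust, and `return: true` with no `returnArg` adds nothing.
```yaml
    - call: "security_bprm_check"
      syscall: false
      args:
        - index: 0
          type: "linux_binprm"
      selectors:
        - matchArgs:
            - index: 0
              operator: Postfix
              values:
                - /curl
                - /wget
                - /nc
                - /netcat
                - /nmap
                - /socat
                - /ssh
                - /iptables
                - /apt
                - /apt-get
```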
@ -0,0 +1,25 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-sensitive-file-access
spec:
kprobes:
- call: "security_file_open"
syscall: false
selectors:
- matchArgs:
- index: 0
operator: Prefix
values:
- /etc/shadow
- /etc/passwd
- /root
- /proc/kcore
- /var/run/secrets/kubernetes.io
args:
- index: 0
type: string
return: true
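Review bot: `security_file_open` takes a `struct file *` as its first argument, so declaring it as `type: string` will not yield a path for `Prefix` to compare — Tetragon's file-access examples use `type: "file"`, which decodes to the opened path. Two prefixes are broader than they look: `/root` also matches `/rootfs` and any other path starting with those letters (use `/root/`), and `/etc/passwd` is read by nearly every process that resolves a user name, so that entry will dominate the event stream unless it gets its own narrower selector. This is a cluster-scoped TracingPolicy with no `podSelector`, so it also fires for kube-system and the other namespaces the removed block-tmp-execution policy explicitly excluded — worth confirming that is intended. `return: true` without a `returnArg` adds nothing here.
```yaml
      args:
        - index: 0
          type: "file"
      selectors:
        - matchArgs:
            - index: 0
              operator: Prefix
              values:
                - /etc/shadow
                - /etc/passwd
                - /root/
                - /proc/kcore
                - /var/run/secrets/kubernetes.io
```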
24
platform/tetragon/policies/tracingpolicy-shell-spawn.yaml
Normal file
@ -0,0 +1,24 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-shell-spawn
spec:
kprobes:
- call: "security_bprm_check"
syscall: false
selectors:
- matchBinaries:
- operator: In
values:
- /bin/sh
- /bin/bash
- /bin/dash
- /bin/ash
- /busybox/sh
args:
- index: 0
type: string
return: true
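Review bot: The `matchBinaries` selector here has the same inversion as the sensitive-binaries policy: as I read Tetragon, it filters on the binary of the process that hit `security_bprm_check`, which during execve is still the parent, so the policy reports shells that exec something rather than processes that spawn a shell. To match the target of the exec, declare arg 0 as `linux_binprm` (the `type: string` currently given for a `struct linux_binprm *` is unlikely to decode) and match on it with `matchArgs`. Exact paths are also fragile for shells: on merged-`/usr` images the kernel may report `/bin/bash` as `/usr/bin/bash`, so none of the `/bin/*` entries would ever match; a `Postfix` match on the basename covers both layouts and `/busybox/sh`. `return: true` without a `returnArg` adds nothing here.
```yaml
    - call: "security_bprm_check"
      syscall: false
      args:
        - index: 0
          type: "linux_binprm"
      selectors:
        - matchArgs:
            - index: 0
              operator: Postfix
              values:
                - /sh
                - /bash
                - /dash
                - /ash
```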