chore: addressed review comments
swarit-pandey committed Sep 9, 2024
1 parent f16f5f4 commit 6d868e3
Showing 1 changed file with 36 additions and 14 deletions.
50 changes: 36 additions & 14 deletions README.md
@@ -1,4 +1,4 @@
# CI/CD Security by AccuKnox
# Monitor & Audit CI/CD pipelines

![](./assets/ak-logo-light-back.png)

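Review bot: the new title `# Monitor & Audit CI/CD pipelines` drops the product name, but the unchanged intro text further down still calls the action "the CI/CD Scan by AccuKnox" while the workflow step in this same commit is renamed to "AccuKnox CI/CD Monitor"; pick one name for the action and use it in the title, the intro sentence and the usage snippets so a reader does not wonder whether "Scan" and "Monitor" are two different things.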
@@ -21,6 +21,12 @@ assessment, monitoring, and protection capabilities, it enables you to:
- Gain real-time visibility into your pipeline's security posture
- Streamline the integration of security practices into your DevOps workflow

Ensure application best practices by:

- Applying app hardening policies and checking whether it deviates during GH workflow execution.
- Identifying if there are any unknown processes spawning during CI/CD workflow execution.
- Identifying if any unwanted network connections are started in the pipeline.

In today's fast-paced software development landscape, where operational efficiency
is paramount, the CI/CD Scan by AccuKnox empowers DevSecOps teams to deploy with confidence.

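Review bot: in the added list, "checking whether it deviates during GH workflow execution" has no antecedent for "it"; say what is compared against what, for example "checking whether the workflow's process and file activity deviates from the applied hardening policies". Expand "GH" to "GitHub" to match the rest of the README, and note that the sentence two lines below still reads "the CI/CD Scan by AccuKnox" although this commit renames the action to "CI/CD Monitor" elsewhere.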
@@ -32,7 +38,7 @@ for enforcing the security policies either in block or audit mode.

To learn more about KubeArmor please visit, https://kubearmor.io/

We install KubeArmor in systemd mode in the GitHub runner and that lets us watch over
This action installs KubeArmor in systemd mode in the GitHub runner and watches over
the events and enforce security policies safely.

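Review bot: "watches over the events and enforce security policies safely" mixes number; it should read "watches over the events and enforces security policies". "Safely" is also vague given that this README offers both Audit and Block as the policy action: in Audit mode nothing is enforced, and in Block mode a matching event is denied inside the runner. Say that directly, e.g. "watches the runner's events and, depending on `policy_action`, audits or blocks policy violations".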
## Features
@@ -67,20 +73,34 @@ Here is an example of a security policy
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
name: hsp-kubearmor-dev-proc-path-block
name: hsp-create-account-create-local-account
spec:
nodeSelector:
matchLabels:
kubearmor.io/hostname: "*" # Apply to all hosts
kubearmor.io/hostname: "*" # this is typically replaced by the hostname of your system
message: Notification! User and password added/modified
file:
action: Audit
matchPaths:
- path: /etc/passwd
- path: /etc/shadow
severity: 3
process:
action: Audit
matchPaths:
- path: /usr/bin/sleep # try sleep 1
action:
Block
- path: /bin/useradd
- path: /bin/adduser
severity: 3
tags:
- MITRE
- T1136.001
```
Please make sure that in `kind` field you set `KubeArmorHostPolicy`.
The above policy will block the `sleep` call. To read more about how KubeArmorHost
As it can be seen in the above policy has Audit action defined for `file` and `process`
events, any accesses made to the given paths under the `matchPaths` field would generate
an 'Audit' alert from the system that you will be able to see in the report generated by this action.

Please make sure that in `kind` field you set `KubeArmorHostPolicy`. To read more about how KubeArmorHost
policies are written and designed please take a look at this: [KubeArmor policy spec for nodes/VMs](https://docs.kubearmor.io/kubearmor/documentation/host_security_policy_specification)

### 3) Process tree and behaviour
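Review bot: the process rule's `/bin/useradd` and `/bin/adduser` paths are unlikely to match on Debian/Ubuntu-based runners, where both binaries live under `/usr/sbin` (with `/sbin` symlinked to it on merged-/usr images), so the process Audit in this example would never fire; verify with `command -v useradd` on the runner and use the resolved path. Two smaller points in the same hunk: the file rule audits every access to `/etc/passwd`, which nearly every process reads through NSS lookups, so the report will be noisy unless the rule is limited to writes (the host policy spec's `readOnly` flag); and the comment on `kubearmor.io/hostname: "*"` saying it "is typically replaced by the hostname of your system" contradicts this use case, since a hosted runner's hostname is ephemeral and the wildcard is what you want. Finally, "As it can be seen in the above policy has Audit action defined" is ungrammatical; "As can be seen, the above policy has the Audit action defined for `file` and `process` events, so any access to a path listed under `matchPaths` generates an Audit alert" reads cleanly.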
@@ -102,14 +122,14 @@ protocol, process making the network call and the name of the process itself.
For example:
![](./network_example_1.png)

<em>We will also support standard network policies in the coming realeases.</em>
<em>Support for network policies in coming releases.</em>

## Usage
The usage is as simple as <em>Plug-and-Play</em>, you only have to include the following
lines in your GitHub workflow and you are all set to go.

```yaml
- name: AccuKnox CI/CD scan
- name: AccuKnox CI/CD Monitor
uses: accuknox/report-action@v0
```

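Review bot: `uses: accuknox/report-action@v0` pins a mutable tag; for an action that installs a host-level agent and applies policies on the runner, the usage snippet should show a full commit SHA (with the tag in a trailing comment) so a moved tag cannot silently change what runs in users' pipelines. Also, the rewritten note "Support for network policies in coming releases." is a sentence fragment; "Support for network policies is planned for a coming release." keeps the meaning and fixes the old "realeases" typo in passing.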
@@ -125,7 +145,7 @@ currently provide the following options
| ----------------- | ------- | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
| All | True | `bool` | No | All will lets system collect all the logs from KubeArmor which in turn collects all the events taking place in the runner | `all: false` |
| System | False | `bool` | No | This will only collect system events that includes network and process events | `system: false` |
| KubeArmor version | Latest | `string` | No | You can set the specific [release](https://github.com/kubearmor/KubeArmor/releases) version of KubeArmor | `kubearmor_version: '1.3.8'` |
| KubeArmor version | Latest | `string` | No | You can set the specific [release version](https://github.com/kubearmor/KubeArmor/releases) of KubeArmor | `kubearmor_version: '1.3.8'` |
| Knoxctl version | Latest | `string` | No | This lets you set a specific [release version](https://github.com/accuknox/knoxctl-website/releases) for knoxctl (knoxctl is the tool that parses and scans the CI/CD environment) | `knoxctl_version: '0.5.1'` |
| Policy Action | Audit | `string` | No | You can set the policy action to either Audit or Block | `policy_action: block` |
| Dryrun | False | `bool` | No | Setting dryrun to true will not apply any policy but save it as asset which can be downloaded | `dryrun: true` |
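Review bot: the `All` row in this table still reads "All will lets system collect all the logs", which should be "Setting `all: true` lets the system collect all KubeArmor logs". In the same table `policy_action` is documented as "Audit or Block" while the example column uses lowercase `block` (unquoted here, `"block"` in the later example); state whether the value is case-insensitive and use one spelling and one quoting style in every example.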
@@ -138,8 +158,9 @@ currently provide the following options
Few examples on how you can use the options given

#### Running scan in dryrun mode with a specific knoxctl and KubeArmor version

```yaml
- name: AccuKnox CI/CD scan
- name: AccuKnox CI/CD Monitor
uses: accuknox/report-action@v0
with:
kubearmor_version: '1.3.8'
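Review bot: "Few examples on how you can use the options given" reads as "hardly any examples"; "A few examples of how to use the options" is what is meant. Since the table above says both version inputs default to "Latest", this dryrun example would benefit from one sentence on why a user would pin `kubearmor_version` and `knoxctl_version` (reproducible results across runs), which is the point the example is making.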
@@ -151,8 +172,9 @@ With the above configuration the policies will not be applied on your system, an
policy based alerts will be generated.

#### Applying policies in block mode

```yaml
- name: AccuKnox CI/CD scan
- name: AccuKnox CI/CD Monitor
uses: accuknox/report-action@v0
with:
policy_action: "block"
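Review bot: the block-mode example is the one that can change job outcomes, yet the surrounding text only explains (for dryrun) that policies are not applied; add a sentence under this example stating what happens to the workflow step when a `Block` policy matches, so users know to validate a policy in Audit mode before switching to `block`. The value is also written `"block"` here but `block` in the options table; use one form.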
