forked from open-cluster-management-io/policy-collection
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathpolicy-falco-auditing.yaml
102 lines (101 loc) · 4.54 KB
/
policy-falco-auditing.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
# This policy enables forwarding audit events from the OpenShift kubernetes API
# server to a webserver (this is intended to send to a falco agent).
# Note that this makes changes to the kubernetes api server
# that are unsupported so review the implications of this policy before using it.
#
# SETUP: Perform each of these steps to setup this policy for your environment.
# 1. Set remediationAction to "enforce" to configure audit log forwarding.
# 2. Change the placement rule and the namespace selector to match where falco is deployed
# This is only usable on OpenShift 4.x clusters with falco.
# 3. Update the base64 encoded file contents in the MachineConfig object. The procedure
# to complete this is:
# - Run: echo '<encoded-value>' | base64 --decode > webhook-config.yaml
# - Edit the file webhook-config.yaml and change the URL so the hostname api.cluster.dev.mydomain.com
# matches the hostname returned by: oc cluster-info
# - Re-encode the file: cat webhook-config.yaml | base64
# - Update the policy with this new encoded value.
# - Recognize this must be done separately for each cluster you want to configure falco audit
# processing on. This is not required for processing falco rules, it is only needed on
# OpenShift clusters where you want to process the falco auditing rules.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-falco-auditing
annotations:
policy.open-cluster-management.io/standards: NIST 800-53
policy.open-cluster-management.io/categories: CM Configuration Management
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
remediationAction: inform
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-falco-auditing
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: low
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: master
name: masters-audit-configuration
spec:
config:
ignition:
version: 3.2.0
storage:
files:
- contents:
source: data:text/plain;charset=utf-8;base64,YXBpVmVyc2lvbjogdjEKa2luZDogQ29uZmlnCmNsdXN0ZXJzOgotIG5hbWU6IGZhbGNvCiAgY2x1c3RlcjoKICAgICMgY2VydGlmaWNhdGUtYXV0aG9yaXR5OiAvcGF0aC90by9jYS5jcnQgIyBmb3IgaHR0cHMKICAgIHNlcnZlcjogaHR0cDovL2FwaS5jbHVzdGVyLmRldi5teWRvbWFpbi5jb206MzI3NjUvazhzLWF1ZGl0CmNvbnRleHRzOgotIGNvbnRleHQ6CiAgICBjbHVzdGVyOiBmYWxjbwogICAgdXNlcjogIiIKICBuYW1lOiBkZWZhdWx0LWNvbnRleHQKY3VycmVudC1jb250ZXh0OiBkZWZhdWx0LWNvbnRleHQKcHJlZmVyZW5jZXM6IHt9CnVzZXJzOiBbXQo=
filesystem: root
mode: 384
path: /var/log/kube-apiserver/webhook-config.yaml
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-falco-auditing-k8sapiserver
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: low
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: operator.openshift.io/v1
kind: KubeAPIServer
metadata:
name: cluster
spec:
unsupportedConfigOverrides:
apiServerArguments:
audit-webhook-config-file:
- /var/log/kube-apiserver/webhook-config.yaml
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-policy-falco-auditing
placementRef:
name: placement-policy-falco-auditing
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: policy-falco-auditing
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-policy-falco-auditing
spec:
clusterSelector:
matchExpressions:
- {key: environment, operator: In, values: ["dev"]}