add support for crown jewel policies #739
base: crown-jewel
```go
if CrownjewelCronJob != nil {
	log.Info().Msg("Got a signal to terminate the auto system policy discovery")

CrownjewelStopChan = make(chan struct{})
```
I can see this channel also getting initialized through init, can you explain the flow here?
```go
for _, pod := range podList.Items {
	for _, container := range pod.Spec.Containers {
		sumResp, err := obs.GetSummaryData(&opb.Request{
			PodName: pod.Name,
```
Why are we using pod name?
And how are mount paths from observability data utilized?
Why are we using pod name?
We are checking the resource to be pods (instead of deployment/statefulset etc.) because pod labels contain all the labels for that resource, which might be missing in other workloads (say a statefulset, for example).
Below is an example of a vault statefulset:
```
Pod Labels:
Labels: app.kubernetes.io/instance=vault
        app.kubernetes.io/name=vault
        component=server
        controller-revision-hash=vault-5f4c59685d
        helm.sh/chart=vault-0.24.1
        statefulset.kubernetes.io/pod-name=vault-0

Statefulset labels:
Labels: app.kubernetes.io/instance=vault
        app.kubernetes.io/name=vault
        component=server
        helm.sh/chart=vault-0.24.1
```
And how are mount paths from observability data utilized?
PTAL at #739 (comment), if anything is unclear please comment.
The code implementation can be summarized as below:
All the required info about the mount points which are mounted and actually being used is used to create a crown jewel policy using the getCrownjewelPolicy() func.
The logic for updating the crown jewel policies in the DB is the same as for the other system policies.
Add support for generating lenient policies protecting sensitive assets (mount points here) Signed-off-by: Ankur Kothiwal <ankur.kothiwal99@gmail.com>
…rosegmented policies
Description
Add support for generating lenient policies protecting sensitive assets (mount points here)
Problem
Currently we discover least-permissive security policies using the Discovery Engine. Ideally these policies are designed to give us a zero-trust security posture by allowing only the binaries which are essential for running a particular application. But the issue with these types of policies is that it is very difficult to create an exhaustive policy which contains all the necessary allowed binaries. If we miss even a single important binary, in the worst case that causes the whole application to crash.
Solution
The aim of this PR is to identify the crown jewels, i.e. the list of important assets which, when protected, give us a fairly good security posture for the whole application.
PR changes
This PR identifies the paths mounted by an application and checks whether they are actually being used. We then create a "Crown-jewel" lenient policy which allows access to a particular mount path only by a particular binary, based on the actual usage, and denies access from others.
Example of a Crown jewel policy:
Here in the above policy, access to the dir `/home/vault/` is only allowed by `/bin/sh`, and `/vault/data/` only by `/bin/vault`. The other mount path `/vault/config/` is not being used, so it's set to `Block`. As Vault uses an Alpine image, we see the process `/bin/busybox` being used (it will be a symlink to the system packages). ref: #715
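The mount-usage logic the description walks through, as an added illustration that is not the PR's getCrownjewelPolicy() nor any other code from the project: a hypothetical BuildCrownJewelRules emits one Allow rule per mount path restricted to the binaries observed using it, and a Block rule for mounts with no observed access. MountUsage is an assumed input shape standing in for the observability summary, and the Vault sample at the bottom is constructed from the description above.

```go
package main

import "sort"
// MountUsage: constructed stand-in for an observability summary of one mount.
type MountUsage struct {
	Path      string
	Processes []string // binaries observed accessing Path
}
// FileRule is one directory entry of the lenient crown jewel policy.
type FileRule struct {
	Dir       string
	Action    string   // "Allow" (used mount) or "Block" (unused mount)
	FromProcs []string // binaries allowed to access Dir; empty for Block
}
// BuildCrownJewelRules allows each mount only from the binaries seen using it
// and blocks mounts with no observed access; events on non-mount paths are
// ignored, since only mount points are treated as crown jewels.
func BuildCrownJewelRules(mounts []string, usage []MountUsage) []FileRule {
	seen := map[string]map[string]struct{}{}
	for _, u := range usage {
		if seen[u.Path] == nil {
			seen[u.Path] = map[string]struct{}{}
		}
		for _, p := range u.Processes {
			seen[u.Path][p] = struct{}{}
		}
	}
	rules := make([]FileRule, 0, len(mounts))
	for _, dir := range mounts {
		procs := seen[dir]
		if len(procs) == 0 {
			rules = append(rules, FileRule{Dir: dir, Action: "Block"})
			continue
		}
		from := make([]string, 0, len(procs))
		for p := range procs {
			from = append(from, p)
		}
		sort.Strings(from) // deterministic order keeps policy diffs readable
		rules = append(rules, FileRule{Dir: dir, Action: "Allow", FromProcs: from})
	}
	return rules
}

// Constructed sample mirroring the Vault example in the PR description.
var SampleMounts = []string{"/home/vault/", "/vault/data/", "/vault/config/"}
var SampleUsage = []MountUsage{
	{Path: "/home/vault/", Processes: []string{"/bin/sh"}},
	{Path: "/vault/data/", Processes: []string{"/bin/vault"}},
	{Path: "/tmp/", Processes: []string{"/bin/busybox"}}, // not a mount: ignored
}
```

Running BuildCrownJewelRules on the sample yields Allow for `/home/vault/` (from `/bin/sh`) and `/vault/data/` (from `/bin/vault`), and Block for the unused `/vault/config/`.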