feat: add a default syscall_config.yaml file (#73)

## Summary Lacework now supports syscall monitoring. From the work done in https://github.com/lacework/terraform-aws-ssm-agent/pull/46/files, I created the required syscall_config.yaml file in the EKS DaemonSet. ## How did you test this change? The change got tested in our development environment. ## Issue A new syscall_config.yaml file is required by the Lacework agent. This is a naive first implementation.
lacework · Aug 7, 2023 · 6cecea5 · 6cecea5
1 parent 3c95a1e
commit 6cecea5
Show file tree

Hide file tree

Showing 7 changed files with 114 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -49,6 +49,7 @@ The `main.tf` file will configure a Kubernetes Secret and DaemonSet which will t
 | <a name="input_lacework_access_token"></a> [lacework\_access\_token](#input\_lacework\_access\_token) | The access token for the Lacework agent | `string` | n/a | yes |
 | <a name="input_lacework_agent_autoupgrade"></a> [lacework\_agent\_autoupgrade](#input\_lacework\_agent\_autoupgrade) | Boolean value to control whether or not the agent should automatically upgrade to newer versions when available | `bool` | `true` | no |
 | <a name="input_lacework_agent_configuration"></a> [lacework\_agent\_configuration](#input\_lacework\_agent\_configuration) | A map/dictionary of configuration parameters for the Lacework datacollector | `any` | `{}` | no |
+| <a name="input_lacework_enable_default_syscall_config"></a> [lacework\_enable\_default\_syscall\_config](#input\_lacework\_enable\_default\_syscall\_config) | A flag to enable the default syscall config | `bool` | `false` | no |
 | <a name="input_lacework_agent_interface_connection_size"></a> [lacework\_agent\_interface\_connection\_size](#input\_lacework\_agent\_interface\_connection\_size) | Desired value for the InterfaceConnectionSize Lacework agent parameter | `string` | `""` | no |
 | <a name="input_lacework_agent_log_stdout"></a> [lacework\_agent\_log\_stdout](#input\_lacework\_agent\_log\_stdout) | Enable Lacework agent stdout logging. | `bool` | `true` | no |
 | <a name="input_lacework_agent_name"></a> [lacework\_agent\_name](#input\_lacework\_agent\_name) | The name for the Lacework agent service within Kubernetes | `string` | `"lacework-agent"` | no |

diff --git a/examples/with-syscall-config/README.md b/examples/with-syscall-config/README.md
@@ -0,0 +1,25 @@
+# Enable default syscall config
+
+This example shows how to use the Terraform Provider for Lacework to create
+a new Lacework Agent Token and use it to generate a Kubernetes DaemonSet and
+Secret configuration for deploying the Lacework Datacollector Agent. In this
+specific example, we enable the default syscall config.
+
+```hcl
+provider "kubernetes" {}
+
+provider "lacework" {}
+
+resource "lacework_agent_access_token" "k8s" {
+  name        = "prod"
+  description = "k8s deployment for production env"
+}
+
+module "lacework_k8s_datacollector" {
+  source  = "lacework/agent/kubernetes"
+  version = "~> 2.0"
+
+  lacework_access_token                  = lacework_agent_access_token.k8s.token
+  lacework_enable_default_syscall_config = true
+}
+```
diff --git a/examples/with-syscall-config/main.tf b/examples/with-syscall-config/main.tf
@@ -0,0 +1,15 @@
+provider "kubernetes" {}
+
+provider "lacework" {}
+
+resource "lacework_agent_access_token" "k8s" {
+  name        = "prod"
+  description = "k8s deployment for production env"
+}
+
+module "lacework_k8s_datacollector" {
+  source = "../../"
+
+  lacework_access_token                  = lacework_agent_access_token.k8s.token
+  lacework_enable_default_syscall_config = true
+}
diff --git a/examples/with-syscall-config/versions.tf b/examples/with-syscall-config/versions.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_version = ">= 0.15"
+
+  required_providers {
+    kubernetes = "~> 2.2"
+    lacework = {
+      source  = "lacework/lacework"
+      version = "~> 1.0"
+    }
+  }
+}
diff --git a/lacework_node.tf b/lacework_node.tf
@@ -9,15 +9,19 @@ locals {
     lacework_proxy_url                       = var.lacework_proxy_url
     lacework_server_url                      = var.lacework_server_url
   })
+  node_syscall_config_data  = file("${path.module}/syscall_config.yaml")
   lacework_agent_log_stdout = var.lacework_agent_log_stdout ? "yes" : ""
   node_config_name          = "${var.lacework_config_name}-${random_id.node_config_name_tail.hex}"
   merged_node_config        = jsonencode(merge(jsondecode(local.node_config_data), var.lacework_agent_configuration))
+
+  # A list we can iterate on in our dynamic statement to mount config files
+  config_items = var.lacework_enable_default_syscall_config ? ["config.json", "syscall_config.yaml"] : ["config.json"]
 }
 
 resource "random_id" "node_config_name_tail" {
   byte_length = 8
   keepers = {
-    data = local.merged_node_config
+    data = var.lacework_enable_default_syscall_config ? "${local.merged_node_config}${local.node_syscall_config_data}" : local.merged_node_config
   }
 }
 
@@ -47,7 +51,10 @@ resource "kubernetes_secret" "lacework_config" {
     }
   }
 
-  data = {
+  data = var.lacework_enable_default_syscall_config ? {
+    "config.json"         = local.merged_node_config
+    "syscall_config.yaml" = local.node_syscall_config_data
+    } : {
     "config.json" = local.merged_node_config
   }
 }
@@ -264,9 +271,14 @@ resource "kubernetes_daemonset" "lacework_datacollector" {
           name = "config"
           secret {
             secret_name = local.node_config_name
-            items {
-              key  = "config.json"
-              path = "config.json"
+
+            dynamic "items" {
+              for_each = toset(local.config_items)
+
+              content {
+                key  = items.key
+                path = items.key
+              }
             }
           }
         }

diff --git a/syscall_config.yaml b/syscall_config.yaml
@@ -0,0 +1,39 @@
+etype.exec:
+  group-by:
+    - none
+etype.initmod:
+  group-by:
+    - none
+etype.finitmod:
+  group-by:
+    - none
+etype.file:
+  send-if-matches:
+    user-authorized-keys:
+      watchpath: /home/*/.ssh/authorized_keys
+      watchfor: create, modify
+    root-authorized-keys:
+      watchpath: /root/.ssh/authorized_keys
+      watchfor: create, modify
+    cronfiles:
+      watchpath: /etc/cron*
+      depth: 2
+    systemd:
+      watchpath: /etc/systemd/*
+      depth: 2
+    boot-initd:
+      watchpath: /etc/init.d/*
+      depth: 2
+    boot-rc:
+      watchpath: /etc/rc*
+      depth: 2
+    shadow-file:
+      watchpath: /etc/shadow*
+    watchlacework:
+      watchpath: /var/lib/lacework
+      depth: 2
+    watchpasswd:
+      watchpath: /etc/passwd
+    watchsshconfig:
+      watchpath: /etc/ssh/sshd_config
+      watchfor: create, modify
diff --git a/variables.tf b/variables.tf
@@ -39,6 +39,12 @@ variable "lacework_agent_configuration" {
   default     = {}
 }
 
+variable "lacework_enable_default_syscall_config" {
+  type        = bool
+  default     = false
+  description = "A flag to enable the default syscall config"
+}
+
 variable "lacework_cluster_configuration" {
   type        = map(any)
   description = "A map/dictionary of configuration parameters for the Lacework K8s collector"