mateobur

#!/bin/bash

#MINSIZE default ~ 100 MB
MINSIZE=102400

find / -type f -size +"$MINSIZE"k -exec du -sh {} \; 2>/dev/null | sort -rh

mateobur

$ kubectl describe service result
Name:              result
Namespace:         example-voting-app
Labels:            name=result
Annotations:       <none>
Selector:          app=example-voting-app,name=result,role=resultapp
Type:              ClusterIP
IP:                172.30.225.249
Port:              <unset>  80/TCP
TargetPort:        80/TCP

mateobur

$ kubectl describe pod db-6b8968c69-dq2v2
Name:               db-6b8968c69-dq2v2
Namespace:          example-voting-app
Node:               ip-10-0-0-12.ec2.internal/10.0.0.12
Controlled By:      ReplicaSet/db-6b8968c69
Labels:             app=example-voting-app
                    name=db
                    pod-template-hash=264524725
                    role=sqldb
IP:                 10.129.0.140

mateobur

{
  "id": "520c9307e00f8001968de85c60e7a2f92d14cfa975d3f0ed13ed80bf2de64834",
  "name": "/kubepods/besteffort/pod5c793840-3b87-11e9-b115-080027a63b2e/520c9307e00f8001968de85c60e7a2f92d14cfa975d3f0ed13ed80bf2de64834",
  "aliases": [
    "k8s_falco_falco-daemonset-cnjl5_default_5c793840-3b87-11e9-b115-080027a63b2e_3",
    "520c9307e00f8001968de85c60e7a2f92d14cfa975d3f0ed13ed80bf2de64834"
  ],
  "namespace": "docker",
  "spec": {
    "creation_time": "2019-02-28T20:05:53.28609329Z",

mateobur

Anchore engine policy validator is now installed.

Create a validating webhook resources to start enforcement:

KUBE_CA=$(kubectl config view --minify=true --flatten -o json | jq '.clusters[0].cluster."certificate-authority-data"' -r)
cat > validating-webook.yaml <<EOF
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: analysis-anchore-policy-validator.admission.anchore.io

mateobur

H4sIAIP0NVsAA+w9a3PjxpH7Wb9isq7EpIpvSlRqdRtHK9G7irmSStLa8e1toSBgQCICARQGICVv
/D0f46rzXdVV5c/ll1z3PIABCBKQrFXsWLMqCejp7unpme7peWEXnunftucmi2nUffZpUg/S3t4u
/u3v7fb0vyo96w+H/d3h3qA/2nnW6w92e8NnZPcTyZNLCYvNiJBnczOmwQa8qvxfaFro7c9fOtZD
l4ENPMJ2LW3/4ai3g+3f6/f7o/7ezgDaf7i3N3hGeg8tSFn6lbd/d5tskW3yaZLk/M//+Rv+/Pi/
+rMOzODpD8BzL2so0+dCUT/ozzowA//3P3/8O/4U2GbMM/of/29FKiT/x50LLVbyh4zbSgE/kKxc
rcxUqeuEqlXbTDydj0aqgXmpaS8pF2pN/XIcVzWzwuuHgjbTromYogL4848iIMtRcA2lDJbyIVrm
HS2BY0+OjLPz8eT04IhEQRBfuzFxgojc/H7Uwl/GaKdFTN8mB+dviRlZMzemVpxElHFqK5iHHo0p
WbrxjExdm1yZjNokjAKLMkZmru3601aJXDdmHEcS23E9ugHVp/EyiK5JGETxBjTTj922TVE+N/Bb
6v0qKcUOacRcGDT8mLg+uFDPMzlZCSq9odaCYl3noAlWhnJ28JY0GJt1mROHTaiWdW0HQVQqpmXR
MG40ycXFpBt6puvH9CbeSEJNdtuOg3bCaE5YwqzIDeMyEte3Imq7V94tNOsVjBEgvu+40yTilOs6

mateobur

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: redis
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"

mateobur

apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus-deployment
  labels:
    app: prometheus
    purpose: example
spec:
  replicas: 2
  selector:

mateobur

- macro: nginx_consider_syscalls
  condition: (evt.num < 0)

- macro: app_nginx
  condition: container and container.image contains "nginx"

# Any outbound traffic raises a WARNING

- rule: Unauthorized process opened an outbound connection (nginx)
  desc: A nginx process tried to open an outbound connection and is not whitelisted

mateobur

{
	"timestamp": 1518849360000000,
	"timespan": 60000000,
	"alert": {
		"severity": 4,
		"editUrl": null,
		"scope": null,
		"name": "Policy 59: FILE POLICY: Read sensitive file untrusted",
		"description": "an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.",
		"id": null