Skip to content

Instantly share code, notes, and snippets.

View nyrahul's full-sized avatar
🐞

Rahul Jadhav nyrahul

🐞
107 followers · 20 following
  • AccuKnox
View GitHub Profile
@nyrahul
nyrahul / perms.sh
Created November 11, 2024 10:45
Fix permissions
kubectl exec -it -n accuknox-divy deployments/uwsgi -- python3 manage.py shell -c "from source.models.roles import Role
from tenant.models import Permission,Client, VisiblePermissions
from django_tenants.utils import schema_context
for client in Client.objects.exclude(schema_name__in=['root']):
with schema_context(client.schema_name):
print(client.schema_name)
admin_role = Role.objects.get(name='Admin')
for permission in Permission.objects.all():
@nyrahul
nyrahul / notes.md
Last active October 22, 2024 03:19
DragonFly Security Review Notes

DragonFly Security Review Notes

Joint Security Assessment Document

Finding: Dragonfly needs HostIPC, HostPID, HostNetwork access
Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.
@nyrahul
nyrahul / check-job-status.sh
Last active August 4, 2024 04:46
Check cluster kueue job status
# Show all workloads/jobs
kubectl get workload -A -o json | jq '.items[] | "\(.metadata.namespace) \(.metadata.name) \(.status.conditions[-1].type)"'
# Show Admitted workloads/jobs
kubectl get workload -A -o json | jq -c '.items[] | select(.status.conditions[-1].type == "Admitted") | [.metadata.namespace,.metadata.name]'
# Get all jobs across all namespaces in Pending state ... AccuKnox executes the jobs in init containers
kubectl get pods -A --selector job-type=accuknox-jobs --field-selector=status.phase==Pending
# list k8s-jobs queue
@nyrahul
nyrahul / clam.sh
Last active April 15, 2024 07:47
clamav scan
#!/bin/bash
# Update scan database
sudo freshclam --datadir=$PWD/clamdb --foreground
# Run the scan on the given folder path
docker run \
-it --rm \
--mount type=bind,source=$PWD/env,target=/scandir \
-v $PWD/clamdb:/clamdb \
@nyrahul
nyrahul / artifact api.sh
Last active August 5, 2024 18:43
AccuKnox Artifact API
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy image -f json -o results.json --timeout 3600s nginx:latest
curl --location 'https://cspm.demo.accuknox.com/api/v1/artifact/?tenant_id=2618&data_type=TR&save_to_s3=True&label_id=testknox' --header 'Tenant-Id: 2618' --header 'Authorization: Bearer <TOKEN>' --form 'file=@"results.json"'
# Sonar qube scanner
sonar-scanner -Dsonar.token=<SQ-TOKEN> -Dsonar.projectKey=nimbus -Dsonar.analysis.mode=preview -Dsonar.report.export.path=sonar-report.json
curl -u <SQ-TOKEN>: 'http://35.188.10.229:9000/api/issues/search?components=nimbus' -o sonar-report.json
curl --location 'https://cspm.demo.accuknox.com/api/v1/artifact/?tenant_id=2509&data_type=SQ&save_to_s3=True&label_id=SAST' --header 'Tenant-Id: 2509' --header 'Authorization: Bearer <ARTIFACT-TOKEN>' --form 'file=@"sonar-report.json"'
@nyrahul
nyrahul / ai-security-bookmarks.md
Last active August 5, 2024 13:26
AI Security bookmarks

Public sources

Title Type Date Comment
AI-Exploits code A collection of real world AI/ML exploits for responsibly disclosed vulnerabilities
LLM-Guard code The Security Toolkit for LLM Interactions
Garak code LLM vulnerability scanner
NIST AI RMF Playbook doc NST AI RM Playbook
MITRE ATLAS doc Adversarial Threat Landscape for AI Systems
NIST AI 100-2e2023 doc Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations
@nyrahul
nyrahul / prevent-crypto-miners.yaml
Last active March 22, 2024 10:20
KubeArmor policy template for preventing crypto miners execution
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: prevent-crypto-miners
spec:
selector:
matchLabels:
app: wordpress
action: Block
@nyrahul
nyrahul / tenant-status.py
Last active May 30, 2024 10:18
CSPM get tenant status
-----
# exec into any celery pod
# python3 manage.py shell
# Cut paste below code and execute
# kubectl exec -n accuknox-divy deployments/uwsgi -- python3 manage.py generate_report > report.csv
from django.core.management.base import BaseCommand
from django.db import connection
from django.utils import timezone
from django_tenants.utils import schema_context
@nyrahul
nyrahul / kind-cluster-issue-apparmor.md
Last active September 24, 2023 15:47

Step 1: Create cluster

./create-cluster.sh

Step 2: Install apparmor utilities

# Install apparmor utilites in the kind cluster nodes
docker exec -it cluster01-worker bash -c "apt update && apt install apparmor-utils -y && systemctl restart containerd"
docker exec -it cluster01-control-plane bash -c "apt update && apt install apparmor-utils -y && systemctl restart containerd"
@nyrahul
nyrahul / pulsar-admin.sh
Last active April 21, 2024 17:56
bin/pulsar-admin tenants list
bin/pulsar-admin namespaces list "accuknox"
bin/pulsar-admin topics list "accuknox/cluster"
bin/pulsar-admin topics list "accuknox/datapipeline"
bin/pulsar-admin topics stats "persistent://accuknox/datapipeline/kubearmoralerts" | less
bin/pulsar-admin topics examine-messages --initialPosition latest --messagePosition 1 "persistent://accuknox/datapipeline/kubearmoralerts"
bin/pulsar-admin topics clear-backlog -s "accuknox-data-offloader" "persistent://accuknox/datapipeline/kubearmoralerts"