From 1fb9a29223fb547514e9f37b191b645d3ec22d4a Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Tue, 21 May 2024 15:22:54 +0300 Subject: [PATCH 01/22] Create local_policy.yaml --- config/linux/v1beta2/local_policy.yaml | 111 +++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 config/linux/v1beta2/local_policy.yaml diff --git a/config/linux/v1beta2/local_policy.yaml b/config/linux/v1beta2/local_policy.yaml new file mode 100644 index 0000000..3672785 --- /dev/null +++ b/config/linux/v1beta2/local_policy.yaml 
@@ -0,0 +1,111 @@ +# open-appsec default declarative configuration file +# based on schema version: "v1beta2" +# more information on declarative configuration: https://docs.openappsec.io + +apiVersion: v1beta2 + +policies: + default: + # start in detect-learn and move to prevent-learn based on learning progress + mode: detect-learn + threatPreventionPractices: + - default-threat-prevention-practice + accessControlPractices: + - default-access-control-practice + customResponses: default-web-user-response + triggers: + - default-log-trigger + specificRules: + - host: www.example.com + # this is an example for specific rule, adjust the values as required for the protected app + mode: detect-learn + threatPreventionPractices: + - default-threat-prevention-practice + accessControlPractices: + - default-access-control-practice + triggers: + - default-log-trigger + +threatPreventionPractices: + - name: default-threat-prevention-practice + practiceMode: inherited + webAttacks: + overrideMode: inherited + minimumConfidence: high + intrusionPrevention: + # intrusion prevention (IPS) requires "Premium Edition" + overrideMode: inherited + maxPerformanceImpact: medium + minSeverityLevel: medium + minCveYear: 2016 + highConfidenceEventAction: inherited + mediumConfidenceEventAction: inherited + lowConfidenceEventAction: detect + fileSecurity: + # file security requires "Premium Edition" + overrideMode: inherited + minSeverityLevel: medium + highConfidenceEventAction: inherited + mediumConfidenceEventAction: inherited + lowConfidenceEventAction: detect + snortSignatures: + # you must specify snort signatures in configmap or file to activate snort inspection + overrideMode: inherited + configmap: [] + # relevant for deployments on kubernetes + # 0 or 1 configmaps supported in array + files: [] + # relevant for docker and linux embedded deployments + # 0 or 1 files supported in array + openapiSchemaValidation: # schema validation requires "Premium Edition" + overrideMode: inherited 
+ configmap: [] + # relevant for deployments on kubernetes + # 0 or 1 configmaps supported in array + files: [] + # relevant for docker and linux embedded deployments + # 0 or 1 files supported in array + antiBot: # antibot requires "Premium Edition" + overrideMode: inherited + injectedUris: [] + validatedUris: [] + +accessControlPractices: + - name: default-access-control-practice + practiceMode: inherited + rateLimit: + # specify one or more rules below to use rate limiting + overrideMode: inherited + rules: [] + +logTriggers: + - name: default-log-trigger + accessControlLogging: + allowEvents: false + dropEvents: true + appsecLogging: + detectEvents: true + preventEvents: true + allWebRequests: false + extendedLogging: + urlPath: true + urlQuery: true + httpHeaders: false + requestBody: false + additionalSuspiciousEventsLogging: + enabled: true + minSeverity: high + responseBody: false + responseCode: true + + logDestination: + cloud: true + logToAgent: false + stdout: + format: json + +customResponses: + - name: default-web-user-response + mode: response-code-only + httpResponseCode: 403 + From afd2b4930baf3c1329f9672f2f6257205b1d02a2 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Tue, 21 May 2024 15:24:33 +0300 Subject: [PATCH 02/22] Create open-appsec-k8s-default-config-v1beta2.yaml --- ...pen-appsec-k8s-default-config-v1beta2.yaml | 126 ++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 config/k8s/open-appsec-k8s-default-config-v1beta2.yaml diff --git a/config/k8s/open-appsec-k8s-default-config-v1beta2.yaml b/config/k8s/open-appsec-k8s-default-config-v1beta2.yaml new file mode 100644 index 0000000..0384039 --- /dev/null +++ b/config/k8s/open-appsec-k8s-default-config-v1beta2.yaml 
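Review bot: `extendedLogging.urlQuery: true` together with `logDestination.cloud: true` sends full query strings off-box, and query strings routinely carry session tokens, API keys or other personal data, so the default should make that trade-off visible. I would add above `urlQuery: true`: `# query strings are logged verbatim and forwarded to the cloud destination below; set to false if URLs may carry tokens or PII`. With `logToAgent: false`, `stdout` is the only local copy of security events, which is worth stating next to `logToAgent`. The same logging block is repeated in patches 02, 04, 08, 15 and 16.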
@@ -0,0 +1,126 @@ +# open-appsec default declarative configuration file +# based on schema version: "v1beta2" +# more information on declarative configuration: https://docs.openappsec.io + +apiVersion: openappsec.io/v1beta2 +kind: Policy +metadata: + name: default-policy +spec: + default: + # start in detect-learn and move to prevent-learn based on learning progress + mode: detect-learn + threatPreventionPractices: + - default-threat-prevention-practice + accessControlPractices: + - default-access-control-practice + customResponses: default-web-user-response + triggers: + - default-log-trigger + specificRules: + - host: www.example.com + # this is an example for specific rule, adjust the values as required for the protected app + mode: detect-learn + threatPreventionPractices: + - default-threat-prevention-practice + accessControlPractices: + - default-access-control-practice + triggers: + - default-log-trigger +--- +apiVersion: openappsec.io/v1beta2 +kind: ThreatPreventionPractice +metadata: + name: default-threat-prevention-practice +spec: + practiceMode: inherited + webAttacks: + overrideMode: inherited + minimumConfidence: high + intrusionPrevention: + # intrusion prevention (IPS) requires "Premium Edition" + overrideMode: inherited + maxPerformanceImpact: medium + minSeverityLevel: medium + minCveYear: 2016 + highConfidenceEventAction: inherited + mediumConfidenceEventAction: inherited + lowConfidenceEventAction: detect + fileSecurity: + # file security requires "Premium Edition" + overrideMode: inherited + minSeverityLevel: medium + highConfidenceEventAction: inherited + mediumConfidenceEventAction: inherited + lowConfidenceEventAction: detect + snortSignatures: + # you must specify snort signatures in configmap or file to activate snort inspection + overrideMode: inherited + configmap: [] + # relevant for deployments on kubernetes + # 0 or 1 configmaps supported in array + files: [] + # relevant for docker and linux embedded deployments + # 0 or 1 files 
supported in array + openapiSchemaValidation: # schema validation requires "Premium Edition" + overrideMode: inherited + configmap: [] + # relevant for deployments on kubernetes + # 0 or 1 configmaps supported in array + files: [] + # relevant for docker and linux embedded deployments + # 0 or 1 files supported in array + antiBot: # antibot requires "Premium Edition" + overrideMode: inherited + injectedUris: [] + validatedUris: [] + +--- +apiVersion: openappsec.io/v1beta2 +kind: AccessControlPractice +metadata: + name: default-access-control-practice +spec: + practiceMode: inherited + rateLimit: + # specify one or more rules below to use rate limiting + overrideMode: inherited + rules: [] + +--- +apiVersion: openappsec.io/v1beta2 +kind: LogTrigger +metadata: + name: default-log-trigger +spec: + accessControlLogging: + allowEvents: false + dropEvents: true + appsecLogging: + detectEvents: true + preventEvents: true + allWebRequests: false + extendedLogging: + urlPath: true + urlQuery: true + httpHeaders: false + requestBody: false + additionalSuspiciousEventsLogging: + enabled: true + minSeverity: high + responseBody: false + responseCode: true + logDestination: + cloud: true + logToAgent: false + stdout: + format: json + +--- +apiVersion: openappsec.io/v1beta2 +kind: CustomResponse +metadata: + name: default-web-user-response +spec: + mode: response-code-only + httpResponseCode: 403 From 307fd8897dc9502a4362a1c914b327a4aa13749f Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Tue, 21 May 2024 15:24:55 +0300 Subject: [PATCH 03/22] Rename config/k8s/open-appsec-k8s-default-config-v1beta2.yaml to config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml --- .../k8s/{ => v1beta2}/open-appsec-k8s-default-config-v1beta2.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename config/k8s/{ => v1beta2}/open-appsec-k8s-default-config-v1beta2.yaml (100%) 
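Review bot: The `specificRules` entry for `www.example.com` is live policy rather than an illustration: applying this default creates a host-specific rule for a placeholder name, and anyone who only edits the host inherits whatever mode is set on it. Either comment the whole entry out or make the inline comment explicit, e.g. `# EXAMPLE ONLY - edit the host or delete this entry before applying; it is enforced as written`. The same placeholder rule ships active in patches 01, 04, 08, 15 and 16.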
diff --git a/config/k8s/open-appsec-k8s-default-config-v1beta2.yaml b/config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml similarity index 100% rename from config/k8s/open-appsec-k8s-default-config-v1beta2.yaml rename to config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml From 8770257a6038d611d0a48a33eb1ba29c83225946 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Sun, 16 Jun 2024 10:44:21 +0300 Subject: [PATCH 04/22] Create local_policy.yaml for linux prevent --- .../linux/v1beta2/prevent/local_policy.yaml | 110 ++++++++++++++++++ 1 file changed, 110 insertions(+) create mode 100644 config/linux/v1beta2/prevent/local_policy.yaml diff --git a/config/linux/v1beta2/prevent/local_policy.yaml b/config/linux/v1beta2/prevent/local_policy.yaml new file mode 100644 index 0000000..b4d3d1d --- /dev/null +++ b/config/linux/v1beta2/prevent/local_policy.yaml 
@@ -0,0 +1,110 @@ +# open-appsec default declarative configuration file +# based on schema version: "v1beta2" +# more information on declarative configuration: https://docs.openappsec.io + +apiVersion: v1beta2 + +policies: + default: + # start in prevent-learn + mode: prevent-learn + threatPreventionPractices: + - default-threat-prevention-practice + accessControlPractices: + - default-access-control-practice + customResponses: default-web-user-response + triggers: + - default-log-trigger + specificRules: + - host: www.example.com + # this is an example for specific rule, adjust the values as required for the protected app + mode: detect-learn + threatPreventionPractices: + - default-threat-prevention-practice + accessControlPractices: + - default-access-control-practice + triggers: + - default-log-trigger + +threatPreventionPractices: + - name: default-threat-prevention-practice + practiceMode: inherited + webAttacks: + overrideMode: inherited + minimumConfidence: high + intrusionPrevention: + # intrusion prevention (IPS) requires "Premium Edition" + overrideMode: inherited + maxPerformanceImpact: medium + minSeverityLevel: medium + minCveYear: 2016 + highConfidenceEventAction: inherited + mediumConfidenceEventAction: inherited + lowConfidenceEventAction: detect + fileSecurity: + # file security requires "Premium Edition" + overrideMode: inherited + minSeverityLevel: medium + highConfidenceEventAction: inherited + mediumConfidenceEventAction: inherited + lowConfidenceEventAction: detect + snortSignatures: + # you must specify snort signatures in configmap or file to activate snort inspection + overrideMode: inherited + configmap: [] + # relevant for deployments on kubernetes + # 0 or 1 configmaps supported in array + files: [] + # relevant for docker and linux embedded deployments + # 0 or 1 files supported in array + openapiSchemaValidation: # schema validation requires "Premium Edition" + overrideMode: inherited + configmap: [] + # relevant for deployments on 
kubernetes + # 0 or 1 configmaps supported in array + files: [] + # relevant for docker and linux embedded deployments + # 0 or 1 files supported in array + antiBot: # antibot requires "Premium Edition" + overrideMode: inherited + injectedUris: [] + validatedUris: [] + +accessControlPractices: + - name: default-access-control-practice + practiceMode: inherited + rateLimit: + # specify one or more rules below to use rate limiting + overrideMode: inherited + rules: [] + +logTriggers: + - name: default-log-trigger + accessControlLogging: + allowEvents: false + dropEvents: true + appsecLogging: + detectEvents: true + preventEvents: true + allWebRequests: false + extendedLogging: + urlPath: true + urlQuery: true + httpHeaders: false + requestBody: false + additionalSuspiciousEventsLogging: + enabled: true + minSeverity: high + responseBody: false + responseCode: true + + logDestination: + cloud: true + logToAgent: false + stdout: + format: json + +customResponses: + - name: default-web-user-response + mode: response-code-only + httpResponseCode: 403 From 48d6baed3b40c6ca4eaa60569a12c5ad6127c691 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Sun, 16 Jun 2024 10:44:39 +0300 Subject: [PATCH 05/22] Rename config/linux/v1beta2/local_policy.yaml to config/linux/v1beta2/default/local_policy.yaml --- config/linux/v1beta2/{ => default}/local_policy.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename config/linux/v1beta2/{ => default}/local_policy.yaml (100%) diff --git a/config/linux/v1beta2/local_policy.yaml b/config/linux/v1beta2/default/local_policy.yaml similarity index 100% rename from config/linux/v1beta2/local_policy.yaml rename to config/linux/v1beta2/default/local_policy.yaml From 3c8672c565055c970386a28a0dc8a9401982a805 Mon Sep 17 00:00:00 2001 
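Review bot: The example `specificRules` entry keeps `mode: detect-learn` while `default.mode` is `prevent-learn`, so a user who adopts this prevent file and only replaces the host ends up with that host in detect-only; the k8s prevent variant in patch 08 sets the rule to `prevent-learn`, and this file should match with `mode: prevent-learn`. If a detect-learn specific rule inside a prevent policy is intentional, the comment above it should say so. The header comment also still reads `# open-appsec default declarative configuration file` although this is the prevent variant; patch 08 reuses the same header.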
From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Sun, 16 Jun 2024 10:54:05 +0300 Subject: [PATCH 06/22] Rename config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml to config/k8s/v1beta2/default/open-appsec-k8s-default-config-v1beta2.yaml --- .../{ => default}/open-appsec-k8s-default-config-v1beta2.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename config/k8s/v1beta2/{ => default}/open-appsec-k8s-default-config-v1beta2.yaml (100%) diff --git a/config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml b/config/k8s/v1beta2/default/open-appsec-k8s-default-config-v1beta2.yaml similarity index 100% rename from config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml rename to config/k8s/v1beta2/default/open-appsec-k8s-default-config-v1beta2.yaml From 78c4209406f49c9beef69214261708e5117ef82c Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Sun, 16 Jun 2024 10:55:23 +0300 Subject: [PATCH 07/22] Rename config/k8s/v1beta2/default/open-appsec-k8s-default-config-v1beta2.yaml to config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml --- .../{default => }/open-appsec-k8s-default-config-v1beta2.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename config/k8s/v1beta2/{default => }/open-appsec-k8s-default-config-v1beta2.yaml (100%) diff --git a/config/k8s/v1beta2/default/open-appsec-k8s-default-config-v1beta2.yaml b/config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml similarity index 100% rename from config/k8s/v1beta2/default/open-appsec-k8s-default-config-v1beta2.yaml rename to config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml From cf16343caa187cf4f6862b5e25956955d0102150 Mon Sep 17 00:00:00 2001 
From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Sun, 16 Jun 2024 10:56:16 +0300 Subject: [PATCH 08/22] Create open-appsec-k8s-prevent-config-v1beta2.yaml --- ...pen-appsec-k8s-prevent-config-v1beta2.yaml | 126 ++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 config/k8s/v1beta2/open-appsec-k8s-prevent-config-v1beta2.yaml diff --git a/config/k8s/v1beta2/open-appsec-k8s-prevent-config-v1beta2.yaml b/config/k8s/v1beta2/open-appsec-k8s-prevent-config-v1beta2.yaml new file mode 100644 index 0000000..ce0bfec --- /dev/null +++ b/config/k8s/v1beta2/open-appsec-k8s-prevent-config-v1beta2.yaml 
@@ -0,0 +1,126 @@ +# open-appsec default declarative configuration file +# based on schema version: "v1beta2" +# more information on declarative configuration: https://docs.openappsec.io + +apiVersion: openappsec.io/v1beta2 +kind: Policy +metadata: + name: default-policy +spec: + default: + # start in prevent-learn + mode: prevent-learn + threatPreventionPractices: + - default-threat-prevention-practice + accessControlPractices: + - default-access-control-practice + customResponses: default-web-user-response + triggers: + - default-log-trigger + specificRules: + - host: www.example.com + # this is an example for specific rule, adjust the values as required for the protected app + mode: prevent-learn + threatPreventionPractices: + - default-threat-prevention-practice + accessControlPractices: + - default-access-control-practice + triggers: + - default-log-trigger +--- +apiVersion: openappsec.io/v1beta2 +kind: ThreatPreventionPractice +metadata: + name: default-threat-prevention-practice +spec: + practiceMode: inherited + webAttacks: + overrideMode: inherited + minimumConfidence: high + intrusionPrevention: + # intrusion prevention (IPS) requires "Premium Edition" + overrideMode: inherited + maxPerformanceImpact: medium + minSeverityLevel: medium + minCveYear: 2016 + highConfidenceEventAction: inherited + mediumConfidenceEventAction: inherited + lowConfidenceEventAction: detect + fileSecurity: + # file security requires "Premium Edition" + overrideMode: inherited + minSeverityLevel: medium + highConfidenceEventAction: inherited + mediumConfidenceEventAction: inherited + lowConfidenceEventAction: detect + snortSignatures: + # you must specify snort signatures in configmap or file to activate snort inspection + overrideMode: inherited + configmap: [] + # relevant for deployments on kubernetes + # 0 or 1 configmaps supported in array + files: [] + # relevant for docker and linux embedded deployments + # 0 or 1 files supported in array + openapiSchemaValidation: # schema 
validation requires "Premium Edition" + overrideMode: inherited + configmap: [] + # relevant for deployments on kubernetes + # 0 or 1 configmaps supported in array + files: [] + # relevant for docker and linux embedded deployments + # 0 or 1 files supported in array + antiBot: # antibot requires "Premium Edition" + overrideMode: inherited + injectedUris: [] + validatedUris: [] + +--- +apiVersion: openappsec.io/v1beta2 +kind: AccessControlPractice +metadata: + name: default-access-control-practice +spec: + practiceMode: inherited + rateLimit: + # specify one or more rules below to use rate limiting + overrideMode: inherited + rules: [] + +--- +apiVersion: openappsec.io/v1beta2 +kind: LogTrigger +metadata: + name: default-log-trigger +spec: + accessControlLogging: + allowEvents: false + dropEvents: true + appsecLogging: + detectEvents: true + preventEvents: true + allWebRequests: false + extendedLogging: + urlPath: true + urlQuery: true + httpHeaders: false + requestBody: false + additionalSuspiciousEventsLogging: + enabled: true + minSeverity: high + responseBody: false + responseCode: true + logDestination: + cloud: true + logToAgent: false + stdout: + format: json + +--- +apiVersion: openappsec.io/v1beta2 +kind: CustomResponse +metadata: + name: default-web-user-response +spec: + mode: response-code-only + httpResponseCode: 403 From 1254bb37b2e560f2befcd6405a621158194cd395 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 17 Jun 2024 13:34:35 +0300 Subject: [PATCH 09/22] Create local_policy.yaml --- config/linux/v1beta1/detect/local_policy.yaml | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 config/linux/v1beta1/detect/local_policy.yaml diff --git a/config/linux/v1beta1/detect/local_policy.yaml b/config/linux/v1beta1/detect/local_policy.yaml new file mode 100644 index 0000000..b7fa3d6 --- /dev/null +++ b/config/linux/v1beta1/detect/local_policy.yaml 
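Review bot: `lowConfidenceEventAction: detect` under both `intrusionPrevention` and `fileSecurity` appears to leave low-confidence IPS and file-security hits logged but not blocked even though this policy starts in `prevent-learn`, and nothing in the file states that this is the intended posture. Add a comment on each, e.g. `# low-confidence events are logged only, even in prevent mode; raise to inherited after tuning`, so operators do not assume prevent-learn blocks everything the practice detects. The log-only reading of `detect` is inferred from the field name and should be confirmed against the schema documentation. Patch 16 carries the same values; patches 01, 02, 04 and 15 do too, though under detect-learn the distinction matters less.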
@@ -0,0 +1,52 @@ +policies: + default: + triggers: + - appsec-default-log-trigger + mode: detect-learn + practices: + - webapp-default-practice + custom-response: appsec-default-web-user-response + specific-rules: [] + +practices: + - name: webapp-default-practice + openapi-schema-validation: + configmap: [] + override-mode: detect-learn + snort-signatures: + configmap: [] + override-mode: detect-learn + web-attacks: + max-body-size-kb: 1000000 + max-header-size-bytes: 102400 + max-object-depth: 40 + max-url-size-bytes: 32768 + minimum-confidence: critical + override-mode: detect-learn + protections: + csrf-protection: inactive + error-disclosure: inactive + non-valid-http-methods: false + open-redirect: inactive + anti-bot: + injected-URIs: [] + validated-URIs: [] + override-mode: detect-learn + +log-triggers: + - name: appsec-default-log-trigger + access-control-logging: + allow-events: false + drop-events: true + additional-suspicious-events-logging: + enabled: true + minimum-severity: high + response-body: false + appsec-logging: + all-web-requests: false + detect-events: true + prevent-events: true + extended-logging: + http-headers: false + request-body: false + url-path: false From ded2a5ffc2fd4e81c16282de5925cc8abb1b2de9 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 17 Jun 2024 13:36:23 +0300 Subject: [PATCH 10/22] Create local_policy.yaml --- .../linux/v1beta1/prevent/local_policy.yaml | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 config/linux/v1beta1/prevent/local_policy.yaml diff --git a/config/linux/v1beta1/prevent/local_policy.yaml b/config/linux/v1beta1/prevent/local_policy.yaml new file mode 100644 index 0000000..6313e5f --- /dev/null +++ b/config/linux/v1beta1/prevent/local_policy.yaml 
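Review bot: `custom-response: appsec-default-web-user-response` is referenced by the policy but nothing in this file defines it; there is no `custom-responses` section, unlike the v1beta2 files in patches 01 and 04, which declare the response under `customResponses`. Unless the agent ships a built-in response under that name, the reference is dangling, so either add the definition or a comment such as `# built-in response provided by the agent; no definition required` stating that it is. Patches 10, 11 and 12 have the same gap.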
@@ -0,0 +1,52 @@ +policies: + default: + triggers: + - appsec-default-log-trigger + mode: prevent-learn + practices: + - webapp-default-practice + custom-response: appsec-default-web-user-response + specific-rules: [] + +practices: + - name: webapp-default-practice + openapi-schema-validation: + configmap: [] + override-mode: prevent-learn + snort-signatures: + configmap: [] + override-mode: prevent-learn + web-attacks: + max-body-size-kb: 1000000 + max-header-size-bytes: 102400 + max-object-depth: 40 + max-url-size-bytes: 32768 + minimum-confidence: critical + override-mode: prevent-learn + protections: + csrf-protection: inactive + error-disclosure: inactive + non-valid-http-methods: false + open-redirect: inactive + anti-bot: + injected-URIs: [] + validated-URIs: [] + override-mode: prevent-learn + +log-triggers: + - name: appsec-default-log-trigger + access-control-logging: + allow-events: false + drop-events: true + additional-suspicious-events-logging: + enabled: true + minimum-severity: high + response-body: false + appsec-logging: + all-web-requests: false + detect-events: true + prevent-events: true + extended-logging: + http-headers: false + request-body: false + url-path: false From 18b1b63c4297d9dd4a66e2edbfc76cd95e54dc24 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 17 Jun 2024 13:38:31 +0300 Subject: [PATCH 11/22] Create local_policy.yaml --- config/linux/latest/prevent/local_policy.yaml | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 config/linux/latest/prevent/local_policy.yaml diff --git a/config/linux/latest/prevent/local_policy.yaml b/config/linux/latest/prevent/local_policy.yaml new file mode 100644 index 0000000..6313e5f --- /dev/null +++ b/config/linux/latest/prevent/local_policy.yaml 
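Review bot: Under `web-attacks.protections` every protection is off (`csrf-protection: inactive`, `error-disclosure: inactive`, `non-valid-http-methods: false`, `open-redirect: inactive`) and `minimum-confidence: critical` limits enforcement to the highest confidence tier, yet the file is shipped as the prevent default with no explanation. Either enable the protections that are safe to prevent on, or add a comment above `protections:` such as `# individual protections are disabled by default to limit false positives; enable per application after the learning period`. Patches 09, 11 and 12 carry the same block.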
@@ -0,0 +1,52 @@ +policies: + default: + triggers: + - appsec-default-log-trigger + mode: prevent-learn + practices: + - webapp-default-practice + custom-response: appsec-default-web-user-response + specific-rules: [] + +practices: + - name: webapp-default-practice + openapi-schema-validation: + configmap: [] + override-mode: prevent-learn + snort-signatures: + configmap: [] + override-mode: prevent-learn + web-attacks: + max-body-size-kb: 1000000 + max-header-size-bytes: 102400 + max-object-depth: 40 + max-url-size-bytes: 32768 + minimum-confidence: critical + override-mode: prevent-learn + protections: + csrf-protection: inactive + error-disclosure: inactive + non-valid-http-methods: false + open-redirect: inactive + anti-bot: + injected-URIs: [] + validated-URIs: [] + override-mode: prevent-learn + +log-triggers: + - name: appsec-default-log-trigger + access-control-logging: + allow-events: false + drop-events: true + additional-suspicious-events-logging: + enabled: true + minimum-severity: high + response-body: false + appsec-logging: + all-web-requests: false + detect-events: true + prevent-events: true + extended-logging: + http-headers: false + request-body: false + url-path: false From 504d1415a5ab6cfc9b7b221b07939b05d7cc133a Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 17 Jun 2024 13:39:40 +0300 Subject: [PATCH 12/22] Create local_policy.yaml --- config/linux/latest/detect/local_policy.yaml | 52 ++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 config/linux/latest/detect/local_policy.yaml diff --git a/config/linux/latest/detect/local_policy.yaml b/config/linux/latest/detect/local_policy.yaml new file mode 100644 index 0000000..b7fa3d6 --- /dev/null +++ b/config/linux/latest/detect/local_policy.yaml 
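Review bot: `config/linux/latest/prevent/local_policy.yaml` is a byte-identical copy (blob 6313e5f) of the v1beta1 file from patch 10, so "latest" for linux points at the v1beta1 schema while "latest" for k8s (patches 15 and 16, blobs 0384039 and ce0bfec) holds the v1beta2 content; the two trees disagree about what latest means. If the older schema is intentional for linux, a header comment should say so; otherwise the v1beta2 prevent file from patch 04 is the one to copy here. Patch 12 duplicates patch 09 in the same way. Identical copies maintained by hand will drift; a symlink or a CI check that `latest/` matches the newest versioned directory would keep them aligned.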
@@ -0,0 +1,52 @@ +policies: + default: + triggers: + - appsec-default-log-trigger + mode: detect-learn + practices: + - webapp-default-practice + custom-response: appsec-default-web-user-response + specific-rules: [] + +practices: + - name: webapp-default-practice + openapi-schema-validation: + configmap: [] + override-mode: detect-learn + snort-signatures: + configmap: [] + override-mode: detect-learn + web-attacks: + max-body-size-kb: 1000000 + max-header-size-bytes: 102400 + max-object-depth: 40 + max-url-size-bytes: 32768 + minimum-confidence: critical + override-mode: detect-learn + protections: + csrf-protection: inactive + error-disclosure: inactive + non-valid-http-methods: false + open-redirect: inactive + anti-bot: + injected-URIs: [] + validated-URIs: [] + override-mode: detect-learn + +log-triggers: + - name: appsec-default-log-trigger + access-control-logging: + allow-events: false + drop-events: true + additional-suspicious-events-logging: + enabled: true + minimum-severity: high + response-body: false + appsec-logging: + all-web-requests: false + detect-events: true + prevent-events: true + extended-logging: + http-headers: false + request-body: false + url-path: false From 74bb3086ecb33eed8e47f0ad03ae99e77edf617a Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 17 Jun 2024 13:41:29 +0300 Subject: [PATCH 13/22] Create open-appsec-k8s-default-config-v1beta21.yaml --- .../open-appsec-k8s-default-config-v1beta21.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta21.yaml diff --git a/config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta21.yaml b/config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta21.yaml new file mode 100644 index 0000000..3ad8975 --- /dev/null +++ b/config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta21.yaml 
@@ -0,0 +1,13 @@ +apiVersion: openappsec.io/v1beta1 +kind: Policy +metadata: + name: open-appsec-best-practice-policy +spec: + default: + mode: detect-learn + practices: [appsec-best-practice] + triggers: [appsec-log-trigger] + custom-response: 403-forbidden + source-identifiers: "" + trusted-sources: "" + exceptions: [] From 3b533608b1b32ad1b292b15f76d26f10fdaff32a Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 17 Jun 2024 13:42:13 +0300 Subject: [PATCH 14/22] Create open-appsec-k8s-prevent-config-v1beta1.yaml --- .../open-appsec-k8s-prevent-config-v1beta1.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml diff --git a/config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml b/config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml new file mode 100644 index 0000000..87ef8d1 --- /dev/null +++ b/config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml @@ -0,0 +1,13 @@ +apiVersion: openappsec.io/v1beta1 +kind: Policy +metadata: + name: open-appsec-best-practice-policy +spec: + default: + mode: prevent-learn + practices: [appsec-best-practice] + triggers: [appsec-log-trigger] + custom-response: 403-forbidden + source-identifiers: "" + trusted-sources: "" + exceptions: [] From 4af9f18ada5d7c4207df1913227607447df7aa98 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 17 Jun 2024 13:44:25 +0300 Subject: [PATCH 15/22] Create open-appsec-k8s-default-config-v1beta2.yaml --- ...pen-appsec-k8s-default-config-v1beta2.yaml | 126 ++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 config/k8s/latest/open-appsec-k8s-default-config-v1beta2.yaml diff --git a/config/k8s/latest/open-appsec-k8s-default-config-v1beta2.yaml b/config/k8s/latest/open-appsec-k8s-default-config-v1beta2.yaml new file mode 100644 index 0000000..0384039 --- /dev/null 
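Review bot: The file name `open-appsec-k8s-default-config-v1beta21.yaml` looks like a typo for `v1beta1`: the sibling created in patch 14 is `open-appsec-k8s-prevent-config-v1beta1.yaml`, so the pair will not sort or glob together. Separately, the Policy references `appsec-best-practice`, `appsec-log-trigger` and `403-forbidden` but this 13-line file defines none of them; if these are built-in names a comment should say so, otherwise the Practice, LogTrigger and CustomResponse documents need to be added. Patch 14 has the same undefined references.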
+++ b/config/k8s/latest/open-appsec-k8s-default-config-v1beta2.yaml 
@@ -0,0 +1,126 @@ +# open-appsec default declarative configuration file +# based on schema version: "v1beta2" +# more information on declarative configuration: https://docs.openappsec.io + +apiVersion: openappsec.io/v1beta2 +kind: Policy +metadata: + name: default-policy +spec: + default: + # start in detect-learn and move to prevent-learn based on learning progress + mode: detect-learn + threatPreventionPractices: + - default-threat-prevention-practice + accessControlPractices: + - default-access-control-practice + customResponses: default-web-user-response + triggers: + - default-log-trigger + specificRules: + - host: www.example.com + # this is an example for specific rule, adjust the values as required for the protected app + mode: detect-learn + threatPreventionPractices: + - default-threat-prevention-practice + accessControlPractices: + - default-access-control-practice + triggers: + - default-log-trigger +--- +apiVersion: openappsec.io/v1beta2 +kind: ThreatPreventionPractice +metadata: + name: default-threat-prevention-practice +spec: + practiceMode: inherited + webAttacks: + overrideMode: inherited + minimumConfidence: high + intrusionPrevention: + # intrusion prevention (IPS) requires "Premium Edition" + overrideMode: inherited + maxPerformanceImpact: medium + minSeverityLevel: medium + minCveYear: 2016 + highConfidenceEventAction: inherited + mediumConfidenceEventAction: inherited + lowConfidenceEventAction: detect + fileSecurity: + # file security requires "Premium Edition" + overrideMode: inherited + minSeverityLevel: medium + highConfidenceEventAction: inherited + mediumConfidenceEventAction: inherited + lowConfidenceEventAction: detect + snortSignatures: + # you must specify snort signatures in configmap or file to activate snort inspection + overrideMode: inherited + configmap: [] + # relevant for deployments on kubernetes + # 0 or 1 configmaps supported in array + files: [] + # relevant for docker and linux embedded deployments + # 0 or 1 files 
supported in array + openapiSchemaValidation: # schema validation requires "Premium Edition" + overrideMode: inherited + configmap: [] + # relevant for deployments on kubernetes + # 0 or 1 configmaps supported in array + files: [] + # relevant for docker and linux embedded deployments + # 0 or 1 files supported in array + antiBot: # antibot requires "Premium Edition" + overrideMode: inherited + injectedUris: [] + validatedUris: [] + +--- +apiVersion: openappsec.io/v1beta2 +kind: AccessControlPractice +metadata: + name: default-access-control-practice +spec: + practiceMode: inherited + rateLimit: + # specify one or more rules below to use rate limiting + overrideMode: inherited + rules: [] + +--- +apiVersion: openappsec.io/v1beta2 +kind: LogTrigger +metadata: + name: default-log-trigger +spec: + accessControlLogging: + allowEvents: false + dropEvents: true + appsecLogging: + detectEvents: true + preventEvents: true + allWebRequests: false + extendedLogging: + urlPath: true + urlQuery: true + httpHeaders: false + requestBody: false + additionalSuspiciousEventsLogging: + enabled: true + minSeverity: high + responseBody: false + responseCode: true + logDestination: + cloud: true + logToAgent: false + stdout: + format: json + +--- +apiVersion: openappsec.io/v1beta2 +kind: CustomResponse +metadata: + name: default-web-user-response +spec: + mode: response-code-only + httpResponseCode: 403 From 4241b9c5745a0cbe6400b836cc7bd47a11b8d155 Mon Sep 17 00:00:00 2001 From: orianelou <126462046+orianelou@users.noreply.github.com> Date: Mon, 17 Jun 2024 13:44:45 +0300 Subject: [PATCH 16/22] Create open-appsec-k8s-prevent-config-v1beta2.yaml --- ...pen-appsec-k8s-prevent-config-v1beta2.yaml | 126 ++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 config/k8s/latest/open-appsec-k8s-prevent-config-v1beta2.yaml 
diff --git a/config/k8s/latest/open-appsec-k8s-prevent-config-v1beta2.yaml b/config/k8s/latest/open-appsec-k8s-prevent-config-v1beta2.yaml new file mode 100644 index 0000000..ce0bfec --- /dev/null +++ b/config/k8s/latest/open-appsec-k8s-prevent-config-v1beta2.yaml 
@@ -0,0 +1,126 @@
+# open-appsec default declarative configuration file
+# based on schema version: "v1beta2"
+# more information on declarative configuration: https://docs.openappsec.io
+
+apiVersion: openappsec.io/v1beta2
+kind: Policy
+metadata:
+ name: default-policy
+spec:
+ default:
+ # start in prevent-learn
+ mode: prevent-learn
+ threatPreventionPractices:
+ - default-threat-prevention-practice
+ accessControlPractices:
+ - default-access-control-practice
+ customResponses: default-web-user-response
+ triggers:
+ - default-log-trigger
+ specificRules:
+ - host: www.example.com
+ # this is an example for specific rule, adjust the values as required for the protected app
+ mode: prevent-learn
+ threatPreventionPractices:
+ - default-threat-prevention-practice
+ accessControlPractices:
+ - default-access-control-practice
+ triggers:
+ - default-log-trigger
+---
+apiVersion: openappsec.io/v1beta2
+kind: ThreatPreventionPractice
+metadata:
+ name: default-threat-prevention-practice
+spec:
+ practiceMode: inherited
+ webAttacks:
+ overrideMode: inherited
+ minimumConfidence: high
+ intrusionPrevention:
+ # intrusion prevention (IPS) requires "Premium Edition"
+ overrideMode: inherited
+ maxPerformanceImpact: medium
+ minSeverityLevel: medium
+ minCveYear: 2016
+ highConfidenceEventAction: inherited
+ mediumConfidenceEventAction: inherited
+ lowConfidenceEventAction: detect
+ fileSecurity:
+ # file security requires "Premium Edition"
+ overrideMode: inherited
+ minSeverityLevel: medium
+ highConfidenceEventAction: inherited
+ mediumConfidenceEventAction: inherited
+ lowConfidenceEventAction: detect
+ snortSignatures:
+ # you must specify snort signatures in configmap or file to activate snort inspection
+ overrideMode: inherited
+ configmap: []
+ # relevant for deployments on kubernetes
+ # 0 or 1 configmaps supported in array
+ files: []
+ # relevant for docker and linux embedded deployments
+ # 0 or 1 files supported in array
+ openapiSchemaValidation: # schema validation requires "Premium Edition"
+ overrideMode: inherited
+ configmap: []
+ # relevant for deployments on kubernetes
+ # 0 or 1 configmaps supported in array
+ files: []
+ # relevant for docker and linux embedded deployments
+ # 0 or 1 files supported in array
+ antiBot: # antibot requires "Premium Edition"
+ overrideMode: inherited
+ injectedUris: []
+ validatedUris: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: AccessControlPractice
+metadata:
+ name: default-access-control-practice
+spec:
+ practiceMode: inherited
+ rateLimit:
+ # specify one or more rules below to use rate limiting
+ overrideMode: inherited
+ rules: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: LogTrigger
+metadata:
+ name: default-log-trigger
+spec:
+ accessControlLogging:
+ allowEvents: false
+ dropEvents: true
+ appsecLogging:
+ detectEvents: true
+ preventEvents: true
+ allWebRequests: false
+ extendedLogging:
+ urlPath: true
+ urlQuery: true
+ httpHeaders: false
+ requestBody: false
+ additionalSuspiciousEventsLogging:
+ enabled: true
+ minSeverity: high
+ responseBody: false
+ responseCode: true
+ logDestination:
+ cloud: true
+ logToAgent: false
+ stdout:
+ format: json
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: CustomResponse
+metadata:
+ name: default-web-user-response
+spec:
+ mode: response-code-only
+ httpResponseCode: 403
From 88e0ccd3084518bce758806e2fd2e7a53b00fa01 Mon Sep 17 00:00:00 2001
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 17 Jun 2024 13:45:02 +0300
Subject: [PATCH 17/22] Rename open-appsec-k8s-default-config-v1beta21.yaml to open-appsec-k8s-default-config-v1beta1.yaml
---
 ...-v1beta21.yaml => open-appsec-k8s-default-config-v1beta1.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename config/k8s/v1beta1/{open-appsec-k8s-default-config-v1beta21.yaml => open-appsec-k8s-default-config-v1beta1.yaml} (100%)
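Review bot: The comment `# start in prevent-learn` above `mode: prevent-learn` gives less guidance than the matching comment in the linux local_policy created earlier in this series, although prevent-learn is the more consequential default: it applies to every host from the first request, with the blocking threshold presumably governed by `minimumConfidence: high` in the ThreatPreventionPractice below. Suggest `# prevent-learn enforces immediately for all hosts; validate in detect-learn first and use specificRules to stage enforcement per host`. The AccessControlPractice, LogTrigger and CustomResponse stanzas appear to be verbatim copies of the ones in config/linux/v1beta2/local_policy.yaml, and patches 19–22 of this series show what such copies cost (one 10-line hunk applied to four files); if the copies are meant to stay identical, a header comment naming the sibling file would at least flag the coupling to the next maintainer.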
diff --git a/config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta21.yaml b/config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta1.yaml
similarity index 100%
rename from config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta21.yaml
rename to config/k8s/v1beta1/open-appsec-k8s-default-config-v1beta1.yaml
From 057bc42375b078b166a04e8b60f8f875922527be Mon Sep 17 00:00:00 2001
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 17 Jun 2024 13:47:24 +0300
Subject: [PATCH 18/22] Update local_policy.yaml
---
 examples/local_policy.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/examples/local_policy.yaml b/examples/local_policy.yaml
index 8fe198c..7bd0542 100644
--- a/examples/local_policy.yaml
+++ b/examples/local_policy.yaml
@@ -24,10 +24,10 @@ practices:
 minimum-confidence: critical
 override-mode: prevent-learn
 protections:
- csrf-protection: prevent-learn
- error-disclosure: prevent-learn
- non-valid-http-methods: true
- open-redirect: prevent-learn
+ csrf-protection: inactive
+ error-disclosure: inactive
+ non-valid-http-methods: false
+ open-redirect: inactive
 anti-bot:
 injected-URIs: []
 validated-URIs: []
@@ -59,4 +59,4 @@ log-triggers:
 custom-responses:
 - name: appsec-default-web-user-response
 mode: response-code-only
- http-response-code: 403
\ No newline at end of file
+ http-response-code: 403
From 46682bcdceca3e424776cff587199a1785497290 Mon Sep 17 00:00:00 2001
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 17 Jun 2024 13:48:39 +0300
Subject: [PATCH 19/22] Update local_policy.yaml
---
 config/linux/v1beta1/prevent/local_policy.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/config/linux/v1beta1/prevent/local_policy.yaml b/config/linux/v1beta1/prevent/local_policy.yaml
index 6313e5f..02d49d3 100644
--- a/config/linux/v1beta1/prevent/local_policy.yaml
+++ b/config/linux/v1beta1/prevent/local_policy.yaml
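Review bot: The first hunk of examples/local_policy.yaml turns `csrf-protection`, `error-disclosure` and `open-redirect` from `prevent-learn` to `inactive` and `non-valid-http-methods` from `true` to `false` without a comment, and the commit message ("Update local_policy.yaml") does not say why. Because this is the example file users are most likely to copy, an operator can end up with those protections silently disabled while `override-mode: prevent-learn` on the line above suggests full enforcement. If they are off because they are not available in the edition this example targets (the v1beta2 files mark such features with a "Premium Edition" comment) or because they need per-application tuning, say so next to the entries, e.g. `# csrf/error-disclosure/open-redirect start inactive; enable per host once the app has been profiled`; otherwise `detect-learn` would keep the events visible in the log trigger without blocking. The `practices:` stanza these lines belong to starts outside the hunk.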
@@ -50,3 +50,13 @@ log-triggers:
 http-headers: false
 request-body: false
 url-path: false
+ url-query: false
+ log-destination:
+ cloud: true
+ stdout:
+ format: json
+
+custom-responses:
+ - name: appsec-default-web-user-response
+ mode: response-code-only
+ http-response-code: 403
From 9392bbb26c9f9d33caa695fd86522dfdfa621f6b Mon Sep 17 00:00:00 2001
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 17 Jun 2024 13:49:01 +0300
Subject: [PATCH 20/22] Update local_policy.yaml
---
 config/linux/v1beta1/detect/local_policy.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/config/linux/v1beta1/detect/local_policy.yaml b/config/linux/v1beta1/detect/local_policy.yaml
index b7fa3d6..b279d5f 100644
--- a/config/linux/v1beta1/detect/local_policy.yaml
+++ b/config/linux/v1beta1/detect/local_policy.yaml
@@ -50,3 +50,13 @@ log-triggers:
 http-headers: false
 request-body: false
 url-path: false
+ url-query: false
+ log-destination:
+ cloud: true
+ stdout:
+ format: json
+
+custom-responses:
+ - name: appsec-default-web-user-response
+ mode: response-code-only
+ http-response-code: 403
From 663782009c98aef7958c7c5b4e65fc33c07eac7c Mon Sep 17 00:00:00 2001
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 17 Jun 2024 13:49:18 +0300
Subject: [PATCH 21/22] Update local_policy.yaml
---
 config/linux/latest/detect/local_policy.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/config/linux/latest/detect/local_policy.yaml b/config/linux/latest/detect/local_policy.yaml
index b7fa3d6..b279d5f 100644
--- a/config/linux/latest/detect/local_policy.yaml
+++ b/config/linux/latest/detect/local_policy.yaml
@@ -50,3 +50,13 @@ log-triggers:
 http-headers: false
 request-body: false
 url-path: false
+ url-query: false
+ log-destination:
+ cloud: true
+ stdout:
+ format: json
+
+custom-responses:
+ - name: appsec-default-web-user-response
+ mode: response-code-only
+ http-response-code: 403
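Review bot: The added `url-query: false`, sitting under the existing `url-path: false`, `http-headers: false` and `request-body: false` context lines, leaves the v1beta1 linux log trigger recording none of the request's path, query, headers or body for a detected or prevented event, whereas the v1beta2 LogTrigger created earlier in this series logs both `urlPath: true` and `urlQuery: true`; an analyst triaging a block from these files has little to work with. If the difference is deliberate (for instance to keep tokens in query strings out of `stdout`/cloud logs), a comment would make that explicit: `# url-path/url-query kept off to avoid logging query parameters; enable when investigating`; otherwise consider aligning with the v1beta2 defaults. The `log-triggers:` stanza these lines extend starts outside the hunk. The same hunk is applied verbatim to config/linux/v1beta1/detect/local_policy.yaml, config/linux/latest/detect/local_policy.yaml and config/linux/latest/prevent/local_policy.yaml in patches 20–22, so whichever way this is resolved, all four copies need the same change.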
From be6591a670cc30a0a71a1ac323fed978ac0bcb1b Mon Sep 17 00:00:00 2001
From: orianelou <126462046+orianelou@users.noreply.github.com>
Date: Mon, 17 Jun 2024 13:49:48 +0300
Subject: [PATCH 22/22] Update local_policy.yaml
---
 config/linux/latest/prevent/local_policy.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/config/linux/latest/prevent/local_policy.yaml b/config/linux/latest/prevent/local_policy.yaml
index 6313e5f..02d49d3 100644
--- a/config/linux/latest/prevent/local_policy.yaml
+++ b/config/linux/latest/prevent/local_policy.yaml
@@ -50,3 +50,13 @@ log-triggers:
 http-headers: false
 request-body: false
 url-path: false
+ url-query: false
+ log-destination:
+ cloud: true
+ stdout:
+ format: json
+
+custom-responses:
+ - name: appsec-default-web-user-response
+ mode: response-code-only
+ http-response-code: 403