Create open-appsec-k8s-v1beta2.yaml

README.md

@@ -74,7 +74,7 @@ For Linux, if you’ve built your own package use the following commands:
 
 ```bash
 $ install-cp-nano-agent.sh --install --hybrid_mode
-$ install-cp-nano-service-http-transaction-handler.sh –install
+$ install-cp-nano-service-http-transaction-handler.sh --install
 $ install-cp-nano-attachment-registration-manager.sh --install
 ```
 You can add the ```--token <token>``` and ```--email <email address>``` options to the first command, to get a token follow [documentation](https://docs.openappsec.io/getting-started/using-the-web-ui-saas/connect-deployed-agents-to-saas-management-k8s-and-linux). 

config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml

@@ -14,7 +14,7 @@ spec:
     - default-threat-prevention-practice
     accessControlPractices:
     - default-access-control-practice
-    customResponses: default-web-user-response
+    customResponse: default-web-user-response
     triggers:
     - default-log-trigger
   specificRules:
@@ -62,7 +62,7 @@ spec:
     files: []
     # relevant for docker and linux embedded deployments
     # 0 or 1 files supported in array
-  openapiSchemaValidation: # schema validation requires "Premium Edition"
+  schemaValidation: # schema validation requires "Premium Edition"
     overrideMode: inherited
     configmap: []
     # relevant for deployments on kubernetes

config/k8s/v1beta2/open-appsec-k8s-full-example-config-v1beta2.yaml

@@ -0,0 +1,163 @@
+apiVersion: openappsec.io/v1beta2
+kind: AccessControlPractice
+metadata:
+  name: access-control-practice-example
+spec:
+  practiceMode: prevent
+  rateLimit:
+    overrideMode: inherited
+    rules:
+    - action: prevent
+      comment: Limiting access to the resource
+      limit: 100
+      triggers:
+      - log-trigger-example
+      unit: minute
+      uri: /api/resource
+    - action: inherited
+      comment: Rate limiting for authentication requests
+      limit: 50
+      triggers:
+      - log-trigger-example
+      unit: second
+      uri: /api/auth
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: CustomResponse
+metadata:
+  name: custom-response-block-page-example
+spec:
+  mode: block-page
+  messageTitle: "Access Denied"
+  messageBody: "Your request was blocked for security reasons."
+  httpResponseCode: 403
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: Exception
+metadata:
+  name: exception-example
+spec:
+  action: accept
+  condition:
+    - key: countryCode
+      value: US
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: LogTrigger
+metadata:
+  name: log-trigger-example
+spec:
+  accessControlLogging:
+    allowEvents: false
+    dropEvents: true
+  appsecLogging:
+    detectEvents: true
+    preventEvents: true
+    allWebRequests: false
+  additionalSuspiciousEventsLogging:
+    enabled: true
+    minSeverity: high # {high|critical}
+    responseBody: false
+    responseCode: true
+  extendedLogging:
+    urlPath: true
+    urlQuery: true
+    httpHeaders: false
+    requestBody: false
+  logDestination:
+    cloud: true
+    logToAgent: true
+    stdout:
+      format: json-formatted
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: Policy
+metadata:
+    name: policy-example
+spec:
+    default:
+        mode: prevent-learn
+        accessControlPractices: [access-control-practice-example]
+        threatPreventionPractices: [threat-prevention-practice-example]
+        triggers: [log-trigger-example]
+        customResponse: custom-response-block-page-example
+        sourceIdentifiers: sources-identifier-example
+        trustedSources: trusted-sources-example
+        exceptions:
+        - exception-example
+---
+apiVersion: openappsec.io/v1beta2
+kind: ThreatPreventionPractice
+metadata:
+  name: threat-prevention-practice-example
+spec:
+  practiceMode: inherited
+  webAttacks:
+    overrideMode: inherited
+    minimumConfidence: high
+  intrusionPrevention:
+  # intrusion prevention (IPS) requires "Premium Edition"
+    overrideMode: inherited
+    maxPerformanceImpact: medium
+    minSeverityLevel: medium
+    minCveYear: 2016
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  fileSecurity:
+  # file security requires "Premium Edition"
+    overrideMode: inherited
+    minSeverityLevel: medium
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  snortSignatures:
+    # you must specify snort signatures in configmap or file to activate snort inspection
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  schemaValidation: # schema validation requires "Premium Edition"
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  antiBot: # antibot requires "Premium Edition"
+    overrideMode: inherited
+    injectedUris: []
+    validatedUris: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: TrustedSource
+metadata:
+  name: trusted-sources-example
+spec:
+  minNumOfSources: 3
+  sourcesIdentifiers:
+    - 1.0.0.27
+    - 1.0.0.28
+    - 1.0.0.29
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: SourcesIdentifier
+metadata:
+  name: sources-identifier-example
+spec:
+  sourcesIdentifiers:
+    - identifier: sourceip
+      value:
+        - "192.168.1.1" 
+        - "10.0.0.1"
+

config/k8s/v1beta2/open-appsec-k8s-prevent-config-v1beta2.yaml

@@ -14,7 +14,7 @@ spec:
     - default-threat-prevention-practice
     accessControlPractices:
     - default-access-control-practice
-    customResponses: default-web-user-response
+    customResponse: default-web-user-response
     triggers:
     - default-log-trigger
   specificRules:
@@ -62,7 +62,7 @@ spec:
     files: []
     # relevant for docker and linux embedded deployments
     # 0 or 1 files supported in array
-  openapiSchemaValidation: # schema validation requires "Premium Edition"
+  schemaValidation: # schema validation requires "Premium Edition"
     overrideMode: inherited
     configmap: []
     # relevant for deployments on kubernetes

config/k8s/v1beta2/open-appsec-k8s-v1beta2.yaml

@@ -0,0 +1,106 @@
+apiVersion: openappsec.io/v1beta2
+kind: Policy
+metadata:
+    name: open-appsec-best-practice-policy
+spec:
+    default:
+        mode: prevent-learn
+        accessControlPractices: []
+        threatPreventionPractices: []
+        triggers: [appsec-log-trigger]
+        customResponse: 403-forbidden
+        sourceIdentifiers: ""
+        trustedSources: ""
+        exceptions: []
+---
+
+apiVersion: openappsec.io/v1beta2
+kind: ThreatPreventionPractice
+metadata:
+  name: appsec-best-practice
+spec:
+  antiBot:
+    injectedUris: []
+    overrideMode: prevent
+    validatedUris: []
+  fileSecurity:
+    archiveInspection:
+      archivedFilesWhereContentExtractionFailed: detect
+      archivedFilesWithinArchivedFiles: prevent
+      extractArchiveFiles: true
+      scanMaxFileSize: 30
+      scanMaxFileSizeUnit: GB
+    largeFileInspection:
+      fileSizeLimit: 50
+      fileSizeLimitUnit: KB
+      filesExceedingSizeLimitAction: detect
+    highConfidenceEventAction: prevent
+    lowConfidenceEventAction: detect
+    mediumConfidenceEventAction: prevent
+    minSeverityLevel: medium
+    overrideMode: prevent
+    threatEmulationEnabled: false
+    unnamedFilesAction: prevent
+  intrusionPrevention:
+    highConfidenceEventAction: prevent
+    lowConfidenceEventAction: detect
+    maxPerformanceImpact: medium
+    mediumConfidenceEventAction: prevent
+    minCveYear: 2016
+    minSeverityLevel: medium
+    overrideMode: prevent
+  practiceMode: prevent
+  schemaValidation:
+    configmap:
+    - openapi-config
+    enforcementLevel: fullSchema
+    overrideMode: prevent
+  snortSignatures:
+    configmap:
+    - alert-config
+    overrideMode: prevent
+  webAttacks:
+    maxBodySizeKb: 1000000
+    maxHeaderSizeBytes: 102400
+    maxObjectDepth: 40
+    maxUrlSizeBytes: 32768
+    minimumConfidence: high
+    overrideMode: prevent
+---
+apiVersion: openappsec.io/v1beta2
+kind: LogTrigger
+metadata:
+  name: appsec-log-trigger
+spec:
+  accessControlLogging:
+    allowEvents: false
+    dropEvents: true
+  appsecLogging:
+    detectEvents: true
+    preventEvents: true
+    allWebRequests: false
+  additionalSuspiciousEventsLogging:
+    enabled: true
+    minSeverity: high # {high|critical}
+    responseBody: false
+    responseCode: true
+  extendedLogging:
+    urlPath: true
+    urlQuery: true
+    httpHeaders: false
+    requestBody: false
+  logDestination:
+    cloud: true
+    logToAgent: true
+    stdout:
+      format: json-formatted
+---
+apiVersion: openappsec.io/v1beta2
+kind: CustomResponse
+metadata:
+  name: 403-forbidden
+spec:
+  mode: response-code-only ## configurable modes: {block-page|redirect|response-code-only}
+  messageTitle: ""
+  messageBody: ""
+  httpResponseCode: 403