Create open-appsec-k8s-v1beta2.yaml

Update local_policy.yaml

README.md

@@ -74,7 +74,7 @@ For Linux, if you’ve built your own package use the following commands:
 
 ```bash
 $ install-cp-nano-agent.sh --install --hybrid_mode
-$ install-cp-nano-service-http-transaction-handler.sh –install
+$ install-cp-nano-service-http-transaction-handler.sh --install
 $ install-cp-nano-attachment-registration-manager.sh --install
 ```
 You can add the ```--token <token>``` and ```--email <email address>``` options to the first command, to get a token follow [documentation](https://docs.openappsec.io/getting-started/using-the-web-ui-saas/connect-deployed-agents-to-saas-management-k8s-and-linux). 

config/crds/open-appsec-crd-v1beta2.yaml

@@ -138,6 +138,8 @@ spec:
                   items:
                     type: object
                     properties:
+                      name:
+                        type: string
                       host:
                         type: string
                       mode:
@@ -182,142 +184,6 @@ spec:
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
-metadata :
-  name : practices.openappsec.io
-
-spec:
-  group: openappsec.io
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      schema:
-        openAPIV3Schema:
-          type: object
-          properties:
-            spec:
-              type: object
-              properties:
-                web-attacks:
-                  type: object
-                  properties:
-                    override-mode:
-                      type: string
-                      enum:
-                        - prevent-learn
-                        - detect-learn
-                        - prevent
-                        - detect
-                        - inactive
-                    minimum-confidence:
-                      type: string
-                      enum:
-                        - medium
-                        - high
-                        - critical
-                    max-url-size-bytes:
-                      type: integer
-                    max-object-depth:
-                      type: integer
-                    max-body-size-kb:
-                      type: integer
-                    max-header-size-bytes:
-                      type: integer
-                    protections:
-                      type: object
-                      properties:
-                        csrf-enabled:
-                          type: string
-                          enum:
-                            - prevent-learn
-                            - detect-learn
-                            - prevent
-                            - detect
-                            - inactive
-                        error-disclosure-enabled:
-                          type: string
-                          enum:
-                            - prevent-learn
-                            - detect-learn
-                            - prevent
-                            - detect
-                            - inactive
-                        open-redirect-enabled:
-                          type: string
-                          enum:
-                            - prevent-learn
-                            - detect-learn
-                            - prevent
-                            - detect
-                            - inactive
-                        non-valid-http-methods:
-                          type: boolean
-                anti-bot:
-                  type: object
-                  properties:
-                    override-mode:
-                      type: string
-                      enum:
-                        - prevent-learn
-                        - detect-learn
-                        - prevent
-                        - detect
-                        - inactive
-                    injected-URIs:
-                      type: array
-                      items:
-                        type: object
-                        properties:
-                          uri:
-                            type: string
-                    validated-URIs:
-                      type: array
-                      items:
-                        type: object
-                        properties:
-                          uri:
-                            type: string
-                snort-signatures:
-                  type: object
-                  properties:
-                    override-mode:
-                      type: string
-                      enum:
-                        - prevent-learn
-                        - detect-learn
-                        - prevent
-                        - detect
-                        - inactive
-                    configmap:
-                      type: array
-                      items:
-                        type: string
-                openapi-schema-validation:
-                  type: object
-                  properties:
-                    override-mode:
-                      type: string
-                      enum:
-                        - prevent-learn
-                        - detect-learn
-                        - prevent
-                        - detect
-                        - inactive
-                    configmap:
-                      type: array
-                      items:
-                        type: string
-
-  scope: Cluster
-  names:
-    plural: practices
-    singular: practice
-    kind: Practice
-    shortNames:
-      - practice
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
 metadata :
   name : accesscontrolpractices.openappsec.io
   creationTimestamp: null
@@ -338,8 +204,6 @@ spec:
               properties:
                 appsecClassName:
                   type: string
-                name:
-                  type: string
                 practiceMode:
                   type: string
                   enum:
@@ -431,7 +295,7 @@ spec:
                   type: string
                   enum:
                     - block-page
-                    #- redirect
+                    - redirect
                     - response-code-only
                 message-title:
                   type: string
@@ -455,8 +319,6 @@ spec:
               properties:
                 appsecClassName:
                   type: string
-                name:
-                  type: string
                 mode:
                   type: string
                   enum:
@@ -569,8 +431,6 @@ spec:
               properties:
                 appsecClassName:
                   type: string
-                name:
-                  type: string
                 action:
                   type: string
                   enum:
@@ -718,8 +578,6 @@ spec:
               properties:
                 appsecClassName:
                   type: string
-                name:
-                  type: string
                 accessControlLogging:
                   type: object
                   properties:
@@ -801,8 +659,8 @@ spec:
                             - json
                             - json-formatted
                           default: json
-                    k8s-service:
+                    local-tuning:
-                      type: boolean # Default value is dependant on the environment type
+                      type: boolean
                     cefService:
                       type: array
                       items:
@@ -873,8 +731,6 @@ spec:
               properties:
                 appsecClassName:
                   type: string
-                name:
-                  type: string
                 sourcesIdentifiers: # required, minItems: 1
                   type: array
                   items:
@@ -929,8 +785,6 @@ spec:
               properties:
                 appsecClassName:
                   type: string
-                name:
-                  type: string
                 practiceMode:
                   type: string
                   enum:
@@ -1078,6 +932,8 @@ spec:
                         - inactive
                         - inherited #inherited from threatPreventionPractice mode set in policy
                       default: inactive
+                    enforcementLevel:
+                      type: string
                     configmap:
                       type: array
                       items:
@@ -1303,8 +1159,6 @@ spec:
               properties:
                 appsecClassName:
                   type: string
-                name:
-                  type: string
                 minNumOfSources:
                   type: integer
                   default: 3

config/k8s/v1beta2/open-appsec-k8s-default-config-v1beta2.yaml

@@ -14,7 +14,7 @@ spec:
     - default-threat-prevention-practice
     accessControlPractices:
     - default-access-control-practice
-    customResponses: default-web-user-response
+    customResponse: default-web-user-response
     triggers:
     - default-log-trigger
   specificRules:
@@ -62,7 +62,7 @@ spec:
     files: []
     # relevant for docker and linux embedded deployments
     # 0 or 1 files supported in array
-  openapiSchemaValidation: # schema validation requires "Premium Edition"
+  schemaValidation: # schema validation requires "Premium Edition"
     overrideMode: inherited
     configmap: []
     # relevant for deployments on kubernetes

config/k8s/v1beta2/open-appsec-k8s-full-example-config-v1beta2.yaml

@@ -0,0 +1,163 @@
+apiVersion: openappsec.io/v1beta2
+kind: AccessControlPractice
+metadata:
+  name: access-control-practice-example
+spec:
+  practiceMode: prevent
+  rateLimit:
+    overrideMode: inherited
+    rules:
+    - action: prevent
+      comment: Limiting access to the resource
+      limit: 100
+      triggers:
+      - log-trigger-example
+      unit: minute
+      uri: /api/resource
+    - action: inherited
+      comment: Rate limiting for authentication requests
+      limit: 50
+      triggers:
+      - log-trigger-example
+      unit: second
+      uri: /api/auth
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: CustomResponse
+metadata:
+  name: custom-response-block-page-example
+spec:
+  mode: block-page
+  messageTitle: "Access Denied"
+  messageBody: "Your request was blocked for security reasons."
+  httpResponseCode: 403
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: Exception
+metadata:
+  name: exception-example
+spec:
+  action: accept
+  condition:
+    - key: countryCode
+      value: US
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: LogTrigger
+metadata:
+  name: log-trigger-example
+spec:
+  accessControlLogging:
+    allowEvents: false
+    dropEvents: true
+  appsecLogging:
+    detectEvents: true
+    preventEvents: true
+    allWebRequests: false
+  additionalSuspiciousEventsLogging:
+    enabled: true
+    minSeverity: high # {high|critical}
+    responseBody: false
+    responseCode: true
+  extendedLogging:
+    urlPath: true
+    urlQuery: true
+    httpHeaders: false
+    requestBody: false
+  logDestination:
+    cloud: true
+    logToAgent: true
+    stdout:
+      format: json-formatted
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: Policy
+metadata:
+    name: policy-example
+spec:
+    default:
+        mode: prevent-learn
+        accessControlPractices: [access-control-practice-example]
+        threatPreventionPractices: [threat-prevention-practice-example]
+        triggers: [log-trigger-example]
+        customResponse: custom-response-block-page-example
+        sourceIdentifiers: sources-identifier-example
+        trustedSources: trusted-sources-example
+        exceptions:
+        - exception-example
+---
+apiVersion: openappsec.io/v1beta2
+kind: ThreatPreventionPractice
+metadata:
+  name: threat-prevention-practice-example
+spec:
+  practiceMode: inherited
+  webAttacks:
+    overrideMode: inherited
+    minimumConfidence: high
+  intrusionPrevention:
+  # intrusion prevention (IPS) requires "Premium Edition"
+    overrideMode: inherited
+    maxPerformanceImpact: medium
+    minSeverityLevel: medium
+    minCveYear: 2016
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  fileSecurity:
+  # file security requires "Premium Edition"
+    overrideMode: inherited
+    minSeverityLevel: medium
+    highConfidenceEventAction: inherited
+    mediumConfidenceEventAction: inherited
+    lowConfidenceEventAction: detect
+  snortSignatures:
+    # you must specify snort signatures in configmap or file to activate snort inspection
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  schemaValidation: # schema validation requires "Premium Edition"
+    overrideMode: inherited
+    configmap: []
+    # relevant for deployments on kubernetes
+    # 0 or 1 configmaps supported in array
+    files: []
+    # relevant for docker and linux embedded deployments
+    # 0 or 1 files supported in array
+  antiBot: # antibot requires "Premium Edition"
+    overrideMode: inherited
+    injectedUris: []
+    validatedUris: []
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: TrustedSource
+metadata:
+  name: trusted-sources-example
+spec:
+  minNumOfSources: 3
+  sourcesIdentifiers:
+    - 1.0.0.27
+    - 1.0.0.28
+    - 1.0.0.29
+
+---
+apiVersion: openappsec.io/v1beta2
+kind: SourcesIdentifier
+metadata:
+  name: sources-identifier-example
+spec:
+  sourcesIdentifiers:
+    - identifier: sourceip
+      value:
+        - "192.168.1.1" 
+        - "10.0.0.1"
+

config/k8s/v1beta2/open-appsec-k8s-prevent-config-v1beta2.yaml

@@ -14,7 +14,7 @@ spec:
     - default-threat-prevention-practice
     accessControlPractices:
     - default-access-control-practice
-    customResponses: default-web-user-response
+    customResponse: default-web-user-response
     triggers:
     - default-log-trigger
   specificRules:
@@ -62,7 +62,7 @@ spec:
     files: []
     # relevant for docker and linux embedded deployments
     # 0 or 1 files supported in array
-  openapiSchemaValidation: # schema validation requires "Premium Edition"
+  schemaValidation: # schema validation requires "Premium Edition"
     overrideMode: inherited
     configmap: []
     # relevant for deployments on kubernetes

config/k8s/v1beta2/open-appsec-k8s-v1beta2.yaml

@@ -0,0 +1,106 @@
+apiVersion: openappsec.io/v1beta2
+kind: Policy
+metadata:
+    name: open-appsec-best-practice-policy
+spec:
+    default:
+        mode: prevent-learn
+        accessControlPractices: []
+        threatPreventionPractices: []
+        triggers: [appsec-log-trigger]
+        customResponse: 403-forbidden
+        sourceIdentifiers: ""
+        trustedSources: ""
+        exceptions: []
+---
+
+apiVersion: openappsec.io/v1beta2
+kind: ThreatPreventionPractice
+metadata:
+  name: appsec-best-practice
+spec:
+  antiBot:
+    injectedUris: []
+    overrideMode: prevent
+    validatedUris: []
+  fileSecurity:
+    archiveInspection:
+      archivedFilesWhereContentExtractionFailed: detect
+      archivedFilesWithinArchivedFiles: prevent
+      extractArchiveFiles: true
+      scanMaxFileSize: 30
+      scanMaxFileSizeUnit: GB
+    largeFileInspection:
+      fileSizeLimit: 50
+      fileSizeLimitUnit: KB
+      filesExceedingSizeLimitAction: detect
+    highConfidenceEventAction: prevent
+    lowConfidenceEventAction: detect
+    mediumConfidenceEventAction: prevent
+    minSeverityLevel: medium
+    overrideMode: prevent
+    threatEmulationEnabled: false
+    unnamedFilesAction: prevent
+  intrusionPrevention:
+    highConfidenceEventAction: prevent
+    lowConfidenceEventAction: detect
+    maxPerformanceImpact: medium
+    mediumConfidenceEventAction: prevent
+    minCveYear: 2016
+    minSeverityLevel: medium
+    overrideMode: prevent
+  practiceMode: prevent
+  schemaValidation:
+    configmap:
+    - openapi-config
+    enforcementLevel: fullSchema
+    overrideMode: prevent
+  snortSignatures:
+    configmap:
+    - alert-config
+    overrideMode: prevent
+  webAttacks:
+    maxBodySizeKb: 1000000
+    maxHeaderSizeBytes: 102400
+    maxObjectDepth: 40
+    maxUrlSizeBytes: 32768
+    minimumConfidence: high
+    overrideMode: prevent
+---
+apiVersion: openappsec.io/v1beta2
+kind: LogTrigger
+metadata:
+  name: appsec-log-trigger
+spec:
+  accessControlLogging:
+    allowEvents: false
+    dropEvents: true
+  appsecLogging:
+    detectEvents: true
+    preventEvents: true
+    allWebRequests: false
+  additionalSuspiciousEventsLogging:
+    enabled: true
+    minSeverity: high # {high|critical}
+    responseBody: false
+    responseCode: true
+  extendedLogging:
+    urlPath: true
+    urlQuery: true
+    httpHeaders: false
+    requestBody: false
+  logDestination:
+    cloud: true
+    logToAgent: true
+    stdout:
+      format: json-formatted
+---
+apiVersion: openappsec.io/v1beta2
+kind: CustomResponse
+metadata:
+  name: 403-forbidden
+spec:
+  mode: response-code-only ## configurable modes: {block-page|redirect|response-code-only}
+  messageTitle: ""
+  messageBody: ""
+  httpResponseCode: 403

config/linux/v1beta1/detect/local_policy.yaml

@@ -12,17 +12,17 @@ practices:
   - name: webapp-default-practice
     openapi-schema-validation:
       configmap: []
-      override-mode: detect-learn
+      override-mode: as-top-level
     snort-signatures:
       configmap: []
-      override-mode: detect-learn
+      override-mode: as-top-level
     web-attacks:
       max-body-size-kb: 1000000
       max-header-size-bytes: 102400
       max-object-depth: 40
       max-url-size-bytes: 32768
       minimum-confidence: critical
-      override-mode: detect-learn
+      override-mode: as-top-level
       protections:
         csrf-protection: inactive
         error-disclosure: inactive
@@ -31,7 +31,7 @@ practices:
     anti-bot:
       injected-URIs: []
       validated-URIs: []
-      override-mode: detect-learn
+      override-mode: as-top-level
 
 log-triggers:
   - name: appsec-default-log-trigger

config/linux/v1beta1/prevent/local_policy.yaml

@@ -12,17 +12,17 @@ practices:
   - name: webapp-default-practice
     openapi-schema-validation:
       configmap: []
-      override-mode: prevent-learn
+      override-mode: as-top-level
     snort-signatures:
       configmap: []
-      override-mode: prevent-learn
+      override-mode: as-top-level
     web-attacks:
       max-body-size-kb: 1000000
       max-header-size-bytes: 102400
       max-object-depth: 40
       max-url-size-bytes: 32768
       minimum-confidence: critical
-      override-mode: prevent-learn
+      override-mode: as-top-level
       protections:
         csrf-protection: inactive
         error-disclosure: inactive
@@ -31,7 +31,7 @@ practices:
     anti-bot:
       injected-URIs: []
       validated-URIs: []
-      override-mode: prevent-learn
+      override-mode: as-top-level
 
 log-triggers:
   - name: appsec-default-log-trigger

deployment/nginx/docker-compose.yaml

@@ -11,6 +11,7 @@ services:
       - user_email=${USER_EMAIL}
       - AGENT_TOKEN=${APPSEC_AGENT_TOKEN}
       - autoPolicyLoad=${APPSEC_AUTO_POLICY_LOAD}
+      - registered_server="NGINX Server"
     ipc: shareable
     volumes:
       - ${APPSEC_CONFIG}:/etc/cp/conf
@@ -94,7 +95,7 @@ services:
 ## uncomment this block for testing purposes only, make sure to also adjust the nginx.conf file 
 ## to include a proxy_pass directive forwarding external traffic on e.g. port 80 to the juiceshop-backend container
 ## you can use the example file available here:
-## https://github.com/openappsec/openappsec/blob/main/examples/juiceshop/default.conf
+## https://raw.githubusercontent.com/openappsec/openappsec/refs/heads/main/examples/juiceshop/default.conf
 ## place the file above in {NGINX_CONF_DIR} and uncomment the two lines for creating a volume mount
 ## in the appsec-nginx service definition
 ## note that juiceshop container listens on HTTP port 3000 by default

deployment/swag/docker-compose.yaml

@@ -30,7 +30,7 @@ services:
     restart: unless-stopped
     environment:
       - user_email=user@email.com # adjust with your own email
-      - registered_server='SWAG Server'
+      - registered_server=SWAG Server
       # if autoPolicyLoad is set to true, open-appsec will apply
       # changes in local_policy.yaml automatically
       - autoPolicyLoad=true