diff --git a/contribution/development_guide.md b/contribution/development_guide.md index 14998e3c77..1c9facb168 100644 --- a/contribution/development_guide.md +++ b/contribution/development_guide.md @@ -120,10 +120,10 @@ - "Started to serve gRPC-based log feeds" - "Started to monitor system events" - - "Started to protect a host and containers" + - "Started to protect a host and containers" (if -enableHostPolicy is set) - "Started to monitor Pod events" - "Started to monitor security policies" - - "Started to monitor host security policies" + - "Started to monitor host security policies" (if -enableHostPolicy is set) - "Started to monitor {Docker|Containrd} events" - "Detected a Pod (added/...)" diff --git a/getting-started/host_security_policy_examples.md b/getting-started/host_security_policy_examples.md index d0a934f77e..aceffa1826 100644 --- a/getting-started/host_security_policy_examples.md +++ b/getting-started/host_security_policy_examples.md @@ -14,7 +14,6 @@ Here, we demonstrate how to define host security policies. nodeSelector: matchLabels: kubernetes.io/hostname: ubuntu20 - severity: 5 process: matchPaths: - path: /usr/bin/sleep # try sleep 1 @@ -36,7 +35,6 @@ Here, we demonstrate how to define host security policies. nodeSelector: matchLabels: kubernetes.io/hostname: ubuntu20 - severity: 5 file: matchPaths: - path: /etc/shadow # cat /etc/shadow diff --git a/getting-started/host_security_policy_specification.md b/getting-started/host_security_policy_specification.md index 138aec4397..fd372557fe 100644 --- a/getting-started/host_security_policy_specification.md +++ b/getting-started/host_security_policy_specification.md @@ -11,11 +11,8 @@ metadata: name: [policy name] spec: - severity: [1-10] - - tag: # --> optional - - [tag] - + severity: [1-10] # --> optional (1 by default) + tags: ["tag", ...] # --> optional message: [message] # --> optional nodeSelector: 
@@ -82,7 +79,7 @@ spec: - dir: [absolute directory path] recursive: [true|false] - action: [Audit|Allow|Block|AllowWithAudit|BlockWithAudit] + action: [Audit|Allow|Block|AllowWithAudit|BlockWithAudit] (Block by default) ``` ## Policy Spec Description @@ -111,14 +108,12 @@ Now, we will briefly explain how to define a host security policy. severity: [1-10] ``` -* Tag +* Tags - The tag part is optional. You can define multiple tags (e.g., WARNNING, SENSITIVE, MITRE, STIG, etc.) to categorize security policies. + The tags part is optional. You can define multiple tags (e.g., WARNNING, SENSITIVE, MITRE, STIG, etc.) to categorize security policies. ```text - tag: - - [tag1] - - [tagN] + tags: ["tag1", ..., "tagN"] ``` * Message diff --git a/getting-started/security_policy_examples.md b/getting-started/security_policy_examples.md index 41d9395b66..02cdc8a636 100644 --- a/getting-started/security_policy_examples.md +++ b/getting-started/security_policy_examples.md @@ -12,7 +12,6 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-group-1-proc-path-block namespace: multiubuntu spec: - severity: 5 selector: matchLabels: group: group-1 @@ -35,7 +34,6 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-ubuntu-1-proc-dir-block namespace: multiubuntu spec: - severity: 1 selector: matchLabels: container: ubuntu-1 @@ -58,7 +56,6 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-ubuntu-2-proc-dir-recursive-block namespace: multiubuntu spec: - severity: 2 selector: matchLabels: container: ubuntu-2 @@ -82,7 +79,6 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-ubuntu-3-proc-dir-allow namespace: multiubuntu spec: - severity: 5 selector: matchLabels: container: ubuntu-3 
@@ -109,7 +105,6 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-ubuntu-3-proc-path-owner-allow namespace: multiubuntu spec: - severity: 7 selector: matchLabels: container: ubuntu-3 @@ -142,7 +137,6 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-ubuntu-4-file-path-readonly-allow namespace: multiubuntu spec: - severity: 10 selector: matchLabels: container: ubuntu-4 @@ -170,7 +164,6 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-ubuntu-5-file-dir-recursive-block namespace: multiubuntu spec: - severity: 9 selector: matchLabels: container: ubuntu-5 @@ -194,7 +187,6 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-ubuntu-5-net-icmp-block namespace: multiubuntu spec: - severity: 8 selector: matchLabels: container: ubuntu-5 @@ -217,7 +209,6 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-ubuntu-1-cap-net-raw-block namespace: multiubuntu spec: - severity: 1 selector: matchLabels: container: ubuntu-1 diff --git a/getting-started/security_policy_specification.md b/getting-started/security_policy_specification.md index bf91960257..18841be88d 100644 --- a/getting-started/security_policy_specification.md +++ b/getting-started/security_policy_specification.md @@ -12,11 +12,8 @@ metadata: namespace: [namespace name] spec: - severity: [1-10] - - tag: # --> optional - - [tag] - + severity: [1-10] # --> optional (1 by default) + tags: ["tag", ...] # --> optional message: [message] # --> optional selector: @@ -83,7 +80,7 @@ spec: - dir: [absolute directory path] recursive: [true|false] - action: [Audit|Allow|Block|AllowWithAudit|BlockWithAudit] + action: [Audit|Allow|Block|AllowWithAudit|BlockWithAudit] (Block by default) ``` ## Policy Spec Description 
@@ -110,14 +107,12 @@ Now, we will briefly explain how to define a security policy. severity: [1-10] ``` -* Tag +* Tags - The tag part is optional. You can define multiple tags (e.g., WARNNING, SENSITIVE, MITRE, STIG, etc.) to categorize security policies. + The tags part is optional. You can define multiple tags (e.g., WARNNING, SENSITIVE, MITRE, STIG, etc.) to categorize security policies. ```text - tag: - - [tag1] - - [tagN] + tags: ["tag1", ..., "tagN"] ``` * Message
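Review bot: In contribution/development_guide.md (hunk @@ -120,10 +120,10), the two "(if -enableHostPolicy is set)" qualifiers do not say what a reader should conclude when those messages are missing. A sentence after the list stating that "Started to protect a host and containers" and "Started to monitor host security policies" do not appear unless -enableHostPolicy is passed would stop their absence being read as a startup failure. The context line "Started to monitor {Docker|Containrd} events" also has a typo (Containerd) that could be fixed in the same change.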
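Review bot: In getting-started/host_security_policy_examples.md and getting-started/security_policy_examples.md, every hunk drops the `severity:` line, so no example shows the field any more and all of them fall back to the default the spec now documents ("1 by default"), where they previously used values from 1 to 10. Keep an explicit `severity:` in at least one example per file, or add a sentence near the top of each file saying the examples rely on the default, so readers still see how to raise the severity of a rule such as the `/etc/shadow` one.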
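Review bot: In the spec template hunks of getting-started/host_security_policy_specification.md (@@ -11,11 +11,8) and getting-started/security_policy_specification.md (@@ -12,11 +12,8), the key is renamed from `tag:` to `tags:` without any note on what happens to existing policies that still use `tag:`. State in the description section whether the old key is still accepted or is now rejected or ignored, so users know whether deployed policies need to be edited.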
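Review bot: On the `action:` line in getting-started/host_security_policy_specification.md (@@ -82,7 +79,7) and getting-started/security_policy_specification.md (@@ -83,7 +80,7), the default is written as a bare "(Block by default)" after the value, while the other annotations in the same template use the comment form, as in `severity: [1-10] # --> optional (1 by default)`. Write it as `action: [Audit|Allow|Block|AllowWithAudit|BlockWithAudit] # --> Block by default` so the annotation stays a YAML comment and the template is consistent. If the field may be omitted, mark it optional the same way.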
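Review bot: In the "Tags" description hunks (host_security_policy_specification.md @@ -111,14 +108,12 and security_policy_specification.md @@ -110,14 +107,12), the rewritten sentence carries over the misspelling "WARNNING"; since the line is being changed anyway, correct it to "WARNING". The `severity: [1-10]` block shown as context just above is also left as is, so the description section does not yet reflect the "optional (1 by default)" wording added to the template at the top of each file; update it in the same change.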