Mateo Burillo mateobur

## big_files.sh
#!/bin/bash

#MINSIZE default ~ 100 MB
MINSIZE=102400

find / -type f -size +"$MINSIZE"k -exec du -sh {} \; 2>/dev/null | sort -rh

## kubernetesservicemetadata.txt
$ kubectl describe service result
Name:              result
Namespace:         example-voting-app
Labels:            name=result
Annotations:       <none>
Selector:          app=example-voting-app,name=result,role=resultapp
Type:              ClusterIP
IP:                172.30.225.249
Port:              <unset>  80/TCP
TargetPort:        80/TCP

## kubernetesmetadata.txt
$ kubectl describe pod db-6b8968c69-dq2v2
Name:               db-6b8968c69-dq2v2
Namespace:          example-voting-app
Node:               ip-10-0-0-12.ec2.internal/10.0.0.12
Controlled By:      ReplicaSet/db-6b8968c69
Labels:             app=example-voting-app
                    name=db
                    pod-template-hash=264524725
                    role=sqldb
IP:                 10.129.0.140

## pod-kubelet.json
{
  "id": "520c9307e00f8001968de85c60e7a2f92d14cfa975d3f0ed13ed80bf2de64834",
  "name": "/kubepods/besteffort/pod5c793840-3b87-11e9-b115-080027a63b2e/520c9307e00f8001968de85c60e7a2f92d14cfa975d3f0ed13ed80bf2de64834",
  "aliases": [
    "k8s_falco_falco-daemonset-cnjl5_default_5c793840-3b87-11e9-b115-080027a63b2e_3",
    "520c9307e00f8001968de85c60e7a2f92d14cfa975d3f0ed13ed80bf2de64834"
  ],
  "namespace": "docker",
  "spec": {
    "creation_time": "2019-02-28T20:05:53.28609329Z",

## Docker_scan_ValidatingWebhookConfiguration.yaml
Anchore engine policy validator is now installed.

Create a validating webhook resources to start enforcement:

KUBE_CA=$(kubectl config view --minify=true --flatten -o json | jq '.clusters[0].cluster."certificate-authority-data"' -r)
cat > validating-webook.yaml <<EOF
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: analysis-anchore-policy-validator.admission.anchore.io

## vlany
H4sIAIP0NVsAA+w9a3PjxpH7Wb9isq7EpIpvSlRqdRtHK9G7irmSStLa8e1toSBgQCICARQGICVv
/D0f46rzXdVV5c/ll1z3PIABCBKQrFXsWLMqCejp7unpme7peWEXnunftucmi2nUffZpUg/S3t4u
/u3v7fb0vyo96w+H/d3h3qA/2nnW6w92e8NnZPcTyZNLCYvNiJBnczOmwQa8qvxfaFro7c9fOtZD
l4ENPMJ2LW3/4ai3g+3f6/f7o/7ezgDaf7i3N3hGeg8tSFn6lbd/d5tskW3yaZLk/M//+Rv+/Pi/
+rMOzODpD8BzL2so0+dCUT/ozzowA//3P3/8O/4U2GbMM/of/29FKiT/x50LLVbyh4zbSgE/kKxc
rcxUqeuEqlXbTDydj0aqgXmpaS8pF2pN/XIcVzWzwuuHgjbTromYogL4848iIMtRcA2lDJbyIVrm
HS2BY0+OjLPz8eT04IhEQRBfuzFxgojc/H7Uwl/GaKdFTN8mB+dviRlZMzemVpxElHFqK5iHHo0p
WbrxjExdm1yZjNokjAKLMkZmru3601aJXDdmHEcS23E9ugHVp/EyiK5JGETxBjTTj922TVE+N/Bb
6v0qKcUOacRcGDT8mLg+uFDPMzlZCSq9odaCYl3noAlWhnJ28JY0GJt1mROHTaiWdW0HQVQqpmXR
MG40ycXFpBt6puvH9CbeSEJNdtuOg3bCaE5YwqzIDeMyEte3Imq7V94tNOsVjBEgvu+40yTilOs6

## redis_prometheus_exporter.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: redis
spec:
  replicas: 1
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"

## prometheus-example.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus-deployment
  labels:
    app: prometheus
    purpose: example
spec:
  replicas: 2
  selector:

## FalcoNginxRuleset.yaml
- macro: nginx_consider_syscalls
  condition: (evt.num < 0)

- macro: app_nginx
  condition: container and container.image contains "nginx"

# Any outbound traffic raises a WARNING

- rule: Unauthorized process opened an outbound connection (nginx)
  desc: A nginx process tried to open an outbound connection and is not whitelisted

## sysdigsecureevent.json
{
	"timestamp": 1518849360000000,
	"timespan": 60000000,
	"alert": {
		"severity": 4,
		"editUrl": null,
		"scope": null,
		"name": "Policy 59: FILE POLICY: Read sensitive file untrusted",
		"description": "an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.",
		"id": null
	#!/bin/bash

	#MINSIZE default ~ 100 MB
	MINSIZE=102400

	find / -type f -size +"$MINSIZE"k -exec du -sh {} \; 2>/dev/null \| sort -rh
	$ kubectl describe service result
	Name: result
	Namespace: example-voting-app
	Labels: name=result
	Annotations: <none>
	Selector: app=example-voting-app,name=result,role=resultapp
	Type: ClusterIP
	IP: 172.30.225.249
	Port: <unset> 80/TCP
	TargetPort: 80/TCP
	$ kubectl describe pod db-6b8968c69-dq2v2
	Name: db-6b8968c69-dq2v2
	Namespace: example-voting-app
	Node: ip-10-0-0-12.ec2.internal/10.0.0.12
	Controlled By: ReplicaSet/db-6b8968c69
	Labels: app=example-voting-app
	name=db
	pod-template-hash=264524725
	role=sqldb
	IP: 10.129.0.140
	{
	"id": "520c9307e00f8001968de85c60e7a2f92d14cfa975d3f0ed13ed80bf2de64834",
	"name": "/kubepods/besteffort/pod5c793840-3b87-11e9-b115-080027a63b2e/520c9307e00f8001968de85c60e7a2f92d14cfa975d3f0ed13ed80bf2de64834",
	"aliases": [
	"k8s_falco_falco-daemonset-cnjl5_default_5c793840-3b87-11e9-b115-080027a63b2e_3",
	"520c9307e00f8001968de85c60e7a2f92d14cfa975d3f0ed13ed80bf2de64834"
	],
	"namespace": "docker",
	"spec": {
	"creation_time": "2019-02-28T20:05:53.28609329Z",
	Anchore engine policy validator is now installed.

	Create a validating webhook resources to start enforcement:

	KUBE_CA=$(kubectl config view --minify=true --flatten -o json \| jq '.clusters[0].cluster."certificate-authority-data"' -r)
	cat > validating-webook.yaml <<EOF
	apiVersion: admissionregistration.k8s.io/v1beta1
	kind: ValidatingWebhookConfiguration
	metadata:
	name: analysis-anchore-policy-validator.admission.anchore.io
	H4sIAIP0NVsAA+w9a3PjxpH7Wb9isq7EpIpvSlRqdRtHK9G7irmSStLa8e1toSBgQCICARQGICVv
	/D0f46rzXdVV5c/ll1z3PIABCBKQrFXsWLMqCejp7unpme7peWEXnunftucmi2nUffZpUg/S3t4u
	/u3v7fb0vyo96w+H/d3h3qA/2nnW6w92e8NnZPcTyZNLCYvNiJBnczOmwQa8qvxfaFro7c9fOtZD
	l4ENPMJ2LW3/4ai3g+3f6/f7o/7ezgDaf7i3N3hGeg8tSFn6lbd/d5tskW3yaZLk/M//+Rv+/Pi/
	+rMOzODpD8BzL2so0+dCUT/ozzowA//3P3/8O/4U2GbMM/of/29FKiT/x50LLVbyh4zbSgE/kKxc
	rcxUqeuEqlXbTDydj0aqgXmpaS8pF2pN/XIcVzWzwuuHgjbTromYogL4848iIMtRcA2lDJbyIVrm
	HS2BY0+OjLPz8eT04IhEQRBfuzFxgojc/H7Uwl/GaKdFTN8mB+dviRlZMzemVpxElHFqK5iHHo0p
	WbrxjExdm1yZjNokjAKLMkZmru3601aJXDdmHEcS23E9ugHVp/EyiK5JGETxBjTTj922TVE+N/Bb
	6v0qKcUOacRcGDT8mLg+uFDPMzlZCSq9odaCYl3noAlWhnJ28JY0GJt1mROHTaiWdW0HQVQqpmXR
	MG40ycXFpBt6puvH9CbeSEJNdtuOg3bCaE5YwqzIDeMyEte3Imq7V94tNOsVjBEgvu+40yTilOs6
	apiVersion: extensions/v1beta1
	kind: Deployment
	metadata:
	name: redis
	spec:
	replicas: 1
	template:
	metadata:
	annotations:
	prometheus.io/scrape: "true"
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: prometheus-deployment
	labels:
	app: prometheus
	purpose: example
	spec:
	replicas: 2
	selector:
	- macro: nginx_consider_syscalls
	condition: (evt.num < 0)

	- macro: app_nginx
	condition: container and container.image contains "nginx"

	# Any outbound traffic raises a WARNING

	- rule: Unauthorized process opened an outbound connection (nginx)
	desc: A nginx process tried to open an outbound connection and is not whitelisted
	{
	"timestamp": 1518849360000000,
	"timespan": 60000000,
	"alert": {
	"severity": 4,
	"editUrl": null,
	"scope": null,
	"name": "Policy 59: FILE POLICY: Read sensitive file untrusted",
	"description": "an attempt to read any sensitive file (e.g. files containing user/password/authentication information). Exceptions are made for known trusted programs.",
	"id": null