Policies

Question 1

What is the heart of ACS?

Answer 1

policy engine

Question 2

What are the advantage of a single policy engine for all lifecycle stages?

Answer 2

Policy criteria can cross all lifecycles stages; build, deploy, run.

Question 3

How do you access the Policy menu?

Answer 3

Platform Configuration > Policy Management

Question 4

What are attributes of a policy?

Answer 4

Severity
Rationale
Guidance
Description
Policy criteria
Type
Category
Scope
Lifecycle stages
Event source

Question 5

Hey ACS philosophy

Answer 5

empower developers to understand and resolve security issues in their own deployments

Question 6

What is the benefit of build time policy enforcement?

Answer 6

allows the build process to fail as soon as a serious, fixable vulnerability is identified in an image.

Question 7

How do you configure policies for enforcement at build time?

Answer 7

command line or Pipelines.

Question 8

configure a policy for enforcement

Answer 8

1) Go to : Platform Configuration → Policy Management
2) Identify the policy and the three dots on the right
3) Click on the 3 dots to enable the policy

Question 9

CLI command to check image for violations of a policy

Answer 9

1) oc get route -n stackrox
2) roxctl -e $ROUTE:443 image check –image docker.io/vulnerables/cve-2017-7494 –insecure-skip-tls-verify

Question 10

Examples of build time policy enforcements

Answer 10

1) Trigger build-time violations for images and deployments on the CLI and CI/CD pipelines

2) Enforce a container image vulnerability violation at build time

3) Codify an image vulnerability violation enforcement in a pipeline

4) Warn about deployment attributes from the command line and Pipeline

Question 11

RHACS can prevent the deployment of applications that violate workflow, configuration, or security best practices before they become actively running containers. True or False?

Answer 11

True

Question 12

Two approaches to enforcing deploy-time policies in RHACS

Answer 12

1) In clusters with listen and enforce AdmissionController options enabled, RHACS uses the admission controller to reject deployments that violate policy.

2) In clusters where the enforcement option is disabled, RHACS scales pod replicas to zero for deployments that violate policy.

Question 13

How do you turn on admission controller

Answer 13

1) Platform Configuration > Clusters > Your cluster
2) Turn on feature related to Admission controller and dynamic sync

Question 14

Test if unscanned images are enforced

Answer 14

1) Verify that admission controller is enabled
2) Pick an image that was not scanned
3) Create an application with this image: oc run nonsense –image=test-nonsense:latest

Question 15

Prevent the deployment of applications that mishandle sensitive data

Answer 15

roxctl -e $CENTRAL:443 deployment check –file ./deployment.yaml –insecure-skip-tls-verify

Question 16

Example of use of Runtime policies

Answer 16

threat detection
thread prevention
incident investigation
incident response

Question 17

Runtime policy enforcement features

Answer 17

1) Prevent execution of package manager binary
2) Report and resolve violations
3) observes the processes running in containers
4) collects information about process to write policies.
5) create baseline policy configurations

Question 18

Why have a policy to prevent Eeecution of package manager binaries such as apk, apt, or yum?

Answer 18

using a package manager to install or remove software on a running container violates the immutable principle of container operation.

Question 19

How does ACS detects and avoids a runtime violation

Answer 19

1) using Linux kernel instrumentation to detect the running process
2) using K8S to terminate the pod for enforcement.

Question 20

Enable enforcement of a policy

Answer 20

1) Go to Platform Configuration > Policy Management > Policy
2) Edit the policy
3) Enable inform and enforce