Policies Flashcards
What is the heart of ACS?
policy engine
What is the advantage of a single policy engine for all lifecycle stages?
Policy criteria can span all lifecycle stages: build, deploy, run.
How do you access the Policy menu?
Platform Configuration > Policy Management
What are the attributes of a policy?
Severity
Rationale
Guidance
Description
Policy criteria
Type
Category
Scope
Lifecycle stages
Event source
Key ACS philosophy
empower developers to understand and resolve security issues in their own deployments
What is the benefit of build-time policy enforcement?
It allows the build process to fail as soon as a serious, fixable vulnerability is identified in an image.
How do you configure policies for enforcement at build time?
Via the command line or via Pipelines.
configure a policy for enforcement
1) Go to: Platform Configuration → Policy Management
2) Identify the policy and the three dots on the right
3) Click on the three dots to enable the policy
CLI commands to check an image for violations of a policy
1) oc get route -n stackrox
2) roxctl -e $ROUTE:443 image check --image docker.io/vulnerables/cve-2017-7494 --insecure-skip-tls-verify
Examples of build-time policy enforcement
1) Trigger build-time violations for images and deployments on the CLI and CI/CD pipelines
2) Enforce a container image vulnerability violation at build time
3) Codify an image vulnerability violation enforcement in a pipeline
4) Warn about deployment attributes from the command line and Pipeline
RHACS can prevent the deployment of applications that violate workflow, configuration, or security best practices before they become actively running containers. True or False?
True
Two approaches to enforcing deploy-time policies in RHACS
1) In clusters with listen and enforce AdmissionController options enabled, RHACS uses the admission controller to reject deployments that violate policy.
2) In clusters where the enforcement option is disabled, RHACS scales pod replicas to zero for deployments that violate policy.
How do you turn on the admission controller?
1) Platform Configuration > Clusters > Your cluster
2) Turn on the features related to the admission controller and dynamic sync
Test whether enforcement applies to unscanned images
1) Verify that the admission controller is enabled
2) Pick an image that was not scanned
3) Create an application with this image: oc run nonsense --image=test-nonsense:latest
Prevent the deployment of applications that mishandle sensitive data
roxctl -e $CENTRAL:443 deployment check --file ./deployment.yaml --insecure-skip-tls-verify
Examples of uses of runtime policies
threat detection
threat prevention
incident investigation
incident response
Runtime policy enforcement features
1) Prevent execution of package manager binaries
2) Report and resolve violations
3) Observe the processes running in containers
4) Collect information about processes to write policies
5) Create baseline policy configurations
Why have a policy to prevent execution of package manager binaries such as apk, apt, or yum?
using a package manager to install or remove software on a running container violates the immutable principle of container operation.
How does ACS detect and prevent a runtime violation?
1) Using Linux kernel instrumentation to detect the running process
2) Using Kubernetes to terminate the pod for enforcement
Enable enforcement of a policy
1) Go to Platform Configuration > Policy Management > Policy
2) Edit the policy
3) Enable inform and enforce