https://rancher.com/ logo
Join Slack
Powered by
This message was deleted.
# neuvector-security
a
This message was deleted.
q
Being able to roll-up repeated alert is def a good idea, and I believe is actiually a feature request in the queue.
Copy code
Alert: The Orts in namespace MORSELS were FUBARed; this alert repeated nn times over the last tt minutes
But!
Do you feel NeuVector should be doing this rollup, or is that better done in the SIEM where NeuVector Security Alerts are being sent?
i
Hey @quaint-candle-18606, I am not the OP but, I would also like to have related events grouped inside NeuVector. The first event could create an alert with a link to the grouped collection of events. Following events, should generate an alert only once in a while (say after 30 minutes ongoing activity in that collection). That goes beyond what you mention with roll-ups. The idea is, that related events happen because someone needs to access pods, do some special maintenance which are not "normal", like entering the container or copying files for analysis, etc. Or, maybe a simple solution, having a way to set 'downtime' for maintenance windows to disable all alerts and possible also all enforcing. @clever-analyst-3023 as a workaround, I disable actions (alerts) in the cluster when false positives are expected to happen.
q
are we talking about a. 
Notifications… Security Events
or b. 
Policy… Response Rules
?
assuming a.
but wanted to be sure. 🙂
i
I don't know about the OP, but I was talking about "Policy->Response Rules" which trigger messages to Slack in my case
q
gotcha
i
The security events log, is interesting to look at, but I would be confused if things are not ordered by timestamp.
q
totally agree. best-practice is to feed security events to a siem like datadog, splunk, etc.
i
Yes, we do not have that (yet) 😉
q
in the short term. if you know you’re going to be triggering a lot of response rules, proactively disable that rule.
are you maybe setting up a lot of response rules in lieu of the sec log --> siem config? 🙂
i
I am only setting up response rules for security events. After a few weeks of fine tuning, it is quiet. But when I go and start a pod with 'psql' to do some database work, it fires like mad 😉 In other words, it works as expected. This doesn't happen often, so we just live with the construction work noise from time to time. A bigger company might have problems with this approach but for small shops it is not a big deal.
q
i’d say in a scenario like that, you’d be doing that construction work in a dev/test cluster where there are no response rules. obv, “”best practice” and all. 😉
i
So no siem so far, security is in the hands of the same person doing the actual work (me).
q
this has testing on prod vibes. 😆
the topic of perhaps being able to set a group in a “maintenance mode” of sorts, where NeuVector is pretty much doing nothing has been bandied about now and then. But as you can imagine, the dev team is very reluctant to create what feels like a security hole.
i still think it has merit, personally
“Set these groups to maintenance mode for nn minutes” and require a specific role to have access to that.
i
Yes, that would be a nice feature to have (with a specified ending time, so it's not forgotten). It should have a big red warning sign on the Dashboard - SOME SERVICES ARE IN MAINTENANCE MODE, or something like that.
q
and then log THAT “Alert: Peter set the following groups to maintenance mode for 30 minutes”
i
Yes, perfekt idea. The idea of NV is not to make work harder, but have the application run safer when nobody is looking.
q
bingo
i
I wouldn't want to set the whole NV to maintenance (normally), but a namespace or a single POD would be sufficient
q
i would still give you the line: Do this work in a test environment. Send the tested stuff to a prod environment. 🫡
agreed. This would be most practical at the group level.
I’m against any sort of mode changes, etc at a cluster level, generally. (This should be about workloads, not clusters.)
👍 1
i
At the moment, when I do not forget about it, I could do this with the 'discover' mode, but I rather would like to have a temporary Maintenance/ignore mode.
q
right. You don’t want it learning Bad Things™
i
Well, also not want to audit and then remove all the tempoary rules.
✔️ 1
q
i can tell you that many folks will tell you to stop asking to solve a problem you shouldn’t be creating in the first place. 😄
but not everybody does everything perfectly, so i get you
🙂
i
If we had no security problems, we wouldn't need NV... 🙂
q
the real problem is humans. 😄
i
Yes, and complexity. Tell it your favorite AI.
q
that may be even worse. 🙃
Remember that a “squelch mode” that we’re talking about would be shutting off security for any given group and that, well, is what it is.
despite all that, I personally agree with you that it could be handy
i
That's fine with me. If the cat is triggering your alarm, you can as well turn it off. If you cannot turn it of, you may have to kill the cat 😞
q
and I’d also add an argument in favor of this: any group in that “maintenance” mode is in the same state it was before neuvector was ever installed. If giving people this option, even if its OMG not best practice, makes it easier for them to adopt neuvector then so be it.
keep the cat out of the production environment. 😉
i
Yes, agreed. Change needs time. And priority might be elsewere anyway.
q
bingo
True story: (Long ago) I had a chiropractor that said “As your doctor, I am advising that you quit running.”
and then added “You’re not going to quit running, are you?”
“Nope”
“Then as your doctor, I will do the best I can to help you.”
i
Good doctor 😉
q
he really was
So I understand that when I yell at you to “stop testing in prod” that you don’t really need to be told that. 🙂
we’re all doing what works for us with the tools we have
i
Actually, we were not testing in prod, but troubleshoot some issue with the database (remove some stale entries after an upgrade). We did it on the test system - in prod we will do the same, but then we will know exactly what to change. NV is new for us and we have to learn how to do it properly without triggering alarms. Anyway, NV will help us 99% of the time to catch bad things happening (but so far nothing happend, which is pleasantly boring ), and annoy us 1% of the time with false alarms.🙉
q
and squelching that 1% down is def a worthy goal 🤜 🤛
6 Views
Open in Slack
PreviousNext
Powered by