# neuvector-security
i
I believe you can just explicitly 'allow' those commands and deny '*'.
n
Or the other way around: allow "*", deny mount.nfs or mount.nfs4.
I did a test with a couple of federated process rules (we manage NeuVector in a federated way). I created 3 process profile rules:
• deny mount.nfs
• deny mount.nfs4
• allow "*"
I noticed that for every process I still got an alert. So I did another test: I created a process profile rule on the specific group with allow "*", and removed the federated allow. Now I only see the mount.nfs alerts. Is this expected behaviour?
i
If something is denied, yes, I expect to see an alert. But I am rather new to NeuVector, so I am not 100% sure. If you have an allow rule, you won't get alerts for the 'allowed' stuff.
I also do not see what you want to achieve with 'allow *'. You cannot have a complete set of attack vectors 'denied' and then allow the rest. It is easier the other way around. If you want to avoid accidentally denying something, use 'monitor' mode until you no longer get false positives.
n
For us, working with NeuVector is also a learning curve. I also have some other ideas on improving the alerting, like the monitoring you mentioned.
i
Me too, but until I manage to convince my boss to pay for a support license, I cannot make any requests 😉
n
I did some extra tests; it looks like federated policies work well with deny, but not with allow for processes that are not learned.
I am going to test another route with the Prometheus exporter. I have it up and running, but I see some issues with the Helm chart; I'm going to open an issue for that when I have the time.