Merge pull request #25 from olhado/release_2.3.1_agent

Release 2.3.1 agent

Author: olhado

Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: threatstack-agent
-version: 2.0.0
-appVersion: 2.3.0
+version: 2.1.0
+appVersion: 2.3.1
 description: A Helm chart for the Threat Stack Cloud Security Agent
 keywords:
 - security

templates/configmap.yaml

@@ -13,3 +13,9 @@ data:
 {{- if .Values.daemonset.customAuditRules }}
   custom-audit-rules-content: {{ toYaml .Values.daemonset.customAuditRules | indent 4 }}
 {{- end }}
+{{- if .Values.daemonset.customTsAuditdConfig }}
+  custom-tsauditd-config-content: {{ toYaml .Values.daemonset.customTsAuditdConfig | indent 4 }}
+{{- end }}
+{{- if .Values.daemonset.customLuaFilter }}
+  custom-luafilter-content: {{ toYaml .Values.daemonset.customLuaFilter | indent 4 }}
+{{- end }}

templates/daemonset.yaml

@@ -99,7 +99,7 @@ spec:
                 name: {{ include "threatstack-agent.name" . }}-config-args
                 key: config-args
         securityContext:
-          privileged: false
+          privileged: true
           capabilities:
             add: {{ .Values.capabilities | trim }}
 {{- if .Values.daemonset.resources }}
@@ -127,6 +127,16 @@ spec:
           - name: custom-audit-rules
             mountPath: /opt/threatstack/etc/audit-custom.rules
             subPath: audit-custom.rules
+{{- end }}
+{{- if .Values.daemonset.customTsAuditdConfig }}
+          - name: custom-tsauditd-config
+            mountPath: /opt/threatstack/etc/tsauditd-custom.cfg
+            subPath: tsauditd-custom.cfg
+{{- end }}
+{{- if .Values.daemonset.customLuaFilter }}
+          - name: custom-luafilter-config
+            mountPath: /opt/threatstack/etc/tsauditd-custom.lua
+            subPath: tsauditd-custom.lua
 {{- end }}
       volumes:
         - hostPath:
@@ -149,3 +159,19 @@ spec:
               - key: custom-audit-rules-content
                 path: audit-custom.rules
 {{- end }}
+{{- if .Values.daemonset.customTsAuditdConfig }}
+        - name: custom-tsauditd-config
+          configMap:
+            name: {{ include "threatstack-agent.name" . }}-config-args
+            items:
+              - key: custom-tsauditd-config-content
+                path: tsauditd-custom.cfg
+{{- end }}
+{{- if .Values.daemonset.customLuaFilter }}
+        - name: custom-luafilter-config
+          configMap:
+            name: {{ include "threatstack-agent.name" . }}-config-args
+            items:
+              - key: custom-luafilter-content
+                path: tsauditd-custom.lua
+{{- end }}

values.yaml

@@ -49,7 +49,7 @@ rbac:
 # additionalConfig      :: Additional parameters to configure the running agent
 # capabilities          :: Docker capabilites required for the proper operation of the agent
 capabilities: |
-  ["AUDIT_CONTROL", "AUDIT_READ", "SYS_CHROOT", "CHOWN","DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "SETGID", "SETUID", "SYS_ADMIN", "SYS_PTRACE"]
+  ["AUDIT_CONTROL", "SYS_CHROOT", "CHOWN","DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "SETGID", "SETUID", "SYS_ADMIN", "SYS_PTRACE"]
 
 #####
 # WARNING!
@@ -212,3 +212,26 @@ daemonset:
   #     the end
   #
   customAuditRules: ""
+
+  # Override this to provide custom auditd config
+  # https://threatstack.zendesk.com/hc/en-us/articles/360030897272-FAQ-Workaround-for-the-Known-Linux-Limitation-with-auditd
+  #
+  # Example:
+  #   customTsAuditdConfig: |
+  #     {
+  #       ...
+  #     }
+  #
+  customTsAuditdConfig: ""
+
+  # Override this to provide a custom lua filter to the agent.
+  # Make sure to use | to ensure the custom lua filter is
+  # properly parsed and output.
+  #
+  # Example:
+  #   customLuaFilter: |
+  #     foo
+  #     bar
+  #     the end
+  #
+  customLuaFilter: ""