Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for centralized allowlists #3355

Open
wants to merge 16 commits into
base: master
Choose a base branch
from
Open

Add support for centralized allowlists #3355

wants to merge 16 commits into from

Conversation

blotus
Copy link
Member

@blotus blotus commented Dec 8, 2024

This PR adds a new type of allowlist that is managed by LAPI and applies to alerts, blocklists content and appsec (but not to manual decisions with cscli):

  • alerts are dropped (with a log message)
  • blocklist content matching an allowlist is ignored
  • appsec requests matching an allowlist are not processed

Compared to existing types of allowlists in crowdsec (in parsers, postoverflows, custom profiles or appsec hooks), they only support IPs and ranges (ie, no arbitrary expression), but they can have an optional expiration.

An alert is considered allowlisted in the following situations:

  • The source of the alert is an exact match with a non-expired allowlist item
  • The source of the alert belongs to a non-expired (range) allowlist item
  • The source of the alert contains a non-expired allowlisted item (eg, 1.2.3.4 is allowlisted, and an alert on 1.2.3.0/24 is generated): while this seems counter-intuitive, range alerts are rare and it would be add a lot of complexity to carve out the specific IPs that are allowlisted from the alert source (and generate multiple sub-alerts).

They can be managed with:

  • cscli
  • The console (allowlists created from the console are not editable with cscli to avoid conflict), in which case they are pulled from CAPI or PAPI.

If a local allowlist is created, and another one with the same name is created in the console, the one from the console will replace the local one.

@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 8, 2024

@blotus: There are no 'kind' label on this PR. You need a 'kind' label to generate the release automatically.

  • /kind feature
  • /kind enhancement
  • /kind refactoring
  • /kind fix
  • /kind chore
  • /kind dependencies
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@github-actions GitHub Actions
Copy link

github-actions bot commented Dec 8, 2024

@blotus: There are no area labels on this PR. You can add as many areas as you see fit.

  • /area agent
  • /area local-api
  • /area cscli
  • /area appsec
  • /area security
  • /area configuration
Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

@blotus
Copy link
Member Author

blotus commented Dec 8, 2024

/kind feature
/area local-api

@codecov Codecov
Copy link

codecov bot commented Dec 9, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 21.97384% with 3281 lines in your changes missing coverage. Please review.

Project coverage is 54.38%. Comparing base (d35d01f) to head (c9bf246).

Files with missing lines Patch % Lines
pkg/database/ent/allowlistitem_query.go 12.82% 355 Missing and 12 partials ⚠️
cmd/crowdsec-cli/cliallowlists/allowlists.go 20.48% 324 Missing and 6 partials ⚠️
pkg/database/ent/allowlist_query.go 22.56% 307 Missing and 19 partials ⚠️
pkg/database/ent/allowlistitem_update.go 0.00% 311 Missing ⚠️
pkg/database/ent/allowlistitem/where.go 14.98% 227 Missing ⚠️
pkg/database/ent/allowlist_update.go 18.18% 219 Missing and 6 partials ⚠️
pkg/database/ent/allowlist/where.go 2.31% 169 Missing ⚠️
pkg/database/ent/allowlistitem_create.go 35.40% 160 Missing and 6 partials ⚠️
pkg/database/ent/allowlist_create.go 27.05% 143 Missing and 8 partials ⚠️
pkg/database/allowlists.go 56.52% 92 Missing and 8 partials ⚠️
... and 23 more
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3355      +/-   ##
==========================================
- Coverage   58.45%   54.38%   -4.07%     
==========================================
  Files         351      376      +25     
  Lines       37823    41982    +4159     
==========================================
+ Hits        22109    22833     +724     
- Misses      13812    17139    +3327     
- Partials     1902     2010     +108
Flag Coverage Δ
bats 38.06% <10.70%> (-3.15%) ⬇️
unit-linux 33.82% <11.63%> (-0.60%) ⬇️
unit-windows 26.05% <15.71%> (-3.60%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@blotus blotus force-pushed the centralized-allowlists branch from 3a34d3a to 8385b05 Compare December 9, 2024 00:19
@blotus blotus force-pushed the centralized-allowlists branch from 8385b05 to dbb9adc Compare December 9, 2024 00:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
area/local-api kind/feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@blotus