add support for crown jewel policies

Add support for generating lenient policies protecting sensitive assets (mount points here) Signed-off-by: Ankur Kothiwal <[email protected]>
accuknox · Jun 7, 2023 · 136df30 · 136df30
1 parent abe7d0b
commit 136df30
Show file tree

Hide file tree

Showing 8 changed files with 480 additions and 3 deletions.
diff --git a/src/conf/local-file.yaml b/src/conf/local-file.yaml
@@ -120,6 +120,11 @@ recommend:
   cron-job-time-interval: "1h0m00s"       # format: XhYmZs
   recommend-host-policy: true
 
+# Recommended policies configuration
+crownjewel:
+  operation-mode: 1                       # 1: cronjob | 2: one-time-job
+  cron-job-time-interval: "1h0m00s"       # format: XhYmZs
+
 # license
 license:
   enabled: false

diff --git a/src/conf/local.yaml b/src/conf/local.yaml
@@ -72,6 +72,11 @@ recommend:
   cron-job-time-interval: "1h0m00s"       # format: XhYmZs
   recommend-host-policy: true
 
+# Recommended policies configuration
+crownjewel:
+  operation-mode: 1                       # 1: cronjob | 2: one-time-job
+  cron-job-time-interval: "1h0m00s"       # format: XhYmZs
+
 # license
 license:
   enabled: false

diff --git a/src/config/configManager.go b/src/config/configManager.go
@@ -218,6 +218,13 @@ func LoadConfigFromFile() {
 		RecommendAdmissionControllerPolicy: viper.GetBool("recommend.admission-controller-policy"),
 	}
 
+	// crown jewel policy configurations
+	CurrentCfg.ConfigCrownjewelPolicy = types.ConfigCrownjewelPolicy{
+		CronJobTimeInterval:     "@every " + viper.GetString("crownjewel.cron-job-time-interval"),
+		OneTimeJobTimeSelection: "", // e.g., 2021-01-20 07:00:23|2021-01-20 07:00:25
+		OperationMode:           viper.GetInt("crownjewel.operation-mode"),
+	}
+
 	// load database
 	CurrentCfg.ConfigDB = LoadConfigDB()
 
@@ -524,3 +531,22 @@ func GetCfgRecommendHostPolicy() bool {
 func GetCfgRecommendAdmissionControllerPolicy() bool {
 	return CurrentCfg.ConfigRecommendPolicy.RecommendAdmissionControllerPolicy
 }
+
+// ================================== //
+// == Get Crown Jewel Config Info == //
+// ================================ //
+
+// run the Crown jewel scan once
+func GetCfgCrownjewelOneTime() string {
+	return CurrentCfg.ConfigCrownjewelPolicy.OneTimeJobTimeSelection
+}
+
+// run the Crown jewel scan as a cron job
+func GetCfgCrownjewelCronJobTime() string {
+	return CurrentCfg.ConfigCrownjewelPolicy.CronJobTimeInterval
+}
+
+// dont' run the Crown jewel scan
+func GetCfgCrownjewelOperationMode() int {
+	return CurrentCfg.ConfigCrownjewelPolicy.OperationMode
+}