PaloAltoNetworks/rbac-police PaloAltoNetworks/rbac-police

  • Stars
    star
    280
  • Rank 147,492 (Top 3 %)
  • Language
    Go
  • License
    MIT License
  • Created over 2 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
PaloAltoNetworks/rbac-police
github

PaloAltoNetworks

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego

rbac-police

Retrieve the RBAC permissions of Kubernetes identities - service accounts, pods, nodes, users and groups - and evaluate them using policies written in Rego.

example

The policy library includes over 20 policies that detect identities possessing risky permissions, each alerting on a different attack path.

Quick Start

  1. Clone the repository:

    git clone https://github.com/PaloAltoNetworks/rbac-police && cd rbac-police

  2. Either install rbac-police from a release:

    OS=linux  # OS=darwin
ARCH=amd64  # ARCH=arm64
LATEST_TAG=$(curl -s https://api.github.com/repos/PaloAltoNetworks/rbac-police/releases/latest | jq -r '.tag_name')
curl -L -o rbac-police "https://github.com/PaloAltoNetworks/rbac-police/releases/download/${LATEST_TAG}/rbac-police_${LATEST_TAG}_${OS}_${ARCH}" && chmod +x rbac-police

    Or build it with Golang>=1.16:

    go build

  3. Connect kubectl to a Kubernetes cluster.

  4. Evaluate RBAC permissions and identify privilege escalation paths in your cluster using the default policy library:

    ./rbac-police eval lib/

  5. Inspect the permissions of violating principals and identify the Roles and ClusterRoles granting them risky privileges. See the Recommendations section here for remediation advice.

    ./rbac-police expand -z sa=production-ns:violating-sa

Usage

Set severity threshold

Only evaluate policies with a severity equal to or higher than a threshold.

./rbac-police eval lib/ -s High

Inspect the permissions of specific identities

./rbac-police expand -z sa=kube-system:metrics-server
./rbac-police expand -z [email protected]
./rbac-police expand # all identities

Discover protections

Improve accuracy by considering features gates and admission controllers that can protect against certain attacks. Note that NodeRestriction is identified by impersonating a node and dry-run creating a pod, which may be logged by some systems.

./rbac-police eval lib/ -w

Configure violation types

Control which identities are evaluated for violations, default are sa,node,combined (see policies.md for more information).

./rbac-police eval lib/ --violations sa,user
./rbac-police eval lib/ --violations all # sa,node,combined,user,group

Note that by default, rbac-police only looks into service accounts assigned to a pod. Use -a to include all service accounts.

Scope to a namespace

Only look into service accounts and pods from a certain namespace.

./rbac-police eval lib/ -n production

Only SAs that exist on all nodes

Only alert on service accounts that exist on all nodes. Useful for identifying violating DaemonSets.

./rbac-police eval lib/ --only-sas-on-all-nodes

Ignore control plane

Ignore control plane pods and nodes in clusters that host the control plane.

./rbac-police eval lib/ --ignore-controlplane

Collect once for multiple evaluations

./rbac-police collect -o rbacDb.json

./rbac-police eval lib/ rbacDb.json -s High
./rbac-police eval lib/ rbacDb.json -s Medium --only-sas-on-all-nodes
./rbac-police expand rbacDb.json -z sa=ns:violating-sa

Documentation

Media Mentions

Radiohead:

rbac-police, I've given all I can. It's not enough...

N.W.A:

rbac-police comin' straight from the underground!

More Repositories

1

docusaurus-openapi-docs

🦝 OpenAPI plugin for generating API reference docs in Docusaurus v3.
TypeScript
683
star
2

WireLurkerDetector

Script for detecting the WireLurker malware family
Python
412
star
3

minemeld

Main MineMeld documentation repo
373
star
4

pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
Python
339
star
5

ansible-pan

Ansible modules for Palo Alto Networks NGFWs
Python
228
star
6

pan-os-ansible

Ansible collection for easy automation of Palo Alto Networks next generation firewalls and Panorama, in both physical and virtual form factors.
Python
201
star
7

iron-skillet

IronSkillet is a set of day-one configuration templates for PAN-OS to enable alignment with security best practices. See the Quick Start section below to get started using the template configurations.
Python
200
star
8

minemeld-core

Engine of MineMeld
Python
140
star
9

terraform-templates

This repo contains Terraform templates to deploy infrastructure on AWS and Azure and to secure them using the Palo Alto Networks Next Generation Firewalls
Python
138
star
10

ansible-playbooks

Sample playbooks for the Palo Alto Networks Ansible modules.
Jinja
124
star
11

azure

VM-Series ARM Templates for Microsoft Azure
Python
101
star
12

Splunk-Apps

Palo Alto Networks App for Splunk leverages the data visibility provided by Palo Alto Networks next-generation firewalls and endpoint security with Splunk's extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool.
Python
93
star
13

IAM-Deescalate

IAM-Deescalate helps mitigate privilege escalation risk in AWS identity and access management (IAM)
Python
89
star
14

terraform-provider-panos

Terraform Panos provider
Go
87
star
15

prisma-cloud-policies

PCS Policies Release Notice
81
star
16

prisma-cloud-docs

Prisma Cloud docs
80
star
17

aws

VM-Series for Amazon Web Services
Python
71
star
18

prisma_channel_resources

A collection of technical and sales resources related to Prisma Cloud Compute and Prisma Cloud Enterprise created for the PANW Channel Partner Ecosystem and other engineers working with the solution
Shell
66
star
19

pcs-postman

Postman collections for Prisma Cloud
60
star
20

aws-elb-autoscaling

Auto Scaling VM-Series firewalls in AWS
HTML
57
star
21

pan-os-php

Framework and utilities to easily manage and edit Palo Alto Network PANOS devices
PHP
54
star
22

terraform-provider-prismacloud

Terraform PrismaCloud provider
Go
53
star
23

Prisma-Enhanced-Remediation

Create custom auto-remediation solutions using serverless functions in the cloud.
Python
52
star
24

pango

pango is the underlying library for the Palo Alto Networks Terraform provider
Go
52
star
25

pyjarm

pyJARM is a library for doing JARM fingerprinting using python
Python
50
star
26

AWS-GWLB-VMSeries

This repository contains CFT and TF templates for deploying VM-Series Firewalls behind AWS Gateway Load Balancer
HCL
50
star
27

minemeld-ansible

Ansible playbook for installing MineMeld on Linux
Shell
48
star
28

can-ctr-escape-cve-2022-0492

Test whether a container environment is vulnerable to container escapes via CVE-2022-0492
Shell
46
star
29

prisma-cloud-scan

GitHub action to scan container images with Palo Alto Networks' Prisma Cloud
JavaScript
46
star
30

prismacloud-api-python

Prisma Cloud utility scripts, and a Python SDK for Prisma Cloud APIs.
Python
45
star
31

pan-cortex-data-lake-python

Python idiomatic SDK for Cortex™ Data Lake.
Python
44
star
32

InstallerHijackingVulnerabilityScanner

Java
43
star
33

research-notes

43
star
34

terraform-azurerm-vmseries-modules

Terraform Reusable Modules for VM-Series on Azure
HCL
43
star
35

aws-transit-vpc

automated AWS transit vpc
Python
41
star
36

panhandler

Panhandler is a tool to manage config snippets and Skillets for PAN-OS devices
HTML
41
star
37

minemeld-webui

WebUI of MineMeld
TypeScript
41
star
38

pan.dev

Palo Alto Networks for Developers
MDX
39
star
39

pcs-sizing-scripts

Prisma Cloud sizing scripts
Shell
37
star
40

minemeld-node-prototypes

Prototypes for MineMeld nodes
Python
37
star
41

TransitGatewayDeployment

Creates a Transit Gateway with two server VPCs and a security VPC
Python
35
star
42

terraform-aws-vmseries-modules

Terraform Reusable Modules for VM-Series on AWS
HCL
32
star
43

Kubernetes

Repository for Palo Alto Networks Kubernetes Security - CN Series.
30
star
44

ReferenceArchitectures

Palo Alto Networks Reference Architectures
29
star
45

evident-custom-signatures

Evident Security Platform Custom Signatures Samples
Ruby
28
star
46

pan-fca

Flexible Cloud Automation
Python
28
star
47

prismacloud-cli

The Prisma Cloud CLI is a command line interface for Prisma Cloud by Palo Alto Networks.
Python
27
star
48

terraform-best-practices

A set of best practices to be followed when contributing to the Palo Alto Networks terraform modules
27
star
49

report_to_misp

Parse a report and import the events into MISP
Python
26
star
50

tg

Certificate generation made easy
Go
26
star
51

autofocus-lenz

A command line utility to aid in using autofocus for IR and research
Python
25
star
52

azure-applicationgateway

Scale out security for web deployments using VM-Series firewalls and Azure Application Gateway web load balancer
25
star
53

prisma-cloud-compute-sample-code

Example scripts, snippets, and other documents related to Prisma Cloud Compute
Open Policy Agent
25
star
54

lab-aws-gwlb-vmseries

Materials for PS Regional Training AWS lab
HCL
24
star
55

terraform-provider-prismacloudcompute

Terraform provider for Prisma Cloud Compute
Go
24
star
56

gaia

Aporeto API (Elemental model)
Go
23
star
57

cobra-tool

Cloud Offensive Breach and Risk Assessment (COBRA) Tool
Python
23
star
58

prisma.pan.dev

The home of Developer docs for Prisma by Palo Alto Networks
JavaScript
21
star
59

Azure-Transit-VNet

Azure security with VM-Series in a hub-and-spoke architecture
Python
19
star
60

pan-stix

pan-stix
Python
19
star
61

minemeld-misp

MineMeld nodes for MISP
Python
19
star
62

autofocus-client-library

A python client library for interfacing with the autofocus rest services
Python
19
star
63

openstack-templates

VM-Series Firewalls on OpenStack
Rich Text Format
19
star
64

Splunk_TA_paloalto

The Palo Alto Networks Add-on for Splunk allows a Splunk® Enterprise or Splunk Cloud administrator to collect data from Palo Alto Networks Next-Generation Firewall devices and Advanced Endpoint Protection.
Python
19
star
65

azure-autoscaling

Azure autoscaling solution using VMSS
C#
17
star
66

regolithe

Regolithe Specifications + Dev Tools
Go
17
star
67

elemental

Go library implementing the Regolithe specifications as Elemental model
Go
17
star
68

tcpsession

A python library to extract TCP sessions from PCAPs.
Python
16
star
69

prisma-cloud-best-practices

Prisma Cloud best practice documentation and guides
16
star
70

GCP-Terraform-Samples

This repository is deprecated
HCL
16
star
71

manipulate

Go library to perform CRUD operations on an Elemental model with multiple backend implementations
Go
16
star
72

minemeld-docker

Official Palo Alto Networks MineMeld docker
Shell
15
star
73

cn-series-deploy

A set of Terraform plans for deploying a Kubernetes cluster protected by a CN-Series containerize firewall
HCL
15
star
74

prisma-cloud-compute-operator

Makefile
15
star
75

prisma-cloud-go

Prisma Cloud SDK in Go
Go
15
star
76

multicloud-automation-lab

Multi-Cloud Security Automation Lab
HCL
14
star
77

pantools

A collection of pre-installed tools commonly used with Palo Alto Networks products packaged as a Docker container
Dockerfile
14
star
78

terraform-provider-cloudngfwaws

The Terraform provider for the Palo Alto Networks AWS cloud NGFW
Go
14
star
79

terraform-ansible-intro

Introduction to Terraform and Ansible
HCL
14
star
80

terraform-google-vmseries-modules

Terraform Reusable Modules for VM-Series on Google Cloud Platform (GCP)
HCL
13
star
81

wsc

wsc is a library that allows to interact with web sockets using channels.
Go
13
star
82

cn-series-helm

This repo is for deploying CN-series firewall using Helm Package Manager for Kubernetes
Mustache
13
star
83

aws-alb-sandwich

AWS ALB Sandwich with VM-Series
PHP
12
star
84

cis-benchmarks

CIS benchmark quickplay for rapid assessments of the NGFW
Jinja
12
star
85

SafeNetworking

Read only mirror. To contribute or submit issues, please go to the website link --->
Python
12
star
86

misp-to-autofocus

Script for pulling events from a MISP database and converting them to Autofocus queries.
Python
12
star
87

Prisma-Cloud-DevOps-Security

Shell
12
star
88

gcp-two-tier

VM-Series templates for Google Cloud Platform
Python
11
star
89

pcs-serverless-syslog

Prisma Cloud serverless function that can accept webhook and send alerts to syslog, S3, and SQS
Python
11
star
90

mtlsproxy

Simple mtls HTTPs proxy to use as a sidecar for protecting non critical services
Go
11
star
91

youtube-miner

MineMeld Miner for Youtube channels
Python
11
star
92

terraform-provider-prismacloud-orig

Terraform provider for Prisma Cloud
Go
11
star
93

HomeSkillet

Simple 2-zone internet gateway configuration for home use
Jinja
11
star
94

pancloud-nodejs

Palo Alto Networks Application Framework NodeJS SDK
TypeScript
11
star
95

panos-bootstrapper

A Utility to bootstrap a new PAN-OS NGFW. This utility provides an API only. An example web interface is provided here: https://github.com/PaloAltoNetworks/panos-bootstrapper-ui
Python
11
star
96

prisma-access-skillets

Suite of skillets for initial Prisma Access deployment and configuration
HCL
10
star
97

panos-bootstrapper-ui

PAN-OS Bootstrapper UI provides a simple, example web-UI that consumes the PAN-OS Bootstrapper utility API.
Python
10
star
98

terraform-iac-lab

Infrastructure as Code lab using Terraform and GCP
HCL
9
star
99

pan-threat-vault-python

Python interface to the Palo Alto Networks Threat Vault API
Python
9
star
100

azure-terraform-vmseries-fast-ha-failover

Azure Load Balancer and HA Combined Deployment for Faster Failover with no API Calls
HCL
9
star