Appendix
Free Tier Policy Reference
The free tier policy definition is pre-configured and included in the BlueRock free tier AMI. The full policy is reproduced below:
{
"userspace_force_nx_stack": {
"enable": false
},
"container_drift": {
"enable": true,
"remediate": false,
"inline": false,
"file_drift": false,
"library_drift": true,
"container_exception_list": [],
"pipe_process_exception_list": [
"docker-entrypoi",
"containerd-shim",
"bpftrace"
],
"file_drift_exception_list": [
"/var/log/",
"/ (deleted)",
"/run/",
"/etc/nginx"
],
"interpreters": {
"/sh": [
"c"
],
"/dash": [
"c"
],
"/bash": [
"c"
],
"/ksh": [
"c"
],
"/ash": [
"c"
],
"/zsh": [
"c",
"s"
],
"/python": [
"c"
],
"/perl": [
"e",
"E"
]
}
},
"remote_shell_control": {
"enable": true,
"remediate": false,
"inline": false,
"transitive": false,
"explicit_deny": [
"/sh",
"/dash",
"/bash",
"/ksh",
"/ash",
"/zsh",
"/python",
"/perl"
],
"allow_list_path_transitive": [
"/usr/lib/systemd/systemd-resolved",
"/usr/lib/apt/methods/http",
"/usr/lib/apt/methods/rsh",
"/usr/lib/apt/methods/mirror",
"/usr/bin/cri-dockerd"
]
},
"container_capabilities": {
"enable": true,
"remediate": false,
"caps_denied": [],
"explicit_allow": []
},
"nsenter": {
"enable": true,
"remediate": false,
"inline": false
},
"container_socket_protect": {
"enable": true,
"remediate": false,
"inline": false,
"protected_file_paths": [
"/var/run/docker.sock",
"/run/containerd/containerd.sock",
"/run/containerd.sock",
"/run/containerd/containerd.sock",
"/.bottlerocket/rootfs/run/containerd/containerd.sock"
]
},
"rogue_container": {
"enable": false,
"remediate": false
},
"socket_detection": {
"enable": true,
"remediate": false,
"inline": false,
"process_address_list": {}
},
"process_exec": {
"enable": true,
"remediate": false,
"inline": false,
"allowed_paths": [
"/bin/",
"/sbin/",
"/usr/bin/",
"/usr/sbin/",
"/usr/local/bin/",
"/usr/local/sbin/",
"/usr/lib",
"/opt/",
"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/",
"/x86_64-bottlerocket-linux-gnu/sys-root/usr/sbin/",
"/x86_64-bottlerocket-linux-gnu/sys-root/usr/local/bin/",
"/x86_64-bottlerocket-linux-gnu/sys-root/usr/local/sbin/",
"/x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/",
"/x86_64-bottlerocket-linux-gnu/sys-root/usr/libexec/",
"/app/",
"/snap/",
"/runc",
"/eks-pod-identity-agent",
"/usr/local/aws-cli/",
"/aws/",
"/docker-entrypoint.d/",
"/csi-node-driver-registrar",
"/etc/eks/",
"/pause",
"/memfd:runc_cloned:/proc/self/exe",
"/docker-entrypoint.sh",
"/livenessprobe",
"/csi-resizer",
"/csi-snapshotter",
"/csi-provisioner",
"/csi-attacher",
"/var/lib/",
"/usr/share",
"/etc/",
"/coredns",
"/awscollector"
],
"excluded_paths": []
},
"mmap_exec_file": {
"enable": true,
"remediate": false,
"inline": false,
"allowed_paths": [
"/lib/",
"/lib64/",
"/usr/lib",
"/usr/local/lib/",
"/usr/local/lib64/",
"/opt/",
"/aws/",
"/snap/",
"/usr/local/aws-cli/",
"/x86_64-bottlerocket-linux-gnu/sys-root/lib/",
"/x86_64-bottlerocket-linux-gnu/sys-root/lib64/",
"/x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/",
"/x86_64-bottlerocket-linux-gnu/sys-root/usr/local/lib/",
"/x86_64-bottlerocket-linux-gnu/sys-root/usr/local/lib64/"
],
"excluded_paths": []
},
"sensitive_file_access": {
"enable": true,
"remediate": false,
"inline": false,
"absolute_paths": [
{
"path": "/etc/passwd",
"write_only": true
},
{
"path": "/etc/shadow",
"write_only": true
},
{
"path": "/opt/bluerock/etc/config.source",
"write_only": true
}
],
"relative_paths": [
{
"path": "/.ssh/id_rsa",
"write_only": false
},
{
"path": "/.ssh/id_ecdsa",
"write_only": false
},
{
"path": "/.ssh/id_ecdsa_sk",
"write_only": false
},
{
"path": "/.ssh/id_ed25519",
"write_only": false
},
{
"path": "/.ssh/id_ed25519_sk",
"write_only": false
}
],
"allowed_paths": [
"/usr/sbin/unix_chkpwd",
"/usr/lib/systemd/systemd-userwork",
"/usr/bin/dockerd",
"/usr/sbin/useradd"
]
},
"process_detection": {
"enable": true,
"remediate": false,
"inline": false,
"suspicious_list_path": [
"/nc",
"/wget"
],
"exception_list_comm": [
"setup-policy-ro"
]
},
"detect_setugid": {
"enable": true
},
"process_restriction": {
"enable": true,
"remediate": false,
"inline": false,
"process_groups": [
{
"restricted": [
"httpd",
"nginx",
"lighttpd",
"apache2"
],
"executable": [
"/nc",
"/netcat",
"/netcat-openbsd",
"/netcat-traditional",
"/socat"
]
},
{
"restricted": [
"httpd",
"nginx",
"lighttpd",
"apache2"
],
"executable": [
"/sh",
"/dash",
"/bash",
"/ksh",
"/ash",
"/zsh",
"/python",
"/perl"
]
}
]
},
"forced_mem_access": {
"enable": false,
"remediate": false,
"inline": false,
"prevent_writes_only": true
},
"fileless_exec": {
"enable": true,
"remediate": false,
"inline": false
},
"system_visibility": {
"enable": true,
"trace_exclusion_list": [
"basename",
"cat",
"cd",
"cmp",
"cp",
"date",
"egrep",
"fgrep",
"file",
"find",
"grep",
"groups",
"head",
"id",
"jq",
"less",
"ls",
"ln",
"mkdir",
"more",
"mv",
"ping",
"ps",
"pwd",
"rm",
"rmdir",
"sort",
"stat",
"tail",
"tee",
"touch",
"uname",
"users",
"wc",
"which",
"whoami",
"zcat",
"zcmp",
"zgrep"
]
},
"python_sensor": {
"enable": true,
"pickle": {
"enable": true,
"remediate": false,
"inline": false,
"deny_list": [
"builtins.exec",
"posix.system",
"socket.socket"
],
"allow_list": null
},
"pathtraversal": {
"enable": true,
"remediate": false,
"inline": false,
"deny_list": [
"/etc/passwd",
"/etc/shadow"
],
"allow_list": null
},
"profiling": {
"enable": false
},
"imports": {
"enable": true,
"remediate": false,
"inline": false,
"deny_list": [],
"allow_list": null
},
"imports_fileslist": {
"enable": false
},
"execs": {
"enable": true,
"remediate": false,
"deny_list": [],
"inline": false,
"allow_list": null
},
"loads": {
"enable": true,
"remediate": false,
"inline": false,
"dlsym": {
"deny_list": [],
"allow_list": null
},
"dlopen": {
"deny_list": [],
"allow_list": null
},
"load": {
"deny_list": [],
"allow_list": null
}
},
"urllib": {
"enable": true,
"remediate": false,
"inline": false
},
"http_server": {
"enable": true,
"remediate": false,
"inline": false
},
"ssrf": {
"enable": true,
"remediate": false,
"inline": false,
"allow_list": []
},
"internal_exception": {
"remediate": false,
"inline": false
},
"zip_slip": {
"enable": true,
"remediate": false,
"inline": false
},
"symlink": {
"enable": true,
"remediate": false,
"inline": false
},
"http": {
"enable": true,
"remediate": false,
"inline": false
},
"tracing": {
"enable": true,
"functions": false,
"bytecode_tracer": false,
"legacy_tracer": false
},
"mcp": {
"enable": false,
"remediate": false,
"inline": true,
"tools": {
"allow_list": null,
"deny_list": []
}
}
},
"java_sensor": {
"enable": true,
"tracing_stderr": {
"enable": false
},
"tracing_file": {
"enable": false,
"path": null
},
"class_load": {
"enable": true,
"remediate": false,
"inline": false,
"deny_list": [],
"allow_list": null
},
"pathtraversal": {
"enable": true,
"remediate": false,
"inline": false,
"allow_list": []
},
"resolve_class": {
"enable": true,
"remediate": false,
"inline": false,
"deny_list": [],
"allow_list": null
},
"exec": {
"enable": true,
"remediate": false,
"inline": false
},
"exec_network": {
"enable": true,
"remediate": false,
"inline": false
},
"internal_error": {
"remediate": false,
"inline": false
},
"zip_slip": {
"enable": true,
"remediate": false,
"inline": false
},
"code_injection": {
"enable": true,
"remediate": false,
"inline": false
},
"debug": {
"enable": false
},
"observe_only": {
"enable": false
},
"ssrf": {
"enable": true,
"remediate": false,
"inline": false,
"allow_list_conn_protocols": [
"http",
"https"
],
"allow_list_url_protocols": [
"http",
"https",
"file",
"jrt",
"jar"
],
"allow_list_hosts": []
}
}
}