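# Command Policy Configuration Example
# ====================================
#
# Copy this file to command_policy.yaml and customize as needed.
# Set COMMAND_POLICY_CONFIG=/path/to/command_policy.yaml to use.
#
# This file extends (not replaces) the default policy patterns: each list
# below is added to the built-in list of the same name, so an empty list
# leaves the defaults unchanged.
---

# Policy mode:
# - 'strict': Only log commands matching allowlist (recommended)
# - 'permissive': Log everything except blocklist matches
#
# 'strict' is recommended because in 'permissive' mode any command the
# blocklist does not recognise is logged as typed, including a credential
# passed to a tool that has no pattern yet. A blocklist match is never
# logged in either mode; the allowlist only applies to commands that are
# not blocked.
mode: strict

# Additional blocklist patterns (regex, case-insensitive)
# Commands matching these will NEVER be logged
#
# Keep the explicit `[]` until you add entries: a bare `blocklist:` parses
# as null rather than an empty list, which breaks consumers that append to
# or iterate over it. When adding patterns, replace `[]` with a block
# sequence as in the commented examples.
blocklist: []
# Add your organization-specific sensitive patterns here
# - '\bcompany-secret\b'
# - '\binternal-api-key\b'

# Additional allowlist patterns (regex, case-insensitive)
# Commands matching these WILL be logged (if not in blocklist)
#
# Anchor patterns with `^` as the examples do; an unanchored pattern also
# matches the command name appearing anywhere in the line.
allowlist: []
# Add your organization-specific safe commands here
# - '^our-monitoring-tool\s+(status|check)\b'
# - '^internal-cli\s+(info|list)\b'

# Masking patterns: [pattern, replacement]
# Sensitive values in allowed commands will be redacted
#
# Each entry is a two-element list: a regex and its replacement, where `\1`
# refers to the first capture group of the pattern. Single quotes keep the
# backslashes literal, so `\s`, `\S` and `\1` reach the regex engine
# unchanged; double quotes would require doubling them.
mask: []
# Add custom masking for your tools
# - ['(--internal-token[=\s]+)\S+', '\1***']
# - ['(COMPANY_API_KEY=)\S+', '\1***']

# ============================================================================
# DEFAULT PATTERNS (for reference, these are built-in)
# ============================================================================
#
# BLOCKLIST (never logged):
# - password, passwd, token, apikey, secret keywords
# - docker login
# - curl/wget with Authorization headers
# - export of *TOKEN*, *SECRET*, *KEY*, *PASS* variables
# - cat ~/.ssh/*, /etc/shadow, id_rsa, authorized_keys
# - mysql -p*, psql with credentials
# - aws configure, gcloud auth, az login
# - kubectl get/describe/edit secret
# - ansible-vault encrypt/decrypt/edit
#
# ALLOWLIST (logged):
# - ls, cd, pwd, whoami, id, uname, hostname, date, uptime
# - df, du, free, lsblk, fdisk -l, mount
# - ps, top, htop, pgrep, pstree
# - ip addr/link/route, ifconfig, netstat, ss, ping, traceroute
# - systemctl status/start/stop/restart/enable/disable
# - journalctl, service status
# - docker ps/images/logs/inspect/stats/compose
# - apt/dnf/yum list/search/show (and install/update for audit)
# - tail, head, less, more, grep, awk, sed, find, locate
# - cp, mv, rm, mkdir, rmdir, chmod, chown
# - git status/log/diff/branch/show
# - ansible, ansible-playbook, ansible-galaxy
# - terraform plan/show/state/output/validate
# - zfs list/get/status, zpool list/status
# - lvs, vgs, pvs
# - clear, exit, logout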