From 9053ce59551b027ecd61cedc8dbccaed417b0d14 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Tue, 24 Mar 2026 16:05:17 -0700 Subject: [PATCH] Add security reference card and compliance report how-to Split report-reading guidance out of deploy-prowler into its own how-to (read-compliance-reports). Add security & compliance reference card (reference/operations/security) following the pattern of the observability card. Co-Authored-By: Claude Opus 4.6 (1M context) --- docs/how-to/operations/deploy-prowler.md | 10 +-- .../operations/read-compliance-reports.md | 79 +++++++++++++++++++ docs/reference/operations/security.md | 53 +++++++++++++ docs/reference/services/prowler.md | 2 + 4 files changed, 138 insertions(+), 6 deletions(-) create mode 100644 docs/how-to/operations/read-compliance-reports.md create mode 100644 docs/reference/operations/security.md diff --git a/docs/how-to/operations/deploy-prowler.md b/docs/how-to/operations/deploy-prowler.md index 8c9980b..2b29d39 100644 --- a/docs/how-to/operations/deploy-prowler.md +++ b/docs/how-to/operations/deploy-prowler.md @@ -33,11 +33,7 @@ Prowler's Kubernetes provider runs ~70 checks from the CIS Kubernetes Benchmark ## Reports -Reports are written to `sifaka:/volume1/reports/prowler//` in three formats: - -- **HTML** — human-readable, self-contained, filterable -- **CSV** — flat tabular, one row per finding -- **JSON-OCSF** — structured, for SIEM ingestion +Reports are written to `sifaka:/volume1/reports/prowler/` with timestamped filenames. See [[read-compliance-reports]] for how to access and interpret them. ## Running an ad-hoc scan @@ -55,9 +51,11 @@ kubectl logs -f job/prowler-manual -n prowler --context=minikube-indri Custom slim build at `containers/prowler/Dockerfile` — strips PowerShell, Trivy, and non-Kubernetes providers from upstream. See [[build-container-image]] for the build/release process. -**TODO:** Mirror prowler-cloud/prowler on forge for supply chain control. +Source is mirrored at `forge.ops.eblu.me/mirrors/prowler`. ## See also +- [[security]] — security & compliance posture overview +- [[read-compliance-reports]] — how to access and interpret scan reports - [[deploy-k8s-service]] — general K8s deployment how-to - [[build-container-image]] — container build pipeline diff --git a/docs/how-to/operations/read-compliance-reports.md b/docs/how-to/operations/read-compliance-reports.md new file mode 100644 index 0000000..e2088f7 --- /dev/null +++ b/docs/how-to/operations/read-compliance-reports.md @@ -0,0 +1,79 @@ +--- +title: Read Compliance Reports +modified: 2026-03-24 +last-reviewed: 2026-03-24 +tags: + - how-to + - security + - compliance +--- + +# Read Compliance Reports + +How to access and interpret compliance scan reports from [[prowler]] and other security scanners. + +## Accessing reports + +Reports are stored on sifaka at `/volume1/reports/`. Each scanner writes to its own subdirectory: + +| Scanner | Path | Schedule | +|---------|------|----------| +| [[prowler]] | `sifaka:/volume1/reports/prowler/` | Weekly (Sunday 3am) | + +Copy reports to your local machine (remember `scp -O` for sifaka): + +```fish +scp -O sifaka:/volume1/reports/prowler/prowler-output-In-Cluster-*.html /tmp/ +open /tmp/prowler-output-In-Cluster-*.html +``` + +## Report formats + +### HTML + +Open in a browser. Self-contained, filterable by severity, status, and service. Best for human review — shows pass/fail per check with remediation guidance. + +### CSV + +One row per finding. Columns include check ID, status, severity, resource, namespace, description, and remediation. Good for filtering in a spreadsheet or scripting. + +### JSON-OCSF + +Open Cybersecurity Schema Framework format. Machine-parseable, suitable for SIEM ingestion or programmatic analysis. + +### Compliance CSV + +In the `compliance/` subdirectory. Findings mapped to specific framework requirement IDs (e.g., CIS 1.11 section numbers). Shows which controls pass or fail. + +## Interpreting results + +### Status values + +- **PASS** — the resource is configured securely per the check +- **FAIL** — remediation is recommended +- **MANUAL** — Prowler cannot determine the result automatically (e.g., kubelet file permissions when not running on the node) +- **MUTED** — the finding was explicitly suppressed via a mutelist + +### Severity + +Findings are categorized as **critical**, **high**, **medium**, or **low**. Focus on critical and high first. + +### Expected failures + +Not all failures require action. Common expected failures in our minikube cluster: + +- **Core/pod security (high):** System pods (ArgoCD, external-secrets, tailscale-operator) legitimately need elevated privileges. These can be mutelisted. +- **Apiserver (medium):** Audit logging, profiling, and some admission plugins are not configured in minikube defaults. Low risk for a homelab. +- **Kubelet (high):** Anonymous auth or read-only port settings from minikube defaults. + +### Acting on findings + +1. **Triage** — review new failures, distinguish real issues from expected noise +2. **Remediate** — fix what you can (pod security contexts, RBAC tightening) +3. **Mutelist** — suppress expected/accepted failures via Prowler's `--mutelist-file` to reduce noise in future scans +4. **Track** — compare reports over time to spot regressions + +## See also + +- [[security]] — security & compliance posture overview +- [[deploy-prowler]] — Prowler deployment and ad-hoc scans diff --git a/docs/reference/operations/security.md b/docs/reference/operations/security.md new file mode 100644 index 0000000..8a621b1 --- /dev/null +++ b/docs/reference/operations/security.md @@ -0,0 +1,53 @@ +--- +title: Security & Compliance +modified: 2026-03-24 +last-reviewed: 2026-03-24 +tags: + - operations + - security +--- + +# Security & Compliance + +Security posture and compliance scanning for BlumeOps infrastructure. + +## Compliance frameworks + +| Framework | Tool | Cluster | Notes | +|-----------|------|---------|-------| +| CIS Kubernetes Benchmark v1.11 | [[prowler]] | minikube-indri | Weekly CronJob, ~82 checks | +| PCI DSS v4.0 (K8s mapping) | [[prowler]] | minikube-indri | Reuses CIS checks mapped to PCI requirements | +| ISO 27001:2022 (K8s mapping) | [[prowler]] | minikube-indri | Partial — 22 of 92 controls mapped | + +## Scanning tools + +- [[prowler]] — CIS Kubernetes Benchmark scanner (weekly CronJob) + - [[deploy-prowler]] — deployment and ad-hoc scan how-to + - [[read-compliance-reports]] — accessing and interpreting reports + +## Identity & access + +- [[authentik]] — SSO/OIDC provider for all web services +- RBAC — Kubernetes role-based access control (audited by Prowler RBAC checks) + +## Network & TLS + +- [[caddy]] — TLS termination for `*.ops.eblu.me` services +- [[flyio-proxy]] — public ingress via Fly.io tunnel +- Tailscale — zero-trust mesh networking across all nodes + +## Secrets management + +- [[1password]] — root credential store +- [[external-secrets]] — Kubernetes secrets synced from 1Password + +## Reports + +All compliance scan reports are stored on `sifaka:/volume1/reports/`. See [[read-compliance-reports]] for access and interpretation. + +## Known gaps + +- No SOC 2 compliance mapping for Kubernetes (Prowler only maps SOC 2 for AWS/Azure/GCP) +- k3s control plane checks produce no results (embedded binary, no static pods) — consider kube-bench +- No container image vulnerability scanning yet (Prowler has an `image` provider) +- No IaC scanning of manifests/Dockerfiles yet (Prowler has an `iac` provider using Trivy) diff --git a/docs/reference/services/prowler.md b/docs/reference/services/prowler.md index 997a3a5..f68a573 100644 --- a/docs/reference/services/prowler.md +++ b/docs/reference/services/prowler.md @@ -27,4 +27,6 @@ Runs Prowler 5 as a CronJob against minikube-indri, executing CIS Kubernetes Ben ## See also +- [[security]] — security & compliance posture overview - [[deploy-prowler]] — deployment how-to, ad-hoc scan instructions, check relevance notes +- [[read-compliance-reports]] — how to access and interpret reports