diff --git a/modules/kubernetes/crowdsec/main.tf b/modules/kubernetes/crowdsec/main.tf index e272bcd5..18ae57a3 100644 --- a/modules/kubernetes/crowdsec/main.tf +++ b/modules/kubernetes/crowdsec/main.tf @@ -7,6 +7,7 @@ variable "crowdsec_dash_api_key" { type = string } # used for web dash variable "crowdsec_dash_machine_id" { type = string } # used for web dash variable "crowdsec_dash_machine_password" { type = string } # used for web dash variable "tier" { type = string } +variable "slack_webhook_url" { type = string } module "tls_secret" { source = "../setup_tls_secret" @@ -97,7 +98,7 @@ resource "helm_release" "crowdsec" { repository = "https://crowdsecurity.github.io/helm-charts" chart = "crowdsec" - values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key })] + values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url })] timeout = 3600 } diff --git a/modules/kubernetes/crowdsec/values.yaml b/modules/kubernetes/crowdsec/values.yaml index 034d803a..efec9e53 100644 --- a/modules/kubernetes/crowdsec/values.yaml +++ b/modules/kubernetes/crowdsec/values.yaml 
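Review bot: The new `slack_webhook_url` variable holds a Slack incoming-webhook URL, which is a bearer credential (anyone who has it can post to the channel), yet it is declared without `sensitive = true`, so its value will appear verbatim in `terraform plan` output and in any CI log that echoes module inputs. Declare it as `variable "slack_webhook_url" { type = string sensitive = true } # Slack incoming-webhook URL; a bearer credential, never log it`, matching however `db_password` and `enroll_key` are declared at the top of this file (outside the hunk, so I cannot confirm they are marked sensitive). Be aware that once this input is sensitive, Terraform will redact the whole `values` list of the `helm_release` in plan diffs, which makes unrelated values.yaml changes harder to review; that is the usual trade-off and worth a short comment next to the variable.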
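Review bot: Passing `SLACK_WEBHOOK_URL` into `templatefile` means the rendered values string, webhook included, is persisted in plaintext in the Terraform state and in the in-cluster Helm release Secret for every revision, regardless of how the variable is marked; nothing in this line prevents that, so the exposure should at least be documented. I would add above the `values` line: `# NOTE: values (including DB_PASSWORD, ENROLL_KEY, SLACK_WEBHOOK_URL) are stored in TF state and Helm release history` so the next maintainer knows state-bucket access equals secret access. As a style point, the single-line `templatefile(...)` call has grown to six key/value pairs; splitting the map one key per line would make future additions reviewable in a diff. The `helm_release` resource starts before this hunk.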
@@ -5,19 +5,19 @@ agent: # To specify each pod you want to process it logs (pods present in the node) acquisition: # The namespace where the pod is located - - namespace: ingress-nginx + - namespace: traefik # The pod name - podName: ingress-nginx-controller-* + podName: traefik-* # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs - program: nginx + program: traefik # Those are ENV variables env: # As it's a test, we don't want to share signals with CrowdSec so disable the Online API. # - name: DISABLE_ONLINE_API # value: "true" - # As we are running Nginx, we want to install the Nginx collection + # As we are running Traefik, we want to install the Traefik collection - name: COLLECTIONS - value: "crowdsecurity/nginx crowdsecurity/base-http-scenarios crowdsecurity/http-cve" + value: "crowdsecurity/traefik crowdsecurity/base-http-scenarios crowdsecurity/http-cve" - name: SCENARIOS value: "" # value: "crowdsecurity/http-crawl-aggressive" @@ -133,6 +133,8 @@ config: decisions: - type: captcha duration: 4h + notifications: + - slack_alerts on_success: break --- # Default: Ban for serious attacks (CVE exploits, scanners, brute force) @@ -142,6 +144,8 @@ config: decisions: - type: ban duration: 4h + notifications: + - slack_alerts on_success: break --- name: default_range_remediation @@ -150,6 +154,8 @@ config: decisions: - type: ban duration: 4h + notifications: + - slack_alerts on_success: break config.yaml.local: | @@ -170,3 +176,19 @@ config: - "192.168.0.0/16" - "10.0.0.0/8" - "172.16.0.0/12" + + notifications: + slack.yaml: | + type: slack + name: slack_alerts + log_level: info + format: | + :rotating_light: *CrowdSec Alert* + {{range .}} + *Scenario:* {{.Alert.Scenario}} + *Source IP:* {{.Alert.Source.IP}} ({{.Alert.Source.Cn}}) + *Decisions:* + {{range .Alert.Decisions}} - {{.Type}} for {{.Duration}} (scope: {{.Scope}}, value: {{.Value}}) + {{end}} + {{end}} + webhook: ${SLACK_WEBHOOK_URL} 
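Review bot: `webhook: ${SLACK_WEBHOOK_URL}` places the raw webhook URL into `config.notifications.slack.yaml`, which, as far as I can tell from the crowdsec chart, is rendered into a ConfigMap rather than a Secret, so the credential becomes readable by any principal with `get configmaps` in the crowdsec namespace and stays in Helm release history. If the chart or plugin version in use supports it, keep the URL in a Kubernetes Secret and reference it from the plugin config instead; otherwise document the exposure with a comment directly above `webhook:`, e.g. `# NOTE: lands in a ConfigMap in plaintext; rotate the Slack webhook if this namespace is compromised`. Separately, the plugin block sets no batching, and these profiles fire exactly during scans and brute-force bursts, so one alert per decision can flood the channel and get the webhook rate-limited by Slack; if the plugin supports them, adding `group_wait: 30s` and `group_threshold: 10` (confirm the keys against the installed plugin's docs) would bound that. The `config:` mapping these hunks belong to starts before the first hunk shown.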
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index 49c58073..d3f0151f 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -589,6 +589,7 @@ module "crowdsec" { crowdsec_dash_api_key = var.crowdsec_dash_api_key crowdsec_dash_machine_id = var.crowdsec_dash_machine_id crowdsec_dash_machine_password = var.crowdsec_dash_machine_password + slack_webhook_url = var.alertmanager_slack_api_url } module "resume" {
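Review bot: Wiring `slack_webhook_url = var.alertmanager_slack_api_url` reuses the Alertmanager webhook for CrowdSec, so both systems share one credential and one channel: rotating or revoking the webhook for either breaks the other, and a leak from the crowdsec namespace exposes Alertmanager's delivery path as well. A dedicated `crowdsec_slack_webhook_url` variable (or at least a comment such as `# deliberately shares the Alertmanager webhook; rotate both together`) would make the coupling explicit. I also cannot see from this hunk whether `var.alertmanager_slack_api_url` is declared `sensitive = true`; if it is not, the value will surface in plan output through this new assignment. The `module "crowdsec"` block starts before this hunk.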