Release prep: 54 engines, self-hosted signatures, i18n, dashboard updates

deploy/k8s-network-policy.yaml

@@ -0,0 +1,196 @@
+# SEC-011: K8s NetworkPolicy для изоляции SOC pods
+# Применяется: kubectl apply -f k8s-network-policy.yaml
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: soc-ingest-policy
+  namespace: sentinel
+  labels:
+    app: sentinel-soc
+    component: ingest
+    security: sec-011
+spec:
+  podSelector:
+    matchLabels:
+      app: sentinel-soc
+      component: ingest
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Accept from external (sensors, dashboard)
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: sentinel
+        - podSelector:
+            matchLabels:
+              app: sentinel-sensor
+      ports:
+        - protocol: TCP
+          port: 9750
+  egress:
+    # Only to correlate (IPC)
+    - to:
+        - podSelector:
+            matchLabels:
+              component: correlate
+      ports:
+        - protocol: TCP
+          port: 19751
+    # DNS resolution
+    - to:
+        - namespaceSelector: {}
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: soc-correlate-policy
+  namespace: sentinel
+  labels:
+    app: sentinel-soc
+    component: correlate
+    security: sec-011
+spec:
+  podSelector:
+    matchLabels:
+      app: sentinel-soc
+      component: correlate
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Only from ingest
+    - from:
+        - podSelector:
+            matchLabels:
+              component: ingest
+      ports:
+        - protocol: TCP
+          port: 19751
+  egress:
+    # Only to respond (IPC)
+    - to:
+        - podSelector:
+            matchLabels:
+              component: respond
+      ports:
+        - protocol: TCP
+          port: 19752
+    # DNS
+    - to:
+        - namespaceSelector: {}
+      ports:
+        - protocol: UDP
+          port: 53
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: soc-respond-policy
+  namespace: sentinel
+  labels:
+    app: sentinel-soc
+    component: respond
+    security: sec-011
+spec:
+  podSelector:
+    matchLabels:
+      app: sentinel-soc
+      component: respond
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Only from correlate
+    - from:
+        - podSelector:
+            matchLabels:
+              component: correlate
+      ports:
+        - protocol: TCP
+          port: 19752
+  egress:
+    # HTTPS outbound for webhooks
+    - to: []
+      ports:
+        - protocol: TCP
+          port: 443
+    # DNS
+    - to:
+        - namespaceSelector: {}
+      ports:
+        - protocol: UDP
+          port: 53
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: soc-immune-policy
+  namespace: sentinel
+  labels:
+    app: sentinel-soc
+    component: immune
+    security: sec-011
+spec:
+  podSelector:
+    matchLabels:
+      app: sentinel-soc
+      component: immune
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Health checks from watchdog mesh
+    - from:
+        - podSelector:
+            matchLabels:
+              app: sentinel-soc
+      ports:
+        - protocol: TCP
+          port: 9760
+  egress:
+    # Watchdog mesh heartbeats to peers
+    - to:
+        - podSelector:
+            matchLabels:
+              app: sentinel-soc
+      ports:
+        - protocol: TCP
+          port: 9760
+        - protocol: TCP
+          port: 9770
+    # DNS
+    - to:
+        - namespaceSelector: {}
+      ports:
+        - protocol: UDP
+          port: 53
+
+---
+
+# Default deny all in sentinel namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: sentinel
+  labels:
+    security: sec-011
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress

deploy/policies/soc_runtime_policy.yaml

@@ -0,0 +1,97 @@
+version: "1.0"
+mode: audit  # audit | enforce | alert
+
+# SEC-002: eBPF Runtime Guard policies for SOC processes.
+# Each process has explicit rules defining allowed behavior.
+# Any deviation triggers alert (audit mode) or block (enforce mode).
+
+processes:
+  soc-ingest:
+    description: "HTTP ingest, auth, secret scanner, rate limit, persist"
+    allowed_exec: []  # No child processes
+    blocked_syscalls:
+      - ptrace
+      - process_vm_readv
+      - process_vm_writev
+      - kexec_load
+      - init_module
+      - finit_module
+    allowed_files:
+      - /var/lib/sentinel/data/*     # SQLite database
+      - /var/log/sentinel/*          # Logs
+      - /tmp/sentinel-soc/*          # IPC sockets
+    blocked_files:
+      - /etc/shadow
+      - /etc/passwd
+      - /root/*
+      - /home/*
+    allowed_network:
+      - "0.0.0.0:9750"              # Ingest HTTP port (listen)
+      - "127.0.0.1:19751"           # IPC to correlate
+    blocked_network:
+      - "10.0.0.0/8"                # Private ranges (no lateral)
+      - "192.168.0.0/16"
+    max_memory_mb: 512
+    max_cpu_percent: 25
+
+  soc-correlate:
+    description: "Correlation rules, incident creation, clustering — NO NETWORK"
+    allowed_exec: []
+    blocked_syscalls:
+      - ptrace
+      - execve
+      - fork
+      - clone3
+      - process_vm_readv
+      - socket           # No network at all
+      - connect
+      - bind
+      - listen
+    allowed_files:
+      - /var/lib/sentinel/data/*     # SQLite (read-only ideally)
+      - /var/lib/sentinel/rules/*    # Custom YAML rules
+      - /tmp/sentinel-soc/*          # IPC sockets
+    blocked_files:
+      - /etc/*
+      - /root/*
+      - /home/*
+      - /proc/*/mem
+    allowed_network: []             # NONE — IPC only via Unix socket
+    max_memory_mb: 1024
+    max_cpu_percent: 50
+
+  soc-respond:
+    description: "Playbook execution, webhook dispatch, audit log — HTTPS only"
+    allowed_exec: []
+    blocked_syscalls:
+      - ptrace
+      - execve
+      - fork
+      - clone3
+      - process_vm_readv
+    allowed_files:
+      - /var/lib/sentinel/audit/*    # Audit log (write)
+      - /tmp/sentinel-soc/*          # IPC sockets
+    blocked_files:
+      - /etc/*
+      - /root/*
+      - /home/*
+      - /var/lib/sentinel/data/*     # No DB access
+    allowed_network:
+      - "0.0.0.0/0:443"             # HTTPS outbound only (webhooks)
+    blocked_network:
+      - "10.0.0.0/8"
+      - "192.168.0.0/16"
+      - "172.16.0.0/12"
+    max_memory_mb: 256
+    max_cpu_percent: 10
+
+alerts:
+  on_violation:
+    - log_to_syslog
+    - send_to_soc_dashboard
+    - increment_circuit_breaker
+  on_critical:
+    - kill_process
+    - isolate_network
+    - notify_architect

deploy/profiles/soc-strict.json

@@ -0,0 +1,87 @@
+{
+  "defaultAction": "SCMP_ACT_ERRNO",
+  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
+  "syscalls": [
+    {
+      "names": [
+        "accept", "accept4", "bind", "connect", "listen", "socket",
+        "sendto", "recvfrom", "sendmsg", "recvmsg", "getsockname",
+        "getpeername", "setsockopt", "getsockopt", "shutdown",
+        "epoll_create1", "epoll_ctl", "epoll_wait", "epoll_pwait",
+        "poll", "select", "pselect6"
+      ],
+      "action": "SCMP_ACT_ALLOW",
+      "comment": "Network — required for HTTP server + SQLite + IPC"
+    },
+    {
+      "names": [
+        "openat", "close", "read", "write", "pread64", "pwrite64",
+        "lseek", "fstat", "stat", "lstat", "access", "faccessat",
+        "fcntl", "dup", "dup2", "dup3", "pipe", "pipe2",
+        "readlink", "readlinkat", "getcwd", "rename", "renameat",
+        "unlink", "unlinkat", "mkdir", "mkdirat", "rmdir",
+        "flock", "fsync", "fdatasync", "ftruncate", "fallocate"
+      ],
+      "action": "SCMP_ACT_ALLOW",
+      "comment": "Filesystem — required for SQLite WAL, audit log, config"
+    },
+    {
+      "names": [
+        "mmap", "munmap", "mprotect", "madvise", "mremap",
+        "brk", "sbrk", "mincore"
+      ],
+      "action": "SCMP_ACT_ALLOW",
+      "comment": "Memory management — required for Go runtime"
+    },
+    {
+      "names": [
+        "futex", "nanosleep", "clock_nanosleep", "clock_gettime",
+        "clock_getres", "gettimeofday", "sched_yield", "sched_getaffinity",
+        "rt_sigaction", "rt_sigprocmask", "rt_sigreturn", "sigaltstack",
+        "getpid", "gettid", "getuid", "getgid", "geteuid", "getegid",
+        "getppid", "getpgrp", "setpgid", "getrusage", "set_tid_address",
+        "set_robust_list", "get_robust_list", "tgkill",
+        "exit", "exit_group", "arch_prctl", "prctl",
+        "rseq", "getrandom", "uname"
+      ],
+      "action": "SCMP_ACT_ALLOW",
+      "comment": "System — required for Go runtime, signals, threads"
+    },
+    {
+      "names": [
+        "clone", "clone3", "wait4", "waitid"
+      ],
+      "action": "SCMP_ACT_ALLOW",
+      "comment": "Thread creation — required for goroutines"
+    },
+    {
+      "names": [
+        "ioctl"
+      ],
+      "action": "SCMP_ACT_ALLOW",
+      "args": [
+        {"index": 1, "value": 21523, "op": "SCMP_CMP_EQ"}
+      ],
+      "comment": "Terminal ioctl TIOCGWINSZ only"
+    },
+    {
+      "names": [
+        "ptrace", "process_vm_readv", "process_vm_writev",
+        "execve", "execveat", "fork", "vfork",
+        "mount", "umount2", "pivot_root", "chroot",
+        "reboot", "kexec_load", "init_module", "finit_module",
+        "delete_module", "create_module",
+        "ioperm", "iopl", "modify_ldt",
+        "setuid", "setgid", "setreuid", "setregid",
+        "setresuid", "setresgid", "setfsuid", "setfsgid",
+        "capset", "personality", "acct",
+        "keyctl", "add_key", "request_key",
+        "bpf", "perf_event_open", "userfaultfd",
+        "seccomp", "unshare", "setns"
+      ],
+      "action": "SCMP_ACT_ERRNO",
+      "errnoRet": 1,
+      "comment": "BLOCKED — ptrace, exec, debug, privilege escalation, kernel modules"
+    }
+  ]
+}