
Laravel Directory Permission on Ubuntu

Change User Group

    sudo usermod -a -G www-data $USER

Change Ownership of Laravel Directory

    sudo chgrp -R www-data /home/laravel/www

Change storage Directory Permission

    sudo chmod -R 775 /home/laravel/www/storage

Permanent Solution

    sudo setfacl -d -R -m u:$USER:rwx,g:www-data:rwx,o:rx /home/laravel/www

Kubernetes Audit Policy

Audit Stages

Stage             Description
RequestReceived   The stage for events generated as soon as the audit handler receives the request, and before it is delegated down the handler chain.
ResponseStarted   Once the response headers are sent, but before the response body is sent. This stage is only generated for long-running requests (e.g. watch).
ResponseComplete  The response body has been completed and no more bytes will be sent.
Panic             Events generated when a panic occurred.

Kubernetes Immutable Infrastructure

Mutable Infrastructure

Immutable Infrastructure

Rolling Update: In Kubernetes, it's Rolling Update.

Ensure Immutability of Containers at Runtime

PodSecurityPolicy: In Kubernetes, we can use PodSecurityPolicy for that.

nginx.yaml

    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        run: nginx
      name: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        securityContext:
          readOnlyRootFilesystem: true
          privileged: true
        volumeMounts:
        - name: cache-volume
          mountPath: /var/cache/nginx
        - name: runtime-volume
          mountPath: /var/run
      volumes:
      - name: cache-volume
        emptyDir: {}
      - name: runtime-volume
        emptyDir: {}

psp.

Kubernetes Falco

Perform Behaviour Analytics of syscalls

Analytics of syscalls: We have to be notified when crackers execute unexpected syscalls, so we have to build a system for that.

Falco

Falco, the cloud-native runtime security project, is the de facto Kubernetes threat detection engine.

Falco Architecture

Falco Install as a Package

Download

    curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
    echo "deb https://download.falco.org/packages/deb stable main" | tee -a /etc/apt/sources.

Docker Scan Images for Known Vulnerabilities

CVE (Common Vulnerabilities and Exposures)

The Common Vulnerabilities and Exposures system provides a reference method for publicly known information-security vulnerabilities and exposures.

CVE Severity Scores

CVSS v2.0 Ratings

Severity   Base Score Range
Low        0.0-3.9
Medium     4.0-6.9
High       7.0-10.0

CVSS v3.0 Ratings

Severity   Base Score Range
None       0.0
Low        0.1-3.9
Medium     4.0-6.9
High       7.0-8.9
Critical   9.0-10.0

Trivy

Trivy: A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.

Kubernetes KUBESEC

KUBESEC: Security risk analysis for Kubernetes resources (KUBESEC.IO)

kubesec-test.yaml

    apiVersion: v1
    kind: Pod
    metadata:
      name: kubesec-demo
    spec:
      containers:
      - name: kubesec-demo
        image: gcr.io/google-samples/node-hello:1.0
        securityContext:
          readOnlyRootFilesystem: true

Command Line Usage

    kubesec scan kubesec-test.yaml

Docker Usage

    docker run -i kubesec/kubesec:512c5e0 scan /dev/stdin < kubesec-test.yaml

HTTP Server

CLI with HTTP, Run Background

    kubesec http 8080 &

Output:

    [1] 12345
    {"severity":"info","timestamp":"2019-05-12T11:58:34.