diff --git a/modules/auto-lock-process-baselines-known-limitations.adoc b/modules/auto-lock-process-baselines-known-limitations.adoc new file mode 100644 index 000000000000..9ce34def553b --- /dev/null +++ b/modules/auto-lock-process-baselines-known-limitations.adoc @@ -0,0 +1,21 @@ +// Module included in the following assemblies: +// +// * operating/evaluate-security-risks.adoc +:_mod-docs-content-type: CONCEPT +[id="auto-lock-process-baselines-known-limitations_{context}"] += Auto-lock process baselines known limitations + +[role="_abstract"] +Central, Central DB, and Sensor consume more CPU and memory resources when process baseline auto-lock is enabled. This can lead to CPU throttling and pods crashing due to running out of memory. + +The following results were obtained from tests with 1,000 deployments in which 5,000 process were spawned every 30 seconds (166.67 processes per second). The test was run with the feature enabled and disabled. Resource usage was compared between the two tests. For the tests the process baseline generation duration was set to three minutes and the rate of process creation did not change after the baseline generation period ended. + +* Sensor used 24 Mb more memory. +* The difference in Sensor memory usage did not appear to increase with time. +* Sensor CPU usage increased by 0.14 CPUs. +* Central used 175 Mb more memory. +* The rate of increase of Central memory usage was 65 Kb per second greater with auto-lock enabled. +* Central CPU usage increased by 0.12 CPUs. +* Central DB used 296 Mb more memory with auto-lock enabled. +* The difference in Central DB memory usage did not appear to increase over time. +* Central DB CPU usage was low and increased by 0.03 CPUs. diff --git a/modules/auto-lock-process-baselines.adoc b/modules/auto-lock-process-baselines.adoc new file mode 100644 index 000000000000..2943721db31a --- /dev/null +++ b/modules/auto-lock-process-baselines.adoc 
@@ -0,0 +1,27 @@ +// Module included in the following assemblies: +// +// * operating/evaluate-security-risks.adoc +:_mod-docs-content-type: PROCEDURE +[id="auto-lock-process-baselines_{context}"] += Configuring auto-lock for process baselines + +[role="_abstract"] +You can configure {product-title-short} to automatically lock process baselines when they leave the observation period. The auto-lock feature must be enabled in both Central and in the secured cluster. + +Note the following guidelines when using this feature: + +* The feature is enabled in Central by default and disabled in the secured clusters by default. Therefore, enabling the feature does not require restarting Central. However, changing the state of the feature in Central does require a restart of Central. +* The feature is only enabled for process baselines for secured clusters where the feature is enabled. +* Disabling the feature after it has been enabled does not unlock process baselines that have been locked by the feature. +* Enabling the feature does not lock process baselines that left the observation period before the feature was enabled. + +.Procedure + +. In the {ocp} web console, go to the {product-title-short} Operator page. +. In the top navigation menu, select *Secured Cluster*. +. Click the instance name, for example, *stackrox-secured-cluster-services*. +. Use one of the following methods to change the setting: +* In the *Form view*, under *Process baselines settings* -> *Auto Lock*, select *Enabled* or *Disabled*. +* Click *YAML* to open the YAML editor and locate the `spec.processBaselines.autoLock` attribute. Change to `Enabled` or `Disabled`. +. Click *Save.* +. To enable or disable the feature in Central, set the `ROX_AUTO_LOCK_PROCESS_BASELINES` environment variable. The default value is `true`. 
diff --git a/modules/bulk-locking-and-unlocking-process-baselines.adoc b/modules/bulk-locking-and-unlocking-process-baselines.adoc new file mode 100644 index 000000000000..0394e3a24779 --- /dev/null +++ b/modules/bulk-locking-and-unlocking-process-baselines.adoc @@ -0,0 +1,27 @@ +// Module included in the following assemblies: +// +// * operating/evaluate-security-risks.adoc +:_mod-docs-content-type: REFERENCE +[id="bulk-locking-and-unlocking-process-baselines_{context}"] += Bulk locking and unlocking process baselines + +[role="_abstract"] +You can lock or unlock all process baselines in a cluster by using API endpoints. You can specify an optional set of namespaces to limit the action to just those namespaces. The API endpoints are as follows: + +* `/v1/processbaselines/bulk/lock` +* `/v1/processbaselines/bulk/unlock` + +The following example shows the input for the endpoints: + +[source,json] +---- +{ + "cluster_id": "aeaaaaaa-0000-0000-0000-000000000000", + "namespaces": [ + "stackrox", + "gmp-system" + ] +} +---- + +These endpoints return success or an error. diff --git a/modules/secured-cluster-services-config.adoc b/modules/secured-cluster-services-config.adoc index f1dc790d7bf3..c86c84ca20b9 100644 --- a/modules/secured-cluster-services-config.adoc +++ b/modules/secured-cluster-services-config.adoc 
@@ -249,6 +249,9 @@ If you do not create this account, you must complete future upgrades manually if | `auditLogs.disableCollection` | If you set this option to `true`, {product-title} disables the audit log detection features used to detect access and modifications to configuration maps and secrets. +| `autoLockProcessBaselines.enabled` +| If you set this option to `true`, {product-title} enables automatically locking process baselines. The default is `false`. + | `scanner.disable` | If you set this option to `false`, {product-title} deploys a Scanner-slim and Scanner DB in the secured cluster to allow scanning images on the integrated OpenShift image registry. Enabling Scanner-slim is supported on {ocp} and Kubernetes secured clusters. Defaults to `true`. diff --git a/modules/use-process-baselines.adoc b/modules/use-process-baselines.adoc index 516b0c0b34e0..95e703be4379 100644 --- a/modules/use-process-baselines.adoc +++ b/modules/use-process-baselines.adoc @@ -28,10 +28,13 @@ After an hour from when {product-title} receives the first process indicator fro At this point: * {product-title} stops adding processes to the process baselines. -* New processes that are not in the process baseline show up as risks, but they do not trigger any violations. +* New processes that are not in the process baseline show up as risks, but they do not by default trigger any violations. -To generate violations, you must manually lock the process baseline. -//See <> for more details. +To generate violations, you must either manually lock the process baseline, or enable process baseline auto-lock feature. +//See <> for more details about manually locking and unlocking process baselines. +//See <> for more details about enabling the process baselines auto-lock feature. +//See <> for information how enabling the process baselines auto-lock feature may degrade performance. +//See <> for information on how to manually lock or unlock process baselines in bulk. In a *locked* state: 
diff --git a/operating/evaluate-security-risks.adoc b/operating/evaluate-security-risks.adoc index 1700e61827e7..eb77b7058f02 100644 --- a/operating/evaluate-security-risks.adoc +++ b/operating/evaluate-security-risks.adoc @@ -49,3 +49,9 @@ include::modules/add-process-to-baseline.adoc[leveloffset=+2] include::modules/remove-process-from-baseline.adoc[leveloffset=+2] include::modules/lock-and-unlock-process-baselines.adoc[leveloffset=+2] + +include::modules/auto-lock-process-baselines.adoc[leveloffset=+2] + +include::modules/auto-lock-process-baselines-known-limitations.adoc[leveloffset=+3] + +include::modules/bulk-locking-and-unlocking-process-baselines.adoc[leveloffset=+3]
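Review bot: In `auto-lock-process-baselines-known-limitations.adoc`, the memory units in the results list should be `MB`/`KB` (bytes) rather than `Mb`/`Kb`, which read as megabits/kilobits, and "5,000 process were spawned" should be "5,000 processes were spawned". Because the abstract warns about CPU throttling and pods crashing from running out of memory, the test description would be more useful if it stated the CPU and memory limits configured for Central, Central DB and Sensor during the run, so readers can relate the 24 MB / 175 MB / 296 MB deltas to their own limits.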
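Review bot: In `auto-lock-process-baselines.adoc`, the first guideline reads as contradictory: "enabling the feature does not require restarting Central. However, changing the state of the feature in Central does require a restart of Central." Split it into what needs no restart (enabling it on the secured cluster) and what does (changing `ROX_AUTO_LOCK_PROCESS_BASELINES` on Central). The last procedure step says to set that environment variable but not where it is set (the Central deployment) or that Central must be restarted afterwards, which the guideline above implies. Minor: `Click *Save.*` should be `Click *Save*.` so the period is outside the bold.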
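Review bot: In `bulk-locking-and-unlocking-process-baselines.adoc`, the endpoint description does not state the HTTP method for `/v1/processbaselines/bulk/lock` and `/v1/processbaselines/bulk/unlock`, nor what happens when `namespaces` is omitted (all namespaces in the cluster, or none). "These endpoints return success or an error" gives the reader nothing to act on; state the success response and at least the obvious error cases (for example an unknown `cluster_id`) and the permission a caller needs, since bulk locking changes which processes raise violations across a whole cluster.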
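Review bot: In `secured-cluster-services-config.adoc`, the new `autoLockProcessBaselines.enabled` row should say that the feature must also be enabled in Central (`ROX_AUTO_LOCK_PROCESS_BASELINES`, per the auto-lock module) for baselines to actually lock; as written, a reader who sets only this Helm value will expect locking to happen. Also, this key differs from the Operator CR attribute `spec.processBaselines.autoLock` used in the procedure module; a short cross-reference between the Helm value and the CR attribute would avoid confusion about which to set.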
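Review bot: In `use-process-baselines.adoc`, the four `//See <> for more details ...` lines are commented-out xrefs with empty targets; either fill them in with `xref:` links to the new module ids (`auto-lock-process-baselines_{context}`, `auto-lock-process-baselines-known-limitations_{context}`, `bulk-locking-and-unlocking-process-baselines_{context}`) or drop them before merging, since commented placeholders tend to survive indefinitely. Wording: "enable process baseline auto-lock feature" needs "the", and "for information how enabling" should be "for information on how enabling".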
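Review bot: In `evaluate-security-risks.adoc`, `bulk-locking-and-unlocking-process-baselines.adoc` is included at `leveloffset=+3`, which nests it under the auto-lock section, but bulk locking is a manual API operation, not part of auto-lock (the module is typed REFERENCE and the `use-process-baselines.adoc` hunk presents it separately from the auto-lock feature). Including it at `leveloffset=+2` as a sibling of `lock-and-unlock-process-baselines.adoc` matches that structure; the known-limitations module at `+3` under auto-lock is placed correctly.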