new waf configs

Author: steveh565

README.md

@@ -29,7 +29,7 @@ This implementation is designed to deploy into an existing Azure resource-group
 ### Part I: Regions, Resource Groups, VNets, Subnets, NatGW, NSGs
   1. Clone the repo to your local environment.
   2. Create a Resource Group in the Azure region of your choice.
-  3. Create 3 Network Security Groups:
+  3. Create three Network Security Groups:
       - mgmtNsg (default ruleset)
       - extNsg (default ruleset)
       - intNsg (default ruleset)
@@ -191,6 +191,7 @@ Part V: Deploy the modern observability software stack
   for i in `ls -1 *.yml`; do (kubectl apply -n grafana-system -f $i)
 ```
 ### Part VI: Initial Setup
+
   23. Extract the ElasticSearch admin password using the following command:
 ```bash
   #Fetch ES Creds
@@ -210,13 +211,13 @@ Part V: Deploy the modern observability software stack
   echo ""
 ```
   25. Import the Kibana Dashboards
-    - Login to ElasticSearch with credentials retrieved in Step 23.
-    - In the Main Menu, select Stack Management
-    - In the new menu, under Kibana, select Data Management
-    - Select Dashboards
-    - Select Import
-    - Browse to the local copy of the kibana dashboards and select the first bundle (.ndjson)
-    - Repeat for the second and third bundle
+      - Login to ElasticSearch with credentials retrieved in Step 23.
+      - In the Main Menu, select Stack Management
+      - In the new menu, under Kibana, select Data Management
+      - Select Dashboards
+      - Select Import
+      - Browse to the local copy of the kibana dashboards and select the first bundle (.ndjson)
+      - Repeat for the second and third bundle
 
 ### Part V: Out of the box functionality
 

f5BigIp/irules/userDefinedViolation.tcl

@@ -0,0 +1,74 @@
+when RULE_INIT {
+  #debug logging flag
+  set debug 0
+}
+ 
+when HTTP_REQUEST {
+  # get LTM policy matched rule and chosen ASM security policy
+  set policy [POLICY::names matched]
+  if { $debug } {
+    log local0. "Matched policy [POLICY::names matched]"
+    log local0. "Matched rule in policy [POLICY::rules matched]"
+    log local0. "ASM policy [ASM::policy] enforcing"
+  }
+}
+ 
+when ASM_REQUEST_DONE {
+  # define custom violation conditions
+  # user-defined violation: VIOLATION_TOO_MANY_VIOLATIONS
+  set violationName "VIOLATION_TOO_MANY_VIOLATIONS"
+  if {[ASM::violation count] > 20 and [ASM::severity] eq "Error"} {
+    ASM::raise $violationName
+  }
+  # user-defined violation: X
+  # debug logging
+  if { $debug } {
+    log local0. "SupportID: [ASM::support_id];"
+    log local0. "Request Status: [ASM::status];"
+    log local0. "Severity: [ASM::severity];"
+    log local0. "ClientIP: [ASM::client_ip];"
+    log local0. "Number Violations: [ASM::violation count]"
+    log local0. "Violations Names: [ASM::violation names];"
+    log local0. "Attack Types: [ASM::violation attack_types];"
+    log local0. "Violation details: [ASM::violation details];"
+  }
+}
+
+when ASM_REQUEST_VIOLATION {
+  if { $debug } {
+    log local0. "SupportID: [ASM::support_id];"
+    log local0. "Request Status: [ASM::status];"
+    log local0. "Severity: [ASM::severity];"
+    log local0. "ClientIP: [ASM::client_ip];"
+    log local0. "Number Violations: [ASM::violation count]"
+    log local0. "Violations Names: [ASM::violation names];"
+    log local0. "Attack Types: [ASM::violation attack_types];"
+    log local0. "Violation details: [ASM::violation details];"
+  }
+}
+
+when ASM_RESPONSE_VIOLATION {
+  if { $debug } {
+    log local0. "SupportID: [ASM::support_id];"
+    log local0. "Request Status: [ASM::status];"
+    log local0. "Severity: [ASM::severity];"
+    log local0. "ClientIP: [ASM::client_ip];"
+    log local0. "Number Violations: [ASM::violation count]"
+    log local0. "Violations Names: [ASM::violation names];"
+    log local0. "Attack Types: [ASM::violation attack_types];"
+    log local0. "Violation details: [ASM::violation details];"
+  }
+}
+
+when ASM_REQUEST_BLOCKING {
+  if { $debug } {
+    log local0. "SupportID: [ASM::support_id];"
+    log local0. "Request Status: [ASM::status];"
+    log local0. "Severity: [ASM::severity];"
+    log local0. "ClientIP: [ASM::client_ip];"
+    log local0. "Number Violations: [ASM::violation count]"
+    log local0. "Violations Names: [ASM::violation names];"
+    log local0. "Attack Types: [ASM::violation attack_types];"
+    log local0. "Violation details: [ASM::violation details];"
+  }
+}

helm/argocd/argo.sh

@@ -9,6 +9,6 @@ helm install --upgrade argocd-stack argo/argo-cd -n argocd --create-namespace --
 
 # show elastic-operator logs
 argoPass=`kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d`
-echo "Username: elastic"
+echo "Username: admin"
 echo "Password: ${argoPass}"
 echo ""

terraform/az-auto-scaleset-byol/alb.tf

@@ -7,7 +7,7 @@ resource "azurerm_public_ip" "lbpip" {
   sku                 = "Standard"
   resource_group_name = data.azurerm_resource_group.main.name
   allocation_method   = "Static"
-  domain_name_label   = "overwatch-lbpip"
+  domain_name_label   = "ingress-lbpip"
   tags = {
     owner = var.resourceOwner
   }
@@ -73,6 +73,20 @@ resource "azurerm_lb_rule" "lb_rule-https" {
   probe_id                       = azurerm_lb_probe.lb_probe.id
 }
 
+# Create frontend LB rule
+resource "azurerm_lb_rule" "lb_rule-f5SyslogTcp" {
+  name                           = "LBRule-Syslog-TCP"
+  loadbalancer_id                = azurerm_lb.lb.id
+  protocol                       = "Tcp"
+  frontend_port                  = 8514
+  backend_port                   = 8514
+  frontend_ip_configuration_name = "LoadBalancerFrontEnd"
+  enable_floating_ip             = false
+  backend_address_pool_ids       = [azurerm_lb_backend_address_pool.backend_pool.id]
+  idle_timeout_in_minutes        = 5
+  probe_id                       = azurerm_lb_probe.lb_probe.id
+}
+
 # Create frontend LB rule
 resource "azurerm_lb_rule" "lb_rule-syslogTcp" {
   name                           = "LBRule-Syslog-TCP"