From cd0f40ca574045c0b13bf9148c8d5b18d475315d Mon Sep 17 00:00:00 2001 From: Joshua Eason Date: Tue, 8 Jun 2021 14:54:08 +0000 Subject: [PATCH 1/7] Getting rid of update-checklist-AO branch --- .../issue_templates/Application - Initial.md | 143 ++++++++++++++++-- 1 file changed, 131 insertions(+), 12 deletions(-) diff --git a/.gitlab/issue_templates/Application - Initial.md b/.gitlab/issue_templates/Application - Initial.md index 7ddab91..574f8c6 100644 --- a/.gitlab/issue_templates/Application - Initial.md +++ b/.gitlab/issue_templates/Application - Initial.md @@ -17,6 +17,13 @@ If you need to contact the Container Hardening team, please identify your assign If you have no assignee, feel free to tag Container Hardening leadership in your issue by commenting on this issue with your questions/concerns and then add `/cc @ironbank-notifications/leadership`. Gitlab will automatically notify all Container Hardening leadership to look at this issue and respond. +## Get Unstuck/AMA: +Iron Bank Get Unstuck/AMA Working Sessions every Wednesday from 1630-1730EST. +Need some help with your containers getting through Iron Bank? Have questions on where things are at? Are you feeling stuck and want to figure out the next steps? This is the meeting for you! Come meet with the Iron Bank leadership and engineers to get answers to your questions. + Register in advance for this meeting: https://www.zoomgov.com/meeting/register/vJIsf-ytpz8qHSN_JW8Hl9Qf0AZZXSCSmfo +After registering, you will receive a confirmation email containing information about joining the meeting. + +If you have any questions, please come to our Get Unstuck/AMA sessions. There we will have the right combination of business folks and engineers to get your questions answered. ## Responsibilities 
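Review bot: In the `## Get Unstuck/AMA:` hunk of `Application - Initial.md`, the line `+ Register in advance for this meeting: https://www.zoomgov.com/...` has a stray space after the `+`, so the registration link renders indented (or as a continuation of the previous paragraph) instead of as its own line; drop the leading space. Minor style points in the same block: `1630-1730EST` should read `1630-1730 EST`, and the heading `## Get Unstuck/AMA:` carries a trailing colon that the other `##` headings in this file do not.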
@@ -25,28 +32,140 @@ If this application is owned by a Contributor or Vendor (identifed as `Owner::Co ## Definition of Done -Hardening: -- [ ] Hardening manifest is created and adheres to the schema (https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json) -- [ ] Container builds successfully through the Gitlab CI pipeline -- [ ] Branch has been merged into `development` -- [ ] Project is configured for automatic renovate updates (if possible) -Justifications: -- [ ] All findings have been justified per the above documentation +This checklist is meant to provide a high level overview of the process and steps for getting your container(s) onto Iron Bank. + +- [ ] Create a Repo1 account (https://repo1.dso.mil/users/sign_in) to get access to the public repository of containers. You can register by clicking on the 'Sign in with Iron Bank SSO' button in the sign-in page, followed by the Register button + +- [ ] Fill out the onboarding form: https://p1.dso.mil/#/products/iron-bank/getting-started + +- [ ] Attend our once weekly onboarding session where you can ask questions. [Register here](https://www.zoomgov.com/meeting/register/vJIsce6rpzkqGq9hHHRscNfGENYqvRL1s10%E2%81%A9). + +- [ ] Your Onboarding form will be processed by the Iron Bank team, who will then assign it a priority level and create your repository. 
You will receive an email that your Gitlab issue has been created and is ready for you to complete the hardening process + +- [ ] Ensure that all POCs are assigned to the issue to ensure proper tracking and notifications + +## Hardening Process + +### Repository Requirements + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/structure_requirements.md) + +- [ ] A Dockerfile has been created in the root of the repository + +- [ ] Hardening_manifest.yaml has been created in the root of the repository + +- [ ] The project has a LICENSE or a copy of the EULA + +- [ ] The project has a README in the root of the repository with sufficient instructions on using the Iron Bank version of the image + +- [ ] If your container is an enterprise/commercial container, the opensource version is ready + +- [ ] Scripts used in the Dockerfile are placed into a `scripts` directory + +- [ ] Configuration files are placed into a `config` directory + +- [ ] Project is [configured for automatic renovate updates](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Renovate.md) (if possible) + + - [ ] Renovate.json is present in root of repository + + - [ ] Reviewers have been specified for notifications on new merge requests + +### Dockerfile Requirements + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md) + +- [ ] There is one Dockerfile named Dockerfile + +- [ ] The Dockerfile has the BASE_REGISTRY, BASE_IMAGE, and BASE_TAG arguments (used for local builds; the values in hardening_manifest.yaml are what will be used in the Container Hardening Pipeline) + +- [ ] The Dockerfile is [based on a hardened Iron Bank image](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md#requirements) + +- [ ] The Dockerfile includes a HEALTHCHECK (required if it is an application container) + +- [ ] The Dockerfile starts the container as a non-root USER. 
Otherwise, if you must run as root, you must have proper justification. + +- [ ] If your ENTRYPOINT entails using a script, the script is copied from a scripts directory on the project root + +- [ ] No ADD instructions are used in the Dockerfile + +## Hardening Manifest + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/hardening%20manifest) + +- [ ] Begin with this example and update with relevant information: https://repo1.dso.mil/dsop/dccscr/-/blob/master/hardening%20manifest/hardening_manifest.yaml + +- [ ] Hardening manifest adheres to the following schema: https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json + +- [ ] The BASE_IMAGE and BASE_TAG arguments refer to a hardened/approved Iron Bank image (BASE_REGISTRY defaults to `registry1.dso.mil/ironbank` in the pipeline) + +- [ ] Relevant image metadata has been entered for the corresponding labels + +- [ ] Any downloaded resources include a checksum for verification (letters must be lowercase) + +- [ ] For resource URLs that require authentication, credentials have been provided to an Iron Bank team member + +- [ ] The maintainers' contact information has been provided in the `maintainers` section + +## Gitlab CI Pipeline + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pipeline) + +- [ ] Validate your container builds successfully through the Gitlab CI pipeline. When viewing the repository in repo1.dso.mil, go to `CI/CD > Pipelines` on the left. From there, you can see the status of your pipelines. + +- [ ] Review scan output from `csv output` stage of the pipeline. 
For instructions on downloading the findings spreadsheet, click [here](https://repo1.dso.mil/dsop/dccscr/-/blob/master/pre-approval/spreadsheet.md) + +- [ ] Fix vulnerabilities that were found and run the pipeline again before requesting a merge to the development branch + +## Pre-Approval: + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pre-approval) + +- [ ] Submit a Merge Request to the development branch + +- [ ] Feature branch has been merged into development + +- [ ] All findings from the development branch pipeline have been justified per the above documentation + - [ ] Justifications have been attached to this issue -- [ ] Apply the label `Approval` to indicate this container is ready for the approval phase -Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over. +- [ ] Apply the `Approval` label and remove the `Doing` label to indicate this container is ready for the approval phase + +_Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over._ + +## Approval Process (Container Hardening Team processes): + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/approval) -Approval Process (Container Hardening Team processes): - [ ] Peer review from Container Hardening Team + - [ ] Findings Approver has reviewed and approved all justifications + - [ ] Approval request has been sent to Authorizing Official + - [ ] Approval request has been processed by Authorizing Official -Note: If the above approval process is kicked back for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the `Approval` label. 
+One of the following statuses is assigned: + +- [ ] Conditional approval has been granted by the Authorizing Official for this container (`Approval::Expiring` label is applied) + +- [ ] This container has been approved by the Authorizing Official (`Approved` label is applied) + +_Note: If the above approval process is kicked back for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the `Approval` label._ + +## Post-Approval + +[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/post%20approval) + +- [ ] Your issue has been closed + +- [ ] Your project has been merged into master + +- [ ] Master branch pipeline has completed successfully (at this point, the image is made available on `ironbank.dso.mil` and `registry1.dso.mil` ) + +_Note: Now that your application has been approved, your container(s) will be subjected to continuous monitoring. If new CVEs are discovered or bugs are identified, you will need to address the issues and return to step 5 (Gitlab CI Pipeline). As you make changes, please make sure you are adhering to all of the requirements of the hardening process._ + -## Post Approval ### Continuous Monitoring -- GitLab From 1a8b795596728e7cabc72cacefcde7b71eb8f200 Mon Sep 17 00:00:00 2001 From: ryryryan Date: Mon, 21 Jun 2021 14:06:17 +0000 Subject: [PATCH 2/7] Include Dockerfile --- Dockerfile | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 Dockerfile diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..d7ccc6b --- /dev/null +++ b/Dockerfile 
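Review bot: In the checklist hunk of `Application - Initial.md`, the Post-Approval note says to "return to step 5 (Gitlab CI Pipeline)", but the rewritten checklist has no numbered steps, only headings; say "return to the Gitlab CI Pipeline section" instead. Heading levels are also inconsistent: `### Repository Requirements` and `### Dockerfile Requirements` sit under `## Hardening Process`, while `## Hardening Manifest` and `## Gitlab CI Pipeline` are promoted to the same level as `## Hardening Process` even though they are part of it; pick one level. The schema link still points at `repo1.dsop.io` while every other link in the hunk uses `repo1.dso.mil`. Finally, `Hardening_manifest.yaml` and `Renovate.json` are written with a capital letter but the file names are case-sensitive and the same hunk refers to `hardening_manifest.yaml` in lowercase further down; use the real lowercase names so copy-paste does not produce a file the pipeline ignores.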
@@ -0,0 +1,27 @@ +# These three ARGs must point to an Iron Bank image - the BASE_REGISTRY should always be what is written below; please use \ +# '--build-arg' when building locally to replace these values +# If your container is not based on either the ubi7/ubi8 Iron Bank images, then it should be based on a different Iron Bank image +# Note that you will not be able to pull containers from nexus-docker-secure.levelup-dev.io into your local dev machine +ARG BASE_REGISTRY=registry1.dsop.io +ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal +ARG BASE_TAG=8.4 + +# FROM statement must reference the base image using the three ARGs established +FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} + +ENV REQIRED_PACKAGES="shadow-utils libsemanage" + +RUN microdnf --setopt=tsflags=nodocs install $REQIRED_PACKAGES \ + && useradd sysdig -u 1000 \ + && microdnf remove $REQIRED_PACKAGES \ + && microdnf clean all \ + && rm -rf /var/cache/yum + +ARG BINARY="webhook-v3.2.0" + +COPY ${BINARY} /bin/webhook + +EXPOSE 5000 +HEALTHCHECK --start-period=30s CMD curl -f 127.0.0.1:5000 || exit 1 +USER 1000 +ENTRYPOINT ["/bin/webhook"] \ No newline at end of file -- GitLab From 913be8c76599913f07d6698d3d6beede796333a8 Mon Sep 17 00:00:00 2001 From: ryryryan Date: Mon, 21 Jun 2021 14:12:44 +0000 Subject: [PATCH 3/7] Initial hardening manifest file --- hardening_manifest.yaml | 57 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 hardening_manifest.yaml diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml new file mode 100644 index 0000000..b9821fc --- /dev/null +++ b/hardening_manifest.yaml 
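Review bot: In the `Dockerfile` hunk, `HEALTHCHECK --start-period=30s CMD curl -f 127.0.0.1:5000 || exit 1` depends on `curl`, but the only `RUN` installs `shadow-utils libsemanage` and then removes them again, so nothing in this file guarantees `curl` exists on the `ubi8-minimal` base; verify it is present in the image, otherwise the container reports unhealthy forever. Also confirm the scheme and path: Kubernetes requires admission webhooks to be served over HTTPS, and a plain-HTTP probe to `127.0.0.1:5000` will fail against a TLS listener, so probe whatever health endpoint the webhook actually exposes. `ENV REQIRED_PACKAGES=...` is misspelt (`REQUIRED`) and, being `ENV`, persists into the runtime environment of the final image although it is only needed during the build; inline the package list in the `RUN` or use an `ARG`. `ARG BASE_REGISTRY=registry1.dsop.io` does not match the `registry1.dso.mil` default the checklist states for the pipeline, and the comment about `nexus-docker-secure.levelup-dev.io` is leftover template text. `COPY ${BINARY} /bin/webhook` sets no permissions, yet `ENTRYPOINT ["/bin/webhook"]` executes it directly; add `RUN chmod 755 /bin/webhook` (or an equivalent) so the result does not depend on the mode of the downloaded resource. The file is also missing its trailing newline.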
@@ -0,0 +1,57 @@ +apiVersion: v1 +# The repository name in registry1, excluding /ironbank/ +name: "sysdig/cloudsecurity/admission-controller-3.2.0" +# List of tags to push for the repository in registry1 +# The most specific version should be the first tag and will be shown +# on ironbank.dsop.io +tags: + - "3.2.0" + - "latest" +# Build args passed to Dockerfile ARGs +args: + BASE_IMAGE: "redhat/ubi/ubi8-minimal" + BASE_TAG: "8.4" +# Docker image labels +labels: + org.opencontainers.image.title: "admission-controller-5.3" + ## Human-readable description of the software packaged in the image + org.opencontainers.image.description: "Sysdig - Admission Controller" + ## License(s) under which contained software is distributed + org.opencontainers.image.licenses: "proprietary" + ## URL to find more information on the image + # org.opencontainers.image.url: "FIXME" + ## Name of the distributing entity, organization or individual + org.opencontainers.image.vendor: "Sysdig" + org.opencontainers.image.version: "3.2.0" + ## Keywords to help with search (ex. 
"cicd,gitops,golang") + # mil.dso.ironbank.image.keywords: "FIXME" + ## This value can be "opensource" or "commercial" + mil.dso.ironbank.image.type: "commercial" + ## Product the image belongs to for grouping multiple images + # mil.dso.ironbank.product.name: "FIXME" + + com.sysdig.builddate: "2021-06-16T06:38:36" + com.sysdig.commit: "7ba1422" + com.sysdig.component: "admission-controller" + com.sysdig.release: "3.2.0" + com.sysdig.version: "3.2.0" + com.sysdig.dod.commit: "2dd05a9" + com.sysdig.dod.builddate: "2021-06-16T07:38:00" + com.sysdig.baseimage: "registry1.dsop.io/ironbank/redhat/ubi/ubi8-minimal:8.4" +# List of resources to make available to the offline build context +resources: +- filename: webhook-v3.2.0 + url: https://s3.amazonaws.com/download.draios.com/repo1/admission-controller/webhook-v3.2.0 + validation: + type: sha256 + value: 767d3ceeac6a255b30442e4f2834e765e98f02c9a645b0483a0db76fb6a973c5 + +# List of project maintainers +# FIXME: Fill in the following details for the current container owner in the whitelist +# FIXME: Include any other vendor information if applicable +maintainers: + - email: "aitor.acedo@sysdig.com" + # # The name of the current container owner + name: "Aitor Acedo" + # # The gitlab username of the current container owner + username: "aitor.acedo" -- GitLab From 7a579db4d6d2b7a7d834c0c90ebc0c5648434049 Mon Sep 17 00:00:00 2001 From: ryryryan Date: Mon, 21 Jun 2021 14:16:35 +0000 Subject: [PATCH 4/7] Update README.md --- README.md | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5dc6fa6..e7a6934 100644 --- a/README.md +++ b/README.md 
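Review bot: In the `hardening_manifest.yaml` hunk, `org.opencontainers.image.title: "admission-controller-5.3"` contradicts `name`, `tags`, `org.opencontainers.image.version` and `com.sysdig.release`, which all say `3.2.0`; correct the title. The version is also embedded in `name: "sysdig/cloudsecurity/admission-controller-3.2.0"`, so every release would create a new registry1 repository instead of a new tag on one repository; consider `sysdig/cloudsecurity/admission-controller` with the version carried only by `tags`. Several placeholder comments from the template remain (`# org.opencontainers.image.url: "FIXME"`, `# mil.dso.ironbank.image.keywords: "FIXME"`, `# mil.dso.ironbank.product.name: "FIXME"`, and the two `# FIXME:` lines above `maintainers`); fill them in or delete them before this goes to approval. `com.sysdig.baseimage` records `registry1.dsop.io/...` while the pipeline default stated in the checklist is `registry1.dso.mil`; the `resources` entry with its lowercase `sha256` value is fine.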
@@ -1,3 +1,38 @@ -# +# Sysdig Admission Controller +Sysdig’s Admission Controller uses the Sysdig Secure Image Scanner to evaluate the scan results and the admission context, providing great flexibility on the admission decision. -Project template for all Iron Bank container repositories. \ No newline at end of file +Using native Kubernetes API extensions to perform the image scanning on admission enables major threat prevention with the hardening use case: “Only the images that are explicitly approved will be allowed to run on your cluster.” + +The admission decision relies not only on the image name and tag, but also on additional context from the admission review, including the namespace, pod metadata, etc. + +## Features + + * Registry and repository whitelist + * Global and per-namespace admission configuration + * Accept only the images that pass the scan (default) + * Directly reject non-whitelisted registries / repos, without scanning + * Accept the image even if it doesn’t pass the scan + * Do not accept any image that hasn’t been scanned already + * Pod mutation: image tag is replaced by digest to prevent TOCTOU issue if the tag is updated between the scan and the pod scheduling. 
+ +## Requirements + +* Helm 3 +* Kubernetes 1.16 or higher + +## Installation + +Create a values.yaml overriding the desired values from the [values.yaml file in the repository](https://raw.githubusercontent.com/sysdiglabs/charts/master/charts/admission-controller/values.yaml): + +``` +$ kubectl create ns sysdig-admission-controller +$ helm repo add sysdig https://charts.sysdig.com +$ helm install -n sysdig-admission-controller sysdig-admission-controller -f values.yaml sysdig/admission-controller +``` + +### Basic settings + +The default settings in *values.yaml* should be right for most cases, but you must provide at minimum: + +* **sysdigSecureToken** - The Sysdig Secure Token for your account +* **sysdigSecureUrl** - if the default SasS URL does not fit your environment (if using the on-prem version of Sysdig Secure -- GitLab From b038619b5334c191177115024b512a96112f954a Mon Sep 17 00:00:00 2001 From: Aitor Acedo Date: Tue, 22 Jun 2021 08:06:24 +0000 Subject: [PATCH 5/7] LICENSE first version --- LICENSE | 892 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 892 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..b7e5848 --- /dev/null +++ b/LICENSE 
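Review bot: In the `README.md` hunk, the final bullet `**sysdigSecureUrl** - if the default SasS URL does not fit your environment (if using the on-prem version of Sysdig Secure` has an unclosed parenthesis and `SasS` should be `SaaS`. More substantively, the installation section installs the upstream chart from `https://charts.sysdig.com` with its default image and never mentions the `registry1.dso.mil` image this repository produces, while the checklist in this same MR requires "sufficient instructions on using the Iron Bank version of the image"; add the `values.yaml` overrides that point the chart at the Iron Bank image (repository, tag, and any pull secret needed for registry1). The fenced block carries no language tag (`shell` or `bash` would help rendering). Since `sysdigSecureToken` is an account credential, the README should say to supply it out of band (for example `--set` or a values file kept out of version control) rather than committing a `values.yaml` that contains it.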
@@ -0,0 +1,892 @@ +Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com +LICENSE SUBSCRIPTION AGREEMENT +(On-Premise) +This License Subscription Agreement, including all exhibits, schedules, Statements of Work and Order Forms (as defined below) (collectively, +the “Agreement”) are the terms under which Sysdig, Inc. (“Sysdig”) agrees to grant the customer (“Customer”) use of the Software and access +to the Support Services and Services (as defined below). By indicating Customer’s acceptance of this Agreement, executing an Order Form +that references this Agreement, or using the Software, Support Services and/or Services, Customer agrees to be bound by this Agreement. If +you are entering into this Agreement on behalf of an entity, such as the company you work for, then you represent to Sysdig that you have the +legal authority to bind the Customer to this Agreement. Sysdig and Customer are each a “Party” and collectively, the “Parties”, hereunder. + +1. DEFINITIONS +"Affiliate" means with respect to a Party, any person or entity that +controls, is controlled by, or is under common control with such +Party, where "control" means ownership of fifty percent (50%) or +more of the outstanding voting securities. + +“B2B Relationship Data” means any administrative, transactional +or account related data or communications provided by or on behalf +of Customer to Sysdig in connection with the creation, purchase, +maintenance, or support of Customer’s account with Sysdig. +"Contractor(s)" means any third-party provider, agents, +outsourcers or contractors performing services on Customer's +behalf. + +"Customer Data" means any data or other information which is +provided by (or on behalf of) Customer directly or indirectly in +connection with the Software, Services or Beta Releases, and shall +not include Customer Personal Data or Service Analytics as defined +hereunder. 
+"Customer Personal Data" means any Customer Data which (i) +qualifies as “Personal Data” “Personal Information” “Personally +Identifiable Information” or any substantially similar term under +applicable privacy laws and (ii) is processed by Sysdig on behalf of +Customer in connection with the Agreement. For the avoidance of +doubt, Customer Personal Data shall not include B2B Relationship +Data or Service Analytics as defined hereunder. +"Documentation" means the online help materials, including +technical specifications, describing functionality of the Software +provided by Sysdig on a publicly available website and updated +from time to time. + +"Intellectual Property Rights" means all current and future +worldwide intellectual property rights, including without limitation, +all patents, copyrights, trademarks, service marks, trade names, +domain name rights know-how and other trade secret rights, and all +other intellectual property rights and similar forms of protection, and +all applications and registrations for any of the foregoing. + +"License Entitlement" means the quantity of the license metrics +pursuant to which the Software is licensed by Sysdig, as set forth in +Order Form, which may include servers, agents, containers or hosts. + +"License Keys" means an alphanumeric code that enables use of +the Software. + +“Open Source Software” means a program in which source code +is made publicly and freely available for use and modification +pursuant to certain license terms. + +"Order Form" means a document executed by and between Sysdig +and Customer or electronically accepted by Customer that +references this Agreement, purchase confirmation or any other + +document which details the Software and Services to be provided by +Sysdig, the fees associated therewith, and any other transaction- +specific terms and conditions. 
+“Statement of Work” or “SOW” means a statement of work or +other such executed document that references this Agreement, +whereby Customer engages Sysdig to perform certain training, +consulting, technical account management, professional, or similar +services related thereto. +"Services" means any of the training services, technical account +management services, and/or consulting or other professional +services, pursuant to one or more Order Forms and SOW(s), if +applicable. +"Software" means any current and future Sysdig branded software +that is licensed for use on Customer’s premises or in Customer’s +cloud, during the Subscription Term, including all Updates thereto. +"Subscription Term" means the subscription period(s) specified in +an Order Form during which Customer is licensed to use and deploy +the Software, subject to the terms of this Agreement. +"Support Services" means the maintenance and support services +provided by Sysdig to Customer for the Software. +"Support Services Subscription" means the level of Support +Services purchased by Customer, as set forth in the Order Form. +Sysdig's commitments for each Support Services Subscription are +more fully described in the Support Services Policy, a current copy +of which is set forth in Exhibit A. +“Update” is a Software release that Sysdig makes generally +available to all Sysdig customers, along with any corresponding +changes to Documentation. An Update may be an error correction +or bug fix; or it may be enhancement, new feature, or new +functionality. +LICENSE +2.1. License Scope. Subject to the terms of this Agreement, +Sysdig grants to Customer a limited, revocable, non-exclusive, non- +transferable and non-sublicensable right and license to install and +use, in object code form, solely for internal business purposes, the +Software in accordance with the purchased License Entitlements as +set forth in the Order Form. 
Customer may permit its Contractors +and Affiliates to use and deploy the Software and Documentation +solely on behalf of and for the benefit of Customer, provided that +the Customer shall be liable for the compliance of all Contractors +and Affiliates with this Agreement, Documentation, and the Order +Form(s). +2.2. Delivery and Acceptance. Promptly following +execution of an Order Form and receipt of Customer's purchase +order, if applicable, Sysdig shall make the Software available for +Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com +download or deliver License Keys, which enable the Customer to +download the Software. The Software will be deemed to have been +delivered to Customer upon provision of the License Key or making +the Software available for download. + +2.3. Restrictions. Customer acknowledges that the Software +and its structure, organization and source code constitute valuable +trade secrets of Sysdig. Accordingly, except as otherwise expressly +set forth in this Agreement, Customer may not and shall not permit +any third party to: (a) translate, disclose, modify or create any +derivative works based on the Software; (b) market, sell, license, +sublicense, distribute, publish, display, reproduce, rent, lease, loan, +assign or otherwise transfer to a third party the Software or +Documentation or any copy thereof, in whole or in part; (c) except +to the extent permitted by law, decompile, disassemble, reverse +engineer, or otherwise attempt to derive source code from the +Software, in whole or in part; (d) operate the Software on behalf of +or for the benefit of any third party, including the operation of any +service that is accessed by a third party, for third-party training, +commercial time-sharing or service bureau use; (e) remove any +product identification, proprietary copyright or other notices +contained in the Software; (f) access or use the Software for the +purpose of building 
a product or service in competition with the +Software; and (g) circumvent or attempt to circumvent contractual +usage restrictions. + +2.4. Open Source Software and Third-Party Software. +Customer acknowledges and agrees that certain Open Source +Software libraries, components and utilities, and other third-party +software not owned or developed by Sysdig are embedded in the +Software. The publicly available open source license terms +governing the Open Source Software shall take precedence over this +Agreement to the extent that the Agreement imposes greater +restrictions on Customer. Customer hereby acknowledges that +Sysdig disclaims and makes no representation or warranty with +respect to the Open Source Software, or any portion thereof, and +assumes no liability for any claim that may arise with respect to such +Open Source Software or Customer's use or inability to use the +same. + +2.5. License Entitlement Review. Customer shall monitor +and ensure that use and deployment of the Software under this +Agreement is consistent with the applicable License Entitlement, as +set forth in the relevant Order Form. Sysdig, may, upon reasonable +notice, review Customer’s records of Software usage to verify that +Customer has: (a) used the Software solely in the manner authorized +herein; (b) paid all applicable license fees; and (c) otherwise +complied with the terms of this Agreement and Order Form(s). In +general, Sysdig does not require physical access to Customer's +premises, computing devices or systems in connection with any such +review. If, as a result of the review, it is determined that Customer +is utilizing more licenses than it is entitled under the License +Entitlement as set forth in the Order Form, Customer will promptly +pay directly to Sysdig all underpayments revealed by such review. +2.6 Use of Services Deliverables. 
Subject to Customer’s +payment of all fees due hereunder, Sysdig grants Customer a +limited, non-exclusive, royalty-free, non-sublicensable, non- +transferable license (except as specifically permitted in this +Agreement), to use those elements of the Sysdig Technology (as +defined below) embodied in the Services deliverables, if any, in + +Customer’s ordinary course of business, solely as so embodied. +Sysdig reserves all other rights in and to the Sysdig Technology. +2.7 Affiliates. The Parties agree that their respective Affiliates +may also conduct business under this Agreement by entering into +Order Forms, subject to this Agreement. Accordingly, where +Affiliates of the Parties conduct business hereunder, references to +Customer herein shall include any applicable Affiliate of Customer. +SUPPORT SERVICES +3.1. Sysdig will provide Customer with Support Services in +accordance with the purchased Support Services Subscription, as set +forth in the Order Form. +3.2. Support Services will be delivered to Customer as set +forth in this Agreement, provided that the Customer: notifies Sysdig +of issues in accordance with the Support Services Policy; engages +with Sysdig in good faith to resolve any issues with the Software by +making necessary resources and information available to Sysdig; +makes reasonable efforts to apply the solution recommended by +Sysdig; and has deployed all of the major and minor releases of the +Software issued by Sysdig that are no more than two releases back +or six (6) months old from the date of their release. Customer shall +be entitled to Updates to the extent Sysdig incorporates such +Updates into the Software subject to the applicable Order Form +during the Subscription Term. +SOFTWARE PURCHASED THROUGH +RESELLERS. The Parties agree that Customer may purchase +through Resellers Software, Support Services and Services that are +governed by this Agreement. 
Where Customer purchases through a +Reseller, the Reseller will enter into an Order Form with Sysdig that +shows Customer as the "ship to" party and Reseller as the "bill to" +party, and Reseller and Customer will enter into a separate +agreement setting forth the fees to be paid by Customer to Reseller, +as well as any other terms or conditions that apply between them. +Sysdig hereby agrees that, subject to receiving payment from the +Reseller, Sysdig shall be responsible to Customer, pursuant to the +terms and conditions of this Agreement, for providing the Software +under any such Order Form. Customer hereby acknowledges that +Sysdig will not be responsible for the obligations of any Reseller to +Customer under such separate agreement, for the acts or omissions +of Reseller, or for any third-party products or services furnished to +Customer by any Reseller. For the avoidance of doubt, the Sections +herein entitled “Payment” and “Taxes” will be of no effect where +Customer purchases through a Reseller, as payment and taxes will +be addressed in the agreement between Reseller and Customer. +OWNERSHIP. The Software, Support Services, +Services and Documentation, all copies and portions thereof, and all +Intellectual Property Rights therein, including, but not limited to +derivative works therefrom (“Sysdig Technology”), are and shall +remain the sole and exclusive property of Sysdig notwithstanding +any other provision in this Agreement. Customer is not authorized +to use (and shall not permit any third party to use) the Sysdig +Technology or any portion thereof except as expressly authorized +by this Agreement. +5.1. Service Analytics. Sysdig may process Service Analytics for +internal business purposes in order to deliver, enhance, secure and +support Sysdig products and services, including Software and +Services. Customer may have the ability to configure the Software +to limit the Service Analytics that are collected. Customer may +Sysdig, Inc. 
|85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com +refer to the Documentation and/or Customer’s account +representative for more information. “Service Analytics” means all +information and data that the Software generates or otherwise +obtain from Customer’s use of the foregoing, including but not +limited to usage statistics, telemetry and analytics and similar +information, collected by cookies, web beacons, and other similar +applications. Sysdig may disclose the results of its analysis of the +Service Analytics publicly or to third parties in connection with our +marketing and promotion efforts, including but not limited to +presentations, technical reports and whitepapers, provided that such +results do not contain any personally identifiable information, or +enable a third Party to determine the source of such information. + +PAYMENT; TAXES +6.1. Fees and Payment. All fees are as set forth in the +applicable Order Form and shall be paid by Customer within thirty +(30) days from the date of the invoice, unless otherwise specified in +the applicable Order Form. Except as expressly set forth in an Order +Form: (a) payment obligations are non-cancelable and fees are non- +refundable, unless specifically provided herein; and (b) Customer +may not decrease the purchased number of subscription rights +during the applicable Subscription Term. Where Customer +designates use of a third-party payment processor network, +Customer shall be responsible for payment of all fees and charges +associated with use of such network (including registration, +participation, and payment processing fees) and Sysdig may invoice +for such fees together with the subscription fees or on separate +invoice. + +6.2. Travel and Expenses. 
Customer will pay any +reasonable and actual out-of-pocket expenses incurred in +connection with the Services according to Sysdig’s Travel Policy, +including, without limitation, transportation, lodging, and any +incidentals associated with the Services provided to Customer such +as airfare, hotel, and meals. Sysdig shall provide Customer invoices +and receipts for such costs. + +6.3. Rescheduling Policy Applicable to Services. Sysdig +and Customer will commence Services on a start date to be mutually +agreed to between the Parties. Customer may reschedule Services +by notifying Sysdig in writing (which can include by email) with +fifteen (15) business days’ prior notice and Sysdig will make +commercially reasonable efforts to reschedule. If performance of +the Services is delayed due to Customer’s failure to provide +required access, personnel availability or is otherwise canceled with +less than fifteen (15) business days’ notice once ordered by +Customer, Sysdig may charge Customer the then prevailing daily +charge, plus reimbursement of all travel-related expenses (if +applicable), for each day (up to a maximum of 15 days) for each +person assigned by Sysdig to provide the Services. Sysdig strongly +recommends scheduling the Services engagement in a single +instance over a period of consecutive days. However, in no event +shall Services be scheduled in fewer than in one full day increments, +unless otherwise set forth in an SOW. No Services shall be +scheduled in partial day increments. + +6.4. Effect of Nonpayment. If Customer's account fails +into arrears and continues to remain unpaid for ten (10) days after +Sysdig provides notice to Customer of its delinquency, Sysdig +reserves the right to suspend or terminate this Agreement, +Customer’s right and license to the Software and Customer’s access + +to the Support Services. In the case of termination, Customer shall +uninstall all copies of the deployed Software immediately after the +termination. 
Unpaid amounts may be subject to interest at the lesser +of one and one-half percent (1.5%) per month or the maximum +permitted by law, plus collection costs. +6.5. Taxes. All fees stated on Order Form are exclusive of +any taxes, levies, or duties ("Taxes"), and Customer will be +responsible for payment of all such Taxes excluding taxes based +solely on Sysdig income. Unless Customer provides Sysdig a valid +state sales/use/excise tax exemption certificate, Customer will pay +and be solely responsible for all Taxes. Sysdig may invoice Taxes +in accordance with the applicable law together on one invoice or a +separate invoice. Sysdig reserves the right to determine the Taxes +for a transaction based on Customer's "bill to" or "ship to" address, +or other information provided by Customer on the location of +Customer's use of the Software. Customer will be responsible for +any Taxes, penalties or interests that might apply based on Sysdig's +failure to charge appropriate tax due to incomplete or incorrect +location information provided by Customer. If Customer is required +by any foreign governmental authority to deduct or withhold any +portion of the amount invoiced for the delivery or use of the Service +under this Agreement, Customer shall increase the sum paid to +Sysdig by an amount necessary for the total payment to Sysdig +equal to the amount originally invoiced. +TERM AND TERMINATION +7.1. Term. This Agreement commences on the Effective +Date and unless earlier terminated pursuant to the terms of this +Agreement, the Agreement will continue for so long as there is an +Order Form in effect between the Parties. +7.2. Termination for Cause. 
Either Party may terminate this +Agreement (or any affected Order Form or Statement of Work) (a) +upon the other Party’s material breach that remains uncured for +thirty (30) days following notice of such breach, except that +termination will take effect on notice in the event of a breach of +Section 2.3 (“Restrictions”), Section 2.6 (“Use of Services +Deliverables”) or 11 (“Confidential Information”); or (b) +immediately in the event the other Party becomes the subject of a +petition in bankruptcy or any other proceeding relating to +insolvency, receivership, liquidation or assignment for the benefit +of creditors (and not dismissed within sixty (60) days thereafter). +7.3. Termination for Convenience. Either Party may +terminate this Agreement, Order Form(s) or Statement of Work, for +any reason or for no reason, by providing the other Party at least +thirty (30) days’ prior written notice. However, in the event of a +Customer termination for convenience, Customer shall not be +entitled to any refund or relief from payment of any fees paid or +payable under the Agreement, applicable Order Forms or Statement +of Work. +7.4. Effect of Termination. Upon early termination of this +Agreement by Customer for Sysdig's uncured material breach +pursuant to Section 7 .2 or by Sysdig pursuant to Section 7 .3, +Customer is entitled to a prorated refund of prepaid fees relating to +the Software applicable to the remaining period in the applicable +Subscription Term. Upon expiration or termination of this +Agreement by Sysdig for Customer’s uncured material breach +pursuant to Section 7 .2 or by Customer pursuant to Section 7 .3, fees +applicable to the duration of any applicable Subscription Term will +Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com +be immediately due and payable. Notwithstanding the terms and +conditions of an Order Form, Sysdig reserves the right not to renew +any Order Form. 
In addition, upon expiration or termination of this +Agreement for any reason: (a) all rights granted to Customer under +this Agreement, and Sysdig's obligation to provide Support +Services, Services, the Software and Beta Releases will terminate; +and (b) any payment obligations accrued pursuant to this +Agreement, as well as the provisions of Section 2.5, 5, 6, 7. 4 , 9 , 11, +and 12 of this Agreement will survive such expiration or +termination. Within thirty (30) days after termination of this +Agreement, the Recipient (as defined below) shall return or destroy +(or in the case of electronic data, use commercially reasonable +efforts to delete or render practicably inaccessible by Recipient) all +Confidential Information and materials containing any Confidential +Information of the Discloser (as defined below). Within thirty +(30) days after termination of this Agreement, Customer shall return +or destroy all copies of the Software and Beta Releases, and upon +Sysdig request, provide written certification of compliance with +such request. + +LIMITED WARRANTY +8.1. Mutual Warranties. Each Party represents and +warrants that it has the power and authority to enter into this +Agreement. + +8.2. Limited Performance Warranty. Sysdig warrants to +the Customer that the Software will, for a period of ninety (90) days +following its initial delivery ("Warranty Period"), substantially +conform to the applicable Documentation, provided that the +Software: (a) has been properly installed and used at all times and +in accordance with the applicable Documentation; and (b) has not +been altered or modified by anyone other than Sysdig or its +designee. Sysdig will, at its own expense correct any reproducible +error in the Software reported to Sysdig by Customer in writing +during the Warranty Period. If Sysdig determines that it is unable to +correct the error, Sysdig will replace the Software in accordance +with the Support Services Policy. 
This Section 8 .2 represents +Customer's exclusive remedy, and Sysdig's entire liability, for any +breach of the warranties set forth herein. + +8.3. Malicious Code. Sysdig warrants that Sysdig will not +knowingly introduce, software viruses, worms, Trojan horses or +other code, files, scripts, or agents intended to do harm. +8.4. Warranty Disclaimer. EXCEPT FOR THE +EXCLUSIVE WARRANTIES SET FORTH IN THIS SECTION 8, +TO THE MAXIMUM EXTENT PERMITTED UNDER +APPLICABLE LAW, THE SOFTWARE, DOCUMENTATION +SERVICES AND SUPPORT SERVICES ARE PROVIDED “AS +IS” WITHOUT WARRANTY OF ANY KIND, AND SYSDIG +MAKES NO WARRANTIES, EXPRESS, IMPLIED, +STATUTORY, OR OTHERWISE, WITH REGARDING OR +RELATING TO THE SOFTWARE, DOCUMENTATION, +SERVICES OR SUPPORT SERVICES. SYSDIG +SPECIFICALLY AND EXPLICITLY DISCLAIMS ALL OTHER +WARRANTIES, EXPRESS AND IMPLIED, INCLUDING +WITHOUT LIMITATION THE IMPLIED WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR +PURPOSE, NON-INFRINGEMENT, THOSE ARISING FROM A +COURSE OF DEALING, COURSE OF PERFORMANCE, +USAGE OR TRADE, AND ALL SUCH WARRANTIES ARE +HEREBY EXCLUDED TO THE FULLEST EXTENT + +PERMITTED BY LAW. FURTHER, SYSDIG DOES NOT +WARRANT THAT THE SOFTWARE WILL BE ERROR FREE +OR THAT THE USE OF THE SOFTWARE WILL BE +UNINTERRUPTED. SYSDIG’S SOLE AND EXCLUSIVE +LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE +REMEDY IN RESPECT OF ANY MAINTENANCE OR +SUPPORT ISSUE SHALL BE LIMITED TO THE PROVISION +OF SUPPORT SERVICES. +9. LIMITATION OF REMEDIES AND DAMAGES +9.1. Liability Cap. 
EXCEPT WITH RESPECT TO: (A) +SYSDIG’S OBLIGATIONS UNDER SECTION 10 +(“INDEMNIFICATION”) (FOR WHICH THE LIABILITY +LIMITATION SHALL BE ONE MILLION DOLLARS +($1,000,000) IN THE AGGREGATE); AND (B) CUSTOMER’S +BREACH OF SECTION 2 (“LICENSE”) OR INFRINGEMENT +OF SYSDIG’S INTELLECTUAL PROPERTY, IN NO EVENT +SHALL EITHER PARTY’S TOTAL AGGREGATE LIABILITY +EXCEED THE AMOUNTS PAID BY AND/OR DUE FROM +CUSTOMER FOR THE THEN-CURRENT ANNUAL +SUBSCRIPTION TERM, UNDER THE APPLICABLE ORDER +FORM(S) RELATING TO THE CLAIM. +9.2. Consequential Damages. EXCEPT FOR +CUSTOMER'S INFRINGEMENT OF SYSDIG’S +INTELLECTUAL PROPERTY, IN NO EVENT SHALL EITHER +PARTY, OR SYSDIG'S AFFILIATES OR ITS LICENSORS BE +LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, +SPECIAL, INDIRECT, PUNITIVE OR EXEMPLARY +DAMAGES, INCLUDING WITHOUT LIMITATION LOST +PROFITS, LOSS OF USE, BUSINESS INTERRUPTIONS, LOSS +OF DATA, REVENUE, GOODWILL, PRODUCTION, +ANTICIPATED SAVINGS, OR COSTS OF PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES, IN CONNECTION +WITH OR ARISING OUT OF THE PERFORMANCE OF OR +FAILURE TO PERFORM THIS AGREEMENT, WHETHER +ALLEGED AS A BREACH OF CONTRACT OR TORTIOUS +CONDUCT, INCLUDING NEGLIGENCE, EVEN OF A PARTY +HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES. +9.3. Limitations Fair and Reasonable. EACH PARTY +ACKNOWLEDGES THAT THE LIMITATIONS OF LIABILITY +SET FORTH IN THIS SECTION 9 REFLECT THE +ALLOCATION OF RISK BETWEEN THE PARTIES UNDER +THIS AGREEMENT, AND THAT IN THE ABSENCE OF SUCH +LIMITATIONS OF LIABILITY, THE ECONOMIC TERMS OF +THIS AGREEMENT WOULD BE SIGNIFICANTLY +DIFFERENT. +INDEMNIFICATION +10.1. By Sysdig. 
Sysdig shall defend Customer from and +against any claim by a third party alleging that the Software, when +used as authorized under this Agreement, infringes any trademark +or copyright of such third party, enforceable in the jurisdiction of +Customer’s use of the Software, or misappropriates a trade secret +(but only to the extent that such misappropriation is not a result of +Customer’s actions) (“Infringement Claim”) and shall indemnify +and hold harmless Customer from and against any damages and +costs awarded against Customer by a court of competent +jurisdiction or agreed in settlement by Sysdig (including reasonable +attorneys’ fees) resulting from such Infringement Claim, provided +Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com +that Customer: (a) promptly provides Sysdig with a written notice +of the Infringement Claim; (b) allows Sysdig sole control of the +defense and settlement of the Infringement Claim; and (c) +reasonably cooperated in response to Sysdig’s requests for +assistance and information. The Customer may participate in the +defense of the Infringement Claim, at the Customer’s sole expense +(not subject to reimbursement). Customer will not, without Sysdig’s +prior written consent, make any admission or prejudicial statement, +settle, compromise or consent to the entry of any judgement with +respect to any pending or threatened Infringement Claim. + +10.2. Exclusions. 
Sysdig shall have no obligation and assumes +no liability under this Section 10 or otherwise with respect to any +claim based on: (a) any modification of the software that is not +performed by or on behalf of Sysdig, or was performed in +compliance with customer's specifications; (b) the combination, +operation or use of the software with any other products, services, +or equipment not provided by Sysdig where there would be no +infringement claim but for such combination; (c) use of the +applicable software other than in accordance with the terms and +conditions of this agreement and the documentation; (d) use of any +older version of the software when use of a newer revision would +have avoided the infringement claim; (e) any claim that relates to +the Open Source Software, freeware and any derivatives or other +adaptations thereof; or (f) any software provided on a no-charge, +beta or evaluation basis. THIS SECTION 10 STATES +CUSTOMER'S SOLE AND EXCLUSIVE REMEDY AND +SYSDIG’S ENTIRE LIABILITY FOR ANY INFRINGEMENT +CLAIMS OR ACTIONS. +10.3. Remedies. If Customer’s use of the Software is (or in +Sysdig’s opinion is likely to be) enjoined, if required by settlement +or if Sysdig determines such actions are reasonably necessary to +avoid material liability, Sysdig may, at its option: (i) procure for +Customer the right to use the Software in accordance with this +Agreement; (ii) replace or modify, the Software to make it non- +infringing; or (iii) terminate Customer's right to use the Software +and discontinue the related Support Services, and upon Customer's +certification of deletion of the Software, refund prorated pre-paid +fees for the remainder of the applicable Subscription Term for the +Software. + +CONFIDENTIAL INFORMATION +11.1. 
“Confidential Information” means information and/or +materials provided by one party (“Discloser”) to the other party +(“Recipient”) which is identified as confidential at the time of +disclosure or should be reasonably known by the Receiving Party +to be confidential or proprietary due to the nature of the information +disclosed and the circumstances surrounding the disclosure. The +following information shall be considered Confidential Information +whether or not marked or identified as such: this Agreement, the +Sysdig Technology, License Keys, pricing information, any Beta +Releases, product roadmap or strategic marketing plans, non-public +material relating to the Software. Except as expressly authorized +herein, the Receiving Party shall (1) hold in confidence and not +disclose any Confidential Information to third parties and (2) not +use Confidential Information for any purpose other than fulfilling +its obligations and exercising its rights under this Agreement. The +Receiving Party may disclose Confidential Information to its +employees, agents, contractors and other representatives having a +legitimate need to know, provided that such representatives are + +bound to confidentiality obligations no less protective of the +Disclosing Party than this Section 11 and that the Receiving Party +remains responsible for compliance by any such representative with +the terms of this Section 11. The Receiving Party’s confidentiality +obligations shall not apply to information that the Receiving Party +can document: (i) was rightfully in its possession or known to it +prior to receipt of the Confidential Information; (ii) is or has become +public knowledge through no fault of the Receiving Party; (iii) is +rightfully obtained by the Receiving Party from a third party +without breach of any confidentiality obligation; or (iv) is +independently developed by employees of the Receiving Party who +had no access to such information. 
The Receiving Party may make +disclosures to the extent required by law or court order, provided +the Receiving Party notifies the Disclosing Party in advance and +cooperates in any effort to obtain confidential treatment. The +Receiving Party acknowledges that disclosure of Confidential +Information would cause substantial harm for which damages alone +would not be a sufficient remedy, and therefore that upon any such +disclosure by the Receiving Party the Disclosing Party shall be +entitled to seek appropriate equitable relief in addition to whatever +other remedies it might have at law. +11.2 Customer Personal Data. Customer acknowledges that the +Software and Services do not require Customer to input or otherwise +transmit Customer Personal Data and Customer agrees not to input +or otherwise transmit any Customer Personal Data to the Software +and Services without Sysdig’s explicit consent or as otherwise set +forth in the applicable Order Form or other written agreement +between the Parties. +3 Data Processing Agreement. Subject to Section 11.2, and +so long as Customer has separately executed the same, the terms of +the Sysdig Global Data Processing Agreement (“DPA”) are hereby +incorporated by reference and shall apply to Sysdig’s processing of +Customer Personal Data on behalf of Customer. Customer +represents and warrants that it has obtained all necessary consents +and permissions from data subjects for the submission and +processing of Customer Personal Data. +11.4 B2B Relationship Data; Service Analytics. For the +avoidance of doubt and subject to the terms hereunder, Sysdig +processes Service Analytics and B2B Relationship Data in its role +as an independent controller and in accordance with applicable laws +and Sysdig’s privacy policy. +GENERAL TERMS +12.1. Assignment. 
Neither Party may assign this Agreement, +in whole or in part, without the prior written consent of the other +Party, provided that no such consent will be required to assign this +Agreement in its entirety to (i) an Affiliate that is able to satisfy the +obligations of the assignor under this Agreement or (ii) a successor +in interest in connection with a merger, acquisition or sale of all or +substantially of the assigning Party’s assets, provided that the +assignee has agreed to be bound by all of the terms of this +Agreement and all fees owed to the other Party are paid in full. If +Customer is acquired by, sells substantially all its asses to, or +undergoes a change of control in a favor of, a direct competitor of +Sysdig, then Sysdig may terminate this Agreement upon thirty (30) +days prior written notice. +12.2. Severability. If any provision of this Agreement shall be +adjudged by any court of competent jurisdiction to be +unenforceable or invalid, that provision shall be limited to the +Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com +minimum extent necessary so that this Agreement shall otherwise +remain in effect. + +12.3. Governing Law; Jurisdiction and Venue. 
This +Agreement will be governed by the Applicable Law described +below as applicable (without regard to the conflicts of law +provisions of any jurisdiction), and claims arising out of or in +connection with this Agreement will be subject to binding +arbitration in accordance with Section 12.4 to be located in the +Arbitration Tribunal and Venue described below based on the +Customer's country of residence, as provided in the following table: + +Customer ’s +Residence +Applicable Law Arbitration Tribunal +and Venue +Americas State of +California, USA +American Arbitration +Association in San +Francisco, California, +USA +Outside of +the +Americas +England & Wales London Court of +International Arbitration, +London, England +Each Party irrevocably submits to the personal jurisdiction and +venue of and agrees to service of process issued or authorized by, +any court in the Jurisdiction in any action or proceeding. Neither +the United Nations Convention of Contracts for the International +Sale of Goods nor the Uniform Computer Information Transactions +Act will apply to this Agreement. + +12.4. Arbitration. Any and all disputes, claims or causes of +action, in law or equity, including without limitation, claims arising +out of or related to the Parties’ negotiations and inducements to +enter into this Agreement, enforcement, breach, performance or +interpretation of this Agreement will be submitted to mandatory, +binding arbitration under the auspices of the Arbitration Tribunal +applicable above, or its successors, under its then-current +commercial arbitration rules and procedures. Both Parties +acknowledge that by agreeing to arbitration, they waive the +right to resolve any such dispute through a trial by jury or +judge or administrative proceeding. Nothing in this Agreement +is intended to prevent either Party from obtaining injunctive relief +in any competent court to prevent irreparable harm pending the +conclusion of any such arbitration. 
Each Party will bear its own +expenses in the arbitration and will share equally the costs of the +arbitration; provided, however, that the arbitrator(s) or any other +court may, in its discretion, award reasonable costs and fees to the +prevailing Party. This Agreement is subject to the operation of the +1958 United Nations Convention on the Recognition and +Enforcement of Foreign Arbitral Awards. + +12.5. Notice. Notices to a Party will be sent by first-class mail, +overnight courier or prepaid post to the address for such Party as +identified on the first page of this Agreement and will be deemed +given seventy-two (72) hours after mailing or upon confirmed +delivery or receipt, whichever is sooner. Customer will address +notices to Sysdig Legal Department, with a copy to +legalnotices@sysdig.com. Either Party may from time to time +change its address for notices under this Section by giving the other +Party at least thirty (30) days prior written notice of the change. + +12.6. Force Majeure. Neither Party will be in default or liable +under this Agreement by reason of any failure in performance of +this Agreement if such failure arises, directly or indirectly, out of +causes reasonably beyond the reasonable control of such Party, +including acts of God or of the public enemy, terrorism, political +unrest, U.S. or foreign governmental acts in either a sovereign or +contractual capacity, fire, flood, failure of third Party connections, +epidemic, pandemic or virus, utilities or networks, earthquake, +hostile attacks, restrictions, strikes, and/or freight embargoes. +12.7. Amendments; Waivers. No supplement, modification, +or amendment of this Agreement shall be binding, unless executed +in writing by a duly authorized representative of each Party to this +Agreement. 
No waiver will be implied from conduct or failure to +enforce or exercise rights under this Agreement, nor will any waiver +be effective unless in a writing signed by a duly authorized +representative on behalf of the Party claimed to have waived. No +provision of any purchase order or other business form employed +by Customer will supersede the terms and conditions of this +Agreement, and any such document relating to this Agreement shall +be for administrative purposes only and shall have no legal effect. +12.8. Entire Agreement; Interpretation. This Agreement +is the complete and exclusive statement of the mutual +understanding of the Parties and supersedes all previous written and +oral agreements and communications relating to the subject matter +of this Agreement. In this Agreement, headings are for +convenience only and “including”, “e.g.”, and similar terms will be +construed without limitation. In the event of a conflict between the +terms of this Agreement and the terms of any Order Form, or +Exhibit hereto, such conflict will be resolved in the following order, +except to the extent expressly specified otherwise in the applicable +Order Form or SOW: (a) this Agreement; (b) the Exhibits (c) Order +Form and (d) Statement of Work. Any preprinted terms on any +Customer ordering documents or terms referenced or linked therein +will have no effect on the terms of this Agreement and are hereby +rejected, including where such Customer ordering document is +signed by Sysdig. The Support Service Policy may be updated from +time to time upon reasonable notice to Customer to reflect process +improvements or changing practices (but the modifications will not +materially decrease Sysdig’s obligations). +12.9. Feedback. 
Sysdig will be free to use, irrevocably, in +perpetuity, for free and for any purpose, all suggestions, ideas +and/or feedback relating to the Software, Support Services, Services +or Beta Releases (collectively, “Feedback”) provided by Customer, +its Affiliates and Contractors. +12.10. Independent Contractors. The Parties to this +Agreement are independent contractors. There is no relationship +of partnership, joint venture, employment, franchise or agency +created hereby between the Parties. Neither Party will have the +power to bind the other or incur obligations on the other Party’s +behalf without the other Party’s prior written consent. +12.11 Beta Releases. From time to time, Sysdig may grant +Customer access to “alpha”, “beta”, “technical preview” or other +early-stage products (“Beta Releases”). Customer shall comply +with all terms related to any Beta Releases as posted or otherwise +made available to Customer. Sysdig may add or modify terms +related to access or use of the Beta Release at any time. While +Sysdig may provide assistance with Beta Releases in its discretion, +Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com +notwithstanding anything to the contrary in this Agreement, +CUSTOMER AGREES THAT ANY BETA RELEASE IS +PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS +WITHOUT ANY WARRANTY, SUPPORT SERVICES, +MAINTENANCE, STORAGE, OR SERVICE LEVEL +OBLIGATIONS OF ANY KIND. CUSTOMER FURTHER +ACKNOWLEDGES AND AGREES THAT BETA RELEASES +MAY NOT BE COMPLETE OR FULLY FUNCTIONAL AND +MAY CONTAIN BUGS, ERRORS, OMISSIONS, AND OTHER +PROBLEMS FOR WHICH SYSDIG WILL NOT BE +RESPONSIBLE. Sysdig makes no promises that future versions of +a Beta Release will be released. Customer’s use of the Beta Release +will automatically terminate upon the release of a generally +available version of the applicable Beta Release or upon notice of +termination by Sysdig. 
Either Party may suspend or terminate +access or use of any Beta Release at any time for any reason or no +reason. Notwithstanding anything to the contrary in the +Agreement, after suspension or termination of Customer’s access to +or use of any Beta Release for any reason Customer will not have +any further right to access or use the applicable Beta Release. +Notwithstanding anything contained to the contrary in this +Agreement, Sysdig and its licensors’ cumulative and aggregate +liability arising out of or relating to the Beta Releases is limited to +$1,000 USD. + +12.12 Export Control. In its use of the Software, Support +Services, Services, and Beta Releases, Customer agrees to comply +with all export and import laws and regulations of the United States +and other applicable jurisdictions. Without limiting the foregoing, +(i) Customer represents and warrants that it is not listed on any U.S. +government list of prohibited or restricted parties or located in (or a +national of) a country that is subject to a U.S. government embargo +or that has been designated by the U.S. government as a “terrorist +supporting” country, and (ii) Customer shall not (and shall not +permit any of its users to) deploy or use the Software or Beta +Releases in violation of any U.S. export embargo, prohibition or +restriction. + +12.13 Government End-Users. Elements of the Software, +Services, Support Services and Beta Releases are commercial +computer software. 
If the user or licensee of the Software is an + +agency, department, or other entity of the United States +Government, the use, duplication, reproduction, release, +modification, disclosure, or transfer of the Software, or any related +documentation of any kind, including technical data and manuals, +is restricted by a license agreement or by the terms of this +Agreement in accordance with Federal Acquisition Regulation +12.212 for civilian purposes and Defense Federal Acquisition +Regulation Supplement 227.7202 for military purposes. The +Software, Support Services, Services and Beta Releases were +developed fully at private expense. All other use is prohibited. +12.14 References. Unless otherwise specified in the applicable +Order Form, Sysdig may refer to Customer as one of Sysdig’s +customers and use Customer’s logo as part of such reference, +provided that Sysdig complies with any Customer trademark usage +requirements provided by Customer. Upon reasonable request, +Customer will serve as a reference account for Sysdig, provided, +however, that Sysdig will provide Customer with reasonable notice +and obtain Customer’s consent before scheduling any reference +activity. Furthermore, if so specified in the applicable Order Form, +Sysdig may either: (a) issue a press release announcing the +relationship between Sysdig and Customer, or (b) submit a joint +press release to Customer for Customer’s approval, such approval +not to be unreasonably withheld or delayed. +12.1 5 Counterparts. This Agreement may be executed in +counterparts, which taken together shall form one binding legal +instrument. The Parties hereby consent to the use of electronic +signatures in connection with the execution of this Agreement, and +further agree that electronic signatures to this Agreement shall be +legally binding with the same force and effect as manually executed +signatures. +Sysdig, Inc. 
|85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com +SUPPORT SERVICES POLICY +(On Prem) +DEFINITIONS +1.1 “Error” means a failure of the Software to conform to the specifications set forth in the Documentation, resulting in the +inability to use, or material restriction in, the use of the Software. + +1.2 “Start Time” means the time at which Sysdig first becomes aware of an Error. +SUPPORT SERVICES POLICY +Sysdig will provide Support Services to Customer through the portal located at https://support.sysdig.com or through other customer support +center contacts, set forth below (the “Customer Support Center”). Customer will receive Updates, other software modifications or additions, +procedures, or routine or configuration changes that may solve, bypass or eliminate the practical adverse effect of the Error. Customer will +designate a certain number of employees or agents that will interface with the Customer Support Center, and submit Errors, requests or support +tickets (the “Technical Support Contacts”). Customer is permitted to name as many Technical Contacts as allowed pursuant to the purchased +Support Service Subscription. Customer’s non-named Technical Contacts may contact the Customer Support Center only in case of an +emergency or on an exception basis, and Sysdig will respond to such Error submission and cooperate with the non-named Technical Contact, +subject to later verification and involvement of a named Technical Support Contact. Additional named Technical Support Contacts may be +permitted upon mutual agreement of the Parties. + +SUPPORT SERVICES SUBSCRIPTION +Pursuant to the purchased Support Services Subscription, set forth in the Order Form, Sysdig shall provide and Customer shall purchase and +maintain Premium Support Services. Customer will have access to the Customer Support Center 24 hours per day, 7 days a week. Submitted +Errors will be classified by severity as set forth in the table below. 
Customer may assign eight (8) Technical Support Contacts, which may +contact the Customer Support Center through any of the Customer Support Center Contacts, as set forth below. + +CUSTOMER SUPPORT CENTER CONTACT +Pursuant to the purchased Premium Support Services Subscription, Customer may contact the Customer Support Center as follows: +a) Telephone: +a. USA Toll Free: 1- 888 - 4 - SYSDIG (+1- 888 - 479 - 7344) +b. USA Regular: +1- 415 - 855 - 4DIG (+1- 415 - 855 - 4344) +c. UK Toll Free: +44- 808 - 168 - 9DIG (+44- 808 - 168 - 9344) +d. UK Regular: +44- 20 - 8049 - 7800 +b) Email: Create support ticket via email to support@sysdig.com. +c) Portal: https://support.sysdig.com and each Technical Support Contact must register with the Customer Support Center on the portal, +prior to submitting a ticket. +d) Language: Support Services will be provided in English language + +5. EXCLUDED SUPPORT SERVICES. +Sysdig shall not be obligated to fix any Error or problem: +a. where the Software is not used for its intended purpose; +b. where the Software has been altered, damaged, modified or incorporated into other software in a manner not approved by Sysdig; +c. where the Software is a release that is no longer supported by Sysdig; +d. which is caused by Customer’s or a third party’s software or equipment or by Customer’s negligence, abuse, misapplication, or use +of the Software other than as specified in the Documentation; or +e. which would be resolved by the Customer using an Update or newer version of the Software, or by adding hardware. + +If Sysdig determines that it has no obligation to fix the reported incident for one of the reasons stated above, the Parties may enter into a separate +agreement authorizing Sysdig to provide additional services at Sysdig’s then-current professional services rates plus expenses. + +END OF LIFE POLICY. Customer acknowledges that new features may be added to the Software based on market demand and +technological innovation. 
Accordingly, as Sysdig develops enhanced versions of the Software, Sysdig may cease to maintain and support older +versions of the Software. Sysdig will use commercially reasonable efforts to provide Support Services with respect to older versions of the +Software. Sysdig shall have no obligation to support Software outside of Sysdig’s stated EOS/EOL policy for the applicable Software. Such +EOS/EOL policies shall be made available to Customer either in the accompanying Documentation or upon request and are subject to update +from time to time in Sysdig’s reasonable discretion. +Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com +7. ERROR RESPONSE SERVICE LEVELS +Customer shall submit each ticket with a severity level designation based on the definitions in the table below. Severity response +times do not vary, whether Customer contacts the Customer Support Center via phone, email or portal. Sysdig shall respond to such ticket in +accordance with the severity designation and validate Customer’s severity level designation or notify Customer of a proposed change in the +severity level designation with justification for the change. Sysdig will provide continuous efforts to resolve Severity 1 issues until a workaround +or resolution can be provided or until the incident can be downgraded to a lower severity. Sysdig will use reasonable efforts to meet the target +response times for the Errors stated in the table below. + +Severity 1 +(Critical) +Description Premium Support +Services +Any Error in the Software causing the Software to be unusable, +resulting in a critical impact on the operation of the Software +and there is no workaround. +Sysdig will promptly: (i) assign a specialist to correct the Error; +(ii) provide ongoing communication on the status of an +Update; and (iii) begin to provide a temporary +workaround or fix. 
+Response Times +Within 30 minutes +Severity 2 +(Serious) +An Error in a Software where the Software will operate but its +operation is severely restricted. No workaround is available, +and performance may be degraded, or functions are limited. +Sysdig will promptly: (i) assign a specialist to correct the Error; +and (ii) provide additional escalated Support Services as +determined necessary by Sysdig. +Response Times +Within 2 hours +Severity 3 +(Moderate) +An Error in the Software where the Software will operate with +limitations that are not critical to the overall operation, such as +a workaround forces user and or a systems operator to use a +time-consuming procedure to operate the system; or removes +a non-essential feature. +Sysdig will triage the request and may include a resolution in +the next Update. +Response Time +Within 4 hours +Severity 4 +(Low) +An Error in the Software where the Software can be used with +only slight inconvenience. All Software feature requests fall +into this severity level. +Sysdig will triage the request and may include a resolution in +the next Update. +Response Time +Next business day -- GitLab From e422280db8347430762919200cb9d53fd5257ab1 Mon Sep 17 00:00:00 2001 From: Aitor Acedo Date: Tue, 22 Jun 2021 17:06:19 +0000 Subject: [PATCH 6/7] Updating tags and repository name --- hardening_manifest.yaml | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index b9821fc..0bf2a04 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -1,6 +1,9 @@ +--- apiVersion: v1 + # The repository name in registry1, excluding /ironbank/ -name: "sysdig/cloudsecurity/admission-controller-3.2.0" +name: "sysdig/sysdig-secure/admission-controller-3.2.0" + # List of tags to push for the repository in registry1 # The most specific version should be the first tag and will be shown # on ironbank.dsop.io 
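Review bot: the Support Services Policy text added above carries PDF-to-text conversion residue that should be cleaned before it lands in the repository: the address footer ("Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com") reappears mid-document where a page break was, the heading numbers run 1.1, 1.2, then unnumbered headings, then "5. EXCLUDED SUPPORT SERVICES." and "7. ERROR RESPONSE SERVICE LEVELS" with no 2, 3, 4 or 6, and the severity table has been flattened so the column headers "Description" and "Premium Support Services" land between the "Severity 1 (Critical)" row and its text. Suggest dropping the repeated footer, restoring the section numbering, and rebuilding the Severity / Description / Premium Support Services / Response Time table as a markdown table, or committing the original PDF alongside this text.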
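Review bot: in the first hardening_manifest.yaml hunk the release version is baked into the repository `name` ("sysdig/sysdig-secure/admission-controller-3.2.0") while the comment directly below it says the most specific version belongs in the first entry of `tags:`; a versioned repository name means a new registry1 repository per release and leaves the tag list carrying no version information. Consider `name: "sysdig/sysdig-secure/admission-controller"` with `3.2.0` as the first tag, which would also match the `mil.dso.ironbank.product.name: "sysdig-secure/admission-controller"` value set later in this patch.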
@@ -11,9 +14,10 @@ tags: args: BASE_IMAGE: "redhat/ubi/ubi8-minimal" BASE_TAG: "8.4" + # Docker image labels labels: - org.opencontainers.image.title: "admission-controller-5.3" + org.opencontainers.image.title: "admission-controller-3.2.0" ## Human-readable description of the software packaged in the image org.opencontainers.image.description: "Sysdig - Admission Controller" ## License(s) under which contained software is distributed @@ -28,16 +32,9 @@ labels: ## This value can be "opensource" or "commercial" mil.dso.ironbank.image.type: "commercial" ## Product the image belongs to for grouping multiple images - # mil.dso.ironbank.product.name: "FIXME" + mil.dso.ironbank.product.name: "sysdig-secure/admission-controller" + - com.sysdig.builddate: "2021-06-16T06:38:36" - com.sysdig.commit: "7ba1422" - com.sysdig.component: "admission-controller" - com.sysdig.release: "3.2.0" - com.sysdig.version: "3.2.0" - com.sysdig.dod.commit: "2dd05a9" - com.sysdig.dod.builddate: "2021-06-16T07:38:00" - com.sysdig.baseimage: "registry1.dsop.io/ironbank/redhat/ubi/ubi8-minimal:8.4" # List of resources to make available to the offline build context resources: - filename: webhook-v3.2.0 @@ -47,8 +44,6 @@ resources: value: 767d3ceeac6a255b30442e4f2834e765e98f02c9a645b0483a0db76fb6a973c5 # List of project maintainers -# FIXME: Fill in the following details for the current container owner in the whitelist -# FIXME: Include any other vendor information if applicable maintainers: - email: "aitor.acedo@sysdig.com" # # The name of the current container owner -- GitLab From 0fc5d7560af31a7ae0b0954e6c38ec6766f95fce Mon Sep 17 00:00:00 2001 From: Aitor Acedo Date: Thu, 24 Jun 2021 08:48:39 +0000 Subject: [PATCH 7/7] Include microdnf update command --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index d7ccc6b..1f692de 100644 --- a/Dockerfile +++ b/Dockerfile 
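Review bot: the maintainers hunk of hardening_manifest.yaml removes both FIXME reminders, which is fine now that an email is filled in, but the retained context line reads `# # The name of the current container owner` with a doubled comment marker; drop the extra `#` while this block is being edited so it reads like the other `#` comments in the file.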
@@ -11,7 +11,8 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} ENV REQIRED_PACKAGES="shadow-utils libsemanage" -RUN microdnf --setopt=tsflags=nodocs install $REQIRED_PACKAGES \ +RUN microdnf update -y --setopt=install_weak_deps=0 --nodocs \ + && microdnf --setopt=tsflags=nodocs install $REQIRED_PACKAGES \ && useradd sysdig -u 1000 \ && microdnf remove $REQIRED_PACKAGES \ && microdnf clean all \ @@ -24,4 +25,4 @@ COPY ${BINARY} /bin/webhook EXPOSE 5000 HEALTHCHECK --start-period=30s CMD curl -f 127.0.0.1:5000 || exit 1 USER 1000 -ENTRYPOINT ["/bin/webhook"] \ No newline at end of file +ENTRYPOINT ["/bin/webhook"] -- GitLab
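Review bot: `REQIRED_PACKAGES` is misspelled in the ENV line and in the RUN line this hunk rewrites; it works only because the misspelling is consistent, and since the RUN instruction is being touched anyway, rename it to `REQUIRED_PACKAGES` in the ENV and in the install and remove references. Two smaller points in the same hunk: the new `microdnf update -y --setopt=install_weak_deps=0 --nodocs` uses `--nodocs` while the install on the next line uses `--setopt=tsflags=nodocs`, so pick one form for both; and because the update pulls whatever the repositories hold at build time, the package set of the image now depends on the build date, so the commit message or a comment should say that the image is expected to be rebuilt to pick up fixes rather than pinned to a reproducible package set.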