added exploit pfa intent

Signed-off-by: Ved Ratan <[email protected]>
5GSEC · May 27, 2024 · 4c2df40 · 4c2df40
1 parent b6dd9b6
commit 4c2df40
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 1 deletion.
diff --git a/examples/namespaced/exploit-pfa-si-sib.yaml b/examples/namespaced/exploit-pfa-si-sib.yaml
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: exploit-pfa
+spec:
+  intent:
+    id: PreventExecutionFromTempOrLogsFolders
+    description: "Mitigate the execution of harmful binaries which may result in exploiting public facing application"
+    action: Block
+---
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+  name: exploit-pfa-binding
+spec:
+  intents:
+    - name: exploit-pfa
+  selector:
+    any:
+      - resources:
+          kind: Pod
+          namespace: default
+          matchLabels:
+            app: nginx
diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go
@@ -19,11 +19,12 @@ const (
 	EscapeToHost              = "escapeToHost"
 	DisallowChRoot            = "disallowChRoot"
 	DisallowCapabilities      = "disallowCapabilities"
+	ExploitPFA                = "PreventExecutionFromTempOrLogsFolders"
 )
 
 // KaIds are IDs supported by KubeArmor.
 var KaIds = []string{
-	SwDeploymentTools, UnAuthorizedSaTokenAccess, DNSManipulation, EscapeToHost,
+	SwDeploymentTools, UnAuthorizedSaTokenAccess, DNSManipulation, EscapeToHost, ExploitPFA,
 }
 
 // list of policies which satisfies the given ID by Kubearmor

diff --git a/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go b/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go
@@ -64,6 +64,8 @@ func buildKspFor(id string) kubearmorv1.KubeArmorPolicy {
 		return disallowChRoot()
 	case idpool.DisallowCapabilities:
 		return disallowCapabilities()
+	case idpool.ExploitPFA:
+		return disallowBinaries()
 	default:
 		return kubearmorv1.KubeArmorPolicy{}
 	}
@@ -264,6 +266,58 @@ func disallowChRoot() kubearmorv1.KubeArmorPolicy {
 	}
 }
 
+func disallowBinaries() kubearmorv1.KubeArmorPolicy {
+	return kubearmorv1.KubeArmorPolicy{
+		Spec: kubearmorv1.KubeArmorPolicySpec{
+			File: kubearmorv1.FileType{
+				MatchDirectories: []kubearmorv1.FileDirectoryType{
+					{
+						Directory: "/usr/sbin/",
+						Recursive: true,
+					},
+					{
+						Directory: "/usr/bin/",
+						Recursive: true,
+					},
+					{
+						Directory: "/bin/",
+						Recursive: true,
+					},
+					{
+						Directory: "/sbin/",
+						Recursive: true,
+					},
+					{
+						Directory: "/tmp/",
+						Recursive: true,
+					},
+					{
+						Directory: "/var/log/",
+						Recursive: true,
+					},
+					{
+						Directory: "/app/logs/",
+						Recursive: true,
+					},
+					{
+						Directory: "/logs/",
+						Recursive: true,
+					},
+					{
+						Directory: "/etc/",
+						Recursive: true,
+					},
+					{
+						Directory: "/usr/lib/",
+						Recursive: true,
+					},
+				},
+				Action: kubearmorv1.ActionType("block"),
+			},
+		},
+	}
+}
+
 
 func addManagedByAnnotation(ksp *kubearmorv1.KubeArmorPolicy) {
 	ksp.Annotations = make(map[string]string)