From 4c2df40dbe33f3b0d339e9b0b0bab6030efe533b Mon Sep 17 00:00:00 2001
From: Ved Ratan
Date: Thu, 23 May 2024 08:09:48 +0530
Subject: [PATCH] added exploit pfa intent

Signed-off-by: Ved Ratan
---
 examples/namespaced/exploit-pfa-si-sib.yaml | 27 ++++++++++
 pkg/adapter/idpool/idpool.go | 3 +-
 .../nimbus-kubearmor/processor/kspbuilder.go | 54 +++++++++++++++++++
 3 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 examples/namespaced/exploit-pfa-si-sib.yaml

diff --git a/examples/namespaced/exploit-pfa-si-sib.yaml b/examples/namespaced/exploit-pfa-si-sib.yaml
new file mode 100644
index 00000000..0cd5e7f6
--- /dev/null
+++ b/examples/namespaced/exploit-pfa-si-sib.yaml
@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+ name: exploit-pfa
+spec:
+ intent:
+ id: PreventExecutionFromTempOrLogsFolders
+ description: "Mitigate the execution of harmful binaries which may result in exploiting public facing application"
+ action: Block
+---
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+ name: exploit-pfa-binding
+spec:
+ intents:
+ - name: exploit-pfa
+ selector:
+ any:
+ - resources:
+ kind: Pod
+ namespace: default
+ matchLabels:
+ app: nginx
diff --git a/pkg/adapter/idpool/idpool.go b/pkg/adapter/idpool/idpool.go
index 9f49805c..403e968f 100644
--- a/pkg/adapter/idpool/idpool.go
+++ b/pkg/adapter/idpool/idpool.go
@@ -19,11 +19,12 @@ const (
 EscapeToHost = "escapeToHost"
 DisallowChRoot = "disallowChRoot"
 DisallowCapabilities = "disallowCapabilities"
+ ExploitPFA = "PreventExecutionFromTempOrLogsFolders"
 )
 
 // KaIds are IDs supported by KubeArmor.
 var KaIds = []string{
- SwDeploymentTools, UnAuthorizedSaTokenAccess, DNSManipulation, EscapeToHost,
+ SwDeploymentTools, UnAuthorizedSaTokenAccess, DNSManipulation, EscapeToHost, ExploitPFA,
 }
 
 // list of policies which satisfies the given ID by Kubearmor
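Review bot: `ExploitPFA = "PreventExecutionFromTempOrLogsFolders"` departs from the convention of the neighbouring IDs in this const block, which are lowerCamelCase and named after the control they apply (`escapeToHost`, `disallowChRoot`, `disallowCapabilities`), and the constant's name describes the attack it addresses rather than echoing its value, so a reader of `KaIds` cannot map the name to the ID at a glance. A name and value in the house style would be `PreventExecutionFromTempOrLogs = "preventExecutionFromTempOrLogsFolders"`. Since the ID is matched by string in the kspbuilder switch and declared verbatim in the example SecurityIntent added by this commit, any change here has to be mirrored in both places in the same commit.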
diff --git a/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go b/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go
index 1732ed17..180e0436 100644
--- a/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go
+++ b/pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go
@@ -64,6 +64,8 @@ func buildKspFor(id string) kubearmorv1.KubeArmorPolicy {
 return disallowChRoot()
 case idpool.DisallowCapabilities:
 return disallowCapabilities()
+ case idpool.ExploitPFA:
+ return disallowBinaries()
 default:
 return kubearmorv1.KubeArmorPolicy{}
 }
@@ -264,6 +266,58 @@ func disallowChRoot() kubearmorv1.KubeArmorPolicy {
 }
 }
 
+func disallowBinaries() kubearmorv1.KubeArmorPolicy {
+ return kubearmorv1.KubeArmorPolicy{
+ Spec: kubearmorv1.KubeArmorPolicySpec{
+ File: kubearmorv1.FileType{
+ MatchDirectories: []kubearmorv1.FileDirectoryType{
+ {
+ Directory: "/usr/sbin/",
+ Recursive: true,
+ },
+ {
+ Directory: "/usr/bin/",
+ Recursive: true,
+ },
+ {
+ Directory: "/bin/",
+ Recursive: true,
+ },
+ {
+ Directory: "/sbin/",
+ Recursive: true,
+ },
+ {
+ Directory: "/tmp/",
+ Recursive: true,
+ },
+ {
+ Directory: "/var/log/",
+ Recursive: true,
+ },
+ {
+ Directory: "/app/logs/",
+ Recursive: true,
+ },
+ {
+ Directory: "/logs/",
+ Recursive: true,
+ },
+ {
+ Directory: "/etc/",
+ Recursive: true,
+ },
+ {
+ Directory: "/usr/lib/",
+ Recursive: true,
+ },
+ },
+ Action: kubearmorv1.ActionType("block"),
+ },
+ },
+ }
+}
+
 func addManagedByAnnotation(ksp *kubearmorv1.KubeArmorPolicy) {
+ ksp.Annotations = make(map[string]string)
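Review bot: The new `case idpool.ExploitPFA: return disallowBinaries()` arm wires an intent whose ID promises to prevent execution from temp and log folders to a builder that, in the following hunk, emits a `File` rule (`kubearmorv1.FileType` / `FileDirectoryType`) rather than a `Process` rule, so the resulting KubeArmorPolicy denies opening files under the listed directories instead of denying execution from them. That list also recursively covers `/etc/`, `/usr/lib/`, `/bin/`, `/usr/bin/`, `/sbin/` and `/usr/sbin/`, which goes well beyond the intent's own description and would most likely deny the example binding's nginx Pod access to its configuration and shared libraries. The rule should be expressed through `kubearmorv1.ProcessType` with `MatchDirectories` limited to the writable and log paths the ID names (`/tmp/`, `/var/log/`, `/app/logs/`, `/logs/`), as sketched below; naming the builder after the ID (for instance `preventExecutionFromTempOrLogsFolders()`) would also keep this switch consistent with its neighbouring cases. The `disallowBinaries` definition sits in the later hunk, whose trailing context lies outside this view, so the rewrite below is shown against that hunk's new side.
```go
// disallowBinaries blocks process execution from writable and log
// directories only; file reads of config and libraries are left alone so
// the workload keeps running.
func disallowBinaries() kubearmorv1.KubeArmorPolicy {
	return kubearmorv1.KubeArmorPolicy{
		Spec: kubearmorv1.KubeArmorPolicySpec{
			Process: kubearmorv1.ProcessType{
				MatchDirectories: []kubearmorv1.ProcessDirectoryType{
					{Directory: "/tmp/", Recursive: true},
					{Directory: "/var/log/", Recursive: true},
					{Directory: "/app/logs/", Recursive: true},
					{Directory: "/logs/", Recursive: true},
				},
				Action: kubearmorv1.ActionType("block"),
			},
		},
	}
}
```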