- Specifications for specific intents

intents/core/1_protectAsset.yaml

@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: core
+    ID: protectFile
+    params:
+        - path: /etc/shadow
+        - AllowBinary:
+          - /free5gc/webconsole
+          - /free5gc/webApp

intents/core/2_protectPort.yaml

@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: core
+    ID: protectPort # will generate rules for all protocols
+    params:
+        - port: 5000
+        - AllowBinary
+          - /free5gc/webconsole
+          - /free5gc/webapp

intents/core/3_ownnerOnly.yaml

@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: core
+    ID: ownerOnly #  The executable in the path can be invoked by ownerOnly
+    params:
+        - path: /home/5gc/myexec

intents/core/4_blockAsset.yaml

@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: core
+    ID: blockAsset #  Nobody can access below paths
+    params:
+        - path: /home/5gc/

intents/core/5_blockRawSocket.yaml

@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: core
+    ID: blockRawSocket #  No raw sockets can be accessed

intents/template-intent.yaml

@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: [intent-name]
+  namespace: [intent-namespace]
+spec:
+  selector:
+    match:
+      any:
+        - resources:
+            names: [target-name]
+            kinds: [target-kind]
+            namespaces: [target-namespace]
+            matchLabels:
+              [key: value]
+    cel:
+    - xxxx 
+  intent:
+    group: oran/core
+    ID: protectFile, protectPort, ownerOnly, blockAsset, blockRawsocket
+    params: