From 91f9e12ef5ced3dcca2363e252fceffff9783390 Mon Sep 17 00:00:00 2001
From: Shiv Bhagavatula
Date: Thu, 21 Dec 2023 17:45:43 +0530
Subject: [PATCH] - Specifications for specific intents
---
intents/core/1_protectAsset.yaml | 28 ++++++++++++++++++++++++++++
intents/core/2_protectPort.yaml | 28 ++++++++++++++++++++++++++++
intents/core/3_ownnerOnly.yaml | 25 +++++++++++++++++++++++++
intents/core/4_blockAsset.yaml | 25 +++++++++++++++++++++++++
intents/core/5_blockRawSocket.yaml | 23 +++++++++++++++++++++++
intents/template-intent.yaml | 24 ++++++++++++++++++++++++
6 files changed, 153 insertions(+)
create mode 100644 intents/core/1_protectAsset.yaml
create mode 100644 intents/core/2_protectPort.yaml
create mode 100644 intents/core/3_ownnerOnly.yaml
create mode 100644 intents/core/4_blockAsset.yaml
create mode 100644 intents/core/5_blockRawSocket.yaml
create mode 100644 intents/template-intent.yaml
diff --git a/intents/core/1_protectAsset.yaml b/intents/core/1_protectAsset.yaml
new file mode 100644
index 00000000..9d7d6e29
--- /dev/null
+++ b/intents/core/1_protectAsset.yaml
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+ name: [intent-name]
+ namespace: [intent-namespace]
+spec:
+ selector:
+ match:
+ any:
+ - resources:
+ names: [target-name]
+ kinds: [target-kind]
+ namespaces: [target-namespace]
+ matchLabels:
+ [key: value]
+ cel:
+ - xxxx
+ intent:
+ group: core
+ ID: protectFile
+ params:
+ - path: /etc/shadow
+ - AllowBinary:
+ - /free5gc/webconsole
+ - /free5gc/webApp
\ No newline at end of file
diff --git a/intents/core/2_protectPort.yaml b/intents/core/2_protectPort.yaml
new file mode 100644
index 00000000..6fc49d88
--- /dev/null
+++ b/intents/core/2_protectPort.yaml
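Review bot: The placeholders `name: [intent-name]`, `namespace: [intent-namespace]` and the `[key: value]` line under `matchLabels:` are YAML flow collections, so a parser reads `metadata.name` as a one-element sequence and `matchLabels` as a list holding a single-pair mapping instead of the string and mapping a Kubernetes-style object needs; the same placeholders recur in 2_protectPort.yaml, 3_ownnerOnly.yaml, 4_blockAsset.yaml, 5_blockRawSocket.yaml and template-intent.yaml. If these files are meant to be applied after substitution, write the placeholders as scalars, e.g. `name: "<intent-name>"` and `matchLabels:` with an indented `<key>: <value>` line, or state in a header comment that they are templates and must not be applied verbatim. Key casing inside `params` is mixed (`path` next to `AllowBinary`, and `ID` next to `group`); one convention per file keeps the schema on the controller side simpler. Indentation is collapsed in this rendering, so the nesting of `cel`, `intent` and the `AllowBinary` list is inferred rather than visible.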
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+ name: [intent-name]
+ namespace: [intent-namespace]
+spec:
+ selector:
+ match:
+ any:
+ - resources:
+ names: [target-name]
+ kinds: [target-kind]
+ namespaces: [target-namespace]
+ matchLabels:
+ [key: value]
+ cel:
+ - xxxx
+ intent:
+ group: core
+ ID: protectPort # will generate rules for all protocols
+ params:
+ - port: 5000
+ - AllowBinary
+ - /free5gc/webconsole
+ - /free5gc/webapp
\ No newline at end of file
diff --git a/intents/core/3_ownnerOnly.yaml b/intents/core/3_ownnerOnly.yaml
new file mode 100644
index 00000000..1c49a768
--- /dev/null
+++ b/intents/core/3_ownnerOnly.yaml
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+ name: [intent-name]
+ namespace: [intent-namespace]
+spec:
+ selector:
+ match:
+ any:
+ - resources:
+ names: [target-name]
+ kinds: [target-kind]
+ namespaces: [target-namespace]
+ matchLabels:
+ [key: value]
+ cel:
+ - xxxx
+ intent:
+ group: core
+ ID: ownerOnly # The executable in the path can be invoked by ownerOnly
+ params:
+ - path: /home/5gc/myexec
\ No newline at end of file
diff --git a/intents/core/4_blockAsset.yaml b/intents/core/4_blockAsset.yaml
new file mode 100644
index 00000000..01ea1e27
--- /dev/null
+++ b/intents/core/4_blockAsset.yaml
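Review bot: `- AllowBinary` in `params` lacks the colon that 1_protectAsset.yaml gives it, so it parses as a bare string element and `/free5gc/webconsole` and `/free5gc/webapp` become sibling entries of `params` rather than the allow-list attached to the port; the intended shape is `- AllowBinary:` with the two paths nested under it. The second path is spelled `/free5gc/webapp` here but `/free5gc/webApp` in 1_protectAsset.yaml; Linux paths are case-sensitive, so one of the two spellings will not match the binary it is meant to exempt, and the allow-list silently loses an entry. Since an allow-list entry that never matches fails closed while a mistyped protected path fails open, a short comment naming the binaries these paths refer to would make such typos easier to catch in review.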
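Review bot: The file name `3_ownnerOnly.yaml` misspells the intent ID `ownerOnly` that the file itself declares; renaming it to `3_ownerOnly.yaml` keeps the file discoverable by its ID, as the other four core intents are. The inline comment `# The executable in the path can be invoked by ownerOnly` reads as if `ownerOnly` were a principal; if the intent is that only the file's owning user may execute `/home/5gc/myexec`, saying so directly, e.g. `# only the owning user of the path may execute it`, removes the ambiguity. Whether group or root are also permitted is presumably decided by the translator, and is worth stating here as well.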
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+ name: [intent-name]
+ namespace: [intent-namespace]
+spec:
+ selector:
+ match:
+ any:
+ - resources:
+ names: [target-name]
+ kinds: [target-kind]
+ namespaces: [target-namespace]
+ matchLabels:
+ [key: value]
+ cel:
+ - xxxx
+ intent:
+ group: core
+ ID: blockAsset # Nobody can access below paths
+ params:
+ - path: /home/5gc/
\ No newline at end of file
diff --git a/intents/core/5_blockRawSocket.yaml b/intents/core/5_blockRawSocket.yaml
new file mode 100644
index 00000000..865ec220
--- /dev/null
+++ b/intents/core/5_blockRawSocket.yaml
@@ -0,0 +1,23 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+ name: [intent-name]
+ namespace: [intent-namespace]
+spec:
+ selector:
+ match:
+ any:
+ - resources:
+ names: [target-name]
+ kinds: [target-kind]
+ namespaces: [target-namespace]
+ matchLabels:
+ [key: value]
+ cel:
+ - xxxx
+ intent:
+ group: core
+ ID: blockRawSocket # No raw sockets can be accessed
\ No newline at end of file
diff --git a/intents/template-intent.yaml b/intents/template-intent.yaml
new file mode 100644
index 00000000..faad72a0
--- /dev/null
+++ b/intents/template-intent.yaml
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+ name: [intent-name]
+ namespace: [intent-namespace]
+spec:
+ selector:
+ match:
+ any:
+ - resources:
+ names: [target-name]
+ kinds: [target-kind]
+ namespaces: [target-namespace]
+ matchLabels:
+ [key: value]
+ cel:
+ - xxxx
+ intent:
+ group: oran/core
+ ID: protectFile, protectPort, ownerOnly, blockAsset, blockRawsocket
+ params:
\ No newline at end of file
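Review bot: `path: /home/5gc/` ends with a slash while the other intents name files, and the comment `# Nobody can access below paths` says "paths" for a single entry, so it is unclear whether the trailing slash means the whole directory tree or just the directory entry, and whether several `- path:` items are accepted. A comment such as `# trailing slash: applies to everything under the directory` (or the opposite, whichever the translator implements) would settle it, since a blockAsset rule that covers less than the author assumed is the kind of gap that is not noticed until an access succeeds. The remaining hunk is the shared selector template, which is discussed at 1_protectAsset.yaml.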
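Review bot: 5_blockRawSocket.yaml omits the `params:` key that every other core intent carries, and nothing on the page says whether the controller treats the key as optional; if it is required, `params: []` is the explicit empty form, and if it is optional, a comment such as `# blockRawSocket takes no params` keeps the five files readable as a set. The ID is spelled `blockRawSocket` here but `blockRawsocket` in template-intent.yaml; one of the two should change so a lookup by ID does not miss this intent.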
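Review bot: `ID: protectFile, protectPort, ownerOnly, blockAsset, blockRawsocket` is a single plain scalar containing commas, not a list of permitted values, and `blockRawsocket` does not match the `blockRawSocket` spelling used in 5_blockRawSocket.yaml; listing the choices in a comment instead, e.g. `ID: protectFile  # one of: protectFile, protectPort, ownerOnly, blockAsset, blockRawSocket`, keeps the template parseable. `params:` with no value parses as null rather than an empty list, so `params: []` is the safer default for a template that is copied and filled in. `group: oran/core` also looks like an either/or written as one value; if it is meant as a choice, the same comment treatment applies, `group: core  # or oran`.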