From c6fafcaee9e6b2e68d42d8ad3721b742893b07fd Mon Sep 17 00:00:00 2001
From: Vishnu Soman
Date: Tue, 6 Jun 2023 20:28:57 +0530
Subject: [PATCH] 5G Policies
Signed-off-by: Vishnu Soman
---
 MySQL/system/metadata.yaml | 2 +-
 elastic/system/metadata.yaml | 2 +-
 generic/kyverno/metadata.yaml | 2 +-
 .../ksp-5g-network-service-scanning.yaml | 35 ++++++++++
 .../system/ksp-mitre-5g-remote-services.yaml | 27 ++++++++
 .../ksp-mitre-5g-tactic-impair-defense.yaml | 25 +++++++
 .../ksp-unsecured_credentials_access.yaml | 2 +-
 generic/system/metadata.yaml | 66 ++++++++++++++++++-
 kibana/system/metadata.yaml | 2 +-
 redis/system/metadata.yaml | 2 +-
 10 files changed, 157 insertions(+), 8 deletions(-)
 create mode 100644 generic/system/ksp-5g-network-service-scanning.yaml
 create mode 100644 generic/system/ksp-mitre-5g-remote-services.yaml
 create mode 100644 generic/system/ksp-mitre-5g-tactic-impair-defense.yaml
diff --git a/MySQL/system/metadata.yaml b/MySQL/system/metadata.yaml
index b5132693..ad0959e3 100644
--- a/MySQL/system/metadata.yaml
+++ b/MySQL/system/metadata.yaml
@@ -1,4 +1,4 @@
-version: v0.1.9
+version: v0.2.3
 policyRules:
 - name: user-grp-mod
 precondition:
diff --git a/elastic/system/metadata.yaml b/elastic/system/metadata.yaml
index b4df9d19..8e61efce 100644
--- a/elastic/system/metadata.yaml
+++ b/elastic/system/metadata.yaml
@@ -1,4 +1,4 @@
-version: v0.1.9
+version: v0.2.3
 policyRules:
 - name: elasticsearch-indices-dir
 precondition:
diff --git a/generic/kyverno/metadata.yaml b/generic/kyverno/metadata.yaml
index 2974a6f9..551cf589 100644
--- a/generic/kyverno/metadata.yaml
+++ b/generic/kyverno/metadata.yaml
@@ -1,4 +1,4 @@
-version: v0.1.9
+version: v0.2.3
 policyRules:
 - name: restrict-automount-sa-token
 description:
diff --git a/generic/system/ksp-5g-network-service-scanning.yaml b/generic/system/ksp-5g-network-service-scanning.yaml
new file mode 100644
index 00000000..8c016629
--- /dev/null
+++ b/generic/system/ksp-5g-network-service-scanning.yaml
@@ -0,0 +1,35 @@
+# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
+# To learn more about KubeArmor visit:
+# https://www.accuknox.com/kubearmor/
+
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-5g-network-service-scanning
+ namespace: default # Change your namespace
+spec:
+ tags: ["MITRE", "FGT1046","5G"]
+ message: "Network service has been scanned!"
+ selector:
+ matchLabels:
+ container: ubuntu-1 # Change your matchLabels
+ severity: 5
+ process:
+ matchPaths:
+ - path: /usr/bin/netstat
+ - path: /bin/netstat
+ - path: /usr/sbin/ip
+ - path: /usr/bin/ip
+ - path: /sbin/ip
+ - path: /bin/ip
+ - path: /usr/sbin/iw
+ - path: /sbin/iw
+ - path: /usr/sbin/ethtool
+ - path: /sbin/ethtool
+ - path: /usr/sbin/ifconfig
+ - path: /sbin/ifconfig
+ - path: /usr/sbin/arp
+ - path: /sbin/arp
+ - path: /usr/sbin/iwconfig
+ - path: /sbin/iwconfig
+ action: Audit
diff --git a/generic/system/ksp-mitre-5g-remote-services.yaml b/generic/system/ksp-mitre-5g-remote-services.yaml
new file mode 100644
index 00000000..c9c2bcad
--- /dev/null
+++ b/generic/system/ksp-mitre-5g-remote-services.yaml
@@ -0,0 +1,27 @@
+# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
+# To learn more about KubeArmor visit:
+# https://www.accuknox.com/kubearmor/
+
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-mitre-5g-remote-services
+ namespace: default # Change your namespace
+spec:
+ tags: ["MITRE", "5G", "FGT1021"]
+ message: "Warning! access sensitive files detected"
+ selector:
+ matchLabels:
+ app: testpod #change with your own label
+ file:
+ matchPaths:
+ - path: /var/log/wtmp
+ - path: /var/run/utmp
+ - path: /var/log/auth.log
+ - path: /etc/passwd
+ - path: /etc/shadow
+ matchDirectories:
+ - dir: /etc/ssh/
+ severity: 3
+ action: Audit
+
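Review bot: The binaries matched under `process.matchPaths` (netstat, ip, ifconfig, arp, iw, ethtool, iwconfig) enumerate the local interface and connection state; none of them probe remote hosts, so the message `"Network service has been scanned!"` and the FGT1046 mapping overstate what an alert means, and a wording such as `message: "Network enumeration tool executed"` would describe the event accurately. The list also omits `ss` (iproute2, `/usr/bin/ss` on Debian-based and `/usr/sbin/ss` on RHEL-based images), which has replaced netstat on most current base images, so the most likely enumeration command goes unaudited. The selector uses a `container:` label key while the two sibling policies in this commit use `app: testpod`; unless that difference is deliberate, one convention should be used. Style points shared with ksp-mitre-5g-remote-services.yaml and ksp-mitre-5g-tactic-impair-defense.yaml: the `tags` flow lists mix `","` and `", "`, the placeholder comments alternate between `# Change your namespace` and `#change with your namespace`, and none of the new files begin with `---`.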
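Review bot: `/etc/passwd` is read by routine user-name lookups (any `getpwnam`/`getpwuid` call, `id`, `ls -l`, shell start-up), so an Audit rule on it will fire for nearly every process in the pod and bury the reads of `/etc/shadow`, `/var/log/wtmp` and `/var/log/auth.log` that the rule is meant to surface; consider dropping `/etc/passwd` from `matchPaths` or scoping the rule with a `fromSource` block. `- dir: /etc/ssh/` carries no `recursive: true`, unlike the same construct in ksp-mitre-5g-tactic-impair-defense.yaml, so files under `/etc/ssh/sshd_config.d/` would presumably not be matched — confirm that is intended. `/var/run/utmp` is a path through the `/var/run` symlink on most distributions; if KubeArmor matches on the resolved path, `/run/utmp` may be what it sees (verify before relying on this entry). The message `"Warning! access sensitive files detected"` would read better as `"Sensitive account or login-record file accessed"`, and the hunk ends with an added empty line.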
diff --git a/generic/system/ksp-mitre-5g-tactic-impair-defense.yaml b/generic/system/ksp-mitre-5g-tactic-impair-defense.yaml
new file mode 100644
index 00000000..7d9fd45b
--- /dev/null
+++ b/generic/system/ksp-mitre-5g-tactic-impair-defense.yaml
@@ -0,0 +1,25 @@
+# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
+# To learn more about KubeArmor visit:
+# https://www.accuknox.com/kubearmor/
+
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-mitre-5g-tactic-impair-defense
+ namespace: default #change with your namespace
+spec:
+ tags: ["MITRE", "FGT1562","5G"]
+ message: "Selinux Files Accessed by Unknown Process"
+ selector:
+ matchLabels:
+ app: testpod #change with your match label
+ severity: 6
+ file:
+ matchPaths:
+ - path: /etc/selinux/semanage.conf
+ matchDirectories:
+ - dir: /etc/apparmor.d/
+ recursive: true
+ - dir: /etc/sysconfig/selinux/
+ recursive: true
+ action: Audit
diff --git a/generic/system/ksp-unsecured_credentials_access.yaml b/generic/system/ksp-unsecured_credentials_access.yaml
index ea2ebfb9..503c12bc 100644
--- a/generic/system/ksp-unsecured_credentials_access.yaml
+++ b/generic/system/ksp-unsecured_credentials_access.yaml
@@ -8,7 +8,7 @@ metadata:
 name: ksp-mitre-tactic-credential-access-unsecured-credentials-private-keys
 namespace: default # Change your namespace
 spec:
- tags: ["MITRE", "MITRE_T1552_unsecured_credentials"]
+ tags: ["MITRE", "MITRE_T1552_unsecured_credentials", "FGT1555", "5G"]
 message: "Credentials modification denied"
 selector:
 matchLabels:
diff --git a/generic/system/metadata.yaml b/generic/system/metadata.yaml
index 8f0f6be7..441c9186 100644
--- a/generic/system/metadata.yaml
+++ b/generic/system/metadata.yaml
@@ -1,4 +1,4 @@
-version: v0.1.9
+version: v0.2.3
 policyRules:
 - name: maint-tools-access
 precondition:
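Review bot: On RHEL-family systems `/etc/sysconfig/selinux` is a symlink to the file `/etc/selinux/config`, not a directory, so `- dir: /etc/sysconfig/selinux/` is unlikely to ever match, and the primary SELinux mode setting in `/etc/selinux/config` is not covered at all; adding `- path: /etc/selinux/config` under `matchPaths` closes that gap — confirm against the base images this policy targets. The message `"Selinux Files Accessed by Unknown Process"` understates the rule, which also watches `/etc/apparmor.d/`; `message: "SELinux or AppArmor configuration accessed"` would match the paths. Reads of these directories are normal for package managers and init scripts at build or start-up, so Audit is the right action until the legitimate sources are known and can be expressed with `fromSource`. Tag spacing and placeholder-comment wording follow the same inconsistent pattern as the other two new policy files.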
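Review bot: The new tags on the `tags:` line use the bare technique id (`"FGT1555"`) while the existing MITRE tag beside them is descriptive (`"MITRE_T1552_unsecured_credentials"`); a form matching the existing style, for example `"MITRE_FGT1555_credentials_from_password_stores"` (constructed), would keep the two readable side by side. This one policy file now carries two different techniques, ATT&CK T1552 and FiGHT FGT1555, and the generic/system/metadata.yaml hunk in this commit adds a second policyRules entry pointing at the same file, so it is worth stating in a comment above `tags:` which of the two mappings is primary. The enclosing `spec:` block continues outside the hunk.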
@@ -36,6 +36,22 @@ policyRules:
 has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.
 yaml: ksp-unsecured_credentials_access.yaml
+- name: credentials-from-password-stores
+ precondition:
+ - /etc/ssl/.*
+ - OPTSCAN
+ description:
+ refs:
+ - name: MITRE-5G
+ url:
+ - https://fight.mitre.org/techniques/FGT1555
+ tldr: Adversaries may search for common password storage locations to obtain user credentials.
+ detailed: Adversaries may search for common password storage locations to obtain user credentials.
+ Passwords are stored in several places on a system, depending on the operating system or application
+ holding the credentials. There are also specific applications that store passwords to make it easier
+ for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement
+ and access restricted information.
+ yaml: ksp-unsecured_credentials_access.yaml
 - name: system-owner-discovery
 precondition:
 - /usr/bin/who
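Review bot: The new `credentials-from-password-stores` entry points at `ksp-unsecured_credentials_access.yaml`, the same file the entry immediately above it already references, so one policy file is now listed twice under `policyRules`; if the consumer keys rules by `name` this is only a duplicate, but if it keys by `yaml` the second entry shadows the first — confirm which, and either fold the FGT1555 ref into the existing entry or give the new entry its own policy file. The precondition `/etc/ssl/.*` is written as a regex while the three entries added at the end of this file use glob-style `/etc/*`, `/bin/*`, `/var/*`; how `precondition` is evaluated is not visible here, so one syntax should be checked against the consumer. `tldr` and the first sentence of `detailed` are identical, and `for users manage and maintain` is missing `to`. The `refs` name `MITRE-5G` also differs from the `5g-tactic-*` naming used by the other new entries in this commit.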
@@ -319,4 +335,50 @@ policyRules:
 the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.
- yaml: ksp-file-integrity-monitoring.yaml
\ No newline at end of file
+ yaml: ksp-file-integrity-monitoring.yaml
+- name: impair-defense
+ precondition:
+ - /etc/*
+ - OPTSCAN
+ description:
+ refs:
+ - name: 5g-tactic-impair-defense
+ url:
+ - https://fight.mitre.org/techniques/FGT1562
+ tldr: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
+ detailed: Adversaries may maliciously modify components of a victim environment in order to hinder or
+ disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls
+ and anti-virus, but also detection capabilities that defenders can use to audit activity and identify
+ malicious behavior. This may also span both native defenses as well as supplemental capabilities installed
+ by users and administrators.
+ yaml: ksp-mitre-5g-tactic-impair-defense.yaml
+- name: network-service-scanning
+ precondition:
+ - /bin/*
+ - OPTSCAN
+ description:
+ refs:
+ - name: 5g-tactic-network-service-scanning
+ url:
+ - https://fight.mitre.org/techniques/FGT1046
+ tldr: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.
+ detailed: Adversaries may attempt to get a listing of services running on remote hosts and local
+ network infrastructure devices, including those that may be vulnerable to remote software exploitation.
+ Common methods to acquire this information include port and/or vulnerability scans using tools that are
+ brought onto a system.
+ yaml: ksp-5g-network-service-scanning.yaml
+- name: remote-services
+ precondition:
+ - /var/*
+ - OPTSCAN
+ description:
+ refs:
+ - name: 5g-tactic-remote-services
+ url:
+ - https://fight.mitre.org/techniques/FGT1021
+ tldr: Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC.
+ detailed: Legitimate applications (such as Software Deployment Tools and other administrative programs)
+ may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS
+ is native software used for remote management. ARD leverages a blend of protocols, including VNC to
+ send the screen and control buffers and SSH for secure file transfer.
+ yaml: ksp-mitre-5g-remote-services.yaml
\ No newline at end of file
diff --git a/kibana/system/metadata.yaml b/kibana/system/metadata.yaml
index cd01283f..e1364442 100644
--- a/kibana/system/metadata.yaml
+++ b/kibana/system/metadata.yaml
@@ -1,4 +1,4 @@
-version: v0.1.9
+version: v0.2.3
 policyRules:
 - name: kibana-panel
 precondition:
diff --git a/redis/system/metadata.yaml b/redis/system/metadata.yaml
index cf32c8b3..36855662 100644
--- a/redis/system/metadata.yaml
+++ b/redis/system/metadata.yaml
@@ -1,4 +1,4 @@
-version: v0.1.9
+version: v0.2.3
 policyRules:
 - name: redis-sys-path
 precondition:
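Review bot: The preconditions do not line up with the policy files they describe: `network-service-scanning` lists `/bin/*` but ksp-5g-network-service-scanning.yaml mostly matches binaries under `/usr/sbin` and `/sbin`, and `remote-services` lists `/var/*` although ksp-mitre-5g-remote-services.yaml watches `/etc/passwd`, `/etc/shadow` and `/etc/ssh/` as well as `/var/log`; if `precondition` gates whether a policy is offered for a workload, those policies will be skipped where only the `/etc` paths exist — how precondition is evaluated is not visible in this hunk. The `remote-services` `detailed` text appears to be the generic ATT&CK description about Apple Remote Desktop on macOS, which says nothing about container workloads; a sentence stating what the policy actually audits (reads of login records, account files and the SSH configuration directory) would help a reader choose it. The hunk re-adds `yaml: ksp-file-integrity-monitoring.yaml` to give it a trailing newline, but the new last line `yaml: ksp-mitre-5g-remote-services.yaml` again ends with `\ No newline at end of file`, so the same churn will recur on the next append.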