5G Policies #1041

Merged
merged 1 commit into from
Jun 6, 2023
2 changes: 1 addition & 1 deletion MySQL/system/metadata.yaml
@@ -1,4 +1,4 @@
version: v0.1.9
version: v0.2.3
policyRules:
- name: user-grp-mod
precondition:
2 changes: 1 addition & 1 deletion elastic/system/metadata.yaml
@@ -1,4 +1,4 @@
version: v0.1.9
version: v0.2.3
policyRules:
- name: elasticsearch-indices-dir
precondition:
2 changes: 1 addition & 1 deletion generic/kyverno/metadata.yaml
@@ -1,4 +1,4 @@
version: v0.1.9
version: v0.2.3
policyRules:
- name: restrict-automount-sa-token
description:
35 changes: 35 additions & 0 deletions generic/system/ksp-5g-network-service-scanning.yaml
@@ -0,0 +1,35 @@
# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit:
# https://www.accuknox.com/kubearmor/

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-5g-network-service-scanning
namespace: default # Change your namespace
spec:
tags: ["MITRE", "FGT1046","5G"]
message: "Network service has been scanned!"
selector:
matchLabels:
container: ubuntu-1 # Change your matchLabels
severity: 5
process:
matchPaths:
- path: /usr/bin/netstat
- path: /bin/netstat
- path: /usr/sbin/ip
- path: /usr/bin/ip
- path: /sbin/ip
- path: /bin/ip
- path: /usr/sbin/iw
- path: /sbin/iw
- path: /usr/sbin/ethtool
- path: /sbin/ethtool
- path: /usr/sbin/ifconfig
- path: /sbin/ifconfig
- path: /usr/sbin/arp
- path: /sbin/arp
- path: /usr/sbin/iwconfig
- path: /sbin/iwconfig
action: Audit
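Review bot: The matched binaries (netstat, ip, ifconfig, arp, iw, iwconfig, ethtool) enumerate the local interface and connection state rather than list services on remote hosts, which is what the FGT1046 text added to generic/system/metadata.yaml describes; in Audit mode the message "Network service has been scanned!" will therefore fire on routine `ip addr` or `netstat` calls from entrypoint scripts and health checks. Consider a message that names what is actually observed (a network-configuration tool was executed) or narrowing the rule with a `fromSource` filter. Two smaller points: the selector uses `container: ubuntu-1` while the other two new policies use `app: testpod`, so one convention would make the "Change your matchLabels" comment clearer, and `"FGT1046","5G"` is missing the space after the comma used in the other tag lists.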
27 changes: 27 additions & 0 deletions generic/system/ksp-mitre-5g-remote-services.yaml
@@ -0,0 +1,27 @@
# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit:
# https://www.accuknox.com/kubearmor/

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-mitre-5g-remote-services
namespace: default # Change your namespace
spec:
tags: ["MITRE", "5G", "FGT1021"]
message: "Warning! access sensitive files detected"
selector:
matchLabels:
app: testpod #change with your own label
file:
matchPaths:
- path: /var/log/wtmp
- path: /var/run/utmp
- path: /var/log/auth.log
- path: /etc/passwd
- path: /etc/shadow
matchDirectories:
- dir: /etc/ssh/
severity: 3
action: Audit

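Review bot: `/etc/passwd` is read by essentially every process that resolves a uid or username (`ls -l`, `id`, sshd, most entrypoint scripts), so auditing access to it next to `/etc/shadow` will bury the events this rule is meant to surface; either drop it or scope the rule with `fromSource`. The `matchDirectories` entry for `/etc/ssh/` has no `recursive: true`, unlike the impair-defense policy in this PR, so files in a subdirectory such as an `sshd_config.d/` drop-in directory are not covered; add it if that is intended. Also, the tag order `["MITRE", "5G", "FGT1021"]` differs from the other two new policies, and the message reads better as "Warning! Access to sensitive files detected".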
25 changes: 25 additions & 0 deletions generic/system/ksp-mitre-5g-tactic-impair-defense.yaml
@@ -0,0 +1,25 @@
# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit:
# https://www.accuknox.com/kubearmor/

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ksp-mitre-5g-tactic-impair-defense
namespace: default #change with your namespace
spec:
tags: ["MITRE", "FGT1562","5G"]
message: "Selinux Files Accessed by Unknown Process"
selector:
matchLabels:
app: testpod #change with your match label
severity: 6
file:
matchPaths:
- path: /etc/selinux/semanage.conf
matchDirectories:
- dir: /etc/apparmor.d/
recursive: true
- dir: /etc/sysconfig/selinux/
recursive: true
action: Audit
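Review bot: On RHEL-derived systems `/etc/sysconfig/selinux` is a symlink to the file `/etc/selinux/config`, not a directory, so the `matchDirectories` entry for `/etc/sysconfig/selinux/` will not match anything, and `/etc/selinux/config` itself (where `SELINUX=disabled` or `permissive` is set) is not covered; matching `/etc/selinux/` with `recursive: true` would cover both `semanage.conf` and `config`. The message "Selinux Files Accessed by Unknown Process" also understates the rule: it covers `/etc/apparmor.d/` too, and without a `fromSource` filter every process, known or not, triggers it.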
2 changes: 1 addition & 1 deletion generic/system/ksp-unsecured_credentials_access.yaml
Expand Up @@ -8,7 +8,7 @@ metadata:
name: ksp-mitre-tactic-credential-access-unsecured-credentials-private-keys
namespace: default # Change your namespace
spec:
tags: ["MITRE", "MITRE_T1552_unsecured_credentials"]
tags: ["MITRE", "MITRE_T1552_unsecured_credentials", "FGT1555", "5G"]
message: "Credentials modification denied"
selector:
matchLabels:
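Review bot: The existing tag `MITRE_T1552_unsecured_credentials` and the new `FGT1555` tag refer to different techniques: T1552 is Unsecured Credentials, while FGT1555 is Credentials from Password Stores according to the new metadata entry in this PR, and the policy name `...unsecured-credentials-private-keys` matches the former. Please confirm FGT1555 is the intended mapping rather than the FiGHT counterpart of T1552, and if both apply, say so in the metadata entry. Tag style is now mixed as well (`MITRE_T1552_...` versus a bare `FGT1555`).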
66 changes: 64 additions & 2 deletions generic/system/metadata.yaml
@@ -1,4 +1,4 @@
version: v0.1.9
version: v0.2.3
policyRules:
- name: maint-tools-access
precondition:
Expand Down Expand Up @@ -36,6 +36,22 @@ policyRules:
has an attribute set from being downloaded from the Internet, or getting an
indication that you are about to connect to an untrusted site.
yaml: ksp-unsecured_credentials_access.yaml
- name: credentials-from-password-stores
precondition:
- /etc/ssl/.*
- OPTSCAN
description:
refs:
- name: MITRE-5G
url:
- https://fight.mitre.org/techniques/FGT1555
tldr: Adversaries may search for common password storage locations to obtain user credentials.
detailed: Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application
holding the credentials. There are also specific applications that store passwords to make it easier
for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement
and access restricted information.
yaml: ksp-unsecured_credentials_access.yaml
- name: system-owner-discovery
precondition:
- /usr/bin/who
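Review bot: The new `credentials-from-password-stores` entry points at `ksp-unsecured_credentials_access.yaml`, the same file the entry directly above it already references (`yaml: ksp-unsecured_credentials_access.yaml` at the top of this hunk), so two metadata entries now map to one policy; if any tooling indexes entries by yaml file one of them will be lost, and a reader gets both the T1552 and the FGT1555 descriptions for a single policy. Consider one entry carrying both refs. Two text fixes: `tldr` and the first sentence of `detailed` are identical, and "easier for users manage and maintain" is missing "to".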
Expand Down Expand Up @@ -319,4 +335,50 @@ policyRules:
the goals and objectives of the adversary. For complex systems, an adversary would likely need special
expertise and possibly access to specialized software related to the system that would typically be gained
through a prolonged information gathering campaign in order to have the desired impact.
yaml: ksp-file-integrity-monitoring.yaml
yaml: ksp-file-integrity-monitoring.yaml
- name: impair-defense
precondition:
- /etc/*
- OPTSCAN
description:
refs:
- name: 5g-tactic-impair-defense
url:
- https://fight.mitre.org/techniques/FGT1562
tldr: Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
detailed: Adversaries may maliciously modify components of a victim environment in order to hinder or
disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls
and anti-virus, but also detection capabilities that defenders can use to audit activity and identify
malicious behavior. This may also span both native defenses as well as supplemental capabilities installed
by users and administrators.
yaml: ksp-mitre-5g-tactic-impair-defense.yaml
- name: network-service-scanning
precondition:
- /bin/*
- OPTSCAN
description:
refs:
- name: 5g-tactic-network-service-scanning
url:
- https://fight.mitre.org/techniques/FGT1046
tldr: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.
detailed: Adversaries may attempt to get a listing of services running on remote hosts and local
network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Common methods to acquire this information include port and/or vulnerability scans using tools that are
brought onto a system.
yaml: ksp-5g-network-service-scanning.yaml
- name: remote-services
precondition:
- /var/*
- OPTSCAN
description:
refs:
- name: 5g-tactic-remote-services
url:
- https://fight.mitre.org/techniques/FGT1021
tldr: Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC.
detailed: Legitimate applications (such as Software Deployment Tools and other administrative programs)
may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS
is native software used for remote management. ARD leverages a blend of protocols, including VNC to
send the screen and control buffers and SSH for secure file transfer.
yaml: ksp-mitre-5g-remote-services.yaml
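Review bot: The preconditions `/etc/*`, `/bin/*` and `/var/*` match practically every image, so they no longer select which images a policy applies to the way `/usr/bin/who` or `/etc/ssl/.*` do for the neighbouring entries; list the paths the policies actually match (for remote-services that is mostly `/etc/passwd`, `/etc/shadow` and `/etc/ssh/`, none of which are under `/var`). The precondition syntax is also mixed: `/etc/ssl/.*` is a regex, these three are globs. The `remote-services` detailed text describes Apple Remote Desktop on macOS, which has nothing to do with a Linux policy auditing wtmp, utmp, auth.log and the ssh configuration directory; describe the Linux case the policy covers. The deleted and re-added `yaml: ksp-file-integrity-monitoring.yaml` line is identical in content, so that is a whitespace-only change that should be dropped from the diff, and the ref names are inconsistent (`MITRE-5G` in the previous hunk versus `5g-tactic-...` here).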
2 changes: 1 addition & 1 deletion kibana/system/metadata.yaml
@@ -1,4 +1,4 @@
version: v0.1.9
version: v0.2.3
policyRules:
- name: kibana-panel
precondition:
2 changes: 1 addition & 1 deletion redis/system/metadata.yaml
@@ -1,4 +1,4 @@
version: v0.1.9
version: v0.2.3
policyRules:
- name: redis-sys-path
precondition: