
Permission Denied for Allowed Paths [As a result it breaks the application]

Open salman-accuknox opened this issue 2 years ago • 0 comments

Steps to reproduce:

  • Environment: GKE cluster
  • Install dependencies using the accuknox install command
  • Deployed the Java sample application https://raw.githubusercontent.com/accuknox/samples/main/log4j-demo/k8s.yaml
  • Auto-generated policies after the application was up and running
  • Auto discovered policy:

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-3052580576
  namespace: java-ms
spec:
  action: Allow
  file:
    matchDirectories:
    - dir: /sys/
      fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      recursive: true
    - dir: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/
      fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      recursive: true
    - dir: /usr/local/tomcat/
      fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      recursive: true
    matchPaths:
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      path: /dev/random
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      path: /dev/urandom
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      path: /etc/java-8-openjdk/content-types.properties
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      path: /etc/java-8-openjdk/security/java.security
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      path: /etc/resolv.conf
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      path: /lib/x86_64-linux-gnu/libcrypt-2.19.so
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      path: /lib/x86_64-linux-gnu/libuuid.so.1.3.0
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      path: /usr/lib/x86_64-linux-gnu/libapr-1.so.0.5.1
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      path: /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
  network:
    matchProtocols:
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      protocol: raw
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      protocol: tcp
    - fromSource:
      - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
      protocol: udp
  process:
    matchPaths:
    - path: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
  selector:
    matchLabels:
      app: java-ms
  severity: 1
```
  • KubeArmor Log:

```
== Alert / 2022-07-11 11:25:08.460270 ==
Cluster Name: default
Host Name: gke-cys-july11-default-pool-2ad12d4f-khmc
Namespace Name: java-ms
Pod Name: java-ms-56b9c47579-8k2xc
Container ID: 54e42aef9c0bbaf8e231395af12d1ada0d5838dce7ac179b3c993ff8beee2ee0
Container Name: java-ms
Labels: app=java-ms
Policy Name: DefaultPosture
Type: MatchedPolicy
Source: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
Operation: File
Resource: /usr/local/tomcat/webapps/ROOT/index.jsp
Data: syscall=SYS_OPEN flags=O_RDONLY
Action: Block
Result: Permission denied
== Alert / 2022-07-11 11:25:08.463747 ==
Cluster Name: default
Host Name: gke-cys-july11-default-pool-2ad12d4f-khmc
Namespace Name: java-ms
Pod Name: java-ms-56b9c47579-8k2xc
Container ID: 54e42aef9c0bbaf8e231395af12d1ada0d5838dce7ac179b3c993ff8beee2ee0
Container Name: java-ms
Labels: app=java-ms
Policy Name: DefaultPosture
Type: MatchedPolicy
Source: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
Operation: File
Resource: /usr/local/tomcat/webapps/ROOT/index.jsp
Data: syscall=SYS_OPEN flags=O_RDONLY
Action: Block
Result: Permission denied
```

salman-accuknox, Jul 13 '22 04:07
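The contradiction in this report is mechanical: the `Allow` policy has a recursive `matchDirectories` rule for `/usr/local/tomcat/` from source `/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java`, yet the `DefaultPosture` alert blocks that same source opening `/usr/local/tomcat/webapps/ROOT/index.jsp`. The script below is an added triage example, not code from the issue, from discovery-engine or from KubeArmor: it parses KubeArmor alert records in the `Key: Value` format shown above and checks each `Block` alert against the policy's file rules, reporting any blocked access that an `Allow` rule should have covered. The policy is embedded as a Python dict holding the file section of the policy above (kept stdlib-only instead of parsing YAML); the first alert is copied from the issue, the second (`/etc/passwd`) is a constructed control case that no rule allows. The `fromSource` and `recursive` matching is a simplified reading of those fields' documented meaning, not KubeArmor's enforcement code.

```python
"""Cross-check KubeArmor Block alerts against the Allow rules of a KubeArmorPolicy.

Added example for the issue above; not part of KubeArmor or discovery-engine.
Matching semantics (fromSource, recursive) are a simplified approximation.
"""
import re

JAVA = "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java"

# File section of the auto-discovered policy from the issue, as a dict.
POLICY = {
    "action": "Allow",
    "file": {
        "matchDirectories": [
            {"dir": "/sys/", "recursive": True, "fromSource": [{"path": JAVA}]},
            {"dir": "/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/", "recursive": True,
             "fromSource": [{"path": JAVA}]},
            {"dir": "/usr/local/tomcat/", "recursive": True, "fromSource": [{"path": JAVA}]},
        ],
        "matchPaths": [
            {"path": "/dev/random", "fromSource": [{"path": JAVA}]},
            {"path": "/dev/urandom", "fromSource": [{"path": JAVA}]},
            {"path": "/etc/resolv.conf", "fromSource": [{"path": JAVA}]},
        ],
    },
}

# First record copied from the issue; second record is a constructed control
# case (no Allow rule covers /etc/passwd, so a Block there is expected).
ALERT_LOG = """\
== Alert / 2022-07-11 11:25:08.460270 ==
Namespace Name: java-ms
Policy Name: DefaultPosture
Type: MatchedPolicy
Source: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
Operation: File
Resource: /usr/local/tomcat/webapps/ROOT/index.jsp
Data: syscall=SYS_OPEN flags=O_RDONLY
Action: Block
Result: Permission denied
== Alert / 2022-07-11 11:25:09.000000 ==
Namespace Name: java-ms
Policy Name: DefaultPosture
Type: MatchedPolicy
Source: /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
Operation: File
Resource: /etc/passwd
Data: syscall=SYS_OPEN flags=O_RDONLY
Action: Block
Result: Permission denied
"""

ALERT_HEADER = re.compile(r"^== Alert / (.+?) ==$")


def parse_alerts(text):
    """Split the KubeArmor text log into one dict per '== Alert / ... ==' record."""
    alerts, current = [], None
    for line in text.splitlines():
        header = ALERT_HEADER.match(line)
        if header:
            current = {"timestamp": header.group(1)}
            alerts.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
    return alerts


def source_matches(rule, source):
    """A rule without fromSource applies to every process in the pod."""
    froms = rule.get("fromSource")
    if not froms:
        return True
    return any(f.get("path") == source for f in froms)


def path_in_dir(path, directory, recursive):
    """True if path lies under directory (any depth if recursive, else direct child)."""
    directory = directory if directory.endswith("/") else directory + "/"
    if not path.startswith(directory):
        return False
    rest = path[len(directory):]
    return recursive or "/" not in rest


def allowed_by_policy(policy, source, resource):
    """Return the Allow rule covering (source, resource), or None if no rule does."""
    if policy.get("action") != "Allow":
        return None
    file_spec = policy.get("file", {})
    for rule in file_spec.get("matchPaths", []):
        if rule["path"] == resource and source_matches(rule, source):
            return rule
    for rule in file_spec.get("matchDirectories", []):
        if path_in_dir(resource, rule["dir"], rule.get("recursive", False)) \
                and source_matches(rule, source):
            return rule
    return None


def find_contradictions(policy, alerts):
    """List (resource, rule) pairs where a Block alert hit a path the policy allows."""
    out = []
    for alert in alerts:
        if alert.get("Operation") != "File" or alert.get("Action") != "Block":
            continue
        rule = allowed_by_policy(policy, alert.get("Source"), alert.get("Resource"))
        if rule is not None:
            out.append((alert["Resource"], rule))
    return out


if __name__ == "__main__":
    for resource, rule in find_contradictions(POLICY, parse_alerts(ALERT_LOG)):
        print(f"BLOCKED despite Allow rule {rule}: {resource}")
```

Run against the two records, only the `index.jsp` access is reported, pointing straight at the rule the enforcer failed to honour; the `/etc/passwd` block is consistent with the default posture and stays quiet. Feeding the real alert stream (for example the output of `karmor log`) through `parse_alerts` turns this into a cheap regression check for "allowed path still denied" after every policy rollout.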