discovery-engine
kubearmor blocking network operation after applying autodiscovered (process and file) policies.
Issue Report
General Information
- Environment: AKS
- Orchestration system version in use (e.g. `kubectl version`, ...):

```
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:58:47Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.12", GitCommit:"f941a31f4515c5ac03f5fc7ccf9a330e3510b80d", GitTreeState:"clean", BuildDate:"2022-11-09T17:12:33Z", GoVersion:"go1.17.13", Compiler:"gc", Platform:"linux/amd64"}
```

- Target: pods
To Reproduce
- Deploy MySQL

```
➜ ~ k get po -n mysql-ad --show-labels
NAME                     READY   STATUS    RESTARTS   AGE     LABELS
mysql-6d86c78b54-8nwkz   1/1     Running   0          2d17h   app=mysql,pod-template-hash=6d86c78b54
➜ ~ k exec -it mysql-6d86c78b54-8nwkz -n mysql-ad bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@mysql-6d86c78b54-8nwkz:/# mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 29
Server version: 5.6.51 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
```
- Perform some operations on MySQL (following "How to Create Tables and Insert Data into SQL Databases")

```
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ad_test            |
| mysql              |
| performance_schema |
| recipes_database   |
+--------------------+
5 rows in set (0.00 sec)

mysql> use recipes_database;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+----------------------------+
| Tables_in_recipes_database |
+----------------------------+
| ingredients                |
| recipe_ingredients         |
| recipes                    |
+----------------------------+
3 rows in set (0.00 sec)

mysql> select * from ingredients;
+---------------+-----------------+------------------+
| ingredient_id | ingredient_name | ingredient_price |
+---------------+-----------------+------------------+
|             1 | Beef            |                5 |
|             2 | Lettuce         |                1 |
|             3 | Tomatoes        |                2 |
|             4 | Taco Shell      |                2 |
|             5 | Cheese          |                3 |
|             6 | Milk            |                1 |
|             7 | Bread           |                2 |
+---------------+-----------------+------------------+
7 rows in set (0.00 sec)

mysql> exit
Bye
root@mysql-6d86c78b54-8nwkz:/#
```
- Discover kubearmor policies

```
karmor discover -f yaml -n mysql-ad > ad-kubearmorpolicy.yaml
```

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-1928276615
  namespace: mysql-ad
spec:
  action: Allow
  file:
    matchDirectories:
    - dir: /etc/
      recursive: true
    - dir: /lib/x86_64-linux-gnu/
      recursive: true
    matchPaths:
    - path: /dev/tty
    - path: /lib/terminfo/x/xterm
    - path: /pts/ptmx
    - path: /root/.bash_history
    - path: /root/.bashrc
    - fromSource:
      - path: /usr/bin/mysql
      path: /root/.mysql_history.TMP
    - fromSource:
      - path: /usr/bin/mysql
      path: /root/.mysql_history
    - fromSource:
      - path: /usr/bin/mysql
      path: /usr/lib/x86_64-linux-gnu/libstdc++.so.6
    - fromSource:
      - path: /usr/bin/mysql
      path: /usr/share/mysql/charsets/Index.xml
  process:
    matchPaths:
    - path: /bin/bash
    - fromSource:
      - path: /bin/bash
      path: /usr/bin/mysql
  selector:
    matchLabels:
      app: mysql
  severity: 1
---
```
- Apply policy

```
k apply -f ad-kubearmorpolicy.yaml
➜ mysql k get ksp,hsp -A
NAMESPACE   NAME                                                                 AGE
mysql-ad    kubearmorpolicy.security.kubearmor.com/autopol-system-1928276615   59m
```

- Change DefaultPosture to block.

```
kubectl annotate ns mysql-ad kubearmor-file-posture=block --overwrite=true
```
- Repeat the operations performed in step 2

```
➜ ~ k exec -it mysql-6d86c78b54-8nwkz -n mysql-ad bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@mysql-6d86c78b54-8nwkz:/# mysql -p
Enter password:
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (13)
root@mysql-6d86c78b54-8nwkz:/#
```
Logs

```
➜ ~ karmor log --namespace mysql-ad
local port to be used for port forwarding kubearmor-relay-5656cc5bf7-nb6b4: 32767
Created a gRPC client (localhost:32767)
Checked the liveness of the gRPC server
Started to watch alerts
== Alert / 2022-12-09 03:10:32.328526 ==
ClusterName: default
HostName: aks-agentpool-31698863-vmss000000
NamespaceName: mysql-ad
PodName: mysql-6d86c78b54-8nwkz
Labels: app=mysql
ContainerName: mysql
ContainerID: 7f6392c0b8b6a2a2734dc4feb85474bd4f27d607e957a8f4bd1ba9d686411a5c
ContainerImage: docker.io/library/mysql:5.6@sha256:20575ecebe6216036d25dab5903808211f1e9ba63dc7825ac20cb975e34cfcae
Type: MatchedPolicy
PolicyName: DefaultPosture
Source: /usr/bin/mysql -p
Resource: sa_family=AF_UNIX sun_path=/var/run/mysqld/mysqld.sock
Operation: Network
Action: Block
Data: syscall=SYS_CONNECT fd=3
Enforcer: AppArmor
Result: Permission denied
HostPID: 835717
HostPPID: 754895
PID: 287
PPID: 276
ParentProcessName: /bin/bash
ProcessName: /usr/bin/mysql
Stopped WatchAlerts
```
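The alert above is the useful signal here: the block did not come from the discovered policy but from the namespace DefaultPosture, and the AF_UNIX connect to `mysqld.sock` is reported as a Network operation although it was the file posture that was switched to block. A small triage script, added here as an example and not part of discovery-engine or karmor, parses the `karmor log` text format over constructed sample entries and lists every access the default posture blocked, i.e. what the auto-discovered allow policy failed to cover, pulling the socket path out of `sun_path=` for unix-socket connects.

```python
import re

# Constructed sample in the `karmor log` text format shown in the report.
SAMPLE_LOG = """\
== Alert / 2022-12-09 03:10:32.328526 ==
PolicyName: DefaultPosture
Source: /usr/bin/mysql -p
Resource: sa_family=AF_UNIX sun_path=/var/run/mysqld/mysqld.sock
Operation: Network
Action: Block
ProcessName: /usr/bin/mysql
== Log / 2022-12-09 03:10:40.000000 ==
Type: ContainerLog
Operation: Process
Result: Passed
ProcessName: /bin/bash
== Alert / 2022-12-09 03:11:05.000000 ==
PolicyName: DefaultPosture
Source: /bin/bash
Resource: /usr/share/zoneinfo/UTC
Operation: File
Action: Block
ProcessName: /bin/bash
"""

ENTRY_HEADER = re.compile(r"^== (?P<kind>Alert|Log) / (?P<ts>.+?) ==$")

def parse_entries(text):
    """Split karmor log output into one dict per '== Alert/Log ... ==' block."""
    entries, current = [], None
    for line in text.splitlines():
        if m := ENTRY_HEADER.match(line):
            current = {"Kind": m.group("kind"), "Timestamp": m.group("ts")}
            entries.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key] = value
    return entries

def posture_gaps(entries):
    """(process, operation, resource) for each access blocked by the namespace default
    posture, i.e. not covered by the discovered policy; AF_UNIX connects yield sun_path."""
    gaps = []
    for e in entries:
        if e.get("PolicyName") != "DefaultPosture" or e.get("Action") != "Block":
            continue
        resource = e.get("Resource", "")
        sock = re.search(r"sun_path=(\S+)", resource)
        gaps.append((e["ProcessName"], e["Operation"], sock.group(1) if sock else resource))
    return gaps
```

Run it against a real `karmor log` capture taken while exercising the workload under audit posture, before switching the namespace to block, to see which paths the discovered policy still needs.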
Expected behavior
After applying the auto-discovered policies, it shouldn't break the application
cc: @nyrahul @seswarrajan