KubeArmor

No MatchedPolicy log for rm,rmdir,unlink process executions

Open · salman-accuknox opened this issue 2 years ago · 1 comment

General Information

  • Environment: GKE cluster (Image type: Container-Optimized OS with containerd (cos_containerd))
  • karmor and KubeArmor version:
➜  ~ karmor version
karmor version 0.7.6 linux/amd64 BuildDate=2022-06-29T03:58:05Z
current version is the latest
kubearmor image (running) version kubearmor/kubearmor:stable

Steps to reproduce:

  1. Deploy sample ubuntu pod
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: ubuntu
  name: ubuntu
  namespace: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ubuntu
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: ubuntu
    spec:
      containers:
      - image: ubuntu
        name: ubuntu
        command: ["/bin/sleep", "3650d"]
        resources: {}
EOF
  2. Apply Policy
cat <<EOF | kubectl apply -f -
# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit:
# https://www.accuknox.com/kubearmor/

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-block-deletion-of-log-files
spec:
  tags: ["NIST","NIST-800","AU-11","File"]
  message: "Alert! Deletion of log files are blocked."
  selector:
    matchLabels:
      app: ubuntu                     #change to your labels
  file:
    severity: 5
    matchDirectories:
    - dir: /var/log/
      recursive: true
      fromSource:
      - path: /usr/bin/cat
      - path: /bin/cat
      - path: /usr/bin/rm
      - path: /bin/rm
      - path: /usr/bin/rmdir
      - path: /usr/bin/unlink
    action: Block
EOF
  3. Violate the policy
➜  ~ k exec -it ubuntu-6c6d9795f4-mlw6t -n test -- bash
root@ubuntu-6c6d9795f4-mlw6t:/# touch /var/log/temp.log
root@ubuntu-6c6d9795f4-mlw6t:/# rm /var/log/temp.log
rm: cannot remove '/var/log/temp.log': Permission denied
root@ubuntu-6c6d9795f4-mlw6t:/# cat /var/log/temp.log
cat: /var/log/temp.log: Permission denied
root@ubuntu-6c6d9795f4-mlw6t:/#
  4. KubeArmor Logs
➜  ~ karmor log
gRPC server: localhost:32767
Created a gRPC client (localhost:32767)
Checked the liveness of the gRPC server
Started to watch alerts
== Alert / 2022-07-01 06:41:12.745813 ==
Cluster Name: default
Host Name: gke-cys-july1-default-pool-eaa0df1b-d24b
Namespace Name: test
Pod Name: ubuntu-6c6d9795f4-mlw6t
Container ID: e6a014b3ffd2e0d790faf336a8d45defc093e2702ccf4af13c3fdb5d175c5cde
Container Name: ubuntu
Labels: app=ubuntu
Policy Name: ksp-block-deletion-of-log-files
Severity: 5
Tags: NIST,NIST-800,AU-11,File
Message: Alert! Deletion of log files are blocked.
Type: MatchedPolicy
Source: /usr/bin/cat /var/log/temp.log
Operation: File
Resource: /var/log/temp.log
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDONLY
Action: Block
Result: Permission denied
Stopped WatchAlerts

Current behavior

No MatchedPolicy log for rm, rmdir, unlink processes

Expected behavior

MatchedPolicy Log for rm, rmdir, unlink processes

Screenshots

(screenshot attachment not reproduced here)

salman-accuknox · Jul 01 '22 07:07
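A small check a defender can run over `karmor log` output to find which of the policy's fromSource binaries were denied without producing a MatchedPolicy alert, which is the gap this issue reports. This is an added example, not code from the issue or from KubeArmor; it assumes the plain-text `== Alert ... ==` / `Key: value` layout of `karmor log` shown above and that the caller knows which binaries were actually exercised.

```python
from typing import Dict, List, Set

# Constructed sample: the karmor log output quoted in the issue, trimmed to
# the fields this check needs (same "== Alert ... ==" / "Key: value" layout).
SAMPLE_LOG = """\
== Alert / 2022-07-01 06:41:12.745813 ==
Pod Name: ubuntu-6c6d9795f4-mlw6t
Policy Name: ksp-block-deletion-of-log-files
Type: MatchedPolicy
Source: /usr/bin/cat /var/log/temp.log
Resource: /var/log/temp.log
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDONLY
Action: Block
Result: Permission denied
Stopped WatchAlerts
"""

# The fromSource paths of ksp-block-deletion-of-log-files, as in the issue.
POLICY = "ksp-block-deletion-of-log-files"
EXPECTED_SOURCES = ["/usr/bin/cat", "/bin/cat", "/usr/bin/rm", "/bin/rm",
                    "/usr/bin/rmdir", "/usr/bin/unlink"]


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Turn karmor's text stream into one dict of 'Key: value' fields per alert block."""
    alerts: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if line.startswith("== Alert"):
            current = {}
            alerts.append(current)
        elif line.startswith("Stopped"):
            current = None
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
    return alerts


def matched_sources(alerts: List[Dict[str, str]], policy: str) -> Set[str]:
    """Binaries (first token of 'Source') that produced a MatchedPolicy alert for the policy."""
    return {a["Source"].split(" ", 1)[0] for a in alerts
            if a.get("Type") == "MatchedPolicy" and a.get("Policy Name") == policy and "Source" in a}


def missing_sources(alerts: List[Dict[str, str]], policy: str, exercised: Set[str]) -> List[str]:
    """Exercised fromSource binaries that were denied but never produced a MatchedPolicy alert."""
    seen = matched_sources(alerts, policy)
    return [s for s in EXPECTED_SOURCES if s in exercised and s not in seen]
```

With the issue's session (cat and rm both run, both denied) the check reports `/usr/bin/rm` as the binary whose block left no alert behind.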

WIP @ #737

daemon1024 · Jul 01 '22 07:07