From 2ce14fbdd2e45ca57b8d5bd4953f5eca004042f1 Mon Sep 17 00:00:00 2001
From: Jaehyun Nam
Date: Wed, 27 Apr 2022 15:00:37 +0000
Subject: [PATCH] fix audit mode (w/ policy matcher)

Signed-off-by: Jaehyun Nam
---
 KubeArmor/core/kubeArmor.go | 3 +-
 KubeArmor/core/kubeUpdate.go | 111 +------
 KubeArmor/enforcer/appArmorHostProfile.go | 22 +-
 KubeArmor/enforcer/appArmorProfile.go | 12 -
 KubeArmor/feeder/feeder.go | 12 +-
 KubeArmor/feeder/policyMatcher.go | 374 ++++++++++------------
 KubeArmor/monitor/hostLogUpdate.go | 6 +-
 KubeArmor/monitor/logUpdate.go | 15 +-
 KubeArmor/monitor/syscallParser.go | 20 ++
 KubeArmor/monitor/systemMonitor.go | 19 +-
 KubeArmor/monitor/systemMonitor_test.go | 6 +-
 KubeArmor/types/types.go | 4 +-
 12 files changed, 245 insertions(+), 359 deletions(-)

diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
index ef696763bf..bec082353f 100644
--- a/KubeArmor/core/kubeArmor.go
+++ b/KubeArmor/core/kubeArmor.go
@@ -215,7 +215,7 @@ func (dm *KubeArmorDaemon) CloseLogger() bool {
 
 // InitSystemMonitor Function
 func (dm *KubeArmorDaemon) InitSystemMonitor() bool {
- dm.SystemMonitor = mon.NewSystemMonitor(dm.Node, dm.Logger, &dm.Containers, &dm.ContainersLock,
+ dm.SystemMonitor = mon.NewSystemMonitor(&dm.Node, dm.Logger, &dm.Containers, &dm.ContainersLock,
 &dm.ActivePidMap, &dm.ActiveHostPidMap, &dm.ActivePidMapLock, &dm.ActiveHostMap, &dm.ActiveHostMapLock)
 if dm.SystemMonitor == nil {
 return false
@@ -330,6 +330,7 @@ func KubeArmor() {
 
 // Enable KubeArmorHostPolicy for both VM and KVMAgent and in non-k8s env
 if cfg.GlobalCfg.KVMAgent || (!cfg.GlobalCfg.K8sEnv && cfg.GlobalCfg.HostPolicy) {
+ dm.Node.NodeName = cfg.GlobalCfg.Host
 dm.Node.NodeIP = kl.GetExternalIPAddr()
 dm.Node.Annotations = map[string]string{}
 
diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
index 5a32436b81..be8ebfce90 100644
--- a/KubeArmor/core/kubeUpdate.go
+++ b/KubeArmor/core/kubeUpdate.go
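Review bot: In the `@@ -330` hunk the VM/KVMAgent branch now sets `dm.Node.NodeName` but leaves `dm.Node.ClusterName` unset, while feeder.go in this same commit switches `pbAlert.ClusterName` and `pbLog.ClusterName` to read `fd.Node.ClusterName`; unless ClusterName is assigned somewhere else on this path, alerts and logs from non-k8s hosts will carry an empty cluster name. The WatchK8sNodes hunk in kubeUpdate.go sets both fields, so the two paths should stay symmetric: add `dm.Node.ClusterName = cfg.GlobalCfg.Cluster` next to the new NodeName line. The enclosing `KubeArmor()` function continues outside the hunk.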
@@ -43,6 +43,13 @@ func (dm *KubeArmorDaemon) HandleNodeAnnotations(node *tp.Node) { node.Annotations["kubearmor-policy"] = "audited" } } + + if kl.IsInK8sCluster() && strings.Contains(string(lsm), "selinux") { + // exception: KubeArmor in a daemonset even though SELinux is enabled + if node.Annotations["kubearmor-policy"] == "enabled" { + node.Annotations["kubearmor-policy"] = "audited" + } + } } if node.Annotations["kubearmor-policy"] == "enabled" { @@ -94,6 +101,9 @@ func (dm *KubeArmorDaemon) WatchK8sNodes() { node := tp.Node{} + node.ClusterName = cfg.GlobalCfg.Cluster + node.NodeName = cfg.GlobalCfg.Host + for _, address := range event.Object.Status.Addresses { if address.Type == "InternalIP" { node.NodeIP = address.Address @@ -190,7 +200,6 @@ func (dm *KubeArmorDaemon) UpdateEndPointWithPod(action string, pod tp.K8sPod) { newPoint.Containers = []string{} newPoint.AppArmorProfiles = []string{} - newPoint.SELinuxProfiles = []string{} // update containers for k := range pod.Containers { @@ -236,13 +245,6 @@ func (dm *KubeArmorDaemon) UpdateEndPointWithPod(action string, pod tp.K8sPod) { } dm.DefaultPosturesLock.Unlock() - // update selinux profile names to the endpoint - for k, v := range pod.Annotations { - if strings.HasPrefix(k, "kubearmor-selinux") { - newPoint.SELinuxProfiles = append(newPoint.SELinuxProfiles, v) - } - } - // update security policies with the identities newPoint.SecurityPolicies = dm.GetSecurityPolicies(newPoint.Identities) @@ -362,13 +364,6 @@ func (dm *KubeArmorDaemon) UpdateEndPointWithPod(action string, pod tp.K8sPod) { } dm.DefaultPosturesLock.Unlock() - // update selinux profile names to the endpoint - for k, v := range pod.Annotations { - if strings.HasPrefix(k, "kubearmor-selinux") { - newEndPoint.SELinuxProfiles = append(newEndPoint.SELinuxProfiles, v) - } - } - // get security policies according to the updated identities newEndPoint.SecurityPolicies = dm.GetSecurityPolicies(newEndPoint.Identities) 
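Review bot: The new SELinux-in-a-daemonset exception in `HandleNodeAnnotations` decides from the contents of `lsm` plus `kl.IsInK8sCluster()`, whereas the pod-level exception added to `WatchK8sPods` later in this commit decides from `dm.RuntimeEnforcer.EnforcerType == "SELinux"`; if the two signals disagree (SELinux listed in the LSM stack but no SELinux enforcer initialised, or the reverse), a node can be demoted to `audited` while its pods stay `enabled`, or vice versa. Either derive both from the same source or record why they differ, e.g. `// node-level check reads the LSM list because the enforcer is not initialised yet at this point` if that is the reason. The enclosing function starts outside the hunk.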
@@ -495,19 +490,10 @@ func (dm *KubeArmorDaemon) WatchK8sPods() { if pod.Annotations["kubearmor-policy"] == "enabled" { pod.Annotations["kubearmor-policy"] = "audited" } - } else if lsm, err := ioutil.ReadFile("/sys/kernel/security/lsm"); err == nil { - if !strings.Contains(string(lsm), "apparmor") && !strings.Contains(string(lsm), "selinux") { - // exception: neither AppArmor nor SELinux - if pod.Annotations["kubearmor-policy"] == "enabled" { - pod.Annotations["kubearmor-policy"] = "audited" - } - } - - if kl.IsInK8sCluster() && strings.Contains(string(lsm), "selinux") { - // exception: KubeArmor in a daemonset even though SELinux is enabled - if pod.Annotations["kubearmor-policy"] == "enabled" { - pod.Annotations["kubearmor-policy"] = "audited" - } + } else if dm.RuntimeEnforcer != nil && dm.RuntimeEnforcer.EnforcerType == "SELinux" { + // exception: no SELinux support for containers + if pod.Annotations["kubearmor-policy"] == "enabled" { + pod.Annotations["kubearmor-policy"] = "audited" } } @@ -542,7 +528,7 @@ func (dm *KubeArmorDaemon) WatchK8sPods() { pod.Annotations["kubearmor-visibility"] = cfg.GlobalCfg.Visibility } - // == Skip if already patched == // + // == AppArmor == // if event.Type == "ADDED" || event.Type == "MODIFIED" { exist := false @@ -563,8 +549,6 @@ func (dm *KubeArmorDaemon) WatchK8sPods() { } } - // == AppArmor == // - if dm.RuntimeEnforcer != nil && dm.RuntimeEnforcer.EnforcerType == "AppArmor" { appArmorAnnotations := map[string]string{} updateAppArmor := false 
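Review bot: The removed `ioutil.ReadFile("/sys/kernel/security/lsm")` branch also demoted `enabled` to `audited` when neither AppArmor nor SELinux was present, while the replacement only handles `EnforcerType == "SELinux"`; the no-supported-LSM case is therefore covered only if the preceding `if` (not visible in the hunk) already handles `dm.RuntimeEnforcer == nil`. Please confirm that, otherwise a pod annotated `enabled` on such a host keeps a status that nothing enforces and its alerts would be reported as enforced. A comment on the new branch such as `// RuntimeEnforcer == nil (no supported LSM) is handled by the branch above` would make the coverage explicit. `WatchK8sPods` starts and ends outside this hunk.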
@@ -633,71 +617,6 @@ func (dm *KubeArmorDaemon) WatchK8sPods() { } } - // == SELinux == // - - if dm.RuntimeEnforcer != nil && dm.RuntimeEnforcer.EnforcerType == "SELinux" { - seLinuxAnnotations := map[string]string{} - updateSELinux := false - - for k, v := range pod.Annotations { - if strings.HasPrefix(k, "kubearmor-selinux") { - containerName := strings.Split(k, "/")[1] - seLinuxAnnotations[containerName] = v - } - } - - for _, container := range event.Object.Spec.Containers { - if _, ok := seLinuxAnnotations[container.Name]; !ok { - seLinuxAnnotations[container.Name] = "kubearmor-" + pod.Metadata["namespaceName"] + "-" + container.Name - updateSELinux = true - } - } - - if event.Type == "ADDED" { - // update selinux profiles - dm.RuntimeEnforcer.UpdateSELinuxProfiles(pod.Metadata["podName"], "ADDED", seLinuxAnnotations) - - if updateSELinux && pod.Annotations["kubearmor-policy"] == "enabled" { - if deploymentName, ok := pod.Metadata["deploymentName"]; ok { - // patch the deployment with selinux annotations - if err := K8s.PatchDeploymentWithSELinuxAnnotations(pod.Metadata["namespaceName"], deploymentName, seLinuxAnnotations); err != nil { - dm.Logger.Errf("Failed to update SELinux Annotations for KubeArmor (%s/%s/%s, %s)", pod.Metadata["namespaceName"], deploymentName, pod.Metadata["podName"], err.Error()) - } else { - dm.Logger.Printf("Patched SELinux Annotations for KubeArmor (%s/%s/%s)", pod.Metadata["namespaceName"], deploymentName, pod.Metadata["podName"]) - } - pod.Annotations["kubearmor-policy"] = "patched" - } - } - } else if event.Type == "MODIFIED" { - for _, k8spod := range dm.K8sPods { - if k8spod.Metadata["namespaceName"] == pod.Metadata["namespaceName"] && k8spod.Metadata["podName"] == pod.Metadata["podName"] { - prevPolicyEnabled := "disabled" - - if val, ok := k8spod.Annotations["kubearmor-policy"]; ok { - prevPolicyEnabled = val - } - - if updateSELinux && prevPolicyEnabled != "enabled" && pod.Annotations["kubearmor-policy"] == "enabled" { - if 
deploymentName, ok := pod.Metadata["deploymentName"]; ok { - // patch the deployment with selinux annotations - if err := K8s.PatchDeploymentWithSELinuxAnnotations(pod.Metadata["namespaceName"], deploymentName, seLinuxAnnotations); err != nil { - dm.Logger.Errf("Failed to update SELinux Annotations for KubeArmor (%s/%s/%s, %s)", pod.Metadata["namespaceName"], deploymentName, pod.Metadata["podName"], err.Error()) - } else { - dm.Logger.Printf("Patched SELinux Annotations for KubeArmor (%s/%s/%s)", pod.Metadata["namespaceName"], deploymentName, pod.Metadata["podName"]) - } - pod.Annotations["kubearmor-policy"] = "patched" - } - } - - break - } - } - } else if event.Type == "DELETED" { - // update selinux profiles - dm.RuntimeEnforcer.UpdateSELinuxProfiles(pod.Metadata["podName"], "DELETED", seLinuxAnnotations) - } - } - dm.K8sPodsLock.Lock() if event.Type == "ADDED" { diff --git a/KubeArmor/enforcer/appArmorHostProfile.go b/KubeArmor/enforcer/appArmorHostProfile.go index 308fb6a5c9..71bb653118 100644 --- a/KubeArmor/enforcer/appArmorHostProfile.go +++ b/KubeArmor/enforcer/appArmorHostProfile.go @@ -575,8 +575,6 @@ func (ae *AppArmorEnforcer) GenerateHostProfileBody(securityPolicies []tp.HostSe for _, path := range secPolicy.Spec.Process.MatchPaths { if path.Action == "Allow" { ae.AllowedHostProcessMatchPaths(path, fromSources) - } else if path.Action == "Audit" { - // } else if path.Action == "Block" { ae.BlockedHostProcessMatchPaths(path, &processBlackList, fromSources) } @@ -586,8 +584,6 @@ func (ae *AppArmorEnforcer) GenerateHostProfileBody(securityPolicies []tp.HostSe for _, dir := range secPolicy.Spec.Process.MatchDirectories { if dir.Action == "Allow" { ae.AllowedHostProcessMatchDirectories(dir, fromSources) - } else if dir.Action == "Audit" { - // } else if dir.Action == "Block" { ae.BlockedHostProcessMatchDirectories(dir, &processBlackList, fromSources) } 
@@ -595,9 +591,7 @@ func (ae *AppArmorEnforcer) GenerateHostProfileBody(securityPolicies []tp.HostSe } if len(secPolicy.Spec.Process.MatchPatterns) > 0 { for _, pat := range secPolicy.Spec.Process.MatchPatterns { - if pat.Action == "Audit" { - // - } else if pat.Action == "Block" { + if pat.Action == "Block" { ae.BlockedHostProcessMatchPatterns(pat, &processBlackList) } } @@ -607,8 +601,6 @@ func (ae *AppArmorEnforcer) GenerateHostProfileBody(securityPolicies []tp.HostSe for _, path := range secPolicy.Spec.File.MatchPaths { if path.Action == "Allow" { ae.AllowedHostFileMatchPaths(path, fromSources) - } else if path.Action == "Audit" { - // } else if path.Action == "Block" { ae.BlockedHostFileMatchPaths(path, &fileBlackList, fromSources) } @@ -618,8 +610,6 @@ func (ae *AppArmorEnforcer) GenerateHostProfileBody(securityPolicies []tp.HostSe for _, dir := range secPolicy.Spec.File.MatchDirectories { if dir.Action == "Allow" { ae.AllowedHostFileMatchDirectories(dir, fromSources) - } else if dir.Action == "Audit" { - // } else if dir.Action == "Block" { ae.BlockedHostFileMatchDirectories(dir, &fileBlackList, fromSources) } @@ -627,9 +617,7 @@ func (ae *AppArmorEnforcer) GenerateHostProfileBody(securityPolicies []tp.HostSe } if len(secPolicy.Spec.File.MatchPatterns) > 0 { for _, pat := range secPolicy.Spec.File.MatchPatterns { - if pat.Action == "Audit" { - // - } else if pat.Action == "Block" { + if pat.Action == "Block" { ae.BlockedHostFileMatchPatterns(pat, &fileBlackList) } } @@ -718,15 +706,15 @@ func (ae *AppArmorEnforcer) GenerateHostProfileBody(securityPolicies []tp.HostSe file = false } - if defaultPosture.FileAction != "block" && file { + if file { bodyFromSource = bodyFromSource + " file,\n" } - if defaultPosture.FileAction != "block" && network { + if network { bodyFromSource = bodyFromSource + " network,\n" } - if defaultPosture.CapabilitiesAction != "block" && capability { + if capability { bodyFromSource = bodyFromSource + " capability,\n" } 
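Review bot: In the `@@ -718` hunk the `defaultPosture.FileAction != "block"` and `CapabilitiesAction != "block"` guards are dropped, so the from-source body now emits the wildcard `file,`, `network,` and `capability,` rules whenever the corresponding flag is true; unless the code above already clears those flags for a block posture (the hunk shows `file = false` being assigned under an earlier condition, but not the condition itself), a block posture would be undone by these rules for every fromSource entry. Please confirm the flags are reset when the posture is block, or keep the guard. A one-line comment above the three checks stating that the default posture has already been folded into `file`/`network`/`capability` would save the next reader the same question. `GenerateHostProfileBody` starts and ends outside the hunk.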
diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go index 5a26da6c62..c67d2f9b0f 100644 --- a/KubeArmor/enforcer/appArmorProfile.go +++ b/KubeArmor/enforcer/appArmorProfile.go @@ -752,8 +752,6 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo for _, path := range secPolicy.Spec.Process.MatchPaths { if path.Action == "Allow" { ae.AllowedProcessMatchPaths(path, &processWhiteList, fromSources) - } else if path.Action == "Audit" { - // } else if path.Action == "Block" { ae.BlockedProcessMatchPaths(path, &processBlackList, fromSources) } @@ -763,8 +761,6 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo for _, dir := range secPolicy.Spec.Process.MatchDirectories { if dir.Action == "Allow" { ae.AllowedProcessMatchDirectories(dir, &processWhiteList, fromSources) - } else if dir.Action == "Audit" { - // } else if dir.Action == "Block" { ae.BlockedProcessMatchDirectories(dir, &processBlackList, fromSources) } @@ -774,8 +770,6 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo for _, pat := range secPolicy.Spec.Process.MatchPatterns { if pat.Action == "Allow" { ae.AllowedProcessMatchPatterns(pat, &processWhiteList) - } else if pat.Action == "Audit" { - // } else if pat.Action == "Block" { ae.BlockedProcessMatchPatterns(pat, &processBlackList) } @@ -786,8 +780,6 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo for _, path := range secPolicy.Spec.File.MatchPaths { if path.Action == "Allow" { ae.AllowedFileMatchPaths(path, &fileWhiteList, fromSources) - } else if path.Action == "Audit" { - // } else if path.Action == "Block" { ae.BlockedFileMatchPaths(path, &fileBlackList, fromSources) } 
@@ -797,8 +789,6 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo for _, dir := range secPolicy.Spec.File.MatchDirectories { if dir.Action == "Allow" { ae.AllowedFileMatchDirectories(dir, &fileWhiteList, fromSources) - } else if dir.Action == "Audit" { - // } else if dir.Action == "Block" { ae.BlockedFileMatchDirectories(dir, &fileBlackList, fromSources) } @@ -808,8 +798,6 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo for _, pat := range secPolicy.Spec.File.MatchPatterns { if pat.Action == "Allow" { ae.AllowedFileMatchPatterns(pat, &fileWhiteList) - } else if pat.Action == "Audit" { - // } else if pat.Action == "Block" { ae.BlockedFileMatchPatterns(pat, &fileBlackList) } diff --git a/KubeArmor/feeder/feeder.go b/KubeArmor/feeder/feeder.go index 69e5df782f..377e2c3340 100644 --- a/KubeArmor/feeder/feeder.go +++ b/KubeArmor/feeder/feeder.go @@ -538,7 +538,7 @@ func (fd *Feeder) PushMessage(level, message string) { func (fd *Feeder) PushLog(log tp.Log) { log = fd.UpdateMatchedPolicy(log) - if log.UpdatedTime == "" { + if log.Source == "" { return } @@ -571,8 +571,8 @@ func (fd *Feeder) PushLog(log tp.Log) { pbAlert.Timestamp = log.Timestamp pbAlert.UpdatedTime = log.UpdatedTime - pbAlert.ClusterName = cfg.GlobalCfg.Cluster - pbAlert.HostName = cfg.GlobalCfg.Host + pbAlert.ClusterName = fd.Node.ClusterName + pbAlert.HostName = fd.Node.NodeName pbAlert.NamespaceName = log.NamespaceName pbAlert.PodName = log.PodName @@ -634,14 +634,14 @@ func (fd *Feeder) PushLog(log tp.Log) { default: } } - } else { // ContainerLog + } else { // ContainerLog || HostLog pbLog := pb.Log{} pbLog.Timestamp = log.Timestamp pbLog.UpdatedTime = log.UpdatedTime - pbLog.ClusterName = cfg.GlobalCfg.Cluster - pbLog.HostName = cfg.GlobalCfg.Host + pbLog.ClusterName = fd.Node.ClusterName + pbLog.HostName = fd.Node.NodeName pbLog.NamespaceName = log.NamespaceName pbLog.PodName = log.PodName 
diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go index e12b001c87..a11af109dd 100644 --- a/KubeArmor/feeder/policyMatcher.go +++ b/KubeArmor/feeder/policyMatcher.go @@ -24,11 +24,11 @@ import ( func getProtocolFromName(proto string) string { switch strings.ToLower(proto) { case "tcp": - return "type=SOCK_STREAM" + return "protocol=TCP" case "udp": - return "type=SOCK_DGRAM" + return "protocol=UDP" case "icmp": - return "type=SOCK_RAW" + return "protocol=ICMP" default: return "unknown" } @@ -51,7 +51,7 @@ func getOperationAndCapabilityFromName(capName string) (op, cap string) { switch strings.ToLower(capName) { case "net_raw": op = "Network" - cap = "type=SOCK_RAW" + cap = "SOCK_RAW" default: return "", "unknown" } @@ -77,7 +77,9 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i match.OwnerOnly = ppt.OwnerOnly - if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(ppt.Action, "Block") { + if policyEnabled == tp.KubeArmorPolicyAudited && ppt.Action == "Allow" { + match.Action = "Audit (" + ppt.Action + ")" + } else if policyEnabled == tp.KubeArmorPolicyAudited && ppt.Action == "Block" { match.Action = "Audit (" + ppt.Action + ")" } else { match.Action = ppt.Action @@ -94,7 +96,9 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i match.OwnerOnly = pdt.OwnerOnly match.Recursive = pdt.Recursive - if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(pdt.Action, "Block") { + if policyEnabled == tp.KubeArmorPolicyAudited && pdt.Action == "Allow" { + match.Action = "Audit (" + pdt.Action + ")" + } else if policyEnabled == tp.KubeArmorPolicyAudited && pdt.Action == "Block" { match.Action = "Audit (" + pdt.Action + ")" } else { match.Action = pdt.Action 
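Review bot: In the `@@ -77` hunk the new `ppt.Action == "Allow"` branch and the `ppt.Action == "Block"` branch that follows have identical bodies, and the same duplicated pair is repeated in the hunks at `@@ -94`, `@@ -110`, `@@ -127`, `@@ -145`, `@@ -161`, `@@ -187` and `@@ -207`; one condition is clearer and cannot drift between copies: `if policyEnabled == tp.KubeArmorPolicyAudited && (ppt.Action == "Allow" || ppt.Action == "Block") {`. Replacing `strings.HasPrefix(..., "Block")` with equality is also a behavioural change if any action value other than the bare `Block` exists; if none does, fine, but it deserves a line in the commit message. The new `protocol=TCP`/`protocol=UDP`/`protocol=ICMP` and `SOCK_RAW` strings must match exactly what the monitor now writes into `log.Resource`, which is changed in syscallParser.go outside this view. `newMatchPolicy` starts and ends outside the hunk.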
@@ -110,7 +114,9 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i match.OwnerOnly = ppt.OwnerOnly - if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(ppt.Action, "Block") { + if policyEnabled == tp.KubeArmorPolicyAudited && ppt.Action == "Allow" { + match.Action = "Audit (" + ppt.Action + ")" + } else if policyEnabled == tp.KubeArmorPolicyAudited && ppt.Action == "Block" { match.Action = "Audit (" + ppt.Action + ")" } else { match.Action = ppt.Action @@ -127,7 +133,9 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i match.OwnerOnly = fpt.OwnerOnly match.ReadOnly = fpt.ReadOnly - if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fpt.Action, "Block") { + if policyEnabled == tp.KubeArmorPolicyAudited && fpt.Action == "Allow" { + match.Action = "Audit (" + fpt.Action + ")" + } else if policyEnabled == tp.KubeArmorPolicyAudited && fpt.Action == "Block" { match.Action = "Audit (" + fpt.Action + ")" } else { match.Action = fpt.Action @@ -145,7 +153,9 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i match.ReadOnly = fdt.ReadOnly match.Recursive = fdt.Recursive - if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fdt.Action, "Block") { + if policyEnabled == tp.KubeArmorPolicyAudited && fdt.Action == "Allow" { + match.Action = "Audit (" + fdt.Action + ")" + } else if policyEnabled == tp.KubeArmorPolicyAudited && fdt.Action == "Block" { match.Action = "Audit (" + fdt.Action + ")" } else { match.Action = fdt.Action 
@@ -161,7 +171,9 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i match.OwnerOnly = fpt.OwnerOnly match.ReadOnly = fpt.ReadOnly - if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fpt.Action, "Block") { + if policyEnabled == tp.KubeArmorPolicyAudited && fpt.Action == "Allow" { + match.Action = "Audit (" + fpt.Action + ")" + } else if policyEnabled == tp.KubeArmorPolicyAudited && fpt.Action == "Block" { match.Action = "Audit (" + fpt.Action + ")" } else { match.Action = fpt.Action @@ -175,9 +187,11 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i match.Resource = getProtocolFromName(npt.Protocol) match.ResourceType = "Protocol" - if policyEnabled == tp.KubeArmorPolicyEnabled && fd.IsGKE && strings.HasPrefix(npt.Action, "Block") { + if policyEnabled == tp.KubeArmorPolicyAudited && npt.Action == "Allow" { + match.Action = "Audit (" + npt.Action + ")" + } else if policyEnabled == tp.KubeArmorPolicyAudited && npt.Action == "Block" { match.Action = "Audit (" + npt.Action + ")" - } else if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(npt.Action, "Block") { + } else if policyEnabled == tp.KubeArmorPolicyEnabled && fd.IsGKE && npt.Action == "Block" { match.Action = "Audit (" + npt.Action + ")" } else { match.Action = npt.Action @@ -193,7 +207,9 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i match.Resource = cap match.ResourceType = "Capability" - if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(cct.Action, "Block") { + if policyEnabled == tp.KubeArmorPolicyAudited && cct.Action == "Allow" { + match.Action = "Audit (" + cct.Action + ")" + } else if policyEnabled == tp.KubeArmorPolicyAudited && cct.Action == "Block" { match.Action = "Audit (" + cct.Action + ")" } else { match.Action = cct.Action 
@@ -436,7 +452,7 @@ func (fd *Feeder) UpdateSecurityPolicies(action string, endPoint tp.EndPoint) {
 // UpdateHostSecurityPolicies Function
 func (fd *Feeder) UpdateHostSecurityPolicies(action string, secPolicies []tp.HostSecurityPolicy) {
 if action == "DELETED" {
- delete(fd.SecurityPolicies, cfg.GlobalCfg.Host)
+ delete(fd.SecurityPolicies, fd.Node.NodeName)
 return
 }
 
@@ -650,7 +666,7 @@ func (fd *Feeder) UpdateHostSecurityPolicies(action string, secPolicies []tp.Hos
 }
 
 fd.SecurityPoliciesLock.Lock()
- fd.SecurityPolicies[cfg.GlobalCfg.Host] = matches
+ fd.SecurityPolicies[fd.Node.NodeName] = matches
 fd.SecurityPoliciesLock.Unlock()
 }
 
@@ -706,6 +722,14 @@ func setLogFields(log *tp.Log, action string, considerPosture, visibility, conta
 // == Policy Matches == //
 // ==================== //
 
+func getDirectoryPart(path string) string {
+ dirs := strings.Split(path, "/")
+ if len(dirs) > 1 {
+ return strings.Join(dirs[0:len(dirs)-2], "/")
+ }
+ return "__no_directory__"
+}
+
 // UpdateMatchedPolicy Function
 func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 allowProcPolicy := ""
@@ -740,7 +764,7 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 firstLogSource := strings.Replace(strings.Split(log.Source, " ")[0], "./", "", 1)
 firstLogResource := strings.Replace(strings.Split(log.Resource, " ")[0], "./", "", 1)
 
- if secPolicy.Action == "Allow" {
+ if strings.Contains(secPolicy.Action, "Allow") {
 if secPolicy.Source == "" || (secPolicy.IsFromSource &&
 ((secPolicy.Operation == "Process" && (secPolicy.Source == log.ParentProcessName || secPolicy.Source == log.ProcessName)) || // ./bash -> xxx || ./bash -c xxx
 (secPolicy.Operation != "Process" && (secPolicy.Source == log.ProcessName || strings.Contains(secPolicy.Source, firstLogSource))))) {
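Review bot: `getDirectoryPart` slices `dirs[0:len(dirs)-2]`, which strips the last two path components instead of one: `/var/log/syslog` yields `/var` rather than `/var/log`, and a file directly under a top-level directory such as `/etc/passwd` yields the empty string, for which the caller's `strings.HasSuffix(secPolicy.Resource, "")` is always true — so every Directory policy with a matching source gets attributed to such files and the audit alert names the wrong policy. Use `dirs[:len(dirs)-1]` and treat an empty result like the no-directory case, e.g. `if dir := strings.Join(dirs[:len(dirs)-1], "/"); dir != "" { return dir }` before the `"__no_directory__"` return. The function also lacks a doc comment; `// getDirectoryPart returns the parent directory of path, or "__no_directory__" when path contains no slash.` would document the sentinel. If directory resources are stored with a trailing slash, the suffix comparison in the caller must allow for it as well.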
@@ -841,13 +865,15 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log { ((secPolicy.Operation == "Process" && (secPolicy.Source == log.ParentProcessName || secPolicy.Source == log.ProcessName)) || // ./bash -> xxx || ./bash -c xxx (secPolicy.Operation == "File" && (secPolicy.Source == log.ProcessName || strings.Contains(secPolicy.Source, firstLogSource))))) { - if matched || secPolicy.Resource == log.Resource || (secPolicy.ResourceType == "Path" && strings.HasSuffix(secPolicy.Resource, firstLogResource)) || - (secPolicy.ResourceType == "Directory" && strings.HasPrefix(firstLogResource, secPolicy.Resource) && !strings.Contains(strings.Replace(firstLogResource, secPolicy.Resource, "", 1), "/")) || - (secPolicy.ResourceType == "Directory" && secPolicy.Recursive && strings.HasPrefix(firstLogResource, secPolicy.Resource) && strings.Contains(strings.Replace(firstLogResource, secPolicy.Resource, "", 1), "/")) { + if matched || + (secPolicy.ResourceType == "Path" && secPolicy.Resource == log.Resource) || // exact path match + (secPolicy.ResourceType == "Path" && strings.HasSuffix(secPolicy.Resource, firstLogResource)) || // file name match + (secPolicy.ResourceType == "Directory" && strings.HasPrefix(log.Resource, secPolicy.Resource)) || // exact directory match (non-recursive and recursive) + (secPolicy.ResourceType == "Directory" && strings.HasSuffix(secPolicy.Resource, getDirectoryPart(firstLogResource))) { // surffix match (non-recurisve) - if secPolicy.Action == "Audit" && log.Result == "Passed" { - matchedFlags := false + matchedFlags := false + if (secPolicy.Action == "Audit" && log.Result == "Passed") || (log.PolicyEnabled == tp.KubeArmorPolicyAudited && strings.Contains(secPolicy.Action, "Allow")) { if secPolicy.ReadOnly && log.Resource != "" && secPolicy.OwnerOnly && log.MergedDir != "" { // read only && owner only if strings.Contains(log.Data, "O_RDONLY") && strconv.Itoa(int(log.UID)) == getFileProcessUID(log.MergedDir+log.Resource) { 
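Review bot: The new Directory clause `strings.HasPrefix(log.Resource, secPolicy.Resource)` is commented as covering both non-recursive and recursive policies, but the removed lines only accepted a nested path when `secPolicy.Recursive` was set; with the new test a non-recursive policy on `/etc/` also claims `/etc/sub/file`, so an audit alert can name a policy that does not cover that path. Keep the distinction: `(secPolicy.ResourceType == "Directory" && strings.HasPrefix(log.Resource, secPolicy.Resource) && (secPolicy.Recursive || !strings.Contains(strings.TrimPrefix(log.Resource, secPolicy.Resource), "/")))`. The trailing comment on that line also has typos (`surffix`, `non-recurisve`). `UpdateMatchedPolicy` starts and ends outside the hunk.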
@@ -868,26 +894,54 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log { matchedFlags = true } - if matchedFlags { - log.PolicyName = secPolicy.PolicyName - log.Severity = secPolicy.Severity - - if len(secPolicy.Tags) > 0 { - log.Tags = strings.Join(secPolicy.Tags[:], ",") + } else if log.PolicyEnabled == tp.KubeArmorPolicyAudited && strings.Contains(secPolicy.Action, "Block") { + if secPolicy.ReadOnly && log.Resource != "" && secPolicy.OwnerOnly && log.MergedDir != "" { + // read only && owner only + if strings.Contains(log.Data, "O_RDONLY") && strconv.Itoa(int(log.UID)) == getFileProcessUID(log.MergedDir+log.Resource) { + matchedFlags = true } - - if len(secPolicy.Message) > 0 { - log.Message = secPolicy.Message + } else if secPolicy.ReadOnly && log.Resource != "" { + // read only + if strings.Contains(log.Data, "O_RDONLY") { + matchedFlags = true + } + } else if secPolicy.OwnerOnly && log.MergedDir != "" { + // owner only + if strconv.Itoa(int(log.UID)) == getFileProcessUID(log.MergedDir+log.Resource) { + matchedFlags = true } + } + // otherwise, being supposed to be blocked + } - log.Type = "MatchedPolicy" - log.Action = secPolicy.Action + if (matchedFlags && secPolicy.Action == "Audit" && log.Result == "Passed") || (!matchedFlags && log.PolicyEnabled == tp.KubeArmorPolicyAudited && (strings.Contains(secPolicy.Action, "Allow") || strings.Contains(secPolicy.Action, "Block"))) { + log.Type = "MatchedPolicy" + + log.PolicyName = secPolicy.PolicyName + log.Severity = secPolicy.Severity - continue + if len(secPolicy.Tags) > 0 { + log.Tags = strings.Join(secPolicy.Tags[:], ",") + } + + if len(secPolicy.Message) > 0 { + log.Message = secPolicy.Message } + + if secPolicy.Action == "Audit" || log.PolicyEnabled == tp.KubeArmorPolicyAudited { + log.Enforcer = "eBPF Monitor" + } else { + log.Enforcer = fd.Enforcer + } + + log.Action = secPolicy.Action + + continue } - if log.Result != "Passed" { + if log.PolicyEnabled == tp.KubeArmorPolicyEnabled && log.Result != 
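Review bot: The new `else if ... Block` branch repeats the ReadOnly/OwnerOnly evaluation of the `Allow` branch above it line for line (the `O_RDONLY` and `getFileProcessUID` checks), and the combined condition that follows, `(matchedFlags && Audit && Passed) || (!matchedFlags && Audited && (Allow || Block))`, is hard to verify by reading. Extracting the flag test into a helper that takes the policy and the log and returns a bool, and naming the two outcomes as separate booleans, would make the intent reviewable. As written, an audited Allow policy whose ReadOnly/OwnerOnly conditions are satisfied sets `matchedFlags` and then produces no MatchedPolicy here — presumably relying on the allow-policy fallback later in the function, which should be stated in a comment at that spot. The hunk ends mid-statement and the function continues outside it.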
"Passed" { + log.Type = "MatchedPolicy" + log.PolicyName = secPolicy.PolicyName log.Severity = secPolicy.Severity @@ -899,7 +953,7 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log { log.Message = secPolicy.Message } - log.Type = "MatchedPolicy" + log.Enforcer = fd.Enforcer log.Action = secPolicy.Action continue @@ -909,23 +963,35 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log { } case "Network": if secPolicy.Operation == log.Operation { - if (secPolicy.Source == "" || (secPolicy.IsFromSource && (secPolicy.Source == log.ProcessName || strings.Contains(secPolicy.Source, firstLogSource)))) && strings.Contains(log.Resource, secPolicy.Resource) { + if secPolicy.Source == "" || (secPolicy.IsFromSource && (secPolicy.Source == log.ProcessName || strings.Contains(secPolicy.Source, firstLogSource))) { - log.PolicyName = secPolicy.PolicyName - log.Severity = secPolicy.Severity + if strings.Contains(log.Resource, secPolicy.Resource) { - if len(secPolicy.Tags) > 0 { - log.Tags = strings.Join(secPolicy.Tags[:], ",") - } + if (log.PolicyEnabled == tp.KubeArmorPolicyEnabled && log.Result != "Passed") || (secPolicy.Action == "Audit" && log.Result == "Passed") || (log.PolicyEnabled == tp.KubeArmorPolicyAudited && strings.Contains(secPolicy.Action, "Block")) { + log.Type = "MatchedPolicy" - if len(secPolicy.Message) > 0 { - log.Message = secPolicy.Message - } + log.PolicyName = secPolicy.PolicyName + log.Severity = secPolicy.Severity + + if len(secPolicy.Tags) > 0 { + log.Tags = strings.Join(secPolicy.Tags[:], ",") + } - log.Type = "MatchedPolicy" - log.Action = secPolicy.Action + if len(secPolicy.Message) > 0 { + log.Message = secPolicy.Message + } + + if secPolicy.Action == "Audit" || log.PolicyEnabled == tp.KubeArmorPolicyAudited { + log.Enforcer = "eBPF Monitor" + } else { + log.Enforcer = fd.Enforcer + } - continue + log.Action = secPolicy.Action + + continue + } + } } } } 
@@ -933,7 +999,7 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 
 fd.SecurityPoliciesLock.RUnlock()
 
- if log.Result != "Passed" {
+ if log.Result == "Operation not permitted" || log.Result == "Permission denied" {
 if log.Operation == "Process" && allowProcPolicy == "" {
 considerFilePosture = true
 } else if log.Operation == "File" && allowFilePolicy == "" {
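Review bot: The default-posture check now fires only for `log.Result == "Operation not permitted"` or `"Permission denied"` instead of any non-`Passed` result, so any other failure string the monitor can produce is silently excluded from posture attribution; this is a behavioural narrowing the commit message does not mention. If those two strings are the only enforcement-denial results the monitor emits, say so in a comment on this line, and prefer a shared predicate such as `isEnforcerDenial(result string) bool` over inline literals so the matcher and the monitor cannot drift apart. `UpdateMatchedPolicy` starts and ends outside the hunk.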
@@ -946,65 +1012,10 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log { if log.ContainerID != "" { // container if log.Type == "" { - if log.PolicyEnabled == tp.KubeArmorPolicyEnabled && log.Result != "Passed" { + if (log.PolicyEnabled == tp.KubeArmorPolicyEnabled && log.Result != "Passed") || (log.PolicyEnabled == tp.KubeArmorPolicyAudited) { if log.Operation == "Process" && allowProcPolicy != "" { - log.PolicyName = allowProcPolicy - log.Severity = allowProcPolicySeverity - - if len(allowProcTags) > 0 { - log.Tags = strings.Join(allowProcTags[:], ",") - } - - if len(allowProcMessage) > 0 { - log.Message = allowProcMessage - } - - log.Type = "MatchedPolicy" - log.Enforcer = fd.Enforcer - log.Action = "Allow" - - return log - - } else if log.Operation == "File" && allowFilePolicy != "" { - log.PolicyName = allowFilePolicy - log.Severity = allowFilePolicySeverity - - if len(allowFileTags) > 0 { - log.Tags = strings.Join(allowFileTags[:], ",") - } - - if len(allowFileMessage) > 0 { - log.Message = allowFileMessage - } - - log.Type = "MatchedPolicy" - log.Enforcer = fd.Enforcer - log.Action = "Allow" - - return log - - } else if log.Operation == "Network" && allowNetworkPolicy != "" { - log.PolicyName = allowNetworkPolicy - log.Severity = allowNetworkPolicySeverity - - if len(allowNetworkTags) > 0 { - log.Tags = strings.Join(allowNetworkTags[:], ",") - } - - if len(allowNetworkMessage) > 0 { - log.Message = allowNetworkMessage - } - log.Type = "MatchedPolicy" - log.Enforcer = fd.Enforcer - log.Action = "Allow" - return log - } - } - - if log.PolicyEnabled == tp.KubeArmorPolicyAudited { - if log.Operation == "Process" && allowProcPolicy != "" { log.PolicyName = allowProcPolicy log.Severity = allowProcPolicySeverity 
@@ -1016,13 +1027,19 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log { log.Message = allowProcMessage } - log.Type = "MatchedPolicy" - log.Enforcer = "eBPF Monitor" - log.Action = "Audit (Allow)" + if log.PolicyEnabled == tp.KubeArmorPolicyAudited { + log.Enforcer = "eBPF Monitor" + log.Action = "Audit (Allow)" + } else { + log.Enforcer = fd.Enforcer + log.Action = "Allow" + } return log } else if log.Operation == "File" && allowFilePolicy != "" { + log.Type = "MatchedPolicy" + log.PolicyName = allowFilePolicy log.Severity = allowFilePolicySeverity @@ -1034,13 +1051,19 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log { log.Message = allowFileMessage } - log.Type = "MatchedPolicy" - log.Enforcer = "eBPF Monitor" - log.Action = "Audit (Allow)" + if log.PolicyEnabled == tp.KubeArmorPolicyAudited { + log.Enforcer = "eBPF Monitor" + log.Action = "Audit (Allow)" + } else { + log.Enforcer = fd.Enforcer + log.Action = "Allow" + } return log } else if log.Operation == "Network" && allowNetworkPolicy != "" { + log.Type = "MatchedPolicy" + log.PolicyName = allowNetworkPolicy log.Severity = allowNetworkPolicySeverity @@ -1052,9 +1075,13 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log { log.Message = allowNetworkMessage } - log.Type = "MatchedPolicy" - log.Enforcer = "eBPF Monitor" - log.Action = "Audit (Allow)" + if log.PolicyEnabled == tp.KubeArmorPolicyAudited { + log.Enforcer = "eBPF Monitor" + log.Action = "Audit (Allow)" + } else { + log.Enforcer = fd.Enforcer + log.Action = "Allow" + } return log } 
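Review bot: The `if log.PolicyEnabled == tp.KubeArmorPolicyAudited { ... "Audit (Allow)" } else { ... "Allow" }` block is now pasted three times across the Process, File and Network branches in the `@@ -1016`, `@@ -1034` and `@@ -1052` hunks, and three more times in the host branch at `@@ -1184` and `@@ -1202`, each copy also re-assigning PolicyName/Severity/Tags/Message from a parallel set of `allowXxx` variables. A small helper that takes the policy name, severity, tags, message and log type and fills the log would collapse the six copies and keep the audit/enforce decision in one place. In the `@@ -946` hunk the redundant parentheses in `|| (log.PolicyEnabled == tp.KubeArmorPolicyAudited)` can also be dropped. The enclosing function starts and ends outside these hunks.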
@@ -1091,88 +1118,17 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 }
 } else if log.Type == "MatchedPolicy" {
- if log.PolicyEnabled == tp.KubeArmorPolicyAudited {
- if log.Action == "Block" {
- log.Enforcer = "eBPF Monitor"
- log.Action = "Audit (Block)"
- }
- }
-
 if log.Action == "Allow" && log.Result == "Passed" {
 return tp.Log{}
 }
-
- if log.Enforcer == "" {
- if log.Action == "Audit" {
- log.Enforcer = "eBPF Monitor"
- } else {
- log.Enforcer = fd.Enforcer
- }
- }
-
 return log
 }
 } else {
 // host
 if log.Type == "" {
- if fd.Node.PolicyEnabled == tp.KubeArmorPolicyEnabled && log.Result != "Passed" {
+ if (log.PolicyEnabled == tp.KubeArmorPolicyEnabled && log.Result != "Passed") || (log.PolicyEnabled == tp.KubeArmorPolicyAudited) {
 if log.Operation == "Process" && allowProcPolicy != "" {
- log.PolicyName = allowProcPolicy
- log.Severity = allowProcPolicySeverity
-
- if len(allowProcTags) > 0 {
- log.Tags = strings.Join(allowProcTags[:], ",")
- }
-
- if len(allowProcMessage) > 0 {
- log.Message = allowProcMessage
- }
- log.Type = "MatchedHostPolicy"
- log.Enforcer = fd.Enforcer
- log.Action = "Allow"
-
- return log
- } else if log.Operation == "File" && allowFilePolicy != "" {
- log.PolicyName = allowFilePolicy
- log.Severity = allowFilePolicySeverity
-
- if len(allowFileTags) > 0 {
- log.Tags = strings.Join(allowFileTags[:], ",")
- }
-
- if len(allowFileMessage) > 0 {
- log.Message = allowFileMessage
- }
-
- log.Type = "MatchedHostPolicy"
- log.Enforcer = fd.Enforcer
- log.Action = "Allow"
-
- return log
-
- } else if log.Operation == "Network" && allowNetworkPolicy != "" {
- log.PolicyName = allowNetworkPolicy
- log.Severity = allowNetworkPolicySeverity
-
- if len(allowNetworkTags) > 0 {
- log.Tags = strings.Join(allowNetworkTags[:], ",")
- }
-
- if len(allowNetworkMessage) > 0 {
- log.Message = allowNetworkMessage
- }
-
- log.Type = "MatchedHostPolicy"
- log.Enforcer = fd.Enforcer
- log.Action = "Allow"
-
- return log
- }
- }
-
- if fd.Node.PolicyEnabled == tp.KubeArmorPolicyAudited {
- if log.Operation == "Process" && allowProcPolicy != "" {
 log.PolicyName = allowProcPolicy
 log.Severity = allowProcPolicySeverity
@@ -1184,13 +1140,19 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 log.Message = allowProcMessage
 }
- log.Type = "MatchedHostPolicy"
- log.Enforcer = "eBPF Monitor"
- log.Action = "Audit (Allow)"
+ if log.PolicyEnabled == tp.KubeArmorPolicyAudited {
+ log.Enforcer = "eBPF Monitor"
+ log.Action = "Audit (Allow)"
+ } else {
+ log.Enforcer = fd.Enforcer
+ log.Action = "Allow"
+ }
 return log
 } else if log.Operation == "File" && allowFilePolicy != "" {
+ log.Type = "MatchedHostPolicy"
+
 log.PolicyName = allowFilePolicy
 log.Severity = allowFilePolicySeverity
@@ -1202,13 +1164,19 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 log.Message = allowFileMessage
 }
- log.Type = "MatchedHostPolicy"
- log.Enforcer = "eBPF Monitor"
- log.Action = "Audit (Allow)"
+ if log.PolicyEnabled == tp.KubeArmorPolicyAudited {
+ log.Enforcer = "eBPF Monitor"
+ log.Action = "Audit (Allow)"
+ } else {
+ log.Enforcer = fd.Enforcer
+ log.Action = "Allow"
+ }
 return log
 } else if log.Operation == "Network" && allowNetworkPolicy != "" {
+ log.Type = "MatchedHostPolicy"
+
 log.PolicyName = allowNetworkPolicy
 log.Severity = allowNetworkPolicySeverity
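Review bot: In the host Process branch at the end of this hunk `log.Type` is never assigned: the old `log.Type = "MatchedHostPolicy"` is removed in the following hunk and, unlike the File and Network branches which gain `+ log.Type = "MatchedHostPolicy"`, nothing replaces it, so the match is returned with an empty Type unless an unshown context line sets it. Add `log.Type = "MatchedHostPolicy"` right under `if log.Operation == "Process" && allowProcPolicy != "" {`. This hunk also deletes, for container MatchedPolicy logs, the rewrite of "Block" to "Audit (Block)" on audited endpoints and the fallback that filled an empty `log.Enforcer`; if both now happen where the MatchedPolicy log is produced that is fine, but that code is not in this diff, so it is worth checking that an audited Block still reaches the output as "Audit (Block)" with Enforcer populated. UpdateMatchedPolicy starts before and ends after this hunk.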
@@ -1220,15 +1188,19 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 log.Message = allowNetworkMessage
 }
- log.Type = "MatchedHostPolicy"
- log.Enforcer = "eBPF Monitor"
- log.Action = "Audit (Allow)"
+ if log.PolicyEnabled == tp.KubeArmorPolicyAudited {
+ log.Enforcer = "eBPF Monitor"
+ log.Action = "Audit (Allow)"
+ } else {
+ log.Enforcer = fd.Enforcer
+ log.Action = "Allow"
+ }
 return log
 }
 }
- if log.Result != "Passed" {
+ if log.Result == "Operation not permitted" || log.Result == "Permission denied" {
 if log.Operation == "Process" && allowProcPolicy == "" {
 considerFilePosture = true
 } else if log.Operation == "File" && allowFilePolicy == "" {
@@ -1257,22 +1229,12 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 }
 } else if log.Type == "MatchedPolicy" {
- if log.PolicyEnabled == tp.KubeArmorPolicyAudited {
- if log.Action == "Block" {
- log.Enforcer = "eBPF Monitor"
- log.Action = "Audit (Block)"
- }
- }
+ log.Type = "MatchedHostPolicy"
 if log.Action == "Allow" && log.Result == "Passed" {
 return tp.Log{}
 }
- log.Type = "MatchedHostPolicy"
- if log.Enforcer == "" {
- log.Enforcer = fd.Enforcer
- }
-
 return log
 }
 }
diff --git a/KubeArmor/monitor/hostLogUpdate.go b/KubeArmor/monitor/hostLogUpdate.go
index 984747576c..6d16bfc1b2 100644
--- a/KubeArmor/monitor/hostLogUpdate.go
+++ b/KubeArmor/monitor/hostLogUpdate.go
@@ -92,7 +92,7 @@ func (mon *SystemMonitor) UpdateHostLogs() {
 var sockDomain string
 var sockType string
- var sockProtocol string
+ var sockProtocol int32
 if val, ok := msg.ContextArgs[0].(string); ok {
 sockDomain = val
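Review bot: The default-posture attribution at the end of the first hunk now fires only when `log.Result` is exactly "Operation not permitted" or "Permission denied", where it previously fired for anything other than "Passed"; that is a sensible narrowing to EPERM/EACCES, but it is matched on strerror text and is undocumented, so add `// only EPERM/EACCES denials can come from a default posture; other failures (ENOENT, EINVAL, ...) are not policy effects` above the condition. The container-side counterpart of this check is not in the diff; if it still uses `!= "Passed"` the two paths now diverge and it should get the same treatment. UpdateMatchedPolicy continues outside this hunk.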
@@ -101,11 +101,11 @@ func (mon *SystemMonitor) UpdateHostLogs() {
 sockType = val
 }
 if val, ok := msg.ContextArgs[2].(int32); ok {
- sockProtocol = strconv.Itoa(int(val))
+ sockProtocol = val
 }
 log.Operation = "Network"
- log.Resource = "domain=" + sockDomain + " type=" + sockType + " protocol=" + sockProtocol
+ log.Resource = "domain=" + sockDomain + " type=" + sockType + " protocol=" + getProtocol(sockProtocol)
 log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID))
 case SysConnect: // fd, sockaddr
diff --git a/KubeArmor/monitor/logUpdate.go b/KubeArmor/monitor/logUpdate.go
index 486bcbd68c..df4ec17a08 100644
--- a/KubeArmor/monitor/logUpdate.go
+++ b/KubeArmor/monitor/logUpdate.go
@@ -59,6 +59,15 @@ func (mon *SystemMonitor) BuildLogBase(msg ContextCombined) tp.Log {
 if log.ContainerID != "" {
 log = mon.UpdateContainerInfoByContainerID(log)
+ } else {
+ // update host policy flag
+ log.PolicyEnabled = mon.Node.PolicyEnabled
+
+ // update host visibility flags
+ log.ProcessVisibilityEnabled = mon.Node.ProcessVisibilityEnabled
+ log.FileVisibilityEnabled = mon.Node.FileVisibilityEnabled
+ log.NetworkVisibilityEnabled = mon.Node.NetworkVisibilityEnabled
+ log.CapabilitiesVisibilityEnabled = mon.Node.CapabilitiesVisibilityEnabled
 }
 log.HostPPID = int32(msg.ContextSys.HostPPID)
@@ -191,7 +200,7 @@ func (mon *SystemMonitor) UpdateLogs() {
 var sockDomain string
 var sockType string
- var sockProtocol string
+ var sockProtocol int32
 if val, ok := msg.ContextArgs[0].(string); ok {
 sockDomain = val
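Review bot: BuildLogBase now reads `mon.Node.PolicyEnabled` and the four visibility flags through the shared `*tp.Node` on every host event without any synchronisation; the node's annotations are updated at runtime elsewhere in the daemon (not in this hunk), and if that update rewrites the struct or its fields while events are flowing, these reads race with it. Run the monitor tests with `-race` to confirm; if it reproduces, snapshot the five flags under a node lock once per event, or have the writer publish them with atomic stores and read them here the same way. A short comment on the `else` branch, e.g. `// host event: inherit the node-level policy/visibility flags`, would also help, since the container branch gets its flags from UpdateContainerInfoByContainerID instead. BuildLogBase starts before and continues after this hunk.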
@@ -200,11 +209,11 @@ func (mon *SystemMonitor) UpdateLogs() {
 sockType = val
 }
 if val, ok := msg.ContextArgs[2].(int32); ok {
- sockProtocol = strconv.Itoa(int(val))
+ sockProtocol = val
 }
 log.Operation = "Network"
- log.Resource = "domain=" + sockDomain + " type=" + sockType + " protocol=" + sockProtocol
+ log.Resource = "domain=" + sockDomain + " type=" + sockType + " protocol=" + getProtocol(sockProtocol)
 log.Data = "syscall=" + getSyscallName(int32(msg.ContextSys.EventID))
 case SysConnect: // fd, sockaddr
diff --git a/KubeArmor/monitor/syscallParser.go b/KubeArmor/monitor/syscallParser.go
index a76a8ea7bf..6744f01329 100644
--- a/KubeArmor/monitor/syscallParser.go
+++ b/KubeArmor/monitor/syscallParser.go
@@ -378,6 +378,26 @@ func getSocketType(st uint32) string {
 return strings.Join(f, "|")
 }
+var protocols = map[int32]string{
+ 1: "ICMP",
+ 6: "TCP",
+ 17: "UDP",
+ 58: "ICMPv6",
+}
+
+// getProtocol Function
+func getProtocol(proto int32) string {
+ var res string
+
+ if protoName, ok := protocols[proto]; ok {
+ res = protoName
+ } else {
+ res = strconv.Itoa(int(proto))
+ }
+
+ return res
+}
+
 var capabilities = map[int32]string{
 0: "CAP_CHOWN",
 1: "CAP_DAC_OVERRIDE",
diff --git a/KubeArmor/monitor/systemMonitor.go b/KubeArmor/monitor/systemMonitor.go
index 60ae89ed10..a1c88921d4 100644
--- a/KubeArmor/monitor/systemMonitor.go
+++ b/KubeArmor/monitor/systemMonitor.go
@@ -109,9 +109,8 @@ func init() {
 // SystemMonitor Structure
 type SystemMonitor struct {
- // host
- HostName string
- KernelVersion string
+ // node
+ Node *tp.Node
 // logs
 Logger *fd.Feeder
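Review bot: The new `protocols` table in the syscallParser.go hunk keys its entries with bare numbers; the `syscall` package exports `IPPROTO_ICMP`, `IPPROTO_TCP`, `IPPROTO_UDP` and `IPPROTO_ICMPV6` with exactly these values, so using them documents the table and removes the chance of a mistyped number (the file's import block is outside this diff, so `syscall` would need adding there if it is not already imported). Also worth a comment on getProtocol: protocol 0, the default for `socket(domain, type, 0)` and by far the most common value, has no entry and is rendered as "0" rather than resolved to TCP/UDP from the socket type, so consumers must not read "protocol=0" as "unknown"; something like `// 0 is the socket(2) default ("choose for this type") and is left numeric on purpose` above the lookup would say so. The rewritten table is below; getProtocol itself is unchanged.
```go
var protocols = map[int32]string{
	syscall.IPPROTO_ICMP:   "ICMP",
	syscall.IPPROTO_TCP:    "TCP",
	syscall.IPPROTO_UDP:    "UDP",
	syscall.IPPROTO_ICMPV6: "ICMPv6",
}
// … unchanged: getProtocol …
```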
@@ -161,14 +160,12 @@ type SystemMonitor struct {
 }
 // NewSystemMonitor Function
-func NewSystemMonitor(node tp.Node, logger *fd.Feeder, containers *map[string]tp.Container, containersLock **sync.RWMutex,
+func NewSystemMonitor(node *tp.Node, logger *fd.Feeder, containers *map[string]tp.Container, containersLock **sync.RWMutex,
 activePidMap *map[string]tp.PidMap, activeHostPidMap *map[string]tp.PidMap, activePidMapLock **sync.RWMutex,
 activeHostMap *map[uint32]tp.PidMap, activeHostMapLock **sync.RWMutex) *SystemMonitor {
 mon := new(SystemMonitor)
- mon.HostName = cfg.GlobalCfg.Host
- mon.KernelVersion = node.KernelVersion
-
+ mon.Node = node
 mon.Logger = logger
 mon.Containers = containers
@@ -212,10 +209,10 @@ func (mon *SystemMonitor) InitBPF() error {
 return err
 }
- mon.Logger.Printf("Downloaded kernel headers (%s)", mon.KernelVersion)
+ mon.Logger.Printf("Downloaded kernel headers (%s)", mon.Node.KernelVersion)
 // set a new location for kernel headers
- if err := os.Setenv("BCC_KERNEL_SOURCE", homeDir+"/GKE/kernel/usr/src/linux-headers-"+mon.KernelVersion); err != nil {
+ if err := os.Setenv("BCC_KERNEL_SOURCE", homeDir+"/GKE/kernel/usr/src/linux-headers-"+mon.Node.KernelVersion); err != nil {
 mon.Logger.Err(err.Error())
 }
@@ -227,7 +224,7 @@ func (mon *SystemMonitor) InitBPF() error {
 // /media/root/usr folder in kubearmor for GKE. The following code
 // checks whether the /media/root/usr/src/kernel-hdrs path exists
 // and uses it for BCC kernel source, if present.
- lklhdrpath := "/media/root/usr/src/linux-headers-" + mon.KernelVersion
+ lklhdrpath := "/media/root/usr/src/linux-headers-" + mon.Node.KernelVersion
 mon.Logger.Printf("checking if kernel headers path (%s) exists", lklhdrpath)
 if _, err := os.Stat(lklhdrpath); err == nil {
 mon.Logger.Printf("using kernel headers from (%s)", lklhdrpath)
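Review bot: NewSystemMonitor now keeps the caller's `*tp.Node` and InitBPF dereferences it (`mon.Node.KernelVersion` in the following hunks), but the constructor never checks for nil, so a nil node panics deep in InitBPF instead of failing at construction, where the tests in this diff already check `if systemMonitor == nil`. Add `if node == nil { return nil }` before `mon := new(SystemMonitor)`. Since the monitor now aliases the daemon's node rather than copying it, a comment on the assignment such as `// shared with the daemon: later annotation updates are visible here` would make that deliberate. NewSystemMonitor continues past the end of this hunk.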
@@ -267,7 +264,7 @@ func (mon *SystemMonitor) InitBPF() error {
 return errors.New("bpf module is nil")
 }
 } else if cfg.GlobalCfg.Policy && cfg.GlobalCfg.HostPolicy { // container and host
- if strings.HasPrefix(mon.KernelVersion, "4.") { // 4.x
+ if strings.HasPrefix(mon.Node.KernelVersion, "4.") { // 4.x
 mon.BpfModule = bcc.NewModule(bpfSource, []string{"-O2", "-DMONITOR_HOST_AND_CONTAINER"})
 if mon.BpfModule == nil {
 return errors.New("bpf module is nil")
diff --git a/KubeArmor/monitor/systemMonitor_test.go b/KubeArmor/monitor/systemMonitor_test.go
index 74e2ed721b..133cbac595 100644
--- a/KubeArmor/monitor/systemMonitor_test.go
+++ b/KubeArmor/monitor/systemMonitor_test.go
@@ -55,7 +55,7 @@ func TestSystemMonitor(t *testing.T) {
 t.Log("[PASS] Created logger")
 // Create System Monitor
- systemMonitor := NewSystemMonitor(node, logger, &Containers, &ContainersLock,
+ systemMonitor := NewSystemMonitor(&node, logger, &Containers, &ContainersLock,
 &ActivePidMap, &ActiveHostPidMap, &ActivePidMapLock, &ActiveHostMap, &ActiveHostMapLock)
 if systemMonitor == nil {
 t.Log("[FAIL] Failed to create SystemMonitor")
@@ -124,7 +124,7 @@ func TestTraceSyscallWithPod(t *testing.T) {
 t.Log("[PASS] Created logger")
 // Create System Monitor
- systemMonitor := NewSystemMonitor(node, logger, &Containers, &ContainersLock,
+ systemMonitor := NewSystemMonitor(&node, logger, &Containers, &ContainersLock,
 &ActivePidMap, &ActiveHostPidMap, &ActivePidMapLock, &ActiveHostMap, &ActiveHostMapLock)
 if systemMonitor == nil {
 t.Log("[FAIL] Failed to create SystemMonitor")
@@ -227,7 +227,7 @@ func TestTraceSyscallWithHost(t *testing.T) {
 t.Log("[PASS] Created logger")
 // Create System Monitor
- systemMonitor := NewSystemMonitor(node, logger, &Containers, &ContainersLock,
+ systemMonitor := NewSystemMonitor(&node, logger, &Containers, &ContainersLock,
 &ActivePidMap, &ActiveHostPidMap, &ActivePidMapLock, &ActiveHostMap, &ActiveHostMapLock)
 if systemMonitor == nil {
 t.Log("[FAIL] Failed to create SystemMonitor")
diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go
index a2024f3a8c..d073b2fad2 100644
--- a/KubeArmor/types/types.go
+++ b/KubeArmor/types/types.go
@@ -70,7 +70,9 @@ type EndPoint struct {
 // Node Structure
 type Node struct {
- NodeIP string `json:"nodeIP"`
+ ClusterName string `json:"clusterName"`
+ NodeName string `json:"nodeName"`
+ NodeIP string `json:"nodeIP"`
 Annotations map[string]string `json:"annotations"`
 Labels map[string]string `json:"labels"`