update test scenarios

Signed-off-by: Jaehyun Nam <[email protected]>

examples/multiubuntu/build/Dockerfile

@@ -5,7 +5,7 @@ FROM ubuntu:18.04
 
 RUN apt-get update
 
-RUN apt-get install -y net-tools iputils-ping telnet ssh tcpdump nmap dsniff
+RUN apt-get install -y net-tools iputils-ping telnet ssh tcpdump nmap dsniff arping
 RUN apt-get install -y curl iperf3 netperf ethtool python-scapy python-pip
 RUN apt-get install -y iptables bridge-utils apache2 vim
 

examples/multiubuntu/security-policies/ksp-ubuntu-1-cap-net-raw-block.yaml

@@ -17,5 +17,5 @@ spec:
 # multiubuntu_test_03
 
 # test
-# $ ping -c 1 127.0.0.1
-# ping: socket: Operation not permitted
+# $ arping -c 1 127.0.0.1
+# arping: libnet_init(LIBNET_LINK, <null>): libnet_open_link(): UID/EUID 0 or capability CAP_NET_RAW required

examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-allow.yaml

@@ -30,6 +30,12 @@ spec:
       recursive: true
     - dir: /proc/ # required to change root to user1 (coarse-grained way)
       recursive: true
+    - dir: /lib/ # used by root and user1
+      recursive: true
+    - dir: /sys/ # used by root and user1
+      recursive: true
+    - dir: /pts/ # used by root and user1
+      recursive: true
   action:
     Allow
 

tests/host_scenarios/kubearmor-dev-next_test_01/cmd1

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: diff --help
+result: failed
+---
+operation: Process
+condition: diff
+action: Block

tests/host_scenarios/kubearmor-dev-next_test_01/hsp-kubearmor-dev-next-proc-path-block.yaml

@@ -0,0 +1,23 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-next-proc-path-block
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/hostname: kubearmor-dev-next
+  severity: 5
+  process:
+    matchPaths:
+    - path: /usr/bin/diff
+  action:
+    Block
+
+# kubearmor-dev-next_test_01
+
+# test
+# $ diff --help
+# -bash: /usr/bin/diff: Permission denied
+
+# expectation
+# anyone cannot execute /usr/bin/diff

tests/host_scenarios/kubearmor-dev-next_test_02/cmd1

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: cat /etc/passwd
+result: passed 
+---
+operation: File
+condition: /etc/passwd
+action: Audit

tests/host_scenarios/kubearmor-dev-next_test_02/cmd2

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/passwd
+result: passed 
+---
+operation: File
+condition: /etc/passwd
+action: Audit

tests/host_scenarios/kubearmor-dev-next_test_02/hsp-kubearmor-dev-next-file-path-audit.yaml

@@ -0,0 +1,25 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-next-file-path-audit
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/hostname: kubearmor-dev-next
+  severity: 5
+  file:
+    matchPaths:
+    - path: /etc/passwd
+  action:
+    Audit
+
+# kubearmor-dev-next_test_02
+
+# test
+# $ cat /etc/passwd
+# ...
+# $ head /etc/passwd
+# ...
+
+# expectation
+# anyone can access /etc/passwd, but the access would be audited

tests/host_scenarios/kubearmor-dev-next_test_03/cmd1

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: cat /etc/hostname
+result: failed
+---
+operation: File
+condition: /etc/hostname
+action: Block

tests/host_scenarios/kubearmor-dev-next_test_03/hsp-kubearmor-dev-next-file-path-block.yaml

@@ -0,0 +1,23 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-next-file-path-block
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/hostname: kubearmor-dev-next
+  severity: 5
+  file:
+    matchPaths:
+    - path: /etc/hostname
+  action:
+    Block
+
+# kubearmor-dev-next_test_03
+
+# test
+# $ cat /etc/hostname
+# cat: /etc/hostname: Permission denied
+
+# expectation
+# anyone cannot access /etc/hostname

tests/host_scenarios/kubearmor-dev-next_test_04/cmd1

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: bash -c date
+result: failed
+---
+operation: Process
+condition: date
+action: Block

tests/host_scenarios/kubearmor-dev-next_test_04/cmd2

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: bash -c ls
+result: passed
+---
+operation: Process
+condition: ls
+action: Block

tests/host_scenarios/kubearmor-dev-next_test_04/hsp-kubearmor-dev-next-proc-path-block-fromSource.yaml

@@ -0,0 +1,31 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-next-proc-path-block-fromsource
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/hostname: kubearmor-dev-next
+  severity: 5
+  process:
+    matchPaths:
+    - path: /bin/date
+      fromSource:
+      - path: /bin/bash # ubuntu
+    - path: /usr/bin/date
+      fromSource:
+      - path: /usr/bin/bash # centos
+  action:
+    Block
+
+# kubearmor-dev-next_test_04
+
+# test
+# (/home/vagrant/selinux-test/) $ bash -c date
+# bash: 1: date: Permission denied
+# (/home/vagrant/selinux-test/) $ bash -c ls
+# ls ...
+
+# expectation
+# (/usr)/bin/bash cannot execute (/usr)/bin/date
+# (/usr)/bin/bash can execute any others

tests/host_scenarios/kubearmor-dev-next_test_05/cmd1

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: bash -c date
+result: passed
+---
+operation: Process
+condition: date
+action: Allow

tests/host_scenarios/kubearmor-dev-next_test_05/cmd2

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: bash -c ls
+result: failed
+---
+operation: Process
+condition: ls
+action: Allow

tests/host_scenarios/kubearmor-dev-next_test_05/hsp-kubearmor-dev-next-proc-path-allow-fromSource.yaml

@@ -0,0 +1,31 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-next-proc-path-allow-fromsource
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/hostname: kubearmor-dev-next
+  severity: 5
+  process:
+    matchPaths:
+    - path: /bin/date
+      fromSource:
+      - path: /bin/bash # ubuntu
+    - path: /usr/bin/date
+      fromSource:
+      - path: /usr/bin/bash # centos
+  action:
+    Allow
+
+# kubearmor-dev-next_test_05
+
+# test
+# $ bash -c date
+# ...
+# $ bash -c ls
+# bash: /usr/bin/ls: Permission denied
+
+# expectation
+# (/usr)/bin/bash can only execute (/usr)/bin/date
+# (/usr)/bin/bash cannot execute any others

tests/host_scenarios/kubearmor-dev-next_test_06/cmd1

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hostname
+result: failed
+---
+operation: File
+condition: /etc/hostname
+action: Block

tests/host_scenarios/kubearmor-dev-next_test_06/cmd2

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hosts
+result: passed
+---
+operation: File
+condition: /etc/hosts
+action: Block

tests/host_scenarios/kubearmor-dev-next_test_06/hsp-kubearmor-dev-next-file-path-block-fromSource.yaml

@@ -0,0 +1,28 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-next-file-path-block-fromsource
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/hostname: kubearmor-dev-next
+  severity: 5
+  file:
+    matchPaths:
+    - path: /etc/hostname
+      fromSource:
+      - path: /usr/bin/head
+  action:
+    Block
+
+# kubearmor-dev-next_test_06
+
+# test
+# $ head /etc/hostname
+# head: cannot open '/etc/hostname' for reading: Permission denied
+# $ head /etc/hosts
+# ...
+
+# expectation
+# /usr/bin/head cannot access /etc/hostname
+# /usr/bin/head can access any others

tests/host_scenarios/kubearmor-dev-next_test_07/cmd1

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hostname
+result: passed
+---
+operation: File
+condition: /etc/hostname
+action: Allow

tests/host_scenarios/kubearmor-dev-next_test_07/cmd2

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hosts
+result: failed
+---
+operation: File
+condition: /etc/hosts
+action: Allow

tests/host_scenarios/kubearmor-dev-next_test_07/hsp-kubearmor-dev-next-file-path-allow-fromSource.yaml

@@ -0,0 +1,28 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-next-file-path-allow-fromsource
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/hostname: kubearmor-dev-next
+  severity: 5
+  file:
+    matchPaths:
+    - path: /etc/hostname
+      fromSource:
+      - path: /usr/bin/head
+  action:
+    Allow
+
+# kubearmor-dev-next_test_07
+
+# test
+# $ head /etc/hostname
+# kubearmor-dev
+# $ head /etc/hosts
+# head: /etc/hosts: Permission denied
+
+# expectation
+# /usr/bin/head can only access /etc/hostname
+# /usr/bin/head cannot access any others

tests/host_scenarios/kubearmor-dev-next_test_08/cmd1

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/default/useradd
+result: passed
+---
+operation: File
+condition: /etc/default/useradd
+action: Allow

tests/host_scenarios/kubearmor-dev-next_test_08/cmd2

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hostname
+result: failed
+---
+operation: File
+condition: /etc/hostname
+action: Allow

tests/host_scenarios/kubearmor-dev-next_test_08/hsp-kubearmor-dev-next-file-dir-allow-fromSource.yaml

@@ -0,0 +1,29 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-next-file-dir-allow-fromsource
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/hostname: kubearmor-dev-next
+  severity: 5
+  file:
+    matchDirectories:
+    - dir: /etc/default/
+      recursive: true
+      fromSource:
+      - path: /usr/bin/head
+  action:
+    Allow
+
+# kubearmor-dev-next_test_08
+
+# test
+# $ head /etc/default/useradd
+# Default values for useradd(8) ...
+# $ head /etc/hostname
+# head: /etc/hostname: Permission denied
+
+# expectation
+# /usr/bin/head can only access /etc/default/*
+# /usr/bin/head cannot access any others

tests/host_scenarios/kubearmor-dev-next_test_09/cmd1

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/default/useradd
+result: failed
+---
+operation: File
+condition: /etc/default/useradd
+action: Block

tests/host_scenarios/kubearmor-dev-next_test_09/cmd2

@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hostname
+result: passed
+---
+operation: File
+condition: /etc/hostname
+action: Block