From 441a380c951f1a49a65b08dab66af579352c223c Mon Sep 17 00:00:00 2001 From: Jaehyun Nam Date: Wed, 27 Apr 2022 14:39:51 +0000 Subject: [PATCH] update test scenarios 
Signed-off-by: Jaehyun Nam --- examples/multiubuntu/build/Dockerfile | 2 +- .../ksp-ubuntu-1-cap-net-raw-block.yaml | 4 +-- .../ksp-ubuntu-3-proc-path-owner-allow.yaml | 6 ++++ .../kubearmor-dev-next_test_01/cmd1 | 7 +++++ ...sp-kubearmor-dev-next-proc-path-block.yaml | 23 ++++++++++++++ .../kubearmor-dev-next_test_02/cmd1 | 7 +++++ .../kubearmor-dev-next_test_02/cmd2 | 7 +++++ ...sp-kubearmor-dev-next-file-path-audit.yaml | 25 +++++++++++++++ .../kubearmor-dev-next_test_03/cmd1 | 7 +++++ ...sp-kubearmor-dev-next-file-path-block.yaml | 23 ++++++++++++++ .../kubearmor-dev-next_test_04/cmd1 | 7 +++++ .../kubearmor-dev-next_test_04/cmd2 | 7 +++++ ...r-dev-next-proc-path-block-fromSource.yaml | 31 +++++++++++++++++++ .../kubearmor-dev-next_test_05/cmd1 | 7 +++++ .../kubearmor-dev-next_test_05/cmd2 | 7 +++++ ...r-dev-next-proc-path-allow-fromSource.yaml | 31 +++++++++++++++++++ .../kubearmor-dev-next_test_06/cmd1 | 7 +++++ .../kubearmor-dev-next_test_06/cmd2 | 7 +++++ ...r-dev-next-file-path-block-fromSource.yaml | 28 +++++++++++++++++ .../kubearmor-dev-next_test_07/cmd1 | 7 +++++ .../kubearmor-dev-next_test_07/cmd2 | 7 +++++ ...r-dev-next-file-path-allow-fromSource.yaml | 28 +++++++++++++++++ .../kubearmor-dev-next_test_08/cmd1 | 7 +++++ .../kubearmor-dev-next_test_08/cmd2 | 7 +++++ ...or-dev-next-file-dir-allow-fromSource.yaml | 29 +++++++++++++++++ .../kubearmor-dev-next_test_09/cmd1 | 7 +++++ .../kubearmor-dev-next_test_09/cmd2 | 7 +++++ ...or-dev-next-file-dir-block-fromSource.yaml | 28 +++++++++++++++++ tests/scenarios/multiubuntu_test_03/cmd1 | 2 +- tests/scenarios/multiubuntu_test_07/cmd1 | 2 +- tests/scenarios/multiubuntu_test_13/cmd1 | 2 +- 31 files changed, 370 insertions(+), 6 deletions(-) create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_01/cmd1 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_01/hsp-kubearmor-dev-next-proc-path-block.yaml create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_02/cmd1 create mode 100644 
tests/host_scenarios/kubearmor-dev-next_test_02/cmd2 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_02/hsp-kubearmor-dev-next-file-path-audit.yaml create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_03/cmd1 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_03/hsp-kubearmor-dev-next-file-path-block.yaml create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_04/cmd1 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_04/cmd2 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_04/hsp-kubearmor-dev-next-proc-path-block-fromSource.yaml create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_05/cmd1 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_05/cmd2 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_05/hsp-kubearmor-dev-next-proc-path-allow-fromSource.yaml create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_06/cmd1 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_06/cmd2 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_06/hsp-kubearmor-dev-next-file-path-block-fromSource.yaml create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_07/cmd1 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_07/cmd2 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_07/hsp-kubearmor-dev-next-file-path-allow-fromSource.yaml create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_08/cmd1 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_08/cmd2 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_08/hsp-kubearmor-dev-next-file-dir-allow-fromSource.yaml create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_09/cmd1 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_09/cmd2 create mode 100644 tests/host_scenarios/kubearmor-dev-next_test_09/hsp-kubearmor-dev-next-file-dir-block-fromSource.yaml 
diff --git a/examples/multiubuntu/build/Dockerfile b/examples/multiubuntu/build/Dockerfile index ca46fcd0d7..e0114c7466 100644 --- a/examples/multiubuntu/build/Dockerfile +++ b/examples/multiubuntu/build/Dockerfile @@ -5,7 +5,7 @@ FROM ubuntu:18.04 RUN apt-get update -RUN apt-get install -y net-tools iputils-ping telnet ssh tcpdump nmap dsniff +RUN apt-get install -y net-tools iputils-ping telnet ssh tcpdump nmap dsniff arping RUN apt-get install -y curl iperf3 netperf ethtool python-scapy python-pip RUN apt-get install -y iptables bridge-utils apache2 vim diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-cap-net-raw-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-cap-net-raw-block.yaml index 8de14c95a4..1b6a72edb4 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-cap-net-raw-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-cap-net-raw-block.yaml @@ -17,5 +17,5 @@ spec: # multiubuntu_test_03 # test -# $ ping -c 1 127.0.0.1 -# ping: socket: Operation not permitted +# $ arping -c 1 127.0.0.1 +# arping: libnet_init(LIBNET_LINK, ): libnet_open_link(): UID/EUID 0 or capability CAP_NET_RAW required diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-allow.yaml index 4d59f2e2df..78ba4723cf 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-allow.yaml @@ -30,6 +30,12 @@ spec: recursive: true - dir: /proc/ # required to change root to user1 (coarse-grained way) recursive: true + - dir: /lib/ # used by root and user1 + recursive: true + - dir: /sys/ # used by root and user1 + recursive: true + - dir: /pts/ # used by root and user1 + recursive: true action: Allow 
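Review bot: In the ksp-ubuntu-3-proc-path-owner-allow.yaml hunk, `- dir: /pts/` looks like a typo: the pseudo-terminal device directory on Linux is normally `/dev/pts/`, and a top-level `/pts/` would match nothing, so the entry would be silently ineffective; if the device directory was meant, change the line to `- dir: /dev/pts/ # used by root and user1`. The new `/lib/` and `/sys/` entries with `recursive: true` widen this Allow policy considerably, and the comment "used by root and user1" does not say which files under them are actually needed; a narrower dir or a comment naming the reason (e.g. shared-library loading) would keep the allow-list auditable. The spec these entries extend starts outside the hunk.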
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_01/cmd1 b/tests/host_scenarios/kubearmor-dev-next_test_01/cmd1
new file mode 100644
index 0000000000..f3bd9b2c68
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_01/cmd1
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: diff --help
+result: failed
+---
+operation: Process
+condition: diff
+action: Block
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_01/hsp-kubearmor-dev-next-proc-path-block.yaml b/tests/host_scenarios/kubearmor-dev-next_test_01/hsp-kubearmor-dev-next-proc-path-block.yaml
new file mode 100644
index 0000000000..7599a5d1c9
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_01/hsp-kubearmor-dev-next-proc-path-block.yaml
@@ -0,0 +1,23 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-kubearmor-dev-next-proc-path-block
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/hostname: kubearmor-dev-next
+ severity: 5
+ process:
+ matchPaths:
+ - path: /usr/bin/diff
+ action:
+ Block
+
+# kubearmor-dev-next_test_01
+
+# test
+# $ diff --help
+# -bash: /usr/bin/diff: Permission denied
+
+# expectation
+# anyone cannot execute /usr/bin/diff
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_02/cmd1 b/tests/host_scenarios/kubearmor-dev-next_test_02/cmd1
new file mode 100644
index 0000000000..a072031462
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_02/cmd1
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: cat /etc/passwd
+result: passed
+---
+operation: File
+condition: /etc/passwd
+action: Audit
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_02/cmd2 b/tests/host_scenarios/kubearmor-dev-next_test_02/cmd2
new file mode 100644
index 0000000000..5c32e4b864
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_02/cmd2
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/passwd
+result: passed
+---
+operation: File
+condition: /etc/passwd
+action: Audit
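Review bot: `source: kubearmor-dev` in test_01/cmd1 names a different host than the `kubernetes.io/hostname: kubearmor-dev-next` selector of the policy in the same directory, and the same pairing is repeated in every new cmd1/cmd2 under tests/host_scenarios (test_02 through test_09). If the harness uses `source` to choose the node the command runs on, the policy would never be applied to that node and the `failed` results could not be produced; if `source` is only a label, a comment saying so would spare the next reader the same question. The transcript in test_07's yaml shows `head /etc/hostname` printing `kubearmor-dev`, which suggests the node really is named without the `-next` suffix, so it is worth confirming which name is intended.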
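Review bot: The block rule in hsp-kubearmor-dev-next-proc-path-block.yaml lists only `/usr/bin/diff`, whereas test_04 and test_05 in this same patch list both the `/bin/...` and `/usr/bin/...` variants of the binary they target; if the host resolves `diff` through `/bin/diff` (both paths can exist on a merged-/usr system), the rule as written may not match and cmd1 would report the wrong outcome. Either add `- path: /bin/diff` for consistency with test_04/05 or add a comment explaining why one path is sufficient here. The same single-path choice is made for `/usr/bin/head` in the fromSource entries of test_06 through test_09.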
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_02/hsp-kubearmor-dev-next-file-path-audit.yaml b/tests/host_scenarios/kubearmor-dev-next_test_02/hsp-kubearmor-dev-next-file-path-audit.yaml
new file mode 100644
index 0000000000..19a190bae8
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_02/hsp-kubearmor-dev-next-file-path-audit.yaml
@@ -0,0 +1,25 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-kubearmor-dev-next-file-path-audit
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/hostname: kubearmor-dev-next
+ severity: 5
+ file:
+ matchPaths:
+ - path: /etc/passwd
+ action:
+ Audit
+
+# kubearmor-dev-next_test_02
+
+# test
+# $ cat /etc/passwd
+# ...
+# $ head /etc/passwd
+# ...
+
+# expectation
+# anyone can access /etc/passwd, but the access would be audited
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_03/cmd1 b/tests/host_scenarios/kubearmor-dev-next_test_03/cmd1
new file mode 100644
index 0000000000..14697005d3
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_03/cmd1
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: cat /etc/hostname
+result: failed
+---
+operation: File
+condition: /etc/hostname
+action: Block
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_03/hsp-kubearmor-dev-next-file-path-block.yaml b/tests/host_scenarios/kubearmor-dev-next_test_03/hsp-kubearmor-dev-next-file-path-block.yaml
new file mode 100644
index 0000000000..c1cf7d2eb8
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_03/hsp-kubearmor-dev-next-file-path-block.yaml
@@ -0,0 +1,23 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-kubearmor-dev-next-file-path-block
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/hostname: kubearmor-dev-next
+ severity: 5
+ file:
+ matchPaths:
+ - path: /etc/hostname
+ action:
+ Block
+
+# kubearmor-dev-next_test_03
+
+# test
+# $ cat /etc/hostname
+# cat: /etc/hostname: Permission denied
+
+# expectation
+# anyone cannot access /etc/hostname
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_04/cmd1 b/tests/host_scenarios/kubearmor-dev-next_test_04/cmd1
new file mode 100644
index 0000000000..b81b464c94
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_04/cmd1
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: bash -c date
+result: failed
+---
+operation: Process
+condition: date
+action: Block
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_04/cmd2 b/tests/host_scenarios/kubearmor-dev-next_test_04/cmd2
new file mode 100644
index 0000000000..dadb72c76c
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_04/cmd2
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: bash -c ls
+result: passed
+---
+operation: Process
+condition: ls
+action: Block
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_04/hsp-kubearmor-dev-next-proc-path-block-fromSource.yaml b/tests/host_scenarios/kubearmor-dev-next_test_04/hsp-kubearmor-dev-next-proc-path-block-fromSource.yaml
new file mode 100644
index 0000000000..e23048de0d
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_04/hsp-kubearmor-dev-next-proc-path-block-fromSource.yaml
@@ -0,0 +1,31 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-kubearmor-dev-next-proc-path-block-fromsource
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/hostname: kubearmor-dev-next
+ severity: 5
+ process:
+ matchPaths:
+ - path: /bin/date
+ fromSource:
+ - path: /bin/bash # ubuntu
+ - path: /usr/bin/date
+ fromSource:
+ - path: /usr/bin/bash # centos
+ action:
+ Block
+
+# kubearmor-dev-next_test_04
+
+# test
+# (/home/vagrant/selinux-test/) $ bash -c date
+# bash: 1: date: Permission denied
+# (/home/vagrant/selinux-test/) $ bash -c ls
+# ls ...
+
+# expectation
+# (/usr)/bin/bash cannot execute (/usr)/bin/date
+# (/usr)/bin/bash can execute any others
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_05/cmd1 b/tests/host_scenarios/kubearmor-dev-next_test_05/cmd1
new file mode 100644
index 0000000000..2e77e1110f
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_05/cmd1
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: bash -c date
+result: passed
+---
+operation: Process
+condition: date
+action: Allow
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_05/cmd2 b/tests/host_scenarios/kubearmor-dev-next_test_05/cmd2
new file mode 100644
index 0000000000..62c3a70041
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_05/cmd2
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: bash -c ls
+result: failed
+---
+operation: Process
+condition: ls
+action: Allow
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_05/hsp-kubearmor-dev-next-proc-path-allow-fromSource.yaml b/tests/host_scenarios/kubearmor-dev-next_test_05/hsp-kubearmor-dev-next-proc-path-allow-fromSource.yaml
new file mode 100644
index 0000000000..49d6766f11
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_05/hsp-kubearmor-dev-next-proc-path-allow-fromSource.yaml
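Review bot: The `# ubuntu` / `# centos` labels on the two fromSource entries present each path as distro-specific, but on distributions with a merged /usr both `/bin/bash` and `/usr/bin/bash` exist and refer to the same file, so which of the two the enforcement observes presumably depends on how bash was invoked rather than on the distro. A comment such as `# list both: /bin may be a symlink to /usr/bin, so either path can be observed` would state the actual reason for the duplicated rule. The same labels are used in test_05's policy in the next hunk.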
@@ -0,0 +1,31 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-kubearmor-dev-next-proc-path-allow-fromsource
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/hostname: kubearmor-dev-next
+ severity: 5
+ process:
+ matchPaths:
+ - path: /bin/date
+ fromSource:
+ - path: /bin/bash # ubuntu
+ - path: /usr/bin/date
+ fromSource:
+ - path: /usr/bin/bash # centos
+ action:
+ Allow
+
+# kubearmor-dev-next_test_05
+
+# test
+# $ bash -c date
+# ...
+# $ bash -c ls
+# bash: /usr/bin/ls: Permission denied
+
+# expectation
+# (/usr)/bin/bash can only execute (/usr)/bin/date
+# (/usr)/bin/bash cannot execute any others
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_06/cmd1 b/tests/host_scenarios/kubearmor-dev-next_test_06/cmd1
new file mode 100644
index 0000000000..66a5e30b61
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_06/cmd1
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hostname
+result: failed
+---
+operation: File
+condition: /etc/hostname
+action: Block
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_06/cmd2 b/tests/host_scenarios/kubearmor-dev-next_test_06/cmd2
new file mode 100644
index 0000000000..2f64370806
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_06/cmd2
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hosts
+result: passed
+---
+operation: File
+condition: /etc/hosts
+action: Block
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_06/hsp-kubearmor-dev-next-file-path-block-fromSource.yaml b/tests/host_scenarios/kubearmor-dev-next_test_06/hsp-kubearmor-dev-next-file-path-block-fromSource.yaml
new file mode 100644
index 0000000000..fca1025782
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_06/hsp-kubearmor-dev-next-file-path-block-fromSource.yaml
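Review bot: An Allow-only process rule keyed on `/bin/bash` denies every other binary launched from bash on the node for as long as the policy is loaded, as the expectation comment itself states, yet nothing in the yaml or the cmd files says when the policy is removed; a comment in the policy noting that it must be deleted right after the scenario, and that any bash-driven job on the node will fail meanwhile, would help whoever runs these tests outside the harness. Elsewhere in this patch the ksp-ubuntu-3 Allow policy had to add `/lib/` and `/sys/` so the allowed programs could still run; it is worth confirming whether the host Allow rules in test_05, test_07 and test_08 need similar entries, or documenting why they do not.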
@@ -0,0 +1,28 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-kubearmor-dev-next-file-path-block-fromsource
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/hostname: kubearmor-dev-next
+ severity: 5
+ file:
+ matchPaths:
+ - path: /etc/hostname
+ fromSource:
+ - path: /usr/bin/head
+ action:
+ Block
+
+# kubearmor-dev-next_test_06
+
+# test
+# $ head /etc/hostname
+# head: cannot open '/etc/hostname' for reading: Permission denied
+# $ head /etc/hosts
+# ...
+
+# expectation
+# /usr/bin/head cannot access /etc/hostname
+# /usr/bin/head can access any others
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_07/cmd1 b/tests/host_scenarios/kubearmor-dev-next_test_07/cmd1
new file mode 100644
index 0000000000..325aa7da65
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_07/cmd1
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hostname
+result: passed
+---
+operation: File
+condition: /etc/hostname
+action: Allow
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_07/cmd2 b/tests/host_scenarios/kubearmor-dev-next_test_07/cmd2
new file mode 100644
index 0000000000..6100c04e54
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_07/cmd2
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hosts
+result: failed
+---
+operation: File
+condition: /etc/hosts
+action: Allow
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_07/hsp-kubearmor-dev-next-file-path-allow-fromSource.yaml b/tests/host_scenarios/kubearmor-dev-next_test_07/hsp-kubearmor-dev-next-file-path-allow-fromSource.yaml
new file mode 100644
index 0000000000..96742ad752
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_07/hsp-kubearmor-dev-next-file-path-allow-fromSource.yaml
@@ -0,0 +1,28 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-kubearmor-dev-next-file-path-allow-fromsource
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/hostname: kubearmor-dev-next
+ severity: 5
+ file:
+ matchPaths:
+ - path: /etc/hostname
+ fromSource:
+ - path: /usr/bin/head
+ action:
+ Allow
+
+# kubearmor-dev-next_test_07
+
+# test
+# $ head /etc/hostname
+# kubearmor-dev
+# $ head /etc/hosts
+# head: /etc/hosts: Permission denied
+
+# expectation
+# /usr/bin/head can only access /etc/hostname
+# /usr/bin/head cannot access any others
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_08/cmd1 b/tests/host_scenarios/kubearmor-dev-next_test_08/cmd1
new file mode 100644
index 0000000000..8f4b637c92
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_08/cmd1
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/default/useradd
+result: passed
+---
+operation: File
+condition: /etc/default/useradd
+action: Allow
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_08/cmd2 b/tests/host_scenarios/kubearmor-dev-next_test_08/cmd2
new file mode 100644
index 0000000000..0d8373bec6
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_08/cmd2
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hostname
+result: failed
+---
+operation: File
+condition: /etc/hostname
+action: Allow
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_08/hsp-kubearmor-dev-next-file-dir-allow-fromSource.yaml b/tests/host_scenarios/kubearmor-dev-next_test_08/hsp-kubearmor-dev-next-file-dir-allow-fromSource.yaml
new file mode 100644
index 0000000000..19af3a0c42
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_08/hsp-kubearmor-dev-next-file-dir-allow-fromSource.yaml
@@ -0,0 +1,29 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-kubearmor-dev-next-file-dir-allow-fromsource
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/hostname: kubearmor-dev-next
+ severity: 5
+ file:
+ matchDirectories:
+ - dir: /etc/default/
+ recursive: true
+ fromSource:
+ - path: /usr/bin/head
+ action:
+ Allow
+
+# kubearmor-dev-next_test_08
+
+# test
+# $ head /etc/default/useradd
+# Default values for useradd(8) ...
+# $ head /etc/hostname
+# head: /etc/hostname: Permission denied
+
+# expectation
+# /usr/bin/head can only access /etc/default/*
+# /usr/bin/head cannot access any others
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_09/cmd1 b/tests/host_scenarios/kubearmor-dev-next_test_09/cmd1
new file mode 100644
index 0000000000..b9abb14bb8
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_09/cmd1
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/default/useradd
+result: failed
+---
+operation: File
+condition: /etc/default/useradd
+action: Block
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_09/cmd2 b/tests/host_scenarios/kubearmor-dev-next_test_09/cmd2
new file mode 100644
index 0000000000..3acc041aec
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_09/cmd2
@@ -0,0 +1,7 @@
+source: kubearmor-dev
+cmd: head -n 1 /etc/hostname
+result: passed
+---
+operation: File
+condition: /etc/hostname
+action: Block
diff --git a/tests/host_scenarios/kubearmor-dev-next_test_09/hsp-kubearmor-dev-next-file-dir-block-fromSource.yaml b/tests/host_scenarios/kubearmor-dev-next_test_09/hsp-kubearmor-dev-next-file-dir-block-fromSource.yaml
new file mode 100644
index 0000000000..53a84836c7
--- /dev/null
+++ b/tests/host_scenarios/kubearmor-dev-next_test_09/hsp-kubearmor-dev-next-file-dir-block-fromSource.yaml
@@ -0,0 +1,28 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-kubearmor-dev-next-file-dir-block-fromsource
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/hostname: kubearmor-dev-next
+ severity: 5
+ file:
+ matchDirectories:
+ - dir: /etc/default/
+ fromSource:
+ - path: /usr/bin/head
+ action:
+ Block
+
+# kubearmor-dev-next_test_09
+
+# test
+# $ head /etc/default/useradd
+# head: useradd: Permission denied
+# $ head /etc/hostname
+# kubearmor-dev
+
+# expectation
+# /usr/bin/head cannot access /etc/default/*
+# /usr/bin/head can access any others
diff --git a/tests/scenarios/multiubuntu_test_03/cmd1 b/tests/scenarios/multiubuntu_test_03/cmd1
index d3241f23c4..9264401795 100644
--- a/tests/scenarios/multiubuntu_test_03/cmd1
+++ b/tests/scenarios/multiubuntu_test_03/cmd1
@@ -1,5 +1,5 @@
 source: ubuntu-1-deployment
-cmd: ping -c 1 127.0.0.1
+cmd: arping -c 1 127.0.0.1
 result: failed
 ---
 operation: Network
diff --git a/tests/scenarios/multiubuntu_test_07/cmd1 b/tests/scenarios/multiubuntu_test_07/cmd1
index 691297244a..6af1ca9e25 100644
--- a/tests/scenarios/multiubuntu_test_07/cmd1
+++ b/tests/scenarios/multiubuntu_test_07/cmd1
@@ -3,5 +3,5 @@ cmd: ping -c 1 127.0.0.1
 result: passed
 ---
 operation: Network
-condition: SOCK_RAW
+condition: protocol=ICMP
 action: Audit
diff --git a/tests/scenarios/multiubuntu_test_13/cmd1 b/tests/scenarios/multiubuntu_test_13/cmd1
index 323dc25d2e..6e343e5d9b 100644
--- a/tests/scenarios/multiubuntu_test_13/cmd1
+++ b/tests/scenarios/multiubuntu_test_13/cmd1
@@ -3,5 +3,5 @@ cmd: cat /run/secrets/kubernetes.io/serviceaccount/token
 result: failed
 ---
 operation: File
-condition: serviceaccount/token
+condition: serviceaccount
 action: Block
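Review bot: `matchDirectories` in hsp-kubearmor-dev-next-file-dir-block-fromSource.yaml has no `recursive: true`, while the mirror Allow policy in test_08 sets it; both scenarios only touch `/etc/default/useradd`, a direct child, so the tests cannot tell the two forms apart, but the expectation comment `cannot access /etc/default/*` reads as if everything below the directory were covered. Either add `recursive: true` to match test_08 or narrow the comment to direct children so the intended scope is explicit.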
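Review bot: The switch from `ping` to `arping` in multiubuntu_test_03/cmd1 is explained neither in the commit message nor in the file; the updated comment in ksp-ubuntu-1-cap-net-raw-block.yaml shows arping failing with `capability CAP_NET_RAW required`, which suggests ping had stopped exercising the capability (presumably because it can fall back to an unprivileged ICMP socket). A one-line comment above `cmd:` stating that reason would stop someone from reverting to ping later. The `condition:` line of this file lies outside the hunk, so it is unclear from here whether it still names the raw-socket expectation.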
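Review bot: Loosening `condition:` in multiubuntu_test_13/cmd1 from `serviceaccount/token` to `serviceaccount` makes the assertion accept a Block on any path under the serviceaccount directory, not specifically the token file that `cmd:` reads, so the test now proves less than before. If this was needed because the enforcement logs the path through a symlink rather than as `.../serviceaccount/token`, a comment such as `# the logged path differs from the cmd path (symlinked mount), so match the directory` would document it; otherwise the stricter condition should be kept.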