Merge pull request kubearmor#674 from kloudmax/main

update test scenarios

examples/host-security-policies/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml

@@ -1,5 +1,3 @@
-# kubearmor-dev_test_08
-
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorHostPolicy
 metadata:
@@ -18,6 +16,8 @@ spec:
   action:
     Allow
 
+# kubearmor-dev_test_08
+
 # test
 # $ head /etc/default/useradd
 # Default values for useradd(8) ...

examples/host-security-policies/hsp-kubearmor-dev-file-dir-block-fromSource.yaml

@@ -1,5 +1,3 @@
-# kubearmor-dev_test_09
-
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorHostPolicy
 metadata:
@@ -17,8 +15,9 @@ spec:
   action:
     Block
 
-# test
+# kubearmor-dev_test_09
 
+# test
 # $ head /etc/default/useradd
 # head: useradd: Permission denied
 # $ head /etc/hostname

examples/host-security-policies/hsp-kubearmor-dev-file-path-allow-fromSource.yaml

@@ -1,5 +1,3 @@
-# kubearmor-dev_test_07
-
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorHostPolicy
 metadata:
@@ -17,6 +15,8 @@ spec:
   action:
     Allow
 
+# kubearmor-dev_test_07
+
 # test
 # $ head /etc/hostname
 # kubearmor-dev

examples/host-security-policies/hsp-kubearmor-dev-file-path-audit.yaml

@@ -1,5 +1,3 @@
-# kubearmor-dev_test_02
-
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorHostPolicy
 metadata:
@@ -15,6 +13,8 @@ spec:
   action:
     Audit
 
+# kubearmor-dev_test_02
+
 # test
 # $ cat /etc/passwd
 # ...

examples/host-security-policies/hsp-kubearmor-dev-file-path-block-fromSource.yaml

@@ -1,5 +1,3 @@
-# kubearmor-dev_test_06
-
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorHostPolicy
 metadata:
@@ -17,6 +15,8 @@ spec:
   action:
     Block
 
+# kubearmor-dev_test_06
+
 # test
 # $ head /etc/hostname
 # head: cannot open '/etc/hostname' for reading: Permission denied

examples/host-security-policies/hsp-kubearmor-dev-file-path-block.yaml

@@ -1,5 +1,3 @@
-# kubearmor-dev_test_03
-
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorHostPolicy
 metadata:
@@ -15,6 +13,8 @@ spec:
   action:
     Block
 
+# kubearmor-dev_test_03
+
 # test
 # $ cat /etc/hostname
 # cat: /etc/hostname: Permission denied

examples/host-security-policies/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml

@@ -1,5 +1,3 @@
-# kubearmor-dev_test_05
-
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorHostPolicy
 metadata:
@@ -20,6 +18,8 @@ spec:
   action:
     Allow
 
+# kubearmor-dev_test_05
+
 # test
 # $ bash -c date
 # ...

examples/host-security-policies/hsp-kubearmor-dev-proc-path-block-fromSource.yaml

@@ -1,5 +1,3 @@
-# kubearmor-dev_test_04
-
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorHostPolicy
 metadata:
@@ -20,6 +18,8 @@ spec:
   action:
     Block
 
+# kubearmor-dev_test_04
+
 # test
 # (/home/vagrant/selinux-test/) $ bash -c date
 # bash: 1: date: Permission denied

examples/host-security-policies/hsp-kubearmor-dev-proc-path-block.yaml

@@ -1,5 +1,3 @@
-# kubearmor-dev_test_01
-
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorHostPolicy
 metadata:
@@ -15,6 +13,8 @@ spec:
   action:
     Block
 
+# kubearmor-dev_test_01
+
 # test
 # $ diff --help
 # -bash: /usr/bin/diff: Permission denied

examples/multiubuntu/security-policies/ksp-group-1-proc-path-block-from-source.yaml

@@ -16,3 +16,11 @@ spec:
       - path: /bin/dash
   action:
     Block
+
+# multiubuntu_test_12
+
+# test
+# $ dash -c ls
+# dash: 1: ls: Permission denied
+# $ dash -c "cat /etc/hostname"
+# ubuntu-1-deployment-5bd8d67678-4szzv

examples/multiubuntu/security-policies/ksp-group-1-proc-path-block.yaml

@@ -5,12 +5,18 @@ metadata:
   namespace: multiubuntu
 spec:
   severity: 5
-  message: "block the sleep command"
+  message: "block /bin/sleep"
   selector:
     matchLabels:
       group: group-1
   process:
     matchPaths:
-    - path: /bin/sleep # try sleep 1 (permission denied)
+    - path: /bin/sleep
   action:
     Block
+
+# multiubuntu_test_01
+
+# test
+# $ sleep 1
+# bash: /bin/sleep: Permission denied

examples/multiubuntu/security-policies/ksp-group-2-file-path-allow-from-source-path.yaml

@@ -9,16 +9,18 @@ spec:
   selector:
     matchLabels:
       group: group-2
-  process: # base bin rules
-    matchDirectories:
-    - dir: /bin/
-      recursive: true
-    - dir: /usr/bin/
-      recursive: true
   file:
     matchPaths:
-      - path: /secret.txt # /bin/cat /secret.txt (success)
-        fromSource: # /bin/cat /etc/hosts (permission denied)
-        - path: /bin/cat # /bin/head /secret.txt (permission denied)
+    - path: /secret.txt
+      fromSource:
+      - path: /bin/cat
   action:
     Allow
+
+# multiubuntu_test_17
+
+# test
+# $ cat /secret.txt
+# secret file
+# $ cat /etc/hostname
+# cat: /etc/hostname: Permission denied

examples/multiubuntu/security-policies/ksp-group-2-file-path-audit-from-source-path.yaml

@@ -5,14 +5,20 @@ metadata:
   namespace: multiubuntu
 spec:
   severity: 5
-  message: "audit /bin/cat accessing /home/user1/secret_data1.txt"
+  message: "audit /bin/cat accessing /secret.txt"
   selector:
     matchLabels:
       group: group-2
   file:
     matchPaths:
-      - path: /home/user1/secret_data1.txt # /bin/cat /home/user1/secret_data1.txt (no logs)
-        fromSource: # /bin/head /home/secret_data1.txt (logs)
-        - path: /bin/cat
+    - path: /secret.txt
+      fromSource:
+      - path: /bin/cat
   action:
     Audit
+
+# test
+# $ cat /secret.txt
+# secret file (audit)
+# $ cat /etc/hostname
+# ubuntu-4-deployment-566bf47cd7-b7f56 (no log)

examples/multiubuntu/security-policies/ksp-group-2-file-path-block-from-source-path.yaml

@@ -11,8 +11,16 @@ spec:
       group: group-2
   file:
     matchPaths:
-      - path: /secret.txt # /bin/cat /secret.txt (permission denied)
-        fromSource: # head /secret.txt (success)
-        - path: /bin/cat
+    - path: /secret.txt
+      fromSource:
+      - path: /bin/cat
   action:
     Block
+
+# multiubuntu_test_18
+
+# test
+# $ cat /secret.txt
+# cat: /secret.txt: Permission denied
+# $ cat /etc/hostname
+# ubuntu-4-deployment-566bf47cd7-b7f56

examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-allow-from-source-path.yaml

@@ -8,26 +8,19 @@ spec:
   selector:
     matchLabels:
       group: group-2
-  process:
-    matchDirectories:
-    - dir: /bin/ # required to change root to user1 / try 'su - user1'
-      recursive: true
-    - dir: /usr/bin/ # used in changing accounts
-      recursive: true
   file:
     matchPaths:
-    - path: /home/user1/secret_data1.txt # su - user1 -c "head secret_data.txt" (permission denied) 
-      ownerOnly: true # su - user1 -c "/bin/cat secret_data.txt" (success)
+    - path: /home/user1/secret_data1.txt
+      ownerOnly: true
       fromSource:
-      - path: /bin/cat # /bin/cat /home/user1/secret_data.txt (permission denied)
-    - path: /run/utmp # required to change root to user1
-    - path: /root/.bashrc # used by root
-    - path: /home/user1/.profile # used by user1
-    - path: /home/user1/.bashrc # used by user1
-    matchDirectories:
-    - dir: /etc/ # required to change root to user1 (coarse-grained way)
-      recursive: true
-    - dir: /proc/ # required to change root to user1 (coarse-grained way)
-      recursive: true
+      - path: /bin/cat
   action:
     Allow
+
+# test
+# $ cat /home/user1/secret_data1.txt
+# cat: /home/user1/secret_data1.txt: Permission denied
+# $ su - user1 -c "cat secret_data1.txt"
+# secret file user1
+# $ su - user1 -c "cat /etc/hostname"
+# cat: /etc/hostname: Permission denied

examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-audit-from-source-path.yaml

@@ -10,9 +10,17 @@ spec:
       group: group-2
   file:
     matchPaths:
-    - path: /home/user1/secret_data1.txt # su - user1 -c "head secret_data.txt" (no logs)
-      ownerOnly: true # su - user1 -c "/bin/cat secret_data.txt" (logs)
+    - path: /home/user1/secret_data1.txt
+      ownerOnly: true
       fromSource:
-      - path: /bin/cat # head /home/user1/secret_data.txt (logs)
+      - path: /bin/cat
   action:
     Audit
+
+# test
+# $ cat /home/user1/secret_data1.txt
+# secret file user1 (no log)
+# $ su - user1 -c "cat secret_data1.txt"
+# secret file user1 (audit)
+# $ su - user1 -c "cat /etc/hostname"
+# ubuntu-4-deployment-566bf47cd7-b7f56 (no log)

examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-block-from-source-path.yaml

@@ -10,9 +10,17 @@ spec:
       group: group-2
   file:
     matchPaths:
-    - path: /home/user1/secret_data1.txt # su - user1 -c "head secret_data.txt" (success)
-      ownerOnly: true # su - user1 -c "/bin/cat secret_data.txt" (permission denied)
+    - path: /home/user1/secret_data1.txt
+      ownerOnly: true
       fromSource:
-      - path: /bin/cat # head /home/user1/secret_data.txt (permission denied)
+      - path: /bin/cat
   action:
     Block
+
+# test
+# $ cat /home/user1/secret_data1.txt
+# cat: /home/user1/secret_data1.txt: Permission denied
+# $ su - user1 -c "cat secret_data1.txt"
+# secret file user1
+# $ su - user1 -c "cat /etc/hostname"
+# ubuntu-4-deployment-566bf47cd7-b7f56

examples/multiubuntu/security-policies/ksp-group-2-proc-path-audit.yaml

@@ -10,6 +10,12 @@ spec:
       group: group-2
   process:
     matchPaths:
-    - path: /bin/sleep # try sleep 1
+    - path: /bin/sleep
   action:
     Audit
+
+# multiubuntu_test_02
+
+# test
+# $ sleep 1
+# ... sleep ... (audit)

examples/multiubuntu/security-policies/ksp-ubuntu-1-cap-net-raw-block.yaml

@@ -10,6 +10,12 @@ spec:
       container: ubuntu-1
   capabilities:
     matchCapabilities:
-    - capability: net_raw # try 'ping 8.8.8.8' (operation not permitted) and 'curl www.kubearmor.com' (success)
+    - capability: net_raw
   action:
     Block
+
+# multiubuntu_test_03
+
+# test
+# $ ping -c 1 127.0.0.1
+# ping: socket: Operation not permitted

examples/multiubuntu/security-policies/ksp-ubuntu-1-file-path-audit.yaml

@@ -13,8 +13,16 @@ spec:
       container: ubuntu-1
   file:
     matchPaths:
-    - path: /etc/passwd # cat /etc/passwd
-    - path: /secret.txt # echo "test" >> /secret.txt
-    - path: /credentials/password # echo "test" >> /credentials/password
+    - path: /etc/passwd
+    - path: /secret.txt
+    - path: /credentials/password
   action:
     Audit
+
+# test
+# $ cat /etc/passwd
+# root:x:0:0:root:/root:/bin/bash (audit)
+# $ echo "test" >> /secret.txt
+# (nothing is displayed) (audit)
+# $ echo "test" >> /credentials/password
+# (nothing is displayed) (audit)

examples/multiubuntu/security-policies/ksp-ubuntu-1-file-path-block.yaml

@@ -13,8 +13,16 @@ spec:
       container: ubuntu-1
   file:
     matchPaths:
-    - path: /etc/passwd # cat /etc/passwd (permission denied)
-    - path: /secret.txt # echo "test" >> /secret.txt (permission denied)
-    - path: /credentials/password # echo "test" >> /credentials/password (permission denied)
+    - path: /etc/passwd
+    - path: /secret.txt
+    - path: /credentials/password
   action:
     Block
+
+# test
+# $ cat /etc/passwd
+# cat: /etc/passwd: Permission denied
+# echo "test" >> /secret.txt
+# bash: /secret.txt: Permission denied
+# echo "test" >> /credentials/password
+# bash: /credentials/password: Permission denied