From 2c854c2645d050ded669165f9736552d1d04d4bf Mon Sep 17 00:00:00 2001 From: Jaehyun Nam Date: Mon, 18 Apr 2022 05:53:34 +0000 Subject: [PATCH 1/3] update test scenarios 
Signed-off-by: Jaehyun Nam --- ...bearmor-dev-file-dir-allow-fromSource.yaml | 4 +- ...bearmor-dev-file-dir-block-fromSource.yaml | 5 +-- ...earmor-dev-file-path-allow-fromSource.yaml | 4 +- .../hsp-kubearmor-dev-file-path-audit.yaml | 4 +- ...earmor-dev-file-path-block-fromSource.yaml | 4 +- .../hsp-kubearmor-dev-file-path-block.yaml | 4 +- ...earmor-dev-proc-path-allow-fromSource.yaml | 4 +- ...earmor-dev-proc-path-block-fromSource.yaml | 4 +- .../hsp-kubearmor-dev-proc-path-block.yaml | 4 +- ...p-group-1-proc-path-block-from-source.yaml | 8 ++++ .../ksp-group-1-proc-path-block.yaml | 10 ++++- ...up-2-file-path-allow-from-source-path.yaml | 20 +++++---- ...up-2-file-path-audit-from-source-path.yaml | 14 +++++-- ...up-2-file-path-block-from-source-path.yaml | 14 +++++-- ...ile-path-owner-allow-from-source-path.yaml | 29 +++++-------- ...ile-path-owner-audit-from-source-path.yaml | 14 +++++-- ...ile-path-owner-block-from-source-path.yaml | 14 +++++-- .../ksp-group-2-proc-path-audit.yaml | 8 +++- .../ksp-ubuntu-1-cap-net-raw-block.yaml | 8 +++- .../ksp-ubuntu-1-file-path-audit.yaml | 14 +++++-- .../ksp-ubuntu-1-file-path-block.yaml | 14 +++++-- .../ksp-ubuntu-1-file-pattern-allow.yaml | 17 ++++++-- .../ksp-ubuntu-1-file-pattern-audit.yaml | 8 +++- .../ksp-ubuntu-1-file-pattern-block.yaml | 10 ++++- ...ksp-ubuntu-1-file-pattern-owner-allow.yaml | 20 ++++++--- ...ksp-ubuntu-1-file-pattern-owner-audit.yaml | 8 +++- ...ksp-ubuntu-1-file-pattern-owner-block.yaml | 8 +++- ...u-1-file-pattern-owner-readonly-block.yaml | 20 +++++++-- ...sp-ubuntu-1-net-tcp-from-source-allow.yaml | 27 ++++++++++++ .../ksp-ubuntu-1-proc-dir-block.yaml | 8 +++- .../ksp-ubuntu-2-file-dir-owner-allow.yaml | 12 +++++- .../ksp-ubuntu-2-file-dir-owner-audit.yaml | 6 +++ .../ksp-ubuntu-2-file-dir-owner-block.yaml | 6 +++ ...buntu-2-file-dir-owner-readonly-allow.yaml | 21 +++++++--- ...buntu-2-file-dir-owner-readonly-block.yaml | 20 +++++++-- ...-dir-recursive-allow-from-source-path.yaml | 22 
+++++----- ...-dir-recursive-audit-from-source-path.yaml | 18 ++++++-- ...-dir-recursive-block-from-source-path.yaml | 16 ++++++-- ...ksp-ubuntu-2-file-dir-recursive-block.yaml | 22 ++++++++-- ...le-dir-recursive-owner-readonly-allow.yaml | 24 ++++++++--- ...le-dir-recursive-owner-readonly-audit.yaml | 18 ++++++-- ...le-dir-recursive-owner-readonly-block.yaml | 24 +++++++++-- ...ksp-ubuntu-2-proc-dir-recursive-block.yaml | 10 ++++- ...ntu-3-file-dir-allow-from-source-path.yaml | 20 ++++----- ...ntu-3-file-dir-audit-from-source-path.yaml | 12 ++++-- ...ntu-3-file-dir-block-from-source-path.yaml | 12 ++++-- ...e-dir-readonly-allow-from-source-path.yaml | 22 +++++----- .../ksp-ubuntu-3-file-dir-readonly-allow.yaml | 19 ++++++--- ...e-dir-readonly-audit-from-source-path.yaml | 14 +++++-- .../ksp-ubuntu-3-file-dir-readonly-audit.yaml | 12 ++++-- ...e-dir-readonly-block-from-source-path.yaml | 14 +++++-- .../ksp-ubuntu-3-file-dir-readonly-block.yaml | 12 ++++-- .../ksp-ubuntu-3-file-path-owner-allow.yaml | 18 ++++++-- .../ksp-ubuntu-3-file-path-owner-audit.yaml | 6 +++ .../ksp-ubuntu-3-file-path-owner-block.yaml | 12 +++++- .../ksp-ubuntu-3-proc-dir-allow.yaml | 12 +++++- .../ksp-ubuntu-3-proc-path-owner-allow.yaml | 41 ++++++++++++------- .../ksp-ubuntu-3-proc-path-owner-block.yaml | 15 +++++-- .../ksp-ubuntu-4-file-dir-allow.yaml | 22 +++++++--- .../ksp-ubuntu-4-file-dir-audit.yaml | 10 ++++- .../ksp-ubuntu-4-file-dir-block.yaml | 10 ++++- ...-path-readonly-allow-from-source-path.yaml | 32 +++++++-------- ...ksp-ubuntu-4-file-path-readonly-allow.yaml | 33 +++++++++------ ...-path-readonly-audit-from-source-path.yaml | 22 +++++++--- ...ksp-ubuntu-4-file-path-readonly-audit.yaml | 16 +++++--- ...-path-readonly-block-from-source-path.yaml | 16 ++++++-- ...ksp-ubuntu-4-file-path-readonly-block.yaml | 17 ++++---- ...ksp-ubuntu-5-file-dir-recursive-block.yaml | 8 +++- ...untu-5-file-dir-recursive-owner-allow.yaml | 24 ++++++++--- ...untu-5-file-dir-recursive-owner-audit.yaml 
| 18 ++++++-- ...untu-5-file-dir-recursive-owner-block.yaml | 18 ++++++-- ...u-5-file-dir-recursive-readonly-allow.yaml | 25 ++++++++--- ...u-5-file-dir-recursive-readonly-audit.yaml | 18 ++++++-- ...u-5-file-dir-recursive-readonly-block.yaml | 18 ++++++-- ...owner-readonly-allow-from-source-path.yaml | 24 ++++++----- ...untu-5-file-path-owner-readonly-allow.yaml | 22 ++++++---- ...untu-5-file-path-owner-readonly-audit.yaml | 12 +++++- ...owner-readonly-block-from-source-path.yaml | 20 +++++++-- ...untu-5-file-path-owner-readonly-block.yaml | 16 +++++++- .../ksp-ubuntu-5-net-icmp-audit.yaml | 8 +++- .../nsp-group-1-file-dir-recursive-block.yaml | 8 +++- tests/scenarios/github_test_05/cmd3 | 7 ---- tests/scenarios/multiubuntu_test_02/cmd1 | 2 +- tests/scenarios/multiubuntu_test_03/cmd1 | 6 +-- tests/scenarios/multiubuntu_test_03/cmd2 | 7 ---- tests/scenarios/multiubuntu_test_05/cmd1 | 4 +- tests/scenarios/multiubuntu_test_05/cmd2 | 4 +- tests/scenarios/multiubuntu_test_07/cmd1 | 2 +- tests/scenarios/multiubuntu_test_08/cmd1 | 4 +- tests/scenarios/multiubuntu_test_08/cmd2 | 7 ++++ tests/scenarios/multiubuntu_test_09/cmd1 | 4 +- tests/scenarios/multiubuntu_test_09/cmd2 | 2 +- tests/scenarios/multiubuntu_test_10/cmd1 | 2 +- tests/scenarios/multiubuntu_test_10/cmd2 | 2 +- tests/scenarios/multiubuntu_test_11/cmd3 | 7 ++++ tests/scenarios/multiubuntu_test_12/cmd1 | 6 +-- tests/scenarios/multiubuntu_test_12/cmd2 | 6 +-- tests/scenarios/multiubuntu_test_16/cmd1 | 6 +-- tests/scenarios/multiubuntu_test_16/cmd2 | 4 +- tests/scenarios/multiubuntu_test_16/cmd3 | 7 ---- tests/scenarios/multiubuntu_test_16/cmd4 | 7 ---- tests/scenarios/multiubuntu_test_17/cmd1 | 2 +- tests/scenarios/multiubuntu_test_17/cmd2 | 4 +- tests/scenarios/multiubuntu_test_17/cmd3 | 7 ---- tests/scenarios/multiubuntu_test_18/cmd1 | 2 +- tests/scenarios/multiubuntu_test_18/cmd2 | 2 +- tests/scenarios/multiubuntu_test_19/cmd1 | 2 +- tests/scenarios/multiubuntu_test_19/cmd2 | 2 +- 
tests/scenarios/multiubuntu_test_19/cmd3 | 4 +- tests/scenarios/multiubuntu_test_20/cmd2 | 2 +- tests/scenarios/multiubuntu_test_20/cmd3 | 4 +- tests/scenarios/multiubuntu_test_22/cmd1 | 2 +- tests/scenarios/multiubuntu_test_22/cmd3 | 2 +- tests/scenarios/multiubuntu_test_23/cmd1 | 4 +- tests/scenarios/multiubuntu_test_23/cmd2 | 2 +- tests/scenarios/multiubuntu_test_23/cmd3 | 2 +- tests/scenarios/multiubuntu_test_23/cmd4 | 4 +- tests/scenarios/multiubuntu_test_24/cmd3 | 2 +- tests/scenarios/multiubuntu_test_24/cmd4 | 2 +- 119 files changed, 946 insertions(+), 408 deletions(-) create mode 100644 examples/multiubuntu/security-policies/ksp-ubuntu-1-net-tcp-from-source-allow.yaml delete mode 100644 tests/scenarios/github_test_05/cmd3 delete mode 100644 tests/scenarios/multiubuntu_test_03/cmd2 create mode 100644 tests/scenarios/multiubuntu_test_08/cmd2 create mode 100644 tests/scenarios/multiubuntu_test_11/cmd3 delete mode 100644 tests/scenarios/multiubuntu_test_16/cmd3 delete mode 100644 tests/scenarios/multiubuntu_test_16/cmd4 delete mode 100644 tests/scenarios/multiubuntu_test_17/cmd3 diff --git a/examples/host-security-policies/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml b/examples/host-security-policies/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml index e30c87e620..69c24950e5 100644 --- a/examples/host-security-policies/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml +++ b/examples/host-security-policies/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml @@ -1,5 +1,3 @@ -# kubearmor-dev_test_08 - apiVersion: security.kubearmor.com/v1 kind: KubeArmorHostPolicy metadata: @@ -18,6 +16,8 @@ spec: action: Allow +# kubearmor-dev_test_08 + # test # $ head /etc/default/useradd # Default values for useradd(8) ... diff --git a/examples/host-security-policies/hsp-kubearmor-dev-file-dir-block-fromSource.yaml b/examples/host-security-policies/hsp-kubearmor-dev-file-dir-block-fromSource.yaml index 9dbec64f53..9ed122d190 100644 
--- a/examples/host-security-policies/hsp-kubearmor-dev-file-dir-block-fromSource.yaml +++ b/examples/host-security-policies/hsp-kubearmor-dev-file-dir-block-fromSource.yaml @@ -1,5 +1,3 @@ -# kubearmor-dev_test_09 - apiVersion: security.kubearmor.com/v1 kind: KubeArmorHostPolicy metadata: @@ -17,8 +15,9 @@ spec: action: Block -# test +# kubearmor-dev_test_09 +# test # $ head /etc/default/useradd # head: useradd: Permission denied # $ head /etc/hostname diff --git a/examples/host-security-policies/hsp-kubearmor-dev-file-path-allow-fromSource.yaml b/examples/host-security-policies/hsp-kubearmor-dev-file-path-allow-fromSource.yaml index 381d23721c..057bcff841 100644 --- a/examples/host-security-policies/hsp-kubearmor-dev-file-path-allow-fromSource.yaml +++ b/examples/host-security-policies/hsp-kubearmor-dev-file-path-allow-fromSource.yaml @@ -1,5 +1,3 @@ -# kubearmor-dev_test_07 - apiVersion: security.kubearmor.com/v1 kind: KubeArmorHostPolicy metadata: @@ -17,6 +15,8 @@ spec: action: Allow +# kubearmor-dev_test_07 + # test # $ head /etc/hostname # kubearmor-dev diff --git a/examples/host-security-policies/hsp-kubearmor-dev-file-path-audit.yaml b/examples/host-security-policies/hsp-kubearmor-dev-file-path-audit.yaml index ba907ea111..d998ebc0b2 100644 --- a/examples/host-security-policies/hsp-kubearmor-dev-file-path-audit.yaml +++ b/examples/host-security-policies/hsp-kubearmor-dev-file-path-audit.yaml @@ -1,5 +1,3 @@ -# kubearmor-dev_test_02 - apiVersion: security.kubearmor.com/v1 kind: KubeArmorHostPolicy metadata: @@ -15,6 +13,8 @@ spec: action: Audit +# kubearmor-dev_test_02 + # test # $ cat /etc/passwd # ... diff --git a/examples/host-security-policies/hsp-kubearmor-dev-file-path-block-fromSource.yaml b/examples/host-security-policies/hsp-kubearmor-dev-file-path-block-fromSource.yaml index ee3d72f1db..6cfcc08ee9 100644 --- a/examples/host-security-policies/hsp-kubearmor-dev-file-path-block-fromSource.yaml 
+++ b/examples/host-security-policies/hsp-kubearmor-dev-file-path-block-fromSource.yaml @@ -1,5 +1,3 @@ -# kubearmor-dev_test_06 - apiVersion: security.kubearmor.com/v1 kind: KubeArmorHostPolicy metadata: @@ -17,6 +15,8 @@ spec: action: Block +# kubearmor-dev_test_06 + # test # $ head /etc/hostname # head: cannot open '/etc/hostname' for reading: Permission denied diff --git a/examples/host-security-policies/hsp-kubearmor-dev-file-path-block.yaml b/examples/host-security-policies/hsp-kubearmor-dev-file-path-block.yaml index 5d98d205aa..1a8515951f 100644 --- a/examples/host-security-policies/hsp-kubearmor-dev-file-path-block.yaml +++ b/examples/host-security-policies/hsp-kubearmor-dev-file-path-block.yaml @@ -1,5 +1,3 @@ -# kubearmor-dev_test_03 - apiVersion: security.kubearmor.com/v1 kind: KubeArmorHostPolicy metadata: @@ -15,6 +13,8 @@ spec: action: Block +# kubearmor-dev_test_03 + # test # $ cat /etc/hostname # cat: /etc/hostname: Permission denied diff --git a/examples/host-security-policies/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml b/examples/host-security-policies/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml index 86984864a4..340c50256f 100644 --- a/examples/host-security-policies/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml +++ b/examples/host-security-policies/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml @@ -1,5 +1,3 @@ -# kubearmor-dev_test_05 - apiVersion: security.kubearmor.com/v1 kind: KubeArmorHostPolicy metadata: @@ -20,6 +18,8 @@ spec: action: Allow +# kubearmor-dev_test_05 + # test # $ bash -c date # ... diff --git a/examples/host-security-policies/hsp-kubearmor-dev-proc-path-block-fromSource.yaml b/examples/host-security-policies/hsp-kubearmor-dev-proc-path-block-fromSource.yaml index a061b1182f..76a78e4464 100644 --- a/examples/host-security-policies/hsp-kubearmor-dev-proc-path-block-fromSource.yaml +++ b/examples/host-security-policies/hsp-kubearmor-dev-proc-path-block-fromSource.yaml 
@@ -1,5 +1,3 @@ -# kubearmor-dev_test_04 - apiVersion: security.kubearmor.com/v1 kind: KubeArmorHostPolicy metadata: @@ -20,6 +18,8 @@ spec: action: Block +# kubearmor-dev_test_04 + # test # (/home/vagrant/selinux-test/) $ bash -c date # bash: 1: date: Permission denied diff --git a/examples/host-security-policies/hsp-kubearmor-dev-proc-path-block.yaml b/examples/host-security-policies/hsp-kubearmor-dev-proc-path-block.yaml index cda5b3e4c9..eb03e787fe 100644 --- a/examples/host-security-policies/hsp-kubearmor-dev-proc-path-block.yaml +++ b/examples/host-security-policies/hsp-kubearmor-dev-proc-path-block.yaml @@ -1,5 +1,3 @@ -# kubearmor-dev_test_01 - apiVersion: security.kubearmor.com/v1 kind: KubeArmorHostPolicy metadata: @@ -15,6 +13,8 @@ spec: action: Block +# kubearmor-dev_test_01 + # test # $ diff --help # -bash: /usr/bin/diff: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-group-1-proc-path-block-from-source.yaml b/examples/multiubuntu/security-policies/ksp-group-1-proc-path-block-from-source.yaml index 7907d29f2a..d3b6bc1a0a 100644 --- a/examples/multiubuntu/security-policies/ksp-group-1-proc-path-block-from-source.yaml +++ b/examples/multiubuntu/security-policies/ksp-group-1-proc-path-block-from-source.yaml @@ -16,3 +16,11 @@ spec: - path: /bin/dash action: Block + +# multiubuntu_test_12 + +# test +# $ dash -c ls +# dash: 1: ls: Permission denied +# $ dash -c "cat /etc/hostname" +# ubuntu-1-deployment-5bd8d67678-4szzv diff --git a/examples/multiubuntu/security-policies/ksp-group-1-proc-path-block.yaml b/examples/multiubuntu/security-policies/ksp-group-1-proc-path-block.yaml index 6bac64cf8c..e76568a877 100644 --- a/examples/multiubuntu/security-policies/ksp-group-1-proc-path-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-group-1-proc-path-block.yaml 
@@ -5,12 +5,18 @@ metadata: namespace: multiubuntu spec: severity: 5 - message: "block the sleep command" + message: "block /bin/sleep" selector: matchLabels: group: group-1 process: matchPaths: - - path: /bin/sleep # try sleep 1 (permission denied) + - path: /bin/sleep action: Block + +# multiubuntu_test_01 + +# test +# $ sleep 1 +# bash: /bin/sleep: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-group-2-file-path-allow-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-group-2-file-path-allow-from-source-path.yaml index d726366ce6..b29eb5007e 100644 --- a/examples/multiubuntu/security-policies/ksp-group-2-file-path-allow-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-group-2-file-path-allow-from-source-path.yaml @@ -9,16 +9,18 @@ spec: selector: matchLabels: group: group-2 - process: # base bin rules - matchDirectories: - - dir: /bin/ - recursive: true - - dir: /usr/bin/ - recursive: true file: matchPaths: - - path: /secret.txt # /bin/cat /secret.txt (success) - fromSource: # /bin/cat /etc/hosts (permission denied) - - path: /bin/cat # /bin/head /secret.txt (permission denied) + - path: /secret.txt + fromSource: + - path: /bin/cat action: Allow + +# multiubuntu_test_17 + +# test +# $ cat /secret.txt +# secret file +# $ cat /etc/hostname +# cat: /etc/hostname: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-group-2-file-path-audit-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-group-2-file-path-audit-from-source-path.yaml index 99250af1c3..e7d9c60d63 100644 --- a/examples/multiubuntu/security-policies/ksp-group-2-file-path-audit-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-group-2-file-path-audit-from-source-path.yaml 
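Review bot: The new test block for ksp-group-2-file-path-allow-from-source-path.yaml no longer records what happens when a reader other than `/bin/cat` opens `/secret.txt`, which is the property the `from-source` name advertises; the old inline comment had `/bin/head /secret.txt (permission denied)`, and the diffstat shows `tests/scenarios/multiubuntu_test_17/cmd3` deleted, which looks like that case. Whether `head /secret.txt` is now expected to succeed (if a `fromSource` rule confines only `/bin/cat`) or be denied should be stated either way, e.g. add `# $ head /secret.txt` followed by the expected result. The hunk also drops the `process: matchDirectories` allow-list for `/bin/` and `/usr/bin/` without saying why; a one-line comment such as `# process allow-list removed: fromSource rules only confine /bin/cat` would stop the next reader from re-adding it.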
@@ -5,14 +5,20 @@ metadata: namespace: multiubuntu spec: severity: 5 - message: "audit /bin/cat accessing /home/user1/secret_data1.txt" + message: "audit /bin/cat accessing /secret.txt" selector: matchLabels: group: group-2 file: matchPaths: - - path: /home/user1/secret_data1.txt # /bin/cat /home/user1/secret_data1.txt (no logs) - fromSource: # /bin/head /home/secret_data1.txt (logs) - - path: /bin/cat + - path: /secret.txt + fromSource: + - path: /bin/cat action: Audit + +# test +# $ cat /secret.txt +# secret file (audit) +# $ cat /etc/hostname +# ubuntu-4-deployment-566bf47cd7-b7f56 (no log) diff --git a/examples/multiubuntu/security-policies/ksp-group-2-file-path-block-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-group-2-file-path-block-from-source-path.yaml index cd6da0bbe3..644b6e8a64 100644 --- a/examples/multiubuntu/security-policies/ksp-group-2-file-path-block-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-group-2-file-path-block-from-source-path.yaml @@ -11,8 +11,16 @@ spec: group: group-2 file: matchPaths: - - path: /secret.txt # /bin/cat /secret.txt (permission denied) - fromSource: # head /secret.txt (success) - - path: /bin/cat + - path: /secret.txt + fromSource: + - path: /bin/cat action: Block + +# multiubuntu_test_18 + +# test +# $ cat /secret.txt +# cat: /secret.txt: Permission denied +# $ cat /etc/hostname +# ubuntu-4-deployment-566bf47cd7-b7f56 diff --git a/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-allow-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-allow-from-source-path.yaml index 017550a67d..41c1777a92 100644 --- a/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-allow-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-allow-from-source-path.yaml 
@@ -8,26 +8,19 @@ spec: selector: matchLabels: group: group-2 - process: - matchDirectories: - - dir: /bin/ # required to change root to user1 / try 'su - user1' - recursive: true - - dir: /usr/bin/ # used in changing accounts - recursive: true file: matchPaths: - - path: /home/user1/secret_data1.txt # su - user1 -c "head secret_data.txt" (permission denied) - ownerOnly: true # su - user1 -c "/bin/cat secret_data.txt" (success) + - path: /home/user1/secret_data1.txt + ownerOnly: true fromSource: - - path: /bin/cat # /bin/cat /home/user1/secret_data.txt (permission denied) - - path: /run/utmp # required to change root to user1 - - path: /root/.bashrc # used by root - - path: /home/user1/.profile # used by user1 - - path: /home/user1/.bashrc # used by user1 - matchDirectories: - - dir: /etc/ # required to change root to user1 (coarse-grained way) - recursive: true - - dir: /proc/ # required to change root to user1 (coarse-grained way) - recursive: true + - path: /bin/cat action: Allow + +# test +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat secret_data1.txt" +# secret file user1 +# $ su - user1 -c "cat /etc/hostname" +# cat: /etc/hostname: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-audit-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-audit-from-source-path.yaml index e29bc7d813..eed4c3b77c 100644 --- a/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-audit-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-audit-from-source-path.yaml 
@@ -10,9 +10,17 @@ spec: group: group-2 file: matchPaths: - - path: /home/user1/secret_data1.txt # su - user1 -c "head secret_data.txt" (no logs) - ownerOnly: true # su - user1 -c "/bin/cat secret_data.txt" (logs) + - path: /home/user1/secret_data1.txt + ownerOnly: true fromSource: - - path: /bin/cat # head /home/user1/secret_data.txt (logs) + - path: /bin/cat action: Audit + +# test +# $ cat /home/user1/secret_data1.txt +# secret file user1 (no log) +# $ su - user1 -c "cat secret_data1.txt" +# secret file user1 (audit) +# $ su - user1 -c "cat /etc/hostname" +# ubuntu-4-deployment-566bf47cd7-b7f56 (no log) diff --git a/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-block-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-block-from-source-path.yaml index abad2495d3..268e05bd0c 100644 --- a/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-block-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-group-2-file-path-owner-block-from-source-path.yaml @@ -10,9 +10,17 @@ spec: group: group-2 file: matchPaths: - - path: /home/user1/secret_data1.txt # su - user1 -c "head secret_data.txt" (success) - ownerOnly: true # su - user1 -c "/bin/cat secret_data.txt" (permission denied) + - path: /home/user1/secret_data1.txt + ownerOnly: true fromSource: - - path: /bin/cat # head /home/user1/secret_data.txt (permission denied) + - path: /bin/cat action: Block + +# test +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat secret_data1.txt" +# secret file user1 +# $ su - user1 -c "cat /etc/hostname" +# ubuntu-4-deployment-566bf47cd7-b7f56 diff --git a/examples/multiubuntu/security-policies/ksp-group-2-proc-path-audit.yaml b/examples/multiubuntu/security-policies/ksp-group-2-proc-path-audit.yaml index 1f460184d4..32466d779f 100644 --- a/examples/multiubuntu/security-policies/ksp-group-2-proc-path-audit.yaml 
+++ b/examples/multiubuntu/security-policies/ksp-group-2-proc-path-audit.yaml @@ -10,6 +10,12 @@ spec: group: group-2 process: matchPaths: - - path: /bin/sleep # try sleep 1 + - path: /bin/sleep action: Audit + +# multiubuntu_test_02 + +# test +# $ sleep 1 +# ... sleep ... (audit) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-cap-net-raw-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-cap-net-raw-block.yaml index 5222b7b8c1..8de14c95a4 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-cap-net-raw-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-cap-net-raw-block.yaml @@ -10,6 +10,12 @@ spec: container: ubuntu-1 capabilities: matchCapabilities: - - capability: net_raw # try 'ping 8.8.8.8' (operation not permitted) and 'curl www.kubearmor.com' (success) + - capability: net_raw action: Block + +# multiubuntu_test_03 + +# test +# $ ping -c 1 127.0.0.1 +# ping: socket: Operation not permitted diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-path-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-path-audit.yaml index 8b75b90f89..30b78ea85e 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-path-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-path-audit.yaml @@ -13,8 +13,16 @@ spec: container: ubuntu-1 file: matchPaths: - - path: /etc/passwd # cat /etc/passwd - - path: /secret.txt # echo "test" >> /secret.txt - - path: /credentials/password # echo "test" >> /credentials/password + - path: /etc/passwd + - path: /secret.txt + - path: /credentials/password action: Audit + +# test +# $ cat /etc/passwd +# root:x:0:0:root:/root:/bin/bash (audit) +# $ echo "test" >> /secret.txt +# (nothing is displayed) (audit) +# $ echo "test" >> /credentials/password +# (nothing is displayed) (audit) 
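Review bot: The replacement test in ksp-ubuntu-1-cap-net-raw-block.yaml drops the positive control the old comment carried (`curl www.kubearmor.com (success)`), so the scenario no longer shows that only raw-socket use is denied rather than all networking. The remaining expectation also rests on `ping` opening a raw socket: a ping build that falls back to an ICMP datagram socket when `net.ipv4.ping_group_range` permits it does not need CAP_NET_RAW and would succeed despite the Block, so the `ping: socket: Operation not permitted` line depends on the image and that sysctl. Suggest documenting the assumption, `# NOTE: relies on ping using a raw socket; with ping_group_range open this does not exercise net_raw`, and keeping a non-raw request in the block as the success case.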
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-path-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-path-block.yaml index 9613c4e63a..68423eaec6 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-path-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-path-block.yaml @@ -13,8 +13,16 @@ spec: container: ubuntu-1 file: matchPaths: - - path: /etc/passwd # cat /etc/passwd (permission denied) - - path: /secret.txt # echo "test" >> /secret.txt (permission denied) - - path: /credentials/password # echo "test" >> /credentials/password (permission denied) + - path: /etc/passwd + - path: /secret.txt + - path: /credentials/password action: Block + +# test +# $ cat /etc/passwd +# cat: /etc/passwd: Permission denied +# echo "test" >> /secret.txt +# bash: /secret.txt: Permission denied +# echo "test" >> /credentials/password +# bash: /credentials/password: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-allow.yaml index 05a9641c70..0276a8b3d7 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-allow.yaml @@ -11,9 +11,20 @@ spec: container: ubuntu-1 process: matchDirectories: - - dir: /bin/ + - dir: /bin/ file: - matchPatterns: # cat /etc/hosts (permission denied) - - pattern: /etc/*hado? # try open /etc/shadow or /etc/gshadow (success) + matchPaths: + - path: /root/.bashrc + - path: /root/.bash_history + matchPatterns: + - pattern: /etc/*hado? action: Allow + +# test +# $ cat /etc/hosts +# cat: /etc/hosts: Permission denied +# $ cat /etc/shadow +# root:*:18900:0:99999:7::: ... +# $ cat /etc/gshadow +# root:*:: ... 
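Review bot: In the ksp-ubuntu-1-file-path-block.yaml test block the two `echo "test" >> ...` lines lack the `$ ` prompt prefix used on every other command line in these files, so they read as output rather than commands; change them to `# $ echo "test" >> /secret.txt` and `# $ echo "test" >> /credentials/password`. If the tests/scenarios cmd files are kept in step with these blocks, the prompt convention is what separates commands from expected output, so it is worth keeping consistent.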
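Review bot: ksp-ubuntu-1-file-pattern-allow.yaml now lists `/root/.bashrc` and `/root/.bash_history` under `matchPaths` without the `# used by root` annotation that the sibling owner-allow policies carry. The test block itself shows why they are needed — `cat /etc/hosts` is denied although the policy contains only Allow rules, i.e. an Allow rule turns the file category into a whitelist — but a reader of a policy about `/etc/*hado?` will otherwise not see why bash's rc and history files appear in it. Suggest `- path: /root/.bashrc # used by root (file category is whitelist-only once an Allow rule exists)` and the same on `.bash_history`.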
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-audit.yaml index 6b1f8f2acd..6c24cf9807 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-audit.yaml @@ -11,6 +11,12 @@ spec: container: ubuntu-1 file: matchPatterns: - - pattern: /etc/*hado? # try open /etc/shadow or /etc/gshadow (logs) + - pattern: /etc/*hado? action: Audit + +# test +# $ cat /etc/shadow +# root:*:18900:0:99999:7::: (audit) +# $ cat /etc/gshadow +# root:*:: (audit) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-block.yaml index 6e3d000d83..8739567eaf 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-block.yaml @@ -11,6 +11,14 @@ spec: container: ubuntu-1 file: matchPatterns: - - pattern: /etc/*hado? # try open /etc/shadow or /etc/gshadow (permission denied) + - pattern: /etc/*hado? action: Block + +# multiubuntu_test_11 + +# test +# $ cat /etc/shadow +# cat: /etc/shadow: Permission denied +# $ cat /etc/gshadow +# cat: /etc/gshadow: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-allow.yaml index e9cd59e780..d36f57c40e 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-allow.yaml 
@@ -11,23 +11,33 @@ spec: container: ubuntu-1 process: matchDirectories: - - dir: /bin/ # required to change root to user1 / try 'su - user1' + - dir: /bin/ # required to change root to user1 recursive: true - dir: /usr/bin/ # used in changing accounts recursive: true file: matchPaths: - - path: /run/utmp # required to change root to user1 - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root - path: /home/user1/.profile # used by user1 - path: /home/user1/.bashrc # used by user1 + - path: /run/utmp # required to change root to user1 + - path: /dev/tty matchDirectories: - dir: /etc/ # required to change root to user1 (coarse-grained way) recursive: true - dir: /proc/ # required to change root to user1 (coarse-grained way) recursive: true - matchPatterns: # su - user1 -c "cat /home/user1/secret_data1.txt" (success) - - pattern: /home/user1/secret_data* # su - user1 -c "cat /home/user1/otherdata.txt" (permission denied) - ownerOnly: true # cat /home/user1/secret_data1.txt (permission denied) + matchPatterns: + - pattern: /home/user1/secret_data* + ownerOnly: true action: Allow + +# test +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 +# $ su - user1 -c "cat /home/user1/otherfile.txt" +# cat: /home/user1/otherfile.txt: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-audit.yaml index bd22f7e448..99a5a20de6 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-audit.yaml 
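Review bot: The `- path: /dev/tty` entry added to ksp-ubuntu-1-file-pattern-owner-allow.yaml is the only path in the list without a purpose comment, while every neighbour explains which step of the `su - user1` flow needs it. Presumably it is opened by `su` for the controlling terminal, but that should be confirmed and recorded, e.g. `- path: /dev/tty # presumably opened by su for the controlling terminal — confirm`. Since this Allow policy is whitelist-only for files, an unexplained entry is exactly the kind of line that gets silently dropped or widened later.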
@@ -12,6 +12,12 @@ spec: file: matchPatterns: - pattern: /home/user1/secret_data* - ownerOnly: true # cat /home/user1/secret_data1.txt (logs) + ownerOnly: true action: Audit + +# test +# $ cat /home/user1/secret_data1.txt +# secret file user1 (no log) +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 (audit) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-block.yaml index 53d4e1fe9b..c3904d28a4 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-block.yaml @@ -12,6 +12,12 @@ spec: file: matchPatterns: - pattern: /home/user1/secret_data* - ownerOnly: true # cat /home/user1/secret_data1.txt (permission denied) + ownerOnly: true action: Block + +# test +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-readonly-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-readonly-block.yaml index 32332292b9..1b809f53b9 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-readonly-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-file-pattern-owner-readonly-block.yaml 
@@ -10,9 +10,21 @@ spec: matchLabels: container: ubuntu-1 file: - matchPatterns: # echo testroot >> /home/user1/secret_data1.txt (permission denied) - - pattern: /home/user1/secret_data* # su - user1 -c "echo test >> /home/user1/secret_data1.txt" (permission denied) - ownerOnly: true # cat /home/user1/secret_data1.txt (permission denied) - readOnly: true # su - user1 -c "cat /home/user1/secret_data1.txt" (success) + matchPatterns: + - pattern: /home/user1/secret_data* + ownerOnly: true + readOnly: true action: Block + +# multiubuntu_test_27 + +# test +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 +# $ echo root >> /home/user1/secret_data1.txt +# bash: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "echo test >> /home/user1/secret_data1.txt" +# -su: /home/user1/secret_data1.txt: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-net-tcp-from-source-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-net-tcp-from-source-allow.yaml new file mode 100644 index 0000000000..8c382e073c --- /dev/null +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-net-tcp-from-source-allow.yaml @@ -0,0 +1,27 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorPolicy +metadata: + name: ksp-ubuntu-1-net-tcp-from-source-allow + namespace: multiubuntu +spec: + severity: 8 + selector: + matchLabels: + container: ubuntu-1 + network: + matchProtocols: + - protocol: tcp + fromSource: + - path: /usr/bin/curl + action: Allow + +# test +# curl 172.217.175.36 +# +# 301 Moved +#

301 Moved

+# The document has moved +# here. +# +# $ curl www.google.com +# curl: (6) Could not resolve host: www.google.com diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-1-proc-dir-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-1-proc-dir-block.yaml index ea2a0d430d..719c9c4945 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-1-proc-dir-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-1-proc-dir-block.yaml @@ -11,6 +11,12 @@ spec: container: ubuntu-1 process: matchDirectories: - - dir: /sbin/ # try route (permission denied) + - dir: /sbin/ action: Block + +# multiubuntu_test_04 + +# test +# $ route +# bash: /sbin/route: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-allow.yaml index 8fae7c5790..d34858c3b3 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-allow.yaml @@ -10,16 +10,18 @@ spec: container: ubuntu-2 process: matchDirectories: - - dir: /bin/ # required to change root to user1 / try 'su - user1' + - dir: /bin/ # required to change root to user1 recursive: true - dir: /usr/bin/ # used in changing accounts recursive: true file: matchPaths: - - path: /run/utmp # required to change root to user1 - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root - path: /home/user1/.profile # used by user1 - path: /home/user1/.bashrc # used by user1 + - path: /run/utmp # required to change root to user1 + - path: /dev/tty matchDirectories: - dir: /home/user1/ ownerOnly: true @@ -29,3 +31,9 @@ spec: recursive: true action: Allow + +# test +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 
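Review bot: The test block in the new ksp-ubuntu-1-net-tcp-from-source-allow.yaml hard-codes a third-party address (`curl 172.217.175.36`) and the HTML body it returned, so the scenario depends on external egress and on what that host serves on a given day; a cluster-local endpoint would make it reproducible. The second expectation, `curl: (6) Could not resolve host: www.google.com`, is presumably the policy working — with only `tcp` allowed from `/usr/bin/curl`, its UDP DNS lookup is not whitelisted — but nothing says so, and a reader may take it for a broken test network; add `# name resolution fails because only tcp is allowed from curl (DNS uses udp)` and confirm that reading. The file also lacks the `# multiubuntu_test_NN` id line and the `message:` field the other policies carry, and the first command is missing its `$ ` prompt.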
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-audit.yaml index f579873889..cbe24ed703 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-audit.yaml @@ -14,3 +14,9 @@ spec: ownerOnly: true action: Audit + +# test +# $ cat /home/user1/secret_data1.txt +# secret file user1 (no log) +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 (audit) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-block.yaml index 5787783cfd..8552104a64 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-block.yaml @@ -14,3 +14,9 @@ spec: ownerOnly: true action: Block + +# test +# $ cat /home/user1/secret_data1.txt +# secret file user1 // NEED-TO-FIX // +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-readonly-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-readonly-allow.yaml index edb11a6ebe..4309fe7cf0 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-readonly-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-readonly-allow.yaml 
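Review bot: The expectation added to ksp-ubuntu-2-file-dir-owner-block.yaml, `secret file user1 // NEED-TO-FIX //` for a root `cat /home/user1/secret_data1.txt`, records that a Block rule with `ownerOnly: true` on `matchDirectories` is currently not enforced for non-owner reads, while the sibling ksp-ubuntu-2-file-dir-owner-readonly-block.yaml in this same patch expects `Permission denied` for the identical command once `readOnly: true` is added. A free-form marker buried in an example's output is easy to miss, and someone copying this policy would believe it protects the directory. State it plainly at the top of the test block, e.g. `# KNOWN ISSUE: ownerOnly on a directory Block rule is not enforced; root can still read owner-only files`, and reference the tracking issue so the comment is removed when the enforcement bug is fixed. It is also worth saying whether this scenario is excluded from tests/scenarios until then.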
@@ -10,19 +10,21 @@ spec: container: ubuntu-2 process: matchDirectories: - - dir: /bin/ # required to change root to user1 / try 'su - user1' + - dir: /bin/ # required to change root to user1 recursive: true - dir: /usr/bin/ # used in changing accounts recursive: true file: matchPaths: - - path: /run/utmp # required to change root to user1 - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root - path: /home/user1/.profile # used by user1 - path: /home/user1/.bashrc # used by user1 - matchDirectories: # cat /home/user1/dir1/key1.txt (permission denied) - - dir: /home/user1/ # su - user1 -c "cat /home/user1/dir1/key1.txt" (success) - ownerOnly: true # echo testroot >> /home/user1/secret_data1.txt (permission denied) + - path: /run/utmp # required to change root to user1 + - path: /dev/tty + matchDirectories: + - dir: /home/user1/ + ownerOnly: true readOnly: true - dir: /etc/ # required to change root to user1 (coarse-grained way) recursive: true @@ -31,3 +33,12 @@ spec: action: Allow +# test +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ echo root >> /home/user1/secret_data1.txt +# bash: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 +# $ su - user1 -c "echo user1 >> /home/user1/secret_data1.txt" +# -su: /home/user1/secret_data1.txt: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-readonly-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-readonly-block.yaml index dc07bc5530..8c7a080272 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-readonly-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-owner-readonly-block.yaml 
@@ -9,9 +9,21 @@ spec: matchLabels: container: ubuntu-2 file: - matchDirectories: # cat /home/user1/secret_data1.txt (permission denied) - - dir: /home/user1/ # su - user1 -c "cat /home/user1/secret_data1.txt" (success) - ownerOnly: true # echo testroot >> /home/user1/secret_data1.txt (permission denied) - readOnly: true # su - user1 -c "echo testuser1 >> /home/user1/secret_data1.txt" (permission denied) + matchDirectories: + - dir: /home/user1/ + ownerOnly: true + readOnly: true action: Block + +# multiubuntu_test_26 + +# test +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 +# $ echo root >> /home/user1/secret_data1.txt +# bash: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "echo user1 >> /home/user1/secret_data1.txt" +# -su: /home/user1/secret_data1.txt: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-allow-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-allow-from-source-path.yaml index e0578d7e4d..d54ffaa25d 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-allow-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-allow-from-source-path.yaml 
@@ -11,19 +11,19 @@ spec: selector: matchLabels: container: ubuntu-2 - process: - matchDirectories: - - dir: /bin/ # need some exectuables to test file: - matchPaths: - - path: /dev/tty - readOnly: false matchDirectories: - - dir: /credentials/ # cat /credentials/password (success) - recursive: true # cat /credentials/keys/priv.key (success) - fromSource: # head /credentials/password (permission denied) - - path: /bin/cat # head /credentials/keys/priv.key (permission denied) - - dir: /dev/pts/ + - dir: /credentials/ recursive: true + fromSource: + - path: /bin/cat action: Allow + +# test +# $ cat /credentials/password +# password file +# $ cat /credentials/keys/priv.key +# key file +# $ cat /etc/hostname +# cat: /etc/hostname: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-audit-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-audit-from-source-path.yaml index a7246fd534..3c4cf76513 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-audit-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-audit-from-source-path.yaml @@ -13,9 +13,19 @@ spec: container: ubuntu-2 file: matchDirectories: - - dir: /credentials/ # cat /credentials/password (logs) - recursive: true # head /credentials/keys/priv.key (no logs) - fromSource: # head /credentials/password (no logs) - - path: /bin/cat # cat /credentials/keys/priv.key (logs) + - dir: /credentials/ + recursive: true + fromSource: + - path: /bin/cat action: Audit + +# test +# $ cat /credentials/password +# password file (audit) +# $ cat /credentials/keys/priv.key +# key file (audit) +# $ head /credentials/password +# password file (no log) +# $ head /credentials/keys/priv.key +# key file (no log) 
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block-from-source-path.yaml index 55fd05eb72..3a0d4894ff 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block-from-source-path.yaml @@ -13,9 +13,17 @@ spec: container: ubuntu-2 file: matchDirectories: - - dir: /credentials/ # cat /credentials/password (permission denied) - recursive: true # head /credentials/keys/priv.key (success) - fromSource: # head /credentials/password (success) - - path: /bin/cat # cat /credentials/keys/priv.key (permission denied) + - dir: /credentials/ + recursive: true + fromSource: + - path: /bin/cat action: Block + +# test +# $ cat /credentials/password +# cat: /credentials/password: Permission denied +# $ cat /credentials/keys/priv.key +# cat: /credentials/keys/priv.key: Permission denied +# $ cat /etc/hostname +# ubuntu-2-deployment-7664649b7d-h28wb diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block.yaml index e640fa5749..a6b3c75612 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block.yaml 
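Review bot: The expected output `# ubuntu-2-deployment-7664649b7d-h28wb` for `cat /etc/hostname` in ksp-ubuntu-2-file-dir-recursive-block-from-source-path.yaml is a pod-specific name that changes on every redeploy, so anyone comparing against it will see a false mismatch. Record the shape instead, e.g. `# <pod hostname, e.g. ubuntu-2-deployment-xxxxxxxxxx-xxxxx>`. The same applies to `ubuntu-3-deployment-754698b646-nt99p` in ksp-ubuntu-3-file-dir-audit-from-source-path.yaml and ksp-ubuntu-3-file-dir-block-from-source-path.yaml.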
@@ -12,9 +12,23 @@ spec: matchDirectories: - dir: /run/secrets/kubernetes.io/serviceaccount/ recursive: true - - # cat /run/secrets/kubernetes.io/serviceaccount/token - # curl https://$KUBERNETES_PORT_443_TCP_ADDR/api --insecure --header "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" - action: Block + +# multiubuntu_test_13 + +# test +# $ cat /run/secrets/kubernetes.io/serviceaccount/token +# cat: /run/secrets/kubernetes.io/serviceaccount/token: Permission denied +# $ curl https://$KUBERNETES_PORT_443_TCP_ADDR/api --insecure --header "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" +# cat: /run/secrets/kubernetes.io/serviceaccount/token: Permission denied +# { +# "kind": "Status", +# "apiVersion": "v1", +# "metadata": {}, +# "status": "Failure", +# "message": "forbidden: User \"system:anonymous\" cannot get path \"/api\"", +# "reason": "Forbidden", +# "details": {}, +# "code": 403 +# } diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-allow.yaml index 6f7a0d45ac..82d4cff6e1 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-allow.yaml 
@@ -10,20 +10,22 @@ spec: container: ubuntu-2 process: matchDirectories: - - dir: /bin/ # required to change root to user1 / try 'su - user1' + - dir: /bin/ # required to change root to user1 recursive: true - dir: /usr/bin/ # used in changing accounts recursive: true file: matchPaths: - - path: /run/utmp # required to change root to user1 - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root - path: /home/user1/.profile # used by user1 - path: /home/user1/.bashrc # used by user1 - matchDirectories: # cat /home/user1/dir1/key1.txt (permission denied) - - dir: /home/user1/ # su - user1 -c "cat /home/user1/dir1/key1.txt" (success) - recursive: true # su - user1 -c "echo test >> /home/user1/secret_data1.txt" (permission denied) - ownerOnly: true # echo testroot >> /home/user1/secret_data1.txt (permission denied) + - path: /run/utmp # required to change root to user1 + - path: /dev/tty + matchDirectories: + - dir: /home/user1/ + recursive: true + ownerOnly: true readOnly: true - dir: /etc/ # required to change root to user1 (coarse-grained way) recursive: true @@ -31,3 +33,13 @@ spec: recursive: true action: Allow + +# test +# $ cat /home/user1/dir1/key1.txt +# cat: /home/user1/dir1/key1.txt: Permission denied +# $ echo root >> /home/user1/secret_data1.txt +# bash: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/dir1/key1.txt" +# key file 1 +# $ su - user1 -c "echo user1 >> /home/user1/secret_data1.txt" +# -su: /home/user1/secret_data1.txt: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-audit.yaml index 8c9fca3fd9..7d4866dd5c 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-audit.yaml 
@@ -9,10 +9,20 @@ spec: matchLabels: container: ubuntu-2 file: - matchDirectories: # cat /home/user1/dir1/key1.txt (logs) - - dir: /home/user1/ # su - user1 -c "cat /home/user1/dir1/key1.txt" (no logs) - recursive: true # su - user1 -c "echo test >> /home/user1/secret_data1.txt" (logs) - ownerOnly: true # echo testroot >> /home/user1/secret_data1.txt (logs) + matchDirectories: + - dir: /home/user1/ + recursive: true + ownerOnly: true readOnly: true action: Audit + +# test +# $ cat /home/user1/dir1/key1.txt +# key file 1 (no log) +# $ echo root >> /home/user1/secret_data1.txt +# (nothing is displayed) (no log) +# $ su - user1 -c "cat /home/user1/dir1/key1.txt" +# key file 1 (audit) +# $ su - user1 -c "echo user1 >> /home/user1/secret_data1.txt" +# (nothing is displayed) (no log) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-block.yaml index 2fd53c46f8..52ca1998e0 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-owner-readonly-block.yaml 
@@ -9,10 +9,26 @@ spec: matchLabels: container: ubuntu-2 file: - matchDirectories: # cat /home/user1/dir1/key1.txt (permission denied) - - dir: /home/user1/ # su - user1 -c "cat /home/user1/dir1/key1.txt" (success) - recursive: true # su - user1 -c "echo test >> /home/user1/secret_data1.txt" (permission denied) - ownerOnly: true # echo testroot >> /home/user1/secret_data1.txt (permission denied) + matchDirectories: + - dir: /home/user1/ + recursive: true + ownerOnly: true readOnly: true action: Block + +# multiubuntu_test_25 + +# test +# $ cat /home/user1/dir1/key1.txt +# cat: /home/user1/dir1/key1.txt: Permission denied +# $ echo root >> /home/user1/secret_data1.txt +# bash: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 +# $ su - user1 -c "cat /home/user1/dir1/key1.txt" +# key file 1 +# $ su - user1 -c "echo user1 >> /home/user1/secret_data1.txt" +# -su: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "echo user1 >> /home/user1/dir1/key1.txt" +# -su: /home/user1/dir1/key1.txt: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-proc-dir-recursive-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-proc-dir-recursive-block.yaml index 3e5a796622..17ca7fac54 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-proc-dir-recursive-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-proc-dir-recursive-block.yaml @@ -10,7 +10,15 @@ spec: container: ubuntu-2 process: matchDirectories: - - dir: /usr/ # try env or whoami (permission denied) + - dir: /usr/ recursive: true action: Block + +# multiubuntu_test_05 + +# test +# $ env +# bash: /usr/bin/env: Permission denied +# $ whoami +# bash: /usr/bin/whoami: Permission denied 
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-allow-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-allow-from-source-path.yaml index de2567a6d6..377059400b 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-allow-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-allow-from-source-path.yaml @@ -11,18 +11,16 @@ spec: selector: matchLabels: container: ubuntu-3 - process: - matchDirectories: - - dir: /bin/ # need some exectuables to test file: - matchPaths: - - path: /dev/tty - readOnly: false matchDirectories: - - dir: /credentials/ # cat /credentials/password (success) - fromSource: # head /credentials/password (permission denied) - - path: /bin/cat # head /credentials/keys/priv.key (permission denied) - - dir: /dev/pts/ - recursive: true + - dir: /credentials/ + fromSource: + - path: /bin/cat action: Allow + +# test +# $ cat /credentials/password +# password file +# $ cat /etc/hostname +# cat: /etc/hostname: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-audit-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-audit-from-source-path.yaml index c102f6ccda..b6a582df9a 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-audit-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-audit-from-source-path.yaml @@ -13,8 +13,14 @@ spec: container: ubuntu-3 file: matchDirectories: - - dir: /credentials/ # cat /credentials/password (logs) - fromSource: # head /credentials/password (no logs) - - path: /bin/cat # cat /credentials/keys/priv.key (no logs) + - dir: /credentials/ + fromSource: + - path: /bin/cat action: Audit + +# test +# $ cat /credentials/password +# password file (audit) +# $ cat /etc/hostname +# ubuntu-3-deployment-754698b646-nt99p (no log) 
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-block-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-block-from-source-path.yaml index baec400aec..8386a15b3e 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-block-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-block-from-source-path.yaml @@ -13,8 +13,14 @@ spec: container: ubuntu-3 file: matchDirectories: - - dir: /credentials/ # cat /credentials/password (permission denied) - fromSource: # head /credentials/password (success) - - path: /bin/cat # cat /credentials/keys/priv.key (success) + - dir: /credentials/ + fromSource: + - path: /bin/cat action: Block + +# test +# $ cat /credentials/password +# cat: /credentials/password: Permission denied +# $ cat /etc/hostname +# ubuntu-3-deployment-754698b646-nt99p diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow-from-source-path.yaml index 7759a84252..7c70943dcf 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow-from-source-path.yaml 
@@ -11,19 +11,17 @@ spec: selector: matchLabels: container: ubuntu-3 - process: - matchDirectories: - - dir: /bin/ # need some exectuables to test file: - matchPaths: - - path: /dev/tty - readOnly: false matchDirectories: - - dir: /credentials/ # /bin/cat >> /credentials/password (permission denied) - readOnly: true # /bin/cat /credentials/password (success) - fromSource: # head /credentials/password (permission denied) - - path: /bin/cat # /bin/cat >> /credentials/password (permission denied) - - dir: /dev/pts/ - recursive: true + - dir: /credentials/ + readOnly: true + fromSource: + - path: /readwrite action: Allow + +# test +# $ ./readwrite -r /credentials/password +# p +# $ ./readwrite -w /credentials/password +# Error! (permission denied) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow.yaml index 740f8c5334..c41938825a 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow.yaml @@ -16,12 +16,19 @@ spec: - dir: /bin/ # need some exectuables to test file: matchPaths: + - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root - path: /dev/tty - readOnly: false - matchDirectories: # echo "new password" > /credentials/password (permission denied) - - dir: /credentials/ # cat /credentials/password (success) - readOnly: true # cat /credentials/keys/priv.key (permission denied) - - dir: /dev/pts/ - recursive: true + matchDirectories: + - dir: /credentials/ + readOnly: true action: Allow + +# test +# $ cat /credentials/password +# password file +# $ cat /credentials/keys/priv.key +# cat: /credentials/keys/priv.key: Permission denied +# $ echo "new password" > /credentials/password +# bash: /credentials/password: Permission denied 
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit-from-source-path.yaml index f5c9b3e1f3..21bc229d50 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit-from-source-path.yaml @@ -13,9 +13,15 @@ spec: container: ubuntu-3 file: matchDirectories: - - dir: /credentials/ # cat secret.txt >> /credentials/password (logs) - readOnly: true # cat /credentials/password (logs) - fromSource: # head /credentials/password (no logs) - - path: /bin/cat # cat secret.txt >> /credentials/keys/priv.key (no logs) + - dir: /credentials/ + readOnly: true + fromSource: + - path: /readwrite action: Audit + +# test +# $ ./readwrite -r /credentials/password +# p (audit) +# $ ./readwrite -r /credentials/password +# (nothing is displayed) (no log) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit.yaml index 4be41eb55b..bcf875acce 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit.yaml @@ -12,8 +12,14 @@ spec: matchLabels: container: ubuntu-3 file: - matchDirectories: # echo "new password" > /credentials/password (logs) - - dir: /credentials/ # cat /credentials/password (no logs) - readOnly: true # cat /credentials/keys/priv.key (no logs) + matchDirectories: + - dir: /credentials/ + readOnly: true action: Audit + +# test +# $ cat /credentials/password +# password file (audit) +# $ echo "new password" > /credentials/password +# (nothing is displayed) (no log) 
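Review bot: The second test step in ksp-ubuntu-3-file-dir-readonly-audit-from-source-path.yaml repeats `./readwrite -r /credentials/password` with a different expected result (`(nothing is displayed) (no log)`), so the scenario cannot be executed as written; its siblings ksp-ubuntu-3-file-dir-readonly-allow-from-source-path.yaml and ksp-ubuntu-3-file-dir-readonly-block-from-source-path.yaml pair `-r` with `-w`, so this line should read `# $ ./readwrite -w /credentials/password`. Since the rule carries `readOnly: true` under an Audit action, the write is the operation a reader would expect to be logged; the sibling ksp-ubuntu-3-file-dir-readonly-audit.yaml likewise expects `(no log)` for its write, so if that is observed behaviour rather than intent, a one-line note to that effect in both files would help.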
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block-from-source-path.yaml index a2b49ce254..c57f5b71c4 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block-from-source-path.yaml @@ -13,9 +13,15 @@ spec: container: ubuntu-3 file: matchDirectories: - - dir: /credentials/ # cat secret.txt >> /credentials/password (permission denied) - readOnly: true # cat /credentials/password (permission denied) - fromSource: # head /credentials/password (success) - - path: /bin/cat # cat secret.txt >> /credentials/keys/priv.key (success) + - dir: /credentials/ + readOnly: true + fromSource: + - path: /readwrite action: Block + +# test +# $ ./readwrite -r /credentials/password +# p +# $ ./readwrite -w /credentials/password +# Error! (permission denied) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block.yaml index d5a19c9b88..ef1accd294 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block.yaml @@ -12,8 +12,14 @@ spec: matchLabels: container: ubuntu-3 file: - matchDirectories: # echo "new password" > /credentials/password (permission denied) - - dir: /credentials/ # cat /credentials/password (success) - readOnly: true # cat /credentials/keys/priv.key (success) + matchDirectories: + - dir: /credentials/ + readOnly: true action: Block + +# test +# $ cat /credentials/password +# password file +# $ echo "password" > /credentials/password +# bash: /credentials/password: Permission denied 
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-allow.yaml index cc5921e4ee..8d3c685f54 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-allow.yaml @@ -10,18 +10,20 @@ spec: container: ubuntu-3 process: matchDirectories: - - dir: /bin/ # required to change root to user1 / try 'su - user1' + - dir: /bin/ # required to change root to user1 recursive: true - dir: /usr/bin/ # used in changing accounts recursive: true file: matchPaths: - - path: /home/user1/secret_data1.txt # + - path: /home/user1/secret_data1.txt ownerOnly: true - - path: /run/utmp # required to change root to user1 - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root - path: /home/user1/.profile # used by user1 - path: /home/user1/.bashrc # used by user1 + - path: /run/utmp # required to change root to user1 + - path: /dev/tty matchDirectories: - dir: /etc/ # required to change root to user1 (coarse-grained way) recursive: true @@ -29,3 +31,13 @@ spec: recursive: true action: Allow + +# multiubuntu_test_21 + +# test +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 +# $ su - user1 -c "echo user1 >> /home/user1/secret_data1.txt" +# (nothing is displayed) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-audit.yaml index 56373cbd3c..d135cf8ea9 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-audit.yaml 
@@ -14,3 +14,9 @@ spec: ownerOnly: true action: Audit + +# test +# $ cat /home/user1/secret_data1.txt +# secret file user1 (no log) +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 (audit) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-block.yaml index 8fec9efe0a..abe39985e3 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-path-owner-block.yaml @@ -10,7 +10,15 @@ spec: container: ubuntu-3 file: matchPaths: - - path: /home/user1/secret_data1.txt # su - user1 -c /bin/cat /home/user1/secret_data1.txt (success) - ownerOnly: true # /bin/cat /home/user1/secret_data1.txt (permission denied) + - path: /home/user1/secret_data1.txt + ownerOnly: true action: Block + +# test +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 +# $ su - user1 -c "echo user1 >> /home/user1/secret_data1.txt" +# (nothing is displayed) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-dir-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-dir-allow.yaml index 12bc41027b..5e9fa22204 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-dir-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-dir-allow.yaml @@ -14,7 +14,15 @@ spec: - dir: /bin/ file: matchDirectories: - - dir: /credentials/ # allow accessing the files in this directory; otherwise, deny all + - dir: /credentials/ recursive: true action: - Audit + Allow + +# multiubuntu_test_08 + +# test +# $ cat /credentials/password +# password file +# $ cat /etc/hostname +# cat: /etc/hostname: Permission denied 
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-allow.yaml index ead83738d4..4d59f2e2df 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-allow.yaml @@ -10,22 +10,33 @@ spec: container: ubuntu-3 process: matchPaths: - - path: /home/user1/hello - ownerOnly: true + - path: /home/user1/hello + ownerOnly: true matchDirectories: - - dir: /bin/ # required to change root to user1 / try 'su - user1' - recursive: true - - dir: /usr/bin/ # used in changing accounts - recursive: true + - dir: /bin/ # required to change root to user1 + recursive: true + - dir: /usr/bin/ # used in changing accounts + recursive: true file: matchPaths: - - path: /run/utmp # required to change root to user1 - - path: /root/.bashrc # used by root - - path: /home/user1/.profile # used by user1 - - path: /home/user1/.bashrc # used by user1 + - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root + - path: /home/user1/.profile # used by user1 + - path: /home/user1/.bashrc # used by user1 + - path: /run/utmp # required to change root to user1 + - path: /dev/tty matchDirectories: - - dir: /etc/ # required to change root to user1 (coarse-grained way) - recursive: true - - dir: /proc/ # required to change root to user1 (coarse-grained way) - recursive: true - action: Allow + - dir: /etc/ # required to change root to user1 (coarse-grained way) + recursive: true + - dir: /proc/ # required to change root to user1 (coarse-grained way) + recursive: true + action: + Allow + +# multiubuntu_test_14 + +# test +# $ /home/user1/hello +# bash: /home/user1/hello: Permission denied +# $ su - user1 -c "/home/user1/hello" +# helloworld 
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-block.yaml index 34778ba613..833b6dd1ba 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-block.yaml @@ -10,6 +10,15 @@ spec: container: ubuntu-3 process: matchPaths: - - path: /home/user1/hello - ownerOnly: true - action: Block + - path: /home/user1/hello + ownerOnly: true + action: + Block + +# multiubuntu_test_15 + +# test +# $ /home/user1/hello +# bash: /home/user1/hello: Permission denied +# $ su - user1 -c "/home/user1/hello" +# helloworld diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-allow.yaml index 783a80ea5b..1517014815 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-allow.yaml @@ -13,14 +13,26 @@ spec: container: ubuntu-4 process: matchDirectories: - - dir: /bin/ # need some exectuables to test + - dir: /bin/ # required to change root to user1 + recursive: true + - dir: /usr/bin/ # used in changing accounts + recursive: true file: matchPaths: + - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root - path: /dev/tty - readOnly: false - matchDirectories: # cat /credentials/keys/priv.key (permission denied) - - dir: /credentials/ # cat /credentials/password (success) - - dir: /dev/pts/ + matchDirectories: + - dir: /credentials/ + - dir: /etc/ # used by root (coarse-grained way) + recursive: true + - dir: /proc/ # used by root (coarse-grained way) recursive: true action: Allow + +# test +# $ cat /credentials/password +# password file +# $ cat /credentials/keys/priv.key +# cat: /credentials/keys/priv.key: Permission denied 
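Review bot: ksp-ubuntu-4-file-dir-allow.yaml now allows `/etc/` and `/proc/` recursively (commented as coarse-grained) in an Allow policy, so the `cat /etc/hostname` negative check used by the sibling scenarios would pass here, yet the new test block's only negative case is `/credentials/keys/priv.key`, a subdirectory of the allowed `/credentials/`. Add one step outside every allowed directory so the default-deny side of the policy is still exercised, e.g. `# $ cat /home/user1/secret_data1.txt` → `# cat: /home/user1/secret_data1.txt: Permission denied`, assuming that file exists in ubuntu-4 as it does in ubuntu-2 and ubuntu-3. The same coarse-grained `/etc/` and `/proc/` allowances are added in ksp-ubuntu-4-file-path-readonly-allow.yaml, whose test block also has no case outside the allowed set.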
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-audit.yaml index 6bcfff4bae..fbc71be974 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-audit.yaml @@ -12,7 +12,13 @@ spec: matchLabels: container: ubuntu-4 file: - matchDirectories: # cat /credentials/keys/priv.key (no logs) - - dir: /credentials/ # cat /credentials/password (logs, Audit(Block)) + matchDirectories: + - dir: /credentials/ action: Audit + +# test +# $ cat /credentials/password +# password file (audit) +# $ cat /credentials/keys/priv.key +# key file (no log) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-block.yaml index 071e102c25..558f972d80 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-block.yaml @@ -12,7 +12,13 @@ spec: matchLabels: container: ubuntu-4 file: - matchDirectories: # cat /credentials/keys/priv.key (success) - - dir: /credentials/ # cat /credentials/password (permission denied) + matchDirectories: + - dir: /credentials/ action: Block + +# test +# $ cat /credentials/password +# cat: /credentials/password: Permission denied +# $ cat /credentials/keys/priv.key +# key file diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow-from-source-path.yaml index 4f3ba07d33..473e2702e0 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow-from-source-path.yaml 
@@ -11,25 +11,21 @@ spec: selector: matchLabels: container: ubuntu-4 - process: - matchDirectories: - - dir: /bin/ # need some exectuables to test - - dir: /usr/bin/ file: - matchDirectories: - - dir: /dev/pts/ - recursive: true matchPaths: - - path: /dev/tty - readOnly: false - - path: /etc/passwd - readOnly: true # ./readwrite -r /etc/passwd (success) - fromSource: # head /etc/passwd (permission denied) - - path: /readwrite # ./readwrite -w /etc/passwd (permission denied) - - path: /secret.txt # echo "test" >> /secret.txt (success) - - path: /credentials/password # echo "test" >> /credentials/password (permission denied) - readOnly: true # ./readwrite -r /credentials/password (success) - fromSource: # cat /credentials/password (permission denied) - - path: /readwrite # ./readwrite -w /credentials/password (permission denied) + - path: /credentials/password + readOnly: true + fromSource: + - path: /readwrite action: Allow + +# multiubuntu_test_19 + +# test +# $ ./readwrite -r /credentials/password +# p +# $ ./readwrite -w /credentials/password +# Error! (permission denied) +# $ ./readwrite -r /secret.txt +# Error! (permission denied) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow.yaml index 2c2ef8f4ca..ad9411ef87 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow.yaml 
@@ -13,20 +13,29 @@ spec: container: ubuntu-4 process: matchDirectories: - - dir: /bin/ # need some exectuables to test - file: - matchDirectories: - - dir: /dev/pts/ + - dir: /bin/ # used by root + recursive: true + - dir: /usr/bin/ # used by root recursive: true + file: matchPaths: - - path: /dev/tty - readOnly: false - - path: /etc/passwd - readOnly: true - - path: /etc/nsswitch.conf - readOnly: true - - path: /secret.txt # echo "test" >> /secret.txt (success) - - path: /credentials/password # echo "test" >> /credentials/password (permission denied) + - path: /credentials/password readOnly: true + - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root + - path: /dev/tty + matchDirectories: + - dir: /etc/ # used by root (coarse-grained way) + recursive: true + - dir: /proc/ # used by root (coarse-grained way) + recursive: true action: Allow + +# multiubuntu_test_09 + +# test +# $ cat /credentials/password +# password file +# $ echo "test" >> /credentials/password +# bash: /credentials/password: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit-from-source-path.yaml index fe7ba9a81c..0146aff9b4 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit-from-source-path.yaml 
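Review bot: The new allow-list in ksp-ubuntu-4-file-path-readonly-allow.yaml grants `/etc/` and `/proc/` recursively without `readOnly: true`, while the removed side listed `/etc/passwd` with `readOnly: true`, so the example now permits writes under /etc that the earlier version refused, and the test block checks only /credentials/password. If the root shell only needs to read these trees, adding `readOnly: true` under each of the two dir entries (the attribute is already used on `matchDirectories` in ksp-ubuntu-5-file-dir-recursive-readonly-allow.yaml) keeps the example from teaching an over-broad allow rule. The same `/etc/` and `/proc/` pattern appears in ksp-ubuntu-5-file-dir-recursive-owner-allow.yaml, ksp-ubuntu-5-file-dir-recursive-readonly-allow.yaml and ksp-ubuntu-5-file-path-owner-readonly-allow.yaml; there `su` may need some writes (/run/utmp is already listed separately), so the test commands in each hunk should be re-run before narrowing.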
@@ -14,13 +14,23 @@ spec: file: matchPaths: - path: /etc/passwd - readOnly: true # /bin/cat /etc/passwd (no logs) + readOnly: true fromSource: - - path: /bin/cat # /bin/vi /etc/passwd (logs) - - path: /secret.txt # echo "test" >> /secret.txt (no logs) - - path: /credentials/password # echo "test" >> /credentials/password (logs) - readOnly: true # /bin/cat /credentials/password (logs) + - path: /bin/cat + - path: /secret.txt + - path: /credentials/password + readOnly: true fromSource: - - path: /bin/cat # /bin/cat /credentials/password (logs) + - path: /bin/cat action: Audit + +# test +# $ cat /etc/passwd +# root:x:0:0:root:/root:/bin/bash (audit) +# $ echo "test" >> /secret.txt +# (nothing is displayed) (audit) +# $ cat /credentials/password +# password file (audit) +# $ cat /credentials/keys/priv.key +# key file (no log) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit.yaml index 7fb10a0e4b..c8a12f4b03 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit.yaml @@ -13,12 +13,18 @@ spec: container: ubuntu-4 file: matchPaths: - - path: /etc/passwd # cat /etc/passwd (no log) + - path: /etc/passwd readOnly: true - - path: /etc/nsswitch.conf + - path: /secret.txt readOnly: true - - path: /secret.txt # echo "test" >> /secret.txt (no log) - - path: /credentials/password # echo "test" >> /credentials/password (log, write op) - readOnly: true # cat /credentials/password (no log, read op) + - path: /credentials/password action: Audit + +# test +# $ head /etc/passwd +# root:x:0:0:root:/root:/bin/bash (audit) +# $ echo "test" >> /secret.txt +# (nothing is displayed) (no log) +# $ cat /credentials/password +# password file (audit) 
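Review bot: The expected outputs in the ksp-ubuntu-4-file-path-readonly-audit.yaml hunk show that under `action: Audit` a `readOnly: true` rule logs the read (`head /etc/passwd` → audit) and not the write (`echo "test" >> /secret.txt` → no log), i.e. the rule audits the accesses it matches rather than the ones a Block rule would refuse. The same holds for `ownerOnly: true` in ksp-ubuntu-5-file-dir-recursive-owner-audit.yaml and ksp-ubuntu-5-file-path-owner-readonly-audit.yaml, where only user1's accesses are logged and root's are not, and for ksp-ubuntu-5-file-dir-recursive-readonly-audit.yaml. This is the opposite of what the removed comments claimed and is easy to misread by anyone using Audit mode to watch for unauthorized access, so each of these policies should say it, e.g. `# Audit with readOnly/ownerOnly logs the matching accesses (reads / owner); the complementary writes / non-owner accesses produce no log` above `action: Audit`. If the intent was instead to log the violations, the expected outputs here are wrong and need confirming against the enforcer.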
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block-from-source-path.yaml index fbac00fb5b..00212a8a7a 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block-from-source-path.yaml @@ -14,8 +14,18 @@ spec: file: matchPaths: - path: /credentials/password - readOnly: true # ./readwrite -r /credentials/password (success) - fromSource: # ./readwrite -w /credentials/password (permission denied) - - path: /readwrite # /bin/cat /credentials/password (success) + readOnly: true + fromSource: + - path: /readwrite action: Block + +# multiubuntu_test_20 + +# test +# $ ./readwrite -r /credentials/password +# p +# $ ./readwrite -w /credentials/password +# Error! (permission denied) +# $ ./readwrite -r /secret.txt +# s diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block.yaml index 694f45247e..a49c4bbd0d 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block.yaml 
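Review bot: The test block for ksp-ubuntu-4-file-path-readonly-block-from-source-path.yaml no longer shows that the write block is scoped to /readwrite; the removed comment `/bin/cat /credentials/password (success)` at least exercised a second source, whereas all three new cases run /readwrite and the third (`./readwrite -r /secret.txt`) varies the path, not the source. Without a case from another process, such as `# $ echo "test" >> /credentials/password` from the shell with the success it should have under a source-scoped rule, the scenario cannot be told apart from the unscoped ksp-ubuntu-4-file-path-readonly-block.yaml. The matching cmd file under multiubuntu_test_20 would need the same addition.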
@@ -13,12 +13,15 @@ spec: container: ubuntu-4 file: matchPaths: - - path: /etc/passwd # cat /etc/passwd (success) - readOnly: true # echo "newuser" >> /etc/passwd (permission denied) - - path: /etc/nsswitch.conf # head /etc/nsswitch.conf (success) - readOnly: true # /bin/vi /etc/nsswitch.conf (readonly warning:cant open file for writing) - - path: /secret.txt # cat /secret.txt (permission denied) - - path: /credentials/password # echo "test" >> /credentials/password (permission denied) - readOnly: true # cat /credentials/password (success) + - path: /credentials/password + readOnly: true action: Block + +# multiubuntu_test_16 + +# test +# $ cat /credentials/password +# password file +# $ echo "test" >> /credentials/password +# bash: /credentials/password: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-block.yaml index 21e7dbc702..b24dc2aa56 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-block.yaml @@ -10,7 +10,13 @@ spec: container: ubuntu-5 file: matchDirectories: - - dir: /credentials/ # try 'cat /credentials/password' (permission denied) + - dir: /credentials/ recursive: true action: Block + +# multiubuntu_test_06 + +# test +# $ cat /credentials/password +# cat: /credentials/password: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-allow.yaml index 47f87bc2aa..eda4ae6cfe 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-allow.yaml 
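Review bot: The test block for ksp-ubuntu-5-file-dir-recursive-block.yaml exercises only /credentials/password, which a non-recursive rule would deny just as well, so `recursive: true` is not actually covered; the non-recursive ubuntu-4 dir policies on this page already use /credentials/keys/priv.key as their subdirectory case. Adding `# $ cat /credentials/keys/priv.key` with `# cat: /credentials/keys/priv.key: Permission denied`, plus the matching cmd file under multiubuntu_test_06, would verify the recursive behaviour this policy exists to demonstrate.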
@@ -10,23 +10,35 @@ spec: container: ubuntu-5 process: matchDirectories: - - dir: /bin/ # required to change root to user1 / try 'su - user1' + - dir: /bin/ # required to change root to user1 recursive: true - dir: /usr/bin/ # used in changing accounts recursive: true file: matchPaths: - - path: /run/utmp # required to change root to user1 - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root - path: /home/user1/.profile # used by user1 - path: /home/user1/.bashrc # used by user1 - matchDirectories: # cat /home/user1/dir1/key1.txt (permission denied) - - dir: /home/user1/ # su - user1 -c "cat /home/user1/dir1/key1.txt" (success) - recursive: true # su - user1 -c "echo test >> /home/user1/secret_data1.txt" (success) - ownerOnly: true # echo testroot >> /home/user1/secret_data1.txt (permission denied) + - path: /run/utmp # required to change root to user1 + - path: /dev/tty + matchDirectories: + - dir: /home/user1/ + recursive: true + ownerOnly: true - dir: /etc/ # required to change root to user1 (coarse-grained way) recursive: true - dir: /proc/ # required to change root to user1 (coarse-grained way) recursive: true action: Allow + +# test +# $ cat /home/user1/dir1/key1.txt +# cat: /home/user1/dir1/key1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/dir1/key1.txt" +# key file 1 +# $ su - user1 -c "echo user1 >> /home/user1/secret_data1.txt" +# (nothing is displayed) +# $ echo root >> /home/user1/secret_data1.txt +# bash: /home/user1/secret_data1.txt: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-audit.yaml index 7e0ee84201..d0fa66c511 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-audit.yaml 
@@ -9,9 +9,19 @@ spec: matchLabels: container: ubuntu-5 file: - matchDirectories: # cat /home/user1/dir1/key1.txt (logs) - - dir: /home/user1/ # su - user1 -c "cat /home/user1/dir1/key1.txt" (no logs) - recursive: true # su - user1 -c "echo test >> /home/user1/secret_data1.txt" (no logs) - ownerOnly: true # echo testroot >> /home/user1/secret_data1.txt (logs) + matchDirectories: + - dir: /home/user1/ + recursive: true + ownerOnly: true action: Audit + +# test +# $ cat /home/user1/dir1/key1.txt +# key file 1 (no log) +# $ su - user1 -c "cat /home/user1/dir1/key1.txt" +# key file 1 (audit) +# $ su - user1 -c "echo user1 >> /home/user1/secret_data1.txt" +# (nothing is displayed) (audit) +# $ echo root >> /home/user1/secret_data1.txt +# (nothing is displayed) (no log) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-block.yaml index c702473889..f6dc60eedc 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-owner-block.yaml 
@@ -9,9 +9,19 @@ spec: matchLabels: container: ubuntu-5 file: - matchDirectories: # cat /home/user1/dir1/key1.txt (permission denied) - - dir: /home/user1/ # su - user1 -c "cat /home/user1/dir1/key1.txt" (success) - recursive: true # su - user1 -c "echo test >> /home/user1/secret_data1.txt" (success) - ownerOnly: true # echo testroot >> /home/user1/secret_data1.txt (permission denied) + matchDirectories: + - dir: /home/user1/ + recursive: true + ownerOnly: true action: Block + +# test +# $ cat /home/user1/dir1/key1.txt +# cat: /home/user1/dir1/key1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/dir1/key1.txt" +# key file 1 +# $ su - user1 -c "echo user1 >> /home/user1/secret_data1.txt" +# (nothing is displayed) +# $ echo root >> /home/user1/secret_data1.txt +# bash: /home/user1/secret_data1.txt: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-allow.yaml index 76d966ec52..0aee0630af 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-allow.yaml 
@@ -16,13 +16,26 @@ spec: - dir: /bin/ # need some exectuables to test file: matchPaths: + - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root - path: /dev/tty - readOnly: false - matchDirectories: # cat /credentials/keys/priv.key (success) - - dir: /credentials/ # cat /credentials/password (success) - recursive: true # echo test >> /credentials/keys/priv.key (permission denied) - readOnly: true # echo test >> /credentials/password (permission denied) - - dir: /dev/pts/ + matchDirectories: + - dir: /credentials/ + recursive: true + readOnly: true + - dir: /etc/ # used by root (coarse-grained way) + recursive: true + - dir: /proc/ # used by root (coarse-grained way) recursive: true action: Allow + +# test +# $ cat /credentials/keys/priv.key +# key file +# $ cat /credentials/password +# password file +# $ echo test >> /credentials/keys/priv.key +# bash: /credentials/keys/priv.key: Permission denied +# $ echo test >> /credentials/password +# bash: /credentials/password: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-audit.yaml index 8048631615..2b148f791b 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-audit.yaml 
@@ -12,9 +12,19 @@ spec: matchLabels: container: ubuntu-5 file: - matchDirectories: # cat /credentials/keys/priv.key (no logs) - - dir: /credentials/ # cat /credentials/password (no logs) - recursive: true # echo test >> /credentials/keys/priv.key (logs) - readOnly: true # echo test >> /credentials/password (logs) + matchDirectories: + - dir: /credentials/ + recursive: true + readOnly: true action: Audit + +# test +# $ cat /credentials/keys/priv.key +# key file (audit) +# $ cat /credentials/password +# password file (audit) +# $ echo test >> /credentials/keys/priv.key +# (nothing is displayed) (no log) +# $ echo test >> /credentials/password +# (nothing is displayed) (no log) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-block.yaml index 29019fc184..d1065810a8 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-block.yaml @@ -12,9 +12,19 @@ spec: matchLabels: container: ubuntu-5 file: - matchDirectories: # cat /credentials/keys/priv.key (success) - - dir: /credentials/ # cat /credentials/password (success) - recursive: true # echo test >> /credentials/keys/priv.key (permission denied) - readOnly: true # echo test >> /credentials/password (permission denied) + matchDirectories: + - dir: /credentials/ + recursive: true + readOnly: true action: Block + +# test +# $ cat /credentials/keys/priv.key +# key file +# $ cat /credentials/password +# password file +# $ echo test >> /credentials/keys/priv.key +# bash: /credentials/keys/priv.key: Permission denied +# $ echo test >> /credentials/password +# bash: /credentials/password: Permission denied 
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-allow-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-allow-from-source-path.yaml index 0da859747c..bf7d6dddb1 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-allow-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-allow-from-source-path.yaml @@ -11,18 +11,22 @@ spec: selector: matchLabels: container: ubuntu-5 - process: - matchPaths: - - path: /readwrite - matchDirectories: - - dir: /bin/ - - dir: /usr/bin/ file: matchPaths: - path: /home/user1/secret_data1.txt - readOnly: true # su - user1 -c "./readwrite -r /home/user1/secret_data1.txt" (success) - ownerOnly: true # su - user1 -c "./readwrite -w /home/user1/secret_data1.txt" (permission denied) - fromSource: # ./readwrite -r /home/user1/secret_data1.txt (permission denied) - - path: /readwrite # ./readwrite -w /home/user1/secret_data1.txt (permission denied) + readOnly: true + ownerOnly: true + fromSource: + - path: /readwrite action: Allow + +# test +# $ ./readwrite -r /home/user1/secret_data1.txt +# Error! (permission denied) +# $ ./readwrite -w /home/user1/secret_data1.txt +# Error! (permission denied) +# $ su - user1 -c "./readwrite -r /home/user1/secret_data1.txt" +# s +# $ su - user1 -c "./readwrite -w /home/user1/secret_data1.txt" +# (nothing is displayed) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-allow.yaml index ad8088aaf7..44fd0c9d29 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-allow.yaml 
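Review bot: In the ksp-ubuntu-5-file-path-owner-readonly-allow-from-source-path.yaml hunk the last expected output, `(nothing is displayed)` for `su - user1 -c "./readwrite -w /home/user1/secret_data1.txt"`, reads as a successful write, yet the rule carries `readOnly: true`; the removed comment expected permission denied for that command, and the sibling policies on this page print `Error! (permission denied)` whenever a readwrite -w is refused. Either this expected output is mistaken or the readOnly restriction is not enforced for the owner in the Allow + fromSource + ownerOnly combination; it should be confirmed against the enforcer before the example is published, since this is exactly the case that would expose a write-protection gap. The scenario also carries no `# multiubuntu_test_NN` tag, so nothing automated would catch the discrepancy.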
@@ -19,21 +19,29 @@ spec: recursive: true file: matchPaths: - - path: /dev/tty - readOnly: false - path: /home/user1/secret_data1.txt - readOnly: true # su - user1 -c /bin/cat /home/user1/secret_data1.txt (success) - ownerOnly: true # su - user1 -c echo "test" >> /home/user1/secret_data1.txt (permission denied) - - path: /run/utmp # required to change root to user1 + readOnly: true + ownerOnly: true - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root - path: /home/user1/.profile # used by user1 - path: /home/user1/.bashrc # used by user1 + - path: /run/utmp # required to change root to user1 + - path: /dev/tty matchDirectories: - dir: /etc/ # required to change root to user1 (coarse-grained way) recursive: true - dir: /proc/ # required to change root to user1 (coarse-grained way) recursive: true - - dir: /dev/pts/ - recursive: true action: Allow + +# multiubuntu_test_22 + +# test +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 +# $ su - user1 -c "cat /home/user1/otherfile.txt" +# cat: /home/user1/otherfile.txt: Permission denied diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-audit.yaml index 7898eebe03..341db7db33 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-audit.yaml 
@@ -15,6 +15,16 @@ spec: matchPaths: - path: /home/user1/secret_data1.txt readOnly: true - ownerOnly: true # su - user1 -c echo "test" >> /home/user1/secret_data1.txt (log) + ownerOnly: true action: Audit + +# test +# $ cat /home/user1/secret_data1.txt +# secret file user1 (no log) +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 (audit) +# $ su - user1 -c "echo test >> /home/user1/secret_data1.txt" +# (nothing is displayed) (no log) +# $ su - user1 -c "cat /home/user1/otherfile.txt" +# other file (no log) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-block-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-block-from-source-path.yaml index 40679934a4..60a7979ce6 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-block-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-block-from-source-path.yaml @@ -14,9 +14,21 @@ spec: file: matchPaths: - path: /home/user1/secret_data1.txt - readOnly: true # su - user1 -c "/readwrite -r /home/user1/secret_data1.txt" (success) - ownerOnly: true # su - user1 -c "/readwrite -w /home/user1/secret_data1.txt" (permission denied) - fromSource: # /readwrite -r /home/user1/secret_data1.txt (permission denied) - - path: /readwrite # /readwrite -w /home/user1/secret_data1.txt (permission denied) + readOnly: true + ownerOnly: true + fromSource: + - path: /readwrite action: Block + +# multiubuntu_test_24 + +# test +# $ su - user1 -c "/readwrite -r /home/user1/secret_data1.txt" +# s +# $ su - user1 -c "/readwrite -w /home/user1/secret_data1.txt" +# Error! (permission denied) +# $ ./readwrite -r /home/user1/secret_data1.txt +# Error! (permission denied) +# $ ./readwrite -w /home/user1/secret_data1.txt +# Error! (permission denied) 
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-block.yaml index e8ff1b14b7..9dc8ad43bc 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-block.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-path-owner-readonly-block.yaml @@ -14,7 +14,19 @@ spec: file: matchPaths: - path: /home/user1/secret_data1.txt - readOnly: true # su - user1 -c /bin/cat /home/user1/secret_data1.txt (success) - ownerOnly: true # su - user1 -c echo "test" >> /home/user1/secret_data1.txt (permission denied) + readOnly: true + ownerOnly: true action: Block + +# multiubuntu_test_23 + +# test +# $ su - user1 -c "cat /home/user1/secret_data1.txt" +# secret file user1 +# $ su - user1 -c "/readwrite -w /home/user1/secret_data1.txt" +# Error! (permission denied) +# $ cat /home/user1/secret_data1.txt +# cat: /home/user1/secret_data1.txt: Permission denied +# $ ./readwrite -w /home/user1/secret_data1.txt +# Error! (permission denied) diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-net-icmp-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-net-icmp-audit.yaml index 5010dbdcf1..b3f1dbdce0 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-net-icmp-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-net-icmp-audit.yaml @@ -10,6 +10,12 @@ spec: container: ubuntu-5 network: matchProtocols: - - protocol: icmp # try 'ping 8.8.8.8' + - protocol: icmp action: Audit + +# multiubuntu_test_07 + +# test +# $ ping -c 1 127.0.0.1 +# PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data. (audit) diff --git a/examples/multiubuntu/security-policies/nsp-group-1-file-dir-recursive-block.yaml b/examples/multiubuntu/security-policies/nsp-group-1-file-dir-recursive-block.yaml index 86318a8e86..42cf6d82fb 100644 
--- a/examples/multiubuntu/security-policies/nsp-group-1-file-dir-recursive-block.yaml +++ b/examples/multiubuntu/security-policies/nsp-group-1-file-dir-recursive-block.yaml @@ -1,7 +1,7 @@ apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: - name: nap-group-1-file-dir-recursive-block + name: nsp-group-1-file-dir-recursive-block namespace: multiubuntu spec: selector: @@ -9,3 +9,9 @@ spec: group: group-1 apparmor: | deny /etc/{*,**} rw, + +# multiubuntu_test_10 + +# test +# $ cat /etc/hostname +# cat: /etc/hostname: Permission denied (defaultPosture) diff --git a/tests/scenarios/github_test_05/cmd3 b/tests/scenarios/github_test_05/cmd3 deleted file mode 100644 index 1f271a269b..0000000000 --- a/tests/scenarios/github_test_05/cmd3 +++ /dev/null @@ -1,7 +0,0 @@ -source: ubuntu-1-deployment -cmd: /bin/cat /etc/hosts -result: failed ---- -operation: File -condition: /etc/hosts -action: Allow diff --git a/tests/scenarios/multiubuntu_test_02/cmd1 b/tests/scenarios/multiubuntu_test_02/cmd1 index b7119048af..cfb2459a47 100644 --- a/tests/scenarios/multiubuntu_test_02/cmd1 +++ b/tests/scenarios/multiubuntu_test_02/cmd1 @@ -4,4 +4,4 @@ result: passed --- operation: Process condition: sleep -action: Audit \ No newline at end of file +action: Audit diff --git a/tests/scenarios/multiubuntu_test_03/cmd1 b/tests/scenarios/multiubuntu_test_03/cmd1 index 8bbdff53f2..d3241f23c4 100644 --- a/tests/scenarios/multiubuntu_test_03/cmd1 +++ b/tests/scenarios/multiubuntu_test_03/cmd1 @@ -1,7 +1,7 @@ source: ubuntu-1-deployment -cmd: curl www.accuknox.com -result: passed +cmd: ping -c 1 127.0.0.1 +result: failed --- operation: Network -condition: SOCK_STREAM +condition: SOCK_RAW action: Block diff --git a/tests/scenarios/multiubuntu_test_03/cmd2 b/tests/scenarios/multiubuntu_test_03/cmd2 deleted file mode 100644 index 377b08f655..0000000000 --- a/tests/scenarios/multiubuntu_test_03/cmd2 +++ /dev/null 
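Review bot: multiubuntu_test_03/cmd1 replaces the positive SOCK_STREAM case (`curl www.accuknox.com`, `result: passed`) with the SOCK_RAW case that cmd2 already held, and the following hunk deletes cmd2, so the scenario keeps only the negative check and no longer shows that the raw-socket block leaves TCP unaffected. Dropping the internet-dependent curl is right, but if a loopback TCP endpoint is reachable inside the test pod a `result: passed` SOCK_STREAM command should take its place; if none exists, a comment in the scenario saying the positive case was removed for that reason would stop someone re-adding an external check later.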
@@ -1,7 +0,0 @@ -source: ubuntu-1-deployment -cmd: ping -c 1 8.8.8.8 -result: failed ---- -operation: Network -condition: SOCK_RAW -action: Block diff --git a/tests/scenarios/multiubuntu_test_05/cmd1 b/tests/scenarios/multiubuntu_test_05/cmd1 index b150d3cf66..22f57c02ff 100644 --- a/tests/scenarios/multiubuntu_test_05/cmd1 +++ b/tests/scenarios/multiubuntu_test_05/cmd1 @@ -1,7 +1,7 @@ source: ubuntu-2-deployment -cmd: whoami +cmd: env result: failed --- operation: Process -condition: whoami +condition: env action: Block diff --git a/tests/scenarios/multiubuntu_test_05/cmd2 b/tests/scenarios/multiubuntu_test_05/cmd2 index 22f57c02ff..b150d3cf66 100644 --- a/tests/scenarios/multiubuntu_test_05/cmd2 +++ b/tests/scenarios/multiubuntu_test_05/cmd2 @@ -1,7 +1,7 @@ source: ubuntu-2-deployment -cmd: env +cmd: whoami result: failed --- operation: Process -condition: env +condition: whoami action: Block diff --git a/tests/scenarios/multiubuntu_test_07/cmd1 b/tests/scenarios/multiubuntu_test_07/cmd1 index f20ee234da..691297244a 100644 --- a/tests/scenarios/multiubuntu_test_07/cmd1 +++ b/tests/scenarios/multiubuntu_test_07/cmd1 @@ -1,5 +1,5 @@ source: ubuntu-5-deployment -cmd: ping -c 1 8.8.8.8 +cmd: ping -c 1 127.0.0.1 result: passed --- operation: Network diff --git a/tests/scenarios/multiubuntu_test_08/cmd1 b/tests/scenarios/multiubuntu_test_08/cmd1 index 2d20609c20..5746201e7f 100644 --- a/tests/scenarios/multiubuntu_test_08/cmd1 +++ b/tests/scenarios/multiubuntu_test_08/cmd1 @@ -3,5 +3,5 @@ cmd: cat /credentials/password result: passed --- operation: File -condition: password -action: Audit +condition: /credentials/password +action: Allow diff --git a/tests/scenarios/multiubuntu_test_08/cmd2 b/tests/scenarios/multiubuntu_test_08/cmd2 new file mode 100644 index 0000000000..dc6786608a --- /dev/null +++ b/tests/scenarios/multiubuntu_test_08/cmd2 
@@ -0,0 +1,7 @@ +source: ubuntu-3-deployment +cmd: cat /etc/hostname +result: failed +--- +operation: File +condition: /etc/hostname +action: Allow diff --git a/tests/scenarios/multiubuntu_test_09/cmd1 b/tests/scenarios/multiubuntu_test_09/cmd1 index 38fe70aa6a..dce9b296f8 100644 --- a/tests/scenarios/multiubuntu_test_09/cmd1 +++ b/tests/scenarios/multiubuntu_test_09/cmd1 @@ -1,7 +1,7 @@ source: ubuntu-4-deployment -cmd: echo test >> /secret.txt +cmd: cat /credentials/password result: passed --- operation: File -condition: secret.txt +condition: /credentials/password action: Allow diff --git a/tests/scenarios/multiubuntu_test_09/cmd2 b/tests/scenarios/multiubuntu_test_09/cmd2 index f9635ee2f6..6029c362ee 100644 --- a/tests/scenarios/multiubuntu_test_09/cmd2 +++ b/tests/scenarios/multiubuntu_test_09/cmd2 @@ -3,5 +3,5 @@ cmd: echo test >> /credentials/password result: failed --- operation: File -condition: password +condition: /credentials/password action: Allow diff --git a/tests/scenarios/multiubuntu_test_10/cmd1 b/tests/scenarios/multiubuntu_test_10/cmd1 index e11ee3b33c..bc9f59c016 100644 --- a/tests/scenarios/multiubuntu_test_10/cmd1 +++ b/tests/scenarios/multiubuntu_test_10/cmd1 @@ -3,5 +3,5 @@ cmd: cat /etc/shells result: failed --- operation: File -condition: "/etc/shells" +condition: /etc/shells action: Block diff --git a/tests/scenarios/multiubuntu_test_10/cmd2 b/tests/scenarios/multiubuntu_test_10/cmd2 index 3021eaae39..d33134c6bc 100644 --- a/tests/scenarios/multiubuntu_test_10/cmd2 +++ b/tests/scenarios/multiubuntu_test_10/cmd2 @@ -3,5 +3,5 @@ cmd: cat /etc/hostname result: failed --- operation: File -condition: "/etc/hostname" +condition: /etc/hostname action: Block diff --git a/tests/scenarios/multiubuntu_test_11/cmd3 b/tests/scenarios/multiubuntu_test_11/cmd3 new file mode 100644 index 0000000000..2b533505d0 --- /dev/null +++ b/tests/scenarios/multiubuntu_test_11/cmd3 
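Review bot: multiubuntu_test_09/cmd1 turns the old `/secret.txt` case into a second /credentials/password check, leaving the scenario with two cases on one path and none on a path the Allow policy does not list, although the unlisted-path denial is the essential property of an allow-list. Since ksp-ubuntu-4-file-path-readonly-allow.yaml no longer lists /secret.txt, the old command could have been kept with `result: failed`, the way multiubuntu_test_19/cmd3 does for `/readwrite -r /secret.txt`, rather than replaced.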
@@ -0,0 +1,7 @@ +source: ubuntu-1-deployment +cmd: cat /etc/hostname +result: passed +--- +operation: File +condition: /etc/hostname +action: Block diff --git a/tests/scenarios/multiubuntu_test_12/cmd1 b/tests/scenarios/multiubuntu_test_12/cmd1 index c3d2e24e4a..8c2b82cadd 100644 --- a/tests/scenarios/multiubuntu_test_12/cmd1 +++ b/tests/scenarios/multiubuntu_test_12/cmd1 @@ -1,7 +1,7 @@ source: ubuntu-2-deployment -cmd: dash -c "sleep 1" -result: passed +cmd: dash -c "ls" +result: failed --- operation: Process -condition: sleep +condition: ls action: Block diff --git a/tests/scenarios/multiubuntu_test_12/cmd2 b/tests/scenarios/multiubuntu_test_12/cmd2 index 8c2b82cadd..da3423d9aa 100644 --- a/tests/scenarios/multiubuntu_test_12/cmd2 +++ b/tests/scenarios/multiubuntu_test_12/cmd2 @@ -1,7 +1,7 @@ source: ubuntu-2-deployment -cmd: dash -c "ls" -result: failed +cmd: dash -c "cat /etc/hostname" +result: passed --- operation: Process -condition: ls +condition: cat action: Block diff --git a/tests/scenarios/multiubuntu_test_16/cmd1 b/tests/scenarios/multiubuntu_test_16/cmd1 index 6610982745..802e410888 100644 --- a/tests/scenarios/multiubuntu_test_16/cmd1 +++ b/tests/scenarios/multiubuntu_test_16/cmd1 @@ -1,7 +1,7 @@ source: ubuntu-4-deployment -cmd: cat /secret.txt -result: failed +cmd: cat /credentials/password +result: passed --- operation: File -condition: secret.txt +condition: /credentials/password action: Block diff --git a/tests/scenarios/multiubuntu_test_16/cmd2 b/tests/scenarios/multiubuntu_test_16/cmd2 index 802e410888..da7b118928 100644 --- a/tests/scenarios/multiubuntu_test_16/cmd2 +++ b/tests/scenarios/multiubuntu_test_16/cmd2 @@ -1,6 +1,6 @@ source: ubuntu-4-deployment -cmd: cat /credentials/password -result: passed +cmd: echo "test" >> /credentials/password +result: failed --- operation: File condition: /credentials/password 
diff --git a/tests/scenarios/multiubuntu_test_16/cmd3 b/tests/scenarios/multiubuntu_test_16/cmd3 deleted file mode 100644 index 0e29339016..0000000000 --- a/tests/scenarios/multiubuntu_test_16/cmd3 +++ /dev/null @@ -1,7 +0,0 @@ -source: ubuntu-4-deployment -cmd: echo test >> /credentials/password -result: failed ---- -operation: File -condition: /credentials/password -action: Block diff --git a/tests/scenarios/multiubuntu_test_16/cmd4 b/tests/scenarios/multiubuntu_test_16/cmd4 deleted file mode 100644 index 599699edb7..0000000000 --- a/tests/scenarios/multiubuntu_test_16/cmd4 +++ /dev/null @@ -1,7 +0,0 @@ -source: ubuntu-4-deployment -cmd: cat /etc/hosts -result: passed ---- -operation: File -condition: /etc/hosts -action: Block diff --git a/tests/scenarios/multiubuntu_test_17/cmd1 b/tests/scenarios/multiubuntu_test_17/cmd1 index aa8f3cca83..64e80aaaa3 100644 --- a/tests/scenarios/multiubuntu_test_17/cmd1 +++ b/tests/scenarios/multiubuntu_test_17/cmd1 @@ -1,5 +1,5 @@ source: ubuntu-4-deployment -cmd: /bin/cat /secret.txt +cmd: cat /secret.txt result: passed --- operation: File diff --git a/tests/scenarios/multiubuntu_test_17/cmd2 b/tests/scenarios/multiubuntu_test_17/cmd2 index d2f876c50d..17a593924c 100644 --- a/tests/scenarios/multiubuntu_test_17/cmd2 +++ b/tests/scenarios/multiubuntu_test_17/cmd2 @@ -1,7 +1,7 @@ source: ubuntu-4-deployment -cmd: head /secret.txt +cmd: cat /etc/hosts result: failed --- operation: File -condition: /secret.txt +condition: /etc/hosts action: Allow diff --git a/tests/scenarios/multiubuntu_test_17/cmd3 b/tests/scenarios/multiubuntu_test_17/cmd3 deleted file mode 100644 index eff9b52e4f..0000000000 --- a/tests/scenarios/multiubuntu_test_17/cmd3 +++ /dev/null @@ -1,7 +0,0 @@ -source: ubuntu-4-deployment -cmd: /bin/cat /etc/hosts -result: failed ---- -operation: File -condition: /etc/hosts -action: Allow diff --git a/tests/scenarios/multiubuntu_test_18/cmd1 b/tests/scenarios/multiubuntu_test_18/cmd1 index 24fc88e548..07dc9e9b20 100644 
--- a/tests/scenarios/multiubuntu_test_18/cmd1 +++ b/tests/scenarios/multiubuntu_test_18/cmd1 @@ -1,5 +1,5 @@ source: ubuntu-4-deployment -cmd: head /secret.txt +cmd: head /secret.txt result: passed --- operation: File diff --git a/tests/scenarios/multiubuntu_test_18/cmd2 b/tests/scenarios/multiubuntu_test_18/cmd2 index e6bf595d99..982069aa37 100644 --- a/tests/scenarios/multiubuntu_test_18/cmd2 +++ b/tests/scenarios/multiubuntu_test_18/cmd2 @@ -1,5 +1,5 @@ source: ubuntu-4-deployment -cmd: cat /secret.txt +cmd: cat /secret.txt result: failed --- operation: File diff --git a/tests/scenarios/multiubuntu_test_19/cmd1 b/tests/scenarios/multiubuntu_test_19/cmd1 index 77a926bed5..033bee0ee1 100644 --- a/tests/scenarios/multiubuntu_test_19/cmd1 +++ b/tests/scenarios/multiubuntu_test_19/cmd1 @@ -1,5 +1,5 @@ source: ubuntu-4-deployment -cmd: /readwrite -r /credentials/password +cmd: /readwrite -r /credentials/password result: passed --- operation: File diff --git a/tests/scenarios/multiubuntu_test_19/cmd2 b/tests/scenarios/multiubuntu_test_19/cmd2 index 8419a44662..e280688287 100644 --- a/tests/scenarios/multiubuntu_test_19/cmd2 +++ b/tests/scenarios/multiubuntu_test_19/cmd2 @@ -1,5 +1,5 @@ source: ubuntu-4-deployment -cmd: /readwrite -w /credentials/password +cmd: /readwrite -w /credentials/password result: failed --- operation: File diff --git a/tests/scenarios/multiubuntu_test_19/cmd3 b/tests/scenarios/multiubuntu_test_19/cmd3 index cd7e766408..a516d5ad02 100644 --- a/tests/scenarios/multiubuntu_test_19/cmd3 +++ b/tests/scenarios/multiubuntu_test_19/cmd3 @@ -1,7 +1,7 @@ source: ubuntu-4-deployment -cmd: cat /credentials/password +cmd: /readwrite -r /secret.txt result: failed --- operation: File -condition: /credentials/password +condition: /secret.txt action: Allow diff --git a/tests/scenarios/multiubuntu_test_20/cmd2 b/tests/scenarios/multiubuntu_test_20/cmd2 index e376d1a425..eaa24cb8c0 100644 --- a/tests/scenarios/multiubuntu_test_20/cmd2 
+++ b/tests/scenarios/multiubuntu_test_20/cmd2
@@ -1,5 +1,5 @@
 source: ubuntu-4-deployment
-cmd: /readwrite -w /credentials/password
+cmd: /readwrite -w /credentials/password
 result: failed
 ---
 operation: File
diff --git a/tests/scenarios/multiubuntu_test_20/cmd3 b/tests/scenarios/multiubuntu_test_20/cmd3
index 9cfc62a797..258c5e1b8a 100644
--- a/tests/scenarios/multiubuntu_test_20/cmd3
+++ b/tests/scenarios/multiubuntu_test_20/cmd3
@@ -1,7 +1,7 @@
 source: ubuntu-4-deployment
-cmd: head /credentials/password
+cmd: /readwrite -r /secret.txt
 result: passed
 ---
 operation: File
-condition: /credentials/password
+condition: /secret.txt
 action: Block
diff --git a/tests/scenarios/multiubuntu_test_22/cmd1 b/tests/scenarios/multiubuntu_test_22/cmd1
index 11c53c06a9..5735c8fdbd 100644
--- a/tests/scenarios/multiubuntu_test_22/cmd1
+++ b/tests/scenarios/multiubuntu_test_22/cmd1
@@ -1,5 +1,5 @@
 source: ubuntu-5-deployment
-cmd: su - user1 -c "/bin/cat /home/user1/secret_data1.txt"
+cmd: su - user1 -c "cat /home/user1/secret_data1.txt"
 result: passed
 ---
 operation: File
diff --git a/tests/scenarios/multiubuntu_test_22/cmd3 b/tests/scenarios/multiubuntu_test_22/cmd3
index 626e47c91c..cbfdb0cd67 100644
--- a/tests/scenarios/multiubuntu_test_22/cmd3
+++ b/tests/scenarios/multiubuntu_test_22/cmd3
@@ -1,5 +1,5 @@
 source: ubuntu-5-deployment
-cmd: /bin/cat /home/user1/secret_data1.txt
+cmd: cat /home/user1/secret_data1.txt
 result: failed
 ---
 operation: File
diff --git a/tests/scenarios/multiubuntu_test_23/cmd1 b/tests/scenarios/multiubuntu_test_23/cmd1
index bb5c2a8013..1735c792a5 100644
--- a/tests/scenarios/multiubuntu_test_23/cmd1
+++ b/tests/scenarios/multiubuntu_test_23/cmd1
@@ -1,6 +1,6 @@
 source: ubuntu-5-deployment
-cmd: echo test >> /home/user1/secret_data1.txt
-result: failed
+cmd: su - user1 -c "cat /home/user1/secret_data1.txt"
+result: passed
 ---
 operation: File
 condition: /home/user1/secret_data1.txt
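Review bot: In the test_22/cmd1 and cmd3 hunks the command drops the absolute path, `/bin/cat` becoming a bare `cat`, so which binary the scenario exercises now depends on the container's PATH rather than a fixed path. If the policy under test constrains access by executable path (the policy examples elsewhere in this series use `fromSource: - path: /bin/cat`), a base image with merged /usr would resolve `cat` to /usr/bin/cat and the scenario would fail for a reason unrelated to the policy; this is inferred from the policy examples, not from these files. Either keep the absolute `/bin/cat` in these cmd lines, or record next to the scenarios which image layout they assume.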
diff --git a/tests/scenarios/multiubuntu_test_23/cmd2 b/tests/scenarios/multiubuntu_test_23/cmd2
index e7e5b20003..37668c985c 100644
--- a/tests/scenarios/multiubuntu_test_23/cmd2
+++ b/tests/scenarios/multiubuntu_test_23/cmd2
@@ -1,5 +1,5 @@
 source: ubuntu-5-deployment
-cmd: cat /home/user1/secret_data1.txt
+cmd: su - user1 -c "/readwrite -w /home/user1/secret_data1.txt"
 result: failed
 ---
 operation: File
diff --git a/tests/scenarios/multiubuntu_test_23/cmd3 b/tests/scenarios/multiubuntu_test_23/cmd3
index 895d78d228..e7e5b20003 100644
--- a/tests/scenarios/multiubuntu_test_23/cmd3
+++ b/tests/scenarios/multiubuntu_test_23/cmd3
@@ -1,5 +1,5 @@
 source: ubuntu-5-deployment
-cmd: su - user1 -c "echo test >> /home/user1/secret_data1.txt"
+cmd: cat /home/user1/secret_data1.txt
 result: failed
 ---
 operation: File
diff --git a/tests/scenarios/multiubuntu_test_23/cmd4 b/tests/scenarios/multiubuntu_test_23/cmd4
index 1735c792a5..330ca2ea96 100644
--- a/tests/scenarios/multiubuntu_test_23/cmd4
+++ b/tests/scenarios/multiubuntu_test_23/cmd4
@@ -1,6 +1,6 @@
 source: ubuntu-5-deployment
-cmd: su - user1 -c "cat /home/user1/secret_data1.txt"
-result: passed
+cmd: /readwrite -w /home/user1/secret_data1.txt
+result: failed
 ---
 operation: File
 condition: /home/user1/secret_data1.txt
diff --git a/tests/scenarios/multiubuntu_test_24/cmd3 b/tests/scenarios/multiubuntu_test_24/cmd3
index 330ca2ea96..b30200d28a 100644
--- a/tests/scenarios/multiubuntu_test_24/cmd3
+++ b/tests/scenarios/multiubuntu_test_24/cmd3
@@ -1,5 +1,5 @@
 source: ubuntu-5-deployment
-cmd: /readwrite -w /home/user1/secret_data1.txt
+cmd: /readwrite -r /home/user1/secret_data1.txt
 result: failed
 ---
 operation: File
diff --git a/tests/scenarios/multiubuntu_test_24/cmd4 b/tests/scenarios/multiubuntu_test_24/cmd4
index b30200d28a..330ca2ea96 100644
--- a/tests/scenarios/multiubuntu_test_24/cmd4
+++ b/tests/scenarios/multiubuntu_test_24/cmd4
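Review bot: The test_23/cmd2 and cmd4 hunks replace `echo test >> /home/user1/secret_data1.txt` with `/readwrite -w /home/user1/secret_data1.txt`, but nothing in the series records why the shell form was dropped. The likely reason is that `>>` redirection is performed by the shell itself, so the process that opens the file is the shell rather than a separate binary, which changes which executable a path-based policy attributes the write to; that motivation is inferred here, not stated in the diff. Because the scenario format shown has no comment field, please capture the rationale in the scenarios' README or the commit message, along the lines of "write through /readwrite rather than echo/redirection so the open() comes from a distinct executable, not the shell", so a later cleanup does not reintroduce `echo`.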
@@ -1,5 +1,5 @@
 source: ubuntu-5-deployment
-cmd: /readwrite -r /home/user1/secret_data1.txt
+cmd: /readwrite -w /home/user1/secret_data1.txt
 result: failed
 ---
 operation: File

From 8c2848edc83cbd185a1a91ff4d4db97627d2c586 Mon Sep 17 00:00:00 2001
From: Jaehyun Nam
Date: Mon, 18 Apr 2022 05:54:39 +0000
Subject: [PATCH 2/3] update documents

Signed-off-by: Jaehyun Nam
---
 getting-started/default_posture.md | 2 +-
 getting-started/security_policy_examples.md | 121 ++++++++++++--------
 2 files changed, 76 insertions(+), 47 deletions(-)

diff --git a/getting-started/default_posture.md b/getting-started/default_posture.md
index 22394b95b0..0f42e5da19 100644
--- a/getting-started/default_posture.md
+++ b/getting-started/default_posture.md
@@ -157,4 +157,4 @@ Labels: kubernetes.io/metadata.name=multiubuntu
 Annotations: kubearmor-network-posture: audit
 Status: Active
 ```
-We can see that, annotation value was automatically updated to audit since that was global mode of operation for network in the KubeArmor configuration.
\ No newline at end of file
+We can see that, annotation value was automatically updated to audit since that was global mode of operation for network in the KubeArmor configuration.
diff --git a/getting-started/security_policy_examples.md b/getting-started/security_policy_examples.md
index fb67fa045c..fc19f9f586 100644
--- a/getting-started/security_policy_examples.md
+++ b/getting-started/security_policy_examples.md
@@ -24,7 +24,7 @@ Here, we demonstrate how to define security policies using our example microserv * Explanation: The purpose of this policy is to block the execution of '/bin/sleep' in the containers with the 'group-1' label. For this, we define the 'group-1' label in selector -> matchLabels and the specific path \('/bin/sleep'\) in process -> matchPaths. Also, we put 'Block' as the action of this policy. - * Verification: After applying this policy, please get into one of the containers with the 'group-1' \(using "kubectl -n multiubuntu exec -it ubuntu-X-deployment-... -- bash"\) and run '/bin/sleep'. You will see that /bin/sleep is blocked. + * Verification: After applying this policy, please get into one of the containers with the 'group-1' \(using "kubectl -n multiubuntu exec -it ubuntu-X-deployment-... -- bash"\) and run '/bin/sleep'. You will see that /bin/sleep is blocked. * Block all executables in a specific directory \([ksp-ubuntu-1-proc-dir-block.yaml](../examples/multiubuntu/security-policies/ksp-ubuntu-1-proc-dir-block.yaml)\) 
@@ -47,7 +47,7 @@ Here, we demonstrate how to define security policies using our example microserv * Explanation: The purpose of this policy is to block all executables in the '/sbin' directory. Since we want to block all executables rather than a specific executable, we use matchDirectories to specify the executables in the '/sbin' directory at once. - * Verification: After applying this policy, please get into the container with the 'ubuntu-1' label and run '/sbin/route' to see if this command is allowed \(this command will be blocked\). + * Verification: After applying this policy, please get into the container with the 'ubuntu-1' label and run '/sbin/route' to see if this command is allowed \(this command will be blocked\). * Block all executables in a specific directory and its subdirectories \([ksp-ubuntu-2-proc-dir-recursive-block.yaml](../examples/multiubuntu/security-policies/ksp-ubuntu-2-proc-dir-recursive-block.yaml)\) 
@@ -71,36 +71,38 @@ Here, we demonstrate how to define security policies using our example microserv * Explanation: As the extension of the previous policy, we want to block all executables in the '/usr' directory and its subdirectories \(e.g., '/usr/bin', '/usr/sbin', and '/usr/local/bin'\). Thus, we add 'recursive: true' to extend the scope of the policy. - * Verification: After applying this policy, please get into the container with the 'ubuntu-2' label and run '/usr/bin/env' or '/usr/bin/whoami'. You will see that those commands are blocked. + * Verification: After applying this policy, please get into the container with the 'ubuntu-2' label and run '/usr/bin/env' or '/usr/bin/whoami'. You will see that those commands are blocked. - * Allow specific executables only \([ksp-ubuntu-3-proc-dir-allow.yaml](../examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-dir-allow.yaml)\) + * Allow specific executables to access certain files only \([ksp-ubuntu-3-file-dir-allow-from-source-path.yaml](../examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-allow-from-source-path.yaml)\) ```text apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: - name: ksp-ubuntu-3-proc-dir-allow + name: ksp-ubuntu-3-file-dir-allow-from-source-path namespace: multiubuntu spec: + severity: 10 + message: "a critical directory was accessed" + tags: + - WARNNING selector: matchLabels: container: ubuntu-3 - process: - matchDirectories: - - dir: /bin/ file: matchDirectories: - - dir: /credentials/ # some files to test - recursive: true + - dir: /credentials/ + fromSource: + - path: /bin/cat action: Allow ``` - * Explanation: Unlike the previous policies, we want the container with the 'ubuntu-3' label only to execute specific executables. To achieve this goal, we first define the scope of this policy using matchDirectories \(you can also use matchPaths\). Then, we define the 'Allow' action instead of the 'Block' action. 
+ * Explanation: Here, we want the container with the 'ubuntu-3' label only to access certain files by specific executables. Otherwise, we want to block any other file accesses. To achieve this goal, we define the scope of this policy using matchDirectories with fromSource and use the 'Allow' action. - * Verification: In this policy, we allow some files \(i.e., /credentials/\*\) for verification. After applying this policy, please get into the container with the 'ubuntu-3' label and run 'cd /credentials', 'ls', and 'cat /credentials/password'. You will see that all of the binaries in /bin work well. Now, please simply run 'awk' or 'diff'. Then, those commands will be blocked since they are in /usr/bin. + * Verification: In this policy, we allow /bin/cat to access the files in /credentials only. After applying this policy, please get into the container with the 'ubuntu-3' label and run 'cat /credentials/password'. This command will be allowed with no errors. Now, please run 'cat /etc/hostname'. Then, this command will be blocked since /bin/cat is only allowed to access /credentials/\*. - * Allow a specific executable to be launched by its owner only \([ksp-ubuntu-3-proc-path-owner-only.yaml](../examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-only.yaml)\) + * Allow a specific executable to be launched by its owner only \([ksp-ubuntu-3-proc-path-owner-allow.yaml](../examples/multiubuntu/security-policies/ksp-ubuntu-3-proc-path-owner-allow.yaml)\) ```text apiVersion: security.kubearmor.com/v1 @@ -109,6 +111,7 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-ubuntu-3-proc-path-owner-allow namespace: multiubuntu spec: + severity: 7 selector: matchLabels: container: ubuntu-3 
@@ -116,22 +119,31 @@ Here, we demonstrate how to define security policies using our example microserv matchPaths: - path: /home/user1/hello ownerOnly: true - - path: /bin/su # need to change users - file: - matchDirectories: # some files are used by /bin/su (coarse-grained way) - - dir: /etc/ + matchDirectories: + - dir: /bin/ # required to change root to user1 recursive: true - - dir: /proc/ + - dir: /usr/bin/ # used in changing accounts recursive: true + file: matchPaths: - - path: /run/utmp # used by /bin/su + - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root + - path: /home/user1/.profile # used by user1 + - path: /home/user1/.bashrc # used by user1 + - path: /run/utmp # required to change root to user1 + - path: /dev/tty + matchDirectories: + - dir: /etc/ # required to change root to user1 (coarse-grained way) + recursive: true + - dir: /proc/ # required to change root to user1 (coarse-grained way) + recursive: true action: Allow ``` - * Explanation: This policy aims to allow a specific user \(i.e., user1\) only to launch its own executable \(i.e., hello\), which means that we do not want for the root user to even launch /home/user1/hello. For this, we define a security policy similar to the above ones, but we specifically add 'ownerOnly: true'. + * Explanation: This policy aims to allow a specific user \(i.e., user1\) only to launch its own executable \(i.e., hello\), which means that we do not want for the root user to even launch /home/user1/hello. For this, we define a security policy with matchPaths and 'ownerOnly: ture'. - * Verification: For verification, we allow /bin/su and some files used by /bin/su to change users \(from 'root' to 'user1'\) in the policy. After applying this policy, please get into the container with the 'ubuntu-3' label and run '/home/user1/hello' first. This command will be blocked even though you are the 'root' user. Then, please run 'su - user1'. Now, you are the 'user1' user. 
Please run '/home/user1/hello' again. You will see that it works now. + * Verification: For verification, we also allow several directories and files to change users \(from 'root' to 'user1'\) in the policy. After applying this policy, please get into the container with the 'ubuntu-3' label and run '/home/user1/hello' first. This command will be blocked even though you are the 'root' user. Then, please run 'su - user1'. Now, you are the 'user1' user. Please run '/home/user1/hello' again. You will see that it works now. * File Access Restriction * Allow accessing specific files only \([ksp-ubuntu-4-file-path-readonly-allow.yaml](../examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow.yaml)\) 
@@ -143,24 +155,38 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-ubuntu-4-file-path-readonly-allow namespace: multiubuntu spec: + severity: 10 + message: "a critical file was accessed" + tags: + - WARNNING selector: matchLabels: container: ubuntu-4 - process: # some exectuables to test + process: matchDirectories: - - dir: /bin/ + - dir: /bin/ # used by root + recursive: true + - dir: /usr/bin/ # used by root + recursive: true file: matchPaths: - - path: /secret.txt - path: /credentials/password readOnly: true + - path: /root/.bashrc # used by root + - path: /root/.bash_history # used by root + - path: /dev/tty + matchDirectories: + - dir: /etc/ # used by root (coarse-grained way) + recursive: true + - dir: /proc/ # used by root (coarse-grained way) + recursive: true action: Allow ``` - * Explanation: The purpose of this policy is to allow the container with the 'ubuntu-4' label to access '/secret.txt' and '/credentials/password' only. We also want the container to read '/credentials/password' only \(the write operation is blocked\) while allowing the container to read and write '/secret.txt'. + * Explanation: The purpose of this policy is to allow the container with the 'ubuntu-4' label to read '/credentials/password' only \(the write operation is blocked\). - * Verification: For testing, we allow binaries in /bin. After applying this policy, please get into the container with the 'ubuntu-4' label and run 'cat /secret.txt' and 'cat /credentials/password'. You can see the contents in those files. Now, please run 'echo \"test\" >> /secret.txt'. This command will work fine. Please run 'echo \"test\" >> /credentials/password'. You will see that the write operation will be blocked. + * Verification: After applying this policy, please get into the container with the 'ubuntu-4' label and run 'cat /credentials/password'. You can see the contents in the file. Now, please run 'echo \"test\" >> /credentials/password'. 
You will see that the write operation will be blocked. * Block all file accesses in a specific directory and its subdirectories \([ksp-ubuntu-5-file-dir-recursive-block.yaml](../examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-block.yaml)\) 
@@ -182,33 +208,34 @@ Here, we demonstrate how to define security policies using our example microserv Block ``` - * Explanation: In this policy, we do not want the container with the 'ubuntu-5' label to access any files in the '/credentials' directory and subdirectories. Thus, we use 'matchDirectories' and 'recursive: true' to define all files in the '/credentials' directory and its subdirectories. + * Explanation: In this policy, we do not want the container with the 'ubuntu-5' label to access any files in the '/credentials' directory and its subdirectories. Thus, we use 'matchDirectories' and 'recursive: true' to define all files in the '/credentials' directory and its subdirectories. - * Verification: After applying this policy, please get into the container with the 'ubuntu-5' label and run 'cat /secret.txt'. You will see the contents of /secret.txt. Then, please run 'cat /credentials/password'. This command will be blocked due to the security policy. + * Verification: After applying this policy, please get into the container with the 'ubuntu-5' label and run 'cat /secret.txt'. You will see the contents of /secret.txt. Then, please run 'cat /credentials/password'. This command will be blocked due to the security policy. 
* Network Operation Restriction - * Block ICMP packets \([ksp-ubuntu-5-net-icmp-block](../examples/multiubuntu/security-policies/ksp-ubuntu-5-net-icmp-block.yaml)\) + * Audit ICMP packets \([ksp-ubuntu-5-net-icmp-audit](../examples/multiubuntu/security-policies/ksp-ubuntu-5-net-icmp-audit.yaml)\) ```text - apiVersion: security.kubearmor.com/v1 - kind: KubeArmorPolicy - metadata: - name: ksp-ubuntu-5-net-icmp-block - namespace: multiubuntu - spec: - selector: - matchLabels: - container: ubuntu-5 - network: - matchProtocols: - - protocol: icmp - action: - Block + apiVersion: security.kubearmor.com/v1 + kind: KubeArmorPolicy + metadata: + name: ksp-ubuntu-5-net-icmp-audit + namespace: multiubuntu + spec: + severity: 8 + selector: + matchLabels: + container: ubuntu-5 + network: + matchProtocols: + - protocol: icmp + action: + Audit ``` - * Explanation: We want to block sending ICMP packets from the containers with the 'ubuntu-5' label while allowing packets for the other protocols \(e.g., TCP and UDP\). For this, we use 'matchProtocols' to define the protocol \(i.e., ICMP\) that we want to block. + * Explanation: We want to audit sending ICMP packets from the containers with the 'ubuntu-5' label while allowing packets for the other protocols \(e.g., TCP and UDP\). For this, we use 'matchProtocols' to define the protocol \(i.e., ICMP\) that we want to block. - * Verification: After applying this policy, please get into the container with the 'ubuntu-5' label and run 'curl https://kubernetes.io/'. This will work fine. Then, run 'ping 8.8.8.8'. You will see 'permission denied' since the 'ping' command internally uses the ICMP protocol. + * Verification: After applying this policy, please get into the container with the 'ubuntu-5' label and run 'curl https://kubernetes.io/'. This will work fine. Then, run 'ping 8.8.8.8'. You will see 'Permission denied' since the 'ping' command internally uses the ICMP protocol. 
* Capabilities Restriction * Block Raw Sockets \(i.e., non-TCP/UDP packets\) \([ksp-ubuntu-1-cap-net-raw-block.yaml](../examples/multiubuntu/security-policies/ksp-ubuntu-1-cap-net-raw-block.yaml)\) @@ -220,6 +247,7 @@ Here, we demonstrate how to define security policies using our example microserv name: ksp-ubuntu-1-cap-net-raw-block namespace: multiubuntu spec: + severity: 1 selector: matchLabels: container: ubuntu-1 @@ -232,4 +260,5 @@ Here, we demonstrate how to define security policies using our example microserv * Explanation: We want to block any network operations using raw sockets from the containers with the 'ubuntu-1' label, meaning that containers cannot send non-TCP/UDP packets \(e.g., ICMP echo request or reply\) to other containers. To achieve this, we use matchCapabilities and specify the 'CAP\_NET\_RAW' capability to block raw socket creations inside the containers. Here, since we use the stream and datagram sockets to TCP and UDP packets respectively, we can still send those packets to others. - * Verification: After applying this policy, please get into the container with the 'ubuntu-1' label and run 'curl https://kubernetes.io/'. This will work fine. Then, run 'ping 8.8.8.8'. You will see 'operation not permitted' since the 'ping' command internally requires a raw socket to send ICMP packets. + * Verification: After applying this policy, please get into the container with the 'ubuntu-1' label and run 'curl https://kubernetes.io/'. This will work fine. Then, run 'ping 8.8.8.8'. You will see 'Operation not permitted' since the 'ping' command internally requires a raw socket to send ICMP packets. + \ No newline at end of file From e774bef0c2770275192bbea82bf43b53dddbf4af Mon Sep 17 00:00:00 2001 From: Jaehyun Nam Date: Fri, 22 Apr 2022 05:23:27 +0000 Subject: [PATCH 3/3] fix typo 
Signed-off-by: Jaehyun Nam --- ...sp-ubuntu-2-file-dir-recursive-allow-from-source-path.yaml | 2 +- ...sp-ubuntu-2-file-dir-recursive-audit-from-source-path.yaml | 2 +- ...sp-ubuntu-2-file-dir-recursive-block-from-source-path.yaml | 2 +- .../ksp-ubuntu-3-file-dir-allow-from-source-path.yaml | 2 +- .../ksp-ubuntu-3-file-dir-audit-from-source-path.yaml | 2 +- .../ksp-ubuntu-3-file-dir-block-from-source-path.yaml | 2 +- ...ksp-ubuntu-3-file-dir-readonly-allow-from-source-path.yaml | 2 +- .../ksp-ubuntu-3-file-dir-readonly-allow.yaml | 2 +- ...ksp-ubuntu-3-file-dir-readonly-audit-from-source-path.yaml | 2 +- .../ksp-ubuntu-3-file-dir-readonly-audit.yaml | 2 +- ...ksp-ubuntu-3-file-dir-readonly-block-from-source-path.yaml | 2 +- .../ksp-ubuntu-3-file-dir-readonly-block.yaml | 2 +- .../security-policies/ksp-ubuntu-4-file-dir-allow.yaml | 2 +- .../security-policies/ksp-ubuntu-4-file-dir-audit.yaml | 2 +- .../security-policies/ksp-ubuntu-4-file-dir-block.yaml | 2 +- ...sp-ubuntu-4-file-path-readonly-allow-from-source-path.yaml | 2 +- .../ksp-ubuntu-4-file-path-readonly-allow.yaml | 2 +- ...sp-ubuntu-4-file-path-readonly-audit-from-source-path.yaml | 2 +- .../ksp-ubuntu-4-file-path-readonly-audit.yaml | 2 +- ...sp-ubuntu-4-file-path-readonly-block-from-source-path.yaml | 2 +- .../ksp-ubuntu-4-file-path-readonly-block.yaml | 2 +- .../ksp-ubuntu-5-file-dir-recursive-readonly-allow.yaml | 2 +- .../ksp-ubuntu-5-file-dir-recursive-readonly-audit.yaml | 2 +- .../ksp-ubuntu-5-file-dir-recursive-readonly-block.yaml | 2 +- getting-started/host_security_policy_specification.md | 2 +- getting-started/security_policy_examples.md | 4 ++-- getting-started/security_policy_specification.md | 2 +- 27 files changed, 28 insertions(+), 28 deletions(-) 
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-allow-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-allow-from-source-path.yaml index d54ffaa25d..7bdacf5940 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-allow-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-allow-from-source-path.yaml @@ -7,7 +7,7 @@ spec: severity: 10 message: "a critical directory was accessed" tags: - - WARNNING + - WARNING selector: matchLabels: container: ubuntu-2 diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-audit-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-audit-from-source-path.yaml index 3c4cf76513..75c85f7860 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-audit-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-audit-from-source-path.yaml @@ -7,7 +7,7 @@ spec: severity: 10 message: "a critical directory was accessed" tags: - - WARNNING + - WARNING selector: matchLabels: container: ubuntu-2 diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block-from-source-path.yaml index 3a0d4894ff..6b938826a0 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-2-file-dir-recursive-block-from-source-path.yaml @@ -7,7 +7,7 @@ spec: severity: 10 message: "a critical directory was accessed" tags: - - WARNNING + - WARNING selector: matchLabels: container: ubuntu-2 
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-allow-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-allow-from-source-path.yaml index 377059400b..8be4dacb0b 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-allow-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-allow-from-source-path.yaml @@ -7,7 +7,7 @@ spec: severity: 10 message: "a critical directory was accessed" tags: - - WARNNING + - WARNING selector: matchLabels: container: ubuntu-3 diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-audit-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-audit-from-source-path.yaml index b6a582df9a..5d59f3d082 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-audit-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-audit-from-source-path.yaml @@ -7,7 +7,7 @@ spec: severity: 10 message: "a critical directory was accessed" tags: - - WARNNING + - WARNING selector: matchLabels: container: ubuntu-3 diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-block-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-block-from-source-path.yaml index 8386a15b3e..4ab5c8ec26 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-block-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-block-from-source-path.yaml @@ -7,7 +7,7 @@ spec: severity: 10 message: "a critical directory was accessed" tags: - - WARNNING + - WARNING selector: matchLabels: container: ubuntu-3 diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow-from-source-path.yaml index 7c70943dcf..100746b4c9 100644 
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow-from-source-path.yaml @@ -7,7 +7,7 @@ spec: severity: 10 message: "a critical directory was accessed" tags: - - WARNNING + - WARNING selector: matchLabels: container: ubuntu-3 diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow.yaml index c41938825a..6928b36b16 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-allow.yaml @@ -7,7 +7,7 @@ spec: severity: 10 message: "a critical directory was accessed" tags: - - WARNNING + - WARNING selector: matchLabels: container: ubuntu-3 diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit-from-source-path.yaml index 21bc229d50..a5b340fd43 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit-from-source-path.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit-from-source-path.yaml @@ -7,7 +7,7 @@ spec: severity: 10 message: "a critical directory was accessed" tags: - - WARNNING + - WARNING selector: matchLabels: container: ubuntu-3 diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit.yaml index bcf875acce..71feed4be2 100644 --- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit.yaml +++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-audit.yaml 
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical directory was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-3
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block-from-source-path.yaml
index c57f5b71c4..28c4f2a472 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block-from-source-path.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block-from-source-path.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical directory was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-3
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block.yaml
index ef1accd294..d98c378d28 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-3-file-dir-readonly-block.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical directory was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-3
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-allow.yaml
index 1517014815..e5c6bec3e2 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-allow.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-allow.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical directory was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-4
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-audit.yaml
index fbc71be974..1867215892 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-audit.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-audit.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical directory was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-4
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-block.yaml
index 558f972d80..86ced272fb 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-block.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-dir-block.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical directory was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-4
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow-from-source-path.yaml
index 473e2702e0..e906d66b0a 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow-from-source-path.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow-from-source-path.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical file was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-4
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow.yaml
index ad9411ef87..141aaffbf2 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-allow.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical file was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-4
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit-from-source-path.yaml
index 0146aff9b4..79275444af 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit-from-source-path.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit-from-source-path.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical file was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-4
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit.yaml
index c8a12f4b03..61c1f7789a 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-audit.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical file was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-4
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block-from-source-path.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block-from-source-path.yaml
index 00212a8a7a..e8b9a8a2d1 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block-from-source-path.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block-from-source-path.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical file was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-4
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block.yaml
index a49c4bbd0d..6b1fa53410 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-4-file-path-readonly-block.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical file was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-4
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-allow.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-allow.yaml
index 0aee0630af..4625fea252 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-allow.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-allow.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical directory was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-5
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-audit.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-audit.yaml
index 2b148f791b..a94116961b 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-audit.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-audit.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical directory was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-5
diff --git a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-block.yaml b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-block.yaml
index d1065810a8..6d41496845 100644
--- a/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-block.yaml
+++ b/examples/multiubuntu/security-policies/ksp-ubuntu-5-file-dir-recursive-readonly-block.yaml
@@ -7,7 +7,7 @@ spec:
 severity: 10
 message: "a critical directory was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-5
diff --git a/getting-started/host_security_policy_specification.md b/getting-started/host_security_policy_specification.md
index c3fc0864f3..f68d71db0e 100644
--- a/getting-started/host_security_policy_specification.md
+++ b/getting-started/host_security_policy_specification.md
@@ -100,7 +100,7 @@ Now, we will briefly explain how to define a host security policy.
 * Tags
- The tags part is optional. You can define multiple tags (e.g., WARNNING, SENSITIVE, MITRE, STIG, etc.) to categorize security policies.
+ The tags part is optional. You can define multiple tags (e.g., WARNING, SENSITIVE, MITRE, STIG, etc.) to categorize security policies.
 ```text
 tags: ["tag1", ..., "tagN"]
diff --git a/getting-started/security_policy_examples.md b/getting-started/security_policy_examples.md
index fc19f9f586..8a1f71638a 100644
--- a/getting-started/security_policy_examples.md
+++ b/getting-started/security_policy_examples.md
@@ -85,7 +85,7 @@ Here, we demonstrate how to define security policies using our example microserv
 severity: 10
 message: "a critical directory was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-3
@@ -158,7 +158,7 @@ Here, we demonstrate how to define security policies using our example microserv
 severity: 10
 message: "a critical file was accessed"
 tags:
- - WARNNING
+ - WARNING
 selector:
 matchLabels:
 container: ubuntu-4
diff --git a/getting-started/security_policy_specification.md b/getting-started/security_policy_specification.md
index 5cb2ed1145..4097d67440 100644
--- a/getting-started/security_policy_specification.md
+++ b/getting-started/security_policy_specification.md
@@ -99,7 +99,7 @@ Now, we will briefly explain how to define a security policy.
 * Tags
- The tags part is optional. You can define multiple tags (e.g., WARNNING, SENSITIVE, MITRE, STIG, etc.) to categorize security policies.
+ The tags part is optional. You can define multiple tags (e.g., WARNING, SENSITIVE, MITRE, STIG, etc.) to categorize security policies.
 ```text
 tags: ["tag1", ..., "tagN"]