update default posture and audit mode

Signed-off-by: Jaehyun Nam <[email protected]>
daemon1024 · Jun 10, 2022 · 9abb9d2 · 9abb9d2
1 parent fe1ccb3
commit 9abb9d2
Show file tree

Hide file tree

Showing 38 changed files with 627 additions and 504 deletions.
diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go
@@ -35,6 +35,10 @@ type KubearmorConfig struct {
 	DefaultNetworkPosture      string // Default Enforcement Action in Global Network Context
 	DefaultCapabilitiesPosture string // Default Enforcement Action in Global Capabilities Context
 
+	HostDefaultFilePosture         string // Default Enforcement Action in Global File Context
+	HostDefaultNetworkPosture      string // Default Enforcement Action in Global Network Context
+	HostDefaultCapabilitiesPosture string // Default Enforcement Action in Global Capabilities Context
+
 	CoverageTest bool // Enable/Disable Coverage Test
 }
 
@@ -83,6 +87,15 @@ const ConfigDefaultNetworkPosture string = "defaultNetworkPosture"
 // ConfigDefaultCapabilitiesPosture KubeArmor Default Global Capabilities Posture key
 const ConfigDefaultCapabilitiesPosture string = "defaultCapabilitiesPosture"
 
+// ConfigHostDefaultFilePosture KubeArmor Default Global File Posture key
+const ConfigHostDefaultFilePosture string = "hostDefaultFilePosture"
+
+// ConfigHostDefaultNetworkPosture KubeArmor Default Global Network Posture key
+const ConfigHostDefaultNetworkPosture string = "hostDefaultNetworkPosture"
+
+// ConfigHostDefaultCapabilitiesPosture KubeArmor Default Global Capabilities Posture key
+const ConfigHostDefaultCapabilitiesPosture string = "hostDefaultCapabilitiesPosture"
+
 // ConfigCoverageTest Coverage Test key
 const ConfigCoverageTest string = "coverageTest"
 
@@ -106,9 +119,13 @@ func readCmdLineParams() {
 	kvmAgentB := flag.Bool(ConfigKubearmorVM, false, "enabling KubeArmorVM")
 	k8sEnvB := flag.Bool(ConfigK8sEnv, true, "is k8s env?")
 
-	defaultFilePosture := flag.String(ConfigDefaultFilePosture, "block", "configuring default enforcement action in global file context [audit,block]")
-	defaultNetworkPosture := flag.String(ConfigDefaultNetworkPosture, "block", "configuring default enforcement action in global network context [audit,block]")
-	defaultCapabilitiesPosture := flag.String(ConfigDefaultCapabilitiesPosture, "block", "configuring default enforcement action in global capability context [audit,block]")
+	defaultFilePosture := flag.String(ConfigDefaultFilePosture, "block", "configuring default enforcement action in global file context {allow|audit|block}")
+	defaultNetworkPosture := flag.String(ConfigDefaultNetworkPosture, "block", "configuring default enforcement action in global network context {allow|audit|block}")
+	defaultCapabilitiesPosture := flag.String(ConfigDefaultCapabilitiesPosture, "block", "configuring default enforcement action in global capability context {allow|audit|block}")
+
+	hostDefaultFilePosture := flag.String(ConfigHostDefaultFilePosture, "block", "configuring default enforcement action in global file context {allow|audit|block}")
+	hostDefaultNetworkPosture := flag.String(ConfigHostDefaultNetworkPosture, "block", "configuring default enforcement action in global network context {allow|audit|block}")
+	hostDefaultCapabilitiesPosture := flag.String(ConfigHostDefaultCapabilitiesPosture, "block", "configuring default enforcement action in global capability context {allow|audit|block}")
 
 	coverageTestB := flag.Bool(ConfigCoverageTest, false, "enabling CoverageTest")
 
@@ -140,6 +157,10 @@ func readCmdLineParams() {
 	viper.SetDefault(ConfigDefaultNetworkPosture, *defaultNetworkPosture)
 	viper.SetDefault(ConfigDefaultCapabilitiesPosture, *defaultCapabilitiesPosture)
 
+	viper.SetDefault(ConfigHostDefaultFilePosture, *hostDefaultFilePosture)
+	viper.SetDefault(ConfigHostDefaultNetworkPosture, *hostDefaultNetworkPosture)
+	viper.SetDefault(ConfigHostDefaultCapabilitiesPosture, *hostDefaultCapabilitiesPosture)
+
 	viper.SetDefault(ConfigCoverageTest, *coverageTestB)
 }
 
@@ -185,6 +206,10 @@ func LoadConfig() error {
 	GlobalCfg.DefaultNetworkPosture = viper.GetString(ConfigDefaultNetworkPosture)
 	GlobalCfg.DefaultCapabilitiesPosture = viper.GetString(ConfigDefaultCapabilitiesPosture)
 
+	GlobalCfg.HostDefaultFilePosture = viper.GetString(ConfigHostDefaultFilePosture)
+	GlobalCfg.HostDefaultNetworkPosture = viper.GetString(ConfigHostDefaultNetworkPosture)
+	GlobalCfg.HostDefaultCapabilitiesPosture = viper.GetString(ConfigHostDefaultCapabilitiesPosture)
+
 	kg.Printf("Configuration [%+v]", GlobalCfg)
 
 	if GlobalCfg.KVMAgent {

diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
@@ -515,15 +515,7 @@ func (dm *KubeArmorDaemon) WatchK8sPods() {
 
 				// exception: kubernetes app
 				if pod.Metadata["namespaceName"] == "kube-system" {
-					if _, ok := pod.Labels["k8s-app"]; ok {
-						pod.Annotations["kubearmor-policy"] = "audited"
-					}
-
-					if value, ok := pod.Labels["component"]; ok {
-						if value == "etcd" || value == "kube-apiserver" || value == "kube-controller-manager" || value == "kube-scheduler" {
-							pod.Annotations["kubearmor-policy"] = "audited"
-						}
-					}
+					pod.Annotations["kubearmor-policy"] = "audited"
 				}
 
 				// exception: cilium-operator
@@ -1704,15 +1696,15 @@ func (dm *KubeArmorDaemon) UpdateDefaultPosture(action string, namespace string,
 
 	dm.DefaultPostures[namespace] = defaultPosture
 
+	dm.Logger.UpdateDefaultPosture(action, namespace, defaultPosture)
+
 	for idx, endPoint := range dm.EndPoints {
 		// update a security policy
 		if namespace == endPoint.NamespaceName {
 			if dm.EndPoints[idx].DefaultPosture == defaultPosture {
 				continue
 			}
 
-			dm.Logger.UpdateDefaultPosture(action, namespace, defaultPosture)
-
 			dm.EndPoints[idx].DefaultPosture = defaultPosture
 			dm.Logger.Printf("Updating default posture for %s with %v/%v", endPoint.EndPointName, dm.EndPoints[idx].DefaultPosture, dm.DefaultPostures[namespace])
 

diff --git a/KubeArmor/enforcer/appArmorEnforcer.go b/KubeArmor/enforcer/appArmorEnforcer.go
@@ -527,9 +527,9 @@ func (ae *AppArmorEnforcer) UpdateSecurityPolicies(endPoint tp.EndPoint) {
 // UpdateAppArmorHostProfile Function
 func (ae *AppArmorEnforcer) UpdateAppArmorHostProfile(secPolicies []tp.HostSecurityPolicy) {
 	globalDefaultPosture := tp.DefaultPosture{
-		FileAction:         cfg.GlobalCfg.DefaultFilePosture,
-		NetworkAction:      cfg.GlobalCfg.DefaultNetworkPosture,
-		CapabilitiesAction: cfg.GlobalCfg.DefaultCapabilitiesPosture,
+		FileAction:         cfg.GlobalCfg.HostDefaultFilePosture,
+		NetworkAction:      cfg.GlobalCfg.HostDefaultNetworkPosture,
+		CapabilitiesAction: cfg.GlobalCfg.HostDefaultCapabilitiesPosture,
 	}
 
 	if policyCount, newProfile, ok := ae.GenerateAppArmorHostProfile(secPolicies, globalDefaultPosture); ok {

diff --git a/KubeArmor/enforcer/appArmorHostProfile.go b/KubeArmor/enforcer/appArmorHostProfile.go
@@ -685,36 +685,46 @@ func (ae *AppArmorEnforcer) GenerateHostProfileBody(securityPolicies []tp.HostSe
 		capability := true
 
 		for _, line := range lines {
-			if strings.Contains(line, "  network") {
+			if strings.Contains(line, "  network") { // matchProtocols + allow
 				network = false
 				continue
 			}
 
-			if strings.Contains(line, "  capability") {
+			if strings.Contains(line, "  capability") { // matchCapabilities + allow
 				capability = false
 				continue
 			}
 
-			if strings.Contains(line, "  owner") && strings.Contains(line, "deny") {
+			if strings.Contains(line, "  owner") && strings.Contains(line, "deny") { // ownerOnly + block
 				continue
 			}
 
-			if strings.Contains(line, "  deny") {
+			if strings.Contains(line, "  deny") { // block
 				continue
 			}
 
-			file = false
+			file = false // matchPaths or matchDirectories + allow
 		}
 
-		if file {
+		if defaultPosture.FileAction == "block" && file {
+			// if defaultPosture == block and there is at least one fromSource-based allow policy, block others (by the same source)
+			// hoever, if defaultPosture == block and there is no fromSource-based allow policy, allow others as usual
+			bodyFromSource = bodyFromSource + "    file,\n"
+		} else if defaultPosture.FileAction != "block" {
+			// if defaultPosture == audit, audit others (= allow others) (by the same source)
+			// if defaultPosture == allow, skip (ignore) allow policies while still enforcing block policies
 			bodyFromSource = bodyFromSource + "    file,\n"
 		}
 
-		if network {
+		if defaultPosture.NetworkAction == "block" && network {
+			bodyFromSource = bodyFromSource + "    network,\n"
+		} else if defaultPosture.NetworkAction != "block" {
 			bodyFromSource = bodyFromSource + "    network,\n"
 		}
 
-		if capability {
+		if defaultPosture.CapabilitiesAction == "block" && capability {
+			bodyFromSource = bodyFromSource + "    capability,\n"
+		} else if defaultPosture.CapabilitiesAction != "block" {
 			bodyFromSource = bodyFromSource + "    capability,\n"
 		}
 

diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go
@@ -675,21 +675,25 @@ func (ae *AppArmorEnforcer) GenerateProfileHead(numProcessWhiteList, numFileWhit
 	profileHead := "  #include <abstractions/base>\n"
 	profileHead = profileHead + "  umount,\n"
 
-	if defaultPosture.FileAction == "block" && !(numProcessWhiteList > 0 || numFileWhiteList > 0 || !fromSourceFile) {
+	if defaultPosture.FileAction == "block" && (numProcessWhiteList+numFileWhiteList == 0 && fromSourceFile) {
+		// if defaultPosture == block and there is at least one (fromSource-based) allow policy, block others
+		// hoever, if defaultPosture == block and there is no (fromSource-based) allow policy, allow others as usual
 		profileHead = profileHead + "  file,\n"
-	} else if numProcessWhiteList == 0 && numFileWhiteList == 0 {
+	} else if defaultPosture.FileAction != "block" {
+		// if defaultPosture == audit, audit others (= allow others)
+		// if defaultPosture == allow, skip (ignore) allow policies while still enforcing block policies
 		profileHead = profileHead + "  file,\n"
 	}
 
-	if defaultPosture.NetworkAction == "block" && !(numNetworkWhiteList > 0 || !fromSourceNetwork) {
+	if defaultPosture.NetworkAction == "block" && (numNetworkWhiteList == 0 && fromSourceNetwork) {
 		profileHead = profileHead + "  network,\n"
-	} else if numNetworkWhiteList == 0 {
+	} else if defaultPosture.NetworkAction != "block" {
 		profileHead = profileHead + "  network,\n"
 	}
 
-	if defaultPosture.CapabilitiesAction == "block" && !(numCapabilityWhiteList > 0 || !fromSourceCapability) {
+	if defaultPosture.CapabilitiesAction == "block" && (numCapabilityWhiteList == 0 && fromSourceCapability) {
 		profileHead = profileHead + "  capability,\n"
-	} else if numCapabilityWhiteList == 0 {
+	} else if defaultPosture.CapabilitiesAction != "block" {
 		profileHead = profileHead + "  capability,\n"
 	}
 
@@ -762,7 +766,7 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 
 		if len(secPolicy.Spec.Process.MatchPaths) > 0 {
 			for _, path := range secPolicy.Spec.Process.MatchPaths {
-				if path.Action == "Allow" {
+				if path.Action == "Allow" && defaultPosture.FileAction == "block" {
 					ae.AllowedProcessMatchPaths(path, &processWhiteList, fromSources)
 				} else if path.Action == "Block" {
 					ae.BlockedProcessMatchPaths(path, &processBlackList, fromSources)
@@ -771,7 +775,7 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 		}
 		if len(secPolicy.Spec.Process.MatchDirectories) > 0 {
 			for _, dir := range secPolicy.Spec.Process.MatchDirectories {
-				if dir.Action == "Allow" {
+				if dir.Action == "Allow" && defaultPosture.FileAction == "block" {
 					ae.AllowedProcessMatchDirectories(dir, &processWhiteList, fromSources)
 				} else if dir.Action == "Block" {
 					ae.BlockedProcessMatchDirectories(dir, &processBlackList, fromSources)
@@ -780,7 +784,7 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 		}
 		if len(secPolicy.Spec.Process.MatchPatterns) > 0 {
 			for _, pat := range secPolicy.Spec.Process.MatchPatterns {
-				if pat.Action == "Allow" {
+				if pat.Action == "Allow" && defaultPosture.FileAction == "block" {
 					ae.AllowedProcessMatchPatterns(pat, &processWhiteList)
 				} else if pat.Action == "Block" {
 					ae.BlockedProcessMatchPatterns(pat, &processBlackList)
@@ -790,7 +794,7 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 
 		if len(secPolicy.Spec.File.MatchPaths) > 0 {
 			for _, path := range secPolicy.Spec.File.MatchPaths {
-				if path.Action == "Allow" {
+				if path.Action == "Allow" && defaultPosture.FileAction == "block" {
 					ae.AllowedFileMatchPaths(path, &fileWhiteList, fromSources)
 				} else if path.Action == "Block" {
 					ae.BlockedFileMatchPaths(path, &fileBlackList, fromSources)
@@ -799,7 +803,7 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 		}
 		if len(secPolicy.Spec.File.MatchDirectories) > 0 {
 			for _, dir := range secPolicy.Spec.File.MatchDirectories {
-				if dir.Action == "Allow" {
+				if dir.Action == "Allow" && defaultPosture.FileAction == "block" {
 					ae.AllowedFileMatchDirectories(dir, &fileWhiteList, fromSources)
 				} else if dir.Action == "Block" {
 					ae.BlockedFileMatchDirectories(dir, &fileBlackList, fromSources)
@@ -808,7 +812,7 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 		}
 		if len(secPolicy.Spec.File.MatchPatterns) > 0 {
 			for _, pat := range secPolicy.Spec.File.MatchPatterns {
-				if pat.Action == "Allow" {
+				if pat.Action == "Allow" && defaultPosture.FileAction == "block" {
 					ae.AllowedFileMatchPatterns(pat, &fileWhiteList)
 				} else if pat.Action == "Block" {
 					ae.BlockedFileMatchPatterns(pat, &fileBlackList)
@@ -818,7 +822,7 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 
 		if len(secPolicy.Spec.Network.MatchProtocols) > 0 {
 			for _, proto := range secPolicy.Spec.Network.MatchProtocols {
-				if proto.Action == "Allow" {
+				if proto.Action == "Allow" && defaultPosture.NetworkAction == "block" {
 					ae.AllowedNetworkMatchProtocols(proto, &networkWhiteList, fromSources)
 				} else if proto.Action == "Block" {
 					ae.BlockedNetworkMatchProtocols(proto, &networkBlackList, fromSources)
@@ -828,7 +832,7 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 
 		if len(secPolicy.Spec.Capabilities.MatchCapabilities) > 0 {
 			for _, cap := range secPolicy.Spec.Capabilities.MatchCapabilities {
-				if cap.Action == "Allow" {
+				if cap.Action == "Allow" && defaultPosture.CapabilitiesAction == "block" {
 					ae.AllowedCapabilitiesMatchCapabilities(cap, &capabilityWhiteList, fromSources)
 				} else if cap.Action == "Block" {
 					ae.BlockedCapabilitiesMatchCapabilities(cap, &capabilityBlackList, fromSources)
@@ -916,45 +920,49 @@ func (ae *AppArmorEnforcer) GenerateProfileBody(securityPolicies []tp.SecurityPo
 		capability := true
 
 		for _, line := range lines {
-			if strings.Contains(line, "  network") {
+			if strings.Contains(line, "  network") { // matchProtocols + allow
 				network = false
 				fromSourceNetwork = false
 				continue
 			}
 
-			if strings.Contains(line, "  capability") {
+			if strings.Contains(line, "  capability") { // matchCapabilities + allow
 				capability = false
 				fromSourceCapability = false
 				continue
 			}
 
-			if strings.Contains(line, "  owner") && strings.Contains(line, "deny") {
+			if strings.Contains(line, "  owner") && strings.Contains(line, "deny") { // ownerOnly + block
 				continue
 			}
 
-			if strings.Contains(line, "  deny") {
+			if strings.Contains(line, "  deny") { // block
 				continue
 			}
 
-			file = false
+			file = false // matchPaths or matchDirectories + allow
 			fromSourceFile = false
 		}
 
-		if defaultPosture.FileAction == "block" && !(numProcessWhiteList > 0 || numFileWhiteList > 0 || !file) {
+		if defaultPosture.FileAction == "block" && (numProcessWhiteList == 0 && numFileWhiteList == 0 && file) {
+			// if defaultPosture == block and there is at least one (fromSource-based) allow policy, block others
+			// hoever, if defaultPosture == block and there is no (fromSource-based) allow policy, allow others as usual
 			bodyFromSource = bodyFromSource + "    file,\n"
-		} else if file {
+		} else if defaultPosture.FileAction != "block" {
+			// if defaultPosture == audit, audit others (= allow others)
+			// if defaultPosture == allow, skip (ignore) allow policies while still enforcing block policies
 			bodyFromSource = bodyFromSource + "    file,\n"
 		}
 
-		if defaultPosture.NetworkAction == "block" && !(numNetworkWhiteList > 0 || !network) {
+		if defaultPosture.NetworkAction == "block" && (numNetworkWhiteList == 0 && network) {
 			bodyFromSource = bodyFromSource + "    network,\n"
-		} else if network {
+		} else if defaultPosture.NetworkAction != "block" {
 			bodyFromSource = bodyFromSource + "    network,\n"
 		}
 
-		if defaultPosture.CapabilitiesAction == "block" && !(numCapabilityWhiteList > 0 || !capability) {
+		if defaultPosture.CapabilitiesAction == "block" && (numCapabilityWhiteList == 0 && capability) {
 			bodyFromSource = bodyFromSource + "    capability,\n"
-		} else if capability {
+		} else if defaultPosture.CapabilitiesAction != "block" {
 			bodyFromSource = bodyFromSource + "    capability,\n"
 		}