From f6115a4a22238370ffe379d0d30fd547a4a47a68 Mon Sep 17 00:00:00 2001
From: daemon1024 
Date: Tue, 8 Feb 2022 08:09:40 +0530
Subject: [PATCH] introduce configurable default posture

KubeArmor didn't have a configurable default mode of operations. This commit introduces a configurable default posture as well changes in enforcement system to act accordingly. Ref #595

Signed-off-by: daemon1024 
---
 KubeArmor/config/config.go | 25 +++++++++++++++++++++++++
 KubeArmor/enforcer/appArmorProfile.go | 7 ++++---
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go
index bda3a5d421..367a8408f4 100644
--- a/KubeArmor/config/config.go
+++ b/KubeArmor/config/config.go
@@ -29,6 +29,10 @@ type KubearmorConfig struct {
 KVMAgent bool // Enable/Disable KVM Agent
 K8sEnv bool // Is k8s env ?
+ DefaultFilePosture string // Default Enforcement Action in Global File Context
+ DefaultNetworkPosture string // Default Enforcement Action in Global Network Context
+ DefaultCapabilitiesPosture string // Default Enforcement Action in Global Capabilities Context
+
 CoverageTest bool // Enable/Disable Coverage Test
 }
@@ -65,6 +69,15 @@ const ConfigKubearmorHostPolicy string = "enableKubeArmorHostPolicy"
 // ConfigKubearmorVM Kubearmor VM key
 const ConfigKubearmorVM string = "enableKubeArmorVm"
+// ConfigDefaultFilePosture KubeArmor Default Global File Posture key
+const ConfigDefaultFilePosture string = "defaultFilePosture"
+ // ConfigDefaultNetworkPosture KubeArmor Default Global Network Posture key
+const ConfigDefaultNetworkPosture string = "defaultNetworkPosture"
+ // ConfigDefaultCapabilitiesPosture KubeArmor Default Global Capabilities Posture key
+const ConfigDefaultCapabilitiesPosture string = "defaultCapabilitiesPosture"
+
 // ConfigCoverageTest Coverage Test key
 const ConfigCoverageTest string = "coverageTest"
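Review bot: The new field comments on `DefaultFilePosture`, `DefaultNetworkPosture` and `DefaultCapabilitiesPosture` in the `KubearmorConfig` hunk do not say which strings are meaningful, although the enforcer branches on the exact value and the flag help in `readCmdLineParams` advertises `[audit,block]`. A maintainer reading the struct should not have to locate the flag definition to learn that; suggest `DefaultFilePosture string // Default Enforcement Action in Global File Context: "audit" or "block"` and the same suffix on the other two fields. Naming the value set here also makes it clear that any other string is a misconfiguration rather than a third mode.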
@@ -88,6 +101,10 @@ func readCmdLineParams() {
 kvmAgentB := flag.Bool(ConfigKubearmorVM, false, "enabling KubeArmorVM")
 k8sEnvB := flag.Bool(ConfigK8sEnv, true, "is k8s env?")
+ defaultFilePosture := flag.String(ConfigDefaultFilePosture, "block", "configuring default enforcement action in global file context [audit,block]")
+ defaultNetworkPosture := flag.String(ConfigDefaultNetworkPosture, "block", "configuring default enforcement action in global network context [audit,block]")
+ defaultCapabilitiesPosture := flag.String(ConfigDefaultCapabilitiesPosture, "block", "configuring default enforcement action in global capability context [audit,block]")
+
 coverageTestB := flag.Bool(ConfigCoverageTest, false, "enabling CoverageTest")
 flag.Parse()
@@ -107,6 +124,10 @@ func readCmdLineParams() {
 viper.Set(ConfigKubearmorVM, *kvmAgentB)
 viper.Set(ConfigK8sEnv, *k8sEnvB)
+ viper.Set(ConfigDefaultFilePosture, *defaultFilePosture)
+ viper.Set(ConfigDefaultNetworkPosture, *defaultNetworkPosture)
+ viper.Set(ConfigDefaultCapabilitiesPosture, *defaultCapabilitiesPosture)
+
 viper.Set(ConfigCoverageTest, *coverageTestB)
 }
@@ -152,6 +173,10 @@ func LoadConfig() error {
 }
 GlobalCfg.K8sEnv = viper.GetBool(ConfigK8sEnv)
+ GlobalCfg.DefaultFilePosture = viper.GetString(ConfigDefaultFilePosture)
+ GlobalCfg.DefaultNetworkPosture = viper.GetString(ConfigDefaultNetworkPosture)
+ GlobalCfg.DefaultCapabilitiesPosture = viper.GetString(ConfigDefaultCapabilitiesPosture)
+
 if GlobalCfg.HostVisibility == "" {
 if GlobalCfg.KVMAgent || GlobalCfg.HostPolicy {
 GlobalCfg.HostVisibility = "process,file,network,capabilities"
diff --git a/KubeArmor/enforcer/appArmorProfile.go b/KubeArmor/enforcer/appArmorProfile.go
index 5eb1c6beec..c0f46c884d 100644
--- a/KubeArmor/enforcer/appArmorProfile.go
+++ b/KubeArmor/enforcer/appArmorProfile.go
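Review bot: `LoadConfig` copies the three posture strings into `GlobalCfg` with `viper.GetString` and never checks them against the `[audit,block]` set the flag help advertises, so a typo such as `Block` or `deny` is accepted silently, and the enforcer hunk then compares the value with `!= "block"`, meaning a misspelled posture degrades to the permissive branch. Since this is the single place the values are read and `LoadConfig` already returns `error`, validate them here and refuse to start rather than let an unknown posture reach profile generation. The body of `LoadConfig` starts and ends outside the hunk; the check below assumes `fmt` is already imported in config.go (otherwise `errors.New` with a fixed message does the job).

```go
	GlobalCfg.DefaultFilePosture = viper.GetString(ConfigDefaultFilePosture)
	GlobalCfg.DefaultNetworkPosture = viper.GetString(ConfigDefaultNetworkPosture)
	GlobalCfg.DefaultCapabilitiesPosture = viper.GetString(ConfigDefaultCapabilitiesPosture)

	// Reject anything outside the documented set so that the enforcer never
	// has to interpret an unknown posture string.
	for key, val := range map[string]string{
		ConfigDefaultFilePosture:         GlobalCfg.DefaultFilePosture,
		ConfigDefaultNetworkPosture:      GlobalCfg.DefaultNetworkPosture,
		ConfigDefaultCapabilitiesPosture: GlobalCfg.DefaultCapabilitiesPosture,
	} {
		if val != "audit" && val != "block" {
			return fmt.Errorf("%s must be one of [audit,block], got %q", key, val)
		}
	}
	// … unchanged: HostVisibility defaulting …
```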
@@ -12,6 +12,7 @@ import (
 "strings"
 kl "github.com/kubearmor/KubeArmor/KubeArmor/common"
+ cfg "github.com/kubearmor/KubeArmor/KubeArmor/config"
 tp "github.com/kubearmor/KubeArmor/KubeArmor/types"
 )
@@ -1133,15 +1134,15 @@ func (ae *AppArmorEnforcer) GenerateProfileHead(processWhiteList, fileWhiteList,
 profileHead := " #include \n"
 profileHead = profileHead + " umount,\n"
- if len(processWhiteList) == 0 && len(fileWhiteList) == 0 {
+ if len(processWhiteList) == 0 && len(fileWhiteList) == 0 && cfg.GlobalCfg.DefaultFilePosture != "block" {
 profileHead = profileHead + " file,\n"
 }
- if len(networkWhiteList) == 0 {
+ if len(networkWhiteList) == 0 && cfg.GlobalCfg.DefaultNetworkPosture != "block" {
 profileHead = profileHead + " network,\n"
 }
- if len(capabilityWhiteList) == 0 {
+ if len(capabilityWhiteList) == 0 && cfg.GlobalCfg.DefaultCapabilitiesPosture != "block" {
 profileHead = profileHead + " capability,\n"
 }
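Review bot: The three new conditions in `GenerateProfileHead` test `!= "block"`, so every value other than exactly `block` — `audit`, but equally `Block`, `deny` or an empty string — keeps the blanket `file,`/`network,`/`capability,` grant in the profile head; for an enforcer the unrecognised case should fail closed. Compare against the single permissive value instead: `cfg.GlobalCfg.DefaultFilePosture == "audit"`, `cfg.GlobalCfg.DefaultNetworkPosture == "audit"` and `cfg.GlobalCfg.DefaultCapabilitiesPosture == "audit"`, which leaves the documented `[audit,block]` behaviour unchanged while any other string drops to block. Separately, with posture `block` and empty white-lists the head now omits the blanket rule altogether; whether this function is also reached for workloads that carry no allow-rules at all (which would then have no file rule in an enforce-mode profile) is not visible in this hunk and is worth confirming with the caller. The function continues past the hunk after the last `}`.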