From 34412f8dabf8d6077d6491318c1522d9d254a508 Mon Sep 17 00:00:00 2001 From: rksharma95 Date: Wed, 18 Dec 2024 12:35:15 +0530 Subject: [PATCH] add recommended policies feature to operator 
Signed-off-by: rksharma95 --- ...erator.kubearmor.com_kubearmorconfigs.yaml | 25 +++++ deployments/operator/operator.yaml | 25 +++++ pkg/KubeArmorOperator/Dockerfile | 1 + .../v1/kubearmorconfig_types.go | 9 ++ pkg/KubeArmorOperator/cmd/operator/main.go | 5 +- pkg/KubeArmorOperator/common/defaults.go | 15 +++ ...erator.kubearmor.com_kubearmorconfigs.yaml | 25 +++++ .../internal/controller/cluster.go | 105 +++++++++++++++++- .../internal/controller/resources.go | 4 + pkg/KubeArmorOperator/k8s/client.go | 38 +++++++ .../recommend/harden-cronjob-cfg.yaml | 39 +++++++ .../recommend/harden-crypto-miners.yaml | 42 +++++++ .../harden-file-integrity-monitoring.yaml | 41 +++++++ .../recommend/harden-impair-defense.yaml | 28 +++++ .../harden-k8s-client-tool-exec.yaml | 38 +++++++ .../recommend/harden-maint-tools-access.yaml | 22 ++++ .../harden-network-service-scanning.yaml | 38 +++++++ .../recommend/harden-pkg-mngr-exec.yaml | 53 +++++++++ .../recommend/harden-remote-services.yaml | 29 +++++ .../harden-system-owner-discovery.yaml | 23 ++++ .../recommend/harden-trusted-cert-mod.yaml | 30 +++++ .../recommend/harden-write-etc-dir.yaml | 30 +++++ .../recommend/harden-write-in-shm-dir.yaml | 23 ++++ .../recommend/harden-write-under-dev-dir.yaml | 25 +++++ pkg/KubeArmorOperator/recommend/recommend.go | 11 ++ 25 files changed, 722 insertions(+), 2 deletions(-) create mode 100644 pkg/KubeArmorOperator/recommend/harden-cronjob-cfg.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-crypto-miners.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-file-integrity-monitoring.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-impair-defense.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-k8s-client-tool-exec.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-maint-tools-access.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-network-service-scanning.yaml create mode 100644 
pkg/KubeArmorOperator/recommend/harden-pkg-mngr-exec.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-remote-services.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-system-owner-discovery.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-trusted-cert-mod.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-write-etc-dir.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-write-in-shm-dir.yaml create mode 100644 pkg/KubeArmorOperator/recommend/harden-write-under-dev-dir.yaml create mode 100644 pkg/KubeArmorOperator/recommend/recommend.go diff --git a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml index c45e8100c6..32ecf4d7e6 100644 --- a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml +++ b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml @@ -127,6 +127,31 @@ spec: - Never type: string type: object + maxAlertPerSec: + type: integer + recommendedPolicies: + properties: + enable: + type: boolean + matchExpressions: + items: + properties: + key: + enum: + - namespace + type: string + operator: + enum: + - In + - NotIn + type: string + values: + items: + type: string + type: array + type: object + type: array + type: object seccompEnabled: type: boolean alertThrottling: diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml index 997f2376b7..8266402a37 100644 --- a/deployments/operator/operator.yaml +++ b/deployments/operator/operator.yaml 
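Review bot: `maxAlertPerSec` is added to the CRD schema in this hunk (and in the two other CRD copies in this patch) although the `kubearmorconfig_types.go` hunks add no such Go field — the diffstat's nine added lines there are all accounted for by the import and the `RecommendedPolicies` type — so it is either a stale regeneration being carried along or a schema addition with no backing code. Confirm which; if it is the former, keep it out of this feature commit or say so in the description. The three copies of the CRD (`deployments/helm/.../crds`, `deployments/operator/operator.yaml`, `config/crd/bases`) are identical here, which is good, but they drift easily, so running the regeneration step the type file refers to in CI would keep them that way.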
@@ -126,6 +126,31 @@ spec: - Never type: string type: object + maxAlertPerSec: + type: integer + recommendedPolicies: + properties: + enable: + type: boolean + matchExpressions: + items: + properties: + key: + enum: + - namespace + type: string + operator: + enum: + - In + - NotIn + type: string + values: + items: + type: string + type: array + type: object + type: array + type: object seccompEnabled: type: boolean alertThrottling: diff --git a/pkg/KubeArmorOperator/Dockerfile b/pkg/KubeArmorOperator/Dockerfile index 16ccaed805..21b00423f2 100644 --- a/pkg/KubeArmorOperator/Dockerfile +++ b/pkg/KubeArmorOperator/Dockerfile @@ -35,6 +35,7 @@ COPY $OPERATOR_DIR/enforcer enforcer COPY $OPERATOR_DIR/k8s k8s COPY $OPERATOR_DIR/runtime runtime COPY $OPERATOR_DIR/seccomp seccomp +COPY $OPERATOR_DIR/recommend recommend # Build RUN CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} GO111MODULE=on go build -a -o operator cmd/operator/main.go diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go index c6698c2286..f473f40710 100644 --- a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go +++ b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go @@ -4,6 +4,7 @@ package v1 import ( + securityv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) 
@@ -30,11 +31,19 @@ type Tls struct { RelayExtraIpAddresses []string `json:"extraIpAddresses,omitempty"` } +type RecommendedPolicies struct { + Enable bool `json:"enable,omitempty"` + + MatchExpressions []securityv1.MatchExpressionsType `json:"matchExpressions,omitempty"` +} + // KubeArmorConfigSpec defines the desired state of KubeArmorConfig type KubeArmorConfigSpec struct { // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster // Important: Run "make" to regenerate code after modifying this file + // +kubebuilder:validation:optional + RecommendedPolicies RecommendedPolicies `json:"recommendedPolicies,omitempty"` // +kubebuilder:validation:optional DefaultFilePosture PostureType `json:"defaultFilePosture,omitempty"` // +kubebuilder:validation:optional diff --git a/pkg/KubeArmorOperator/cmd/operator/main.go b/pkg/KubeArmorOperator/cmd/operator/main.go index 95f87fda88..8041557fab 100644 --- a/pkg/KubeArmorOperator/cmd/operator/main.go +++ b/pkg/KubeArmorOperator/cmd/operator/main.go @@ -8,6 +8,7 @@ import ( "errors" "path/filepath" + secv1client "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/client/clientset/versioned" opv1client "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/client/clientset/versioned" controllers "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/internal/controller" "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/k8s" @@ -28,6 +29,7 @@ var PathPrefix string var DeploymentName string var ExtClient *apiextensionsclientset.Clientset var Opv1Client *opv1client.Clientset +var Secv1Client *secv1client.Clientset var InitDeploy bool var LogLevel string @@ -45,6 +47,7 @@ var Cmd = &cobra.Command{ K8sClient = k8s.NewClient(*Logger, KubeConfig) ExtClient = k8s.NewExtClient(*Logger, KubeConfig) Opv1Client = k8s.NewOpv1Client(*Logger, KubeConfig) + Secv1Client = k8s.NewSecv1Client(*Logger, KubeConfig) //Initialise k8sClient for all child commands to inherit if K8sClient == nil { return errors.New("couldn't create k8s client") 
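Review bot: The new exported type `RecommendedPolicies` and both of its fields have no doc comments, so a CRD user has nothing explaining what `enable` switches on or where `matchExpressions` ends up. Suggested: `// RecommendedPolicies configures the hardening KubeArmorClusterPolicies the operator installs from its embedded manifests.`, `// Enable installs the policies when true and removes them when false.`, and `// MatchExpressions is copied into each installed policy's selector (key: namespace, operator: In/NotIn per the CRD schema).`. The install/remove behaviour is what the `WatchRecommendedPolicies` hunk later in this patch implements.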
@@ -52,7 +55,7 @@ var Cmd = &cobra.Command{ return nil }, Run: func(cmd *cobra.Command, args []string) { - nodeWatcher := controllers.NewClusterWatcher(K8sClient, Logger, ExtClient, Opv1Client, PathPrefix, DeploymentName, InitDeploy) + nodeWatcher := controllers.NewClusterWatcher(K8sClient, Logger, ExtClient, Opv1Client, Secv1Client, PathPrefix, DeploymentName, InitDeploy) go nodeWatcher.WatchConfigCrd() nodeWatcher.WatchNodes() diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go index f84e360454..970780653c 100644 --- a/pkg/KubeArmorOperator/common/defaults.go +++ b/pkg/KubeArmorOperator/common/defaults.go @@ -11,6 +11,7 @@ import ( "strings" deployments "github.com/kubearmor/KubeArmor/deployments/get" + securityv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" opv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -124,6 +125,20 @@ var ( AlertThrottling bool = true DefaultMaxAlertPerSec string = "10" DefaultThrottleSec string = "30" + + // recommend policies + RecommendedPolicies opv1.RecommendedPolicies = opv1.RecommendedPolicies{ + MatchExpressions: []securityv1.MatchExpressionsType{ + { + Key: "namespace", + Operator: "NotIn", + Values: []string{ + "kube-system", + "kubearmor", + }, + }, + }, + } ) var ConfigMapData = map[string]string{ diff --git a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml index 1e1c4434ec..366fe8e851 100644 --- a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml +++ b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml 
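Review bot: The default `NotIn` list hard-codes the `kubearmor` namespace, so if the operator and its DaemonSet are deployed into a different namespace the recommended `Block` policies in this patch (writes under `/etc/`, exec of `id`/`whoami`, …) will apply to KubeArmor's own pods; if the deployment namespace is already available as a variable in this package, build the default from it instead of the literal. `common.RecommendedPolicies` is also a package-level value that `UpdateRecommendedPolicyConfig` writes from the KubeArmorConfig informer callbacks while `WatchRecommendedPolicies` reads it from the `WatchRequiredResources` goroutine, which looks like an unsynchronized access; the other `common` config values appear to follow the same pattern, so at minimum record it, e.g. `// mutated from the KubeArmorConfig informer; read by WatchRequiredResources`. `Enable` is left at its zero value, so the feature is opt-in, which is the right default for a policy set containing `Block` rules.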
@@ -128,6 +128,31 @@ spec: - Never type: string type: object + maxAlertPerSec: + type: integer + recommendedPolicies: + properties: + enable: + type: boolean + matchExpressions: + items: + properties: + key: + enum: + - namespace + type: string + operator: + enum: + - In + - NotIn + type: string + values: + items: + type: string + type: array + type: object + type: array + type: object seccompEnabled: type: boolean alertThrottling: diff --git a/pkg/KubeArmorOperator/internal/controller/cluster.go b/pkg/KubeArmorOperator/internal/controller/cluster.go index fd1e5af0af..bf8bd6954c 100644 --- a/pkg/KubeArmorOperator/internal/controller/cluster.go +++ b/pkg/KubeArmorOperator/internal/controller/cluster.go @@ -7,6 +7,7 @@ import ( "bytes" "context" "fmt" + "reflect" "strconv" "strings" "sync" 
@@ -14,17 +15,22 @@ import ( certutil "github.com/kubearmor/KubeArmor/KubeArmor/cert" deployments "github.com/kubearmor/KubeArmor/deployments/get" + secv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/api/security.kubearmor.com/v1" + secv1client "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/client/clientset/versioned" opv1 "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1" "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/cert" opv1client "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/client/clientset/versioned" + "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/client/clientset/versioned/scheme" opv1Informer "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/client/informers/externalversions" "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/common" + "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/recommend" "go.uber.org/zap" corev1 "k8s.io/api/core/v1" apiextensionsclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" metav1errors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/informers" @@ -46,6 +52,7 @@ type ClusterWatcher struct { Client *kubernetes.Clientset ExtClient *apiextensionsclientset.Clientset Opv1Client *opv1client.Clientset + Secv1Client *secv1client.Clientset Daemonsets map[string]int DaemonsetsLock *sync.Mutex } 
@@ -60,7 +67,7 @@ type Node struct { Seccomp string } -func NewClusterWatcher(client *kubernetes.Clientset, log *zap.SugaredLogger, extClient *apiextensionsclientset.Clientset, opv1Client *opv1client.Clientset, pathPrefix, deploy_name string, initdeploy bool) *ClusterWatcher { +func NewClusterWatcher(client *kubernetes.Clientset, log *zap.SugaredLogger, extClient *apiextensionsclientset.Clientset, opv1Client *opv1client.Clientset, secv1Client *secv1client.Clientset, pathPrefix, deploy_name string, initdeploy bool) *ClusterWatcher { if informer == nil { informer = informers.NewSharedInformerFactory(client, 0) } @@ -86,6 +93,7 @@ func NewClusterWatcher(client *kubernetes.Clientset, log *zap.SugaredLogger, ext Client: client, ExtClient: extClient, Opv1Client: opv1Client, + Secv1Client: secv1Client, } } @@ -299,6 +307,7 @@ func (clusterWatcher *ClusterWatcher) WatchConfigCrd() { UpdateImages(&cfg.Spec) UpdatedKubearmorRelayEnv(&cfg.Spec) UpdatedSeccomp(&cfg.Spec) + UpdateRecommendedPolicyConfig(&cfg.Spec) // update status to (Installation) Created go clusterWatcher.UpdateCrdStatus(cfg.Name, common.CREATED, common.CREATED_MSG) go clusterWatcher.WatchRequiredResources() @@ -322,6 +331,7 @@ func (clusterWatcher *ClusterWatcher) WatchConfigCrd() { relayEnvUpdated := UpdatedKubearmorRelayEnv(&cfg.Spec) seccompEnabledUpdated := UpdatedSeccomp(&cfg.Spec) tlsUpdated := UpdateTlsData(&cfg.Spec) + UpdateRecommendedPolicyConfig(&cfg.Spec) // return if only status has been updated if !tlsUpdated && !relayEnvUpdated && !configChanged && cfg.Status != oldObj.(*opv1.KubeArmorConfig).Status && len(imageUpdated) < 1 { return 
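Review bot: In the update handler the result of `UpdateRecommendedPolicyConfig(&cfg.Spec)` is discarded while every sibling call (`UpdatedKubearmorRelayEnv`, `UpdatedSeccomp`, `UpdateTlsData`) has its flag captured, so nothing downstream can tell that only `recommendedPolicies` changed. The rest of the handler is outside the hunk; if it gates reconciliation on those flags, toggling `enable` or changing the selector on an existing KubeArmorConfig would never reach `WatchRecommendedPolicies`. Capture it like the others, `recommendedPoliciesUpdated := UpdateRecommendedPolicyConfig(&cfg.Spec)`, and feed it into the same condition and reconcile path. The call in the add handler above is fine, since `WatchRequiredResources` is started unconditionally there.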
@@ -779,6 +789,99 @@ func (clusterWatcher *ClusterWatcher) UpdateTlsConfigurations(tlsEnabled bool) e return nil } +func (clusterWatcher *ClusterWatcher) WatchRecommendedPolicies() error { + switch common.RecommendedPolicies.Enable { + case true: + policies, err := recommend.CRDFs.ReadDir(".") + if err != nil { + clusterWatcher.Log.Warnf("error reading policies FS", err) + return err + } + for _, policy := range policies { + if !policy.IsDir() { + yamlBytes, err := recommend.CRDFs.ReadFile(policy.Name()) + if err != nil { + clusterWatcher.Log.Warnf("error reading csp", policy.Name()) + continue + } + csp := &secv1.KubeArmorClusterPolicy{} + if err := runtime.DecodeInto(scheme.Codecs.UniversalDeserializer(), yamlBytes, csp); err != nil { + clusterWatcher.Log.Warnf("error decoding csp", policy.Name()) + continue + } + csp.Spec.Selector.MatchExpressions = common.RecommendedPolicies.MatchExpressions + _, err = clusterWatcher.Secv1Client.SecurityV1().KubeArmorClusterPolicies().Create(context.Background(), csp, metav1.CreateOptions{}) + if err != nil && !metav1errors.IsAlreadyExists(err) { + clusterWatcher.Log.Warnf("error creating csp", csp.GetName()) + continue + } else if metav1errors.IsAlreadyExists(err) { + pol, err := clusterWatcher.Secv1Client.SecurityV1().KubeArmorClusterPolicies().Get(context.Background(), csp.GetName(), metav1.GetOptions{}) + if err != nil { + clusterWatcher.Log.Warnf("error getting csp", csp.GetName()) + continue + } + if !reflect.DeepEqual(pol.Spec.Selector.MatchExpressions, common.RecommendedPolicies.MatchExpressions) { + pol.Spec.Selector.MatchExpressions = common.RecommendedPolicies.MatchExpressions + _, err := clusterWatcher.Secv1Client.SecurityV1().KubeArmorClusterPolicies().Update(context.Background(), pol, metav1.UpdateOptions{}) + if err != nil { + clusterWatcher.Log.Warnf("error updating csp", csp.GetName()) + continue + } else { + clusterWatcher.Log.Info("updated csp", csp.GetName()) + } + } + } else { + 
clusterWatcher.Log.Info("created csp", csp.GetName()) + } + } + } + case false: + policies, err := recommend.CRDFs.ReadDir(".") + if err != nil { + clusterWatcher.Log.Warnf("error reading policies FS", err) + return err + } + for _, policy := range policies { + yamlBytes, err := recommend.CRDFs.ReadFile(policy.Name()) + if err != nil { + clusterWatcher.Log.Warnf("error reading csp", policy.Name()) + continue + } + csp := &secv1.KubeArmorClusterPolicy{} + if err := runtime.DecodeInto(scheme.Codecs.UniversalDeserializer(), yamlBytes, csp); err != nil { + clusterWatcher.Log.Warnf("error decoding csp", policy.Name()) + continue + } + if !policy.IsDir() { + err = clusterWatcher.Secv1Client.SecurityV1().KubeArmorClusterPolicies().Delete(context.Background(), csp.GetName(), metav1.DeleteOptions{}) + if err != nil && !metav1errors.IsNotFound(err) { + clusterWatcher.Log.Warnf("error deleting csp", csp.GetName()) + continue + } else { + clusterWatcher.Log.Info("deleted csp", csp.GetName()) + } + } + } + } + + return nil +} + +func UpdateRecommendedPolicyConfig(config *opv1.KubeArmorConfigSpec) bool { + updated := false + if config.RecommendedPolicies.Enable != common.RecommendedPolicies.Enable { + common.RecommendedPolicies.Enable = config.RecommendedPolicies.Enable + updated = true + } + if len(config.RecommendedPolicies.MatchExpressions) > 0 { + if reflect.DeepEqual(config.RecommendedPolicies.MatchExpressions, common.RecommendedPolicies.MatchExpressions) { + common.RecommendedPolicies.MatchExpressions = config.RecommendedPolicies.MatchExpressions + updated = true + } + } + return updated +} + func UpdateConfigMapData(config *opv1.KubeArmorConfigSpec) bool { updated := false if config.DefaultFilePosture != "" { diff --git a/pkg/KubeArmorOperator/internal/controller/resources.go b/pkg/KubeArmorOperator/internal/controller/resources.go index 499bf3f663..b4b8f2208c 100644 --- a/pkg/KubeArmorOperator/internal/controller/resources.go 
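Review bot: `UpdateRecommendedPolicyConfig` only copies the user's `matchExpressions` when `reflect.DeepEqual` says they already equal the current value, so a custom selector in the KubeArmorConfig is never applied and every installed policy keeps the default `NotIn [kube-system, kubearmor]` selector — the user cannot scope the `Block` policies down; the test must be negated: `if !reflect.DeepEqual(config.RecommendedPolicies.MatchExpressions, common.RecommendedPolicies.MatchExpressions) {`. Second, the `enable == false` branch deletes any `KubeArmorClusterPolicy` whose name matches an embedded manifest, and the `AlreadyExists` path rewrites the selector of any same-named policy, without checking that the operator created it; the `app.accuknox.com/source: KubeArmor Operator` annotation the manifests carry is the natural ownership marker, and the `IsDir` test should come before `ReadFile` (rewrite below). Third, the `Warnf` calls pass an argument with no format verb (`Warnf("error reading policies FS", err)`), which `go vet` flags and zap renders as `%!(EXTRA …)`; use `Warnf("error reading policies FS: %v", err)` and `Infof("created csp %s", csp.GetName())` throughout. Note also that per-policy failures are only logged, so the function returns nil even when no policy was created.
```go
	case false:
		policies, err := recommend.CRDFs.ReadDir(".")
		// … unchanged: ReadDir error handling …
		for _, policy := range policies {
			if policy.IsDir() {
				continue
			}
			// … unchanged: ReadFile + DecodeInto into csp …
			existing, err := clusterWatcher.Secv1Client.SecurityV1().KubeArmorClusterPolicies().Get(context.Background(), csp.GetName(), metav1.GetOptions{})
			if metav1errors.IsNotFound(err) {
				continue
			}
			if err != nil {
				clusterWatcher.Log.Warnf("error getting csp %s: %v", csp.GetName(), err)
				continue
			}
			// Only remove policies this operator installed; a user policy that
			// happens to share the name is left alone.
			if existing.GetAnnotations()["app.accuknox.com/source"] != "KubeArmor Operator" {
				clusterWatcher.Log.Infof("skipping csp %s: not installed by the operator", csp.GetName())
				continue
			}
			err = clusterWatcher.Secv1Client.SecurityV1().KubeArmorClusterPolicies().Delete(context.Background(), csp.GetName(), metav1.DeleteOptions{})
			if err != nil && !metav1errors.IsNotFound(err) {
				clusterWatcher.Log.Warnf("error deleting csp %s: %v", csp.GetName(), err)
				continue
			}
			clusterWatcher.Log.Infof("deleted csp %s", csp.GetName())
		}
```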
+++ b/pkg/KubeArmorOperator/internal/controller/resources.go @@ -748,6 +748,10 @@ func (clusterWatcher *ClusterWatcher) WatchRequiredResources() { clusterWatcher.Log.Error(err.Error()) } + if err := clusterWatcher.WatchRecommendedPolicies(); err != nil { + installErr = err + } + // update operatingConfigCrd status to Running if common.OperatorConfigCrd != nil { if installErr != nil { diff --git a/pkg/KubeArmorOperator/k8s/client.go b/pkg/KubeArmorOperator/k8s/client.go index 8de18717bc..de87ed2f9c 100644 --- a/pkg/KubeArmorOperator/k8s/client.go +++ b/pkg/KubeArmorOperator/k8s/client.go @@ -6,6 +6,7 @@ package k8s import ( "os" + secv1client "github.com/kubearmor/KubeArmor/pkg/KubeArmorController/client/clientset/versioned" opv1client "github.com/kubearmor/KubeArmor/pkg/KubeArmorOperator/client/clientset/versioned" "go.uber.org/zap" apiextensionsclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" 
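Review bot: `installErr` is only set when `WatchRecommendedPolicies` fails to read the embedded FS; every API failure inside it (Forbidden, decode error, update conflict) is logged and skipped, so the KubeArmorConfig status goes to Running even when none of the recommended policies were created. That matters here because the diffstat shows no RBAC change: unless the operator's ClusterRole already grants create/get/update/delete on `kubearmorclusterpolicies`, every `Create` will be Forbidden and silently swallowed. Have `WatchRecommendedPolicies` aggregate its per-policy errors and return them, and log here like the sibling calls above: `clusterWatcher.Log.Error(err.Error())` before `installErr = err`.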
@@ -117,3 +118,40 @@ func NewOpv1Client(log zap.SugaredLogger, kubeconfig string) *opv1client.Clients return client } + +func NewSecv1Client(log zap.SugaredLogger, kubeconfig string) *secv1client.Clientset { + var cfg *rest.Config + log.Info("Trying to load InCluster configuration") + inClusterConfig, err := rest.InClusterConfig() + if err == rest.ErrNotInCluster { + log.Info("Not inside a k8s Cluster, Loading kubeconfig") + kubeConfig, err := clientcmd.NewNonInteractiveDeferredLoadingClientConfig( + &clientcmd.ClientConfigLoadingRules{ExplicitPath: kubeconfig}, + &clientcmd.ConfigOverrides{}).ClientConfig() + if err != nil { + log.Errorf("Couldn't load configuration from kubeconfig Error=%s", err.Error()) + os.Exit(1) + } + log.Info("Loaded configuration from kubeconfig") + cfg = kubeConfig + } else if err != nil { + log.Errorf("Couldn't load inCluster configuration Error=%s", err.Error()) + os.Exit(1) + + } else { + log.Info("Loaded InCluster configuration") + cfg = inClusterConfig + } + + client, err := secv1client.NewForConfig(cfg) + if err != nil { + log.Errorf("Couldn't create operatorv1 clientset Error=%s", err.Error()) + os.Exit(1) + } + + if client == nil { + log.Warn("opv1client is nil") + } + + return client +} diff --git a/pkg/KubeArmorOperator/recommend/harden-cronjob-cfg.yaml b/pkg/KubeArmorOperator/recommend/harden-cronjob-cfg.yaml new file mode 100644 index 0000000000..92203858aa --- /dev/null +++ b/pkg/KubeArmorOperator/recommend/harden-cronjob-cfg.yaml 
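Review bot: The error and warning strings in `NewSecv1Client` were copied from `NewOpv1Client` and still say `operatorv1 clientset` / `opv1client is nil`, which sends whoever reads the log to the wrong client; use `log.Errorf("Couldn't create securityv1 clientset Error=%s", err.Error())` and `log.Warn("secv1client is nil")`. The `client == nil` check after a nil-error `NewForConfig` is unreachable and can go. This is now the third copy of the same in-cluster/kubeconfig loading sequence in this file, so a `loadRestConfig(log, kubeconfig) *rest.Config` helper shared by `NewExtClient`, `NewOpv1Client` and `NewSecv1Client` would keep the three from drifting.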
@@ -0,0 +1,39 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-cronjob-cfg
+spec:
+ action: Audit
+ file:
+ matchDirectories:
+ - dir: /etc/cron.d/
+ recursive: true
+ - dir: /etc/cron.daily/
+ recursive: true
+ - dir: /etc/cron.hourly/
+ recursive: true
+ - dir: /etc/cron.monthly/
+ recursive: true
+ - dir: /etc/cron.weekly/
+ recursive: true
+ - dir: /var/cron/
+ recursive: true
+ - dir: /var/spool/cron/
+ recursive: true
+ matchPaths:
+ - path: /etc/crontab
+ message: Alert! Access to cron job files/directories detected.
+ selector:
+ matchExpressions:
+ severity: 5
+ tags:
+ - CIS
+ - CIS_5.1_Configure_Cron
+ - CIS_Linux
+ - NIST
+ - NIST_800-53_SI-4
+ - SI-4
+
diff --git a/pkg/KubeArmorOperator/recommend/harden-crypto-miners.yaml b/pkg/KubeArmorOperator/recommend/harden-crypto-miners.yaml
new file mode 100644
index 0000000000..6aaa329f2d
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-crypto-miners.yaml
@@ -0,0 +1,42 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-crypto-miners
+spec:
+ action: Block
+ file:
+ matchDirectories:
+ - dir: /bin/
+ readOnly: true
+ recursive: true
+ - dir: /boot/
+ readOnly: true
+ recursive: true
+ - dir: /sbin/
+ readOnly: true
+ recursive: true
+ - dir: /usr/bin/
+ readOnly: true
+ recursive: true
+ - dir: /usr/local/bin/
+ readOnly: true
+ recursive: true
+ - dir: /var/local/bin/
+ readOnly: true
+ recursive: true
+ message: cryptominer detected and blocked
+ process:
+ matchDirectories:
+ - dir: /tmp/
+ recursive: true
+ selector:
+ matchExpressions:
+ severity: 10
+ tags:
+ - MITRE
+ - MITRE_T1496_resource_hijacking
+ - cryptominer
+
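Review bot: `harden-crypto-miners` is a `Block` policy that denies every exec from `/tmp/` and every write under `/bin/`, `/sbin/`, `/usr/bin/`, `/usr/local/bin/` and `/boot/` in all selected namespaces; installers and entrypoints that unpack to `/tmp` and run from there will fail hard rather than just alert, and the file rules duplicate `harden-file-integrity-monitoring` in the same patch (same directories, both `Block`), so one violation will raise two alerts. Consider `Audit` for the `/tmp/` exec rule in a default recommendation, or state in the policy `message` that this set targets already-hardened workloads, and drop the overlapping file rules from one of the two policies.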
diff --git a/pkg/KubeArmorOperator/recommend/harden-file-integrity-monitoring.yaml b/pkg/KubeArmorOperator/recommend/harden-file-integrity-monitoring.yaml
new file mode 100644
index 0000000000..c74046fe3c
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-file-integrity-monitoring.yaml
@@ -0,0 +1,41 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-file-integrity-monitoring
+spec:
+ action: Block
+ file:
+ matchDirectories:
+ - dir: /bin/
+ readOnly: true
+ recursive: true
+ - dir: /boot/
+ readOnly: true
+ recursive: true
+ - dir: /sbin/
+ readOnly: true
+ recursive: true
+ - dir: /usr/bin/
+ readOnly: true
+ recursive: true
+ - dir: /usr/lib/
+ readOnly: true
+ recursive: true
+ - dir: /usr/sbin/
+ readOnly: true
+ recursive: true
+ message: Detected and prevented compromise to File integrity
+ selector:
+ matchExpressions:
+ severity: 1
+ tags:
+ - MITRE
+ - MITRE_T1036_masquerading
+ - MITRE_T1565_data_manipulation
+ - NIST
+ - NIST_800-53_AU-2
+ - NIST_800-53_SI-4
+
diff --git a/pkg/KubeArmorOperator/recommend/harden-impair-defense.yaml b/pkg/KubeArmorOperator/recommend/harden-impair-defense.yaml
new file mode 100644
index 0000000000..7d555b384d
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-impair-defense.yaml
@@ -0,0 +1,28 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-impair-defense
+spec:
+ action: Audit
+ file:
+ matchDirectories:
+ - dir: /etc/apparmor.d/
+ recursive: true
+ - dir: /etc/sysconfig/selinux/
+ recursive: true
+ matchPaths:
+ - path: /etc/selinux/semanage.conf
+ message: Selinux Files Accessed by Unknown Process
+ selector:
+ matchExpressions:
+ severity: 6
+ tags:
+ - 5G
+ - FGT1562
+ - FIGHT
+ - MITRE
+ - MITRE_T1562_Impair _Defenses
+
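Review bot: The tag `MITRE_T1562_Impair _Defenses` in `harden-impair-defense` contains a stray space, which breaks any consumer that filters or groups on tags; write `MITRE_T1562_Impair_Defenses`. The message `Selinux Files Accessed by Unknown Process` undersells the rule, which also audits `/etc/apparmor.d/`; `SELinux/AppArmor configuration accessed by unknown process` is accurate. `/etc/sysconfig/selinux/` is treated as a directory here, but on RHEL-family systems that path is, to my knowledge, a file symlinked to `/etc/selinux/config`, so `/etc/selinux/` as the recursive directory is probably what was intended — please verify.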
diff --git a/pkg/KubeArmorOperator/recommend/harden-k8s-client-tool-exec.yaml b/pkg/KubeArmorOperator/recommend/harden-k8s-client-tool-exec.yaml
new file mode 100644
index 0000000000..a2c17d11bb
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-k8s-client-tool-exec.yaml
@@ -0,0 +1,38 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-k8s-client-tool-exec
+spec:
+ action: Block
+ message: Alert! k8s client tool executed inside the container.
+ process:
+ matchPaths:
+ - path: /usr/bin/docker
+ - path: /usr/bin/cri-ctl
+ - path: /usr/bin/kubectl
+ matchPatterns:
+ - pattern: /*/*/*/kubectl
+ - pattern: /*/*/kubectl
+ - pattern: /*/kubectl
+ - pattern: /*/*/*/cri-ctl
+ - pattern: /*/*/cri-ctl
+ - pattern: /*/cri-ctl
+ - pattern: /*/*/*/docker
+ - pattern: /*/*/docker
+ - pattern: /*/docker
+ selector:
+ matchExpressions:
+ severity: 5
+ tags:
+ - MITRE
+ - MITRE_T1609_container_administration_command
+ - MITRE_T1610_deploy_container
+ - MITRE_TA0002_execution
+ - NIST
+ - NIST_800-53
+ - NIST_800-53_AU-2
+ - NIST_800-53_SI-4
+
diff --git a/pkg/KubeArmorOperator/recommend/harden-maint-tools-access.yaml b/pkg/KubeArmorOperator/recommend/harden-maint-tools-access.yaml
new file mode 100644
index 0000000000..0e45d0344f
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-maint-tools-access.yaml
@@ -0,0 +1,22 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-maint-tools-access
+spec:
+ action: Audit
+ message: restricted maintenance tool access attempt detected
+ process:
+ matchDirectories:
+ - dir: /sbin/
+ recursive: true
+ selector:
+ matchExpressions:
+ severity: 1
+ tags:
+ - MITRE
+ - MITRE_T1553_Subvert_Trust_Controls
+ - PCI_DSS
+
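Review bot: The CRI client binary is `crictl`, not `cri-ctl`; `/usr/bin/cri-ctl` and the three `/*/…/cri-ctl` patterns in `harden-k8s-client-tool-exec` will never match a real install, so that tool is not covered by the policy at all. Replace them with `/usr/bin/crictl` and `/*/*/*/crictl`, `/*/*/crictl`, `/*/crictl`. The explicit `/usr/bin/docker` and `/usr/bin/kubectl` entries appear to be subsumed by the `/*/*/docker`-style patterns, so they can be dropped or kept purely for readability.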
diff --git a/pkg/KubeArmorOperator/recommend/harden-network-service-scanning.yaml b/pkg/KubeArmorOperator/recommend/harden-network-service-scanning.yaml
new file mode 100644
index 0000000000..48f2934cc4
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-network-service-scanning.yaml
@@ -0,0 +1,38 @@
+apiVersion: security.kubearmor.com/v1
+kind: kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-network-service-scanning
+spec:
+ action: Audit
+ message: Network service has been scanned!
+ process:
+ matchPaths:
+ - path: /usr/bin/netstat
+ - path: /bin/netstat
+ - path: /usr/sbin/ip
+ - path: /usr/bin/ip
+ - path: /sbin/ip
+ - path: /bin/ip
+ - path: /usr/sbin/iw
+ - path: /sbin/iw
+ - path: /usr/sbin/ethtool
+ - path: /sbin/ethtool
+ - path: /usr/sbin/ifconfig
+ - path: /sbin/ifconfig
+ - path: /usr/sbin/arp
+ - path: /sbin/arp
+ - path: /usr/sbin/iwconfig
+ - path: /sbin/iwconfig
+ selector:
+ matchExpressions:
+ severity: 5
+ tags:
+ - 5G
+ - FGT1046
+ - FIGHT
+ - MITRE
+ - MITRE_T1046_Network_Service_Discovery
+
diff --git a/pkg/KubeArmorOperator/recommend/harden-pkg-mngr-exec.yaml b/pkg/KubeArmorOperator/recommend/harden-pkg-mngr-exec.yaml
new file mode 100644
index 0000000000..cf1cdf64b3
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-pkg-mngr-exec.yaml
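Review bot: `kind: kind: KubeArmorClusterPolicy` is not valid YAML (a mapping value inside a mapping value), so `runtime.DecodeInto` in `WatchRecommendedPolicies` will fail on this file, log `error decoding csp` and `continue`, and the network-scanning policy is silently never installed. Fix the line to `kind: KubeArmorClusterPolicy`. A small test in the `recommend` package that decodes every embedded `*.yaml` into a `KubeArmorClusterPolicy` and asserts kind and name would catch this class of typo at build time instead of in a warning log.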
@@ -0,0 +1,53 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-pkg-mngr-exec
+spec:
+ action: Block
+ message: Alert! Execution of package management process inside container is denied
+ process:
+ matchPaths:
+ - path: /usr/bin/apt
+ - path: /usr/bin/apt-get
+ - path: /bin/apt-get
+ - path: /bin/apt
+ - path: /sbin/apk
+ - path: /usr/bin/dpkg
+ - path: /bin/dpkg
+ - path: /usr/bin/gdebi
+ - path: /bin/gdebi
+ - path: /usr/bin/make
+ - path: /bin/make
+ - path: /usr/bin/yum
+ - path: /bin/yum
+ - path: /usr/bin/rpm
+ - path: /bin/rpm
+ - path: /usr/bin/dnf
+ - path: /bin/dnf
+ - path: /usr/bin/pacman
+ - path: /usr/sbin/pacman
+ - path: /bin/pacman
+ - path: /sbin/pacman
+ - path: /usr/bin/makepkg
+ - path: /usr/sbin/makepkg
+ - path: /bin/makepkg
+ - path: /sbin/makepkg
+ - path: /usr/bin/yaourt
+ - path: /usr/sbin/yaourt
+ - path: /bin/yaourt
+ - path: /sbin/yaourt
+ - path: /usr/bin/zypper
+ - path: /bin/zypper
+ selector:
+ matchExpressions:
+ severity: 5
+ tags:
+ - NIST
+ - NIST_800-53_CM-7(4)
+ - NIST_800-53_SI-4
+ - SI-4
+ - process
+
diff --git a/pkg/KubeArmorOperator/recommend/harden-remote-services.yaml b/pkg/KubeArmorOperator/recommend/harden-remote-services.yaml
new file mode 100644
index 0000000000..5d1e31e363
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-remote-services.yaml
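Review bot: `/usr/bin/make` and `/bin/make` are listed in a `Block` policy whose name, tags and message all describe package-manager execution; `make` is a build tool, and blocking it cluster-wide will break build/CI and source-install workloads with an alert (`Execution of package management process … denied`) that gives no hint why. Either drop `make` from this policy or move it into a separately named build-tools policy. Coverage is also uneven across distros — `apk` is only matched at `/sbin/apk` while the others list both `/usr/bin` and `/bin` variants — so `matchPatterns` entries such as `/*/apk` and `/*/*/apk`, as `harden-k8s-client-tool-exec` does, would be more robust.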
@@ -0,0 +1,29 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-remote-services
+spec:
+ action: Audit
+ file:
+ matchDirectories:
+ - dir: /etc/ssh/
+ matchPaths:
+ - path: /etc/passwd
+ - path: /etc/shadow
+ - path: /var/log/auth.log
+ - path: /var/log/wtmp
+ - path: /var/run/utmp
+ message: Warning! access sensitive files detected
+ selector:
+ matchExpressions:
+ severity: 3
+ tags:
+ - 5G
+ - FGT1021
+ - FIGHT
+ - MITRE
+ - MITRE_T1021_Remote_Services
+
diff --git a/pkg/KubeArmorOperator/recommend/harden-system-owner-discovery.yaml b/pkg/KubeArmorOperator/recommend/harden-system-owner-discovery.yaml
new file mode 100644
index 0000000000..dae60337ea
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-system-owner-discovery.yaml
@@ -0,0 +1,23 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-system-owner-discovery
+spec:
+ action: Block
+ message: System owner discovery command execution denied
+ process:
+ matchPaths:
+ - path: /usr/bin/who
+ - path: /usr/bin/w
+ - path: /usr/bin/id
+ - path: /usr/bin/whoami
+ selector:
+ matchExpressions:
+ severity: 3
+ tags:
+ - MITRE
+ - MITRE_T1082_system_information_discovery
+
diff --git a/pkg/KubeArmorOperator/recommend/harden-trusted-cert-mod.yaml b/pkg/KubeArmorOperator/recommend/harden-trusted-cert-mod.yaml
new file mode 100644
index 0000000000..b7e97d20b9
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-trusted-cert-mod.yaml
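Review bot: `harden-system-owner-discovery` uses `action: Block` on `/usr/bin/id` and `/usr/bin/whoami`; container entrypoint scripts commonly call `id -u` or `whoami` to decide whether to drop privileges, so as a default recommendation applied to every non-excluded namespace this breaks workloads rather than surfacing discovery — which is presumably why the comparable `harden-maint-tools-access` and `harden-network-service-scanning` policies in this patch use `Audit`. Suggest `action: Audit` here, or spell out the hard-fail in the policy `message`. Unlike the other policies in this set, only `/usr/bin/` paths are listed, so images without a merged `/usr` are not covered by the `/bin/` variants.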
@@ -0,0 +1,30 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-trusted-cert-mod
+spec:
+ action: Block
+ file:
+ matchDirectories:
+ - dir: /etc/pki/
+ readOnly: true
+ recursive: true
+ - dir: /etc/ssl/
+ readOnly: true
+ recursive: true
+ - dir: /usr/local/share/ca-certificates/
+ readOnly: true
+ recursive: true
+ message: Credentials modification denied
+ selector:
+ matchExpressions:
+ severity: 1
+ tags:
+ - FGT1555
+ - FIGHT
+ - MITRE
+ - MITRE_T1552_unsecured_credentials
+
diff --git a/pkg/KubeArmorOperator/recommend/harden-write-etc-dir.yaml b/pkg/KubeArmorOperator/recommend/harden-write-etc-dir.yaml
new file mode 100644
index 0000000000..2bb6a14548
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-write-etc-dir.yaml
@@ -0,0 +1,30 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-write-etc-dir
+spec:
+ action: Block
+ file:
+ matchDirectories:
+ - dir: /etc/
+ readOnly: true
+ recursive: true
+ message: Alert! File creation under /etc/ directory detected.
+ selector:
+ matchExpressions:
+ severity: 5
+ tags:
+ - MITRE
+ - MITRE_T1036.005_match_legitimate_name_or_location
+ - MITRE_T1036_masquerading
+ - MITRE_T1562.001_disable_or_modify_tools
+ - MITRE_TA0003_persistence
+ - MITRE_TA0005_defense_evasion
+ - NIST
+ - NIST_800-53
+ - NIST_800-53_SI-4
+ - NIST_800-53_SI-7
+
diff --git a/pkg/KubeArmorOperator/recommend/harden-write-in-shm-dir.yaml b/pkg/KubeArmorOperator/recommend/harden-write-in-shm-dir.yaml
new file mode 100644
index 0000000000..e903d9e8a5
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-write-in-shm-dir.yaml
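Review bot: The message `Credentials modification denied` and tag `MITRE_T1552_unsecured_credentials` in `harden-trusted-cert-mod` do not describe what the policy does, which is block writes to the trust-store directories `/etc/pki/`, `/etc/ssl/` and `/usr/local/share/ca-certificates/`; a trust-control tag (the patch already uses `MITRE_T1553_Subvert_Trust_Controls` in `harden-maint-tools-access`) and a message such as `Trusted certificate store modification denied` would label the alert correctly. `/etc/pki/` and `/etc/ssl/` also sit inside the `/etc/` tree that `harden-write-etc-dir` blocks recursively, so with both enabled one write produces two alerts.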
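Review bot: A recursive `Block` on writes anywhere under `/etc/` is the broadest rule in the set and is applied to every namespace the selector admits; images that render their configuration into `/etc/` at start-up (template-driven entrypoints are common for web servers and proxies) will fail to start, and the message `File creation under /etc/ directory detected` does not tell the responder that the write was denied. Either ship `harden-write-etc-dir` as `Audit` by default and let users promote it to `Block`, or make the hard-fail explicit in the message (`… detected and blocked`).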
@@ -0,0 +1,23 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-write-in-shm-dir
+ namespace: gmp-system
+spec:
+ action: Block
+ file:
+ matchDirectories:
+ - dir: /dev/shm/
+ readOnly: true
+ recursive: true
+ message: Alert! write to /dev/shm folder prevented.
+ selector:
+ matchExpressions:
+ severity: 5
+ tags:
+ - MITRE
+ - MITRE_TA0002_Execution
+
diff --git a/pkg/KubeArmorOperator/recommend/harden-write-under-dev-dir.yaml b/pkg/KubeArmorOperator/recommend/harden-write-under-dev-dir.yaml
new file mode 100644
index 0000000000..b2b7c25cf2
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/harden-write-under-dev-dir.yaml
@@ -0,0 +1,25 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+ annotations:
+ app.accuknox.com/source: KubeArmor Operator
+ app.accuknox.com/type: harden
+ name: harden-write-under-dev-dir
+spec:
+ action: Audit
+ file:
+ matchDirectories:
+ - dir: /dev/
+ readOnly: true
+ recursive: true
+ message: Alert! File creation under /dev/ directory detected.
+ selector:
+ matchExpressions:
+ severity: 5
+ tags:
+ - MITRE
+ - MITRE_T1036_masquerading
+ - NIST
+ - NIST_800-53_AU-2
+ - NIST_800-53_SI-4
+
diff --git a/pkg/KubeArmorOperator/recommend/recommend.go b/pkg/KubeArmorOperator/recommend/recommend.go
new file mode 100644
index 0000000000..eaad25b1b8
--- /dev/null
+++ b/pkg/KubeArmorOperator/recommend/recommend.go
@@ -0,0 +1,11 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Authors of KubeArmor
+
+package recommend
+
+import (
+ "embed"
+)
+
+//go:embed *.yaml
+var CRDFs embed.FS
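Review bot: `metadata.namespace: gmp-system` is set on `harden-write-in-shm-dir`, a cluster-scoped `KubeArmorClusterPolicy`; it looks like a leftover from the environment the manifest was exported from, and depending on the API server version the field is either silently cleared or the `Create` is rejected. Remove the line so this manifest is consistent with the other embedded policies.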
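Review bot: `harden-write-under-dev-dir` audits every write-open under `/dev/` recursively; if KubeArmor matches `/dev/null`, `/dev/stdout` and `/dev/stderr` like any other path under this rule, every shell redirection and every process logging to stdout will generate an event, which is a flood rather than a signal and will also eat into the alert throttling budget. Confirm how those device nodes are treated; if they are matched, narrow the rule to the locations where creation of new nodes is the concern, since `File creation under /dev/` is what the message claims to detect.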
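Review bot: `CRDFs` is exported with no doc comment, and the name suggests CustomResourceDefinitions while the embedded files are `KubeArmorClusterPolicy` instances that `WatchRecommendedPolicies` creates and deletes. A comment avoids the confusion without a rename: `// CRDFs holds the embedded recommended KubeArmorClusterPolicy manifests (*.yaml) that the operator installs when recommendedPolicies.enable is set and removes when it is cleared.`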