Add HSP test suite for non-k8s mode

Signed-off-by: Navin Chandra <[email protected]>
kubearmor · Aug 29, 2024 · efd2916 · efd2916
1 parent fa32cc6
commit efd2916
Show file tree

Hide file tree

Showing 13 changed files with 606 additions and 0 deletions.
diff --git a/tests/nonk8s_env/hsp/hsp_suite_test.go b/tests/nonk8s_env/hsp/hsp_suite_test.go
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Authors of KubeArmor
+
+package hsp_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestHsp(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Hsp Suite")
+}
diff --git a/tests/nonk8s_env/hsp/hsp_test.go b/tests/nonk8s_env/hsp/hsp_test.go
@@ -0,0 +1,304 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Authors of KubeArmor
+
+package hsp
+
+import (
+	"os"
+	"time"
+
+	. "github.com/kubearmor/KubeArmor/tests/util"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Non-k8s HSP tests", func() {
+
+	AfterEach(func() {
+		KarmorLogStop()
+	})
+
+	BeforeEach(func() {
+		// Set the environment variable
+		os.Setenv("KUBEARMOR_SERVICE", ":32767")
+	})
+
+	Describe("HSP file path block", func() {
+
+		It("can block access to /etc/hostname on the host", func() {
+
+			policyPath := "res/hsp-kubearmor-dev-file-path-block.yaml"
+			err := SendPolicy("ADDED", policyPath)
+			Expect(err).To(BeNil())
+
+			// Start the karmor logs
+			err = KarmorLogStart("policy", "", "File", "")
+			Expect(err).To(BeNil())
+
+			// Access the /etc/hostname file
+			out, err := ExecCommandHost([]string{"bash", "-c", "cat /etc/hostname"})
+			Expect(err).NotTo(BeNil())
+			Expect(out).To(MatchRegexp(".*Permission denied"))
+
+			// check policy violation alert
+			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(len(alerts)).To(BeNumerically(">=", 1))
+			Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-block"))
+			Expect(alerts[0].Severity).To(Equal("5"))
+			Expect(alerts[0].Action).To(Equal("Block"))
+
+			// delete the policy
+			err = SendPolicy("DELETED", policyPath)
+			Expect(err).To(BeNil())
+
+		})
+	})
+
+	Describe("HSP Process path block", func() {
+
+		It("can block execution of diff command in host", func() {
+
+			policyPath := "res/hsp-kubearmor-dev-proc-path-block.yaml"
+			err := SendPolicy("ADDED", policyPath)
+			Expect(err).To(BeNil())
+
+			// Start the karmor logs
+			err = KarmorLogStart("policy", "", "Process", "")
+			Expect(err).To(BeNil())
+
+			// call the diff command
+			out, err := ExecCommandHost([]string{"bash", "-c", "diff --help"})
+			Expect(err).NotTo(BeNil())
+			Expect(out).To(MatchRegexp(".*Permission denied"))
+
+			// check policy violation alert
+			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(len(alerts)).To(BeNumerically(">=", 1))
+			Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block"))
+			Expect(alerts[0].Severity).To(Equal("5"))
+			Expect(alerts[0].Action).To(Equal("Block"))
+
+			// delete the policy
+			err = SendPolicy("DELETED", policyPath)
+			Expect(err).To(BeNil())
+		})
+	})
+
+	Describe("HSP dir block from source", func() {
+
+		It("can allow access to everything except /etc/default/* from head", func() {
+
+			policyPath := "res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml"
+			err := SendPolicy("ADDED", policyPath)
+			Expect(err).To(BeNil())
+
+			// Start the karmor logs
+			err = KarmorLogStart("policy", "", "File", "")
+			Expect(err).To(BeNil())
+
+			// call the head command
+			out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/hostname"})
+			Expect(err).To(BeNil())
+			Expect(out).NotTo(MatchRegexp(".*Permission denied"))
+
+			// check policy violation alert
+			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(len(alerts)).To(BeNumerically("==", 0))
+
+			// delete the policy
+			err = SendPolicy("DELETED", policyPath)
+			Expect(err).To(BeNil())
+		})
+
+		It("can block access to /etc/default/* from head", func() {
+
+			policyPath := "res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml"
+			err := SendPolicy("ADDED", policyPath)
+			Expect(err).To(BeNil())
+
+			// Start the karmor logs
+			err = KarmorLogStart("policy", "", "File", "")
+			Expect(err).To(BeNil())
+
+			// call the head command
+			out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/default/useradd"})
+			Expect(err).NotTo(BeNil())
+			Expect(out).To(MatchRegexp(".*Permission denied"))
+
+			// check policy violation alert
+			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(len(alerts)).To(BeNumerically(">=", 1))
+			Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-dir-block-fromsource"))
+			Expect(alerts[0].Severity).To(Equal("5"))
+			Expect(alerts[0].Action).To(Equal("Block"))
+
+			// delete the policy
+			err = SendPolicy("DELETED", policyPath)
+			Expect(err).To(BeNil())
+		})
+	})
+
+	Describe("HSP file audit", func() {
+
+		It("can audit access to /etc/passwd", func() {
+
+			policyPath := "res/hsp-kubearmor-dev-file-path-audit.yaml"
+			err := SendPolicy("ADDED", policyPath)
+			Expect(err).To(BeNil())
+
+			// Start the karmor logs
+			err = KarmorLogStart("policy", "", "File", "")
+			Expect(err).To(BeNil())
+
+			// try to access the /etc/passwd file
+			out, err := ExecCommandHost([]string{"bash", "-c", "cat /etc/passwd"})
+			Expect(err).To(BeNil())
+			Expect(out).ToNot(MatchRegexp(".*Permission denied"))
+
+			// check audit alerts
+			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(len(alerts)).To(BeNumerically(">=", 1))
+			Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-audit"))
+			Expect(alerts[0].Severity).To(Equal("5"))
+			Expect(alerts[0].Action).To(Equal("Audit"))
+
+			// delete the policy
+			err = SendPolicy("DELETED", policyPath)
+			Expect(err).To(BeNil())
+		})
+	})
+
+	Describe("HSP path block from source", func() {
+
+		It("It can block access to /etc/hostname from head", func() {
+
+			policyPath := "res/hsp-kubearmor-dev-file-path-block-fromSource.yaml"
+			err := SendPolicy("ADDED", policyPath)
+			Expect(err).To(BeNil())
+
+			// Start the karmor logs
+			err = KarmorLogStart("policy", "", "File", "")
+			Expect(err).To(BeNil())
+
+			// try to access the /etc/hostname file from head
+			out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/hostname"})
+			Expect(err).NotTo(BeNil())
+			Expect(out).To(MatchRegexp(".*Permission denied"))
+
+			// check policy violation alert
+			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(len(alerts)).To(BeNumerically(">=", 1))
+			Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-block-fromsource"))
+			Expect(alerts[0].Severity).To(Equal("5"))
+			Expect(alerts[0].Action).To(Equal("Block"))
+
+			// delete the policy
+			err = SendPolicy("DELETED", policyPath)
+			Expect(err).To(BeNil())
+		})
+	})
+
+	// Describe("HSP Process path block from source", func() {
+
+	// 	It("can block date command from bash", func() {
+
+	// 		policyPath := "res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml"
+	// 		err := SendPolicy("ADDED", policyPath)
+	// 		Expect(err).To(BeNil())
+
+	// 		// Start the karmor logs
+	// 		err = KarmorLogStart("policy", "", "Process", "")
+	// 		Expect(err).To(BeNil())
+
+	// 		// call the date command from bash
+	// 		out, err := ExecCommandHost([]string{"bash", "-c", "date"})
+	// 		Expect(err).To(BeNil())
+	// 		Expect(out).To(MatchRegexp(".*Permission denied"))
+
+	// 		// // execute ls command from bash
+	// 		// out2, err := ExecCommandHost([]string{"bash", "-c", "ls"})
+	// 		// Expect(err).To(BeNil())
+	// 		// Expect(out2).NotTo(MatchRegexp(".*Permission denied"))
+
+	// 		// check policy violation alert
+	// 		_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+	// 		Expect(err).To(BeNil())
+	// 		Expect(len(alerts)).To(BeNumerically(">=", 1))
+	// 		Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block-fromsource"))
+	// 		Expect(alerts[0].Severity).To(Equal("5"))
+	// 		Expect(alerts[0].Action).To(Equal("Block"))
+
+	// 		// delete the policy
+	// 		err = SendPolicy("DELETED", policyPath)
+	// 		Expect(err).To(BeNil())
+	// 	})
+	// })
+
+	Describe("HSP Process path block", func() {
+
+		It("can block diff command", func() {
+
+			policyPath := "res/hsp-kubearmor-dev-proc-path-block.yaml"
+			err := SendPolicy("ADDED", policyPath)
+			Expect(err).To(BeNil())
+
+			// Start the karmor logs
+			err = KarmorLogStart("policy", "", "Process", "")
+			Expect(err).To(BeNil())
+
+			// run diff command
+			out, err := ExecCommandHost([]string{"bash", "-c", "diff"})
+			Expect(err).NotTo(BeNil())
+			Expect(out).To(MatchRegexp(".*Permission denied"))
+
+			// check policy violation alert
+			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(len(alerts)).To(BeNumerically(">=", 1))
+			Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block"))
+			Expect(alerts[0].Severity).To(Equal("5"))
+			Expect(alerts[0].Action).To(Equal("Block"))
+
+			// delete the policy
+			err = SendPolicy("DELETED", policyPath)
+			Expect(err).To(BeNil())
+		})
+	})
+
+	Describe("HSP Network path block", func() {
+
+		It("can block access to UDP protocol from curl", func() {
+
+			policyPath := "res/hsp-kubearmor-dev-udp-block.yaml"
+			err := SendPolicy("ADDED", policyPath)
+			Expect(err).To(BeNil())
+
+			// Start the karmor logs
+			err = KarmorLogStart("policy", "", "Network", "")
+			Expect(err).To(BeNil())
+
+			// run diff command
+			out, err := ExecCommandHost([]string{"bash", "-c", "curl google.com"})
+			Expect(err).NotTo(BeNil())
+			Expect(out).To(MatchRegexp(".*Could not resolve host: google.com"))
+
+			// check policy violation alert
+			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(len(alerts)).To(BeNumerically(">=", 1))
+			Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-udp-block-curl"))
+			Expect(alerts[0].Severity).To(Equal("5"))
+			Expect(alerts[0].Action).To(Equal("Block"))
+
+			// delete the policy
+			err = SendPolicy("DELETED", policyPath)
+			Expect(err).To(BeNil())
+		})
+	})
+})
diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml
@@ -0,0 +1,29 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-file-dir-allow-fromsource
+spec:
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: "*"
+  severity: 5
+  file:
+    matchDirectories:
+    - dir: /etc/default/
+      recursive: true
+      fromSource:
+      - path: /usr/bin/head
+  action:
+    Allow
+
+# kubearmor-dev_test_08
+
+# test
+# $ head /etc/default/useradd
+# Default values for useradd(8) ...
+# $ head /etc/hostname
+# head: /etc/hostname: Permission denied
+
+# expectation
+# /usr/bin/head can only access /etc/default/*
+# /usr/bin/head cannot access any others
diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml
@@ -0,0 +1,28 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-file-dir-block-fromsource
+spec:
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: "*"
+  severity: 5
+  file:
+    matchDirectories:
+    - dir: /etc/default/
+      fromSource:
+      - path: /usr/bin/head
+  action:
+    Block
+
+# kubearmor-dev_test_09
+
+# test
+# $ head /etc/default/useradd
+# head: useradd: Permission denied
+# $ head /etc/hostname
+# kubearmor-dev
+
+# expectation
+# /usr/bin/head cannot access /etc/default/*
+# /usr/bin/head can access any others