

Updated the static policies under res/out and updated kubearmor dependency

Signed-off-by: Ishaan Jain <ishaan454@gmail.com>

updated extract tar function to be compatible with docker v26

Signed-off-by: Ishaan Jain <ishaan454@gmail.com>

fixed error handling of f.Seek()

Signed-off-by: Ishaan Jain <ishaan454@gmail.com>

Removed write-under-bin-dir type policy and instead added file-integrity-monitoring policy to res/out

Signed-off-by: Ishaan Jain <ishaan454@gmail.com>

fixed minor changes

Signed-off-by: Ishaan Jain <ishaan454@gmail.com>
Ishaanj18 committed Jul 22, 2024
1 parent a64b744 commit 95c50ea
Showing 7 changed files with 124 additions and 123 deletions.
105 changes: 64 additions & 41 deletions recommend/registry/registry.go
Expand Up @@ -213,63 +213,86 @@ func extractTar(tarname string, tempDir string) ([]string, []string) {
}).Fatal("os create failed")
}
defer hacks.CloseCheckErr(f, tarname)

tr := tar.NewReader(bufio.NewReader(f))
for {
hdr, err := tr.Next()
if err == io.EOF {
break // End of archive
}
if err != nil {
log.WithError(err).Fatal("tar next failed")
}

tgt, err := sanitizeArchivePath(tempDir, hdr.Name)
if isTarFile(f) {
_, err := f.Seek(0, 0)
if err != nil {
log.WithError(err).WithFields(log.Fields{
"file": hdr.Name,
}).Error("ignoring file since it could not be sanitized")
continue
"tar": tarname,
}).Fatal("Failed to seek to the beginning of the file")
}

switch hdr.Typeflag {
case tar.TypeDir:
if _, err := os.Stat(tgt); err != nil {
if err := os.MkdirAll(tgt, 0750); err != nil {
log.WithError(err).WithFields(log.Fields{
"target": tgt,
}).Fatal("tar mkdirall")
}
tr := tar.NewReader(bufio.NewReader(f))
for {
hdr, err := tr.Next()
if err == io.EOF {
break // End of archive
}
if err != nil {
log.WithError(err).Error("tar next failed")
return nil, nil
}
dl = append(dl, tgt)
case tar.TypeReg:
f, err := os.OpenFile(filepath.Clean(tgt), os.O_CREATE|os.O_RDWR, os.FileMode(hdr.Mode))

tgt, err := sanitizeArchivePath(tempDir, hdr.Name)
if err != nil {
log.WithError(err).WithFields(log.Fields{
"target": tgt,
}).Error("tar open file")
} else {
"file": hdr.Name,
}).Error("ignoring file since it could not be sanitized")
continue
}

// copy over contents
if _, err := io.CopyN(f, tr, 2e+9 /*2GB*/); err != io.EOF {
switch hdr.Typeflag {
case tar.TypeDir:
if _, err := os.Stat(tgt); err != nil {
if err := os.MkdirAll(tgt, 0750); err != nil {
log.WithError(err).WithFields(log.Fields{
"target": tgt,
}).Fatal("tar mkdirall")
}
}
dl = append(dl, tgt)
case tar.TypeReg:
f, err := os.OpenFile(filepath.Clean(tgt), os.O_CREATE|os.O_RDWR, os.FileMode(hdr.Mode))
if err != nil {
log.WithError(err).WithFields(log.Fields{
"target": tgt,
}).Fatal("tar io.Copy()")
}).Error("tar open file")
} else {

// copy over contents
if _, err := io.CopyN(f, tr, 2e+9 /*2GB*/); err != io.EOF {
log.WithError(err).WithFields(log.Fields{
"target": tgt,
}).Fatal("tar io.Copy()")
}
}
hacks.CloseCheckErr(f, tgt)
if strings.HasSuffix(tgt, "layer.tar") {
ifl, idl := extractTar(tgt, tempDir)
fl = append(fl, ifl...)
dl = append(dl, idl...)
} else if strings.HasPrefix(hdr.Name, "blobs/") {
ifl, idl := extractTar(tgt, tempDir)
fl = append(fl, ifl...)
dl = append(dl, idl...)

} else {
fl = append(fl, tgt)
}
}
hacks.CloseCheckErr(f, tgt)
if strings.HasSuffix(tgt, "layer.tar") { // deflate container image layer
ifl, idl := extractTar(tgt, tempDir)
fl = append(fl, ifl...)
dl = append(dl, idl...)
} else {
fl = append(fl, tgt)
}
}
} else {
log.WithFields(log.Fields{
"file": tarname,
}).Error("Not a valid tar file")
}
return fl, dl
}

func isTarFile(f *os.File) bool {
tr := tar.NewReader(bufio.NewReader(f))
_, err := tr.Next()
return err == nil
}

func saveImageToTar(imageName string, cli *client.Client, tempDir string) string {
imgdata, err := cli.ImageSave(context.Background(), []string{imageName})
if err != nil {
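Review bot: The new `else if strings.HasPrefix(hdr.Name, "blobs/")` branch routes every regular file under blobs/ into extractTar, but an OCI layout keeps the image config and manifest JSON under blobs/ as well, so those now land in the `Not a valid tar file` Error path of the new isTarFile check and are dropped from fl instead of being appended as before. The two recursive branches are duplicates and can be folded into `if strings.HasSuffix(tgt, "layer.tar") || strings.HasPrefix(hdr.Name, "blobs/") {`; for the non-tar case, `fl = append(fl, tarname)` in the final else with the log lowered to Debug would restore the old result. Separately, the changed `tar next failed` path now does `return nil, nil`, which discards the fl/dl already collected for this archive and its nested layers, so the caller gets an empty result indistinguishable from an empty image — returning the partial `fl, dl` or surfacing the error would be safer. Nested archives are also followed with no depth bound; a depth counter or a cap on total extracted bytes next to the existing 2GB per-file limit would keep a malformed image from recursing deeply. extractTar's body begins before this hunk.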
@@ -1,31 +1,38 @@
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: ubuntu-18-04-system-monitoring-deny-write-under-bin-directory
name: ubuntu-18-04-file-integrity-monitoring
spec:
action: Block
file:
matchDirectories:
- dir: /bin/
- dir: /sbin/
readOnly: true
recursive: true
- dir: /sbin/
- dir: /usr/bin/
readOnly: true
recursive: true
- dir: /usr/lib/
readOnly: true
recursive: true
- dir: /usr/sbin/
readOnly: true
recursive: true
- dir: /usr/bin/
- dir: /bin/
readOnly: true
recursive: true
- dir: /boot/
readOnly: true
recursive: true
message: Alert! An attempt to write below system binary directories denied.
message: Detected and prevented compromise to File integrity
selector:
matchLabels:
kubearmor.io/container.name: ubuntu
severity: 5
severity: 1
tags:
- NIST
- NIST_800-53_AU-2
- NIST_800-53_SI-4
- MITRE
- MITRE_T1036_masquerading
- MITRE_T1565_data_manipulation
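Review bot: The new directory list covers `/usr/lib/` and `/boot/` but not `/lib/` and `/lib64/`, and on Ubuntu 18.04 those are, as far as I know, real directories rather than symlinks into /usr, so the dynamic loader and libc under /lib stay writable under a policy now named file-integrity-monitoring; adding `- dir: /lib/` and `- dir: /lib64/` with the same `readOnly: true` / `recursive: true` would close that gap, and the Debian-based wordpress variant below likely has the same layout. The severity also drops from 5 to 1 for a Block on writes to system binary directories, which reads as a downgrade rather than a relabel — if that is intentional it deserves a word in the commit message. The message `Detected and prevented compromise to File integrity` would be clearer as `Blocked a write to a protected system directory (file integrity)`.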
Expand Up @@ -11,35 +11,17 @@ spec:
severity: 5
process:
matchPaths:
- path: /usr/bin/apt
- path: /usr/bin/apt-get
- path: /bin/apt-get
- path: /sbin/apk
- path: /bin/apt
- path: /usr/bin/dpkg
- path: /bin/dpkg
- path: /usr/bin/gdebi
- path: /bin/gdebi
- path: /usr/bin/make
- path: /bin/make
- path: /usr/bin/yum
- path: /bin/yum
- path: /usr/bin/rpm
- path: /bin/rpm
- path: /usr/bin/dnf
- path: /bin/dnf
- path: /usr/bin/pacman
- path: /usr/sbin/pacman
- path: /bin/pacman
- path: /sbin/pacman
- path: /usr/bin/makepkg
- path: /usr/sbin/makepkg
- path: /bin/makepkg
- path: /sbin/makepkg
- path: /usr/bin/yaourt
- path: /usr/sbin/yaourt
- path: /bin/yaourt
- path: /sbin/yaourt
- path: /usr/bin/zypper
- path: /bin/zypper
- execname: apt
- execname: apt-get
- execname: apk
- execname: dpkg
- execname: gdebi
- execname: make
- execname: yum
- execname: rpm
- execname: dnf
- execname: pacman
- execname: makepkg
- execname: yaourt
- execname: zypper
action: Block
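Review bot: The switch from `path:` to `execname:` changes the match from a fixed location to the executable's name, so as I read KubeArmor's execname semantics the policy now also blocks a binary of that name at any path (for instance /usr/local/bin/make) and no longer depends on the distro's path layout — a useful broadening, but it is not recorded anywhere in the policy. A one-line comment above the list, such as `# execname matches on the executable name regardless of its path`, would explain why the per-path entries were dropped. The same applies to the who/w/id/whoami policy and the two wordpress variants below. If the updated KubeArmor is the first version that accepts execname in matchPaths, the minimum supported version should be stated too.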
Expand Up @@ -7,10 +7,10 @@ spec:
message: System owner discovery command execution denied
process:
matchPaths:
- path: /usr/bin/who
- path: /usr/bin/w
- path: /usr/bin/id
- path: /usr/bin/whoami
- execname: who
- execname: w
- execname: id
- execname: whoami
selector:
matchLabels:
kubearmor.io/container.name: ubuntu
@@ -1,32 +1,39 @@
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: wordpress-wordpress-4-8-apache-system-monitoring-deny-write-under-bin-directory
name: wordpress-wordpress-4-8-apache-file-integrity-monitoring
namespace: wordpress-mysql
spec:
action: Block
file:
matchDirectories:
- dir: /bin/
- dir: /sbin/
readOnly: true
recursive: true
- dir: /sbin/
- dir: /usr/bin/
readOnly: true
recursive: true
- dir: /usr/lib/
readOnly: true
recursive: true
- dir: /usr/sbin/
readOnly: true
recursive: true
- dir: /usr/bin/
- dir: /bin/
readOnly: true
recursive: true
- dir: /boot/
readOnly: true
recursive: true
message: Alert! An attempt to write below system binary directories denied.
message: Detected and prevented compromise to File integrity
selector:
matchLabels:
app: wordpress
severity: 5
severity: 1
tags:
- NIST
- NIST_800-53_AU-2
- NIST_800-53_SI-4
- MITRE
- MITRE_T1036_masquerading
- MITRE_T1565_data_manipulation
Expand Up @@ -12,35 +12,17 @@ spec:
severity: 5
process:
matchPaths:
- path: /usr/bin/apt
- path: /usr/bin/apt-get
- path: /bin/apt-get
- path: /sbin/apk
- path: /bin/apt
- path: /usr/bin/dpkg
- path: /bin/dpkg
- path: /usr/bin/gdebi
- path: /bin/gdebi
- path: /usr/bin/make
- path: /bin/make
- path: /usr/bin/yum
- path: /bin/yum
- path: /usr/bin/rpm
- path: /bin/rpm
- path: /usr/bin/dnf
- path: /bin/dnf
- path: /usr/bin/pacman
- path: /usr/sbin/pacman
- path: /bin/pacman
- path: /sbin/pacman
- path: /usr/bin/makepkg
- path: /usr/sbin/makepkg
- path: /bin/makepkg
- path: /sbin/makepkg
- path: /usr/bin/yaourt
- path: /usr/sbin/yaourt
- path: /bin/yaourt
- path: /sbin/yaourt
- path: /usr/bin/zypper
- path: /bin/zypper
- execname: apt
- execname: apt-get
- execname: apk
- execname: dpkg
- execname: gdebi
- execname: make
- execname: yum
- execname: rpm
- execname: dnf
- execname: pacman
- execname: makepkg
- execname: yaourt
- execname: zypper
action: Block
Expand Up @@ -8,10 +8,10 @@ spec:
message: System owner discovery command execution denied
process:
matchPaths:
- path: /usr/bin/who
- path: /usr/bin/w
- path: /usr/bin/id
- path: /usr/bin/whoami
- execname: who
- execname: w
- execname: id
- execname: whoami
selector:
matchLabels:
app: wordpress
