diff --git a/.github/workflows/self-hosted-file-monitor-with-hr.yml b/.github/workflows/self-hosted-file-monitor-with-hr.yml new file mode 100644 index 00000000..a5360856 --- /dev/null +++ b/.github/workflows/self-hosted-file-monitor-with-hr.yml @@ -0,0 +1,24 @@ +name: "Self-Hosted (VM): File Monitoring with Harden-Runner" +on: + workflow_dispatch: + +jobs: + build: + runs-on: [self-hosted, ec2] + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 18 + - name: npm install + run: | + cd ./src/backdoor-demo + npm install + - name: Publish to Registry + uses: elgohr/Publish-Docker-Github-Action@v5 + with: + name: ${{ github.repository }}/prod:latest + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + registry: ghcr.io + workdir: ./src/backdoor-demo diff --git a/.github/workflows/self-hosted-network-filtering-hr.yml b/.github/workflows/self-hosted-network-filtering-hr.yml new file mode 100644 index 00000000..d430f1a1 --- /dev/null +++ b/.github/workflows/self-hosted-network-filtering-hr.yml @@ -0,0 +1,33 @@ +name: "Self-Hosted (VM): Network Filtering with Harden-Runner" +on: + workflow_dispatch: + +jobs: + build: + runs-on: [self-hosted, ec2] + steps: + - name: Harden Runner + uses: step-security/harden-runner@self-hosted + with: + egress-policy: block + allowed-endpoints: > + *.docker.io:443 + ghcr.io:443 + github.com:443 + registry.npmjs.org:443 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 18 + - name: npm install + run: | + cd ./src/exfiltration-demo + npm install + - name: Publish to Registry + uses: elgohr/Publish-Docker-Github-Action@v5 + with: + name: ${{ github.repository }}/prod:latest + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + registry: ghcr.io + workdir: ./src/exfiltration-demo 
diff --git a/.github/workflows/self-hosted-network-monitoring-hr.yml b/.github/workflows/self-hosted-network-monitoring-hr.yml new file mode 100644 index 00000000..5f0ba232 --- /dev/null +++ b/.github/workflows/self-hosted-network-monitoring-hr.yml @@ -0,0 +1,24 @@ +name: "Self-Hosted (VM): Network Monitoring with Harden-Runner" +on: + workflow_dispatch: + +jobs: + build: + runs-on: [self-hosted, ec2] + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 18 + - name: npm install + run: | + cd ./src/exfiltration-demo + npm install + - name: Publish to Registry + uses: elgohr/Publish-Docker-Github-Action@v5 + with: + name: ${{ github.repository }}/prod:latest + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + registry: ghcr.io + workdir: ./src/exfiltration-demo diff --git a/docs/Solutions/MonitorSourceCode.md b/docs/Solutions/MonitorSourceCode.md index eb320d2c..e305f367 100644 --- a/docs/Solutions/MonitorSourceCode.md +++ b/docs/Solutions/MonitorSourceCode.md @@ -6,6 +6,7 @@ 1. [Detect File Tampering (GitHub-Hosted Runner)](#detect-file-tampering-github-hosted-runner) 2. [Detect File Tampering (Actions Runner Controller)](#detect-file-tampering-actions-runner-controller) +3. [Detect File Tampering (Self-Hosted VM Runners e.g. on EC2)](#detect-file-tampering-self-hosted-vm-runners-eg-on-ec2) ## Detect File Tampering (GitHub-Hosted Runner) 
@@ -60,3 +61,30 @@ For a demo of a workflow running on ARC with Harden Runner integrated, follow th https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6285439163 You can see that the file overwrite event is detected, without the need to add `harden-runner` to each job. + +## Detect File Tampering (Self-Hosted VM Runners e.g. on EC2) + +- Instead of adding the Harden-Runner GitHub Action in each workflow, you'll need to install the Harden-Runner agent on your runner image (e.g. AMI). This is typically done using packer. + +- The Harden-Runner agent monitors file events and correlates them with each step of the workflow. + +- Both ephemeral and persistent VM runners are supported. + +- You can access security insights and runtime detections under the Runtime Security tab in your dashboard. + +For a demo of a workflow running on self-hosted EC2 with Harden Runner integrated, follow this tutorial: + +### File Monitoring + +1. View this workflow file: + https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/arc-solarwinds-simulation.yml + + Notice that `harden-runner` Action is not added to this workflow, and that this workflow runs on a `self-hosted` runner. + +2. Check out an example run of this workflow here: + https://github.com/step-security/github-actions-goat/actions/runs/6285439163 + +3. Visit the workflow insights for this run here: + https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6285439163 + + You can see that the file overwrite event is detected, without the need to add `harden-runner` to each job. diff --git a/docs/Solutions/RestrictOutboundTraffic.md b/docs/Solutions/RestrictOutboundTraffic.md index 50a5807b..815b8205 100644 --- a/docs/Solutions/RestrictOutboundTraffic.md +++ b/docs/Solutions/RestrictOutboundTraffic.md 
@@ -6,6 +6,7 @@ 1. [Filter Network Traffic (GitHub-hosted Runner)](#filter-network-traffic-github-hosted-runner) 2. [Filter Network Traffic (Actions Runner Controller)](#filter-network-traffic-actions-runner-controller) +3. [Filter Network Traffic (Self-Hosted VM Runners e.g. on EC2)](#filter-network-traffic-self-hosted-vm-runners-eg-on-ec2) ## Filter Network Traffic (GitHub-hosted Runner) 
@@ -128,3 +129,48 @@ While there is a secure-by-default policy, to filter traffic to specific destina https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6292614301 You will notice that the call to `attacker.com` was blocked in this case. + +## Filter Network Traffic (Self-Hosted VM Runners e.g. on EC2) + +- Instead of adding the Harden-Runner GitHub Action in each workflow, you'll need to install the Harden-Runner agent on your runner image (e.g. AMI). This is typically done using packer. + +- The Harden-Runner agent monitors each job run on the VM; you do NOT need to add the Harden-Runner GitHub Action to each job for audit mode. You do need to add the Harden-Runner GitHub Action for block mode. + +- Both ephemeral and persistent VM runners are supported. + +- You can access security insights and runtime detections under the Runtime Security tab in your dashboard. + +For a demo of a workflow running on self-hosted EC2 with Harden Runner integrated, follow this tutorial: + +### Network Monitoring + +1. View this workflow file: + https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/arc-zero-effort-observability.yml + + Notice that `harden-runner` Action is not added to this workflow, and that this workflow runs on a `self-hosted` EC2 runner. + +2. Check out an example run of this workflow here: + https://github.com/step-security/github-actions-goat/actions/runs/6292615173 + +3. Visit the workflow insights for this run here: + https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6292615173 + You can see the outbound traffic for each of the steps, without the need to add `harden-runner` to each job. + +Even though you do not need to add Harden-Runner Action, the insights are exactly the same as with GitHub-Hosted runner. 
+ +### Network Filtering with Harden Runner + +To filter traffic to specific destinations in a job run in self-hosted VM runner, you use the `harden-runner` GitHub Action in `block` mode. + +1. View the workflow file: + https://github.com/step-security/github-actions-goat/blob/main/.github/workflows/arc-codecov-simulation.yml + + Notice that `harden-runner` Action is added and there is a list of allowed endpoints. + +2. Check out an example run of this workflow here: + https://github.com/step-security/github-actions-goat/actions/runs/6292614301 + +3. Visit the workflow insights for this run here: + https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6292614301 + + You will notice that the call to `attacker.com` was blocked in this case.
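Review bot: the `build` job in `self-hosted-file-monitor-with-hr.yml` declares no `permissions:` block, yet its `Publish to Registry` step pushes to `ghcr.io` with `${{ secrets.GITHUB_TOKEN }}`, so the token scope the step runs with is whatever the repository default happens to be rather than anything stated in the file. Declare the minimum under the job, e.g. `permissions:` with `contents: read` and `packages: write`, so the token carries only what the publish step needs. Separately, `actions/checkout@v3`, `actions/setup-node@v3` and `elgohr/Publish-Docker-Github-Action@v5` are referenced by mutable major-version tags; for a repository whose docs are about hardening the build, pinning each `uses:` to a full commit SHA (with the tag kept in a trailing comment) would match the guidance the rest of the repo gives.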
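Review bot: in `self-hosted-network-filtering-hr.yml`, `uses: step-security/harden-runner@self-hosted` resolves the step that enforces `egress-policy: block` from what looks like a branch name rather than a release tag or commit SHA, so the enforcement step itself comes from a mutable ref. If the `self-hosted` ref is deliberate for this demo, add a comment on that line saying so; otherwise pin it to a tagged release or SHA like the other actions should be. The missing `permissions:` block and the tag-pinned `checkout`, `setup-node` and `Publish-Docker-Github-Action` references raised for the file-monitor workflow apply to this file as well.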
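Review bot: `self-hosted-network-monitoring-hr.yml` is the same job as the file-monitor workflow with `./src/exfiltration-demo` swapped in, and it inherits the same two gaps: no `permissions:` block for a job that pushes to `ghcr.io` with `secrets.GITHUB_TOKEN`, and all three actions referenced by mutable version tags instead of commit SHAs. Since the three new workflow files share this `checkout` / `setup-node` / `npm install` / publish skeleton, fixing the permissions and pinning once and copying the result across them keeps them consistent.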
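Review bot: the new "Detect File Tampering (Self-Hosted VM Runners e.g. on EC2)" tutorial in `MonitorSourceCode.md` links step 1 to `arc-solarwinds-simulation.yml` and steps 2 and 3 to run `6285439163`, which are exactly the workflow file and run id the ARC section directly above it already uses, not the `self-hosted-file-monitor-with-hr.yml` workflow this PR adds. Point step 1 at the new workflow file and steps 2 and 3 at a run of it on the `[self-hosted, ec2]` runner; as written, the text says "self-hosted EC2" while the reader is shown an ARC run. Two wording nits in the same hunk: "using packer" should read "using Packer", and "Notice that `harden-runner` Action is not added" wants an article ("the `harden-runner` Action").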
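Review bot: both tutorials in the new "Filter Network Traffic (Self-Hosted VM Runners e.g. on EC2)" section of `RestrictOutboundTraffic.md` still point at the ARC workflows and runs (`arc-zero-effort-observability.yml` with run `6292615173`, `arc-codecov-simulation.yml` with run `6292614301`), the same ids the ARC section above them uses, instead of the `self-hosted-network-monitoring-hr.yml` and `self-hosted-network-filtering-hr.yml` workflows added in this PR. Replace the file links and run ids with the new workflows and runs from the EC2 runner so the "Notice that ... runs on a `self-hosted` EC2 runner" sentence is true of what the reader opens. Also, in step 3 of "Network Monitoring" the blank line between the insights URL and "You can see the outbound traffic..." is missing, unlike every other step 3 in these docs, so the sentence will render as part of the link paragraph; and "a job run in self-hosted VM runner" should read "a job run on a self-hosted VM runner".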