Here, we demonstrate how to define host security policies.
Process Execution Restriction
Block a specific executable (hsp-kubearmor-dev-proc-path-block.yaml)
```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-kubearmor-dev-proc-path-block
spec:
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: kubearmor-dev
  severity: 5
  process:
    matchPaths:
    - path: /usr/bin/diff
  action:
    Block
```
Explanation: The purpose of this policy is to block execution of '/usr/bin/diff' on the host whose hostname is 'kubearmor-dev'. For this, we set 'kubernetes.io/hostname: kubearmor-dev' under nodeSelector -> matchLabels and the specific path ('/usr/bin/diff') under process -> matchPaths. Finally, we set 'Block' as the action of this policy.
Verification: After applying this policy, open a new terminal (or connect to the host with a new session) and run '/usr/bin/diff'. You will see that /usr/bin/diff is blocked.
NOTE
The given policy works with almost every Linux distribution. If it does not work in your case, check the location of the binary. The following shows the location of the sleep binary in different Ubuntu distributions:
File Access Restriction
Audit a critical file access (hsp-kubearmor-dev-file-path-audit.yaml)
```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-kubearmor-dev-file-path-audit
spec:
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: kubearmor-dev
  severity: 5
  file:
    matchPaths:
    - path: /etc/passwd
  action:
    Audit
```
Explanation: The purpose of this policy is to audit any access to a critical file (i.e., '/etc/passwd'). Since we want to audit a single file, we use matchPaths to specify the path '/etc/passwd'.
Verification: After applying this policy, open a new terminal (or connect to the host with a new session) and run 'sudo cat /etc/passwd'. Then, check the alert logs of KubeArmor.
System calls alerting
Alert on all unlink syscalls (audit-all-unlink)
```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: audit-all-unlink
spec:
  severity: 3
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: vagrant
  syscalls:
    matchSyscalls:
    - syscall:
      - unlink
  action:
    Audit
```
Sample alert emitted by KubeArmor when this policy matches:
```json
{
  "Timestamp": 1661937152,
  "UpdatedTime": "2022-08-31T09:12:32.967304Z",
  "ClusterName": "default",
  "HostName": "vagrant",
  "HostPPID": 8563,
  "HostPID": 310459,
  "PPID": 8563,
  "PID": 310459,
  "UID": 1000,
  "ProcessName": "/usr/bin/unlink",
  "PolicyName": "audit-all-unlink",
  "Severity": "3",
  "Type": "MatchedHostPolicy",
  "Source": "/usr/bin/unlink /home/vagrant/secret.txt",
  "Operation": "Syscall",
  "Resource": "/home/vagrant/secret.txt",
  "Data": "syscall=SYS_UNLINK",
  "Action": "Audit",
  "Result": "Passed"
}
```
Alert on rmdir syscalls targeting anything in the /home/ directory and its sub-directories (audit-home-rmdir)
```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: audit-home-rmdir
spec:
  severity: 3
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: vagrant
  syscalls:
    matchPaths:
    - syscall:
      - rmdir
      path: /home/
      recursive: true
  action:
    Audit
```
Sample alert emitted by KubeArmor when this policy matches:
```json
{
  "Timestamp": 1661936983,
  "UpdatedTime": "2022-08-31T09:09:43.894787Z",
  "ClusterName": "default",
  "HostName": "vagrant",
  "HostPPID": 308001,
  "HostPID": 308002,
  "PPID": 308001,
  "PID": 308002,
  "ProcessName": "/usr/bin/rmdir",
  "PolicyName": "audit-home-rmdir",
  "Severity": "3",
  "Type": "MatchedHostPolicy",
  "Source": "/usr/bin/rmdir jane-doe",
  "Operation": "Syscall",
  "Resource": "/home/jane-doe",
  "Data": "syscall=SYS_RMDIR",
  "Action": "Audit",
  "Result": "Passed"
}
```
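To tie the alert fields above back to the policy that produced them, here is an added consistency check (example code, not KubeArmor's own): it compares HostName against the nodeSelector, Severity and Action against the spec, and the syscall named in Data plus the Resource against the matchSyscalls / matchPaths rules. It assumes that a directory path without recursive: true covers only entries directly inside it, and embeds the page's two syscall policies and their alerts (trimmed to the fields read) as constructed sample input.

```python
# Added example, not KubeArmor's own code: check that a host-policy alert
# (the JSON shown above) is consistent with the KubeArmorHostPolicy it names.
import json
# The two syscall policies from this page as dicts (stand-ins for the YAML).
NODE = {"matchLabels": {"kubernetes.io/hostname": "vagrant"}}
POLICIES = {
    "audit-all-unlink": {"spec": {"severity": 3, "action": "Audit", "nodeSelector": NODE,
        "syscalls": {"matchSyscalls": [{"syscall": ["unlink"]}]}}},
    "audit-home-rmdir": {"spec": {"severity": 3, "action": "Audit", "nodeSelector": NODE,
        "syscalls": {"matchPaths": [{"syscall": ["rmdir"], "path": "/home/", "recursive": True}]}}},
}
# Alerts from the page, trimmed to the fields the check reads (constructed input).
ALERTS = [
    '{"HostName": "vagrant", "PolicyName": "audit-all-unlink", "Severity": "3",'
    ' "Resource": "/home/vagrant/secret.txt", "Data": "syscall=SYS_UNLINK", "Action": "Audit"}',
    '{"HostName": "vagrant", "PolicyName": "audit-home-rmdir", "Severity": "3",'
    ' "Resource": "/home/jane-doe", "Data": "syscall=SYS_RMDIR", "Action": "Audit"}',
]

def policy_rules(spec):
    """Yield (syscall, path, recursive) for every rule under spec.syscalls."""
    sc = spec.get("syscalls", {})
    for m in sc.get("matchSyscalls", []):  # rules without a path
        for s in m["syscall"]:
            yield s, None, False
    for m in sc.get("matchPaths", []):  # rules scoped to a path
        for s in m["syscall"]:
            yield s, m["path"], bool(m.get("recursive", False))

def path_matches(resource, path, recursive):
    """Assumption: path covers its direct entries; recursive: true covers the subtree."""
    if path is None:
        return True
    return resource.startswith(path) and (recursive or "/" not in resource[len(path):].rstrip("/"))

def check_alert(line, policies=POLICIES):
    """Return the inconsistencies between one alert line and its policy ([] if none)."""
    a = json.loads(line)
    spec = policies.get(a["PolicyName"], {}).get("spec")
    if spec is None:
        return ["unknown policy " + a["PolicyName"]]
    issues = []
    if a["HostName"] != spec["nodeSelector"]["matchLabels"]["kubernetes.io/hostname"]:
        issues.append("HostName does not satisfy the policy nodeSelector")
    if a["Severity"] != str(spec["severity"]) or a["Action"] != spec["action"]:
        issues.append("Severity or Action differ from the policy")
    syscall = a["Data"].split("syscall=SYS_", 1)[-1].lower()  # SYS_UNLINK -> unlink
    if not any(s == syscall and path_matches(a["Resource"], p, r) for s, p, r in policy_rules(spec)):
        issues.append("%s on %s is not covered by the policy" % (syscall, a["Resource"]))
    return issues
```

Run it over a KubeArmor alert stream (one JSON object per line) to spot alerts whose fields no longer agree with the policy deployed under that name, for example after a policy edit.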