Merge branch 'kubearmor:main' into karmor-json-pretty

kubearmor · Jul 24, 2024 · e869d6a · e869d6a
2 parents 3796a2b + 840e0dd
commit e869d6a
Show file tree

Hide file tree

Showing 8 changed files with 150 additions and 144 deletions.
diff --git a/recommend/registry/registry.go b/recommend/registry/registry.go
@@ -213,63 +213,86 @@ func extractTar(tarname string, tempDir string) ([]string, []string) {
 		}).Fatal("os create failed")
 	}
 	defer hacks.CloseCheckErr(f, tarname)
-
-	tr := tar.NewReader(bufio.NewReader(f))
-	for {
-		hdr, err := tr.Next()
-		if err == io.EOF {
-			break // End of archive
-		}
-		if err != nil {
-			log.WithError(err).Fatal("tar next failed")
-		}
-
-		tgt, err := sanitizeArchivePath(tempDir, hdr.Name)
+	if isTarFile(f) {
+		_, err := f.Seek(0, 0)
 		if err != nil {
 			log.WithError(err).WithFields(log.Fields{
-				"file": hdr.Name,
-			}).Error("ignoring file since it could not be sanitized")
-			continue
+				"tar": tarname,
+			}).Fatal("Failed to seek to the beginning of the file")
 		}
-
-		switch hdr.Typeflag {
-		case tar.TypeDir:
-			if _, err := os.Stat(tgt); err != nil {
-				if err := os.MkdirAll(tgt, 0750); err != nil {
-					log.WithError(err).WithFields(log.Fields{
-						"target": tgt,
-					}).Fatal("tar mkdirall")
-				}
+		tr := tar.NewReader(bufio.NewReader(f))
+		for {
+			hdr, err := tr.Next()
+			if err == io.EOF {
+				break // End of archive
+			}
+			if err != nil {
+				log.WithError(err).Error("tar next failed")
+				return nil, nil
 			}
-			dl = append(dl, tgt)
-		case tar.TypeReg:
-			f, err := os.OpenFile(filepath.Clean(tgt), os.O_CREATE|os.O_RDWR, os.FileMode(hdr.Mode))
+
+			tgt, err := sanitizeArchivePath(tempDir, hdr.Name)
 			if err != nil {
 				log.WithError(err).WithFields(log.Fields{
-					"target": tgt,
-				}).Error("tar open file")
-			} else {
+					"file": hdr.Name,
+				}).Error("ignoring file since it could not be sanitized")
+				continue
+			}
 
-				// copy over contents
-				if _, err := io.CopyN(f, tr, 2e+9 /*2GB*/); err != io.EOF {
+			switch hdr.Typeflag {
+			case tar.TypeDir:
+				if _, err := os.Stat(tgt); err != nil {
+					if err := os.MkdirAll(tgt, 0750); err != nil {
+						log.WithError(err).WithFields(log.Fields{
+							"target": tgt,
+						}).Fatal("tar mkdirall")
+					}
+				}
+				dl = append(dl, tgt)
+			case tar.TypeReg:
+				f, err := os.OpenFile(filepath.Clean(tgt), os.O_CREATE|os.O_RDWR, os.FileMode(hdr.Mode))
+				if err != nil {
 					log.WithError(err).WithFields(log.Fields{
 						"target": tgt,
-					}).Fatal("tar io.Copy()")
+					}).Error("tar open file")
+				} else {
+
+					// copy over contents
+					if _, err := io.CopyN(f, tr, 2e+9 /*2GB*/); err != io.EOF {
+						log.WithError(err).WithFields(log.Fields{
+							"target": tgt,
+						}).Fatal("tar io.Copy()")
+					}
+				}
+				hacks.CloseCheckErr(f, tgt)
+				if strings.HasSuffix(tgt, "layer.tar") {
+					ifl, idl := extractTar(tgt, tempDir)
+					fl = append(fl, ifl...)
+					dl = append(dl, idl...)
+				} else if strings.HasPrefix(hdr.Name, "blobs/") {
+					ifl, idl := extractTar(tgt, tempDir)
+					fl = append(fl, ifl...)
+					dl = append(dl, idl...)
+
+				} else {
+					fl = append(fl, tgt)
 				}
-			}
-			hacks.CloseCheckErr(f, tgt)
-			if strings.HasSuffix(tgt, "layer.tar") { // deflate container image layer
-				ifl, idl := extractTar(tgt, tempDir)
-				fl = append(fl, ifl...)
-				dl = append(dl, idl...)
-			} else {
-				fl = append(fl, tgt)
 			}
 		}
+	} else {
+		log.WithFields(log.Fields{
+			"file": tarname,
+		}).Error("Not a valid tar file")
 	}
 	return fl, dl
 }
 
+func isTarFile(f *os.File) bool {
+	tr := tar.NewReader(bufio.NewReader(f))
+	_, err := tr.Next()
+	return err == nil
+}
+
 func saveImageToTar(imageName string, cli *client.Client, tempDir string) string {
 	imgdata, err := cli.ImageSave(context.Background(), []string{imageName})
 	if err != nil {

diff --git a/sysdump/sysdump.go b/sysdump/sysdump.go
@@ -97,34 +97,39 @@ func Collect(c *k8s.Client, o Options) error {
 	// KubeArmor Pod
 	errs.Go(func() error {
 		pods, err := c.K8sClientset.CoreV1().Pods("").List(context.Background(), metav1.ListOptions{
-			LabelSelector: "kubearmor-app=kubearmor",
+			LabelSelector: "kubearmor-app",
 		})
+
 		if err != nil {
 			fmt.Printf("kubearmor pod not found. (possible if kubearmor is running in process mode)\n")
 			return nil
 		}
+		fmt.Print("Checking all pods labeled with kubearmor-app\n")
 
 		for _, p := range pods.Items {
-			// KubeArmor Logs
-			fmt.Printf("getting logs from %s\n", p.Name)
-
-			v := c.K8sClientset.CoreV1().Pods(p.Namespace).GetLogs(p.Name, &corev1.PodLogOptions{})
-			s, err := v.Stream(context.Background())
-			if err != nil {
-				fmt.Printf("failed getting logs from pod=%s err=%s\n", p.Name, err)
-				continue
-			}
-			defer func() {
-				if err := s.Close(); err != nil {
-					kg.Warnf("Error closing io stream %s\n", err)
+			// Iterate over containers in the pod
+			for _, container := range p.Spec.Containers {
+
+				// KubeArmor Logs
+				fmt.Printf("getting logs from pod=%s container=%s\n", p.Name, container.Name)
+				v := c.K8sClientset.CoreV1().Pods(p.Namespace).GetLogs(p.Name, &corev1.PodLogOptions{Container: container.Name})
+				s, err := v.Stream(context.Background())
+				if err != nil {
+					fmt.Printf("failed getting logs from pod=%s err=%s\n", p.Name, err)
+					continue
+				}
+				defer func() {
+					if err := s.Close(); err != nil {
+						kg.Warnf("Error closing io stream %s\n", err)
+					}
+				}()
+				var logs bytes.Buffer
+				if _, err = io.Copy(&logs, s); err != nil {
+					return err
+				}
+				if err := writeToFile(path.Join(d, "ka-pod-"+p.Name+"-log.txt"), logs.String()); err != nil {
+					return err
 				}
-			}()
-			var logs bytes.Buffer
-			if _, err = io.Copy(&logs, s); err != nil {
-				return err
-			}
-			if err := writeToFile(path.Join(d, "ka-pod-"+p.Name+"-log.txt"), logs.String()); err != nil {
-				return err
 			}
 
 			// KubeArmor Describe
@@ -173,7 +178,7 @@ func Collect(c *k8s.Client, o Options) error {
 		return nil
 	})
 
-	// AppArmor Gzip
+	// AppArmor GzipS
 	errs.Go(func() error {
 		if err := copyFromPod("/etc/apparmor.d", d, c); err != nil {
 			return err

diff --git a/...oring-deny-write-under-bin-directory.yaml → ...untu-18-04/file-integrity-monitoring.yaml b/...oring-deny-write-under-bin-directory.yaml → ...untu-18-04/file-integrity-monitoring.yaml
@@ -1,31 +1,38 @@
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorPolicy
 metadata:
-  name: ubuntu-18-04-system-monitoring-deny-write-under-bin-directory
+  name: ubuntu-18-04-file-integrity-monitoring
 spec:
   action: Block
   file:
     matchDirectories:
-    - dir: /bin/
+    - dir: /sbin/
       readOnly: true
       recursive: true
-    - dir: /sbin/
+    - dir: /usr/bin/
+      readOnly: true
+      recursive: true
+    - dir: /usr/lib/
       readOnly: true
       recursive: true
     - dir: /usr/sbin/
       readOnly: true
       recursive: true
-    - dir: /usr/bin/
+    - dir: /bin/
+      readOnly: true
+      recursive: true
+    - dir: /boot/
       readOnly: true
       recursive: true
-  message: Alert! An attempt to write below system binary directories denied.
+  message: Detected and prevented compromise to File integrity
   selector:
     matchLabels:
       kubearmor.io/container.name: ubuntu
-  severity: 5
+  severity: 1
   tags:
   - NIST
   - NIST_800-53_AU-2
   - NIST_800-53_SI-4
   - MITRE
   - MITRE_T1036_masquerading
+  - MITRE_T1565_data_manipulation
diff --git a/...out/ubuntu-18-04/least-functionality-execute-package-management-process-in-container.yaml b/...out/ubuntu-18-04/least-functionality-execute-package-management-process-in-container.yaml
@@ -11,35 +11,17 @@ spec:
   severity: 5
   process:
     matchPaths:
-    - path: /usr/bin/apt
-    - path: /usr/bin/apt-get
-    - path: /bin/apt-get
-    - path: /sbin/apk
-    - path: /bin/apt
-    - path: /usr/bin/dpkg
-    - path: /bin/dpkg
-    - path: /usr/bin/gdebi
-    - path: /bin/gdebi
-    - path: /usr/bin/make
-    - path: /bin/make
-    - path: /usr/bin/yum
-    - path: /bin/yum
-    - path: /usr/bin/rpm
-    - path: /bin/rpm
-    - path: /usr/bin/dnf
-    - path: /bin/dnf
-    - path: /usr/bin/pacman
-    - path: /usr/sbin/pacman
-    - path: /bin/pacman
-    - path: /sbin/pacman
-    - path: /usr/bin/makepkg
-    - path: /usr/sbin/makepkg
-    - path: /bin/makepkg
-    - path: /sbin/makepkg
-    - path: /usr/bin/yaourt
-    - path: /usr/sbin/yaourt
-    - path: /bin/yaourt
-    - path: /sbin/yaourt
-    - path: /usr/bin/zypper
-    - path: /bin/zypper
+    - execname: apt
+    - execname: apt-get
+    - execname: apk
+    - execname: dpkg
+    - execname: gdebi
+    - execname: make
+    - execname: yum
+    - execname: rpm
+    - execname: dnf
+    - execname: pacman
+    - execname: makepkg
+    - execname: yaourt
+    - execname: zypper
   action: Block
diff --git a/tests/recommend/res/out/ubuntu-18-04/system-owner-discovery.yaml b/tests/recommend/res/out/ubuntu-18-04/system-owner-discovery.yaml
@@ -7,10 +7,10 @@ spec:
   message: System owner discovery command execution denied
   process:
     matchPaths:
-    - path: /usr/bin/who
-    - path: /usr/bin/w
-    - path: /usr/bin/id
-    - path: /usr/bin/whoami
+    - execname: who
+    - execname: w
+    - execname: id
+    - execname: whoami
   selector:
     matchLabels:
       kubearmor.io/container.name: ubuntu

diff --git a/...oring-deny-write-under-bin-directory.yaml → ...4-8-apache-file-integrity-monitoring.yaml b/...oring-deny-write-under-bin-directory.yaml → ...4-8-apache-file-integrity-monitoring.yaml
@@ -1,32 +1,39 @@
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorPolicy
 metadata:
-  name: wordpress-wordpress-4-8-apache-system-monitoring-deny-write-under-bin-directory
+  name: wordpress-wordpress-4-8-apache-file-integrity-monitoring
   namespace: wordpress-mysql
 spec:
   action: Block
   file:
     matchDirectories:
-    - dir: /bin/
+    - dir: /sbin/
       readOnly: true
       recursive: true
-    - dir: /sbin/
+    - dir: /usr/bin/
+      readOnly: true
+      recursive: true
+    - dir: /usr/lib/
       readOnly: true
       recursive: true
     - dir: /usr/sbin/
       readOnly: true
       recursive: true
-    - dir: /usr/bin/
+    - dir: /bin/
+      readOnly: true
+      recursive: true
+    - dir: /boot/
       readOnly: true
       recursive: true
-  message: Alert! An attempt to write below system binary directories denied.
+  message: Detected and prevented compromise to File integrity
   selector:
     matchLabels:
       app: wordpress
-  severity: 5
+  severity: 1
   tags:
   - NIST
   - NIST_800-53_AU-2
   - NIST_800-53_SI-4
   - MITRE
   - MITRE_T1036_masquerading
+  - MITRE_T1565_data_manipulation