From e03f4159931747011fea81d47af9f1cb21375a5a Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Mon, 10 Oct 2022 10:42:35 +0530 Subject: [PATCH 01/17] Create metadata.yaml --- redis/system/metadata.yaml | 101 +++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 redis/system/metadata.yaml diff --git a/redis/system/metadata.yaml b/redis/system/metadata.yaml new file mode 100644 index 00000000..120226b9 --- /dev/null +++ b/redis/system/metadata.yaml 
@@ -0,0 +1,101 @@ +version: v0.1.2 +policyRules: +- name: system-recovery-and-reconstitution + precondition: + - /usr/local/bin/redis-cli + - /usr/local/bin/redis-server + - /usr/local/bin/redis + description: + refs: + - name: NIST-CP-10-2 + url: + - https://csf.tools/reference/nist-sp-800-53/r4/cp/cp-10/cp-10-2/ + tldr: Database Manager System Paths is Audited. + detailed: Transaction-based information systems include, for example, database management + systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, + transaction rollback and transaction journaling. + yaml: nist/system/ksp-cp-10-2-system-recovery-and-reconstitution-transaction-recovery.yaml +- name: system-owner-discovery + precondition: + - /usr/local/bin/redis-cli + - /usr/local/bin/redis-server + - /usr/local/bin/redis + description: + refs: + - name: MITRE-TTP-T1082 + url: + - https://attack.mitre.org/techniques/T1082/ + tldr: System Information Discovery - block system owner discovery commands + detailed: An adversary may attempt to get detailed information about the operating system and hardware, including + version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System + Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the + adversary fully infects the target and/or attempts specific actions. + yaml: mitre/system/ksp-mitre-system-owner-user-discovery.yaml +- name: system-monitoring-mkdir-under-bin-directory + precondition: + - /usr/local/bin/redis-cli + - /usr/local/bin/redis-server + - /usr/local/bin/redis + description: + refs: + - name: NIST-SI-4 + url: + - https://csf.tools/reference/nist-sp-800-53/r5/si/si-4/ + tldr: System and Information Integrity - System Monitoring make directory under /bin/ + detailed: System monitoring includes external and internal monitoring. 
External monitoring + includes the observation of events occurring at system boundaries. Internal monitoring + includes the observation of events occurring within the system. Organizations monitor systems, + for example, by observing audit activities in real time or by observing other system aspects + such as access patterns, characteristics of access, and other actions. + yaml: nist/system/ksp-nist-si-4-mkdir-bin-dir.yaml +- name: system-monitoring-create-file-in-dev-dir + precondition: + - /usr/local/bin/redis-cli + - /usr/local/bin/redis-server + - /usr/local/bin/redis + description: + refs: + - name: NIST-SI-4 + url: + - https://csf.tools/reference/nist-sp-800-53/r5/si/si-4/ + tldr: System and Information Integrity - System Monitoring make files under /dev/ + detailed: System monitoring includes external and internal monitoring. External monitoring + includes the observation of events occurring at system boundaries. Internal monitoring + includes the observation of events occurring within the system. Organizations monitor systems, + for example, by observing audit activities in real time or by observing other system aspects + such as access patterns, characteristics of access, and other actions. + yaml: nist/system/ksp-nist-si-4-create-file-in-dev-dir.yaml +- name: system-monitoring-detect-access-to-cronjob-files + precondition: + - /usr/local/bin/redis-cli + - /usr/local/bin/redis-server + - /usr/local/bin/redis + description: + refs: + - name: NIST-SI-4 + url: + - https://csf.tools/reference/nist-sp-800-53/r5/si/si-4/ + tldr: System and Information Integrity - System Monitoring Detect access to cronjob files + detailed: System monitoring includes external and internal monitoring. External monitoring + includes the observation of events occurring at system boundaries. Internal monitoring + includes the observation of events occurring within the system. 
Organizations monitor systems, + for example, by observing audit activities in real time or by observing other system aspects + such as access patterns, characteristics of access, and other actions. + yaml: nist/system/ksp-nist-si-4-detect-acess-to-cron-job-files.yaml +- name: least-functionality-execute-package-management-process-in-container + precondition: + - /usr/local/bin/redis-cli + - /usr/local/bin/redis-server + - /usr/local/bin/redis + description: + refs: + - name: NIST-CM-7-5 + url: + - https://csf.tools/reference/nist-sp-800-53/r5/cm/cm-7/cm-7-5/ + tldr: System and Information Integrity - Least Functionality deny execution of package manager process in container + detailed: Authorized software programs can be limited to specific versions or from a specific source. To facilitate + a comprehensive authorized software process and increase the strength of protection for attacks that bypass + application level authorized software, software programs may be decomposed into and monitored at different + levels of detail. These levels include applications, application programming interfaces, application modules, + scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. + yaml: nist/system/ksp-nist-si-4-execute-package-management-process-in-container.yaml From fae629ff5c54cd74a79d41f4db20b2971bc690cd Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Mon, 10 Oct 2022 10:45:52 +0530 Subject: [PATCH 02/17] Update metadata.yaml --- redis/system/metadata.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/redis/system/metadata.yaml b/redis/system/metadata.yaml index 120226b9..3b6da273 100644 --- a/redis/system/metadata.yaml +++ b/redis/system/metadata.yaml 
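Review bot: Every rule's `precondition` lists `/usr/local/bin/redis` alongside `redis-cli` and `redis-server`, but Redis does not install a binary with that bare name as far as I know (the server, CLI, sentinel, benchmark and check tools all carry a suffix). If the consumer requires all listed paths to be present before a rule applies, this entry would keep every rule in the file from ever matching; if it treats them as alternatives it is merely dead weight. Confirm against the target image and either drop the line or replace it with a binary that actually ships, e.g. `- /usr/local/bin/redis-sentinel`. The first rule's `tldr: Database Manager System Paths is Audited.` also reads oddly next to the others; `tldr: Database manager system paths are audited.` matches their register.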
@@ -14,7 +14,7 @@ policyRules: detailed: Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling. - yaml: nist/system/ksp-cp-10-2-system-recovery-and-reconstitution-transaction-recovery.yaml + yaml: ksp-cp-10-2-system-recovery-and-reconstitution-transaction-recovery.yaml - name: system-owner-discovery precondition: - /usr/local/bin/redis-cli @@ -30,7 +30,7 @@ policyRules: version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. - yaml: mitre/system/ksp-mitre-system-owner-user-discovery.yaml + yaml: ksp-mitre-system-owner-user-discovery.yaml - name: system-monitoring-mkdir-under-bin-directory precondition: - /usr/local/bin/redis-cli @@ -47,7 +47,7 @@ policyRules: includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. - yaml: nist/system/ksp-nist-si-4-mkdir-bin-dir.yaml + yaml: ksp-nist-si-4-mkdir-bin-dir.yaml - name: system-monitoring-create-file-in-dev-dir precondition: - /usr/local/bin/redis-cli 
@@ -64,7 +64,7 @@ policyRules: includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. - yaml: nist/system/ksp-nist-si-4-create-file-in-dev-dir.yaml + yaml: ksp-nist-si-4-create-file-in-dev-dir.yaml - name: system-monitoring-detect-access-to-cronjob-files precondition: - /usr/local/bin/redis-cli @@ -81,7 +81,7 @@ policyRules: includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. - yaml: nist/system/ksp-nist-si-4-detect-acess-to-cron-job-files.yaml + yaml: ksp-nist-si-4-detect-acess-to-cron-job-files.yaml - name: least-functionality-execute-package-management-process-in-container precondition: - /usr/local/bin/redis-cli @@ -98,4 +98,4 @@ policyRules: application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. - yaml: nist/system/ksp-nist-si-4-execute-package-management-process-in-container.yaml + yaml: ksp-nist-si-4-execute-package-management-process-in-container.yaml From 1947afaeef56dd8498ce9a0a0d51a9d922f759a8 Mon Sep 17 00:00:00 2001 
From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Mon, 10 Oct 2022 10:47:54 +0530 Subject: [PATCH 03/17] Create ksp-cp-10-2-system-recovery-and-reconstitution.yaml --- ...-2-system-recovery-and-reconstitution.yaml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 redis/system/ksp-cp-10-2-system-recovery-and-reconstitution.yaml diff --git a/redis/system/ksp-cp-10-2-system-recovery-and-reconstitution.yaml b/redis/system/ksp-cp-10-2-system-recovery-and-reconstitution.yaml new file mode 100644 index 00000000..451bebcf --- /dev/null +++ b/redis/system/ksp-cp-10-2-system-recovery-and-reconstitution.yaml @@ -0,0 +1,42 @@ +# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. +# To learn more about KubeArmor visit: +# https://www.accuknox.com/kubearmor/ + +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorPolicy +metadata: + name: ksp-cp-10-2-system-recovery-and-reconstitution + namespace: default # Change your namespace +spec: + tags: ["NIST", "Cp-10-2", "MySQL","Redis","Cassandra","Postgresql"] + message: "Database Manager System Paths is Audited" + selector: + matchLabels: + pod: test #change pod: test to match your label + file: + severity: 5 + matchDirectories: + - dir: /var/lib/mysql/ + recursive: true + - dir: /var/lib/postgresql/ + recursive: true + - dir: /var/lib/redis/ + recursive: true + - dir: /var/lib/cassandra/ + recursive: true + - dir: /etc/mysql/ + recursive: true + - dir: /etc/postgres/ + recursive: true + - dir: /etc/redis/ + recursive: true + - dir: /var/log/mysql/ + recursive: true + - dir: /var/log/postgresql/ + recursive: true + - dir: /var/log/redis/ + recursive: true + - dir: /var/log/cassandra/ + recursive: true + action: + Audit From 0a9416efd41379be4288c4c5e58780c011404e08 Mon Sep 17 00:00:00 2001 
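Review bot: `action:` is split over two lines at the end of the hunk (`action:` with `Audit` indented on the next line); YAML still yields the string `Audit`, but every other policy in this series writes the action on one line, and a reader skimming for the action can miss it, so write `action: Audit`. The selector comment `pod: test #change pod: test to match your label` lacks the space after `#` and the two spaces before it that this same file's `namespace: default # Change your namespace` uses; `pod: test  # change to match your pod's label` keeps the two consistent. Both lines survive the later rewrite of this file in the series, so they are worth fixing here.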
From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Mon, 10 Oct 2022 10:48:35 +0530 Subject: [PATCH 04/17] Create ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery.yaml --- ...discovery-system-owner-user-discovery.yaml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 redis/system/ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery.yaml diff --git a/redis/system/ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery.yaml b/redis/system/ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery.yaml new file mode 100644 index 00000000..138a2cd6 --- /dev/null +++ b/redis/system/ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery.yaml @@ -0,0 +1,23 @@ +# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. +# To learn more about KubeArmor visit: +# https://www.accuknox.com/kubearmor/ + +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorPolicy +metadata: + name: ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery + namespace: default # Change your namespace +spec: + tags: ["MITRE", "T1082"] + message: "System owner discovery command is blocked" + selector: + matchLabels: + app: nginx # use your own label here + process: + severity: 3 + matchPaths: + - path: /usr/bin/who + - path: /usr/bin/w + - path: /usr/bin/id + - path: /usr/bin/whoami + action: Block From 5f3be804309d7e84d7dedb0a3033fb7f5145788f Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Mon, 10 Oct 2022 10:49:12 +0530 Subject: [PATCH 05/17] Create ksp-nist-si-4-mkdir-bin-dir.yaml --- redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml diff --git a/redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml b/redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml new file mode 100644 index 00000000..d1ecde0c --- /dev/null 
+++ b/redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml @@ -0,0 +1,25 @@ +# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. +# To learn more about KubeArmor visit: +# https://www.accuknox.com/kubearmor/ + +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorPolicy +metadata: + name: ksp-nist-si-4-mkdir-bin-dir + namespace: default # Change your namespace +spec: + tags: ["NIST", "SI-4", "binary dir"] + message: "Alert! An attempt to create a directory below a binary directory is detected. Possible violation of NIST SI-4" + selector: + matchLabels: + app: nginx-test #change this label with your label + process: + severity: 5 + matchDirectories: + - dir: /bin/ + - dir: /sbin/ + - dir: /usr/sbin/ + - dir: /usr/bin/ + fromSource: + - path: /bin/mkdir + action: Block From bb065f57102328372afaa86735401f36d1b0eca2 Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Mon, 10 Oct 2022 10:49:47 +0530 Subject: [PATCH 06/17] Create ksp-nist-si-4-create-file-in-dev-dir.yaml --- .../ksp-nist-si-4-create-file-in-dev-dir.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 redis/system/ksp-nist-si-4-create-file-in-dev-dir.yaml diff --git a/redis/system/ksp-nist-si-4-create-file-in-dev-dir.yaml b/redis/system/ksp-nist-si-4-create-file-in-dev-dir.yaml new file mode 100644 index 00000000..80675f83 --- /dev/null +++ b/redis/system/ksp-nist-si-4-create-file-in-dev-dir.yaml 
@@ -0,0 +1,24 @@ +# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. +# To learn more about KubeArmor visit: +# https://www.accuknox.com/kubearmor/ + +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorPolicy +metadata: + name: ksp-nist-si-4-create-file-in-dev-dir + namespace: default +spec: + tags: ["NIST","NIST-800","SI-4","File","/dev"] + message: "Alert! File creation in /dev/ dir is detected. Possible violation of NIST SI-4" + selector: + matchLabels: + app: nginx-test #change to your labels + file: + severity: 5 + matchDirectories: + - dir: /dev/ + recursive: true + fromSource: + - path: /usr/bin/touch + - path: /bin/touch + action: audit From c315c54634f3df18e1fbc9933481872356c71454 Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Mon, 10 Oct 2022 10:50:20 +0530 Subject: [PATCH 07/17] Create ksp-nist-si-4-detect-acess-to-cron-job-files.yaml --- ...t-si-4-detect-acess-to-cron-job-files.yaml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 redis/system/ksp-nist-si-4-detect-acess-to-cron-job-files.yaml diff --git a/redis/system/ksp-nist-si-4-detect-acess-to-cron-job-files.yaml b/redis/system/ksp-nist-si-4-detect-acess-to-cron-job-files.yaml new file mode 100644 index 00000000..10182413 --- /dev/null +++ b/redis/system/ksp-nist-si-4-detect-acess-to-cron-job-files.yaml 
@@ -0,0 +1,29 @@ +# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. +# To learn more about KubeArmor visit: +# https://www.accuknox.com/kubearmor/ + +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorPolicy +metadata: + name: ksp-nist-si-4-detect-acess-to-cron-job-files + namespace: default # Change your namespace +spec: + tags: ["NIST", "SI-4", "cron job"] + message: "Alert! Access to cron job files/directories detected." + selector: + matchLabels: + app: nginx-test #change this label with your label + file: + severity: 5 + matchDirectories: + - dir: /var/spool/cron/ + recursive: true + - dir: /var/cron/ + - dir: /etc/cron.d/ + - dir: /etc/cron.daily/ + - dir: /etc/cron.hourly/ + - dir: /etc/cron.monthly/ + - dir: /etc/cron.weekly/ + matchPaths: + - path: /etc/crontab + action: Audit From 01d2d1cbd08a790d6315b08369dd786e4823564a Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Mon, 10 Oct 2022 10:50:54 +0530 Subject: [PATCH 08/17] Create ksp-nist-execute-package-management-process-in-container.yaml --- ...ckage-management-process-in-container.yaml | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 redis/system/ksp-nist-execute-package-management-process-in-container.yaml diff --git a/redis/system/ksp-nist-execute-package-management-process-in-container.yaml b/redis/system/ksp-nist-execute-package-management-process-in-container.yaml new file mode 100644 index 00000000..957d009f --- /dev/null +++ b/redis/system/ksp-nist-execute-package-management-process-in-container.yaml 
@@ -0,0 +1,49 @@ +# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. +# To learn more about KubeArmor visit: +# https://www.accuknox.com/kubearmor/ + +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorPolicy +metadata: + name: ksp-nist-execute-package-management-process-in-container + namespace: default # Change your namespace +spec: + tags: ["NIST", "CM-7(5)", "SI-4", "Package Manager"] + message: "Alert! Execution of package management process inside container is detected" + selector: + matchLabels: + pod: testpod #change this label with your label + process: + severity: 5 + matchPaths: + - path: /usr/bin/apt + - path: /usr/bin/apt-get + - path: /bin/apt-get + - path: /bin/apt + - path: /usr/bin/dpkg + - path: /bin/dpkg + - path: /usr/bin/gdebi + - path: /bin/gdebi + - path: /usr/bin/make + - path: /bin/make + - path: /usr/bin/yum + - path: /bin/yum + - path: /usr/bin/rpm + - path: /bin/rpm + - path: /usr/bin/dnf + - path: /bin/dnf + - path: /usr/bin/pacman + - path: /usr/sbin/pacman + - path: /bin/pacman + - path: /sbin/pacman + - path: /usr/bin/makepkg + - path: /usr/sbin/makepkg + - path: /bin/makepkg + - path: /sbin/makepkg + - path: /usr/bin/yaourt + - path: /usr/sbin/yaourt + - path: /bin/yaourt + - path: /sbin/yaourt + - path: /usr/bin/zypper + - path: /bin/zypper + action: Audit From 4989d57e5af8c7aa6412ff9f171d23d8fb8d1c99 Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Wed, 12 Oct 2022 10:17:45 +0530 Subject: [PATCH 09/17] Update ksp-nist-si-4-mkdir-bin-dir.yaml --- redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml b/redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml index d1ecde0c..c020051c 100644 --- a/redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml +++ b/redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml 
@@ -17,8 +17,14 @@ spec: severity: 5 matchDirectories: - dir: /bin/ + fromSource: + - path: /bin/mkdir - dir: /sbin/ + fromSource: + - path: /bin/mkdir - dir: /usr/sbin/ + fromSource: + - path: /bin/mkdir - dir: /usr/bin/ fromSource: - path: /bin/mkdir From 4e3a49ee28c54ff4c9fd41e22f2b528253687278 Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Wed, 12 Oct 2022 10:18:20 +0530 Subject: [PATCH 10/17] Update ksp-nist-execute-package-management-process-in-container.yaml --- ...sp-nist-execute-package-management-process-in-container.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/redis/system/ksp-nist-execute-package-management-process-in-container.yaml b/redis/system/ksp-nist-execute-package-management-process-in-container.yaml index 957d009f..0accc809 100644 --- a/redis/system/ksp-nist-execute-package-management-process-in-container.yaml +++ b/redis/system/ksp-nist-execute-package-management-process-in-container.yaml @@ -46,4 +46,4 @@ spec: - path: /sbin/yaourt - path: /usr/bin/zypper - path: /bin/zypper - action: Audit + action: Block From ff9f3a437fc4277afcfa74fcf434388c2428d71f Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Thu, 13 Oct 2022 09:39:28 +0530 Subject: [PATCH 11/17] Update ksp-cp-10-2-system-recovery-and-reconstitution.yaml --- ...-2-system-recovery-and-reconstitution.yaml | 20 ++----------------- 1 file changed, 2 insertions(+), 18 deletions(-) diff --git a/redis/system/ksp-cp-10-2-system-recovery-and-reconstitution.yaml b/redis/system/ksp-cp-10-2-system-recovery-and-reconstitution.yaml index 451bebcf..f2dec60d 100644 --- a/redis/system/ksp-cp-10-2-system-recovery-and-reconstitution.yaml +++ b/redis/system/ksp-cp-10-2-system-recovery-and-reconstitution.yaml 
@@ -8,7 +8,7 @@ metadata: name: ksp-cp-10-2-system-recovery-and-reconstitution namespace: default # Change your namespace spec: - tags: ["NIST", "Cp-10-2", "MySQL","Redis","Cassandra","Postgresql"] + tags: ["NIST", "Cp-10-2", "Redis"] message: "Database Manager System Paths is Audited" selector: matchLabels: @@ -16,27 +16,11 @@ spec: file: severity: 5 matchDirectories: - - dir: /var/lib/mysql/ - recursive: true - - dir: /var/lib/postgresql/ - recursive: true - dir: /var/lib/redis/ - recursive: true - - dir: /var/lib/cassandra/ - recursive: true - - dir: /etc/mysql/ - recursive: true - - dir: /etc/postgres/ - recursive: true + recursive: true - dir: /etc/redis/ recursive: true - - dir: /var/log/mysql/ - recursive: true - - dir: /var/log/postgresql/ - recursive: true - dir: /var/log/redis/ recursive: true - - dir: /var/log/cassandra/ - recursive: true action: Audit From 3e2769d5568b8cab1368bf950d108543a162a480 Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Thu, 13 Oct 2022 09:40:41 +0530 Subject: [PATCH 12/17] Update metadata.yaml --- redis/system/metadata.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/redis/system/metadata.yaml b/redis/system/metadata.yaml index 3b6da273..77118636 100644 --- a/redis/system/metadata.yaml +++ b/redis/system/metadata.yaml @@ -14,7 +14,7 @@ policyRules: detailed: Transaction-based information systems include, for example, database management systems and transaction processing systems. Mechanisms supporting transaction recovery include, for example, transaction rollback and transaction journaling. - yaml: ksp-cp-10-2-system-recovery-and-reconstitution-transaction-recovery.yaml + yaml: ksp-cp-10-2-system-recovery-and-reconstitution.yaml - name: system-owner-discovery precondition: - /usr/local/bin/redis-cli 
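Review bot: The rewritten `tags` line keeps the control identifier as `"Cp-10-2"`, while `metadata.yaml` in this series names the same reference `NIST-CP-10-2` and the file name uses `cp-10-2`; anyone filtering alerts by the NIST spelling `CP-10-2` will not find this policy. `tags: ["NIST", "CP-10-2", "Redis"]` aligns the three. The `message` on the following context line still says "Database Manager System Paths" although the policy is now Redis-only; `message: "Redis data, config and log paths are audited"` describes what remains.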
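Review bot: The three remaining `matchDirectories` entries (`/var/lib/redis/`, `/etc/redis/`, `/var/log/redis/`, all `recursive: true`) carry no `fromSource`, so with `action: Audit` the policy logs every file access by `redis-server` itself — each RDB snapshot, AOF append and log write — not only access by other processes. If the intent is to observe tampering by anything other than the database, the rule needs a source restriction, which KubeArmor expresses with a `fromSource` list under each `dir:` exactly as the mkdir policy earlier in this series does (`fromSource:` / `- path: /bin/sh`, for example); as written, expect a sustained event volume on a busy instance and confirm the alert pipeline can absorb it. Separately, the `recursive: true` under `/var/lib/redis/` appears as a removed line and again as an added line; since identical lines would have stayed context, the new one differs from the old in whitespace only, so check that it sits at the same column as the sibling `recursive:` keys after the patch.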
@@ -30,7 +30,7 @@ policyRules: version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. - yaml: ksp-mitre-system-owner-user-discovery.yaml + yaml: generic/system/ksp-mitre-system-owner-user-discovery.yaml - name: system-monitoring-mkdir-under-bin-directory precondition: - /usr/local/bin/redis-cli @@ -47,7 +47,7 @@ policyRules: includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. - yaml: ksp-nist-si-4-mkdir-bin-dir.yaml + yaml: generic/system/ksp-nist-si-4-mkdir-bin-dir.yaml - name: system-monitoring-create-file-in-dev-dir precondition: - /usr/local/bin/redis-cli @@ -64,7 +64,7 @@ policyRules: includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. - yaml: ksp-nist-si-4-create-file-in-dev-dir.yaml + yaml: generic/system/ksp-nist-si-4-create-file-in-dev-dir.yaml - name: system-monitoring-detect-access-to-cronjob-files precondition: - /usr/local/bin/redis-cli 
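Review bot: These hunks, together with the two at `@@ -81` and `@@ -98` on the next line, repoint `yaml:` at files under `generic/system/` that are not part of this series, while the first rule (previous hunk) keeps a bare file name resolved next to `metadata.yaml`; two different bases for the same key should be confirmed against how the loader resolves relative `yaml:` paths. Two of the new targets also differ in spelling from the files this series created and then deleted: `ksp-nist-si-4-detect-access-to-cron-job-files.yaml` (the local file was `detect-acess`) and `ksp-nist-si-4-execute-package-management-process-in-container.yaml` (the local file was `ksp-nist-execute-...`, without `si-4`). If the `generic/system/` copies carry the original names, those two references dangle; verify each target exists under exactly this name before merging. The last rule's ref is `NIST-CM-7-5` yet its target file is named `si-4`; if the generic file really is a CM-7(5) policy, renaming the reference or the file so they agree avoids mapping the wrong control.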
@@ -81,7 +81,7 @@ policyRules: includes the observation of events occurring within the system. Organizations monitor systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. - yaml: ksp-nist-si-4-detect-acess-to-cron-job-files.yaml + yaml: generic/system/ksp-nist-si-4-detect-access-to-cron-job-files.yaml - name: least-functionality-execute-package-management-process-in-container precondition: - /usr/local/bin/redis-cli @@ -98,4 +98,4 @@ policyRules: application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. - yaml: ksp-nist-si-4-execute-package-management-process-in-container.yaml + yaml: generic/system/ksp-nist-si-4-execute-package-management-process-in-container.yaml From 274beb21271c6ce4c47358ca9dda885cebf4cc20 Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Thu, 13 Oct 2022 09:41:13 +0530 Subject: [PATCH 13/17] Delete ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery.yaml --- ...discovery-system-owner-user-discovery.yaml | 23 ------------------- 1 file changed, 23 deletions(-) delete mode 100644 redis/system/ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery.yaml diff --git a/redis/system/ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery.yaml b/redis/system/ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery.yaml deleted file mode 100644 index 138a2cd6..00000000 --- a/redis/system/ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. -# To learn more about KubeArmor visit: -# https://www.accuknox.com/kubearmor/ - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - name: ksp-mitre-t1082-tactic-discovery-system-owner-user-discovery - namespace: default # Change your namespace -spec: - tags: ["MITRE", "T1082"] - message: "System owner discovery command is blocked" - selector: - matchLabels: - app: nginx # use your own label here - process: - severity: 3 - matchPaths: - - path: /usr/bin/who - - path: /usr/bin/w - - path: /usr/bin/id - - path: /usr/bin/whoami - action: Block From 7d415b176a62a8c035f9ca5b4ff93f1253f9e300 Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Thu, 13 Oct 2022 09:41:22 +0530 Subject: [PATCH 14/17] Delete ksp-nist-execute-package-management-process-in-container.yaml --- ...ckage-management-process-in-container.yaml | 49 ------------------- 1 file changed, 49 deletions(-) delete mode 100644 redis/system/ksp-nist-execute-package-management-process-in-container.yaml diff --git a/redis/system/ksp-nist-execute-package-management-process-in-container.yaml b/redis/system/ksp-nist-execute-package-management-process-in-container.yaml deleted file mode 100644 index 0accc809..00000000 --- a/redis/system/ksp-nist-execute-package-management-process-in-container.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. -# To learn more about KubeArmor visit: -# https://www.accuknox.com/kubearmor/ - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - name: ksp-nist-execute-package-management-process-in-container - namespace: default # Change your namespace -spec: - tags: ["NIST", "CM-7(5)", "SI-4", "Package Manager"] - message: "Alert! Execution of package management process inside container is detected" - selector: - matchLabels: - pod: testpod #change this label with your label - process: - severity: 5 - matchPaths: - - path: /usr/bin/apt - - path: /usr/bin/apt-get - - path: /bin/apt-get - - path: /bin/apt - - path: /usr/bin/dpkg - - path: /bin/dpkg - - path: /usr/bin/gdebi - - path: /bin/gdebi - - path: /usr/bin/make - - path: /bin/make - - path: /usr/bin/yum - - path: /bin/yum - - path: /usr/bin/rpm - - path: /bin/rpm - - path: /usr/bin/dnf - - path: /bin/dnf - - path: /usr/bin/pacman - - path: /usr/sbin/pacman - - path: /bin/pacman - - path: /sbin/pacman - - path: /usr/bin/makepkg - - path: /usr/sbin/makepkg - - path: /bin/makepkg - - path: /sbin/makepkg - - path: /usr/bin/yaourt - - path: /usr/sbin/yaourt - - path: /bin/yaourt - - path: /sbin/yaourt - - path: /usr/bin/zypper - - path: /bin/zypper - action: Block From 00901b8e8250e4f36f3c7ee0f844242653e195c5 Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Thu, 13 Oct 2022 09:41:33 +0530 Subject: [PATCH 15/17] Delete ksp-nist-si-4-create-file-in-dev-dir.yaml --- .../ksp-nist-si-4-create-file-in-dev-dir.yaml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 redis/system/ksp-nist-si-4-create-file-in-dev-dir.yaml diff --git a/redis/system/ksp-nist-si-4-create-file-in-dev-dir.yaml b/redis/system/ksp-nist-si-4-create-file-in-dev-dir.yaml deleted file mode 100644 index 80675f83..00000000 
--- a/redis/system/ksp-nist-si-4-create-file-in-dev-dir.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. -# To learn more about KubeArmor visit: -# https://www.accuknox.com/kubearmor/ - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - name: ksp-nist-si-4-create-file-in-dev-dir - namespace: default -spec: - tags: ["NIST","NIST-800","SI-4","File","/dev"] - message: "Alert! File creation in /dev/ dir is detected. Possible violation of NIST SI-4" - selector: - matchLabels: - app: nginx-test #change to your labels - file: - severity: 5 - matchDirectories: - - dir: /dev/ - recursive: true - fromSource: - - path: /usr/bin/touch - - path: /bin/touch - action: audit From 5f8e06496d7bdda31e824385799757f5cfadd0c2 Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Thu, 13 Oct 2022 09:41:43 +0530 Subject: [PATCH 16/17] Delete ksp-nist-si-4-detect-acess-to-cron-job-files.yaml --- ...t-si-4-detect-acess-to-cron-job-files.yaml | 29 ------------------- 1 file changed, 29 deletions(-) delete mode 100644 redis/system/ksp-nist-si-4-detect-acess-to-cron-job-files.yaml diff --git a/redis/system/ksp-nist-si-4-detect-acess-to-cron-job-files.yaml b/redis/system/ksp-nist-si-4-detect-acess-to-cron-job-files.yaml deleted file mode 100644 index 10182413..00000000 --- a/redis/system/ksp-nist-si-4-detect-acess-to-cron-job-files.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. -# To learn more about KubeArmor visit: -# https://www.accuknox.com/kubearmor/ - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - name: ksp-nist-si-4-detect-acess-to-cron-job-files - namespace: default # Change your namespace -spec: - tags: ["NIST", "SI-4", "cron job"] - message: "Alert! Access to cron job files/directories detected." - selector: - matchLabels: - app: nginx-test #change this label with your label - file: - severity: 5 - matchDirectories: - - dir: /var/spool/cron/ - recursive: true - - dir: /var/cron/ - - dir: /etc/cron.d/ - - dir: /etc/cron.daily/ - - dir: /etc/cron.hourly/ - - dir: /etc/cron.monthly/ - - dir: /etc/cron.weekly/ - matchPaths: - - path: /etc/crontab - action: Audit From bac3fa987c14795cab9706f2379dde01d8ff5a10 Mon Sep 17 00:00:00 2001 From: rohitrishim <88204255+rohitrishim@users.noreply.github.com> Date: Thu, 13 Oct 2022 09:41:53 +0530 Subject: [PATCH 17/17] Delete ksp-nist-si-4-mkdir-bin-dir.yaml --- redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml | 31 ------------------- 1 file changed, 31 deletions(-) delete mode 100644 redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml diff --git a/redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml b/redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml deleted file mode 100644 index c020051c..00000000 --- a/redis/system/ksp-nist-si-4-mkdir-bin-dir.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. -# To learn more about KubeArmor visit: -# https://www.accuknox.com/kubearmor/ - -apiVersion: security.kubearmor.com/v1 -kind: KubeArmorPolicy -metadata: - name: ksp-nist-si-4-mkdir-bin-dir - namespace: default # Change your namespace -spec: - tags: ["NIST", "SI-4", "binary dir"] - message: "Alert! An attempt to create a directory below a binary directory is detected. Possible violation of NIST SI-4" - selector: - matchLabels: - app: nginx-test #change this label with your label - process: - severity: 5 - matchDirectories: - - dir: /bin/ - fromSource: - - path: /bin/mkdir - - dir: /sbin/ - fromSource: - - path: /bin/mkdir - - dir: /usr/sbin/ - fromSource: - - path: /bin/mkdir - - dir: /usr/bin/ - fromSource: - - path: /bin/mkdir - action: Block