Skip to content

Commit

Permalink
Add HSP test suite for non-k8s mode
Browse files Browse the repository at this point in the history
Signed-off-by: Navin Chandra <navinchandra772@gmail.com>
  • Loading branch information
navin772 committed Sep 18, 2024
1 parent b6480cd commit face0b9
Show file tree
Hide file tree
Showing 13 changed files with 606 additions and 0 deletions.
16 changes: 16 additions & 0 deletions tests/nonk8s_env/hsp/hsp_suite_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2024 Authors of KubeArmor

package hsp_test

import (
"testing"

. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
)

func TestHsp(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "Hsp Suite")
}
304 changes: 304 additions & 0 deletions tests/nonk8s_env/hsp/hsp_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,304 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright 2024 Authors of KubeArmor

package hsp

import (
"os"
"time"

. "github.com/kubearmor/KubeArmor/tests/util"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
)

var _ = Describe("Non-k8s HSP tests", func() {

AfterEach(func() {
KarmorLogStop()
})

BeforeEach(func() {
// Set the environment variable
os.Setenv("KUBEARMOR_SERVICE", ":32767")
})

Describe("HSP file path block", func() {

It("can block access to /etc/hostname on the host", func() {

policyPath := "res/hsp-kubearmor-dev-file-path-block.yaml"
err := SendPolicy("ADDED", policyPath)
Expect(err).To(BeNil())

// Start the karmor logs
err = KarmorLogStart("policy", "", "File", "")
Expect(err).To(BeNil())

// Access the /etc/hostname file
out, err := ExecCommandHost([]string{"bash", "-c", "cat /etc/hostname"})
Expect(err).NotTo(BeNil())
Expect(out).To(MatchRegexp(".*Permission denied"))

// check policy violation alert
_, alerts, err := KarmorGetLogs(5*time.Second, 1)
Expect(err).To(BeNil())
Expect(len(alerts)).To(BeNumerically(">=", 1))
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-block"))
Expect(alerts[0].Severity).To(Equal("5"))
Expect(alerts[0].Action).To(Equal("Block"))

// delete the policy
err = SendPolicy("DELETED", policyPath)
Expect(err).To(BeNil())

})
})

Describe("HSP Process path block", func() {

It("can block execution of diff command in host", func() {

policyPath := "res/hsp-kubearmor-dev-proc-path-block.yaml"
err := SendPolicy("ADDED", policyPath)
Expect(err).To(BeNil())

// Start the karmor logs
err = KarmorLogStart("policy", "", "Process", "")
Expect(err).To(BeNil())

// call the diff command
out, err := ExecCommandHost([]string{"bash", "-c", "diff --help"})
Expect(err).NotTo(BeNil())
Expect(out).To(MatchRegexp(".*Permission denied"))

// check policy violation alert
_, alerts, err := KarmorGetLogs(5*time.Second, 1)
Expect(err).To(BeNil())
Expect(len(alerts)).To(BeNumerically(">=", 1))
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block"))
Expect(alerts[0].Severity).To(Equal("5"))
Expect(alerts[0].Action).To(Equal("Block"))

// delete the policy
err = SendPolicy("DELETED", policyPath)
Expect(err).To(BeNil())
})
})

Describe("HSP dir block from source", func() {

It("can allow access to everything except /etc/default/* from head", func() {

policyPath := "res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml"
err := SendPolicy("ADDED", policyPath)
Expect(err).To(BeNil())

// Start the karmor logs
err = KarmorLogStart("policy", "", "File", "")
Expect(err).To(BeNil())

// call the head command
out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/hostname"})
Expect(err).To(BeNil())
Expect(out).NotTo(MatchRegexp(".*Permission denied"))

// check policy violation alert
_, alerts, err := KarmorGetLogs(5*time.Second, 1)
Expect(err).To(BeNil())
Expect(len(alerts)).To(BeNumerically("==", 0))

// delete the policy
err = SendPolicy("DELETED", policyPath)
Expect(err).To(BeNil())
})

It("can block access to /etc/default/* from head", func() {

policyPath := "res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml"
err := SendPolicy("ADDED", policyPath)
Expect(err).To(BeNil())

// Start the karmor logs
err = KarmorLogStart("policy", "", "File", "")
Expect(err).To(BeNil())

// call the head command
out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/default/useradd"})
Expect(err).NotTo(BeNil())
Expect(out).To(MatchRegexp(".*Permission denied"))

// check policy violation alert
_, alerts, err := KarmorGetLogs(5*time.Second, 1)
Expect(err).To(BeNil())
Expect(len(alerts)).To(BeNumerically(">=", 1))
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-dir-block-fromsource"))
Expect(alerts[0].Severity).To(Equal("5"))
Expect(alerts[0].Action).To(Equal("Block"))

// delete the policy
err = SendPolicy("DELETED", policyPath)
Expect(err).To(BeNil())
})
})

Describe("HSP file audit", func() {

It("can audit access to /etc/passwd", func() {

policyPath := "res/hsp-kubearmor-dev-file-path-audit.yaml"
err := SendPolicy("ADDED", policyPath)
Expect(err).To(BeNil())

// Start the karmor logs
err = KarmorLogStart("policy", "", "File", "")
Expect(err).To(BeNil())

// try to access the /etc/passwd file
out, err := ExecCommandHost([]string{"bash", "-c", "cat /etc/passwd"})
Expect(err).To(BeNil())
Expect(out).ToNot(MatchRegexp(".*Permission denied"))

// check audit alerts
_, alerts, err := KarmorGetLogs(5*time.Second, 1)
Expect(err).To(BeNil())
Expect(len(alerts)).To(BeNumerically(">=", 1))
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-audit"))
Expect(alerts[0].Severity).To(Equal("5"))
Expect(alerts[0].Action).To(Equal("Audit"))

// delete the policy
err = SendPolicy("DELETED", policyPath)
Expect(err).To(BeNil())
})
})

Describe("HSP path block from source", func() {

It("It can block access to /etc/hostname from head", func() {

policyPath := "res/hsp-kubearmor-dev-file-path-block-fromSource.yaml"
err := SendPolicy("ADDED", policyPath)
Expect(err).To(BeNil())

// Start the karmor logs
err = KarmorLogStart("policy", "", "File", "")
Expect(err).To(BeNil())

// try to access the /etc/hostname file from head
out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/hostname"})
Expect(err).NotTo(BeNil())
Expect(out).To(MatchRegexp(".*Permission denied"))

// check policy violation alert
_, alerts, err := KarmorGetLogs(5*time.Second, 1)
Expect(err).To(BeNil())
Expect(len(alerts)).To(BeNumerically(">=", 1))
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-block-fromsource"))
Expect(alerts[0].Severity).To(Equal("5"))
Expect(alerts[0].Action).To(Equal("Block"))

// delete the policy
err = SendPolicy("DELETED", policyPath)
Expect(err).To(BeNil())
})
})

// Describe("HSP Process path block from source", func() {

// It("can block date command from bash", func() {

// policyPath := "res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml"
// err := SendPolicy("ADDED", policyPath)
// Expect(err).To(BeNil())

// // Start the karmor logs
// err = KarmorLogStart("policy", "", "Process", "")
// Expect(err).To(BeNil())

// // call the date command from bash
// out, err := ExecCommandHost([]string{"bash", "-c", "date"})
// Expect(err).To(BeNil())
// Expect(out).To(MatchRegexp(".*Permission denied"))

// // // execute ls command from bash
// // out2, err := ExecCommandHost([]string{"bash", "-c", "ls"})
// // Expect(err).To(BeNil())
// // Expect(out2).NotTo(MatchRegexp(".*Permission denied"))

// // check policy violation alert
// _, alerts, err := KarmorGetLogs(5*time.Second, 1)
// Expect(err).To(BeNil())
// Expect(len(alerts)).To(BeNumerically(">=", 1))
// Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block-fromsource"))
// Expect(alerts[0].Severity).To(Equal("5"))
// Expect(alerts[0].Action).To(Equal("Block"))

// // delete the policy
// err = SendPolicy("DELETED", policyPath)
// Expect(err).To(BeNil())
// })
// })

Describe("HSP Process path block", func() {

It("can block diff command", func() {

policyPath := "res/hsp-kubearmor-dev-proc-path-block.yaml"
err := SendPolicy("ADDED", policyPath)
Expect(err).To(BeNil())

// Start the karmor logs
err = KarmorLogStart("policy", "", "Process", "")
Expect(err).To(BeNil())

// run diff command
out, err := ExecCommandHost([]string{"bash", "-c", "diff"})
Expect(err).NotTo(BeNil())
Expect(out).To(MatchRegexp(".*Permission denied"))

// check policy violation alert
_, alerts, err := KarmorGetLogs(5*time.Second, 1)
Expect(err).To(BeNil())
Expect(len(alerts)).To(BeNumerically(">=", 1))
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block"))
Expect(alerts[0].Severity).To(Equal("5"))
Expect(alerts[0].Action).To(Equal("Block"))

// delete the policy
err = SendPolicy("DELETED", policyPath)
Expect(err).To(BeNil())
})
})

Describe("HSP Network path block", func() {

It("can block access to UDP protocol from curl", func() {

policyPath := "res/hsp-kubearmor-dev-udp-block.yaml"
err := SendPolicy("ADDED", policyPath)
Expect(err).To(BeNil())

// Start the karmor logs
err = KarmorLogStart("policy", "", "Network", "")
Expect(err).To(BeNil())

// run diff command
out, err := ExecCommandHost([]string{"bash", "-c", "curl google.com"})
Expect(err).NotTo(BeNil())
Expect(out).To(MatchRegexp(".*Could not resolve host: google.com"))

// check policy violation alert
_, alerts, err := KarmorGetLogs(5*time.Second, 1)
Expect(err).To(BeNil())
Expect(len(alerts)).To(BeNumerically(">=", 1))
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-udp-block-curl"))
Expect(alerts[0].Severity).To(Equal("5"))
Expect(alerts[0].Action).To(Equal("Block"))

// delete the policy
err = SendPolicy("DELETED", policyPath)
Expect(err).To(BeNil())
})
})
})
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
name: hsp-kubearmor-dev-file-dir-allow-fromsource
spec:
nodeSelector:
matchLabels:
kubearmor.io/hostname: "*"
severity: 5
file:
matchDirectories:
- dir: /etc/default/
recursive: true
fromSource:
- path: /usr/bin/head
action:
Allow

# kubearmor-dev_test_08

# test
# $ head /etc/default/useradd
# Default values for useradd(8) ...
# $ head /etc/hostname
# head: /etc/hostname: Permission denied

# expectation
# /usr/bin/head can only access /etc/default/*
# /usr/bin/head cannot access any others
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
name: hsp-kubearmor-dev-file-dir-block-fromsource
spec:
nodeSelector:
matchLabels:
kubearmor.io/hostname: "*"
severity: 5
file:
matchDirectories:
- dir: /etc/default/
fromSource:
- path: /usr/bin/head
action:
Block

# kubearmor-dev_test_09

# test
# $ head /etc/default/useradd
# head: useradd: Permission denied
# $ head /etc/hostname
# kubearmor-dev

# expectation
# /usr/bin/head cannot access /etc/default/*
# /usr/bin/head can access any others
Loading

0 comments on commit face0b9

Please sign in to comment.