-
Notifications
You must be signed in to change notification settings - Fork 342
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Navin Chandra <navinchandra772@gmail.com>
- Loading branch information
Showing
13 changed files
with
606 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
// SPDX-License-Identifier: Apache-2.0 | ||
// Copyright 2024 Authors of KubeArmor | ||
|
||
package hsp_test | ||
|
||
import ( | ||
"testing" | ||
|
||
. "github.com/onsi/ginkgo/v2" | ||
. "github.com/onsi/gomega" | ||
) | ||
|
||
func TestHsp(t *testing.T) { | ||
RegisterFailHandler(Fail) | ||
RunSpecs(t, "Hsp Suite") | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,304 @@ | ||
// SPDX-License-Identifier: Apache-2.0 | ||
// Copyright 2024 Authors of KubeArmor | ||
|
||
package hsp | ||
|
||
import ( | ||
"os" | ||
"time" | ||
|
||
. "github.com/kubearmor/KubeArmor/tests/util" | ||
. "github.com/onsi/ginkgo/v2" | ||
. "github.com/onsi/gomega" | ||
) | ||
|
||
var _ = Describe("Non-k8s HSP tests", func() { | ||
|
||
AfterEach(func() { | ||
KarmorLogStop() | ||
}) | ||
|
||
BeforeEach(func() { | ||
// Set the environment variable | ||
os.Setenv("KUBEARMOR_SERVICE", ":32767") | ||
}) | ||
|
||
Describe("HSP file path block", func() { | ||
|
||
It("can block access to /etc/hostname on the host", func() { | ||
|
||
policyPath := "res/hsp-kubearmor-dev-file-path-block.yaml" | ||
err := SendPolicy("ADDED", policyPath) | ||
Expect(err).To(BeNil()) | ||
|
||
// Start the karmor logs | ||
err = KarmorLogStart("policy", "", "File", "") | ||
Expect(err).To(BeNil()) | ||
|
||
// Access the /etc/hostname file | ||
out, err := ExecCommandHost([]string{"bash", "-c", "cat /etc/hostname"}) | ||
Expect(err).NotTo(BeNil()) | ||
Expect(out).To(MatchRegexp(".*Permission denied")) | ||
|
||
// check policy violation alert | ||
_, alerts, err := KarmorGetLogs(5*time.Second, 1) | ||
Expect(err).To(BeNil()) | ||
Expect(len(alerts)).To(BeNumerically(">=", 1)) | ||
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-block")) | ||
Expect(alerts[0].Severity).To(Equal("5")) | ||
Expect(alerts[0].Action).To(Equal("Block")) | ||
|
||
// delete the policy | ||
err = SendPolicy("DELETED", policyPath) | ||
Expect(err).To(BeNil()) | ||
|
||
}) | ||
}) | ||
|
||
Describe("HSP Process path block", func() { | ||
|
||
It("can block execution of diff command in host", func() { | ||
|
||
policyPath := "res/hsp-kubearmor-dev-proc-path-block.yaml" | ||
err := SendPolicy("ADDED", policyPath) | ||
Expect(err).To(BeNil()) | ||
|
||
// Start the karmor logs | ||
err = KarmorLogStart("policy", "", "Process", "") | ||
Expect(err).To(BeNil()) | ||
|
||
// call the diff command | ||
out, err := ExecCommandHost([]string{"bash", "-c", "diff --help"}) | ||
Expect(err).NotTo(BeNil()) | ||
Expect(out).To(MatchRegexp(".*Permission denied")) | ||
|
||
// check policy violation alert | ||
_, alerts, err := KarmorGetLogs(5*time.Second, 1) | ||
Expect(err).To(BeNil()) | ||
Expect(len(alerts)).To(BeNumerically(">=", 1)) | ||
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block")) | ||
Expect(alerts[0].Severity).To(Equal("5")) | ||
Expect(alerts[0].Action).To(Equal("Block")) | ||
|
||
// delete the policy | ||
err = SendPolicy("DELETED", policyPath) | ||
Expect(err).To(BeNil()) | ||
}) | ||
}) | ||
|
||
Describe("HSP dir block from source", func() { | ||
|
||
It("can allow access to everything except /etc/default/* from head", func() { | ||
|
||
policyPath := "res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml" | ||
err := SendPolicy("ADDED", policyPath) | ||
Expect(err).To(BeNil()) | ||
|
||
// Start the karmor logs | ||
err = KarmorLogStart("policy", "", "File", "") | ||
Expect(err).To(BeNil()) | ||
|
||
// call the head command | ||
out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/hostname"}) | ||
Expect(err).To(BeNil()) | ||
Expect(out).NotTo(MatchRegexp(".*Permission denied")) | ||
|
||
// check policy violation alert | ||
_, alerts, err := KarmorGetLogs(5*time.Second, 1) | ||
Expect(err).To(BeNil()) | ||
Expect(len(alerts)).To(BeNumerically("==", 0)) | ||
|
||
// delete the policy | ||
err = SendPolicy("DELETED", policyPath) | ||
Expect(err).To(BeNil()) | ||
}) | ||
|
||
It("can block access to /etc/default/* from head", func() { | ||
|
||
policyPath := "res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml" | ||
err := SendPolicy("ADDED", policyPath) | ||
Expect(err).To(BeNil()) | ||
|
||
// Start the karmor logs | ||
err = KarmorLogStart("policy", "", "File", "") | ||
Expect(err).To(BeNil()) | ||
|
||
// call the head command | ||
out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/default/useradd"}) | ||
Expect(err).NotTo(BeNil()) | ||
Expect(out).To(MatchRegexp(".*Permission denied")) | ||
|
||
// check policy violation alert | ||
_, alerts, err := KarmorGetLogs(5*time.Second, 1) | ||
Expect(err).To(BeNil()) | ||
Expect(len(alerts)).To(BeNumerically(">=", 1)) | ||
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-dir-block-fromsource")) | ||
Expect(alerts[0].Severity).To(Equal("5")) | ||
Expect(alerts[0].Action).To(Equal("Block")) | ||
|
||
// delete the policy | ||
err = SendPolicy("DELETED", policyPath) | ||
Expect(err).To(BeNil()) | ||
}) | ||
}) | ||
|
||
Describe("HSP file audit", func() { | ||
|
||
It("can audit access to /etc/passwd", func() { | ||
|
||
policyPath := "res/hsp-kubearmor-dev-file-path-audit.yaml" | ||
err := SendPolicy("ADDED", policyPath) | ||
Expect(err).To(BeNil()) | ||
|
||
// Start the karmor logs | ||
err = KarmorLogStart("policy", "", "File", "") | ||
Expect(err).To(BeNil()) | ||
|
||
// try to access the /etc/passwd file | ||
out, err := ExecCommandHost([]string{"bash", "-c", "cat /etc/passwd"}) | ||
Expect(err).To(BeNil()) | ||
Expect(out).ToNot(MatchRegexp(".*Permission denied")) | ||
|
||
// check audit alerts | ||
_, alerts, err := KarmorGetLogs(5*time.Second, 1) | ||
Expect(err).To(BeNil()) | ||
Expect(len(alerts)).To(BeNumerically(">=", 1)) | ||
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-audit")) | ||
Expect(alerts[0].Severity).To(Equal("5")) | ||
Expect(alerts[0].Action).To(Equal("Audit")) | ||
|
||
// delete the policy | ||
err = SendPolicy("DELETED", policyPath) | ||
Expect(err).To(BeNil()) | ||
}) | ||
}) | ||
|
||
Describe("HSP path block from source", func() { | ||
|
||
It("It can block access to /etc/hostname from head", func() { | ||
|
||
policyPath := "res/hsp-kubearmor-dev-file-path-block-fromSource.yaml" | ||
err := SendPolicy("ADDED", policyPath) | ||
Expect(err).To(BeNil()) | ||
|
||
// Start the karmor logs | ||
err = KarmorLogStart("policy", "", "File", "") | ||
Expect(err).To(BeNil()) | ||
|
||
// try to access the /etc/hostname file from head | ||
out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/hostname"}) | ||
Expect(err).NotTo(BeNil()) | ||
Expect(out).To(MatchRegexp(".*Permission denied")) | ||
|
||
// check policy violation alert | ||
_, alerts, err := KarmorGetLogs(5*time.Second, 1) | ||
Expect(err).To(BeNil()) | ||
Expect(len(alerts)).To(BeNumerically(">=", 1)) | ||
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-block-fromsource")) | ||
Expect(alerts[0].Severity).To(Equal("5")) | ||
Expect(alerts[0].Action).To(Equal("Block")) | ||
|
||
// delete the policy | ||
err = SendPolicy("DELETED", policyPath) | ||
Expect(err).To(BeNil()) | ||
}) | ||
}) | ||
|
||
// Describe("HSP Process path block from source", func() { | ||
|
||
// It("can block date command from bash", func() { | ||
|
||
// policyPath := "res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml" | ||
// err := SendPolicy("ADDED", policyPath) | ||
// Expect(err).To(BeNil()) | ||
|
||
// // Start the karmor logs | ||
// err = KarmorLogStart("policy", "", "Process", "") | ||
// Expect(err).To(BeNil()) | ||
|
||
// // call the date command from bash | ||
// out, err := ExecCommandHost([]string{"bash", "-c", "date"}) | ||
// Expect(err).To(BeNil()) | ||
// Expect(out).To(MatchRegexp(".*Permission denied")) | ||
|
||
// // // execute ls command from bash | ||
// // out2, err := ExecCommandHost([]string{"bash", "-c", "ls"}) | ||
// // Expect(err).To(BeNil()) | ||
// // Expect(out2).NotTo(MatchRegexp(".*Permission denied")) | ||
|
||
// // check policy violation alert | ||
// _, alerts, err := KarmorGetLogs(5*time.Second, 1) | ||
// Expect(err).To(BeNil()) | ||
// Expect(len(alerts)).To(BeNumerically(">=", 1)) | ||
// Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block-fromsource")) | ||
// Expect(alerts[0].Severity).To(Equal("5")) | ||
// Expect(alerts[0].Action).To(Equal("Block")) | ||
|
||
// // delete the policy | ||
// err = SendPolicy("DELETED", policyPath) | ||
// Expect(err).To(BeNil()) | ||
// }) | ||
// }) | ||
|
||
Describe("HSP Process path block", func() { | ||
|
||
It("can block diff command", func() { | ||
|
||
policyPath := "res/hsp-kubearmor-dev-proc-path-block.yaml" | ||
err := SendPolicy("ADDED", policyPath) | ||
Expect(err).To(BeNil()) | ||
|
||
// Start the karmor logs | ||
err = KarmorLogStart("policy", "", "Process", "") | ||
Expect(err).To(BeNil()) | ||
|
||
// run diff command | ||
out, err := ExecCommandHost([]string{"bash", "-c", "diff"}) | ||
Expect(err).NotTo(BeNil()) | ||
Expect(out).To(MatchRegexp(".*Permission denied")) | ||
|
||
// check policy violation alert | ||
_, alerts, err := KarmorGetLogs(5*time.Second, 1) | ||
Expect(err).To(BeNil()) | ||
Expect(len(alerts)).To(BeNumerically(">=", 1)) | ||
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block")) | ||
Expect(alerts[0].Severity).To(Equal("5")) | ||
Expect(alerts[0].Action).To(Equal("Block")) | ||
|
||
// delete the policy | ||
err = SendPolicy("DELETED", policyPath) | ||
Expect(err).To(BeNil()) | ||
}) | ||
}) | ||
|
||
Describe("HSP Network path block", func() { | ||
|
||
It("can block access to UDP protocol from curl", func() { | ||
|
||
policyPath := "res/hsp-kubearmor-dev-udp-block.yaml" | ||
err := SendPolicy("ADDED", policyPath) | ||
Expect(err).To(BeNil()) | ||
|
||
// Start the karmor logs | ||
err = KarmorLogStart("policy", "", "Network", "") | ||
Expect(err).To(BeNil()) | ||
|
||
// run diff command | ||
out, err := ExecCommandHost([]string{"bash", "-c", "curl google.com"}) | ||
Expect(err).NotTo(BeNil()) | ||
Expect(out).To(MatchRegexp(".*Could not resolve host: google.com")) | ||
|
||
// check policy violation alert | ||
_, alerts, err := KarmorGetLogs(5*time.Second, 1) | ||
Expect(err).To(BeNil()) | ||
Expect(len(alerts)).To(BeNumerically(">=", 1)) | ||
Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-udp-block-curl")) | ||
Expect(alerts[0].Severity).To(Equal("5")) | ||
Expect(alerts[0].Action).To(Equal("Block")) | ||
|
||
// delete the policy | ||
err = SendPolicy("DELETED", policyPath) | ||
Expect(err).To(BeNil()) | ||
}) | ||
}) | ||
}) |
29 changes: 29 additions & 0 deletions
29
tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
apiVersion: security.kubearmor.com/v1 | ||
kind: KubeArmorHostPolicy | ||
metadata: | ||
name: hsp-kubearmor-dev-file-dir-allow-fromsource | ||
spec: | ||
nodeSelector: | ||
matchLabels: | ||
kubearmor.io/hostname: "*" | ||
severity: 5 | ||
file: | ||
matchDirectories: | ||
- dir: /etc/default/ | ||
recursive: true | ||
fromSource: | ||
- path: /usr/bin/head | ||
action: | ||
Allow | ||
|
||
# kubearmor-dev_test_08 | ||
|
||
# test | ||
# $ head /etc/default/useradd | ||
# Default values for useradd(8) ... | ||
# $ head /etc/hostname | ||
# head: /etc/hostname: Permission denied | ||
|
||
# expectation | ||
# /usr/bin/head can only access /etc/default/* | ||
# /usr/bin/head cannot access any others |
28 changes: 28 additions & 0 deletions
28
tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
apiVersion: security.kubearmor.com/v1 | ||
kind: KubeArmorHostPolicy | ||
metadata: | ||
name: hsp-kubearmor-dev-file-dir-block-fromsource | ||
spec: | ||
nodeSelector: | ||
matchLabels: | ||
kubearmor.io/hostname: "*" | ||
severity: 5 | ||
file: | ||
matchDirectories: | ||
- dir: /etc/default/ | ||
fromSource: | ||
- path: /usr/bin/head | ||
action: | ||
Block | ||
|
||
# kubearmor-dev_test_09 | ||
|
||
# test | ||
# $ head /etc/default/useradd | ||
# head: useradd: Permission denied | ||
# $ head /etc/hostname | ||
# kubearmor-dev | ||
|
||
# expectation | ||
# /usr/bin/head cannot access /etc/default/* | ||
# /usr/bin/head can access any others |
Oops, something went wrong.