KubeArmor
  • KubeArmor
  • Quick Links
    • Getting Started
    • Support Matrix
    • Differentiation
    • VM/Bare-Metal Deployment
  • Use-Cases
    • Harden Infrastructure
    • Least Permissive Access
    • Application Behavior
    • ModelArmor Use Cases
    • Advanced
  • Documentation
    • KubeArmor Events
    • Control Telemetry/Visibility
    • Security Posture
    • Policy Spec for Containers
    • Policy Examples for Containers
    • Cluster Policy Spec for Containers
    • Cluster Policy Examples for Containers
    • Policy Spec for Nodes/VMs
    • Policy Examples for Nodes/VMs
    • FAQs
  • Contribution
    • Contribution Guide
    • Development Guide
    • Testing Guide
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. Documentation

Policy Examples for Nodes/VMs

PreviousPolicy Spec for Nodes/VMsNextFAQs

Last updated 2 years ago

Was this helpful?

Here, we demonstrate how to define host security policies.

  • Process Execution Restriction

    • Block a specific executable ()

      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorHostPolicy
      metadata:
        name: hsp-kubearmor-dev-proc-path-block
      spec:
        nodeSelector:
          matchLabels:
            kubernetes.io/hostname: kubearmor-dev
        severity: 5
        process:
          matchPaths:
          - path: /usr/bin/diff
        action:
          Block
      • Explanation: The purpose of this policy is to block the execution of '/usr/bin/diff' in a host whose host name is 'kubearmor-dev'. For this, we define 'kubernetes.io/hostname: kubearmor-dev' in nodeSelector -> matchLabels and the specific path ('/usr/bin/diff') in process -> matchPaths. Also, we put 'Block' as the action of this policy.

      • Verification: After applying this policy, please open a new terminal (or connect to the host with a new session) and run '/usr/bin/diff'. You will see that /usr/bin/diff is blocked.

      NOTE

      The given policy works with almost every linux distribution. If it is not working in your case, check the process location. The following location shows location of sleep binary in different ubuntu distributions:

      • In case of Ubuntu 20.04 : /usr/bin/sleep

      • In case of Ubuntu 18.04 : /bin/sleep

  • File Access Restriction

    • Audit a critical file access ()

      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorHostPolicy
      metadata:
        name: hsp-kubearmor-dev-file-path-audit
      spec:
        nodeSelector:
          matchLabels:
            kubernetes.io/hostname: kubearmor-dev
        severity: 5
        file:
          matchPaths:
          - path: /etc/passwd
        action:
          Audit
      • Explanation: The purpose of this policy is to audit any accesses to a critical file (i.e., '/etc/passwd'). Since we want to audit one critical file, we use matchPaths to specify the path of '/etc/passwd'.

      • Verification: After applying this policy, please open a new terminal (or connect to the host with a new session) and run 'sudo cat /etc/passwd'. Then, check the alert logs of KubeArmor.

  • System calls alerting

    • Alert for all unlink syscalls

    apiVersion: security.kubearmor.com/v1
    kind: KubeArmorHostPolicy
    metadata:
      name: audit-all-unlink
    spec:
      severity: 3
      nodeSelector:
            matchLabels:
              kubernetes.io/hostname: vagrant
      syscalls:
        matchSyscalls:
        - syscall:
          - unlink
      action:
        Audit
Generated telemetry
{
  "Timestamp": 1661937152,
  "UpdatedTime": "2022-08-31T09:12:32.967304Z",
  "ClusterName": "default",
  "HostName": "vagrant",
  "HostPPID": 8563,
  "HostPID": 310459,
  "PPID": 8563,
  "PID": 310459,
  "UID": 1000,
  "ProcessName": "/usr/bin/unlink",
  "PolicyName": "audit-all-unlink",
  "Severity": "3",
  "Type": "MatchedHostPolicy",
  "Source": "/usr/bin/unlink /home/vagrant/secret.txt",
  "Operation": "Syscall",
  "Resource": "/home/vagrant/secret.txt",
  "Data": "syscall=SYS_UNLINK",
  "Action": "Audit",
  "Result": "Passed"
}
  • Alert on all rmdir syscalls targeting anything in /home/ directory and sub-directories

apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: audit-home-rmdir
spec:
  severity: 3
  nodeSelector:
        matchLabels:
          kubernetes.io/hostname: vagrant
  syscalls:
    matchPaths:
    - syscall:
      - rmdir
      path: /home/
      recursive: true
  action:
    Audit
Generated telemetry
{
  "Timestamp": 1661936983,
  "UpdatedTime": "2022-08-31T09:09:43.894787Z",
  "ClusterName": "default",
  "HostName": "vagrant",
  "HostPPID": 308001,
  "HostPID": 308002,
  "PPID": 308001,
  "PID": 308002,
  "ProcessName": "/usr/bin/rmdir",
  "PolicyName": "audit-home-rmdir",
  "Severity": "3",
  "Type": "MatchedHostPolicy",
  "Source": "/usr/bin/rmdir jane-doe",
  "Operation": "Syscall",
  "Resource": "/home/jane-doe",
  "Data": "syscall=SYS_RMDIR",
  "Action": "Audit",
  "Result": "Passed"
}
hsp-kubearmor-dev-proc-path-block.yaml
hsp-kubearmor-dev-file-path-audit.yaml