-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: VedRatan <[email protected]>
- Loading branch information
Showing
2 changed files
with
106 additions
and
38 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,38 +1,103 @@ | ||
| ## Objective | ||
|
|
||
| - The `exploit-pfa` (Prevent Exploitation of Public-Facing Applications) intent is focused on securing applications that are exposed to the internet. This intent aims to mitigate risks associated with malicious actors potentially exploiting vulnerabilities in public-facing applications, such as web servers, to execute harmful actions. | ||
|
|
||
| - The main goal of the exploit-pfa intent is to prevent the execution of unauthorized or harmful binaries that could be uploaded to or executed from temporary or log directories. This is particularly relevant for applications like nginx, which may handle external requests and could be targets for exploitation. | ||
|
|
||
| **Note** : For the exploit-pfa intent one needs to have [nimbus-kubearmor](../../deployments/nimbus-kubearmor/Readme.md) adapter running in their cluster. | ||
|
|
||
| ## Policy Creation | ||
|
|
||
| The exploit-pfa intent results in `KubeArmorPolicy`. Below is the behaviour of intent in terms of policy: | ||
|
|
||
| ### KubeArmorPolicy | ||
|
|
||
| #### Prereq | ||
|
|
||
| - For the `KubeArmorPolicy` to work, one should have a [BPF-LSM](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/FAQ.md#checking-and-enabling-support-for-bpf-lsm) enabled for each node in their cluster. | ||
|
|
||
| #### Policy Description | ||
|
|
||
| - The KubeArmorPolicy created here implements strict controls on where executables can be run within the containerized environment | ||
|
|
||
| - The policy is set to Block, any attempts to execute binaries from specified directories will be denied. | ||
|
|
||
| - Process Matching: | ||
|
|
||
| - `/var/tmp/` | ||
| - `/tmp/` | ||
| - `/var/log/` | ||
| - `/app/logs/` | ||
| - `/logs/` | ||
| - `/etc/` | ||
|
|
||
| - All these directories are marked as recursive, meaning that the policy applies to all files and subdirectories within them. This comprehensive approach helps ensure that any harmful binaries, regardless of their specific location, cannot be executed. | ||
|
|
||
| - By blocking execution from these critical directories, the policy significantly reduces the attack surface for the application. This prevents attackers from executing potentially malicious scripts or binaries that could lead to data breaches or further compromises. | ||
|
|
||
| - This policy serves as an additional layer of defense, particularly important for applications exposed to the internet, which are more vulnerable to exploitation. | ||
| **Attack vectors**: Exploiting a public-facing application is a cyberattack technique that involves taking advantage of vulnerabilities in software applications to gain unauthorized access to systems or networks. Attackers can use online tools to scan the internet for open ports and services to find publicly exposed applications. T | ||
|
|
||
| **Mitigation**: The `exploitPFA` `SecurityIntent` helps us prevent these attacks by: | ||
|
|
||
| - Restricting external network access for specific applications, such as those labeled with selectors. This intent aims to ensure that these applications can only communicate with trusted internal resources while preventing unauthorized access from external networks. | ||
|
|
||
| - Limiting both ingress and egress traffic, this policy significantly reduces the risk of data exfiltration and unauthorized access | ||
|
|
||
| ## Tutorial | ||
|
|
||
| ### Prerequisites | ||
|
|
||
| **Nimbus suite**: Follow [this](../../deployments/nimbus/Readme.md) guide to install complete suite. | ||
|
|
||
| **Calico-CNI**: For the `NetworkPolicy` to work, one should have a [Calico-CNI](https://docs.tigera.io/calico/latest/getting-started/kubernetes/self-managed-onprem/onpremises) installed in their cluster. | ||
|
|
||
| #### 1. Create the SecurityIntent and SecurityIntentBinding to prevent Exploit Public Facing Application. | ||
|
|
||
| ```shell | ||
| cat << EOF | kubectl apply -f - | ||
| apiVersion: intent.security.nimbus.com/v1alpha1 | ||
| kind: SecurityIntent | ||
| metadata: | ||
| name: exploit-pfa | ||
| annotations: | ||
| intent.security.nimbus.com/title: DNS Manipulation Prevention | ||
| # Severity should be a standard threat severity level (e.g., Low, Medium, High, Critical) | ||
| intent.security.nimbus.com/severity: Medium | ||
| # Description should clearly explain the intent and its security implications | ||
| intent.security.nimbus.com/description: | | ||
| This SecurityIntent aims to prevent adversaries from ex-filtration, | ||
| redirecting network traffic and potentially reveal end user activity. | ||
| spec: | ||
| intent: | ||
| id: exploit-pfa | ||
| action: Block | ||
| --- | ||
| apiVersion: intent.security.nimbus.com/v1alpha1 | ||
| kind: SecurityIntentBinding | ||
| metadata: | ||
| name: exploit-pfa-binding | ||
| spec: | ||
| intents: | ||
| - name: exploit-pfa # Reference the intended SecurityIntent resource | ||
| selector: | ||
| workloadSelector: | ||
| matchLabels: | ||
| app: web # Replace with the label that identifies your workload (e.g., app: database) | ||
| EOF | ||
| ``` | ||
|
|
||
| #### 2. Verifying Resources creation: | ||
|
|
||
| After applying the `SecurityIntent` and `SecurityIntentBinding`, use the following commands to verify security engine | ||
| policies creation: | ||
|
|
||
| ```shell | ||
| # Check SecurityIntent, and SecurityIntentBinding creation | ||
| $ kubectl get si,sib | ||
| NAME STATUS AGE | ||
| securityintent.intent.security.nimbus.com/exploit-pfa Created 3m18s | ||
|
|
||
| NAME STATUS AGE INTENTS NIMBUSPOLICY | ||
| securityintentbinding.intent.security.nimbus.com/exploit-pfa-binding Created 3m18s 1 exploit-pfa-binding | ||
|
|
||
| # Check NimbusPolicy creation for the binding | ||
| $ kubectl get np exploit-pfa-binding | ||
| NAME STATUS AGE POLICIES | ||
| exploit-pfa-binding Created 3m34s 2 | ||
|
|
||
| # Check details of the NimbusPolicy to know about actual policies | ||
| $ kubectl describe np dns-manipulation-binding | ||
| Name: exploit-pfa-binding | ||
| ... | ||
| # Fields omitted for brevity | ||
| ... | ||
| Status: | ||
| Adapter Policies: | ||
| NetworkPolicy/exploit-pfa-binding-dnsmanipulation | ||
| Last Updated: 2024-10-07T14:25:17Z | ||
| Number Of Adapter Policies: 1 | ||
| Status: Created | ||
| Events: <none> | ||
| ``` | ||
|
|
||
| From the `ExploitPFA` SecurityIntent one security policy will be generated to satisfy the SecurityIntent: | ||
|
|
||
| - **Kubernetes Network Policy**: This policy allows DNS requests only to `kube-dns` pods within the `kube-system` | ||
| namespace. The policy also specifies that only traffic from defined internal IP ranges can reach the pods, ensuring that only trusted sources can communicate with them. | ||
|
|
||
|
|
||
| _**Enforcement is handled by the relevant security engines. In this case, [Kubernetes NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/).** | ||
|
|
||
| #### 3. Cleanup | ||
|
|
||
| Once done, delete the created resources: | ||
|
|
||
| ```shell | ||
| kubectl delete si dns-manipulation | ||
| kubectl delete sib dns-manipulation-binding | ||
| ``` |