Merge pull request #1056 from nyrahul/main

zero trust policies for open5gs

5gsec/artifacthub-repo.yml

@@ -0,0 +1,19 @@
+# Artifact Hub repository metadata file
+#
+# Some settings like the verified publisher flag or the ignored packages won't
+# be applied until the next time the repository is processed. Please keep in
+# mind that the repository won't be processed if it has not changed since the
+# last time it was processed. Depending on the repository kind, this is checked
+# in a different way. For Helm http based repositories, we consider it has
+# changed if the `index.yaml` file changes. For git based repositories, it does
+# when the hash of the last commit in the branch you set up changes. This does
+# NOT apply to ownership claim operations, which are processed immediately.
+#
+repositoryID: 527b667e-7ad5-408d-8bab-9972f18272b5
+owners: # (optional, used to claim repository ownership)
+  - name: Rahul Jadhav
+    email: [email protected]
+#ignore: # (optional, packages that should not be indexed by Artifact Hub)
+#  - name: package1
+#  - name: package2 # Exact match
+#    version: beta # Regular expression (when omitted, all versions are ignored)

5gsec/open5gs/1.0.0/README.md

@@ -0,0 +1 @@
+# Open5GS Zero Trust policies

5gsec/open5gs/1.0.0/open5gs-AMF-ZeroTrust.yaml

@@ -0,0 +1,73 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: open5gs-amf-zero-trust
+  namespace: open5gs
+spec:
+  action: Allow
+  file:
+    matchDirectories:
+    - dir: /
+      recursive: true
+    - dir: /open5gs/
+      recursive: true
+      action: Block
+      severity: 10
+      message: unauthorized access to open5GS data
+    - dir: /open5gs/
+      recursive: true
+      fromSource:
+      - path: /usr/bin/open5gs-amfd
+  network:
+    matchProtocols:
+    - fromSource:
+      - path: /usr/bin/open5gs-amfd
+      - path: /usr/bin/perl
+      - path: /usr/lib/apt/methods/http
+      - path: /usr/lib/apt/methods/https
+      - path: /usr/lib/apt/methods/store
+      - path: /usr/sbin/usermod
+      protocol: raw
+    - fromSource:
+      - path: /usr/bin/open5gs-amfd
+      - path: /usr/bin/perl
+      - path: /usr/lib/apt/methods/http
+      - path: /usr/lib/apt/methods/https
+      - path: /usr/lib/apt/methods/store
+      - path: /usr/sbin/usermod
+      protocol: tcp
+    - fromSource:
+      - path: /usr/bin/open5gs-amfd
+      - path: /usr/bin/perl
+      - path: /usr/lib/apt/methods/https
+      - path: /usr/lib/apt/methods/store
+      - path: /usr/sbin/usermod
+      protocol: icmp
+    - fromSource:
+      - path: /usr/bin/open5gs-amfd
+      - path: /usr/bin/perl
+      - path: /usr/lib/apt/methods/https
+      - path: /usr/lib/apt/methods/store
+      - path: /usr/sbin/usermod
+      protocol: udp
+  process:
+    matchPaths:
+    - path: /bin/sh
+    - path: /usr/bin/containerd-shim-runc-v2
+    - path: /usr/bin/dash
+    - path: /usr/bin/dirname
+    - path: /usr/bin/dpkg
+    - path: /usr/bin/gpgv
+    - path: /usr/bin/mktemp
+    - path: /usr/bin/open5gs-amfd
+    - path: /usr/bin/perl
+    - path: /usr/bin/sh
+    - path: /usr/lib/apt/methods/http
+    - path: /usr/lib/apt/methods/https
+    - path: /usr/lib/apt/methods/store
+    - path: /usr/sbin/usermod
+  selector:
+    matchLabels:
+      epc-mode: amf-1
+      epc-prom: enabled
+  severity: 1

5gsec/open5gs/1.0.0/open5gs-AUSF-ZeroTrust.yaml

@@ -0,0 +1,44 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: open5gs-ausf-zero-trust
+  namespace: open5gs
+spec:
+  action: Allow
+  file:
+    matchDirectories:
+    - dir: /
+      recursive: true
+    - dir: /open5gs/
+      recursive: true
+      action: Block
+      severity: 10
+      message: unauthorized access to open5GS data
+    - dir: /open5gs/
+      recursive: true
+      fromSource:
+      - path: /usr/bin/open5gs-ausfd
+  network:
+    matchProtocols:
+    - fromSource:
+      - path: /usr/bin/open5gs-ausfd
+      protocol: icmp
+    - fromSource:
+      - path: /usr/bin/open5gs-ausfd
+      protocol: raw
+    - fromSource:
+      - path: /usr/bin/open5gs-ausfd
+      protocol: tcp
+    - fromSource:
+      - path: /usr/bin/open5gs-ausfd
+      protocol: udp
+  process:
+    matchPaths:
+    - path: /usr/bin/containerd-shim-runc-v2
+    - path: /usr/bin/open5gs-ausfd
+    - path: /usr/local/bin/wait_for.sh
+    - path: /usr/local/sbin/sh
+  selector:
+    matchLabels:
+      epc-mode: ausf
+  severity: 1

5gsec/open5gs/1.0.0/open5gs-BSF-ZeroTrust.yaml

@@ -0,0 +1,41 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: open5gs-bsf-zero-trust
+  namespace: open5gs
+spec:
+  action: Allow
+  file:
+    matchDirectories:
+    - dir: /
+      recursive: true
+    - dir: /open5gs/
+      recursive: true
+      action: Block
+      severity: 10
+      message: unauthorized access to open5GS data
+    - dir: /open5gs/
+      recursive: true
+      fromSource:
+      - path: /usr/bin/open5gs-bsfd
+  network:
+    matchProtocols:
+    - fromSource:
+      - path: /usr/bin/open5gs-bsfd
+      protocol: icmp
+    - fromSource:
+      - path: /usr/bin/open5gs-bsfd
+      protocol: raw
+    - fromSource:
+      - path: /usr/bin/open5gs-bsfd
+      protocol: tcp
+    - fromSource:
+      - path: /usr/bin/open5gs-bsfd
+      protocol: udp
+  process:
+    matchPaths:
+    - path: /usr/bin/open5gs-bsfd
+  selector:
+    matchLabels:
+      epc-mode: bsf
+  severity: 1

5gsec/open5gs/1.0.0/open5gs-NRF-ZeroTrust.yaml

@@ -0,0 +1,41 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: open5gs-nrf-zero-trust
+  namespace: open5gs
+spec:
+  action: Allow
+  file:
+    matchDirectories:
+    - dir: /
+      recursive: true
+    - dir: /open5gs/
+      recursive: true
+      action: Block
+      severity: 10
+      message: unauthorized access to open5GS data
+    - dir: /open5gs/
+      recursive: true
+      fromSource:
+      - path: /usr/bin/open5gs-nrfd
+  network:
+    matchProtocols:
+    - fromSource:
+      - path: /usr/bin/open5gs-nrfd
+      protocol: icmp
+    - fromSource:
+      - path: /usr/bin/open5gs-nrfd
+      protocol: raw
+    - fromSource:
+      - path: /usr/bin/open5gs-nrfd
+      protocol: tcp
+    - fromSource:
+      - path: /usr/bin/open5gs-nrfd
+      protocol: udp
+  process:
+    matchPaths:
+    - path: /usr/bin/open5gs-nrfd
+  selector:
+    matchLabels:
+      epc-mode: nrf
+  severity: 1

5gsec/open5gs/1.0.0/open5gs-NSSF-ZeroTrust.yaml

@@ -0,0 +1,38 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: open5gs-nssf-zero-trust
+  namespace: open5gs
+spec:
+  action: Allow
+  file:
+    matchDirectories:
+    - dir: /
+      recursive: true
+    - dir: /open5gs/
+      recursive: true
+      action: Block
+      severity: 10
+      message: unauthorized access to open5GS data
+    - dir: /open5gs/
+      recursive: true
+      fromSource:
+      - path: /usr/bin/open5gs-nssfd
+  network:
+    matchProtocols:
+    - fromSource:
+      - path: /usr/bin/open5gs-nssfd
+      protocol: raw
+    - fromSource:
+      - path: /usr/bin/open5gs-nssfd
+      protocol: udp
+    - fromSource:
+      - path: /usr/bin/open5gs-nssfd
+      protocol: tcp
+  process:
+    matchPaths:
+    - path: /usr/bin/open5gs-nssfd
+  selector:
+    matchLabels:
+      epc-mode: nssf
+  severity: 1

5gsec/open5gs/1.0.0/open5gs-PCF-ZeroTrust.yaml

@@ -0,0 +1,41 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: open5gs-pcf-zero-trust
+  namespace: open5gs
+spec:
+  action: Allow
+  file:
+    matchDirectories:
+    - dir: /
+      recursive: true
+    - dir: /open5gs/
+      recursive: true
+      action: Block
+      severity: 10
+      message: unauthorized access to open5GS data
+    - dir: /open5gs/
+      recursive: true
+      fromSource:
+      - path: /usr/bin/open5gs-pcfd
+  network:
+    matchProtocols:
+    - fromSource:
+      - path: /usr/bin/open5gs-pcfd
+      protocol: icmp
+    - fromSource:
+      - path: /usr/bin/open5gs-pcfd
+      protocol: raw
+    - fromSource:
+      - path: /usr/bin/open5gs-pcfd
+      protocol: tcp
+    - fromSource:
+      - path: /usr/bin/open5gs-pcfd
+      protocol: udp
+  process:
+    matchPaths:
+    - path: /usr/bin/open5gs-pcfd
+  selector:
+    matchLabels:
+      epc-mode: pcf
+  severity: 1

5gsec/open5gs/1.0.0/open5gs-SMF-ZeroTrust.yaml

@@ -0,0 +1,39 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: open5gs-smf-zero-trust
+  namespace: open5gs
+spec:
+  action: Allow
+  file:
+    matchDirectories:
+    - dir: /
+      recursive: true
+    - dir: /open5gs/
+      recursive: true
+      action: Block
+      severity: 10
+      message: unauthorized access to open5GS data
+    - dir: /open5gs/
+      recursive: true
+      fromSource:
+      - path: /usr/bin/open5gs-smfd
+  network:
+    matchProtocols:
+    - fromSource:
+      - path: /usr/bin/open5gs-smfd
+      protocol: raw
+    - fromSource:
+      - path: /usr/bin/open5gs-smfd
+      protocol: tcp
+    - fromSource:
+      - path: /usr/bin/open5gs-smfd
+      protocol: udp
+  process:
+    matchPaths:
+    - path: /usr/bin/open5gs-smfd
+  selector:
+    matchLabels:
+      epc-mode: smf
+      epc-prom: enabled
+  severity: 1

5gsec/open5gs/1.0.0/open5gs-UDM-ZeroTrust.yaml

@@ -0,0 +1,38 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: open5gs-udm-zero-trust
+  namespace: open5gs
+spec:
+  action: Allow
+  file:
+    matchDirectories:
+    - dir: /
+      recursive: true
+    - dir: /open5gs/
+      recursive: true
+      action: Block
+      severity: 10
+      message: unauthorized access to open5GS data
+    - dir: /open5gs/
+      recursive: true
+      fromSource:
+      - path: /usr/bin/open5gs-udmd
+  network:
+    matchProtocols:
+    - fromSource:
+      - path: /usr/bin/open5gs-udmd
+      protocol: raw
+    - fromSource:
+      - path: /usr/bin/open5gs-udmd
+      protocol: udp
+    - fromSource:
+      - path: /usr/bin/open5gs-udmd
+      protocol: tcp
+  process:
+    matchPaths:
+    - path: /usr/bin/open5gs-udmd
+  selector:
+    matchLabels:
+      epc-mode: udm
+  severity: 1