From 67d840965abbbf903d89743f220f848bebdb728f Mon Sep 17 00:00:00 2001
From: Rahul Jadhav
Date: Sun, 14 Jul 2024 23:31:58 +0530
Subject: [PATCH] zero trust policies for open5gs
Signed-off-by: Rahul Jadhav
---
5gsec/artifacthub-repo.yml | 19 +++++
5gsec/open5gs/1.0.0/README.md | 1 +
.../open5gs/1.0.0/open5gs-AMF-ZeroTrust.yaml | 73 +++++++++++++++++++
.../open5gs/1.0.0/open5gs-AUSF-ZeroTrust.yaml | 44 +++++++++++
.../open5gs/1.0.0/open5gs-BSF-ZeroTrust.yaml | 41 +++++++++++
.../open5gs/1.0.0/open5gs-NRF-ZeroTrust.yaml | 41 +++++++++++
.../open5gs/1.0.0/open5gs-NSSF-ZeroTrust.yaml | 38 ++++++++++
.../open5gs/1.0.0/open5gs-PCF-ZeroTrust.yaml | 41 +++++++++++
.../open5gs/1.0.0/open5gs-SMF-ZeroTrust.yaml | 39 ++++++++++
.../open5gs/1.0.0/open5gs-UDM-ZeroTrust.yaml | 38 ++++++++++
.../open5gs/1.0.0/open5gs-UDR-ZeroTrust.yaml | 38 ++++++++++
.../open5gs/1.0.0/open5gs-UPF-ZeroTrust.yaml | 42 +++++++++++
5gsec/open5gs/1.0.0/open5gs-webui.yaml | 36 +++++++++
13 files changed, 491 insertions(+)
create mode 100644 5gsec/artifacthub-repo.yml
create mode 100644 5gsec/open5gs/1.0.0/README.md
create mode 100755 5gsec/open5gs/1.0.0/open5gs-AMF-ZeroTrust.yaml
create mode 100755 5gsec/open5gs/1.0.0/open5gs-AUSF-ZeroTrust.yaml
create mode 100755 5gsec/open5gs/1.0.0/open5gs-BSF-ZeroTrust.yaml
create mode 100755 5gsec/open5gs/1.0.0/open5gs-NRF-ZeroTrust.yaml
create mode 100755 5gsec/open5gs/1.0.0/open5gs-NSSF-ZeroTrust.yaml
create mode 100755 5gsec/open5gs/1.0.0/open5gs-PCF-ZeroTrust.yaml
create mode 100755 5gsec/open5gs/1.0.0/open5gs-SMF-ZeroTrust.yaml
create mode 100755 5gsec/open5gs/1.0.0/open5gs-UDM-ZeroTrust.yaml
create mode 100755 5gsec/open5gs/1.0.0/open5gs-UDR-ZeroTrust.yaml
create mode 100755 5gsec/open5gs/1.0.0/open5gs-UPF-ZeroTrust.yaml
create mode 100755 5gsec/open5gs/1.0.0/open5gs-webui.yaml
diff --git a/5gsec/artifacthub-repo.yml b/5gsec/artifacthub-repo.yml
new file mode 100644
index 00000000..34b06e78
--- /dev/null
+++ b/5gsec/artifacthub-repo.yml
@@ -0,0 +1,19 @@
+# Artifact Hub repository metadata file
+#
+# Some settings like the verified publisher flag or the ignored packages won't
+# be applied until the next time the repository is processed. Please keep in
+# mind that the repository won't be processed if it has not changed since the
+# last time it was processed. Depending on the repository kind, this is checked
+# in a different way. For Helm http based repositories, we consider it has
+# changed if the `index.yaml` file changes. For git based repositories, it does
+# when the hash of the last commit in the branch you set up changes. This does
+# NOT apply to ownership claim operations, which are processed immediately.
+#
+repositoryID: 527b667e-7ad5-408d-8bab-9972f18272b5
+owners: # (optional, used to claim repository ownership)
+ - name: Rahul Jadhav
+ email: nyrahul@gmail.com
+#ignore: # (optional, packages that should not be indexed by Artifact Hub)
+# - name: package1
+# - name: package2 # Exact match
+# version: beta # Regular expression (when omitted, all versions are ignored)
diff --git a/5gsec/open5gs/1.0.0/README.md b/5gsec/open5gs/1.0.0/README.md
new file mode 100644
index 00000000..58736542
--- /dev/null
+++ b/5gsec/open5gs/1.0.0/README.md
@@ -0,0 +1 @@
+# Open5GS Zero Trust policies
diff --git a/5gsec/open5gs/1.0.0/open5gs-AMF-ZeroTrust.yaml b/5gsec/open5gs/1.0.0/open5gs-AMF-ZeroTrust.yaml
new file mode 100755
index 00000000..4f864a5f
--- /dev/null
+++ b/5gsec/open5gs/1.0.0/open5gs-AMF-ZeroTrust.yaml
@@ -0,0 +1,73 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: open5gs-amf-zero-trust
+ namespace: open5gs
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /open5gs/
+ recursive: true
+ action: Block
+ severity: 10
+ message: unauthorized access to open5GS data
+ - dir: /open5gs/
+ recursive: true
+ fromSource:
+ - path: /usr/bin/open5gs-amfd
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /usr/bin/open5gs-amfd
+ - path: /usr/bin/perl
+ - path: /usr/lib/apt/methods/http
+ - path: /usr/lib/apt/methods/https
+ - path: /usr/lib/apt/methods/store
+ - path: /usr/sbin/usermod
+ protocol: raw
+ - fromSource:
+ - path: /usr/bin/open5gs-amfd
+ - path: /usr/bin/perl
+ - path: /usr/lib/apt/methods/http
+ - path: /usr/lib/apt/methods/https
+ - path: /usr/lib/apt/methods/store
+ - path: /usr/sbin/usermod
+ protocol: tcp
+ - fromSource:
+ - path: /usr/bin/open5gs-amfd
+ - path: /usr/bin/perl
+ - path: /usr/lib/apt/methods/https
+ - path: /usr/lib/apt/methods/store
+ - path: /usr/sbin/usermod
+ protocol: icmp
+ - fromSource:
+ - path: /usr/bin/open5gs-amfd
+ - path: /usr/bin/perl
+ - path: /usr/lib/apt/methods/https
+ - path: /usr/lib/apt/methods/store
+ - path: /usr/sbin/usermod
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /bin/sh
+ - path: /usr/bin/containerd-shim-runc-v2
+ - path: /usr/bin/dash
+ - path: /usr/bin/dirname
+ - path: /usr/bin/dpkg
+ - path: /usr/bin/gpgv
+ - path: /usr/bin/mktemp
+ - path: /usr/bin/open5gs-amfd
+ - path: /usr/bin/perl
+ - path: /usr/bin/sh
+ - path: /usr/lib/apt/methods/http
+ - path: /usr/lib/apt/methods/https
+ - path: /usr/lib/apt/methods/store
+ - path: /usr/sbin/usermod
+ selector:
+ matchLabels:
+ epc-mode: amf-1
+ epc-prom: enabled
+ severity: 1
diff --git a/5gsec/open5gs/1.0.0/open5gs-AUSF-ZeroTrust.yaml b/5gsec/open5gs/1.0.0/open5gs-AUSF-ZeroTrust.yaml
new file mode 100755
index 00000000..04f4228b
--- /dev/null
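Review bot: The network and process allow-lists grant `/usr/bin/perl`, `/usr/sbin/usermod` and the apt transports under `/usr/lib/apt/methods/` raw/tcp/icmp/udp socket access alongside `open5gs-amfd`, and `process.matchPaths` additionally admits `/usr/bin/dpkg`, `/usr/bin/gpgv` and two shells; these look like image-build activity captured by discovery rather than what a running AMF needs, so a runtime policy should be trimmed to the daemon plus whatever the pod's entrypoint is observed to execute. The `file` section also allows `dir: /` with `recursive: true`, which as far as I read KubeArmor's allow-list semantics permits every file path outside `/open5gs/`, so the only file restriction the policy adds is the `/open5gs/` Block; the same construct appears in the AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, UDR and UPF hunks, and in the webui hunk without any Block beside it. If keeping the whole image readable is intended, a comment above `matchDirectories` such as `# whole image allowed; only /open5gs/ is restricted to the NF daemon` would record that, otherwise the `/` entry should be replaced with the directories the daemon actually uses. Where the daemon only reads its configuration, adding `readOnly: true` to the `/open5gs/` `fromSource` entry would also prevent it from modifying that data, though I cannot tell from the hunk whether it writes there.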
+++ b/5gsec/open5gs/1.0.0/open5gs-AUSF-ZeroTrust.yaml
@@ -0,0 +1,44 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: open5gs-ausf-zero-trust
+ namespace: open5gs
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /open5gs/
+ recursive: true
+ action: Block
+ severity: 10
+ message: unauthorized access to open5GS data
+ - dir: /open5gs/
+ recursive: true
+ fromSource:
+ - path: /usr/bin/open5gs-ausfd
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /usr/bin/open5gs-ausfd
+ protocol: icmp
+ - fromSource:
+ - path: /usr/bin/open5gs-ausfd
+ protocol: raw
+ - fromSource:
+ - path: /usr/bin/open5gs-ausfd
+ protocol: tcp
+ - fromSource:
+ - path: /usr/bin/open5gs-ausfd
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /usr/bin/containerd-shim-runc-v2
+ - path: /usr/bin/open5gs-ausfd
+ - path: /usr/local/bin/wait_for.sh
+ - path: /usr/local/sbin/sh
+ selector:
+ matchLabels:
+ epc-mode: ausf
+ severity: 1
diff --git a/5gsec/open5gs/1.0.0/open5gs-BSF-ZeroTrust.yaml b/5gsec/open5gs/1.0.0/open5gs-BSF-ZeroTrust.yaml
new file mode 100755
index 00000000..5199cdab
--- /dev/null
+++ b/5gsec/open5gs/1.0.0/open5gs-BSF-ZeroTrust.yaml
@@ -0,0 +1,41 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: open5gs-bsf-zero-trust
+ namespace: open5gs
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /open5gs/
+ recursive: true
+ action: Block
+ severity: 10
+ message: unauthorized access to open5GS data
+ - dir: /open5gs/
+ recursive: true
+ fromSource:
+ - path: /usr/bin/open5gs-bsfd
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /usr/bin/open5gs-bsfd
+ protocol: icmp
+ - fromSource:
+ - path: /usr/bin/open5gs-bsfd
+ protocol: raw
+ - fromSource:
+ - path: /usr/bin/open5gs-bsfd
+ protocol: tcp
+ - fromSource:
+ - path: /usr/bin/open5gs-bsfd
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /usr/bin/open5gs-bsfd
+ selector:
+ matchLabels:
+ epc-mode: bsf
+ severity: 1
diff --git a/5gsec/open5gs/1.0.0/open5gs-NRF-ZeroTrust.yaml b/5gsec/open5gs/1.0.0/open5gs-NRF-ZeroTrust.yaml
new file mode 100755
index 00000000..8ec12e6c
--- /dev/null
+++ b/5gsec/open5gs/1.0.0/open5gs-NRF-ZeroTrust.yaml
@@ -0,0 +1,41 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: open5gs-nrf-zero-trust
+ namespace: open5gs
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /open5gs/
+ recursive: true
+ action: Block
+ severity: 10
+ message: unauthorized access to open5GS data
+ - dir: /open5gs/
+ recursive: true
+ fromSource:
+ - path: /usr/bin/open5gs-nrfd
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /usr/bin/open5gs-nrfd
+ protocol: icmp
+ - fromSource:
+ - path: /usr/bin/open5gs-nrfd
+ protocol: raw
+ - fromSource:
+ - path: /usr/bin/open5gs-nrfd
+ protocol: tcp
+ - fromSource:
+ - path: /usr/bin/open5gs-nrfd
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /usr/bin/open5gs-nrfd
+ selector:
+ matchLabels:
+ epc-mode: nrf
+ severity: 1
diff --git a/5gsec/open5gs/1.0.0/open5gs-NSSF-ZeroTrust.yaml b/5gsec/open5gs/1.0.0/open5gs-NSSF-ZeroTrust.yaml
new file mode 100755
index 00000000..4661bf62
--- /dev/null
+++ b/5gsec/open5gs/1.0.0/open5gs-NSSF-ZeroTrust.yaml
@@ -0,0 +1,38 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: open5gs-nssf-zero-trust
+ namespace: open5gs
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /open5gs/
+ recursive: true
+ action: Block
+ severity: 10
+ message: unauthorized access to open5GS data
+ - dir: /open5gs/
+ recursive: true
+ fromSource:
+ - path: /usr/bin/open5gs-nssfd
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /usr/bin/open5gs-nssfd
+ protocol: raw
+ - fromSource:
+ - path: /usr/bin/open5gs-nssfd
+ protocol: udp
+ - fromSource:
+ - path: /usr/bin/open5gs-nssfd
+ protocol: tcp
+ process:
+ matchPaths:
+ - path: /usr/bin/open5gs-nssfd
+ selector:
+ matchLabels:
+ epc-mode: nssf
+ severity: 1
diff --git a/5gsec/open5gs/1.0.0/open5gs-PCF-ZeroTrust.yaml b/5gsec/open5gs/1.0.0/open5gs-PCF-ZeroTrust.yaml
new file mode 100755
index 00000000..012475af
--- /dev/null
+++ b/5gsec/open5gs/1.0.0/open5gs-PCF-ZeroTrust.yaml
@@ -0,0 +1,41 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: open5gs-pcf-zero-trust
+ namespace: open5gs
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /open5gs/
+ recursive: true
+ action: Block
+ severity: 10
+ message: unauthorized access to open5GS data
+ - dir: /open5gs/
+ recursive: true
+ fromSource:
+ - path: /usr/bin/open5gs-pcfd
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /usr/bin/open5gs-pcfd
+ protocol: icmp
+ - fromSource:
+ - path: /usr/bin/open5gs-pcfd
+ protocol: raw
+ - fromSource:
+ - path: /usr/bin/open5gs-pcfd
+ protocol: tcp
+ - fromSource:
+ - path: /usr/bin/open5gs-pcfd
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /usr/bin/open5gs-pcfd
+ selector:
+ matchLabels:
+ epc-mode: pcf
+ severity: 1
diff --git a/5gsec/open5gs/1.0.0/open5gs-SMF-ZeroTrust.yaml b/5gsec/open5gs/1.0.0/open5gs-SMF-ZeroTrust.yaml
new file mode 100755
index 00000000..c9f4521b
--- /dev/null
+++ b/5gsec/open5gs/1.0.0/open5gs-SMF-ZeroTrust.yaml
@@ -0,0 +1,39 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: open5gs-smf-zero-trust
+ namespace: open5gs
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /open5gs/
+ recursive: true
+ action: Block
+ severity: 10
+ message: unauthorized access to open5GS data
+ - dir: /open5gs/
+ recursive: true
+ fromSource:
+ - path: /usr/bin/open5gs-smfd
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /usr/bin/open5gs-smfd
+ protocol: raw
+ - fromSource:
+ - path: /usr/bin/open5gs-smfd
+ protocol: tcp
+ - fromSource:
+ - path: /usr/bin/open5gs-smfd
+ protocol: udp
+ process:
+ matchPaths:
+ - path: /usr/bin/open5gs-smfd
+ selector:
+ matchLabels:
+ epc-mode: smf
+ epc-prom: enabled
+ severity: 1
diff --git a/5gsec/open5gs/1.0.0/open5gs-UDM-ZeroTrust.yaml b/5gsec/open5gs/1.0.0/open5gs-UDM-ZeroTrust.yaml
new file mode 100755
index 00000000..11442364
--- /dev/null
+++ b/5gsec/open5gs/1.0.0/open5gs-UDM-ZeroTrust.yaml
@@ -0,0 +1,38 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: open5gs-udm-zero-trust
+ namespace: open5gs
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /open5gs/
+ recursive: true
+ action: Block
+ severity: 10
+ message: unauthorized access to open5GS data
+ - dir: /open5gs/
+ recursive: true
+ fromSource:
+ - path: /usr/bin/open5gs-udmd
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /usr/bin/open5gs-udmd
+ protocol: raw
+ - fromSource:
+ - path: /usr/bin/open5gs-udmd
+ protocol: udp
+ - fromSource:
+ - path: /usr/bin/open5gs-udmd
+ protocol: tcp
+ process:
+ matchPaths:
+ - path: /usr/bin/open5gs-udmd
+ selector:
+ matchLabels:
+ epc-mode: udm
+ severity: 1
diff --git a/5gsec/open5gs/1.0.0/open5gs-UDR-ZeroTrust.yaml b/5gsec/open5gs/1.0.0/open5gs-UDR-ZeroTrust.yaml
new file mode 100755
index 00000000..89e79ebc
--- /dev/null
+++ b/5gsec/open5gs/1.0.0/open5gs-UDR-ZeroTrust.yaml
@@ -0,0 +1,38 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: open5gs-udr-zero-trust
+ namespace: open5gs
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /open5gs/
+ recursive: true
+ action: Block
+ severity: 10
+ message: unauthorized access to open5GS data
+ - dir: /open5gs/
+ recursive: true
+ fromSource:
+ - path: /usr/bin/open5gs-udrd
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /usr/bin/open5gs-udrd
+ protocol: raw
+ - fromSource:
+ - path: /usr/bin/open5gs-udrd
+ protocol: udp
+ - fromSource:
+ - path: /usr/bin/open5gs-udrd
+ protocol: tcp
+ process:
+ matchPaths:
+ - path: /usr/bin/open5gs-udrd
+ selector:
+ matchLabels:
+ epc-mode: udr
+ severity: 1
diff --git a/5gsec/open5gs/1.0.0/open5gs-UPF-ZeroTrust.yaml b/5gsec/open5gs/1.0.0/open5gs-UPF-ZeroTrust.yaml
new file mode 100755
index 00000000..3c494942
--- /dev/null
+++ b/5gsec/open5gs/1.0.0/open5gs-UPF-ZeroTrust.yaml
@@ -0,0 +1,42 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: open5gs-upf-zero-trust
+ namespace: open5gs
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ - dir: /open5gs/
+ recursive: true
+ action: Block
+ severity: 10
+ message: unauthorized access to open5GS data
+ - dir: /open5gs/
+ recursive: true
+ fromSource:
+ - path: /usr/bin/open5gs-upfd
+ process:
+ matchDirectories:
+ - dir: /usr/bin/
+ recursive: true
+ - dir: /usr/sbin/
+ recursive: true
+ - dir: /bin/
+ recursive: true
+ - dir: /sbin/
+ recursive: true
+ matchPaths:
+ - path: /usr/lib/apt/methods/gpgv
+ - path: /usr/lib/apt/methods/http
+ - path: /usr/lib/apt/methods/https
+ - path: /usr/lib/apt/methods/store
+ - path: /var/lib/dpkg/info/libc-bin.postinst
+ - path: /var/lib/dpkg/tmp.ci/preinst
+ selector:
+ matchLabels:
+ epc-mode: upf
+ epc-prom: enabled
+ severity: 1
\ No newline at end of file
diff --git a/5gsec/open5gs/1.0.0/open5gs-webui.yaml b/5gsec/open5gs/1.0.0/open5gs-webui.yaml
new file mode 100755
index 00000000..8dcd98b6
--- /dev/null
+++ b/5gsec/open5gs/1.0.0/open5gs-webui.yaml
@@ -0,0 +1,36 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: open5gs-weubui-zero-trust
+ namespace: open5gs
+spec:
+ action: Allow
+ file:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ network:
+ matchProtocols:
+ - fromSource:
+ - path: /bin/bash
+ - path: /usr/local/bin/node
+ protocol: icmp
+ - fromSource:
+ - path: /bin/bash
+ - path: /usr/local/bin/node
+ protocol: udp
+ - fromSource:
+ - path: /usr/local/bin/node
+ protocol: raw
+ - fromSource:
+ - path: /bin/bash
+ - path: /usr/local/bin/node
+ protocol: tcp
+ process:
+ matchPaths:
+ - path: /bin/bash
+ - path: /usr/local/bin/node
+ selector:
+ matchLabels:
+ epc-mode: webui
+ severity: 1
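Review bot: `process.matchDirectories` allows `/usr/bin/`, `/usr/sbin/`, `/bin/` and `/sbin/` with `recursive: true`, so every binary shipped in the image may execute and the process allow-list constrains the UPF pod far less than the per-binary `matchPaths` used in the other policies; the apt transports under `/usr/lib/apt/methods/` and the dpkg maintainer scripts `/var/lib/dpkg/info/libc-bin.postinst` and `/var/lib/dpkg/tmp.ci/preinst` are package-installation activity that should not be needed once the image is built. This is also the only daemon policy in the series without a `network` section, so the UPF's sockets are left unrestricted; if that is deliberate because the data-plane traffic was not captured, a comment such as `# network: intentionally unrestricted until GTP-U/PFCP usage is profiled` above `selector` would record it, otherwise the daemon should get a `fromSource`-scoped `matchProtocols` block like the SMF policy. The file is also committed without a trailing newline (`\ No newline at end of file`).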
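Review bot: `metadata.name` is `open5gs-weubui-zero-trust`, which looks like a typo for `open5gs-webui-zero-trust` and breaks the `open5gs-<nf>-zero-trust` naming every other policy follows; the file name `open5gs-webui.yaml` likewise lacks the `-ZeroTrust` suffix the other files carry. The `file` section consists only of `- dir: /` with `recursive: true` and no Block entry, so it allows every file path and adds nothing; either narrow it to the directories `/usr/local/bin/node` is observed to read or drop it. If the webui intentionally gets no `/open5gs/` Block rule like the daemons, a comment above `file:` such as `# no /open5gs/ data in this image; file access left unrestricted` would make that explicit rather than leaving it to the reader to infer.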