accuknox / discovery-engine

Discover least permissive security posture, Network Microsegmentation, and Application behaviour based on visibility/observability data emitted from policy engines.

kubearmor blocking network operation after applying autodiscovered (process and file) policies. #627

Open salman-accuknox opened 1 year ago

salman-accuknox commented 1 year ago

Issue Report

General Information

To Reproduce

  1. Deploy MySQL

Deploying MySQL on Kubernetes

➜  ~ k get po -n mysql-ad --show-labels
NAME                     READY   STATUS    RESTARTS   AGE     LABELS
mysql-6d86c78b54-8nwkz   1/1     Running   0          2d17h   app=mysql,pod-template-hash=6d86c78b54
➜  ~ k exec -it mysql-6d86c78b54-8nwkz -n mysql-ad bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@mysql-6d86c78b54-8nwkz:/# mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 29
Server version: 5.6.51 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
  2. Perform some operations on MySQL

How to Create Tables and Insert Data into SQL Databases

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ad_test            |
| mysql              |
| performance_schema |
| recipes_database   |
+--------------------+
5 rows in set (0.00 sec)

mysql> use recipes_database;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+----------------------------+
| Tables_in_recipes_database |
+----------------------------+
| ingredients                |
| recipe_ingredients         |
| recipes                    |
+----------------------------+
3 rows in set (0.00 sec)

mysql> select * from ingredients;
+---------------+-----------------+------------------+
| ingredient_id | ingredient_name | ingredient_price |
+---------------+-----------------+------------------+
|             1 | Beef            |                5 |
|             2 | Lettuce         |                1 |
|             3 | Tomatoes        |                2 |
|             4 | Taco Shell      |                2 |
|             5 | Cheese          |                3 |
|             6 | Milk            |                1 |
|             7 | Bread           |                2 |
+---------------+-----------------+------------------+
7 rows in set (0.00 sec)

mysql> exit
Bye
root@mysql-6d86c78b54-8nwkz:/#
  3. Discover kubearmor policies
    
    karmor discover -f yaml -n mysql-ad > ad-kubearmorpolicy.yaml
```YAML
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-1928276615
  namespace: mysql-ad
spec:
  action: Allow
  file:
    matchDirectories:
    - dir: /etc/
      recursive: true
    - dir: /lib/x86_64-linux-gnu/
      recursive: true
    matchPaths:
    - path: /dev/tty
    - path: /lib/terminfo/x/xterm
    - path: /pts/ptmx
    - path: /root/.bash_history
    - path: /root/.bashrc
    - fromSource:
      - path: /usr/bin/mysql
      path: /root/.mysql_history.TMP
    - fromSource:
      - path: /usr/bin/mysql
      path: /root/.mysql_history
    - fromSource:
      - path: /usr/bin/mysql
      path: /usr/lib/x86_64-linux-gnu/libstdc++.so.6
    - fromSource:
      - path: /usr/bin/mysql
      path: /usr/share/mysql/charsets/Index.xml
  process:
    matchPaths:
    - path: /bin/bash
    - fromSource:
      - path: /bin/bash
      path: /usr/bin/mysql
  selector:
    matchLabels:
      app: mysql
  severity: 1
---
```
  4. Apply policy

    k apply -f ad-kubearmorpolicy.yaml
    ➜  mysql k get ksp,hsp -A
    NAMESPACE         NAME                                                               AGE
    mysql-ad          kubearmorpolicy.security.kubearmor.com/autopol-system-1928276615   59m
  5. Change DefaultPosture to block.

    kubectl annotate ns mysql-ad kubearmor-file-posture=block --overwrite=true
  6. Repeat the operations performed in step 2

    ➜  ~ k exec -it mysql-6d86c78b54-8nwkz -n mysql-ad bash
    kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
    root@mysql-6d86c78b54-8nwkz:/# mysql -p
    Enter password:
    ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (13)
    root@mysql-6d86c78b54-8nwkz:/#

Logs

➜  ~ karmor log --namespace mysql-ad
local port to be used for port forwarding kubearmor-relay-5656cc5bf7-nb6b4: 32767
Created a gRPC client (localhost:32767)
Checked the liveness of the gRPC server
Started to watch alerts
== Alert / 2022-12-09 03:10:32.328526 ==
ClusterName: default
HostName: aks-agentpool-31698863-vmss000000
NamespaceName: mysql-ad
PodName: mysql-6d86c78b54-8nwkz
Labels: app=mysql
ContainerName: mysql
ContainerID: 7f6392c0b8b6a2a2734dc4feb85474bd4f27d607e957a8f4bd1ba9d686411a5c
ContainerImage: docker.io/library/mysql:5.6@sha256:20575ecebe6216036d25dab5903808211f1e9ba63dc7825ac20cb975e34cfcae
Type: MatchedPolicy
PolicyName: DefaultPosture
Source: /usr/bin/mysql -p
Resource: sa_family=AF_UNIX sun_path=/var/run/mysqld/mysqld.sock
Operation: Network
Action: Block
Data: syscall=SYS_CONNECT fd=3
Enforcer: AppArmor
Result: Permission denied
HostPID: 835717
HostPPID: 754895
PID: 287
PPID: 276
ParentProcessName: /bin/bash
ProcessName: /usr/bin/mysql
Stopped WatchAlerts

Expected behavior

After applying the auto-discovered policies, it shouldn't break the application

karmor sysdump
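As an added triage check (my own example, not code from discovery-engine or KubeArmor), the script below takes the auto-discovered policy and the DefaultPosture alert from the report above, transcribed into Python, and answers three questions a practitioner would want settled before changing a namespace posture: which operation classes the Allow policy carries rules for, whether the alerted operation and resource match any of those rules, and which namespace annotation (`kubearmor-<class>-posture`) governs that class. It does not decide the root cause of the block; it only makes explicit that the policy has process and file rules and that the blocked operation is a network connect to a UNIX socket. The matching semantics (exact `path`, `dir` prefix with `recursive`, `fromSource` restricting the calling binary) follow the policy fields shown in the report; the helper names are assumptions of this example.

```python
"""Triage helper for the report above: does the DefaultPosture alert fall
outside the Allow rules of the auto-discovered KubeArmorPolicy?
Added example, not discovery-engine or KubeArmor code."""

from typing import Any, Dict, List, Optional, Tuple

MYSQL = [{"path": "/usr/bin/mysql"}]  # fromSource used by several file rules

# Policy autopol-system-1928276615, transcribed from the issue (it has no `network` section).
POLICY: Dict[str, Any] = {
    "metadata": {"name": "autopol-system-1928276615", "namespace": "mysql-ad"},
    "spec": {
        "action": "Allow",
        "file": {
            "matchDirectories": [
                {"dir": "/etc/", "recursive": True},
                {"dir": "/lib/x86_64-linux-gnu/", "recursive": True},
            ],
            "matchPaths": [
                {"path": "/dev/tty"}, {"path": "/lib/terminfo/x/xterm"}, {"path": "/pts/ptmx"},
                {"path": "/root/.bash_history"}, {"path": "/root/.bashrc"},
                {"path": "/root/.mysql_history.TMP", "fromSource": MYSQL},
                {"path": "/root/.mysql_history", "fromSource": MYSQL},
                {"path": "/usr/lib/x86_64-linux-gnu/libstdc++.so.6", "fromSource": MYSQL},
                {"path": "/usr/share/mysql/charsets/Index.xml", "fromSource": MYSQL},
            ],
        },
        "process": {
            "matchPaths": [
                {"path": "/bin/bash"},
                {"path": "/usr/bin/mysql", "fromSource": [{"path": "/bin/bash"}]},
            ],
        },
        "selector": {"matchLabels": {"app": "mysql"}},
    },
}

# The `karmor log` alert from the issue, trimmed to the fields used here.
ALERT_TEXT = """== Alert / 2022-12-09 03:10:32.328526 ==
PolicyName: DefaultPosture
Source: /usr/bin/mysql -p
Resource: sa_family=AF_UNIX sun_path=/var/run/mysqld/mysqld.sock
Operation: Network
Action: Block
ParentProcessName: /bin/bash
ProcessName: /usr/bin/mysql
"""


def parse_alert(text: str) -> Dict[str, str]:
    """Parse the `Key: Value` lines of a text-mode karmor alert into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("=="):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _source_ok(rule: Dict[str, Any], source: str) -> bool:
    """A rule with fromSource only applies when the acting binary is listed."""
    froms = rule.get("fromSource")
    return not froms or any(f.get("path") == source for f in froms)


def _rule_match(rule: Dict[str, Any], resource: str, source: str) -> bool:
    """Exact `path` match, or `dir` prefix match (non-recursive: direct children only)."""
    if not _source_ok(rule, source):
        return False
    if "path" in rule:
        return rule["path"] == resource
    d = rule["dir"]
    return resource.startswith(d) and (rule.get("recursive", False) or "/" not in resource[len(d):])


def covered_operations(policy: Dict[str, Any]) -> List[str]:
    """Operation classes that carry at least one rule in this policy."""
    return [op for op in ("process", "file", "network", "capabilities") if op in policy["spec"]]


def policy_allows(policy: Dict[str, Any], operation: str, resource: str,
                  source: str) -> Tuple[Optional[bool], str]:
    """True/False for process and file rules; None when the class is present but
    not modelled here (network/capabilities rules key on protocols and capability names)."""
    section = policy["spec"].get(operation)
    if section is None:
        return False, f"policy has no {operation} rules"
    if operation not in ("process", "file"):
        return None, f"{operation} rules present but not evaluated here"
    rules = section.get("matchPaths", []) + section.get("matchDirectories", [])
    if any(_rule_match(r, resource, source) for r in rules):
        return True, "matched an Allow rule"
    return False, f"no {operation} rule matches {resource} from {source}"


def triage(policy: Dict[str, Any], alert: Dict[str, str]) -> Dict[str, Any]:
    """Relate a DefaultPosture alert to the policy and to the namespace annotation
    (kubearmor-<class>-posture) that governs its operation class."""
    op = alert["Operation"].lower()
    covered, why = policy_allows(policy, op, alert["Resource"], alert["ProcessName"])
    return {"policy_sections": covered_operations(policy), "operation": op,
            "covered": covered, "reason": why, "posture_annotation": f"kubearmor-{op}-posture"}


if __name__ == "__main__":
    print(triage(POLICY, parse_alert(ALERT_TEXT)))
```

Run against the transcribed inputs, `triage` reports `policy_sections` of process and file only, `operation` network, `covered` False with the reason that the policy has no network rules, and `kubearmor-network-posture` as the governing annotation; the report above only annotated `kubearmor-file-posture`, which is the discrepancy worth stating explicitly when the issue is triaged. The same `policy_allows` helper shows how `fromSource` narrows a rule: `/root/.mysql_history` is allowed from `/usr/bin/mysql` but not from `/bin/bash`.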

salman-accuknox commented 1 year ago

cc: @nyrahul @seswarrajan