Closed danielsagi closed 2 years ago
Description
kube-hunter was one of the first projects that offered a pentesting solution for kubernetes. This raised a lot of new problems, as this field of "hacking" kubernetes was at its really early stages, so we had room for innovative new ideas. We decided then to categorize kube-hunter's innovative techniques with a simple category system:
Time passed and new tools and blogs were published around the kubernetes security world. A new MITRE ATT&CK matrix was published for kubernetes environments, which did a pretty good job of covering the techniques (mostly already implemented in kube-hunter) used while hacking a kubernetes environment.
We know a good category system when we see it, so we decided to move to that system.
Code changes
- `core.types`
  - sub package `core.types.categories`, which defines the new categories implemented for this change
    - `MITRECategory` -> base class for all MITRE categories
    - `CVECategory` -> all CVE vulnerabilities are not part of the new category system, so they will inherit from this base class
  - For every part of the threat matrix, we have a python class.
Example
`CAP_NET_RAW` is enabled inside a pod. The vulnerability object now looks like this:

Let's take a look at `ARPPoisoningTechnique`: it inherits from `LateralMovementCategory`, which inherits from `MITRECategory`.
Because of the class method implemented inside `MITRECategory` we can now do something like this:
BEFORE

AFTER
Contribution checklist
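The class hierarchy the PR describes (`MITRECategory` -> `LateralMovementCategory` -> `ARPPoisoningTechnique`, with `CVECategory` kept outside the matrix), as an added illustration that is not kube-hunter's own code: the `path()` classmethod, the `tactic`/`technique` attributes, the `Vulnerability` dataclass and `group_by_tactic()` are all assumptions standing in for whatever the PR's missing snippets contain, and the sample findings are constructed.

```python
# Added illustration, not kube-hunter's code; every name here is hypothetical.
from dataclasses import dataclass

class MITRECategory:
    """Base for categories that map onto the Kubernetes threat matrix."""
    tactic = "unknown"   # matrix column, set on the tactic subclasses
    technique = None     # matrix cell, set on the technique subclasses

    @classmethod
    def path(cls):
        """Assumed classmethod: 'tactic -> technique' read off the class hierarchy."""
        if cls.technique is None:
            return cls.tactic
        return f"{cls.tactic} -> {cls.technique}"

class CVECategory:
    """CVE findings stay outside the matrix; they carry the CVE id instead."""
    cve = None

class LateralMovementCategory(MITRECategory):
    tactic = "Lateral Movement"

class ARPPoisoningTechnique(LateralMovementCategory):
    technique = "ARP poisoning and IP spoofing"

class PlaceholderCVE(CVECategory):
    cve = "CVE-YYYY-NNNN"   # constructed placeholder, not a real identifier

@dataclass
class Vulnerability:
    name: str
    category: type   # one of the category classes above

    def label(self):
        """Human-readable category for a report line."""
        if issubclass(self.category, MITRECategory):
            return self.category.path()
        return f"CVE: {self.category.cve}"

def group_by_tactic(findings):
    """Bucket findings by matrix tactic for a report; CVEs go under 'CVE'."""
    buckets = {}
    for v in findings:
        key = v.category.tactic if issubclass(v.category, MITRECategory) else "CVE"
        buckets.setdefault(key, []).append(v.name)
    return buckets

# Constructed sample: the pod finding the PR uses as its example plus one CVE finding.
SAMPLE = [Vulnerability("CAP_NET_RAW enabled in pod", ARPPoisoningTechnique),
          Vulnerability("placeholder CVE finding", PlaceholderCVE)]
```

Grouping by tactic is what a reporting or triage step gains from the move: a finding's matrix column is read from its class chain rather than stored per vulnerability.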