kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0

Host policy Matchpatterns logs #552

Open bestgaurav opened 2 years ago

bestgaurav commented 2 years ago

Bug Report

General Information

To Reproduce

  1. Make a KubeArmor host policy with matchpatterns
  2. Apply that policy
  3. Execute on that node to test the policy
  4. In another terminal, check the KubeArmor logs
  5. All commands will be blocked as expected, since we applied the policy before, but in the other terminal the logs will not come

Expected behavior

After applying the policy, logs should come for the command that is blocked.


h3llix commented 2 years ago

I don't think it's a bug. Can you elaborate more on this issue? It is working fine in my case.

Have you tried forwarding the port from kubectl? kubectl port-forward -n kube-system svc/kubearmor 32767:32767 cc @nyrahul @nam-jaehyun

nyrahul commented 2 years ago

This seems to be a bug.

If I apply the following policy:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-4153385364
  namespace: explorer
spec:
  severity: 1
  selector:
    matchLabels:
      container: knoxautopolicy
  process:
    matchPaths:
    - path: /**/chmod
  action: Block

The policy is enforced and the execution of chmod is blocked. However, the alerts are not sent.

If I simply change - path: /**/chmod to - path: /usr/bin/chmod, the alerts work as expected. Hence, confirming this as an issue.

anu491 commented 2 years ago

I would like to work on this issue. Being somewhat new to the library, could someone guide me through the file structure, or rather the file which I should be looking into for a possible fix? @nyrahul

slayer321 commented 2 years ago

Hey @nyrahul, I applied your policy above. It is getting blocked and I'm also getting the alerts. Is this issue fixed? Or is the issue with KubeArmorHostPolicy and not KubeArmorPolicy?

nyrahul commented 2 years ago

Hey @nyrahul, I applied your policy above. It is getting blocked and I'm also getting the alerts. Is this issue fixed? Or is the issue with KubeArmorHostPolicy and not KubeArmorPolicy?

I haven't tried. However, there were some fixes made in this context. Not sure if it fixed it. Can you try karmor install --image kubearmor/kubearmor:v0.3 and check whether the same scenario works with this image? It should not.

slayer321 commented 2 years ago

Yes, I tried installing the v0.3 version and can confirm that it is not working. By kubearmor/kubearmor:stable we mean the latest release version of KubeArmor, right?

nyrahul commented 1 year ago

It would be difficult to support policy matching with rules having regex or globbing patterns. This is especially difficult to handle with the BPF-LSM based enforcer, since matching on globbing patterns using the constrained eBPF instruction set is not possible. We will have to redefine the problem statement.

I would suggest making the change in the spec to something like this:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-4153385364
  namespace: explorer
spec:
  severity: 1
  selector:
    matchLabels:
      container: knoxautopolicy
  process:
    matchPaths:
    - endswith: /chmod     # Block all bins ending with /chmod
    - startswith: /bin/    # Block all bins in the /bin dir
    - contains: chmod      # Block all bins containing chmod in their full path
  action: Block
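As an added example (not KubeArmor's own code), the Go below models the proposed endswith/startswith/contains rules as the plain string comparisons the comment above says a constrained eBPF enforcer can perform, and shows that the issue's /**/chmod glob is equivalent to an endswith rule on /chmod. The Rule field names, Evaluate and GlobToRule are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule mirrors one entry of spec.process.matchPaths; exactly one field is set.
type Rule struct{ Path, EndsWith, StartsWith, Contains string }

// Matches reports whether execPath is covered by the rule. Each case is a plain
// string comparison, the kind of check an eBPF program can do without a glob engine.
func (r Rule) Matches(execPath string) bool {
	switch {
	case r.Path != "":
		return execPath == r.Path
	case r.EndsWith != "":
		return strings.HasSuffix(execPath, r.EndsWith)
	case r.StartsWith != "":
		return strings.HasPrefix(execPath, r.StartsWith)
	case r.Contains != "":
		return strings.Contains(execPath, r.Contains)
	}
	return false
}

// Evaluate returns the index of the first matching rule, or -1 (no Block, no alert).
func Evaluate(rules []Rule, execPath string) int {
	for i, r := range rules {
		if r.Matches(execPath) {
			return i
		}
	}
	return -1
}

// GlobToRule rewrites the issue's "/**/name" pattern into the equivalent
// endswith rule ("/**/chmod" -> "/chmod"); other wildcard shapes are rejected.
func GlobToRule(pattern string) (Rule, bool) {
	if strings.HasPrefix(pattern, "/**/") && !strings.ContainsAny(pattern[4:], "*?") {
		return Rule{EndsWith: pattern[3:]}, true
	}
	return Rule{}, false
}

func main() {
	rules := []Rule{{EndsWith: "/chmod"}, {StartsWith: "/bin/"}, {Contains: "chmod"}}
	for _, p := range []string{"/usr/bin/chmod", "/bin/ls", "/tmp/notchmod", "/usr/bin/ls"} {
		fmt.Printf("%-16s rule=%d\n", p, Evaluate(rules, p)) // 0, 1, 2, -1
	}
}
```

Note that endswith "/chmod" keeps the leading slash, so /tmp/notchmod is only caught by the broader contains rule.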