diff --git a/docs/content/en/docs/getting-started/enforcement.md b/docs/content/en/docs/getting-started/enforcement.md index 00d9ab1747a..eec35ff50fc 100644 --- a/docs/content/en/docs/getting-started/enforcement.md +++ b/docs/content/en/docs/getting-started/enforcement.md 
@@ -5,41 +5,196 @@ description: "Policy Enforcement" --- This adds a network and file policy enforcement on top of execution, file tracing -and networking policy already deployed in the quick start. In this use case we -use a namespace and pod labels to limit the scope of where the network, file -and some security policies will be applied. This highlights two important concepts -of Tetragon. First in kernel filter provides performance advantages, but also allows for -enforcing policies inline with the action. Second, by including kubernetes -filters, such as namespace and labels we can segment a policy to apply to -targeted pods. For implementation details see Enforcement section and for -modifying and creating additional policies see Tracing Policies. - -# Enforcement - -To apply the policy - -{{< tabpane >}} -{{< tab header="K8s" >}} -kubectl apply -f tbd.base-enforce.yaml -{{< /tab >}} -{{< tab header="Docker" >}} -{{< /tab >}} -{{< tab header="Systemd" >}} +and networking policy already deployed in the quick start. In this use case we use +a namespace filter to limit the scope of the enforcement policy to just the 'darkstar' +cluster we installed the demo application in from the +[Quick Kubernetes Install]({{< ref "docs/getting-started/install-k8s" >}}). + +This highlights two important concepts of Tetragon. First in kernel filtering +provides a key performance improvement by limiting events from kernel to user +space. But, also allows for enforcing policies in the kernel. By issueing a +SIGKILL to the binary at this point the application will be stopped from +continuing to run. If the operation is triggered through a syscall this means +the application will not return from the syscall and will be terminated. + +Second, by including kubernetes filters, such as namespace and labels we can +segment a policy to apply to targeted namespaces and pods. This is critical +for effective policy segmentation. 
+ +For implementation details see the [Enforcement]({{< ref "/docs/concepts/enforcement" >}}) +section. + +## Kubernetes Enforcement + +The following section is layed out with the following: A guide to promote the +network observation policy that observer all network traffic egressing the +cluster to enforce this policy. A guide to promote the file access monitoring +policy to block write and read operations to sensitive files. + +### Kubernetes Block TCP Connect outside Cluster + +First we will deploy the [Network Monitoring]({{< ref "docs/getting-started/network" >}}) +policy with enforcement on. For this case the policy is written to only apply +against the 'empire' namespace. This limits the scope of the policy for the +getting started guide. + +Ensure we have the proper Pod CIDRs + +```shell-session +export PODCIDR=`kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'` +``` + + and Service CIDRs configured. + +{{< tabpane text=true >}} +{{% tab GKE %}} + +```shell-session +export SERVICECIDR=$(gcloud container clusters describe ${NAME} --zone ${ZONE} --project ${PROJECT} | awk '/servicesIpv4CidrBlock/ { print $2; }') +``` +{{% /tab %}} + +{{% tab Kind %}} +```shell-session +export SERVICECIDR=$(kubectl describe pod -n kube-system kube-apiserver-kind-control-plane | awk -F= '/--service-cluster-ip-range/ {print $2; }') +``` +{{< /tab >}} +{{< /tabpane >}} + +Then we can apply the egress cluster enforcement policy + +```shell-session +wget http://github.com/cilium/tetragon/quickstart/network_egress_cluster_enforce.yaml +envsubst < network_egress_cluster_enforce.yaml | kubectl apply -n default -f - +``` + +With the enforcement policy applied we can attach tetra to observe events again, + +```shell-session + kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact --pods xwing +``` + +And once again execute a curl command in the xwing, + +```shell-session +kubectl exec -ti xwing -- bash -c 'curl 
https://ebpf.io/applications/#tetragon' +``` + +The command returns an error code because the egress TCP connects are blocked shown here +```shell-session +$ kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon' +command terminated with exit code 137 +``` + +connect inside the cluster will work as expected, + +```shell-session +kubectl exec -ti xwing -- bash -c 'curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing' +``` + +The Tetra CLI will print the curl and annotate that the process that was issued a Sigkill. The successful internal connect is filtered and will not be shown. + +``` shell +🚀 process default/xwing /bin/bash -c "curl https://ebpf.io/applications/#tetragon" +🚀 process default/xwing /usr/bin/curl https://ebpf.io/applications/#tetragon +🔌 connect default/xwing /usr/bin/curl tcp 10.32.0.28:45200 -> 104.198.14.52:443 +💥 exit default/xwing /usr/bin/curl https://ebpf.io/applications/#tetragon SIGKILL +🚀 process default/xwing /bin/bash -c "curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing" +🚀 process default/xwing /usr/bin/curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing +``` + +The enforces TCP connects see [Enforce Sandbox]({{< ref "#enforce-common-security-policy" >}}) below to further restrict possible +workaround such as writing through /dev devices and raw sockets application may +attempt. + +### Enforce File Access Monitoring + +The following extends the example from [File Access Monitoring]({{< ref "docs/getting-started/file-events" >}}) +with enforcement to ensure sensitive files are not read. The policy used is the +[`file-monitoring-enforce.yaml`](https://github.com/cilium/tetragon/blob/main/quickstart/file-monitoring-enforce.yaml) +it can be reviewed and extended as needed. The only difference between the +observation policy and the enforce policy is the addition of an action block +to sigkill the application and return an error on the op. 
+ +To apply the policy. + +{{< tabpane lang=shell-session >}} + +{{< tab Kubernetes >}} +kubectl delete -f http://github.com/cilium/tetragon/quickstart/file_monitoring.yaml +kubectl apply -f http://github.com/cilium/tetragon/quickstart/file_monitoring_enforce.yaml {{< /tab >}} +{{< tab Docker >}} +wget http://github.com/cilium/tetragon/quickstart/file-monitoring.yaml +docker stop tetragon-container +docker run --name tetragon-container --rm --pull always \ + --pid=host --cgroupns=host --privileged \ + -v ${PWD}/file_monitoring.yaml:/etc/tetragon/tetragon.tp.d/file_monitoring_enforce.yaml \ + -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \ + quay.io/cilium/tetragon-ci:latest +{{< /tab >}} {{< /tabpane >}} With the file applied we can attach tetra to observe events again, +{{< tabpane lang=shell-session >}} +{{< tab Kubernetes >}} + kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact --pods xwing +{{< /tab >}} +{{< tab Docker >}} +docker exec tetragon-container tetra getevents -o compact +{{< /tab >}} +{{< /tabpane >}} + +Then reading a sensitive file, + +{{< tabpane lang=shell-session >}} +{{< tab Kubernetes >}} + kubectl exec -ti xwing -- bash -c 'cat /etc/shadow' +{{< /tab >}} +{{< tab Docker >}} +cat /etc/shadow +{{< /tab >}} +{{< /tabpane >}} + +The command will fail with an error code because this is one of our sensitive files, ``` - kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon +$ kubectl exec -ti xwing -- bash -c 'cat /etc/shadow' +command terminated with exit code 137 ``` -And once again execute a curl command in the xwing, +This will generate a read event (Docker events will omit Kubernetes metadata), +```shell-session +🚀 process default/xwing /bin/bash -c "cat /etc/shadow" +🚀 process default/xwing /bin/cat /etc/shadow +📚 read default/xwing /bin/cat /etc/shadow +📚 read default/xwing /bin/cat /etc/shadow +📚 read default/xwing /bin/cat /etc/shadow +💥 exit default/xwing /bin/cat /etc/shadow 
SIGKILL ``` - kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon + +Writes and reads to files not part of the enforced file policy will not be +impacted. + +```shell-session +🚀 process default/xwing /bin/bash -c "echo foo >> bar; cat bar" +🚀 process default/xwing /bin/cat bar +💥 exit default/xwing /bin/cat bar 0 +💥 exit default/xwing /bin/bash -c "echo foo >> bar; cat bar" 0 ``` -The CLI will print the exec tracing and file access as before, but will additional show the network connection outside the K8s cluster. +# What's next + +The completes the quick start guides. At this point we should be able to observe +execution traces in a Kubernetes cluster and extend the base deployment of +Tetragon with policies to observe and enforce different aspects of a Kubernetes +system. + +The rest of the docs provide further documentation about installation and +using policies. Some useful links: -# +To explore details of writing and implementing policies the [Concepts]({{< ref "/docs/concepts" >}}) is a good jumping off point. +For installation into production environments we recommend reviewing [Advanced Installations]({{< ref "docs/installation" >}}). +For a more in depth discussion on Tetragon overhead and how we measure system load try [Benchmarks]({{< ref "docs/benchmarks" >}}). +Finally [Use Cases]({{< ref "docs/use-cases" >}}) and [Tutorials]({{< ref "docs/tutorials" >}}) cover different uses and deployment concerns related to Tetragon. diff --git a/docs/content/en/docs/getting-started/execution.md b/docs/content/en/docs/getting-started/execution.md index 47fd34f78c4..570ab3cd425 100644 --- a/docs/content/en/docs/getting-started/execution.md +++ b/docs/content/en/docs/getting-started/execution.md 
@@ -23,16 +23,21 @@ kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o co {{< tab Docker >}} docker exec tetragon-container tetra getevents -o compact {{< /tab >}} -{{< tab Systemd >}} -{{< /tab >}} {{< /tabpane >}} This will print a compact form of the exec logs. For an example we do the following with the demo application. -```shell-session + +{{< tabpane lang=shell-session >}} +{{< tab Kubernetes >}} kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon -``` +{{< /tab >}} +{{< tab Docker >}} +curl https://ebpf.io/applications/#tetragon +{{< /tab >}} +{{< /tabpane >}} + The CLI will print a compact form of the event to the terminal ```shell-session @@ -53,11 +58,11 @@ kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents {{< tab Docker >}} docker exec tetragon-container tetra getevents {{< /tab >}} -{{< tab Systemd >}} -{{< /tab >}} {{< /tabpane >}} This will include a lot more details related the binary and event. A full example of the above curl is hown here, +In a Kubernetes environment this will include the Kubernetes metadata include the Pod, Container, Namespaces, and +Labels among other useful metadata.
Process execution event

@@ -139,8 +144,9 @@ This will include a lot more details related the binary and event. A full exampl } ``` -

## What's next + +Execution events are the most basic event Tetragon can produce. To see how to use tracing policies to enable file monitoring see the [File Access Monitoring]({{< ref "/docs/getting-started/file-events" >}})quickstart. To see a network policy check the [Networking Monitoring]({{< ref "/docs/getting-started/network" >}}) quickstart. diff --git a/docs/content/en/docs/getting-started/file-events.md b/docs/content/en/docs/getting-started/file-events.md index f89ec94d9bb..690f50ce2b6 100644 --- a/docs/content/en/docs/getting-started/file-events.md +++ b/docs/content/en/docs/getting-started/file-events.md @@ -14,9 +14,11 @@ remains low even on busy systems. The following extends the example from Execution Tracing with a policy to monitor sensitive files in Linux. The policy used is the [`file-monitoring.yaml`](https://github.com/cilium/tetragon/blob/main/quickstart/file-monitoring.yaml) it can be reviewed and extended -as needed. However, files monitored here serve as a good base set of files. +as needed. Files monitored here serve as a good base set of files. -To apply the policy +To apply the policy Kubernetes uses a CRD that can be applied with kubectl. +Uses the same YAML configuration as Kuberenetes, but loaded through a file +on disk. {{< tabpane lang=shell-session >}} 
@@ -24,23 +26,39 @@ To apply the policy kubectl apply -f http://github.com/cilium/tetragon/quickstart/file-monitoring.yaml {{< /tab >}} {{< tab Docker >}} -{{< /tab >}} -{{< tab Systemd >}} -{{< /tab >}} +wget http://github.com/cilium/tetragon/quickstart/file-monitoring.yaml +docker stop tetragon-container +docker run --name tetragon-container --rm --pull always \ + --pid=host --cgroupns=host --privileged \ + -v ${PWD}/file_monitoring.yaml:/etc/tetragon/tetragon.tp.d/file_monitoring.yaml \ + -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \ + quay.io/cilium/tetragon-ci:latest +{{< /tab >}} {{< /tabpane >}} With the file applied we can attach tetra to observe events again, -```shell-session +{{< tabpane lang=shell-session >}} +{{< tab Kubernetes >}} kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact --pods xwing -``` +{{< /tab >}} +{{< tab Docker >}} +docker exec tetragon-container tetra getevents -o compact +{{< /tab >}} +{{< /tabpane >}} + Then reading a sensitive file, -```shell-session +{{< tabpane lang=shell-session >}} +{{< tab Kubernetes >}} kubectl exec -ti xwing -- bash -c 'cat /etc/shadow' -``` +{{< /tab >}} +{{< tab Docker >}} +cat /etc/shadow +{{< /tab >}} +{{< /tabpane >}} -This will generate a read event, +This will generate a read event (Docker events will omit Kubernetes metadata), ```shell-session 🚀 process default/xwing /bin/bash -c "cat /etc/shadow" @@ -59,3 +77,6 @@ Attempts to write in sensitive directories will similar create an event. For exa ``` # What's next + +To explore tracing policies for networking try the [Networking Monitoring]({{< ref "/docs/getting-started/network" >}}) quickstart. +To dive into the details of policies and events please see [Concepts]({{< ref "docs/concepts" >}}) section. 
diff --git a/docs/content/en/docs/getting-started/quick-install/install-docker.md b/docs/content/en/docs/getting-started/install-docker.md similarity index 91% rename from docs/content/en/docs/getting-started/quick-install/install-docker.md rename to docs/content/en/docs/getting-started/install-docker.md index 0354a192ed1..9204a5ad878 100644 --- a/docs/content/en/docs/getting-started/quick-install/install-docker.md +++ b/docs/content/en/docs/getting-started/install-docker.md @@ -1,5 +1,5 @@ --- -title: "Try Tetragon locally " +title: "Quick Local Docker Install" weight: 1 description: "Discover and experiment with Tetragon on your local Linux host" --- @@ -30,3 +30,7 @@ docker run --name tetragon-container --rm --pull always \ This will start Tetragon in a privileged container. Priviliges are required to load and attach BPF programs. See Installation section for more details. + +## Whats Next + +[Check for execution events.]({{< ref "/docs/getting-started/execution" >}}). diff --git a/docs/content/en/docs/getting-started/quick-install/install-k8s.md b/docs/content/en/docs/getting-started/install-k8s.md similarity index 98% rename from docs/content/en/docs/getting-started/quick-install/install-k8s.md rename to docs/content/en/docs/getting-started/install-k8s.md index 752a3501262..100a40251d8 100644 --- a/docs/content/en/docs/getting-started/quick-install/install-k8s.md +++ b/docs/content/en/docs/getting-started/install-k8s.md @@ -1,5 +1,5 @@ --- -title: "Try Tetragon on Kubernetes" +title: "Quick Kubernetes Install" weight: 1 description: "Discover and experiment with Tetragon in a kubernetes environment" --- diff --git a/docs/content/en/docs/getting-started/network.md b/docs/content/en/docs/getting-started/network.md index c986b4d9c1a..7b35bb068bd 100644 --- a/docs/content/en/docs/getting-started/network.md +++ b/docs/content/en/docs/getting-started/network.md 
@@ -9,7 +9,7 @@ already deployed in the quick start. In this case we monitor all network traffic outside the Kubernetes pod CIDR and service CIDR. -# Network Access Monitoring +# Kubernetes Cluster Network Access Monitoring First we must find the pod CIDR and service CIDR in use. The pod IP CIDR can be found relatively easily in many cases. @@ -45,11 +45,7 @@ to avoid filter out cluster local traffic. To apply the policy, {{< tab Kubernetes >}} wget http://github.com/cilium/tetragon/quickstart/network_egress_cluster.yaml envsubst < network_egress_cluster.yaml | kubectl apply -f - -{{< /tab >}} -{{< tab Docker >}} -{{< /tab >}} -{{< tab Systemd >}} -{{< /tab >}} +{{< /tab >}} {{< /tabpane >}} With the file applied we can attach tetra to observe events again, 
@@ -90,4 +86,60 @@ And as expected no new events, 💥 exit default/xwing /usr/bin/curl https://ebpf.io/applications/#tetragon 60 ``` +# Docker/Baremetal Network Access Monitoring + +This example also works easily for local docker users as well except it is not as +obvious to the quickstart authors what IP address CIDR will be useful. The policy +by default will filter all local IPs '127.0.0.1' from the event log. So we can +demo that here. + +Set env variables to local loopback IP. +```shell-session +export PODCIDR="127.0.0.1/32" +export SERVICECIDR="127.0.0.1/32" +``` + +To create the policy, +```shell-session +wget http://github.com/cilium/tetragon/quickstart/network_egress_cluster.yaml +envsubst < network_egress_cluster.yaml > network_egress_cluster_subst.yaml +``` +Start Tetragon with the new policy, +```shell-session +docker stop tetragon-container +docker run --name tetragon-container --rm --pull always \ + --pid=host --cgroupns=host --privileged \ + -v ${PWD}/network_egress_cluster_subst.yaml:/etc/tetragon/tetragon.tp.d/network_egress_cluster_subst.yaml \ + -v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf \ + quay.io/cilium/tetragon-ci:latest + +``` +Attach to the tetragon output +```shell-session +docker exec tetragon-container tetra getevents -o compact +``` +Now remote TCP connections will be logged and local IPs filters. Executing a curl +to generate a remote TCP connect. +```shell-session +curl https://ebpf.io/applications/#tetragon +``` +Produces the following output: +```shell-session +🚀 process /usr/bin/curl https://ebpf.io/applications/#tetragon +🔌 connect /usr/bin/curl tcp 192.168.1.190:36124 -> 104.198.14.52:443 +💥 exit /usr/bin/curl https://ebpf.io/applications/#tetragon 0 +``` + # Whats Next + +So far we have installed Tetragon and shown a couple policies to monitor +sensitive files and provide network auditing for connections outside our own +cluster and node. Both these cases highlight the value of in kernel filtering. 
+Another benefit of in-kernel filtering is we can add +[enforcement]({{< ref "/docs/getting-started/enforcement" >}}) to the policies +to not only alert, but block the operation in kernel and/or kill the +application attempting the operation. + +To learn more about policies and events Tetragon can implement review the +[Concepts]({{< ref "/docs/concepts" >}}) section. + diff --git a/docs/content/en/docs/getting-started/quick-install/_index.md b/docs/content/en/docs/getting-started/quick-install/_index.md deleted file mode 100644 index f79f2785f7c..00000000000 --- a/docs/content/en/docs/getting-started/quick-install/_index.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -title: "Quick Install Tetragon" -linkTitle: "Quick Install" -isShownInList: false -weight: 1 -description: > - Quick install quide for Tetragon. ---- - diff --git a/docs/content/en/docs/installation/Docker/_index.md b/docs/content/en/docs/installation/Docker/_index.md new file mode 100644 index 00000000000..14152f0c34a --- /dev/null +++ b/docs/content/en/docs/installation/Docker/_index.md @@ -0,0 +1,9 @@ +--- +title: "Docker" +linkTitle: "Docker" +isShownInList: false +weight: 3 +description: > + Tetragon instructions for running from Docker container, +--- + diff --git a/docs/content/en/docs/installation/Kubernetes/_index.md b/docs/content/en/docs/installation/Kubernetes/_index.md new file mode 100644 index 00000000000..f05b5d74314 --- /dev/null +++ b/docs/content/en/docs/installation/Kubernetes/_index.md @@ -0,0 +1,9 @@ +--- +title: "Kubernetes" +linkTitle: "Kubernetes" +isShownInList: false +weight: 1 +description: > + Tetragon installation instructions for Kubernetes, +--- + diff --git a/docs/content/en/docs/installation/Systemd/_index.md b/docs/content/en/docs/installation/Systemd/_index.md new file mode 100644 index 00000000000..bdcbfcb0922 --- /dev/null +++ b/docs/content/en/docs/installation/Systemd/_index.md 
@@ -0,0 +1,9 @@ +--- +title: "Systemd" +linkTitle: "Systemd" +isShownInList: false +weight: 2 +description: > + Tetragon installation instructions for Systemd deployments. +--- + diff --git a/docs/content/en/docs/installation/_index.md b/docs/content/en/docs/installation/_index.md new file mode 100644 index 00000000000..045a6b32214 --- /dev/null +++ b/docs/content/en/docs/installation/_index.md @@ -0,0 +1,9 @@ +--- +title: "Installion" +linkTitle: "Installion" +isShownInList: false +weight: 2 +description: > + Installation instructions and guides. +--- + diff --git a/quickstart/file_monitoring_enforce.yaml b/quickstart/file_monitoring_enforce.yaml new file mode 100644 index 00000000000..03d53c5885d --- /dev/null +++ b/quickstart/file_monitoring_enforce.yaml 
@@ -0,0 +1,188 @@ +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicyNamespaced +metadata: + name: "file-monitoring-filtered" +spec: + kprobes: + - call: "security_file_permission" + syscall: false + return: true + args: + - index: 0 + type: "file" # (struct file *) used for getting the path + - index: 1 + type: "int" # 0x04 is MAY_READ, 0x02 is MAY_WRITE + returnArg: + index: 0 + type: "int" + returnArgAction: "Post" + selectors: + - matchArgs: + - index: 0 + operator: "Prefix" + values: + - "/boot" # Reads to sensitive directories + - "/root/.ssh" # Reads to sensitive files we want to know about + - "/etc/shadow" + - "/etc/profile" + - "/etc/sudoers" + - "/etc/pam.conf" # Reads global shell configs bash/csh supported + - "/etc/bashrc" + - "/etc/csh.cshrc" + - "/etc/csh.login" # Add additional sensitive files here + - index: 1 + operator: "Equal" + values: + - "4" # MAY_READ + matchActions: + - action: Sigkill + - matchArgs: + - index: 0 + operator: "Postfix" + values: + - ".bashrc" # Reads to shell config files bash, csh supported + - ".bash_profile" # add any other shell support here. + - ".bash_login" + - ".bash_logout" + - ".cshrc" + - ".cshdirs" + - ".profile" # Reads to common environments files + - ".login" + - ".logout" + - ".history" # Add additional sensitive files here + - index: 1 + operator: "Equal" + values: + - "4" # MAY_READ + matchActions: + - action: Sigkill + - matchArgs: + - index: 0 + operator: "Prefix" + values: + - "/etc" # Writes to sensitive directories + - "/boot" + - "/lib" + - "/lib64" + - "/bin" + - "/usr/lib" + - "/usr/local/lib" + - "/usr/local/sbin" + - "/usr/local/bin" + - "/usr/bin" + - "/usr/sbin" + - "/var/log" # Writes to logs + - "/dev/log" + - "/root/.ssh" # Writes to sensitive files add here. 
+ - index: 1 + operator: "Equal" + values: + - "2" # MAY_WRITE + matchActions: + - action: Sigkill + - call: "security_mmap_file" + syscall: false + return: true + args: + - index: 0 + type: "file" # (struct file *) used for getting the path + - index: 1 + type: "uint32" # the prot flags PROT_READ(0x01), PROT_WRITE(0x02), PROT_EXEC(0x04) + - index: 2 + type: "uint32" # the mmap flags (i.e. MAP_SHARED, ...) + returnArg: + index: 0 + type: "int" + returnArgAction: "Post" + selectors: + - matchArgs: + - index: 0 + operator: "Prefix" + values: + - "/boot" # Reads to sensitive directories + - "/root/.ssh" # Reads to sensitive files we want to know about + - "/etc/shadow" + - "/etc/sudoers" + - "/etc/pam.conf" # Reads global shell configs bash/csh supported + - "/etc/profile" + - "/etc/bashrc" + - "/etc/csh.cshrc" + - "/etc/csh.login" + - ".bashrc" # Reads to shell config files bash, csh supported + - ".bash_profile" # add any other shell support here. + - ".bash_login" + - ".bash_logout" + - ".cshrc" + - ".cshdirs" + - ".profile" # Reads to common environments files + - ".login" + - ".logout" + - ".history" # Add additional sensitive mmap files here + - index: 1 + operator: "Equal" + values: + - "1" # MAY_READ + - index: 2 + operator: "Mask" + values: + - "1" # MAP_SHARED + matchActions: + - action: Sigkill + - matchArgs: + - index: 0 + operator: "Prefix" + values: + - "/etc" # Writes to sensitive directories + - "/boot" + - "/lib" + - "/lib64" + - "/bin" + - "/usr/lib" + - "/usr/local/lib" + - "/usr/local/sbin" + - "/usr/local/bin" + - "/usr/bin" + - "/usr/sbin" + - "/var/log" # Writes to logs + - "/dev/log" + - "/root/.ssh" # Writes to sensitive files add here. 
+ - index: 1 + operator: "Mask" + values: + - "2" # PROT_WRITE + - index: 2 + operator: "Mask" + values: + - "1" # MAP_SHARED + matchActions: + - action: Sigkill + - call: "security_path_truncate" + syscall: false + return: true + args: + - index: 0 + type: "path" # (struct path *) used for getting the path + returnArg: + index: 0 + type: "int" + returnArgAction: "Post" + selectors: + - matchArgs: + - index: 0 + operator: "Prefix" + values: + - "/etc" # Truncate to sensitive directories + - "/boot" + - "/lib" + - "/lib64" + - "/usr/lib" + - "/usr/local/lib" + - "/usr/local/sbin" + - "/usr/local/bin" + - "/usr/bin" + - "/usr/sbin" + - "/var/log" # Truncate to logs + - "/dev/log" + - "/root/.ssh" # Truncate to sensitive files add here. + matchActions: + - action: Sigkill diff --git a/quickstart/network_egress_cluster.yaml b/quickstart/network_egress_cluster.yaml index fdad47d2f0a..2f16a0e98d8 100644 --- a/quickstart/network_egress_cluster.yaml +++ b/quickstart/network_egress_cluster.yaml @@ -23,5 +23,6 @@ spec: - index: 0 operator: "NotDAddr" values: + - 127.0.0.1 - ${PODCIDR} - ${SERVICECIDR} diff --git a/quickstart/network_egress_cluster_enforce.yaml b/quickstart/network_egress_cluster_enforce.yaml new file mode 100644 index 00000000000..af2794fbbdc --- /dev/null +++ b/quickstart/network_egress_cluster_enforce.yaml @@ -0,0 +1,21 @@ +apiVersion: cilium.io/v1alpha1 +kind: TracingPolicyNamespaced +metadata: + name: "monitor-network-activity-outside-cluster-cidr-range" +spec: + kprobes: + - call: "tcp_connect" + syscall: false + args: + - index: 0 + type: "sock" + selectors: + - matchArgs: + - index: 0 + operator: "NotDAddr" + values: + - 127.0.0.1 + - ${PODCIDR} + - ${SERVICECIDR} + matchActions: + - action: Sigkill
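Review bot: In the Docker tab of the file-enforcement tabpane in enforcement.md, `wget http://github.com/cilium/tetragon/quickstart/file-monitoring.yaml` fetches the observe-only policy under a hyphenated name, but the bind mount reads `${PWD}/file_monitoring.yaml` (underscore) and labels it `file_monitoring_enforce.yaml` inside the container, so docker either fails on a missing host path or loads the non-enforcing policy; the wget target should be `file_monitoring_enforce.yaml` and the `-v` source should use the same name. Smaller points in the same hunk: the intro scopes the policy to the 'darkstar' cluster, the TCP section to the 'empire' namespace, and the commands and event output use `-n default` / `default/xwing`, so pick one; the prose links `file-monitoring-enforce.yaml` while the file added by this PR and the `kubectl apply` line use `file_monitoring_enforce.yaml`; `{{< ref "#enforce-common-security-policy" >}}` resolves to a heading that is not in this page any more; the Kind tab opens with `{{% tab Kind %}}` but closes with `{{< /tab >}}`. Typos: "layed out" -> "laid out", "observer all network traffic" -> "observes all network traffic", "issueing" -> "issuing", "The enforces TCP connects see ... below" -> "To further restrict workarounds to the TCP connect enforcement, see ... below", "The completes the quick start guides" -> "This completes the quick start guides".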
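Review bot: The Kubernetes tab command in the first execution.md hunk, `kubectl exec -ti xwing -- bash -c 'curl https://ebpf.io/applications/#tetragon`, is missing its closing single quote; since this hunk turns it into a copy-paste tab beside the Docker one, fix the pre-existing typo here.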
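Review bot: In the second execution.md hunk, "this will include the Kubernetes metadata include the Pod, Container, Namespaces, and Labels" should read "including the Pod, Container, Namespace and Labels"; the surrounding context line "A full example of the above curl is hown here" is worth changing to "shown" while the paragraph is being edited.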
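Review bot: Missing space in `}})quickstart` after the File Access Monitoring link in the execution.md What's next hunk; "Networking Monitoring" should also match the "Network Monitoring" wording enforcement.md uses for the same page.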
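Review bot: The second added sentence in the first file-events.md hunk has no subject: "Uses the same YAML configuration as Kuberenetes, but loaded through a file on disk." should read "Docker uses the same YAML configuration as Kubernetes, but loads it from a file on disk." (which also fixes the Kuberenetes typo).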
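Review bot: In the Docker tab of the second file-events.md hunk, `wget .../file-monitoring.yaml` saves `file-monitoring.yaml` but the mount reads `${PWD}/file_monitoring.yaml`, so the bind-mount source will not exist; use one spelling for both. Separately, `http://github.com/cilium/tetragon/quickstart/file-monitoring.yaml` is a repository-relative path rather than a raw-content URL, so neither this wget nor the existing `kubectl apply -f` line above it will receive the YAML; a raw.githubusercontent.com URL for the file would be safer.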
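Review bot: `## Whats Next` in install-docker.md needs the apostrophe (`What's Next`, matching `## What's next` in execution.md), and the link line `[Check for execution events.]({{< ref ... >}}).` ends with a period inside the link text followed by another after it.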
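Review bot: `title: "Installion"` and `linkTitle: "Installion"` in installation/_index.md are typos for "Installation" and will appear in the sidebar navigation as written.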
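Review bot: The description in installation/Docker/_index.md ends with a comma ("Tetragon instructions for running from Docker container,"); it should be "Tetragon instructions for running from a Docker container." with a full stop.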
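Review bot: The description in installation/Kubernetes/_index.md also ends with a comma ("Tetragon installation instructions for Kubernetes,"); end it with a full stop.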
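Review bot: In the Docker/Baremetal section added to network.md, "Now remote TCP connections will be logged and local IPs filters" should read "and local IPs filtered", and the opening sentence ("works easily for local docker users as well except it is not as obvious to the quickstart authors what IP address CIDR will be useful") should simply state the choice: outside Kubernetes there is no pod or service CIDR, so the example filters only loopback. Since this PR also adds `127.0.0.1` to `NotDAddr` in network_egress_cluster.yaml, the two `export PODCIDR="127.0.0.1/32"` / `export SERVICECIDR="127.0.0.1/32"` lines no longer add any filtering, but they still have to be set or envsubst leaves `${PODCIDR}` and `${SERVICECIDR}` empty in the generated policy; worth saying so readers do not drop them.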
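Review bot: In the `security_mmap_file` read selector of file_monitoring_enforce.yaml, the basename entries (`.bashrc`, `.bash_profile`, `.profile`, `.history`, and the rest) sit under `operator: "Prefix"`, so they can never match an absolute path; the `security_file_permission` kprobe above correctly splits these into a separate `Postfix` selector and the mmap block should do the same. In that same selector `- "1" # MAY_READ` on the prot argument is PROT_READ (as the arg comment says), and `Equal` will miss mappings requested with PROT_READ|PROT_EXEC, so `Mask` as used in the write selector fits better. One caveat worth a comment at the top of the file: Sigkill on reads of `/etc/profile`, `/etc/bashrc`, `.bashrc` and `.profile` will kill any interactive or login shell started in the namespace; the quickstart only works because `bash -c` does not source them.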
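Review bot: `name: "monitor-network-activity-outside-cluster-cidr-range"` in network_egress_cluster_enforce.yaml still describes a monitoring policy while `matchActions: - action: Sigkill` makes it enforcing; suggest a `-enforce` suffix. Related: enforcement.md applies this file without first deleting network_egress_cluster.yaml (the file-monitoring section does a `kubectl delete` first). If the observe policy uses this same name, `kubectl apply` replaces it in place; if it does not, both policies stay loaded in the namespace. Either way the doc should say which, and a distinct name makes the intent clear.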