File forensics¶
Get granular details of all the accessed files within the target workloads.
Narrative¶
Changes to system binary folders, configuration paths, and credentials paths need to be monitored for change.
Attack Scenario¶
An attacker might want to update the configuration so as to disable security controls or access logs.
Compliance¶
- CISv1
- Control-Id-Linux 4.1.12
Policy¶
File Forensics¶
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: audit-for-system-paths
namespace: wordpress-mysql
spec:
action: Allow
file:
matchDirectories:
- dir: /bin/
readOnly: true
recursive: true
action: Audit
- dir: /sbin/
readOnly: true
recursive: true
action: Audit
- dir: /usr/sbin/
readOnly: true
action: Audit
recursive: true
- dir: /usr/bin/
readOnly: true
recursive: true
action: Audit
- dir: /etc/
readOnly: true
recursive: true
action: Audit
severity: 5
tags:
- NIST
- PCI-DSS
message: Access to network files detected. Possible violation of NIST Controls
selector:
matchLabels:
app: mysql
Simulation¶
kubectl exec -it mysql-74775b4bf4-mg7np -n wordpress-mysql -- bash
root@mysql-74775b4bf4-mg7np:/# cd /usr/bin
root@mysql-74775b4bf4-mg7np:/usr/bin# touch malicious-file
Expected Alert¶
ClusterName: default
HostName: gke-cluster-1-default-pool-37f4c896-m209
NamespaceName: wordpress-mysql
PodName: mysql-74775b4bf4-mg7np
Labels: app=mysql
ContainerName: mysql
ContainerID: 6020fc7ad3489630e5d67b7a4615edefecc59cb1bbda826611c349a0a553ef60
ContainerImage: docker.io/library/mysql:5.6@sha256:20575ecebe6216036d25dab5903808211f1e9ba63dc7825ac20cb975e34cfcae
Type: MatchedPolicy
PolicyName: audit-for-system-paths
Severity: 5
Message: Access to network files detected. Possible violation of NIST Controls
Source: /usr/bin/touch malicious-file
Resource: /etc/ld.so.cache
Operation: File
Action: Audit
Data: syscall=SYS_OPEN flags=O_RDONLY|O_CLOEXEC
Enforcer: eBPF Monitor
Result: Passed
ATags: [NIST PCI-DSS]
HostPID: 2.562504e+06
HostPPID: 2.56229e+06
Owner: map[Name:mysql Namespace:wordpress-mysql Ref:Deployment]
PID: 167
PPID: 160
ParentProcessName: /bin/bash
ProcessName: /bin/touch
Tags: NIST,PCI-DSS