-
Notifications
You must be signed in to change notification settings - Fork 47
/
metadata.yaml
132 lines (132 loc) · 4.94 KB
/
metadata.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
version: v0.1.2
policyRules:
- name: maintenance-tool-access
precondition:
- /sbin/*
description:
refs:
- name: MITRE-TTP
url:
- https://attack.mitre.org/techniques/T1553/
tldr: Restrict access to maintenance tools (apk, mii-tool, ...)
detailed: Container images might contain maintenance tools which should ideally
never be used in prod env, or if used, should be used only in certain time frames.
Examples include, dynamic package management tools, mii-tool, iptables etc
spec:
action: Audit
file:
matchDirectories:
- dir: /sbin/
recursive: true
message: restricted maintenance tool access attempted
selector:
matchLabels:
kubearmor.io/container.name: alpine
severity: 1
tags:
- PCI-DSS
- MITRE
- name: mysql-mysqldump-access
precondition:
- /etc/mysql/*
- /usr/bin/mysqldump
description:
refs:
- name: MITRE-TTP
url:
- https://attack.mitre.org/techniques/T1074/001/
tldr: Deny access to mysqldump process
detailed: Adversaries may stage collected data in a central location or directory
on the local system prior to Exfiltration. Data may be kept in separate files or
combined into one file through techniques such as Archive Collected Data.
Interactive command shells may be used, and common functionality within cmd and
bash may be used to copy data into a staging location.
spec:
action: Block
process:
matchPaths:
- path: /usr/bin/mysqldump
message: mysqldump tool action denied
severity: 1
tags:
- MySQL
- MITRE
- name: deny-package-tool-access
precondition:
- /usr/bin/apt
- /usr/bin/apt-get
description:
refs:
- name: MITRE-TTP
url:
- https://attack.mitre.org/techniques/T1059/004/
tldr: Deny package manager execution
detailed: Adversaries may abuse Unix shell commands and scripts for execution.
Unix shells are the primary command prompt on Linux and macOS systems, though many
variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific
OS or distribution.[1][2] Unix shells can control every aspect of a system, with certain
commands requiring elevated privileges.
spec:
action: Block
process:
matchPaths:
- path: /usr/bin/apt
- path: /usr/bin/apt-get
message: package manager action denied
severity: 1
tags:
- Package Manager
- MITRE
- Linux
- name: block-serviceaccount-access
precondition:
- /run/secrets/kubernetes.io/serviceaccount
description:
refs:
- name: "Unsecured Credentials: Container API"
url:
- "https://attack.mitre.org/techniques/T1552/007/"
tldr: Deny access to serviceaccount files
detailed: Adversaries may gather credentials via APIs within a containers environment.
APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to
remotely manage their container resources and cluster components. An adversary may access the
Docker API to collect logs that contain credentials to cloud, container, and various
other resources in the environment. An adversary with sufficient permissions, such as
via a pod's service account, may also use the Kubernetes API to retrieve credentials from
the Kubernetes API server. These credentials may include those needed for Docker API
authentication or secrets from Kubernetes cluster components.
spec:
severity: 7
selector:
matchLabels:
app: wordpress
file:
matchDirectories:
- dir: /run/secrets/kubernetes.io/serviceaccount/
recursive: true
action:
Block
tags:
- Kubernetes
- serviceaccount
- name: cert-access
precondition:
- /etc/ssl/.*
description:
refs:
- name: MITRE-TTP
url:
- https://attack.mitre.org/techniques/T1553/
tldr: Restrict access to trusted certificated bundles in the OS image
detailed: Operating systems maintain a list of trusted certificates (often called
trust bundles) in file system. These bundles decides which authorities are trusted.
Subverting these trust controls would essentially allow an adversary to operate
as a trusted entity. Adversaries may undermine security controls that will either
warn users of untrusted activity or prevent execution of untrusted programs.
Operating systems and security products may contain mechanisms to identify programs
or websites as possessing some level of trust. Examples of such features would
include a program being allowed to run because it is signed by a valid code
signing certificate, a program prompting the user with a warning because it
has an attribute set from being downloaded from the Internet, or getting an
indication that you are about to connect to an untrusted site.
yaml: mitre/system/ksp-unsecured_credentials_access.yaml