From cec2e91d94ba9277022532495dc7c91596ae15c7 Mon Sep 17 00:00:00 2001
From: Rudraksh Pareek
Date: Wed, 9 Oct 2024 17:53:26 +0530
Subject: [PATCH] feat: add host hardening policies

Signed-off-by: Rudraksh Pareek
---
 generic/system/hsp-audit-defense-control.yaml | 36 +++++++++++++++
 .../system/hsp-file-integrity-protection.yaml | 35 ++++++++++++++
 .../system/hsp-monitor-kernel-modules.yaml | 28 +++++++++++
 .../hsp-package-management-security.yaml | 46 +++++++++++++++++++
 .../hsp-protect-against-cryptojacking.yaml | 29 ++++++++++++
 generic/system/hsp-protect-credentials.yaml | 40 ++++++++++++++++
 generic/system/hsp-protect-system-config.yaml | 43 +++++++++++++++++
 .../hsp-restrict-process-execution.yaml | 34 ++++++++++++++
 8 files changed, 291 insertions(+)
 create mode 100644 generic/system/hsp-audit-defense-control.yaml
 create mode 100644 generic/system/hsp-file-integrity-protection.yaml
 create mode 100644 generic/system/hsp-monitor-kernel-modules.yaml
 create mode 100644 generic/system/hsp-package-management-security.yaml
 create mode 100644 generic/system/hsp-protect-against-cryptojacking.yaml
 create mode 100644 generic/system/hsp-protect-credentials.yaml
 create mode 100644 generic/system/hsp-protect-system-config.yaml
 create mode 100644 generic/system/hsp-restrict-process-execution.yaml
diff --git a/generic/system/hsp-audit-defense-control.yaml b/generic/system/hsp-audit-defense-control.yaml
new file mode 100644
index 00000000..1f16c735
--- /dev/null
+++ b/generic/system/hsp-audit-defense-control.yaml
@@ -0,0 +1,36 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-audit-defense-control
+spec:
+ action: Audit
+ process:
+ - execname: aa-enforce
+ - execname: aa-audit
+ - execname: aa-cleanprof
+ - execname: aa-disable
+ - execname: apparmor_parser
+ file:
+ matchDirectories:
+ - dir: /etc/apparmor.d/
+ recursive: true
+ - dir: /etc/apparmor/
+ recursive: true
+ - dir: /etc/sysconfig/selinux/
+ recursive: true
+ - dir: /opt/kubearmor/
+ recursive: true
+ fromSource:
+ - path: /opt/kubearmor/kubearmor
+ matchPaths:
+ - path: /etc/selinux/semanage.conf
+ message: "WARN! Runtime security files/processes accessed."
+ nodSelector:
+ matchLabels:
+ kubearmor.io/hostname: '*'
+ severity: 5
+ tags:
+ - FGT1562
+ - FIGHT
+ - MITRE
+ - MITRE_T1562_Impair _Defenses
diff --git a/generic/system/hsp-file-integrity-protection.yaml b/generic/system/hsp-file-integrity-protection.yaml
new file mode 100644
index 00000000..de992389
--- /dev/null
+++ b/generic/system/hsp-file-integrity-protection.yaml
@@ -0,0 +1,35 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-file-integrity-monitoring
+spec:
+ action: Block
+ file:
+ matchDirectories:
+ - dir: /bin/
+ readOnly: true
+ recursive: true
+ - dir: /sbin/
+ readOnly: true
+ recursive: true
+ - dir: /usr/bin/
+ readOnly: true
+ recursive: true
+ - dir: /usr/sbin/
+ readOnly: true
+ recursive: true
+ - dir: /usr/local/bin/
+ readOnly: true
+ recursive: true
+ message: "ALERT! Detected and prevented compromise to file integrity"
+ nodeSelector:
+ matchLabels:
+ kubearmor.io/hostname: '*'
+ severity: 1
+ tags:
+ - MITRE
+ - MITRE_T1036_masquerading
+ - MITRE_T1565_data_manipulation
+ - NIST
+ - NIST_800-53_AU-2
+ - NIST_800-53_SI-4
diff --git a/generic/system/hsp-monitor-kernel-modules.yaml b/generic/system/hsp-monitor-kernel-modules.yaml
new file mode 100644
index 00000000..944d33a8
--- /dev/null
+++ b/generic/system/hsp-monitor-kernel-modules.yaml
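Review bot: The `process:` section lists its `- execname:` entries directly under `process:` with no `matchPaths:` key, and the node selector key is spelled `nodSelector`; both differ from the sibling policies in this patch (hsp-monitor-kernel-modules nests `- execname: kmod` under `matchPaths:`, and every other file writes `nodeSelector:`), so this object is likely rejected by the CRD schema or applied with those fields pruned. Nest the five `execname` entries under `matchPaths:` and rename the key to `nodeSelector:`. The last tag `MITRE_T1562_Impair _Defenses` also carries an embedded space; `MITRE_T1562_impair_defenses` would match the form of the other MITRE tags in this patch.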
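Review bot: `metadata.name` is `hsp-file-integrity-monitoring` while the file is named `hsp-file-integrity-protection.yaml` and the action is `Block`; pick one name so the file, the resource and the alert text agree. With `action: Block` and `readOnly: true` on `/bin/`, `/sbin/`, `/usr/bin/`, `/usr/sbin/` and `/usr/local/bin/`, every host-wide write to those trees is denied, which also covers legitimate package upgrades and node provisioning, so consider a `fromSource` exemption for the package-manager binaries or an initial `Audit` phase as hsp-protect-credentials does. Severity `1` also looks low next to `10` for the cryptominer policy, given that this one blocks tampering with system binaries; confirm the intended severity scale across the set.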
@@ -0,0 +1,28 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-monitor-kernel-modules
+spec:
+ action: Audit
+ process:
+ matchPaths:
+ - execname: kmod
+ file:
+ matchPaths:
+ - path: /etc/modules
+ readOnly: true
+ matchDirectories:
+ - dir: /etc/modprobe.d/
+ recursive: true
+ readOnly: true
+ - dir: /etc/modules-load.d/
+ recursive: true
+ readOnly: true
+ message: "WARN! Detected modification of Kernel modules."
+ nodeSelector:
+ matchLabels:
+ kubearmor.io/hostname: '*'
+ severity: 5
+ tags:
+ - "STIG"
+ - "UBTU-20-010297"
diff --git a/generic/system/hsp-package-management-security.yaml b/generic/system/hsp-package-management-security.yaml
new file mode 100644
index 00000000..ac74c919
--- /dev/null
+++ b/generic/system/hsp-package-management-security.yaml
@@ -0,0 +1,46 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-package-management-security
+spec:
+ action: Block
+ process:
+ matchPaths:
+ - execname: apt
+ - execname: dpkg
+ - execname: dnf-3
+ - execname: yum
+ - execname: rpm
+ - execname: apk
+ - execname: gdebi
+ - execname: make
+ - execname: makepkg
+ - execname: pacman
+ - execname: yaourt
+ - execname: zypper
+ file:
+ matchDirectories:
+ - dir: /etc/apt/
+ recursive: true
+ readOnly: true
+ - dir: /etc/dnf/
+ recursive: true
+ readOnly: true
+ - dir: /etc/yum.repos.d/
+ recursive: true
+ readOnly: true
+ - dir: /etc/apk/
+ recursive: true
+ readOnly: true
+ message: "ALERT! Blocked attempt to modify system packages."
+ nodeSelector:
+ matchLabels:
+ kubearmor.io/hostname: '*'
+ severity: 5
+ tags:
+ - "NIST"
+ - "CM-6-1"
+ - "NIST_SA"
+ - "NIST_SA-20"
+ - "NIST_SA-20-Customized Development of Critical Components"
+ - "sensitive asset"
diff --git a/generic/system/hsp-protect-against-cryptojacking.yaml b/generic/system/hsp-protect-against-cryptojacking.yaml
new file mode 100644
index 00000000..5c13a853
--- /dev/null
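Review bot: Matching only `execname: kmod` may miss most module loads, because on common distributions `modprobe`, `insmod` and `rmmod` are symlinks to `kmod` and the process name observed at exec time is usually the symlink name rather than `kmod`; if that holds for this enforcer, add `- execname: modprobe`, `- execname: insmod` and `- execname: rmmod` alongside it — confirm against the runtime's execname semantics before relying on the single entry. The tags are double-quoted here but bare in most other policies of this patch; pick one style across the set.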
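Review bot: `- execname: make` blocks every invocation of `make` host-wide, which is not package management and will break unrelated builds and provisioning scripts; drop it or move it to a policy of its own. The directory list also does not cover every manager in the execname list — there is no `/etc/zypp/` for zypper and no `/etc/pacman.d/` for pacman — so either add those directories or trim the execname list to the managers whose configuration is actually protected. Blocking `apt`, `dpkg`, `yum` and `dnf-3` outright also stops unattended upgrades and the node's own bootstrap, so a `fromSource` allowance for the automation that legitimately runs them, or an initial `Audit` phase, would make this deployable. `dnf` is listed only as `dnf-3`; confirm that is the name the enforcer sees on the target distributions.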
+++ b/generic/system/hsp-protect-against-cryptojacking.yaml
@@ -0,0 +1,29 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-mitre-prevent-crypto-miners
+spec:
+ nodeSelector:
+ matchLabels:
+ kubearmor.io/hostname: '*'
+ action: Block
+ process:
+ matchDirectories:
+ - dir: /tmp/
+ recursive: true
+ matchPaths:
+ - execname: xmrig
+ - execname: dero
+ - execname: dero-miner-linux-amd64
+ - execname: dero-wallet-cli-linux-amd64
+ - execname: derod-linux-amd64
+ - execname: zgrab2
+ - execname: masscan
+ - execname: nmap
+ - execname: ntpdate
+ message: "WARN! Cryptominer detected and blocked"
+ severity: 10
+ tags:
+ - cryptominer
+ - MITRE_T1496_resource_hijacking
+ - MITRE
diff --git a/generic/system/hsp-protect-credentials.yaml b/generic/system/hsp-protect-credentials.yaml
new file mode 100644
index 00000000..58edee96
--- /dev/null
+++ b/generic/system/hsp-protect-credentials.yaml
@@ -0,0 +1,40 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-protect-credentials
+spec:
+ action: Audit
+ # make block after testing
+ #action: Block
+ file:
+ matchPaths:
+ - path: /etc/passwd
+ readOnly: true
+ - path: /etc/shadow
+ readOnly: true
+ matchDirectories:
+ - dir: /etc/pki/
+ readOnly: true
+ recursive: true
+ - dir: /etc/ssl/
+ readOnly: true
+ recursive: true
+ - dir: /usr/local/share/ca-certificates/
+ readOnly: true
+ recursive: true
+ - dir: /root/.ssh/
+ readOnly: true
+ recursive: true
+ - dir: /root/.ssh/.gnupg/
+ readOnly: true
+ recursive: true
+ message: "ALERT! Blocked modification of credentials."
+ nodeSelector:
+ matchLabels:
+ kubearmor.io/hostname: '*'
+ severity: 5
+ tags:
+ - FGT1555
+ - FIGHT
+ - MITRE
+ - MITRE_T1552_unsecured_credentials
diff --git a/generic/system/hsp-protect-system-config.yaml b/generic/system/hsp-protect-system-config.yaml
new file mode 100644
index 00000000..46ad1d66
--- /dev/null
+++ b/generic/system/hsp-protect-system-config.yaml
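Review bot: `ntpdate` is a legitimate time-synchronisation utility, and blocking it host-wide under the message `"WARN! Cryptominer detected and blocked"` will break clock sync on hosts that use it and raise a misleading alert; drop it, or move it together with `nmap`, `masscan` and `zgrab2` into a separate reconnaissance-tools policy with its own message. The `/tmp/` rule fires the same "Cryptominer" message for any binary executed from `/tmp/`, so wording such as `"ALERT! Blocked execution from /tmp or of a known cryptominer binary"` would make triage easier. Name-based `execname` matches are the weaker half of this policy and the `/tmp/` directory rule the durable one; a one-line comment saying so would help whoever tunes it later. The resource name `hsp-mitre-prevent-crypto-miners` also differs from the file name `hsp-protect-against-cryptojacking.yaml`.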
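Review bot: `/root/.ssh/.gnupg/` looks like a typo for `/root/.gnupg/` — GnuPG keeps its keyring in `~/.gnupg`, not under `.ssh` — so the rule as written protects nothing; change it to `- dir: /root/.gnupg/`. The message `"ALERT! Blocked modification of credentials."` does not match `action: Audit` (the commented `#action: Block` suggests Block is planned, but until then the alert claims a block that did not happen); use wording like `"WARN! Modification of credential files detected."` while the policy stays in Audit. The tag pair `FGT1555` and `MITRE_T1552_unsecured_credentials` references two different technique numbers; confirm which technique is intended and align them. When this is switched to Block, `readOnly` on `/etc/passwd` and `/etc/shadow` will also deny `passwd`, `useradd` and similar tools, so a `fromSource` list for them should be prepared alongside the switch.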
@@ -0,0 +1,43 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-protect-system-config
+spec:
+ action: Audit
+ file:
+ matchPaths:
+ - path: /etc/sudoers
+ readOnly: true
+ - path: /etc/sudo.conf
+ readOnly: true
+ - path: /etc/fstab
+ readOnly: true
+ - path: /etc/bash.bashrc
+ readOnly: true
+ - path: /etc/default/grub
+ readOnly: true
+ matchDirectories:
+ - dir: /etc/sudoers.d/
+ recursive: true
+ readOnly: true
+ - dir: /etc/ssh/
+ recursive: true
+ readOnly: true
+ - dir: /etc/pam.d/
+ recursive: true
+ readOnly: true
+ - dir: /boot/
+ recursive: true
+ readOnly: true
+ message: "WARN! System configuration file modified."
+ nodeSelector:
+ matchLabels:
+ kubearmor.io/hostname: '*'
+ severity: 5
+ tags:
+ - "NIST"
+ - "CM-6-1"
+ - "NIST_SA"
+ - "NIST_SA-20"
+ - "NIST_SA-20-Customized Development of Critical Components"
+ - "sensitive asset"
diff --git a/generic/system/hsp-restrict-process-execution.yaml b/generic/system/hsp-restrict-process-execution.yaml
new file mode 100644
index 00000000..e0f5ed94
--- /dev/null
+++ b/generic/system/hsp-restrict-process-execution.yaml
@@ -0,0 +1,34 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-restrict-process-execution
+spec:
+ action: Allow
+ file:
+ Directories:
+ - dir: /
+ recursive: true
+ process:
+ matchDirectories:
+ - dir: /
+ recursive: true
+ action: Block
+ - dir: /bin/
+ recursive: true
+ - dir: /sbin/
+ recursive: true
+ - dir: /usr/bin/
+ recursive: true
+ - dir: /usr/sbin/
+ recursive: true
+ - dir: /usr/local/bin/
+ recursive: true
+ - dir: /usr/local/sbin/
+ recursive: true
+ - dir: /opt/
+ recursive: true
+ message: "ALERT! Blocked process execution outside of allow list."
+ nodeSelector:
+ matchLabels:
+ kubearmor.io/hostname: '*'
+ severity: 1
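Review bot: The tag set `"NIST_SA"`, `"NIST_SA-20"`, `"NIST_SA-20-Customized Development of Critical Components"` appears copied from hsp-package-management-security and does not describe configuration-file protection — `CM-6` fits, SA-20 does not — so trim the tags to the controls this policy actually supports, keeping `"NIST"` and `"CM-6-1"`. `/boot/` and `/etc/ssh/` marked `readOnly` will produce audit events for every kernel update and host-key regeneration; that is acceptable in Audit but worth a comment such as `# expected noise: kernel upgrades, ssh-keygen -A` so those alerts are not treated as incidents. Writes to `/etc/sudoers`, `/etc/sudoers.d/` and `/etc/pam.d/` are direct privilege-escalation and persistence points, so a severity above `5` for this policy would be consistent with `10` for the cryptominer policy; confirm the intended scale.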
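Review bot: `file: Directories:` is not a key the sibling policies use — every other file in this patch writes `matchDirectories` — so the blanket file rule `- dir: / recursive: true` is likely rejected by the CRD schema or pruned, and under `action: Allow` that leaves the policy with no file allowance at all, which is not what the author intended; rename it to `matchDirectories:`. The process allow list omits `/usr/lib/` and `/usr/libexec/`, where systemd helpers and many service binaries live on common distributions, and `/snap/bin/` on snap-based hosts, so a host-wide Allow without them will likely block essential daemons — add those directories or ship this policy at `Audit` first. The entry `- dir: / recursive: true` with `action: Block` combined with more specific allowed subdirectories relies on the enforcer giving the longer prefix precedence; confirm that against the KubeArmor matcher rather than assuming it. This is also the only file in the patch without `tags`.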