@Ankurk99
Created March 27, 2023 19:03
karmor recommend for KubeArmor daemonset
Deployment | kubearmor/kubearmor-relay
Container | kubearmor/kubearmor-relay-server:latest
OS | linux
Arch | amd64
Distro | alpine
Output Directory | out/kubearmor-kubearmor-relay
policy-template version | v0.1.9
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| POLICY                             | SHORT DESC                     | SEVERITY | ACTION | TAGS                                              |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | Restrict access to maintenance | 1        | Audit  | PCI_DSS                                           |
| latest-maint-tools-access.yaml     | tools (apk, mii-tool, ...)     |          |        | MITRE                                             |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | Restrict access to trusted     | 1        | Block  | MITRE                                             |
| latest-trusted-cert-mod.yaml       | certificated bundles in the OS |          |        | MITRE_T1552_unsecured_credentials                 |
|                                    | image                          |          |        |                                                   |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | System Information Discovery   | 3        | Block  | MITRE                                             |
| latest-system-owner-discovery.yaml | - block system owner discovery |          |        | MITRE_T1082_system_information_discovery          |
|                                    | commands                       |          |        |                                                   |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | System and Information         | 5        | Block  | NIST NIST_800-53_AU-2                             |
| latest-write-under-bin-dir.yaml    | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4 MITRE                            |
|                                    | make directory under /bin/     |          |        | MITRE_T1036_masquerading                          |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | System and Information         | 5        | Audit  | NIST NIST_800-53_AU-2                             |
| latest-write-under-dev-dir.yaml    | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4 MITRE                            |
|                                    | make files under /dev/         |          |        | MITRE_T1036_masquerading                          |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | System and Information         | 5        | Audit  | NIST SI-4                                         |
| latest-cronjob-cfg.yaml            | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4                                  |
|                                    | Detect access to cronjob files |          |        | CIS CIS_Linux                                     |
|                                    |                                |          |        | CIS_5.1_Configure_Cron                            |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | System and Information         | 5        | Block  | NIST                                              |
| latest-pkg-mngr-exec.yaml          | Integrity - Least              |          |        | NIST_800-53_CM-7(4)                               |
|                                    | Functionality deny execution   |          |        | SI-4 process                                      |
|                                    | of package manager process in  |          |        | NIST_800-53_SI-4                                  |
|                                    | container                      |          |        |                                                   |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | Adversaries may abuse a        | 5        | Block  | MITRE_T1609_container_administration_command      |
| latest-k8s-client-tool-exec.yaml   | container administration       |          |        | MITRE_TA0002_execution                            |
|                                    | service to execute commands    |          |        | MITRE_T1610_deploy_container                      |
|                                    | within a container.            |          |        | MITRE NIST_800-53 NIST_800-53_AU-2                |
|                                    |                                |          |        | NIST_800-53_SI-4 NIST                             |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | The adversary is trying to     | 5        | Block  | MITRE                                             |
| latest-remote-file-copy.yaml       | steal data.                    |          |        | MITRE_TA0008_lateral_movement                     |
|                                    |                                |          |        | MITRE_TA0010_exfiltration                         |
|                                    |                                |          |        | MITRE_TA0006_credential_access                    |
|                                    |                                |          |        | MITRE_T1552_unsecured_credentials                 |
|                                    |                                |          |        | NIST_800-53_SI-4(18) NIST                         |
|                                    |                                |          |        | NIST_800-53 NIST_800-53_SC-4                      |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | The adversary is trying to     | 5        | Block  | MITRE_execution                                   |
| latest-write-in-shm-dir.yaml       | write under shm folder         |          |        | MITRE                                             |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | The adversary is trying to     | 5        | Block  | NIST_800-53_SI-7 NIST                             |
| latest-write-etc-dir.yaml          | avoid being detected.          |          |        | NIST_800-53_SI-4 NIST_800-53                      |
|                                    |                                |          |        | MITRE_T1562.001_disable_or_modify_tools           |
|                                    |                                |          |        | MITRE_T1036.005_match_legitimate_name_or_location |
|                                    |                                |          |        | MITRE_TA0003_persistence                          |
|                                    |                                |          |        | MITRE MITRE_T1036_masquerading                    |
|                                    |                                |          |        | MITRE_TA0005_defense_evasion                      |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | Adversaries may delete or      | 5        | Block  | NIST NIST_800-53 NIST_800-53_CM-5                 |
| latest-shell-history-mod.yaml      | modify artifacts generated     |          |        | NIST_800-53_AU-6(8)                               |
|                                    | within systems to remove       |          |        | MITRE_T1070_indicator_removal_on_host             |
|                                    | evidence.                      |          |        | MITRE MITRE_T1036_masquerading                    |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | Command Line Warning Banners   | 5        | Block  | CIS CIS_Linux CIS_1.7_Warning_Banners             |
| latest-cis-commandline-warning-    |                                |          |        | CIS_1.7.1_Command_Line_Warning_Banners            |
| banner.yaml                        |                                |          |        |                                                   |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | Ensure events that modify the  | 5        | Block  | CIS CIS_Linux                                     |
| latest-system-network-env-mod.yaml | system's network environment   |          |        | CIS_4_Logging_and_Aduditing                       |
|                                    | are collected                  |          |        | CIS_4.1.1_Data_Retention                          |
|                                    |                                |          |        | CIS_4.1.7_system_network_environment              |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-relay-server-  | File Integrity Monitoring      | 1        | Block  | NIST NIST_800-53_AU-2                             |
| latest-file-integrity-             |                                |          |        | NIST_800-53_SI-4 MITRE                            |
| monitoring.yaml                    |                                |          |        | MITRE_T1036_masquerading                          |
|                                    |                                |          |        | MITRE_T1565_data_manipulation                     |
+------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
Deployment | kubearmor/kubearmor-host-policy-manager
Container | gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
OS | linux
Arch | amd64
Distro | debian
Output Directory | out/kubearmor-kubearmor-host-policy-manager
policy-template version | v0.1.9
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| POLICY                              | SHORT DESC                     | SEVERITY | ACTION | TAGS                                              |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Restrict access to maintenance | 1        | Audit  | PCI_DSS                                           |
| v0-8-0-maint-tools-access.yaml      | tools (apk, mii-tool, ...)     |          |        | MITRE                                             |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Restrict access to trusted     | 1        | Block  | MITRE                                             |
| v0-8-0-trusted-cert-mod.yaml        | certificated bundles in the OS |          |        | MITRE_T1552_unsecured_credentials                 |
|                                     | image                          |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System Information Discovery   | 3        | Block  | MITRE                                             |
| v0-8-0-system-owner-discovery.yaml  | - block system owner discovery |          |        | MITRE_T1082_system_information_discovery          |
|                                     | commands                       |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information         | 5        | Block  | NIST NIST_800-53_AU-2                             |
| v0-8-0-write-under-bin-dir.yaml     | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4 MITRE                            |
|                                     | make directory under /bin/     |          |        | MITRE_T1036_masquerading                          |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information         | 5        | Audit  | NIST NIST_800-53_AU-2                             |
| v0-8-0-write-under-dev-dir.yaml     | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4 MITRE                            |
|                                     | make files under /dev/         |          |        | MITRE_T1036_masquerading                          |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information         | 5        | Audit  | NIST SI-4                                         |
| v0-8-0-cronjob-cfg.yaml             | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4                                  |
|                                     | Detect access to cronjob files |          |        | CIS CIS_Linux                                     |
|                                     |                                |          |        | CIS_5.1_Configure_Cron                            |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information         | 5        | Block  | NIST                                              |
| v0-8-0-pkg-mngr-exec.yaml           | Integrity - Least              |          |        | NIST_800-53_CM-7(4)                               |
|                                     | Functionality deny execution   |          |        | SI-4 process                                      |
|                                     | of package manager process in  |          |        | NIST_800-53_SI-4                                  |
|                                     | container                      |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Adversaries may abuse a        | 5        | Block  | MITRE_T1609_container_administration_command      |
| v0-8-0-k8s-client-tool-exec.yaml    | container administration       |          |        | MITRE_TA0002_execution                            |
|                                     | service to execute commands    |          |        | MITRE_T1610_deploy_container                      |
|                                     | within a container.            |          |        | MITRE NIST_800-53 NIST_800-53_AU-2                |
|                                     |                                |          |        | NIST_800-53_SI-4 NIST                             |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | The adversary is trying to     | 5        | Block  | MITRE                                             |
| v0-8-0-remote-file-copy.yaml        | steal data.                    |          |        | MITRE_TA0008_lateral_movement                     |
|                                     |                                |          |        | MITRE_TA0010_exfiltration                         |
|                                     |                                |          |        | MITRE_TA0006_credential_access                    |
|                                     |                                |          |        | MITRE_T1552_unsecured_credentials                 |
|                                     |                                |          |        | NIST_800-53_SI-4(18) NIST                         |
|                                     |                                |          |        | NIST_800-53 NIST_800-53_SC-4                      |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | The adversary is trying to     | 5        | Block  | MITRE_execution                                   |
| v0-8-0-write-in-shm-dir.yaml        | write under shm folder         |          |        | MITRE                                             |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | The adversary is trying to     | 5        | Block  | NIST_800-53_SI-7 NIST                             |
| v0-8-0-write-etc-dir.yaml           | avoid being detected.          |          |        | NIST_800-53_SI-4 NIST_800-53                      |
|                                     |                                |          |        | MITRE_T1562.001_disable_or_modify_tools           |
|                                     |                                |          |        | MITRE_T1036.005_match_legitimate_name_or_location |
|                                     |                                |          |        | MITRE_TA0003_persistence                          |
|                                     |                                |          |        | MITRE MITRE_T1036_masquerading                    |
|                                     |                                |          |        | MITRE_TA0005_defense_evasion                      |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Adversaries may delete or      | 5        | Block  | NIST NIST_800-53 NIST_800-53_CM-5                 |
| v0-8-0-shell-history-mod.yaml       | modify artifacts generated     |          |        | NIST_800-53_AU-6(8)                               |
|                                     | within systems to remove       |          |        | MITRE_T1070_indicator_removal_on_host             |
|                                     | evidence.                      |          |        | MITRE MITRE_T1036_masquerading                    |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Ensure events that modify the  | 5        | Block  | CIS CIS_Linux                                     |
| v0-8-0-system-network-env-mod.yaml  | system's network environment   |          |        | CIS_4_Logging_and_Aduditing                       |
|                                     | are collected                  |          |        | CIS_4.1.1_Data_Retention                          |
|                                     |                                |          |        | CIS_4.1.7_system_network_environment              |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | File Integrity Monitoring      | 1        | Block  | NIST NIST_800-53_AU-2                             |
| v0-8-0-file-integrity-              |                                |          |        | NIST_800-53_SI-4 MITRE                            |
| monitoring.yaml                     |                                |          |        | MITRE_T1036_masquerading                          |
|                                     |                                |          |        | MITRE_T1565_data_manipulation                     |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
Deployment | kubearmor/kubearmor-host-policy-manager
Container | kubearmor/kubearmor-host-policy-manager:latest
OS | linux
Arch | amd64
Distro | debian
Output Directory | out/kubearmor-kubearmor-host-policy-manager
policy-template version | v0.1.9
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| POLICY                              | SHORT DESC                     | SEVERITY | ACTION | TAGS                                              |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | Restrict access to maintenance | 1        | Audit  | PCI_DSS                                           |
| manager-latest-maint-tools-         | tools (apk, mii-tool, ...)     |          |        | MITRE                                             |
| access.yaml                         |                                |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | Restrict access to trusted     | 1        | Block  | MITRE                                             |
| manager-latest-trusted-cert-        | certificated bundles in the OS |          |        | MITRE_T1552_unsecured_credentials                 |
| mod.yaml                            | image                          |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | System Information Discovery   | 3        | Block  | MITRE                                             |
| manager-latest-system-owner-        | - block system owner discovery |          |        | MITRE_T1082_system_information_discovery          |
| discovery.yaml                      | commands                       |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | System and Information         | 5        | Block  | NIST NIST_800-53_AU-2                             |
| manager-latest-write-under-bin-     | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4 MITRE                            |
| dir.yaml                            | make directory under /bin/     |          |        | MITRE_T1036_masquerading                          |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | System and Information         | 5        | Audit  | NIST NIST_800-53_AU-2                             |
| manager-latest-write-under-dev-     | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4 MITRE                            |
| dir.yaml                            | make files under /dev/         |          |        | MITRE_T1036_masquerading                          |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | System and Information         | 5        | Audit  | NIST SI-4                                         |
| manager-latest-cronjob-cfg.yaml     | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4                                  |
|                                     | Detect access to cronjob files |          |        | CIS CIS_Linux                                     |
|                                     |                                |          |        | CIS_5.1_Configure_Cron                            |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | System and Information         | 5        | Block  | NIST                                              |
| manager-latest-pkg-mngr-exec.yaml   | Integrity - Least              |          |        | NIST_800-53_CM-7(4)                               |
|                                     | Functionality deny execution   |          |        | SI-4 process                                      |
|                                     | of package manager process in  |          |        | NIST_800-53_SI-4                                  |
|                                     | container                      |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | Adversaries may abuse a        | 5        | Block  | MITRE_T1609_container_administration_command      |
| manager-latest-k8s-client-tool-     | container administration       |          |        | MITRE_TA0002_execution                            |
| exec.yaml                           | service to execute commands    |          |        | MITRE_T1610_deploy_container                      |
|                                     | within a container.            |          |        | MITRE NIST_800-53 NIST_800-53_AU-2                |
|                                     |                                |          |        | NIST_800-53_SI-4 NIST                             |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | The adversary is trying to     | 5        | Block  | MITRE                                             |
| manager-latest-remote-file-         | steal data.                    |          |        | MITRE_TA0008_lateral_movement                     |
| copy.yaml                           |                                |          |        | MITRE_TA0010_exfiltration                         |
|                                     |                                |          |        | MITRE_TA0006_credential_access                    |
|                                     |                                |          |        | MITRE_T1552_unsecured_credentials                 |
|                                     |                                |          |        | NIST_800-53_SI-4(18) NIST                         |
|                                     |                                |          |        | NIST_800-53 NIST_800-53_SC-4                      |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | The adversary is trying to     | 5        | Block  | MITRE_execution                                   |
| manager-latest-write-in-shm-        | write under shm folder         |          |        | MITRE                                             |
| dir.yaml                            |                                |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | The adversary is trying to     | 5        | Block  | NIST_800-53_SI-7 NIST                             |
| manager-latest-write-etc-dir.yaml   | avoid being detected.          |          |        | NIST_800-53_SI-4 NIST_800-53                      |
|                                     |                                |          |        | MITRE_T1562.001_disable_or_modify_tools           |
|                                     |                                |          |        | MITRE_T1036.005_match_legitimate_name_or_location |
|                                     |                                |          |        | MITRE_TA0003_persistence                          |
|                                     |                                |          |        | MITRE MITRE_T1036_masquerading                    |
|                                     |                                |          |        | MITRE_TA0005_defense_evasion                      |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | Adversaries may delete or      | 5        | Block  | NIST NIST_800-53 NIST_800-53_CM-5                 |
| manager-latest-shell-history-       | modify artifacts generated     |          |        | NIST_800-53_AU-6(8)                               |
| mod.yaml                            | within systems to remove       |          |        | MITRE_T1070_indicator_removal_on_host             |
|                                     | evidence.                      |          |        | MITRE MITRE_T1036_masquerading                    |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | Ensure events that modify the  | 5        | Block  | CIS CIS_Linux                                     |
| manager-latest-system-network-env-  | system's network environment   |          |        | CIS_4_Logging_and_Aduditing                       |
| mod.yaml                            | are collected                  |          |        | CIS_4.1.1_Data_Retention                          |
|                                     |                                |          |        | CIS_4.1.7_system_network_environment              |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-host-policy-    | File Integrity Monitoring      | 1        | Block  | NIST NIST_800-53_AU-2                             |
| manager-latest-file-integrity-      |                                |          |        | NIST_800-53_SI-4 MITRE                            |
| monitoring.yaml                     |                                |          |        | MITRE_T1036_masquerading                          |
|                                     |                                |          |        | MITRE_T1565_data_manipulation                     |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
Deployment | kubearmor/kubearmor-policy-manager
Container | gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
OS | linux
Arch | amd64
Distro | debian
Output Directory | out/kubearmor-kubearmor-policy-manager
policy-template version | v0.1.9
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| POLICY                              | SHORT DESC                     | SEVERITY | ACTION | TAGS                                              |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Restrict access to maintenance | 1        | Audit  | PCI_DSS                                           |
| v0-8-0-maint-tools-access.yaml      | tools (apk, mii-tool, ...)     |          |        | MITRE                                             |
|                                     |                                |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Restrict access to trusted     | 1        | Block  | MITRE                                             |
| v0-8-0-trusted-cert-mod.yaml        | certificated bundles in the OS |          |        | MITRE_T1552_unsecured_credentials                 |
|                                     | image                          |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System Information Discovery   | 3        | Block  | MITRE                                             |
| v0-8-0-system-owner-discovery.yaml  | - block system owner discovery |          |        | MITRE_T1082_system_information_discovery          |
|                                     | commands                       |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information         | 5        | Block  | NIST NIST_800-53_AU-2                             |
| v0-8-0-write-under-bin-dir.yaml     | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4 MITRE                            |
|                                     | make directory under /bin/     |          |        | MITRE_T1036_masquerading                          |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information         | 5        | Audit  | NIST NIST_800-53_AU-2                             |
| v0-8-0-write-under-dev-dir.yaml     | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4 MITRE                            |
|                                     | make files under /dev/         |          |        | MITRE_T1036_masquerading                          |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information         | 5        | Audit  | NIST SI-4                                         |
| v0-8-0-cronjob-cfg.yaml             | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4                                  |
|                                     | Detect access to cronjob files |          |        | CIS CIS_Linux                                     |
|                                     |                                |          |        | CIS_5.1_Configure_Cron                            |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information         | 5        | Block  | NIST                                              |
| v0-8-0-pkg-mngr-exec.yaml           | Integrity - Least              |          |        | NIST_800-53_CM-7(4)                               |
|                                     | Functionality deny execution   |          |        | SI-4 process                                      |
|                                     | of package manager process in  |          |        | NIST_800-53_SI-4                                  |
|                                     | container                      |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Adversaries may abuse a        | 5        | Block  | MITRE_T1609_container_administration_command      |
| v0-8-0-k8s-client-tool-exec.yaml    | container administration       |          |        | MITRE_TA0002_execution                            |
|                                     | service to execute commands    |          |        | MITRE_T1610_deploy_container                      |
|                                     | within a container.            |          |        | MITRE NIST_800-53 NIST_800-53_AU-2                |
|                                     |                                |          |        | NIST_800-53_SI-4 NIST                             |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | The adversary is trying to     | 5        | Block  | MITRE                                             |
| v0-8-0-remote-file-copy.yaml        | steal data.                    |          |        | MITRE_TA0008_lateral_movement                     |
|                                     |                                |          |        | MITRE_TA0010_exfiltration                         |
|                                     |                                |          |        | MITRE_TA0006_credential_access                    |
|                                     |                                |          |        | MITRE_T1552_unsecured_credentials                 |
|                                     |                                |          |        | NIST_800-53_SI-4(18) NIST                         |
|                                     |                                |          |        | NIST_800-53 NIST_800-53_SC-4                      |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | The adversary is trying to     | 5        | Block  | MITRE_execution                                   |
| v0-8-0-write-in-shm-dir.yaml        | write under shm folder         |          |        | MITRE                                             |
|                                     |                                |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | The adversary is trying to     | 5        | Block  | NIST_800-53_SI-7 NIST                             |
| v0-8-0-write-etc-dir.yaml           | avoid being detected.          |          |        | NIST_800-53_SI-4 NIST_800-53                      |
|                                     |                                |          |        | MITRE_T1562.001_disable_or_modify_tools           |
|                                     |                                |          |        | MITRE_T1036.005_match_legitimate_name_or_location |
|                                     |                                |          |        | MITRE_TA0003_persistence                          |
|                                     |                                |          |        | MITRE MITRE_T1036_masquerading                    |
|                                     |                                |          |        | MITRE_TA0005_defense_evasion                      |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Adversaries may delete or      | 5        | Block  | NIST NIST_800-53 NIST_800-53_CM-5                 |
| v0-8-0-shell-history-mod.yaml       | modify artifacts generated     |          |        | NIST_800-53_AU-6(8)                               |
|                                     | within systems to remove       |          |        | MITRE_T1070_indicator_removal_on_host             |
|                                     | evidence.                      |          |        | MITRE MITRE_T1036_masquerading                    |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Ensure events that modify the  | 5        | Block  | CIS CIS_Linux                                     |
| v0-8-0-system-network-env-mod.yaml  | system's network environment   |          |        | CIS_4_Logging_and_Aduditing                       |
|                                     | are collected                  |          |        | CIS_4.1.1_Data_Retention                          |
|                                     |                                |          |        | CIS_4.1.7_system_network_environment              |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | File Integrity Monitoring      | 1        | Block  | NIST NIST_800-53_AU-2                             |
| v0-8-0-file-integrity-              |                                |          |        | NIST_800-53_SI-4 MITRE                            |
| monitoring.yaml                     |                                |          |        | MITRE_T1036_masquerading                          |
|                                     |                                |          |        | MITRE_T1565_data_manipulation                     |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
Deployment | kubearmor/kubearmor-policy-manager
Container | kubearmor/kubearmor-policy-manager:latest
OS | linux
Arch | amd64
Distro | debian
Output Directory | out/kubearmor-kubearmor-policy-manager
policy-template version | v0.1.9
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| POLICY                              | SHORT DESC                     | SEVERITY | ACTION | TAGS                                              |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | Restrict access to maintenance | 1        | Audit  | PCI_DSS                                           |
| latest-maint-tools-access.yaml      | tools (apk, mii-tool, ...)     |          |        | MITRE                                             |
|                                     |                                |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | Restrict access to trusted     | 1        | Block  | MITRE                                             |
| latest-trusted-cert-mod.yaml        | certificated bundles in the OS |          |        | MITRE_T1552_unsecured_credentials                 |
|                                     | image                          |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | System Information Discovery   | 3        | Block  | MITRE                                             |
| latest-system-owner-discovery.yaml  | - block system owner discovery |          |        | MITRE_T1082_system_information_discovery          |
|                                     | commands                       |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | System and Information         | 5        | Block  | NIST NIST_800-53_AU-2                             |
| latest-write-under-bin-dir.yaml     | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4 MITRE                            |
|                                     | make directory under /bin/     |          |        | MITRE_T1036_masquerading                          |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | System and Information         | 5        | Audit  | NIST NIST_800-53_AU-2                             |
| latest-write-under-dev-dir.yaml     | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4 MITRE                            |
|                                     | make files under /dev/         |          |        | MITRE_T1036_masquerading                          |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | System and Information         | 5        | Audit  | NIST SI-4                                         |
| latest-cronjob-cfg.yaml             | Integrity - System Monitoring  |          |        | NIST_800-53_SI-4                                  |
|                                     | Detect access to cronjob files |          |        | CIS CIS_Linux                                     |
|                                     |                                |          |        | CIS_5.1_Configure_Cron                            |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | System and Information         | 5        | Block  | NIST                                              |
| latest-pkg-mngr-exec.yaml           | Integrity - Least              |          |        | NIST_800-53_CM-7(4)                               |
|                                     | Functionality deny execution   |          |        | SI-4 process                                      |
|                                     | of package manager process in  |          |        | NIST_800-53_SI-4                                  |
|                                     | container                      |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | Adversaries may abuse a        | 5        | Block  | MITRE_T1609_container_administration_command      |
| latest-k8s-client-tool-exec.yaml    | container administration       |          |        | MITRE_TA0002_execution                            |
|                                     | service to execute commands    |          |        | MITRE_T1610_deploy_container                      |
|                                     | within a container.            |          |        | MITRE NIST_800-53 NIST_800-53_AU-2                |
|                                     |                                |          |        | NIST_800-53_SI-4 NIST                             |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | The adversary is trying to     | 5        | Block  | MITRE                                             |
| latest-remote-file-copy.yaml        | steal data.                    |          |        | MITRE_TA0008_lateral_movement                     |
|                                     |                                |          |        | MITRE_TA0010_exfiltration                         |
|                                     |                                |          |        | MITRE_TA0006_credential_access                    |
|                                     |                                |          |        | MITRE_T1552_unsecured_credentials                 |
|                                     |                                |          |        | NIST_800-53_SI-4(18) NIST                         |
|                                     |                                |          |        | NIST_800-53 NIST_800-53_SC-4                      |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | The adversary is trying to     | 5        | Block  | MITRE_execution                                   |
| latest-write-in-shm-dir.yaml        | write under shm folder         |          |        | MITRE                                             |
|                                     |                                |          |        |                                                   |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | The adversary is trying to     | 5        | Block  | NIST_800-53_SI-7 NIST                             |
| latest-write-etc-dir.yaml           | avoid being detected.          |          |        | NIST_800-53_SI-4 NIST_800-53                      |
|                                     |                                |          |        | MITRE_T1562.001_disable_or_modify_tools           |
|                                     |                                |          |        | MITRE_T1036.005_match_legitimate_name_or_location |
|                                     |                                |          |        | MITRE_TA0003_persistence                          |
|                                     |                                |          |        | MITRE MITRE_T1036_masquerading                    |
|                                     |                                |          |        | MITRE_TA0005_defense_evasion                      |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | Adversaries may delete or      | 5        | Block  | NIST NIST_800-53 NIST_800-53_CM-5                 |
| latest-shell-history-mod.yaml       | modify artifacts generated     |          |        | NIST_800-53_AU-6(8)                               |
|                                     | within systems to remove       |          |        | MITRE_T1070_indicator_removal_on_host             |
|                                     | evidence.                      |          |        | MITRE MITRE_T1036_masquerading                    |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | Ensure events that modify the  | 5        | Block  | CIS CIS_Linux                                     |
| latest-system-network-env-mod.yaml  | system's network environment   |          |        | CIS_4_Logging_and_Aduditing                       |
|                                     | are collected                  |          |        | CIS_4.1.1_Data_Retention                          |
|                                     |                                |          |        | CIS_4.1.7_system_network_environment              |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-policy-manager- | File Integrity Monitoring      | 1        | Block  | NIST NIST_800-53_AU-2                             |
| latest-file-integrity-              |                                |          |        | NIST_800-53_SI-4 MITRE                            |
| monitoring.yaml                     |                                |          |        | MITRE_T1036_masquerading                          |
|                                     |                                |          |        | MITRE_T1565_data_manipulation                     |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
Deployment | kubearmor/kubearmor-annotation-manager
Container | gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
OS | linux
Arch | amd64
Distro | debian
Output Directory | out/kubearmor-kubearmor-annotation-manager
policy-template version | v0.1.9
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| POLICY | SHORT DESC | SEVERITY | ACTION | TAGS |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Restrict access to maintenance | 1 | Audit | PCI_DSS |
| v0-8-0-maint-tools-access.yaml | tools (apk, mii-tool, ...) | | | MITRE |
| | | | | |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Restrict access to trusted | 1 | Block | MITRE |
| v0-8-0-trusted-cert-mod.yaml | certificated bundles in the OS | | | MITRE_T1552_unsecured_credentials |
| | image | | | |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System Information Discovery | 3 | Block | MITRE |
| v0-8-0-system-owner-discovery.yaml | - block system owner discovery | | | MITRE_T1082_system_information_discovery |
| | commands | | | |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information | 5 | Block | NIST NIST_800-53_AU-2 |
| v0-8-0-write-under-bin-dir.yaml | Integrity - System Monitoring | | | NIST_800-53_SI-4 MITRE |
| | make directory under /bin/ | | | MITRE_T1036_masquerading |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information | 5 | Audit | NIST NIST_800-53_AU-2 |
| v0-8-0-write-under-dev-dir.yaml | Integrity - System Monitoring | | | NIST_800-53_SI-4 MITRE |
| | make files under /dev/ | | | MITRE_T1036_masquerading |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information | 5 | Audit | NIST SI-4 |
| v0-8-0-cronjob-cfg.yaml | Integrity - System Monitoring | | | NIST_800-53_SI-4 |
| | Detect access to cronjob files | | | CIS CIS_Linux |
| | | | | CIS_5.1_Configure_Cron |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | System and Information | 5 | Block | NIST |
| v0-8-0-pkg-mngr-exec.yaml | Integrity - Least | | | NIST_800-53_CM-7(4) |
| | Functionality deny execution | | | SI-4 process |
| | of package manager process in | | | NIST_800-53_SI-4 |
| | container | | | |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Adversaries may abuse a | 5 | Block | MITRE_T1609_container_administration_command |
| v0-8-0-k8s-client-tool-exec.yaml | container administration | | | MITRE_TA0002_execution |
| | service to execute commands | | | MITRE_T1610_deploy_container |
| | within a container. | | | MITRE NIST_800-53 NIST_800-53_AU-2 |
| | | | | NIST_800-53_SI-4 NIST |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | The adversary is trying to | 5 | Block | MITRE |
| v0-8-0-remote-file-copy.yaml | steal data. | | | MITRE_TA0008_lateral_movement |
| | | | | MITRE_TA0010_exfiltration |
| | | | | MITRE_TA0006_credential_access |
| | | | | MITRE_T1552_unsecured_credentials |
| | | | | NIST_800-53_SI-4(18) NIST |
| | | | | NIST_800-53 NIST_800-53_SC-4 |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | The adversary is trying to | 5 | Block | MITRE_execution |
| v0-8-0-write-in-shm-dir.yaml | write under shm folder | | | MITRE |
| | | | | |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | The adversary is trying to | 5 | Block | NIST_800-53_SI-7 NIST |
| v0-8-0-write-etc-dir.yaml | avoid being detected. | | | NIST_800-53_SI-4 NIST_800-53 |
| | | | | MITRE_T1562.001_disable_or_modify_tools |
| | | | | MITRE_T1036.005_match_legitimate_name_or_location |
| | | | | MITRE_TA0003_persistence |
| | | | | MITRE MITRE_T1036_masquerading |
| | | | | MITRE_TA0005_defense_evasion |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Adversaries may delete or | 5 | Block | NIST NIST_800-53 NIST_800-53_CM-5 |
| v0-8-0-shell-history-mod.yaml | modify artifacts generated | | | NIST_800-53_AU-6(8) |
| | within systems to remove | | | MITRE_T1070_indicator_removal_on_host |
| | evidence. | | | MITRE MITRE_T1036_masquerading |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Ensure events that modify the | 5 | Block | CIS CIS_Linux |
| v0-8-0-system-network-env-mod.yaml | system's network environment | | | CIS_4_Logging_and_Aduditing |
| | are collected | | | CIS_4.1.1_Data_Retention |
| | | | | CIS_4.1.7_system_network_environment |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | File Integrity Monitoring | 1 | Block | NIST NIST_800-53_AU-2 |
| v0-8-0-file-integrity- | | | | NIST_800-53_SI-4 MITRE |
| monitoring.yaml | | | | MITRE_T1036_masquerading |
| | | | | MITRE_T1565_data_manipulation |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
Deployment | kubearmor/kubearmor-annotation-manager
Container | kubearmor/kubearmor-annotation-manager:latest
OS | linux
Arch | amd64
Distro | debian
Output Directory | out/kubearmor-kubearmor-annotation-manager
policy-template version | v0.1.9
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| POLICY | SHORT DESC | SEVERITY | ACTION | TAGS |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | Restrict access to maintenance | 1 | Audit | PCI_DSS |
| manager-latest-maint-tools- | tools (apk, mii-tool, ...) | | | MITRE |
| access.yaml | | | | |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | Restrict access to trusted | 1 | Block | MITRE |
| manager-latest-trusted-cert- | certificated bundles in the OS | | | MITRE_T1552_unsecured_credentials |
| mod.yaml | image | | | |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | System Information Discovery | 3 | Block | MITRE |
| manager-latest-system-owner- | - block system owner discovery | | | MITRE_T1082_system_information_discovery |
| discovery.yaml | commands | | | |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | System and Information | 5 | Block | NIST NIST_800-53_AU-2 |
| manager-latest-write-under-bin- | Integrity - System Monitoring | | | NIST_800-53_SI-4 MITRE |
| dir.yaml | make directory under /bin/ | | | MITRE_T1036_masquerading |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | System and Information | 5 | Audit | NIST NIST_800-53_AU-2 |
| manager-latest-write-under-dev- | Integrity - System Monitoring | | | NIST_800-53_SI-4 MITRE |
| dir.yaml | make files under /dev/ | | | MITRE_T1036_masquerading |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | System and Information | 5 | Audit | NIST SI-4 |
| manager-latest-cronjob-cfg.yaml | Integrity - System Monitoring | | | NIST_800-53_SI-4 |
| | Detect access to cronjob files | | | CIS CIS_Linux |
| | | | | CIS_5.1_Configure_Cron |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | System and Information | 5 | Block | NIST |
| manager-latest-pkg-mngr-exec.yaml | Integrity - Least | | | NIST_800-53_CM-7(4) |
| | Functionality deny execution | | | SI-4 process |
| | of package manager process in | | | NIST_800-53_SI-4 |
| | container | | | |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | Adversaries may abuse a | 5 | Block | MITRE_T1609_container_administration_command |
| manager-latest-k8s-client-tool- | container administration | | | MITRE_TA0002_execution |
| exec.yaml | service to execute commands | | | MITRE_T1610_deploy_container |
| | within a container. | | | MITRE NIST_800-53 NIST_800-53_AU-2 |
| | | | | NIST_800-53_SI-4 NIST |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | The adversary is trying to | 5 | Block | MITRE |
| manager-latest-remote-file- | steal data. | | | MITRE_TA0008_lateral_movement |
| copy.yaml | | | | MITRE_TA0010_exfiltration |
| | | | | MITRE_TA0006_credential_access |
| | | | | MITRE_T1552_unsecured_credentials |
| | | | | NIST_800-53_SI-4(18) NIST |
| | | | | NIST_800-53 NIST_800-53_SC-4 |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | The adversary is trying to | 5 | Block | MITRE_execution |
| manager-latest-write-in-shm- | write under shm folder | | | MITRE |
| dir.yaml | | | | |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | The adversary is trying to | 5 | Block | NIST_800-53_SI-7 NIST |
| manager-latest-write-etc-dir.yaml | avoid being detected. | | | NIST_800-53_SI-4 NIST_800-53 |
| | | | | MITRE_T1562.001_disable_or_modify_tools |
| | | | | MITRE_T1036.005_match_legitimate_name_or_location |
| | | | | MITRE_TA0003_persistence |
| | | | | MITRE MITRE_T1036_masquerading |
| | | | | MITRE_TA0005_defense_evasion |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | Adversaries may delete or | 5 | Block | NIST NIST_800-53 NIST_800-53_CM-5 |
| manager-latest-shell-history- | modify artifacts generated | | | NIST_800-53_AU-6(8) |
| mod.yaml | within systems to remove | | | MITRE_T1070_indicator_removal_on_host |
| | evidence. | | | MITRE MITRE_T1036_masquerading |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | Ensure events that modify the | 5 | Block | CIS CIS_Linux |
| manager-latest-system-network-env- | system's network environment | | | CIS_4_Logging_and_Aduditing |
| mod.yaml | are collected | | | CIS_4.1.1_Data_Retention |
| | | | | CIS_4.1.7_system_network_environment |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
| kubearmor-kubearmor-annotation- | File Integrity Monitoring | 1 | Block | NIST NIST_800-53_AU-2 |
| manager-latest-file-integrity- | | | | NIST_800-53_SI-4 MITRE |
| monitoring.yaml | | | | MITRE_T1036_masquerading |
| | | | | MITRE_T1565_data_manipulation |
+-------------------------------------+--------------------------------+----------+--------+---------------------------------------------------+
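The tables above are the plain-text report that `karmor recommend` prints, one table per container image, with the policy file name, description and tag list wrapped across several lines of the same row. The parser below is an added example, not part of this gist or of the karmor tool; it turns that report into records so the Block-versus-Audit split per image can be reviewed before anything from the `out/` directory is applied. The `SAMPLE` text is a constructed excerpt modelled on three of the rows above; the only format assumptions are the ones visible on this page: `Key | Value` metadata lines, `+---` row separators and `|`-delimited cells, with wrapped policy names rejoined without spaces and wrapped descriptions rejoined with spaces.

```python
"""Parse the ASCII tables printed by `karmor recommend` into policy records.

Added example (not karmor's own code). Assumes the table layout shown in the gist.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    deployment: str
    container: str
    file: str          # generated policy file name, rejoined across wrapped lines
    desc: str
    severity: int
    action: str        # "Audit" or "Block"
    tags: list[str] = field(default_factory=list)


# Constructed excerpt, shortened from the report above; column widths do not matter.
SAMPLE = """\
Deployment | kubearmor/kubearmor-annotation-manager
Container | gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
OS | linux
Arch | amd64
Distro | debian
Output Directory | out/kubearmor-kubearmor-annotation-manager
policy-template version | v0.1.9
+-------------------------------------+--------------------------------+----------+--------+-----------------------------------------+
| POLICY                              | SHORT DESC                     | SEVERITY | ACTION | TAGS                                    |
+-------------------------------------+--------------------------------+----------+--------+-----------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | Restrict access to maintenance | 1        | Audit  | PCI_DSS                                 |
| v0-8-0-maint-tools-access.yaml      | tools (apk, mii-tool, ...)     |          |        | MITRE                                   |
|                                     |                                |          |        |                                         |
+-------------------------------------+--------------------------------+----------+--------+-----------------------------------------+
| gcr-io-kubebuilder-kube-rbac-proxy- | The adversary is trying to     | 5        | Block  | NIST_800-53_SI-7 NIST                   |
| v0-8-0-write-etc-dir.yaml           | avoid being detected.          |          |        | NIST_800-53_SI-4 NIST_800-53            |
|                                     |                                |          |        | MITRE_T1562.001_disable_or_modify_tools |
|                                     |                                |          |        | MITRE_TA0005_defense_evasion            |
+-------------------------------------+--------------------------------+----------+--------+-----------------------------------------+
Deployment | kubearmor/kubearmor-annotation-manager
Container | kubearmor/kubearmor-annotation-manager:latest
OS | linux
Arch | amd64
Distro | debian
Output Directory | out/kubearmor-kubearmor-annotation-manager
policy-template version | v0.1.9
+-------------------------------------+--------------------------------+----------+--------+-----------------------------------------+
| POLICY                              | SHORT DESC                     | SEVERITY | ACTION | TAGS                                    |
+-------------------------------------+--------------------------------+----------+--------+-----------------------------------------+
| kubearmor-kubearmor-annotation-     | File Integrity Monitoring      | 1        | Block  | NIST NIST_800-53_AU-2                   |
| manager-latest-file-integrity-      |                                |          |        | NIST_800-53_SI-4 MITRE                  |
| monitoring.yaml                     |                                |          |        | MITRE_T1565_data_manipulation           |
+-------------------------------------+--------------------------------+----------+--------+-----------------------------------------+
"""


def parse_recommend_output(text: str) -> list[Policy]:
    """Walk the report line by line; rows are accumulated until the next `+---` separator."""
    policies: list[Policy] = []
    meta: dict[str, str] = {}
    row: list[list[str]] = [[] for _ in range(5)]  # one buffer per column

    def flush() -> None:
        nonlocal row
        name_parts = [c.strip() for c in row[0]]
        # Skip the empty buffer before the header and the header row itself.
        if any(name_parts) and name_parts[0] != "POLICY":
            policies.append(Policy(
                deployment=meta.get("Deployment", ""),
                container=meta.get("Container", ""),
                file="".join(name_parts),                       # names wrap mid-token
                desc=" ".join(c.strip() for c in row[1] if c.strip()),
                severity=int(next(c.strip() for c in row[2] if c.strip())),
                action=next(c.strip() for c in row[3] if c.strip()),
                tags=" ".join(row[4]).split(),                  # tags are whitespace-separated
            ))
        row = [[] for _ in range(5)]

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("+"):
            flush()
        elif line.startswith("|"):
            cells = line.strip("|").split("|")
            if len(cells) != 5:
                raise ValueError(f"unexpected column count in row: {raw!r}")
            for buf, cell in zip(row, cells):
                buf.append(cell)
        elif " | " in line:                                     # "Container | image:tag" metadata
            key, _, value = line.partition(" | ")
            meta[key.strip()] = value.strip()
    return policies


def summarize(policies: list[Policy]) -> dict[str, dict[str, int]]:
    """Recommendations per container image, counted by action (Audit vs Block)."""
    out: dict[str, dict[str, int]] = {}
    for p in policies:
        per_image = out.setdefault(p.container, {})
        per_image[p.action] = per_image.get(p.action, 0) + 1
    return out


def needs_review(policies: list[Policy], min_severity: int = 5) -> list[str]:
    """Block policies at or above min_severity: the ones most likely to break a workload if applied blindly."""
    return [p.file for p in policies if p.action == "Block" and p.severity >= min_severity]


if __name__ == "__main__":
    parsed = parse_recommend_output(SAMPLE)
    for image, counts in summarize(parsed).items():
        print(image, counts)
    print("review before enforcing:", needs_review(parsed))
```

Policy names are joined without a separator because the report wraps them mid-token (for example `kubearmor-kubearmor-annotation-` followed by `manager-latest-file-integrity-` and `monitoring.yaml`), whereas descriptions and tags wrap at word boundaries. The `needs_review` list is the practical output: severity-5 Block recommendations such as `write-etc-dir` or `pkg-mngr-exec` deny whole classes of file writes or process executions, so they are worth running as Audit first and checking the resulting alerts against what the container legitimately does.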