armosec / kubecop
Runtime detection and response for malicious events in Kubernetes workloads
License: Apache License 2.0
We need to decide what to do in case of collisions between bindings.
For severity we can take the highest.
What should we do with the parameters? How to merge them?
@slashben
We are now able to use rule ID/rule tags in bindings.
Exclude the following namespaces in the default bindings the chart installs:
Replace the current use of the annotation "kapprofiler.kubescape.io/final" with some checksum mechanism in order to prevent tampering with CRDs.
Looks like we are leaking in the ARMO Dev environment.
~100Mb per node agent per 6h
The Rules readme.md consistently uses the term whitelist. This needs to be replaced with allowlist.
In the event the term blacklist is used, it should be replaced with denylist.
When recording application profiles, KubeCop needs to discard:
/proc
They cause inflated application profiles.
Must be able to control it from Helm chart.
Control both:
As a SecOps engineer, when I see an alert, I want to silence it or silence similar alerts by similar labels.
Point to the README of the specific rule so that when the user clicks, they see the description of the rule.
We want to include the fix proposal in the AlertManager message:
Goal of the test is to make sure that
Therefore the test scenario that is needed is:
E1220 09:49:38.038858 89254 portforward.go:409] an error occurred forwarding 6060 -> 6060: error forwarding port 6060 to pod e52a0f5cfdbcc82342666c3d7292e7409646728b10a6497a8c4ca20e93fe3aea, uid : exit status 1: 2023/12/20 07:49:38 socat[57476] E connect(5, AF=2 127.0.0.1:6060, 16): Connection refused
error: lost connection to pod
Exception in thread Thread-2 (record):
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 700, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 446, in _make_request
six.raise_from(e, None)
File "<string>", line 3, in raise_from
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 441, in _make_request
httplib_response = conn.getresponse()
File "/usr/lib/python3.10/http/client.py", line 1375, in getresponse
response.begin()
File "/usr/lib/python3.10/http/client.py", line 318, in begin
version, status, reason = self._read_status()
File "/usr/lib/python3.10/http/client.py", line 287, in _read_status
raise RemoteDisconnected("Remote end closed connection without"
http.client.RemoteDisconnected: Remote end closed connection without response
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 756, in urlopen
retries = retries.increment(
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 532, in increment
raise six.reraise(type(error), error, _stacktrace)
File "/usr/lib/python3/dist-packages/six.py", line 718, in reraise
raise value.with_traceback(tb)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 700, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 446, in _make_request
six.raise_from(e, None)
File "<string>", line 3, in raise_from
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 441, in _make_request
httplib_response = conn.getresponse()
File "/usr/lib/python3.10/http/client.py", line 1375, in getresponse
response.begin()
File "/usr/lib/python3.10/http/client.py", line 318, in begin
version, status, reason = self._read_status()
File "/usr/lib/python3.10/http/client.py", line 287, in _read_status
raise RemoteDisconnected("Remote end closed connection without"
urllib3.exceptions.ProtocolError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.10/threading.py", line 1016, in _bootstrap_inner
self.run()
File "/usr/lib/python3.10/threading.py", line 953, in run
self._target(*self._args, **self._kwargs)
File "/home/amit/armo/kubecop/system-tests/pprof.py", line 29, in record
response = requests.get(url)
File "/usr/lib/python3/dist-packages/requests/api.py", line 76, in get
return request('get', url, params=params, **kwargs)
File "/usr/lib/python3/dist-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 544, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 657, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 498, in send
raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
Created file 100 times
Created file 600 times
Created file 1100 times
Created file 1600 times
Created file 2100 times
Created file 2600 times
Created file 3100 times
Created file 3600 times
Created file 4100 times
Created file 4600 times
Created file 5100 times
Created file 5600 times
Created file 6100 times
Created file 6600 times
Created file 7100 times
Created file 7600 times
Created file 8100 times
Created file 8600 times
Created file 9100 times
Created file 9600 times
Waiting 300 seconds to GC to run
This is needed to validate the rule - R0006
The goal of this test is to make sure that both rules that need an application profile and those that do not are enforced after a new application is installed:
The open whitelisting rule should be configurable to skip validation of file open events that occur in a path mounted from a volume.
This is an optional feature (on by default).
~50% of the time when a container starts, the application profile does not include exec or other data (except syscalls).
Steps to reproduce
On every PR
On release
5. Run unit tests
6. Run component tests
7. Build image and push
The ClamAV team has just released a new Docker image that is built for multi-arch systems:
https://blog.clamav.net/2024/01/clamav-debian-multi-arch-docker-images.html
Add a rule that alerts when the container accesses the service account token (/run/secrets/kubernetes.io/serviceaccount) when the application profile does not show access to it.
It should be a critical issue.
Add build support for ARM linux images in the release process
We need to get not just the syscall but also its parameters, so we can tell, for example, whether a ptrace attach occurred.
Implement alert sink that can channel alerts to AlertManager
The current state is that we filter out unnecessary container events on the user-space side. This does not lead to good performance. Use IG to filter the eBPF event streams using kernel-side mechanisms.