Update default rule binding
Signed-off-by: Afek Berger <afekb@armosec.io>
afek854 committed Nov 17, 2024
1 parent def694f commit 101ebc4
Showing 3 changed files with 38 additions and 111 deletions.
125 changes: 28 additions & 97 deletions tests/chart/crds/runtime-rule-binding.crd.yaml
Expand Up @@ -13,155 +13,86 @@ spec:
scope: Cluster
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
namespaceSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
type: array
type: object
type: array
matchLabels:
type: object
additionalProperties:
type: string
type: object
type: object
podSelector:
type: object
properties:
matchExpressions:
type: array
items:
type: object
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
type: array
type: object
type: array
matchLabels:
type: object
additionalProperties:
type: string
type: object
type: object
rules:
type: array
items:
type: object
oneOf:
- not:
anyOf:
- required:
- ruleID
- required:
- ruleName
required:
- ruleTags
- required: ["ruleID"]
- required: ["ruleName"]
required: ["ruleTags"]
- not:
anyOf:
- required:
- ruleTags
- required:
- ruleName
required:
- ruleID
- required: ["ruleTags"]
- required: ["ruleName"]
required: ["ruleID"]
- not:
anyOf:
- required:
- ruleTags
- required:
- ruleID
required:
- ruleName
- required: ["ruleTags"]
- required: ["ruleID"]
required: ["ruleName"]
properties:
parameters:
additionalProperties: true
type: object
additionalProperties: true
ruleID:
enum:
- R0001
- R0002
- R0003
- R0004
- R0005
- R0006
- R0007
- R1000
- R1001
- R1002
- R1003
- R1004
- R1005
- R1006
- R1007
- R1008
- R1009
type: string
ruleName:
enum:
- Unexpected process launched
- Unexpected file access
- Unexpected system call
- Unexpected capability used
- Unexpected domain request
- Unexpected Service Account Token Access
- Kubernetes Client Executed
- Exec from malicious source
- Exec Binary Not In Base Image
- Kernel Module Load
- Malicious SSH Connection
- Exec from mount
- Fileless Execution
- Unshare System Call usage
- XMR Crypto Mining Detection
- Crypto Mining Domain Communication
- Crypto Mining Related Port Communication
type: string
ruleTags:
type: array
items:
enum:
- base image
- binary
- capabilities
- connection
- crypto
- dns
- escape
- exec
- kernel
- load
- malicious
- miners
- module
- mount
- network
- open
- port
- signature
- ssh
- syscall
- token
- unshare
- whitelisted
type: string
type: array
severity:
type: string
type: object
type: array
type: object
type: object
served: true
storage: true
type: string
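Review bot: With the enum lists gone from ruleID, ruleName and ruleTags (they appear only on the removed side of this hunk; the surviving entries are plain `type: string`), the API server will now accept a binding whose ruleName matches no rule, and the companion change in tests/component_test.go deletes the invalid-name/id/tag checks rather than replacing them, so nothing covers that case any more. A mistyped rule name in a binding, including the new entries in tests/chart/templates/node-agent/default-rule-binding.yaml, would then be admitted and silently bind to nothing. If the enum is being dropped so new rules can ship without a CRD change, state that in the schema, e.g. `description: Rule name as reported by node-agent; not validated at admission, an unknown name matches no rule.` under ruleName, and keep a test asserting that an unknown name is surfaced by the agent rather than ignored. The spec block this hunk edits begins before line 13, outside what is shown.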
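--- a/tests/chart/templates/node-agent/default-rule-binding.yaml
+++ b/tests/chart/templates/node-agent/default-rule-binding.yaml
@@ -32,4 +32,13 @@ spec:
 - ruleName: "XMR Crypto Mining Detection"
 - ruleName: "Exec from mount"
 - ruleName: "Crypto Mining Related Port Communication"
-- ruleName: "Crypto Mining Domain Communication"
+- ruleName: "Crypto Mining Domain Communication"
+- ruleName: "Read Environment Variables from procfs"
+- ruleName: "eBPF Program Load"
+- ruleName: "Symlink Created Over Sensitive File"
+- ruleName: "Unexpected Sensitive File Access"
+- ruleName: "Hardlink Created Over Sensitive File"
+- ruleName: "Exec to pod"
+- ruleName: "Port forward"
+- ruleName: "Unexpected Egress Network Traffic"
+- ruleName: "Malicious Ptrace Usage"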
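--- a/tests/component_test.go
+++ b/tests/component_test.go
@@ -399,19 +399,6 @@ func Test_07_RuleBindingApplyTest(t *testing.T) {
 assert.Equal(t, 0, exitCode, "Error applying valid rule binding")
 _ = testutils.RunCommand("kubectl", "delete", "-f", ruleBindingPath("all-valid.yaml"))
 
-// invalid fields
-file := ruleBindingPath("invalid-name.yaml")
-exitCode = testutils.RunCommand("kubectl", "apply", "-f", file)
-assert.NotEqualf(t, 0, exitCode, "Expected error when applying rule binding '%s'", file)
-
-file = ruleBindingPath("invalid-id.yaml")
-exitCode = testutils.RunCommand("kubectl", "apply", "-f", file)
-assert.NotEqualf(t, 0, exitCode, "Expected error when applying rule binding '%s'", file)
-
-file = ruleBindingPath("invalid-tag.yaml")
-exitCode = testutils.RunCommand("kubectl", "apply", "-f", file)
-assert.NotEqualf(t, 0, exitCode, "Expected error when applying rule binding '%s'", file)
-
 // duplicate fields
 file = ruleBindingPath("dup-fields-name-tag.yaml")
 exitCode = testutils.RunCommand("kubectl", "apply", "-f", file)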
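Review bot: After this deletion `file = ruleBindingPath("dup-fields-name-tag.yaml")` in the kept "duplicate fields" block has no declaration left in scope — the `file := ruleBindingPath("invalid-name.yaml")` that introduced the variable is in the removed lines — so the test package will fail to compile with `undefined: file` unless `file` is declared above line 399, outside the hunk. Change that line to `file := ruleBindingPath("dup-fields-name-tag.yaml")`. Test_07_RuleBindingApplyTest starts before this hunk and continues past it.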
