[feat]: added exploit pfa intent (#120)

* added exploit pfa intent

Signed-off-by: Ved Ratan <[email protected]>

* added caldera documentation

Signed-off-by: Ved Ratan <[email protected]>

---------

Signed-off-by: Ved Ratan <[email protected]>

docs/attack-emulation/README.md

@@ -37,10 +37,16 @@ Before installing Caldera, ensure you have the following prerequisites:
    ```bash
    sudo apt-get install python3-pip
    ```
+6 **npm and node**: Install Node and Node Package Manager
+
+```bash
+curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
+nvm install node
+```
 
 ## Installation Steps
 
-Follow these steps to install and set up Caldera:
+Follow these steps to install and set up Caldera, you can skip step:4 and step:5 :
 
 1. **Clone the Caldera Repository**:
    ```bash

docs/attack-emulation/escape-to-host/README.md

@@ -9,7 +9,7 @@ Commands
 
 
 ```bash
-kubectl create -f https://raw.githubusercontent.com/5GSEC/nimbus/main/docs/attack-emulation/escape-to-host/pod.yaml
+kubectl create -f https://raw.githubusercontent.com/5GSEC/nimbus/main/docs/attack-emulation/pod.yaml
 ```
 
 ```bash

docs/attack-emulation/exploit-pfa/README.md

@@ -0,0 +1,87 @@
+
+## Defining Abilities
+
+Since exploit-pfa doesn't pre-exist in caldera abilities so we need to define the abilities by ourselves.
+
+### Create abilities
+
+Commands
+
+
+```bash
+kubectl create -f https://raw.githubusercontent.com/5GSEC/nimbus/main/docs/attack-emulation/pod.yaml
+```
+
+```bash
+kubectl get pods nginx 
+```
+
+```bash
+kubectl exec -it nginx -- /bin/bash -c "apt-get update && apt-get install -y git"
+```
+
+```bash
+kubectl exec -it nginx -- /bin/bash -c "cp /usr/bin/git /tmp/"
+```
+
+```bash
+kubectl exec -it nginx -- /bin/bash -c "/tmp/git clone https://github.com/thockin/test.git"
+```
+
+```bash
+kubectl delete pod nginx
+```
+
+### Create test pod
+
+![alt text](images/create-test-pod.png)
+
+### Get the pod
+
+![alt text](images/get-pod.png)
+
+### Install git
+
+![alt text](images/install-git.png)
+
+### Move git binary
+
+![alt text](images/move-git.png)
+
+## Clone a github repo
+
+![alt text](images/clone-repo.png)
+
+## Delete the test pod
+
+![alt text](images/delete-test-pod.png)
+
+## Create Adversary
+
+- `+` New Profile
+- `+` Add Ability
+
+![alt text](images/create-adversary.png)
+
+## Create Operation
+
+- `+` New Operation
+- set Adversary
+
+![alt text](images/operation.png)
+
+
+## Attack Emulation
+
+After creating the operation click on start to start the attack, optionally you can also check locally in your terminal that whether the caldera agent is working as expected or not.
+
+![alt text](images/emulation.png)
+
+
+
+## Mitigation
+
+For the mitigation of `Exploit-PFA` we need nimbus-kuberamor adapter to be in-place:
+- First we need to install nimbus, you can do so by following the steps over [here](../../docs/getting-started.md#nimbus).
+- Now you can follow the guide [here](../../docs/getting-started.md#nimbus-kubearmor) to install nimbus-kubearmor adapter.
+- Now apply the escape-host-intent in your cluster as defined [here](../../examples/namespaced/exploit-pfa-si

docs/attack-emulation/escape-to-host/pod.yaml → docs/attack-emulation/pod.yaml

@@ -2,6 +2,8 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: nginx
+  labels:
+    app: nginx
 spec:
   containers:
   - image: nginx

examples/namespaced/exploit-pfa-si-sib.yaml

@@ -0,0 +1,27 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+  name: exploit-pfa
+spec:
+  intent:
+    id: PreventExecutionFromTempOrLogsFolders
+    description: "Mitigate the execution of harmful binaries which may result in exploiting public facing application"
+    action: Block
+---
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+  name: exploit-pfa-binding
+spec:
+  intents:
+    - name: exploit-pfa
+  selector:
+    any:
+      - resources:
+          kind: Pod
+          namespace: default
+          matchLabels:
+            app: nginx

pkg/adapter/idpool/idpool.go

@@ -19,11 +19,12 @@ const (
 	EscapeToHost              = "escapeToHost"
 	DisallowChRoot            = "disallowChRoot"
 	DisallowCapabilities      = "disallowCapabilities"
+	ExploitPFA                = "PreventExecutionFromTempOrLogsFolders"
 )
 
 // KaIds are IDs supported by KubeArmor.
 var KaIds = []string{
-	SwDeploymentTools, UnAuthorizedSaTokenAccess, DNSManipulation, EscapeToHost,
+	SwDeploymentTools, UnAuthorizedSaTokenAccess, DNSManipulation, EscapeToHost, ExploitPFA,
 }
 
 // list of policies which satisfies the given ID by Kubearmor

pkg/adapter/nimbus-kubearmor/processor/kspbuilder.go

@@ -64,6 +64,8 @@ func buildKspFor(id string) kubearmorv1.KubeArmorPolicy {
 		return disallowChRoot()
 	case idpool.DisallowCapabilities:
 		return disallowCapabilities()
+	case idpool.ExploitPFA:
+		return disallowBinaries()
 	default:
 		return kubearmorv1.KubeArmorPolicy{}
 	}
@@ -265,6 +267,47 @@ func disallowChRoot() kubearmorv1.KubeArmorPolicy {
 }
 
 
+func disallowBinaries() kubearmorv1.KubeArmorPolicy { // ref: https://www.tenable.com/audits/items/search?q=noexec&sort=&page=1
+	return kubearmorv1.KubeArmorPolicy{
+		Spec: kubearmorv1.KubeArmorPolicySpec{
+			File: kubearmorv1.FileType{
+				MatchDirectories: []kubearmorv1.FileDirectoryType{
+					{
+						Directory: "/var/tmp/",
+						Recursive: true,
+					},
+					{
+						Directory: "/tmp/",
+						Recursive: true,
+					},
+					{
+						Directory: "/var/log/",
+						Recursive: true,
+					},
+					{
+						Directory: "/app/logs/",
+						Recursive: true,
+					},
+					{
+						Directory: "/logs/",
+						Recursive: true,
+					},
+					{
+						Directory: "/etc/",
+						Recursive: true,
+					},
+					{
+						Directory: "/usr/lib/",
+						Recursive: true,
+					},
+				},
+				Action: kubearmorv1.ActionType("Block"),
+			},
+		},
+	}
+}
+
+
 func addManagedByAnnotation(ksp *kubearmorv1.KubeArmorPolicy) {
 	ksp.Annotations = make(map[string]string)
 	ksp.Annotations["app.kubernetes.io/managed-by"] = "nimbus-kubearmor"