diff --git a/intents/core/1_protectAsset.yaml b/intents/core/1_protectAsset.yaml new file mode 100644 index 00000000..9d7d6e29 --- /dev/null +++ b/intents/core/1_protectAsset.yaml @@ -0,0 +1,28 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: [intent-name] + namespace: [intent-namespace] +spec: + selector: + match: + any: + - resources: + names: [target-name] + kinds: [target-kind] + namespaces: [target-namespace] + matchLabels: + [key: value] + cel: + - xxxx + intent: + group: core + ID: protectFile + params: + - path: /etc/shadow + - AllowBinary: + - /free5gc/webconsole + - /free5gc/webApp \ No newline at end of file diff --git a/intents/core/2_protectPort.yaml b/intents/core/2_protectPort.yaml new file mode 100644 index 00000000..6fc49d88 --- /dev/null +++ b/intents/core/2_protectPort.yaml @@ -0,0 +1,28 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: [intent-name] + namespace: [intent-namespace] +spec: + selector: + match: + any: + - resources: + names: [target-name] + kinds: [target-kind] + namespaces: [target-namespace] + matchLabels: + [key: value] + cel: + - xxxx + intent: + group: core + ID: protectPort # will generate rules for all protocols + params: + - port: 5000 + - AllowBinary + - /free5gc/webconsole + - /free5gc/webapp \ No newline at end of file diff --git a/intents/core/3_ownnerOnly.yaml b/intents/core/3_ownnerOnly.yaml new file mode 100644 index 00000000..1c49a768 --- /dev/null +++ b/intents/core/3_ownnerOnly.yaml @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: [intent-name] + namespace: [intent-namespace] +spec: + selector: + match: + any: + - resources: + names: [target-name] + kinds: [target-kind] + namespaces: [target-namespace] + matchLabels: + [key: value] + cel: + - xxxx + intent: + group: core + ID: ownerOnly # The executable in the path can be invoked by ownerOnly + params: + - path: /home/5gc/myexec \ No newline at end of file diff --git a/intents/core/4_blockAsset.yaml b/intents/core/4_blockAsset.yaml new file mode 100644 index 00000000..01ea1e27 --- /dev/null +++ b/intents/core/4_blockAsset.yaml @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: [intent-name] + namespace: [intent-namespace] +spec: + selector: + match: + any: + - resources: + names: [target-name] + kinds: [target-kind] + namespaces: [target-namespace] + matchLabels: + [key: value] + cel: + - xxxx + intent: + group: core + ID: blockAsset # Nobody can access below paths + params: + - path: /home/5gc/ \ No newline at end of file diff --git a/intents/core/5_blockRawSocket.yaml b/intents/core/5_blockRawSocket.yaml new file mode 100644 index 00000000..865ec220 --- /dev/null +++ b/intents/core/5_blockRawSocket.yaml @@ -0,0 +1,23 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: [intent-name] + namespace: [intent-namespace] +spec: + selector: + match: + any: + - resources: + names: [target-name] + kinds: [target-kind] + namespaces: [target-namespace] + matchLabels: + [key: value] + cel: + - xxxx + intent: + group: core + ID: blockRawSocket # No raw sockets can be accessed \ No newline at end of file diff --git a/intents/template-intent.yaml b/intents/template-intent.yaml new file mode 100644 index 00000000..faad72a0 --- /dev/null +++ b/intents/template-intent.yaml @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +apiVersion: intent.security.nimbus.com/v1 +kind: SecurityIntent +metadata: + name: [intent-name] + namespace: [intent-namespace] +spec: + selector: + match: + any: + - resources: + names: [target-name] + kinds: [target-kind] + namespaces: [target-namespace] + matchLabels: + [key: value] + cel: + - xxxx + intent: + group: oran/core + ID: protectFile, protectPort, ownerOnly, blockAsset, blockRawsocket + params: \ No newline at end of file diff --git a/pkg/api/v1/securityintent_types.go b/pkg/api/v1/securityintent_types.go index 671198c1..918d5555 100644 --- a/pkg/api/v1/securityintent_types.go +++ b/pkg/api/v1/securityintent_types.go @@ -3,9 +3,7 @@ package v1 -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) +import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN! // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. @@ -15,76 +13,46 @@ type SecurityIntentSpec struct { // INSERT ADDITIONAL SPEC FIELDS - desired state of cluster // Important: Run "make" to regenerate code after modifying this file - Intent Intent `json:"intent"` // Define the details of the security policy. + Intents []Intent `json:"intent"` // Define the details of the security policy. } // Intent defines the security policy details type Intent struct { - Description string `json:"description,omitempty"` // Define the description - Action string `json:"action"` // Define the action of the policy - Type string `json:"type"` // Defines the type of the policy - Resource []Resource `json:"resource"` // Define the resources to which the security policy applies + Description string `json:"description,omitempty"` // Define the description + Group string `json:"type"` // Defines the type of the policy + ID string `json:"resource"` // Define the resources to which the security policy applies + Params IntentParams `json:"params"` } // Resource defines the resources that the security policy applies to -type Resource struct { - Network []Network `json:"network,omitempty"` - Process []Process `json:"process,omitempty"` - File []File `json:"file,omitempty"` - Capabilities []Capabilities `json:"capabilities,omitempty"` - Syscalls []Syscalls `json:"syscalls,omitempty"` - FromCIDRSet []CIDRSet `json:"fromCIDRSet,omitempty"` - ToPorts []ToPort `json:"toPorts,omitempty"` -} - -// Network defines the network-related policies -type Network struct { - MatchProtocols []MatchProtocol `json:"matchProtocols,omitempty"` -} - -// Process defines the process-related policies -type Process struct { - MatchPaths []MatchPath `json:"matchPaths,omitempty"` - MatchDirectories []MatchDirectory `json:"matchDirectories,omitempty"` - MatchPatterns []MatchPattern `json:"matchPatterns,omitempty"` -} - -// File defines the file-related policies -type File struct { - MatchPaths []MatchPath `json:"matchPaths,omitempty"` - MatchDirectories []MatchDirectory `json:"matchDirectories,omitempty"` -} +type IntentParams struct { + File ProtectFile `json:"protectFile,omitempty"` + Port ProtectPort `json:"protectPort,omitempty"` -// Capabilities defines the capabilities-related policies -type Capabilities struct { - MatchCapabilities []MatchCapability `json:"matchCapabilities,omitempty"` -} + // Only Owner can access file + OwnerOnly File `json:"ownerOnly,omitempty"` -// Syscalls defines the syscalls-related policies -type Syscalls struct { - MatchSyscalls []MatchSyscall `json:"matchSyscalls,omitempty"` -} + // File cannot be accessed by anybody + BlockAsset File -// CIDRSet defines CIDR ranges for network policies -type CIDRSet struct { - CIDR string `json:"cidr,omitempty"` + // BlockRawSocket: does not have parameters } -// ToPort defines ports and protocols for network policies -type ToPort struct { - Ports []Port `json:"ports,omitempty"` +// ProtectFile will ensure only AllowBinaries can access the File +type ProtectFile struct { + File string `json:"port,omitempty"` + AllowBinaries File `json:"allowBinaries,omitempty"` } -// Port defines a network port and its protocol -type Port struct { - Port string `json:"port,omitempty"` - Protocol string `json:"protocol,omitempty"` +// ProtectPort will ensure only AllowBinaries can access Port +type ProtectPort struct { + Port string `json:"port,omitempty"` + AllowBinaries File `json:"allowBinaries,omitempty"` } -// MatchProtocol defines a protocol for network policies -type MatchProtocol struct { - Protocol string `json:"protocol,omitempty"` - FromSource []FromSource `json:"fromSource,omitempty"` +// File defines the file-related policies +type File struct { + MatchPaths []MatchPath `json:"matchPaths,omitempty"` } // MatchPath defines a path for process or file policies @@ -92,33 +60,6 @@ type MatchPath struct { Path string `json:"path,omitempty"` } -// MatchDirectory defines a directory for process or file policies -type MatchDirectory struct { - Directory string `json:"dir,omitempty"` - Recursive bool `json:"recursive,omitempty"` - FromSource []FromSource `json:"fromSource,omitempty"` -} - -// MatchPattern defines a pattern for process policies -type MatchPattern struct { - Pattern string `json:"pattern,omitempty"` -} - -// MatchSyscall defines a syscall for syscall policies -type MatchSyscall struct { - Syscalls []string `json:"syscalls,omitempty"` -} - -// MatchCapability defines a capability for capabilities policies -type MatchCapability struct { - Capability string `json:"capability,omitempty"` -} - -// FromSource defines a source path for directory-based policies -type FromSource struct { - Path string `json:"path,omitempty"` -} - // SecurityIntentStatus defines the observed state of SecurityIntent type SecurityIntentStatus struct { // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster