Commit

First commit
Daniel-GrunbergerCA committed Sep 1, 2021
0 parents commit dab452f
Showing 184 changed files with 7,966 additions and 0 deletions.
55 changes: 55 additions & 0 deletions .github/workflows/export.yaml
@@ -0,0 +1,55 @@
name: export

on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
types: [ closed ]

jobs:
once:
name: Create release
runs-on: ubuntu-latest
outputs:
upload_url: ${{ steps.create_release.outputs.upload_url }}
steps:
- name: Create a release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: v1.0.${{ github.run_number }}
release_name: Release v1.0.${{ github.run_number }}
draft: false
prerelease: false
build:
name: Create cross-platform release build, tag and upload binaries
needs: once
runs-on: ubuntu-latest
strategy:
matrix:
framework: [ mitre, nsa, developer_framework ]
steps:
- uses: actions/checkout@v2
name: checkout repo content

- name: setup python
uses: actions/setup-python@v2
with:
python-version: 3.8 #install the python needed
- name: execute py script # run the run.py to get the latest data
run: |
python export.py
- name: Upload Release Asset
id: upload-release-asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.once.outputs.upload_url }}
asset_path: release/${{ matrix.framework }}.json
asset_name: release-${{ matrix.framework }}
asset_content_type: application/octet-stream
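Review bot: the `pull_request` trigger with `types: [ closed ]` also fires for pull requests that are closed without being merged, so the `once` job would cut a release tagged `v1.0.<run_number>` for rejected PRs; gate the job with `if: github.event_name == 'push' || github.event.pull_request.merged == true`. Smaller points in the same hunk: the comment `# run the run.py to get the latest data` does not match the command `python export.py`; `actions/create-release@v1` and `actions/upload-release-asset@v1` are archived, unmaintained actions, and pinning them (and `actions/checkout@v2`) to a commit SHA instead of a moving tag keeps the release pipeline's supply chain reproducible; and `asset_content_type: application/octet-stream` is wrong for the `.json` assets, which should be `application/json`.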
16 changes: 16 additions & 0 deletions .gitignore
@@ -0,0 +1,16 @@
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib

# Test binary, built with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out

# Dependency directories (remove the comment below to include it)
# vendor/
.vscode/*
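Review bot: these patterns are the stock Go template (`*.exe`, `*.test`, `*.out`, `# vendor/`), but this commit adds only JSON, YAML and Markdown, so the comments are misleading for anyone maintaining the file. `.vscode/*` is ignored here while `.idea/.gitignore` is committed in the same change; add `.idea/` to this file and drop the committed IDE file so editor state is handled consistently.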
3 changes: 3 additions & 0 deletions .idea/.gitignore
18 changes: 18 additions & 0 deletions README.md
@@ -0,0 +1,18 @@
# Regostore
Here we store regos

### [MITRE Framework](https://www.microsoft.com/security/blog/wp-content/uploads/2021/03/Matrix-1536x926.png)

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access| Discovery | Lateral Movement | Collection | Impact |
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
|Using Cloud credentials|[Exec into container](/controls/execintocontainer.json)|[Backdoor container](/controls/backdoorcontainer.json)|[Privileged container](/controls/privilegedcontainer.json)|[Clear container logs](/controls/clearcontainerlogs.json)|[List k8s secrets](/controls/ListKubernetessecrets.json)|[Access the K8S API server](/controls/accessthek8sAPIserver.json)|Access cloud resources|[Image from private registery](/controls/imagefromPrivateRegistry.json)|[Data Destruction](/controls/datadestruction.json) ||
|[Compromised Image in registery](/controls/compromisedimagesinregistry.json)| [bash/cmd inside container](/controls/bash-cmdinsidecontainer.json)|[Writable hostPath mount](/controls/writablehostPathmount.json)|[Cluster-admin binding](/controls/cluster-adminbinding.json)|[Delete K8S events](/controls/deleteKubernetesevents.json)|[Mount service principal](/controls/mountserviceprincipal.json)|[Access Kubelet API](/controls/accesskubeletAPI.json)|[Container service account](/controls/accesscontainerserviceaccount.json)||[Resources Hijacking](/controls/resourcehijacking.json)||
|kubeconfig file|[New container](/controls/newcontainer.json)|[kubernetes CronJob](/controls/kubernetescronJob.json)|[hostPath mount](/controls/hostPathmount.json)|[Pod/Container name similarity](/controls/namesimilarity.json)|[Access container service account](/controls/accesscontainerserviceaccount.json)|[Network mapping](/controls/networkmapping.json)|[Cluster internal networking](/controls/clusterInternalnetworking.json)||Denial of service||
|[Application vulnerability](/controls/vulnerableapplication.json)|[Application Exploit (RCE)](/controls/applicationexploitRCE.json)|[Malicious admission controller](/controls/maliciousadmissioncontroller-mutating.json)|Access cloud resources| Connect from Proxy server| [Application credentials in configuration files](/controls/Applicationscredentialsinconfigurationfiles.json)|[Access kubernetes dashboard](/controls/accessk8sdashboard.json)|[Application credentials in configuration](/controls/Applicationscredentialsinconfigurationfiles.json)|||||
|[Exposed Dashboard](/controls/exposeddashboard.json)|[SSH server running insider container](/controls/SSHserverrunninginsidecontainer.json)||||Access managed identity credentials|[instance Metadata API](/controls/instancemetadataAPI..json)|[Writable volume mounts on the host](/controls/writablehostPathmount.json)||||
|[Exposed sensitive interface](/controls/exposedsensitiveinterfaces.json)|[Sidecar injection](/controls/sidecarinjection.json)||||[Malicious admission controller](/controls/maliciousadmissioncontroller-validating.json)||[Access kubernetes dashboard](/controls/accessk8sdashboard.json)||||
||||||||[access tiller endpoint](/controls/accesstillerendpoint.json)|||||
||||||||[CoreDNS poisoning](/controls/coreDNSpoisoning.json)|||||
||||||||ARP and IP spoofing|||||

### [NSA Framework](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/)
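Review bot: the Discovery-column link `/controls/instancemetadataAPI..json` has a double dot before the extension and will 404 unless the file really carries that name; check it against the controls directory. The header declares 10 columns but every row ends in `||`, giving 11 or 12 cells, which renders an extra empty column on GitHub; trim the trailing pipes. Typos in cell text: "registery" (twice) and "SSH server running insider container". The `### NSA Framework` heading has no table under it, so either add the table or note that it is pending. "Here we store regos" could say what a rego is in this repository (OPA Rego rules referenced by the control files under `controls/`).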
11 changes: 11 additions & 0 deletions controls/Applicationscredentialsinconfigurationfiles.json
@@ -0,0 +1,11 @@
{
"name": "Applications credentials in configuration files",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Credential access","Lateral Movement"]
},
"description": "Attackers who have access to configuration files can steal the stored secrets and use them. Checks if ConfigMaps or pods have sensitive information in configuration.",
"remediation": "Use Kubernetes secrets to store credentials. Use ARMO secret protection solution to improve your security even more.",
"rulesNames": ["rule-credentials-in-env-var", "rule-credentials-configmap"
]
}
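Review bot: `microsoftMitreColumns` mixes "Credential access" with "Lateral Movement" in the same list, and other controls in this commit write "Privilege escalation", "Lateral movement" and "Defense Evasion"; if `export.py` groups controls by these strings, the casing variants become separate columns. Normalize to the spelling used in the README table ("Credential Access", "Lateral Movement", "Privilege Escalation") or compare case-insensitively in the exporter. The `rulesNames` array also opens on the same line as its first element but closes `]` on its own line, in this and every other control file; run the files through a JSON formatter before they are consumed by tooling.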
11 changes: 11 additions & 0 deletions controls/ListKubernetessecrets.json
@@ -0,0 +1,11 @@
{
"name": "List Kubernetes secrets",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Credential access"]
},
"description": "Attackers who have permissions to access secrets can access sensitive information that might include credentials to various services. Determines which subjects can list/get secrets.",
"remediation": "Monitor and approve users and service accounts that can access secrets. You can also protect these secrets using ARMO runtime protection.",
"rulesNames": [ "rule-can-list-get-secrets"
]
}
11 changes: 11 additions & 0 deletions controls/SSHserverrunninginsidecontainer.json
@@ -0,0 +1,11 @@
{
"name": "SSH server running inside container",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Execution"]
},
"description": "An SSH server that is running inside a container may be used by attackers to get remote access to the container. Checks if pods have an open SSH port (22/2222).",
"remediation": "Remove SSH from the container image or limit the access to the SSH server using network policy (Native or ARMO runtime protection).",
"rulesNames": [ "rule-can-ssh-to-pod"
]
}
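Review bot: the description says the check is "if pods have an open SSH port (22/2222)", which is a port-number heuristic: it misses an sshd listening elsewhere and flags unrelated services on those ports, so state that limitation in the description rather than implying the rule detects an SSH server. The rule name `rule-can-ssh-to-pod` suggests reachability, not presence of a daemon; align the name with what the rule inspects.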
11 changes: 11 additions & 0 deletions controls/accesscontainerserviceaccount.json
@@ -0,0 +1,11 @@
{
"name": "Access container service account",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Credential access"]
},
"description": "Attackers who get access to a pod can access the SA and perform actions in the cluster, according to the SA permissions. Determines which service accounts can be used to access other resources in the cluster.",
"remediation": "If RBAC is not enabled, you should enable RBAC (refer to the API server documentation). If RBAC is enabled, make sure that you apply least privilege. Monitor and approve privileges of workloads which use kube-api.",
"rulesNames": [ "access-container-service-account"
]
}
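Review bot: rule naming is inconsistent across this commit: `access-container-service-account` here, and `anonymous-requests`, `internal-networking`, `alert-rw-hostpath` and `access-tiller-endpoint` elsewhere, versus the `rule-` prefix used by most files. Pick one convention now, since renaming later breaks any consumer keyed on `rulesNames` in the exported frameworks. "the SA" in the description should be spelled out as "the service account" on first use.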
11 changes: 11 additions & 0 deletions controls/accessk8sdashboard.json
@@ -0,0 +1,11 @@
{
"name": "Access Kubernetes dashboard",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Discovery","Lateral Movement"]
},
"description": "Attackers who gain access to the dashboard service account or have its RBAC permissions can use its network access to retrieve information about resources in the cluster or change them. Checks if subject that is not dashboard service account is bound to dashboard role/clusterrole, or - if anyone that is not dashboard pod is associated with its service account.",
"remediation": "Make sure that the “Kubernetes Dashboard” service account is only bound to the Kubernetes dashboard following the least privilege principle.",
"rulesNames": ["rule-access-dashboard"
]
}
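Review bot: the second sentence of the description is a fragment ("Checks if subject that is not dashboard service account is bound to ... or - if anyone that is not dashboard pod is associated with its service account"); suggest "Checks whether any subject other than the dashboard service account is bound to the dashboard Role/ClusterRole, and whether any pod other than the dashboard uses that service account." The remediation uses typographic quotes (“Kubernetes Dashboard”) where the other files use ASCII; valid JSON, but inconsistent.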
11 changes: 11 additions & 0 deletions controls/accesskubeletAPI.json
@@ -0,0 +1,11 @@
{
"name": "Access Kubelet API",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Discovery"]
},
"description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.",
"remediation": "Define network policy (native kubernetes or using ARMO runtime protection). Use ARMO runtime protection capabilities to monitor network traffic.",
"rulesNames": [
]
}
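Review bot: `rulesNames` is empty, so this control evaluates nothing and will report clean in every scan; either add the rule or flag the control as not yet implemented in `attributes` so the exporter can exclude it. The description gives the read-only port URLs with an `https://` scheme, but the kubelet read-only port (10255) serves plain HTTP; 10250 is the authenticated HTTPS port. The remediation should also name the direct fix, disabling the read-only port with the kubelet flag `--read-only-port=0`, rather than relying on network policy alone.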
10 changes: 10 additions & 0 deletions controls/accesstillerendpoint.json
@@ -0,0 +1,10 @@
{
"name": "Access tiller endpoint",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Lateral movement"]
},
"description":" Attackers may run code on any container that is accessible to the tiller’s service and perform actions in the cluster, using the tiller’s service account, which often has high privileges. Checks if Tiller exists in cluster.",
"remediation": "Use version higher than 2 of Helm which doesn’t use Tiller",
"rulesNames": ["access-tiller-endpoint"]
}
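Review bot: the `description` value starts with a leading space (`" Attackers`) and `"description":"` lacks the space after the colon used in every other file; the remediation is missing its terminal period, and "Use version higher than 2 of Helm which doesn’t use Tiller" reads better as "Use Helm 3 or later, which has no Tiller component." This file also formats `rulesNames` on one line, unlike the others.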
10 changes: 10 additions & 0 deletions controls/allowedhostpath.json
@@ -0,0 +1,10 @@
{
"name": "Allowed hostPath",
"attributes": {
"armoBuiltin": true
},
"description": "Mounting host directory to the container can be abused to get access to sensitive data and gain persistence on the host machine.",
"remediation": "Refrain from using host path mount.",
"rulesNames": [ "alert-rw-hostpath"
]
}
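Review bot: the name and description cover any hostPath mount, but the only rule is `alert-rw-hostpath`, which by its name flags read-write mounts only; either rename the rule or narrow the description. The remediation could add that, where a host path is genuinely required, `readOnly: true` on the volumeMount limits the blast radius. The README already links `hostPathmount.json` and `writablehostPathmount.json`, so this appears to be a third overlapping control; confirm it is intended.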
10 changes: 10 additions & 0 deletions controls/allowprivilegeescalation.json
@@ -0,0 +1,10 @@
{
"name": "Allow privilege escalation",
"attributes": {
"armoBuiltin": true
},
"description": "Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.",
"remediation": "If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.",
"rulesNames": [ "rule-allow-privilege-escalation"
]
}
11 changes: 11 additions & 0 deletions controls/anonymousrequests.json
@@ -0,0 +1,11 @@

{
"name": "Anonymous requests",
"attributes": {
"armoBuiltin": true
},
"description": "In Kubernetes 1.6 and newer, anonymous requests are allowed by default. If there is no RBAC enabled, this type of requests will have authorization to do everything.",
"remediation": "Anonymous requests should be disabled by passing the --anonymous-auth=false option to the API server. Leaving anonymous requests enabled could allow a cyber actor to access cluster resources without authentication.",
"rulesNames": [ "anonymous-requests"
]
}
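Review bot: the file begins with an empty line before `{`, unlike the other control files; drop it. "this type of requests will have authorization to do everything" should read "requests of this type will be authorized to do anything". The description does not say what `anonymous-requests` inspects; the other controls end with a sentence of the form "Checks ..." and this one should too (presumably the API server's `--anonymous-auth` flag).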
11 changes: 11 additions & 0 deletions controls/applicationexploitRCE.json
@@ -0,0 +1,11 @@
{
"name": "Application exploit (RCE)",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Execution"]
},
"description": "Applications that are vulnerable to a remote code execution vulnerability, enables attackers to run malicious code in the cluster. Determines if pods have vulnerable image with remote code execution using ARMO vulnerability scan (must run vulnerability scan before running posture scan).",
"remediation": "Patch your container with a version that does not have this vulnerability or use ARMO runtime protection (sign the workload).",
"rulesNames": [ "deny-RCE-vuln-image-pods"
]
}
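Review bot: the precondition "must run vulnerability scan before running posture scan" exists only in prose; without scan data the rule `deny-RCE-vuln-image-pods` will have nothing to match and report clean, which is a silent false negative. Express the dependency in `attributes` so the scanner can warn or skip the control. Grammar: "Applications that are vulnerable ... enables attackers" should be "enable attackers".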
10 changes: 10 additions & 0 deletions controls/automaticmappingserviceaccount.json
@@ -0,0 +1,10 @@
{
"name": "Automatic mapping of service account",
"attributes": {
"armoBuiltin": true
},
"description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.",
"remediation": "Only map token to PODs that are really using them. We suggest disabling the automatic mounting of service account tokens to PODs at the service account level, by specifying the securityContext.readOnlyRootFilesystem field to true, and explicitly enabling the map for the PODs which are using it at the POD spec level.",
"rulesNames": [ "automount-service-account"
]
}
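Review bot: the remediation names the wrong field. `securityContext.readOnlyRootFilesystem` controls the container's root filesystem and has nothing to do with token mounting; the setting that disables automatic mounting is `automountServiceAccountToken: false` on the ServiceAccount object, with the same field on the pod spec taking precedence for pods that do need the token. "POD" should be "pod" throughout.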
11 changes: 11 additions & 0 deletions controls/backdoorcontainer.json
@@ -0,0 +1,11 @@
{
"name": "Backdoor container",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Persistence"]
},
"description": "Attackers run their malicious code in a container in the cluster. By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster." ,
"remediation": "You should apply least privilege principle (we can point to our audit/least privilege screen). Approve the users who can create new containers.",
"rulesNames": [ "rule-can-create-modify-pod"
]
}
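Review bot: the remediation ships an internal drafting note, "(we can point to our audit/least privilege screen)", in user-facing text; remove it. The stray space before the comma after the description string (`" ,`) is inconsistent with the other files.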
11 changes: 11 additions & 0 deletions controls/bash-cmdinsidecontainer.json
@@ -0,0 +1,11 @@
{
"name": "Bash/cmd inside container",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Execution"]
},
"description": "Attackers who can run new processes inside a container might use cmd/bash script inside a container can use it to execute malicious code. Determines which containers have bash/cmd inside it." ,
"remediation": "Remove cmd/bash from the containers you are using.",
"rulesNames": [ "rule-can-bash-cmd-inside-container"
]
}
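Review bot: the description sentence is garbled ("Attackers who can run new processes inside a container might use cmd/bash script inside a container can use it to execute malicious code"); suggest "Attackers who can run new processes inside a container may use a shell (bash/cmd) present in the image to execute malicious code. Determines which containers have bash/cmd inside them." The `" ,` spacing before the comma recurs here.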
11 changes: 11 additions & 0 deletions controls/clearcontainerlogs.json
@@ -0,0 +1,11 @@
{
"name": "Clear container logs",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Defense Evasion"]
},
"description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity." ,
"remediation": "You should apply least privilege principle. Approve the users who can delete logs inside containers.",
"rulesNames": [ "rule-can-delete-logs"
]
}
11 changes: 11 additions & 0 deletions controls/cluster-adminbinding.json
@@ -0,0 +1,11 @@
{
"name": "Cluster-admin binding",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Privilege escalation"]
},
"description": "Attackers who have Cluster-admin permissions (can perform any action on any resource), can take advantage of their high privileges for malicious intentions. Determines which subjects have cluster admin permissions.",
"remediation": "You should apply least privilege principle. Monitor and approve cluster admins and make sure users that do not require cluster-admin are not assigned with this role.",
"rulesNames": [ "rule-list-all-cluster-admins"
]
}
11 changes: 11 additions & 0 deletions controls/clusterInternalnetworking.json
@@ -0,0 +1,11 @@
{
"name": "Cluster internal networking",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Lateral movement"]
},
"description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. Lists namespaces in which no network policies are defined.",
"remediation": "Define network policy (native K8s or using ARMO runtime protection).",
"rulesNames": [ "internal-networking"
]
}
11 changes: 11 additions & 0 deletions controls/compromisedimagesinregistry.json
@@ -0,0 +1,11 @@
{
"name": "Compromised images in registry",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Initial Access"]
},
"description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster’s management layer.",
"remediation": "Limit the registries from which you pull container images. ",
"rulesNames": ["rule-identify-blacklisted-image-registries"
]
}
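Review bot: the description does not match the control. It describes compromised cloud credentials and management-layer takeover (the "Using cloud credentials" technique), while the name, the rule `rule-identify-blacklisted-image-registries` and the remediation are about image registries. Replace it with a description of the actual check, for example that images pulled from untrusted or unapproved registries may have been tampered with, and that the rule flags pods whose images come from a registry on the deny list. The remediation string also has a trailing space.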
10 changes: 10 additions & 0 deletions controls/configuredlivenessprobe.json
@@ -0,0 +1,10 @@
{
"name": "Configured liveness probe",
"attributes": {
"armoBuiltin": true
},
"description": "Liveness probe is not configured.",
"remediation": "Ensure Liveness probe is configured",
"rulesNames": [ "configured-liveness-probe"
]
}
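Review bot: the description states the finding ("Liveness probe is not configured.") rather than what the control checks and why it matters, unlike the other controls; the readiness probe control that follows has the same problem. Neither carries a `microsoftMitreColumns` attribute, so they will not appear in the MITRE export; say which framework they belong to so `export.py` can place them.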
10 changes: 10 additions & 0 deletions controls/configuredreadinessprobe.json
@@ -0,0 +1,10 @@
{
"name": "Configured readiness probe",
"attributes": {
"armoBuiltin": true
},
"description": "Readiness probe is not configured.",
"remediation": "Ensure Readiness probe is configured.",
"rulesNames": [ "configured-readiness-probe"
]
}
10 changes: 10 additions & 0 deletions controls/containerhostport.json
@@ -0,0 +1,10 @@
{
"name": "Container hostPort",
"attributes": {
"armoBuiltin": true
},
"description": "Configuring hostPort limits you to a particular port, and if any two workloads that specify the same HostPort cannot be deployed to the same node. And if the scale of your workload is larger than the number of nodes in your Kubernetes cluster, the deployment fails.",
"remediation": "Make sure you do not configure hostPort for the container, if necessary use NodePort / ClusterIP",
"rulesNames": [ "container-hostPort"
]
}
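Review bot: the description gives only the scheduling rationale, and its second sentence is ungrammatical ("if any two workloads that specify the same HostPort cannot be deployed"); it should also state the security concern, that `hostPort` binds the container directly to a port on the node's IP. "NodePort / ClusterIP" in the remediation are Service types, so phrase it as "expose the workload through a Service (ClusterIP, or NodePort if external access is needed)".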
10 changes: 10 additions & 0 deletions controls/controlplanehardening.json
@@ -0,0 +1,10 @@
{
"name": "Control plane hardening",
"attributes": {
"armoBuiltin": true
},
"description": "Kubernetes control plane API is running with non-secure port enabled which allows attackers to gain unprotected access to the cluster.",
"remediation": "Set the insecure-port flag of the API server to zero.",
"rulesNames": ["insecure-port-flag"
]
}
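Review bot: `--insecure-port` is deprecated in current Kubernetes releases, so the rule `insecure-port-flag` must treat an absent flag as compliant rather than as a failure, and the remediation should read "Set `--insecure-port=0` (or remove the flag)". The description is the finding ("is running with non-secure port enabled"), not a description of the risk plus what is checked, which is the pattern the other controls follow.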
11 changes: 11 additions & 0 deletions controls/coreDNSpoisoning.json
@@ -0,0 +1,11 @@
{
"name": "CoreDNS poisoning",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Lateral Movement"]
},
"description": "If attackers have permissions to modify the coredns ConfigMap, they can change the behavior of the cluster’s DNS, poison it, and take the network identity of other services. Determines which users can update/patch the 'coredns' configmap.",
"remediation": "You should apply least privilege principle. Monitor and approve the users who can modify the 'coredns' configmap.",
"rulesNames": [ "rule-can-update-configmap"
]
}
10 changes: 10 additions & 0 deletions controls/dangerouscapabilities.json
@@ -0,0 +1,10 @@
{
"name": "Dangerous capabilities",
"attributes": {
"armoBuiltin": true
},
"description": "Giving dangerous and unnecessary capabilities for a container can increase the impact of a container compromise.",
"remediation": "Remove all dangerous capabilities which aren’t necessary for the container.",
"rulesNames": [ "dangerous-capabilities"
]
}
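Review bot: neither the description nor the remediation says which capabilities the rule `dangerous-capabilities` treats as dangerous, so a user cannot tell why a container was flagged; list the set (or point to where the rule defines it) and state the remediation in terms of the `securityContext.capabilities.add` / `capabilities.drop` fields.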
11 changes: 11 additions & 0 deletions controls/datadestruction.json
@@ -0,0 +1,11 @@
{
"name": "Data Destruction",
"attributes": {
"armoBuiltin": true,
"microsoftMitreColumns": ["Impact"]
},
"description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources. Determines which subjects can delete resources.",
"remediation": "You should apply least privilege principle. Monitor and approve the users who can delete resources.",
"rulesNames": [ "rule-excessive-delete-rights"
]
}