feat: add host hardening policies

generic/system/hsp-audit-defense-control.yaml

@@ -0,0 +1,36 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-audit-defense-control
+spec:
+  action: Audit
+  process:
+    - execname: aa-enforce
+    - execname: aa-audit
+    - execname: aa-cleanprof
+    - execname: aa-disable
+    - execname: apparmor_parser
+  file:
+    matchDirectories:
+    - dir: /etc/apparmor.d/
+      recursive: true
+    - dir: /etc/apparmor/
+      recursive: true
+    - dir: /etc/sysconfig/selinux/
+      recursive: true
+    - dir: /opt/kubearmor/
+      recursive: true
+      fromSource:
+        - path: /opt/kubearmor/kubearmor
+    matchPaths:
+    - path: /etc/selinux/semanage.conf
+  message: "WARN! Runtime security files/processes accessed."
+  nodSelector:
+    matchLabels:
+      kubearmor.io/hostname: '*'
+  severity: 5
+  tags:
+  - FGT1562
+  - FIGHT
+  - MITRE
+  - MITRE_T1562_Impair _Defenses

generic/system/hsp-file-integrity-protection.yaml

@@ -0,0 +1,35 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-file-integrity-monitoring
+spec:
+  action: Block
+  file:
+    matchDirectories:
+    - dir: /bin/
+      readOnly: true
+      recursive: true
+    - dir: /sbin/
+      readOnly: true
+      recursive: true
+    - dir: /usr/bin/
+      readOnly: true
+      recursive: true
+    - dir: /usr/sbin/
+      readOnly: true
+      recursive: true
+    - dir: /usr/local/bin/
+      readOnly: true
+      recursive: true
+  message: "ALERT! Detected and prevented compromise to file integrity"
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: '*'
+  severity: 1
+  tags:
+  - MITRE
+  - MITRE_T1036_masquerading
+  - MITRE_T1565_data_manipulation
+  - NIST
+  - NIST_800-53_AU-2
+  - NIST_800-53_SI-4

generic/system/hsp-monitor-kernel-modules.yaml

@@ -0,0 +1,28 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-monitor-kernel-modules
+spec:
+  action: Audit
+  process:
+    matchPaths:
+    - execname: kmod
+  file:
+    matchPaths:
+    - path: /etc/modules
+      readOnly: true
+    matchDirectories:
+    - dir: /etc/modprobe.d/
+      recursive: true
+      readOnly: true
+    - dir: /etc/modules-load.d/
+      recursive: true
+      readOnly: true
+  message: "WARN! Detected modification of Kernel modules."
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: '*'
+  severity: 5
+  tags:
+    - "STIG"
+    - "UBTU-20-010297"

generic/system/hsp-package-management-security.yaml

@@ -0,0 +1,46 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-package-management-security
+spec:
+  action: Block
+  process:
+    matchPaths:
+    - execname: apt
+    - execname: dpkg
+    - execname: dnf-3
+    - execname: yum
+    - execname: rpm
+    - execname: apk
+    - execname: gdebi
+    - execname: make
+    - execname: makepkg
+    - execname: pacman
+    - execname: yaourt
+    - execname: zypper
+  file:
+    matchDirectories:
+    - dir: /etc/apt/
+      recursive: true
+      readOnly: true
+    - dir: /etc/dnf/
+      recursive: true
+      readOnly: true
+    - dir: /etc/yum.repos.d/
+      recursive: true
+      readOnly: true
+    - dir: /etc/apk/
+      recursive: true
+      readOnly: true
+  message: "ALERT! Blocked attempt to modify system packages."
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: '*'
+  severity: 5
+  tags:
+    - "NIST"
+    - "CM-6-1"
+    - "NIST_SA"
+    - "NIST_SA-20"
+    - "NIST_SA-20-Customized Development of Critical Components"
+    - "sensitive asset"

generic/system/hsp-protect-against-cryptojacking.yaml

@@ -0,0 +1,29 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-mitre-prevent-crypto-miners
+spec:
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: '*'
+  action: Block
+  process:
+    matchDirectories:
+    - dir: /tmp/
+      recursive: true
+    matchPaths:
+    - execname: xmrig
+    - execname: dero
+    - execname: dero-miner-linux-amd64
+    - execname: dero-wallet-cli-linux-amd64
+    - execname: derod-linux-amd64
+    - execname: zgrab2
+    - execname: masscan
+    - execname: nmap
+    - execname: ntpdate
+  message: "WARN! Cryptominer detected and blocked"
+  severity: 10
+  tags:
+    - cryptominer
+    - MITRE_T1496_resource_hijacking
+    - MITRE

generic/system/hsp-protect-credentials.yaml

@@ -0,0 +1,40 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-protect-credentials
+spec:
+  action: Audit
+  # make block after testing
+  #action: Block
+  file:
+    matchPaths:
+    - path: /etc/passwd
+      readOnly: true
+    - path: /etc/shadow
+      readOnly: true
+    matchDirectories:
+    - dir: /etc/pki/
+      readOnly: true
+      recursive: true
+    - dir: /etc/ssl/
+      readOnly: true
+      recursive: true
+    - dir: /usr/local/share/ca-certificates/
+      readOnly: true
+      recursive: true
+    - dir: /root/.ssh/
+      readOnly: true
+      recursive: true
+    - dir: /root/.ssh/.gnupg/
+      readOnly: true
+      recursive: true
+  message: "ALERT! Blocked modification of credentials."
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: '*'
+  severity: 5
+  tags:
+  - FGT1555
+  - FIGHT
+  - MITRE
+  - MITRE_T1552_unsecured_credentials

generic/system/hsp-protect-system-config.yaml

@@ -0,0 +1,43 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-protect-system-config
+spec:
+  action: Audit
+  file:
+    matchPaths:
+    - path: /etc/sudoers
+      readOnly: true
+    - path: /etc/sudo.conf
+      readOnly: true
+    - path: /etc/fstab
+      readOnly: true
+    - path: /etc/bash.bashrc
+      readOnly: true
+    - path: /etc/default/grub
+      readOnly: true
+    matchDirectories:
+    - dir: /etc/sudoers.d/
+      recursive: true
+      readOnly: true
+    - dir: /etc/ssh/
+      recursive: true
+      readOnly: true
+    - dir: /etc/pam.d/
+      recursive: true
+      readOnly: true
+    - dir: /boot/
+      recursive: true
+      readOnly: true
+  message: "WARN! System configuration file modified."
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: '*'
+  severity: 5
+  tags:
+    - "NIST"
+    - "CM-6-1"
+    - "NIST_SA"
+    - "NIST_SA-20"
+    - "NIST_SA-20-Customized Development of Critical Components"
+    - "sensitive asset"

generic/system/hsp-restrict-process-execution.yaml

@@ -0,0 +1,34 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-restrict-process-execution
+spec:
+  action: Allow
+  file:
+    Directories:
+    - dir: /
+      recursive: true
+  process:
+    matchDirectories:
+    - dir: /
+      recursive: true
+      action: Block
+    - dir: /bin/
+      recursive: true
+    - dir: /sbin/
+      recursive: true
+    - dir: /usr/bin/
+      recursive: true
+    - dir: /usr/sbin/
+      recursive: true
+    - dir: /usr/local/bin/
+      recursive: true
+    - dir: /usr/local/sbin/
+      recursive: true
+    - dir: /opt/
+      recursive: true
+  message: "ALERT! Blocked process execution outside of allow list."
+  nodeSelector:
+    matchLabels:
+      kubearmor.io/hostname: '*'
+  severity: 1