Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

system monitor policyMatcher allows telemetry with empty processName #1931

Closed
rksharma95 opened this issue Jan 3, 2025 · 0 comments · May be fixed by #1932
Closed

system monitor policyMatcher allows telemetry with empty processName #1931

rksharma95 opened this issue Jan 3, 2025 · 0 comments · May be fixed by #1932
Assignees
@rksharma95
Labels
bug Something isn't working

Comments

@rksharma95
Copy link
Collaborator

rksharma95 commented Jan 3, 2025
edited
Loading

Bug Report

General Information

  • Environment description: k3s v1.30.6+k3s1
  • Kernel version (run uname -a): 6.6.63-1-lts
  • Orchestration system version in use (e.g. kubectl version, ...) 
    Client Version: v1.30.6+k3s1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.6+k3s1
  • Link to relevant artifacts (policies, deployments scripts, ...)
  • Target containers/pods

To Reproduce

  • to replicate the behaviour modify kubearmor to ignore /usr/bin/date 
    if path == "/usr/bin/date" {
  return ""
}

KubeArmor/KubeArmor/monitor/processTree.go

Line 273 in f390269

return path

KubeArmor/KubeArmor/monitor/processTree.go

Line 300 in f390269

return path

  • deploy nginx deployment 
    kubectl create deployment nginx --image=nginx
  • apply ksp 
    apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-nginx-allow-bin-dir-process
spec:
  action: Allow
  process:
    matchDirectories:
    - dir: /bin/
      recursive: true
  selector:
    matchLabels:
      app: nginx
  • observe kubearmor telemetry in a seperate terminal 
    karmor logs
  • execute inside nginx pod 
    /usr/bin/date +%Y-%m-%d %H:%M:%S

Expected behavior

if processName is empty, telemetry should use source information as processName

Screenshots
Screenshot From 2025-01-03 10-11-26

ProcessName is not present in the telemetry.
@rksharma95 rksharma95 added the bug Something isn't working label Jan 3, 2025
@rksharma95 rksharma95 self-assigned this Jan 3, 2025
@rksharma95 rksharma95 moved this to Todo in Release v1.5 Jan 3, 2025
@rksharma95 rksharma95 mentioned this issue Jan 3, 2025
Open
7 tasks
@rksharma95 rksharma95 moved this from Todo to P2 - PR Ready for review in Release v1.5 Jan 6, 2025
@daemon1024 daemon1024 moved this from P2 - PR Ready for review to P0 - PR Ready for review in Release v1.5 Jan 6, 2025
@daemon1024 daemon1024 closed this as completed by moving to P0 - PR Ready for review in Release v1.5 Jan 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rksharma95 rksharma95

Labels
bug Something isn't working
Projects
Release v1.5
Status: P0 - PR Ready for review
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(monitor): use source if process name is empty rksharma95/KubeArmor
2 participants
@daemon1024 @rksharma95