diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..dacd155
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,36 @@
+name: Docker
+
+on:
+ push:
+ branches:
+ - main
+
+env:
+ IMAGE_TAG: latest
+ IMAGE_NAME: k8s-attack-simulation
+
+jobs:
+ build_and_push:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: export branch name
+ run: echo "BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV
+
+ - name: Login to GHCR
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GH_TOKEN }}
+
+ - name: Build image and push
+ uses: docker/build-push-action@v3
+ with:
+ file: Dockerfile
+ push: true
+ tags: |
+ ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+ ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+ labels:
+ org.opencontainers.image.source=https://github.com/${{ github.repository }}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..6ed2b2a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,7 @@
+FROM ubuntu:latest
+
+RUN apt-get -y update
+
+COPY src /src/
+
+RUN chmod -R +x /src/
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b703025
--- /dev/null
+++ b/README.md
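Review bot: The GHCR login reads `password: ${{ secrets.GH_TOKEN }}`, a stored personal access token, and the workflow has no `permissions:` block, so the job runs with the repository's default token scope on top of that long-lived credential. The job-scoped token is enough for pushing to the repository's own GHCR namespace: `password: ${{ secrets.GITHUB_TOKEN }}` plus a top-level `permissions:` block with `contents: read` and `packages: write` removes the PAT from the repo secrets and gives the job only what it needs. The three actions are referenced by floating major tags (`actions/checkout@v2`, `docker/login-action@v2`, `docker/build-push-action@v3`), so a moved or force-pushed tag would run arbitrary code in the job that publishes this image; pin each to a full commit SHA with the version in a trailing comment. Note also that the `:latest` tag pushed here is what every manifest in this commit pulls with `imagePullPolicy: Always`, so each push to `main` immediately changes what runs in users' clusters — surfacing the build's `@sha256` digest in the manifests would make that explicit.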
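Review bot: `FROM ubuntu:latest` floats, so two builds of this commit can yield different base layers, and `RUN apt-get -y update` refreshes package indexes that nothing in the file ever installs from — the layer only adds stale apt lists to the image. Pin the base to a release tag and digest (`FROM ubuntu:22.04@sha256:<digest>`, for whichever release is intended) and either drop the `apt-get update` line or pair it with the install it was meant for followed by `rm -rf /var/lib/apt/lists/*`. `chmod -R +x /src/` also sets the execute bit on the directory and on any non-script file copied in; `chmod +x /src/*.sh` is the narrower form. The image deliberately stays root — the simulations write `/etc/shadow` and call `mount` — and a one-line comment saying so (`# runs as root on purpose: the simulations need it`) would stop a later hardening pass from adding a `USER` line that silently breaks them.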
@@ -0,0 +1,53 @@
+# Light K8S Attack Simulations
+
+This repository contains cases to simulate an unusual/malicious behavior in linux containers. These simulations triggers alerts for new advanced Falco rules, used in Lightspin K8s runtime protection solution.
+
+Every case has a Dockerfile that build an image for the relevant simulation and yaml file to apply Pod inside the cluster that monitor by Falco.
+When the pod is running the container inside runs a bash script, this script contains the relevant command to trigger the Falco alert.
+
+## Use Cases
+
+Technique Name | Rule Name | Description|
+----------|-------------|------------------|
+modify-password-files | Modify Password Files |Attempts to modify /etc/passwd and /etc/shadow files |
+dump-process-memory | Dump Process Memory | Gathering credentials from information stored in the Proc filesystem |
+modify-ssh-authorized-keys | Modify SSH Authorized Keys | Editing of SSH authorized_keys file to maintain persistence on compromised environment |
+logs-removal | Logs Removal | Delete of system and audit logs |
+mount-cgroups-into-container | Mount Cgroups Into Container | Detect mount of cgroups into container (used to container escapes) |
+
+## Get Started
+
+1. Connect the K8s cluster to Lightspin and enable the runtime protection option.
+2. Connect to the cluster using kubectl cli.
+3. Clone the repository and change directory to the main folder
+```console
+git clone https://github.com/lightspin-tech/light-k8s-attack-simulations.git
+cd light-k8s-attack-simulations
+```
+4. Choose use case (Technique name) from the above table.
+5. Run the following command:
+```console
+./light-attack-simulation.sh run [Technique Name]
+```
+
+## Uninstall
+
+Run the following command:
+```console
+./light-attack-simulation.sh delete [Technique Name]
+```
+
+## Usage
+
+```bash
+Syntax: ./light-attack-simulation.sh [-h] [run|delete] [techniqueName] [-n|--namspace]
+
+required arguments:
+run run technique simulation
+delete delete technique simulation
+techniqueName name of use-case
+
+other arguments:
+-h --help show this help message and exit
+-n --namespcae install pod on spesific namespace
+ ```
diff --git a/build.yml b/build.yml
new file mode 100644
index 0000000..dacd155
--- /dev/null
+++ b/build.yml
@@ -0,0 +1,36 @@
+name: Docker
+
+on:
+ push:
+ branches:
+ - main
+
+env:
+ IMAGE_TAG: latest
+ IMAGE_NAME: k8s-attack-simulation
+
+jobs:
+ build_and_push:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: export branch name
+ run: echo "BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV
+
+ - name: Login to GHCR
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GH_TOKEN }}
+
+ - name: Build image and push
+ uses: docker/build-push-action@v3
+ with:
+ file: Dockerfile
+ push: true
+ tags: |
+ ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ env.BRANCH }}
+ ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+ labels:
+ org.opencontainers.image.source=https://github.com/${{ github.repository }}
diff --git a/light-attack-simulation.sh b/light-attack-simulation.sh
new file mode 100755
index 0000000..18f16ba
--- /dev/null
+++ b/light-attack-simulation.sh
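Review bot: `build.yml` at the repository root is a byte-for-byte copy of `.github/workflows/build.yml` (both hunks show blob `dacd155`), and GitHub only executes workflows under `.github/workflows/`, so this copy never runs and will drift from the real one the first time either file is edited. Delete it; if it is meant as a readable reference, link to the workflow from the README instead of committing a second, inert copy that still contains the `secrets.GH_TOKEN` login step for anyone who cargo-cults it into another repo.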
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+Help()
+{
+ # Display Help
+ echo ""
+ echo "Syntax: ./light-attack-simulation.sh [-h] [run|delete] [techniqueName] [-n|--namspace]"
+ echo ""
+ echo "required arguments:"
+ echo "run run technique simulation"
+ echo "delete delete technique simulation"
+ echo "techniqueName name of the use-case"
+ echo ""
+ echo "other arguments:"
+ echo "-h --help show this help message and exit"
+ echo "-n --namespcae install pod on spesific namespace"
+}
+
+namespace="default"
+
+while test $# -gt 0; do
+ case "$1" in
+ run)
+ shift
+ operation="run"
+ yaml="$1.yaml"
+ shift
+ ;;
+ delete)
+ shift
+ operation="delete"
+ yaml="$1"
+ shift
+ ;;
+ -h|--help)
+ Help
+ exit 0
+ ;;
+ -n|--namespace)
+ shift
+ namespace=$1
+ shift
+ ;;
+ esac
+done
+if [ $operation == "run" ]; then
+ kubectl apply -f ./manifests/$yaml -n $namespace
+else
+ kubectl delete pods $yaml -n $namespace
+fi
+exit 0
diff --git a/manifests/dump-process-memory.yaml b/manifests/dump-process-memory.yaml
new file mode 100644
index 0000000..34274ab
--- /dev/null
+++ b/manifests/dump-process-memory.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: dump-process-memory
+ labels:
+ app: ubuntu
+spec:
+ containers:
+ - image: ghcr.io/lightspin-tech/light-k8s-attack-simulations/k8s-attack-simulation:latest
+ command: ["src/shell-dump-process-memory.sh"]
+ imagePullPolicy: Always
+ name: simulation
+ securityContext:
+ capabilities:
+ add: ["SYS_PTRACE"]
diff --git a/manifests/logs-removal.yaml b/manifests/logs-removal.yaml
new file mode 100644
index 0000000..d23737d
--- /dev/null
+++ b/manifests/logs-removal.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: logs-removal
+ labels:
+ app: ubuntu
+spec:
+ containers:
+ - image: ghcr.io/lightspin-tech/light-k8s-attack-simulations/k8s-attack-simulation:latest
+ command: ["src/shell-logs-removal.sh"]
+ imagePullPolicy: Always
+ name: simulation
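Review bot: The `case` in `light-attack-simulation.sh` has no default arm, so an argument matching none of `run`, `delete`, `-h` or `-n` is never shifted and `while test $# -gt 0` spins forever — `./light-attack-simulation.sh foo` hangs. Add `*) echo "unknown argument: $1" >&2; Help; exit 1 ;;` before `esac`, and guard the tail with `: "${operation:?run or delete is required}"` so `[ $operation == "run" ]` does not fail on an unset variable when neither verb was given. The technique name is interpolated unquoted into `kubectl apply -f ./manifests/$yaml`; checking `[ -f "./manifests/$yaml" ]` first (and quoting `"$yaml"` and `"$namespace"`) turns a typo or a `../` path into a clean error instead of whatever kubectl makes of it. The trailing `exit 0` also discards kubectl's status, so a failed apply or delete looks successful to a caller — drop the line or use `exit $?`.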
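Review bot: `dump-process-memory.yaml` adds `SYS_PTRACE` for a script (`src/shell-dump-process-memory.sh` in this commit) that reads `/proc/$$/mem`, i.e. its own shell's memory; a process opening its own `/proc/<pid>/mem` is not subject to the ptrace access check, so the capability looks unnecessary and, unless the Falco rule keys on it, should be dropped — confirm against the rule before removing it. Every manifest here pulls `…/k8s-attack-simulation:latest` with `imagePullPolicy: Always` and no digest, so the code that runs under these capabilities is whatever the registry serves at apply time; pin `image:` to the `@sha256:` digest the build produced. None of the pods set `automountServiceAccountToken: false`, and a deliberately noisy test pod has no reason to carry an API token.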
diff --git a/manifests/modify-password-files.yaml b/manifests/modify-password-files.yaml
new file mode 100644
index 0000000..2623feb
--- /dev/null
+++ b/manifests/modify-password-files.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: modify-password-files
+ labels:
+ app: ubuntu
+spec:
+ containers:
+ - image: ghcr.io/lightspin-tech/light-k8s-attack-simulations/k8s-attack-simulation:latest
+ command: ["src/shell-modify-password-files.sh"]
+ imagePullPolicy: Always
+ name: simulation
diff --git a/manifests/modify-ssh-authorized-keys.yaml b/manifests/modify-ssh-authorized-keys.yaml
new file mode 100644
index 0000000..e0de7ca
--- /dev/null
+++ b/manifests/modify-ssh-authorized-keys.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: modify-ssh-authorized-keys
+ labels:
+ app: ubuntu
+spec:
+ containers:
+ - image: ghcr.io/lightspin-tech/light-k8s-attack-simulations/k8s-attack-simulation:latest
+ command: ["src/shell-modify-ssh-authorized-keys.sh"]
+ imagePullPolicy: Always
+ name: simulation
diff --git a/manifests/mount-cgroups-into-container.yaml b/manifests/mount-cgroups-into-container.yaml
new file mode 100644
index 0000000..4993012
--- /dev/null
+++ b/manifests/mount-cgroups-into-container.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: mount-cgroups-into-container
+ labels:
+ app: ubuntu
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/simulation: unconfined
+spec:
+ containers:
+ - image: ghcr.io/lightspin-tech/light-k8s-attack-simulations/k8s-attack-simulation:latest
+ command: ["src/shell-mount-cgroups-into-container.sh"]
+ imagePullPolicy: Always
+ name: simulation
+ securityContext:
+ capabilities:
+ add: ["SYS_ADMIN"]
diff --git a/src/shell-dump-process-memory.sh b/src/shell-dump-process-memory.sh
new file mode 100644
index 0000000..5d08836
--- /dev/null
+++ b/src/shell-dump-process-memory.sh
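Review bot: `mount-cgroups-into-container.yaml` grants `SYS_ADMIN` and sets the container's AppArmor profile to `unconfined` while pulling a mutable `…:latest` image with `imagePullPolicy: Always`, so whoever can move that tag in GHCR gets near-privileged execution in any cluster where this manifest is applied. The capability is needed for the script's `mount`, but the image reference should be pinned to a `@sha256:` digest, `automountServiceAccountToken: false` added so the pod carries no API credential, and a comment placed on the manifest (`# Grants SYS_ADMIN + unconfined AppArmor: apply only in a disposable test cluster`) since the README says how to run it but not where. The `container.apparmor.security.beta.kubernetes.io/simulation` annotation is the older annotation form; as far as I know clusters new enough to offer `securityContext.appArmorProfile` still honour it but treat it as deprecated, so confirm on the target Kubernetes version that the container really is unconfined before trusting the simulation's result.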
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+PID=$$
+HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+dd if=/proc/"${PID}"/mem of="/home/test.dd" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+
+/bin/bash -c "sleep 6045d"
diff --git a/src/shell-logs-removal.sh b/src/shell-logs-removal.sh
new file mode 100644
index 0000000..0633392
--- /dev/null
+++ b/src/shell-logs-removal.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+rm -rf /private/var/audit/*
+rm -rf /private/var/log/system.log*
+
+/bin/bash -c "sleep 6045d"
diff --git a/src/shell-modify-password-files.sh b/src/shell-modify-password-files.sh
new file mode 100644
index 0000000..854b9b4
--- /dev/null
+++ b/src/shell-modify-password-files.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo 'mak:$y$j9T$sN9jH1Sc4Y0RR1v2oGJi9/$vwoBEO9buQ6ITqZDcV78Y8UHo/NfT9byc.iT5QgP2Y4:19197:0:99999:7:::' >> /etc/shadow
+
+/bin/bash -c "sleep 6045d"
\ No newline at end of file
diff --git a/src/shell-modify-ssh-authorized-keys.sh b/src/shell-modify-ssh-authorized-keys.sh
new file mode 100644
index 0000000..9456512
--- /dev/null
+++ b/src/shell-modify-ssh-authorized-keys.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+mkdir ~/.ssh
+echo 'blabla' > ~/.ssh/authorized_keys
+if [ -f ~/.ssh/authorized_keys ]; then ssh_authorized_keys="blablabla"; echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi;
+unset ssh_authorized_keys
+
+/bin/bash -c "sleep 6045d"
diff --git a/src/shell-mount-cgroups-into-container.sh b/src/shell-mount-cgroups-into-container.sh
new file mode 100644
index 0000000..956609b
--- /dev/null
+++ b/src/shell-mount-cgroups-into-container.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+mkdir /tmp/cgrp
+mount -t cgroup -o rdma cgroup /tmp/cgrp
+
+/bin/bash -c "sleep 6045d"
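Review bot: `MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))` re-prefixes `0x` onto values that `MEM_START` and `MEM_STOP` already converted to decimal two lines earlier, so the decimal digits are reparsed as hex and `count=` is wrong (a start of `4096` becomes `0x4096`, i.e. 16534); `MEM_SIZE=$((MEM_STOP - MEM_START))` is what was intended. `HEAP_MEM` comes from `grep heap | cut -d' ' -f 1` and will be empty if the shell's maps file has no `[heap]` line, at which point `$((0x))` aborts with an arithmetic error — a `[ -n "$HEAP_MEM" ] || { echo "no heap mapping" >&2; exit 1; }` guard makes that failure visible in the pod log. `dd` also reads the whole heap one byte at a time (`ibs=1`) into `/home/test.dd` that is never removed; presumably the alert fires on the `/proc/<pid>/mem` open rather than on the bytes copied, so a small fixed `count` would do the same job far faster.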
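Review bot: `shell-logs-removal.sh` removes `/private/var/audit/*` and `/private/var/log/system.log*`, which are macOS locations; in the `ubuntu` image this commit builds they do not exist, the unmatched globs stay literal, and `rm -rf` on a path that does not exist exits quietly without attempting an unlink — so it is doubtful the "Logs Removal" rule (README: "Delete of system and audit logs") ever observes a deletion. Presumably the intent was Linux paths such as `/var/log/syslog*`, `/var/log/auth.log*` and `/var/log/audit/audit.log`; create them first (`mkdir -p /var/log/audit && touch /var/log/syslog /var/log/audit/audit.log`) so the `rm` actually removes something. Which paths the Falco rule keys on is not visible here, so match the script to the rule's list rather than to this guess.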
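Review bot: The line appended to `/etc/shadow` carries a real yescrypt hash (`$y$j9T$…`) for a user `mak`; with no matching `/etc/passwd` entry it cannot be used to log in here, but it is still a credential-looking secret committed to the repository and baked into a public image. A locked field, `mak:!:19197:0:99999:7:::` (or `*`), still exercises the write to `/etc/shadow`, which is presumably what the 'Modify Password Files' rule keys on, without shipping a hash that can be cracked or reused. The file is written with `>>` and never restored; that is fine for a pod that then sleeps indefinitely, but a one-line comment (`# container is disposable: shadow is modified and not restored`) would make the intent explicit.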
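Review bot: `mount -t cgroup -o rdma cgroup /tmp/cgrp` mounts a cgroup v1 controller, which a node booted with the unified cgroup v2 hierarchy (the default on recent distributions) may refuse, so the outcome of this simulation depends on the host; the mount syscall is still issued, and whether an attempt alone satisfies the 'Mount Cgroups Into Container' rule is not visible here. Add a comment (`# needs cgroup v1 controllers; on cgroup v2-only hosts the mount may fail`) and check the result (`mount -t cgroup -o rdma cgroup /tmp/cgrp || echo "mount failed: $?" >&2`) so a refused mount is distinguishable from a successful one in the pod log. This is also the first step of the cgroup `release_agent` host-escape technique; the script deliberately stops at the mount, which is right for a detection test, and saying so in a comment would keep someone from "completing" it later.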