Added KubeArmorSystemPolicy structure type

Added a function to discover system policy (operation: "File") Added a function to aggregate the multiple file paths for the file operation policies Added a function to build discovered kubearmor system policies
accuknox · May 24, 2021 · 92ea561 · 92ea561
1 parent 04aa677
commit 92ea561
Show file tree

Hide file tree

Showing 10 changed files with 713 additions and 73 deletions.
diff --git a/src/config/configManager.go b/src/config/configManager.go
@@ -29,8 +29,8 @@ import (
 // Cfg ...
 var Cfg types.Configuration
 
-// IgnoringNamespaces ...
-var IgnoringNamespaces []string
+// IgnoringNetworkNamespaces ...
+var IgnoringNetworkNamespaces []string
 
 // HTTPUrlThreshold ...
 var HTTPUrlThreshold int
@@ -111,7 +111,7 @@ func LoadDefaultConfig() {
 	Cfg.NetPolicyCIDRBits = 32
 
 	igNamespaces := viper.GetString("application.network-policy-ignoring-namespaces")
-	IgnoringNamespaces = strings.Split(igNamespaces, "|")
+	IgnoringNetworkNamespaces = strings.Split(igNamespaces, "|")
 
 	// aggregation level
 	Cfg.NetPolicyL3Level = 3
@@ -252,7 +252,7 @@ func GetCfgNetworkHTTPThreshold() int {
 }
 
 func GetCfgNetworkSkipNamespaces() []string {
-	return IgnoringNamespaces
+	return IgnoringNetworkNamespaces
 }
 
 func GetCfgNetworkIgnoreFlows() []types.IgnoringFlows {

diff --git a/src/libs/clusterHandler.go b/src/libs/clusterHandler.go
@@ -3,7 +3,6 @@ package libs
 import (
 	"bytes"
 	"encoding/json"
-	"fmt"
 	"io/ioutil"
 	"net/http"
 	"strconv"
@@ -288,8 +287,6 @@ func GetEndpointsFromCluster(cluster types.Cluster) []types.Endpoint {
 		epCluster := types.EndpointCluster{}
 		b, _ := json.Marshal(v)
 		json.Unmarshal(b, &epCluster)
-
-		fmt.Println(epCluster)
 	}
 
 	return results
@@ -310,6 +307,8 @@ func GetPodsFromCluster(cluster types.Cluster) []types.Pod {
 		"Time":        0,
 	}
 
+	skippedLabelKeys := []string{"pod-template-hash"}
+
 	res := getResponseBytes("POST", url, data)
 	pods := []map[string]interface{}{}
 	if res != nil {
@@ -328,8 +327,14 @@ func GetPodsFromCluster(cluster types.Cluster) []types.Pod {
 		}
 
 		for _, label := range podCluster.Labels {
+			if ContainsElement(skippedLabelKeys, label["name"]) {
+				continue
+			}
+
 			pod.Labels = append(pod.Labels, label["name"]+"="+label["value"])
 		}
+
+		results = append(results, pod)
 	}
 
 	return results

diff --git a/src/libs/common.go b/src/libs/common.go
@@ -145,8 +145,8 @@ func longestCommonXfix(strs []string, pre bool) string {
 // == Print Pretty == //
 // ================== //
 
-// PrintKnoxPolicyJSON function
-func PrintKnoxPolicyJSON(data interface{}) (string, error) {
+// PrintPolicyJSON function
+func PrintPolicyJSON(data interface{}) (string, error) {
 	empty := ""
 	tab := "  "
 
@@ -160,6 +160,13 @@ func PrintKnoxPolicyJSON(data interface{}) (string, error) {
 	}
 
 	return buffer.String(), nil
+
+}
+
+// PrintPolicyYaml function
+func PrintPolicyYaml(data interface{}) (string, error) {
+	b, _ := yaml.Marshal(&data)
+	return string(b), nil
 }
 
 // ============= //

diff --git a/src/networkpolicy/httpAggregator.go b/src/networkpolicy/httpAggregator.go
@@ -188,18 +188,19 @@ func (n *Node) aggregateChildNodes() {
 		childNode.aggregateChildNodes()
 	}
 
-	// step 1: #child nodes > threshold
+	// #child nodes > threshold
 	if len(n.childNodes) > HTTPThreshold {
 		childPaths := []string{}
 		for _, childNode := range n.childNodes {
 			childPaths = append(childPaths, childNode.path)
 		}
 
-		// step 2: check path length
+		// check path length
 		if !checkSamePathLength(childPaths) {
 			return
 		}
 
+		// replace with wild card path
 		wildPath := ""
 		if checkDigitsOnly(childPaths) {
 			wildPath = WildPathDigit
@@ -214,7 +215,7 @@ func (n *Node) aggregateChildNodes() {
 		}
 
 		//   a     --->   a
-		// b   c         temp
+		// b   c        [temp]
 		// d   e         d  e
 		for _, childNode := range n.childNodes {
 			tempChild.touchCount = tempChild.touchCount + childNode.touchCount
@@ -378,13 +379,18 @@ func checkDigitsOnly(paths []string) bool {
 func buildPathTree(treeMap map[string]*Node, paths []string) {
 	pattern, _ := regexp.Compile("(/.[^/]*)")
 
+	// sorting paths
 	sort.Strings(paths)
 
+	// iterate paths
 	for _, path := range paths {
 		if path == "/" { // rootpath
 			continue
 		}
 
+		// example: /usr/lib/python2.7/UserDict.py
+		// 			--> '/usr', '/lib', '/python2.7', '/UserDict.py'
+		//			in this case, '/usr' is rootNode
 		tokenizedPaths := pattern.FindAllString(path, -1)
 		rootPath := tokenizedPaths[0]
 
@@ -496,52 +502,56 @@ func AggregateHTTPRule(aggregatedSrcPerAggregatedDst map[string][]MergedPortDst)
 	for aggregatedSrc, dsts := range aggregatedSrcPerAggregatedDst {
 		for i, dst := range dsts {
 			// check if dst is for HTTP rules
-			if libs.CheckSpecHTTP(dst.Additionals) {
-				httpTree := getHTTPTree(aggregatedSrc, dst)
-				if httpTree == nil {
-					httpTree = map[string]map[string]*Node{}
-				}
-
-				updatedAdditionals := []string{}
+			if !libs.CheckSpecHTTP(dst.Additionals) {
+				continue
+			}
 
-				methodToPaths := map[string][]string{}
+			// httpTree = key: METHOD - val: Tree
+			httpTree := getHTTPTree(aggregatedSrc, dst)
+			if httpTree == nil {
+				httpTree = map[string]map[string]*Node{}
+			}
 
-				for _, http := range dst.Additionals {
-					if len(strings.Split(http, "|")) != 2 {
-						continue
-					}
+			updatedAdditionals := []string{}
 
-					method := strings.Split(http, "|")[0]
-					path := strings.Split(http, "|")[1]
+			methodToPaths := map[string][]string{}
 
-					if val, ok := methodToPaths[method]; ok {
-						if !libs.ContainsElement(val, path) {
-							val = append(val, path)
-						}
-						methodToPaths[method] = val
-					} else {
-						methodToPaths[method] = []string{path}
-					}
+			for _, http := range dst.Additionals {
+				// http = method + path
+				if len(strings.Split(http, "|")) != 2 {
+					continue
 				}
 
-				for method, paths := range methodToPaths {
-					httpPathTree := map[string]*Node{}
-					if existed, ok := httpTree[method]; ok {
-						httpPathTree = existed
-					}
+				method := strings.Split(http, "|")[0]
+				path := strings.Split(http, "|")[1]
 
-					aggreatedPaths := AggregatePaths(httpPathTree, paths)
-					for _, aggPath := range aggreatedPaths {
-						updatedAdditionals = append(updatedAdditionals, method+"|"+aggPath)
+				if val, ok := methodToPaths[method]; ok {
+					if !libs.ContainsElement(val, path) {
+						val = append(val, path)
 					}
+					methodToPaths[method] = val
+				} else {
+					methodToPaths[method] = []string{path}
+				}
+			}
 
-					httpTree[method] = httpPathTree
+			for method, paths := range methodToPaths {
+				httpPathTree := map[string]*Node{}
+				if existed, ok := httpTree[method]; ok {
+					httpPathTree = existed
 				}
 
-				dsts[i].Additionals = updatedAdditionals
+				aggreatedPaths := AggregatePaths(httpPathTree, paths)
+				for _, aggPath := range aggreatedPaths {
+					updatedAdditionals = append(updatedAdditionals, method+"|"+aggPath)
+				}
 
-				setHTTPTree(aggregatedSrc, dst, httpTree)
+				httpTree[method] = httpPathTree
 			}
+
+			dsts[i].Additionals = updatedAdditionals
+
+			setHTTPTree(aggregatedSrc, dst, httpTree)
 		}
 
 		aggregatedSrcPerAggregatedDst[aggregatedSrc] = dsts

diff --git a/src/networkpolicy/networkPolicy.go b/src/networkpolicy/networkPolicy.go
@@ -1520,7 +1520,7 @@ func DiscoverNetworkPolicy(namespace string,
 	return networkPolicies
 }
 
-func initDiscoveryConfiguration() {
+func initNetPolicyDiscoveryConfiguration() {
 	CfgDB = cfg.GetCfgDB()
 
 	OneTimeJobTime = cfg.GetCfgOneTime()
@@ -1553,7 +1553,7 @@ func DiscoverNetworkPolicyMain() {
 	}()
 
 	// init the configuration related to the network policy
-	initDiscoveryConfiguration()
+	initNetPolicyDiscoveryConfiguration()
 
 	// get network logs
 	allNetworkLogs := getNetworkLogs()

diff --git a/src/plugin/kubearmor.go b/src/plugin/kubearmor.go
@@ -2,6 +2,7 @@ package plugin
 
 import (
 	"encoding/json"
+	"strings"
 
 	"github.com/accuknox/knoxAutoPolicy/src/types"
 )
@@ -23,16 +24,23 @@ func ConvertMySQLKubeArmorLogsToKnoxSystemLogs(docs []map[string]interface{}) []
 			log.Error().Msg(err.Error())
 		}
 
+		sources := strings.Split(syslog.Source, " ")
+		source := ""
+		if len(sources) >= 1 {
+			source = sources[0]
+		}
+
 		knoxSysLog := types.KnoxSystemLog{
-			ClusterName: syslog.ClusterName,
-			HostName:    syslog.HostName,
-			Namespace:   syslog.NamespaceName,
-			PodName:     syslog.PodName,
-			Source:      syslog.Source,
-			Operation:   syslog.Operation,
-			Resource:    syslog.Resource,
-			Data:        syslog.Data,
-			Result:      syslog.Result,
+			ClusterName:  syslog.ClusterName,
+			HostName:     syslog.HostName,
+			Namespace:    syslog.NamespaceName,
+			PodName:      syslog.PodName,
+			Source:       source,
+			SourceOrigin: syslog.Source,
+			Operation:    syslog.Operation,
+			Resource:     syslog.Resource,
+			Data:         syslog.Data,
+			Result:       syslog.Result,
 		}
 
 		results = append(results, knoxSysLog)