Merge pull request #189 from seungsoo-lee/dev

Update configuration manager for system policy operations (i.e., file and process)

src/conf/local.yaml

@@ -8,7 +8,7 @@ application:
     network-policy-to: "db|file"              # db, file
     network-policy-dir: "./"
   system:
-    operation-mode: 1                         # 1: cronjob | 2: one-time-job
+    operation-mode: 2                         # 1: cronjob | 2: one-time-job
     cron-job-time-interval: "0h0m5s"          # format: XhYmZs 
     system-log-from: "db"                     # db|kubearmor
     system-log-file: "./log.json"             # file path
@@ -25,7 +25,7 @@ database:
   port: 3306
   user: root
   password: password
-  dbname: knoxautopolicy
+  dbname: accuknox
   table-configuration: auto_policy_config
   table-network-log: network_log
   table-network-policy: network_policy
@@ -52,4 +52,4 @@ logging:
 
 cilium-hubble:
   url: 10.4.41.240
-  port: 80
+  port: 80

src/config/configManager.go

@@ -27,6 +27,11 @@ import (
 //                       fromEntities : 256
 //                       all        : 511
 
+// system policy types: process     : 1
+//                      file        : 2
+//                      network     : 4
+//                      all		    : 7
+
 // ====================== //
 // == Global Variables == //
 // ====================== //
@@ -125,6 +130,8 @@ func LoadDefaultConfig() {
 		CronJobTimeInterval:     "@every " + viper.GetString("application.system.cron-job-time-interval"),
 		OneTimeJobTimeSelection: "", // e.g., 2021-01-20 07:00:23|2021-01-20 07:00:25
 
+		SysPolicyTypes: 7,
+
 		SystemLogFrom:   viper.GetString("application.system.system-log-from"),
 		SystemLogFile:   viper.GetString("application.system.system-log-file"),
 		SystemPolicyTo:  viper.GetString("application.system.system-policy-to"),
@@ -319,6 +326,10 @@ func GetCfgSystemPolicyDir() string {
 	return CurrentCfg.ConfigSysPolicy.SystemPolicyDir
 }
 
+func GetCfgSystemkPolicyTypes() int {
+	return CurrentCfg.ConfigSysPolicy.SysPolicyTypes
+}
+
 func GetCfgSystemLogFilters() []types.SystemLogFilter {
 	return CurrentCfg.ConfigSysPolicy.SystemLogFilters
 }

src/libs/mysqlHandler.go

@@ -766,14 +766,15 @@ func AddConfiguration(cfg types.ConfigDB, newConfig types.Configuration) error {
 		"system_log_file," +
 		"system_policy_to," +
 		"system_policy_dir," +
+		"system_policy_types," +
 		"system_policy_log_filters," +
 		"system_policy_proc_fromsource," +
 		"system_policy_file_fromsource," +
 
 		"cluster_info_from," +
 		"cluster_mgmt_url) " +
 
-		"values(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)")
+		"values(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)")
 
 	if err != nil {
 		return err
@@ -835,6 +836,7 @@ func AddConfiguration(cfg types.ConfigDB, newConfig types.Configuration) error {
 		newConfig.ConfigSysPolicy.SystemLogFile,
 		newConfig.ConfigSysPolicy.SystemPolicyTo,
 		newConfig.ConfigSysPolicy.SystemPolicyDir,
+		newConfig.ConfigSysPolicy.SysPolicyTypes,
 		sysLogFilters,
 		newConfig.ConfigSysPolicy.ProcessFromSource,
 		newConfig.ConfigSysPolicy.FileFromSource,
@@ -924,6 +926,7 @@ func GetConfigurations(cfg types.ConfigDB, configName string) ([]types.Configura
 			&cfg.ConfigSysPolicy.SystemLogFile,
 			&cfg.ConfigSysPolicy.SystemPolicyTo,
 			&cfg.ConfigSysPolicy.SystemPolicyDir,
+			&cfg.ConfigSysPolicy.SysPolicyTypes,
 			&sysLogFiltersByte,
 			&cfg.ConfigSysPolicy.ProcessFromSource,
 			&cfg.ConfigSysPolicy.FileFromSource,
@@ -997,6 +1000,7 @@ func UpdateConfiguration(cfg types.ConfigDB, configName string, updateConfig typ
 		"system_log_file=?," +
 		"system_policy_to=?," +
 		"system_policy_dir=?," +
+		"system_policy_types=?," +
 		"system_policy_log_filters=?," +
 		"system_policy_proc_fromsource=?," +
 		"system_policy_file_fromsource=?," +
@@ -1061,6 +1065,7 @@ func UpdateConfiguration(cfg types.ConfigDB, configName string, updateConfig typ
 		updateConfig.ConfigSysPolicy.SystemLogFile,
 		updateConfig.ConfigSysPolicy.SystemPolicyTo,
 		updateConfig.ConfigSysPolicy.SystemPolicyDir,
+		updateConfig.ConfigSysPolicy.SysPolicyTypes,
 		sysLogFilters,
 		updateConfig.ConfigSysPolicy.ProcessFromSource,
 		updateConfig.ConfigSysPolicy.FileFromSource,
@@ -1168,7 +1173,7 @@ func CreateTableConfigurationMySQL(cfg types.ConfigDB) error {
 
 	tableName := cfg.TableConfiguration
 
-	// the number of column --> 28
+	// the number of column --> 29
 	query :=
 		"CREATE TABLE IF NOT EXISTS `" + tableName + "` ( " +
 			"	`id` int NOT NULL AUTO_INCREMENT, " +
@@ -1199,6 +1204,7 @@ func CreateTableConfigurationMySQL(cfg types.ConfigDB) error {
 			"	`system_log_file` varchar(50) DEFAULT NULL, " +
 			"	`system_policy_to` varchar(50) DEFAULT NULL, " +
 			"	`system_policy_dir` varchar(50) DEFAULT NULL, " +
+			"	`system_policy_types` int DEFAULT NULL, " +
 			"	`system_policy_log_filters` JSON DEFAULT NULL, " +
 			"	`system_policy_proc_fromsource` tinyint(1) DEFAULT '0', " +
 			"	`system_policy_file_fromsource` tinyint(1) DEFAULT '0', " +

src/systempolicy/systemPolicy.go

@@ -37,6 +37,9 @@ const (
 	SYS_OP_PROCESS = "Process"
 	SYS_OP_FILE    = "File"
 
+	SYS_OP_PROCESS_INT = 1
+	SYS_OP_FILE_INT    = 2
+
 	SOURCE_ALL = "ALL" // for fromSource 'off'
 )
 
@@ -60,6 +63,8 @@ var SystemLogFrom string
 var SystemLogFile string
 var SystemPolicyTo string
 
+var SystemPolicyTypes int
+
 var SystemLogFilters []types.SystemLogFilter
 
 var ProcessFromSource bool
@@ -407,6 +412,8 @@ func initSysPolicyDiscoveryConfiguration() {
 	SystemLogFile = cfg.GetCfgSystemLogFile()
 	SystemPolicyTo = cfg.GetCfgSystemPolicyTo()
 
+	SystemPolicyTypes = cfg.GetCfgSystemkPolicyTypes()
+
 	SystemLogFilters = cfg.GetCfgSystemLogFilters()
 
 	ProcessFromSource = cfg.GetCfgSystemProcFromSource()
@@ -459,12 +466,16 @@ func DiscoverSystemPolicyMain() {
 			}
 
 			// 1. discover file operation system policy
-			fileOpLogs := getOperationLogs(SYS_OP_FILE, perPodlogs)
-			discoveredSysPolicies = discoverFileOperationPolicy(discoveredSysPolicies, pod, fileOpLogs)
+			if SystemPolicyTypes&SYS_OP_FILE_INT > 0 {
+				fileOpLogs := getOperationLogs(SYS_OP_FILE, perPodlogs)
+				discoveredSysPolicies = discoverFileOperationPolicy(discoveredSysPolicies, pod, fileOpLogs)
+			}
 
 			// 2. discover process operation system policy
-			procOpLogs := getOperationLogs(SYS_OP_PROCESS, perPodlogs)
-			discoveredSysPolicies = discoverProcessOperationPolicy(discoveredSysPolicies, pod, procOpLogs)
+			if SystemPolicyTypes&SYS_OP_PROCESS_INT > 0 {
+				procOpLogs := getOperationLogs(SYS_OP_PROCESS, perPodlogs)
+				discoveredSysPolicies = discoverProcessOperationPolicy(discoveredSysPolicies, pod, procOpLogs)
+			}
 
 			// 3. update selector
 			discoveredSysPolicies = updateSysPolicySelector(clusterName, pod, discoveredSysPolicies)

src/types/configData.go

@@ -123,6 +123,8 @@ type ConfigSystemPolicy struct {
 	SystemPolicyTo  string `json:"system_policy_to,omitempty" bson:"system_policy_to,omitempty"`
 	SystemPolicyDir string `json:"system_policy_dir,omitempty" bson:"system_policy_dir,omitempty"`
 
+	SysPolicyTypes int `json:"system_policy_types,omitempty" bson:"system_policy_types,omitempty"`
+
 	SystemLogFilters []SystemLogFilter `json:"system_policy_log_filters,omitempty" bson:"system_policy_log_filters,omitempty"`
 
 	ProcessFromSource bool `json:"system_policy_proc_fromsource,omitempty" bson:"system_policy_proc_fromsource,omitempty"`

tests/mysql/init/autopolicy.sql

@@ -1,2 +1,2 @@
-CREATE DATABASE IF NOT EXISTS `knoxautopolicy`;
-USE `knoxautopolicy`;
+CREATE DATABASE IF NOT EXISTS `accuknox`;
+USE `accuknox`;