From 2a0b564a82d01287e5f2c7fc506ac307a3478c91 Mon Sep 17 00:00:00 2001
From: Rowena Zuniga
Date: Wed, 11 Oct 2023 12:29:49 -0600
Subject: [PATCH 1/2] Add DAC_READ_SEARCH for CIDR cert expiry attacks
---
 gremlin/Chart.yaml | 2 +-
 gremlin/values.yaml | 39 ++++++++++++++++++++-------------------
 2 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/gremlin/Chart.yaml b/gremlin/Chart.yaml
index b133c6c..79b8c0a 100644
--- a/gremlin/Chart.yaml
+++ b/gremlin/Chart.yaml
@@ -1,5 +1,5 @@
 name: gremlin
-version: 0.10.0
+version: 0.11.0
 description: The Gremlin Inc client application
 apiVersion: v1
 home: https://www.gremlin.com
diff --git a/gremlin/values.yaml b/gremlin/values.yaml
index 29160eb..12a4207 100644
--- a/gremlin/values.yaml
+++ b/gremlin/values.yaml
@@ -126,32 +126,33 @@ gremlin:
 # Daemonset as well as any pod security resource that governs it. Capabilities that are required for specific
 # attacks can be removed from this list if running such attacks are not desired.
 capabilities:
- - KILL # Required to run Process Killer attacks
- - NET_ADMIN # Required to run network attacks
- - SYS_BOOT # Required to run Shutdown attacks
- - SYS_TIME # Required to run Time Travel attacks
+ - KILL # Required to run Process Killer attacks
+ - NET_ADMIN # Required to run network attacks
+ - SYS_BOOT # Required to run Shutdown attacks
+ - SYS_TIME # Required to run Time Travel attacks
+ - DAC_READ_SEARCH # Required to run Certificate Expiry attacks
- - SYS_ADMIN # Required by container drivers: docker-runc, crio-runc, containerd-runc
- # to run attacks against running containers
+ - SYS_ADMIN # Required by container drivers: docker-runc, crio-runc, containerd-runc
+ # to run attacks against running containers
- - SYS_PTRACE # Required by container drivers: docker-runc, crio-runc, containerd-runc
- # to determine if Gremlin is in the host's pid namespace
+ - SYS_PTRACE # Required by container drivers: docker-runc, crio-runc, containerd-runc
+ # to determine if Gremlin is in the host's pid namespace
- - SETFCAP # Required by container drivers: docker-runc, crio-runc, containerd-runc
- # to set capabilities on Gremlin attack sidecars
+ - SETFCAP # Required by container drivers: docker-runc, crio-runc, containerd-runc
+ # to set capabilities on Gremlin attack sidecars
- - AUDIT_WRITE # Required by container drivers: docker-runc, crio-runc, containerd-runc
- # to write to the Kernel's audit log
+ - AUDIT_WRITE # Required by container drivers: docker-runc, crio-runc, containerd-runc
+ # to write to the Kernel's audit log
- - MKNOD # Required by container drivers: docker-runc, crio-runc, containerd-runc
- # to create new devices for Gremlin attack sidecars
+ - MKNOD # Required by container drivers: docker-runc, crio-runc, containerd-runc
+ # to create new devices for Gremlin attack sidecars
- - SYS_CHROOT # Required by container drivers: docker-runc, crio-runc, containerd-runc
- # to create and enter new namespaces for Gremlin attack sidecars
+ - SYS_CHROOT # Required by container drivers: docker-runc, crio-runc, containerd-runc
+ # to create and enter new namespaces for Gremlin attack sidecars
- - NET_RAW # Required by container drivers: docker-runc, crio-runc, containerd-runc
- # Not actively used by Gremlin but requested by sidecars
- # This capability will be removed in a later release
+ - NET_RAW # Required by container drivers: docker-runc, crio-runc, containerd-runc
+ # Not actively used by Gremlin but requested by sidecars
+ # This capability will be removed in a later release
 # gremlin.podSecurity.seLinuxOptions
- # Specifies SELinux options to apply to the Gremlin Daemonset container securityContext.
From 4992ee3143e9bef309d4dbf02d0e8030f3184a3f Mon Sep 17 00:00:00 2001
From: rowezuniga
Date: Wed, 11 Oct 2023 13:21:32 -0600
Subject: [PATCH 2/2] Update gremlin/values.yaml
Co-authored-by: Phil Gebhardt
---
 gremlin/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gremlin/values.yaml b/gremlin/values.yaml
index 12a4207..164dee3 100644
--- a/gremlin/values.yaml
+++ b/gremlin/values.yaml
@@ -130,7 +130,7 @@ gremlin:
 - NET_ADMIN # Required to run network attacks
 - SYS_BOOT # Required to run Shutdown attacks
 - SYS_TIME # Required to run Time Travel attacks
- - DAC_READ_SEARCH # Required to run Certificate Expiry attacks
+ - DAC_READ_SEARCH # Required to run Certificate Expiry attacks, and dependency discovery features
 - SYS_ADMIN # Required by container drivers: docker-runc, crio-runc, containerd-runc
 # to run attacks against running containers
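Review bot: The reworded comment on the added `DAC_READ_SEARCH` entry says which features need it but not what the capability grants, which is exactly what an operator needs to apply the list header's advice that capabilities can be dropped when the matching attacks are not wanted. CAP_DAC_READ_SEARCH bypasses file-read and directory-search permission checks, so the agent can read any file in its mount namespace rather than only certificates (private keys stored next to them included), and it also unlocks open_by_handle_at(2), which has historically been used for container escapes where host paths are mounted in. I would make the trade-off visible at the point of enablement: `- DAC_READ_SEARCH # Required to run Certificate Expiry attacks and dependency discovery. Bypasses file read/dir search permission checks for every path mounted into the container; remove it if neither feature is used.` Whether this DaemonSet mounts host paths is not visible in this hunk, so the escape concern should be confirmed against the rest of the chart rather than taken as given.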