
KubeArmor to protect IoT Edge containerized workloads

Rahul Jadhav edited this page Aug 21, 2022 · 3 revisions

Securing Open Horizon Edge Workloads with KubeArmor

What is Open Horizon?

Open Horizon is a platform for managing the service software lifecycle of containerized workloads and related machine learning assets. It enables autonomous management of applications deployed to distributed webscale fleets of edge computing nodes and devices without requiring on-premise administrators.

How can KubeArmor help?

KubeArmor is a runtime security engine that can protect k8s-orchestrated or pure containerized workloads as well as VM/bare-metal based workloads. Open Horizon deploys the edge workloads either in containerized mode or in k8s-orchestrated mode. The Open Horizon Edge Agent operates directly on the host as a systemd process.

KubeArmor running on the edge node provides visibility and protection for all process, file and network operations, both in the containers and in the processes running directly on the host.

Observability: KubeArmor can provide container-aware observability information about the operations happening:

  1. from Agent node to Management Hub (and vice-versa)
  2. between the containers and the agent edge node
  3. inside the containers running on the Agent node

Enforcement: KubeArmor can be used to apply security postures at the kernel-level (using LSMs like AppArmor, BPF-LSM). It can protect both the host and workloads running on it by enforcing either some predefined security policies or automatically generated least permissive security policies (using Discovery Engine).

KubeArmor already supports k8s-orchestrated workloads and provides KVMService, which allows orchestrating security policies to VMs in non-k8s environments.
With the v0.5.5 release, KubeArmor also supports standalone, un-orchestrated containers. In this mode KubeArmor supports both enforcement and observability for the host and for the containers running on it.

KubeArmor on Open Horizon

Note: This guide assumes both the Open Horizon Management Hub and the Agent VM are running Ubuntu 20.04.
We first need to install the Open Horizon Management Hub and Agent node components. For that, please follow the Open Horizon setup guide.
We also assume that the Open Horizon Home Assistant service is running on the agent edge node.

Now we will run KubeArmor as a systemd process on the Open Horizon Agent VM.

Installing KubeArmor, kArmor and Discovery Engine

  • KubeArmor Installation:
  1. Download the latest release of KubeArmor
wget https://github.com/kubearmor/KubeArmor/releases/download/v0.5.5/kubearmor_0.5.5_linux-amd64.deb
  2. Install KubeArmor
sudo apt install ./kubearmor_0.5.5_linux-amd64.deb

Note that the above automatically installs bpfcc-tools with our package, but your distribution might ship an older version of BCC. In case of errors, consider installing bcc from source.

  3. Start KubeArmor
sudo systemctl start kubearmor
  4. Check that KubeArmor is running
sudo journalctl -u kubearmor -f
  • kArmor Installation:

Note kArmor should already be installed by the above KubeArmor installation. Check installation using karmor version.

If kArmor is not installed run:

curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
  • Discovery Engine Installation:
  1. Download the latest release of Discovery Engine
wget https://github.com/accuknox/discovery-engine/releases/download/v0.6.3/knoxAutoPolicy_0.6.3_linux-amd64.deb
  2. Install Discovery Engine
sudo apt install ./knoxAutoPolicy_0.6.3_linux-amd64.deb
  3. Start Discovery Engine
sudo systemctl daemon-reload
sudo systemctl start knoxAutoPolicy

If you had previously installed discovery-engine, it is advised to restart the service: sudo systemctl restart knoxAutoPolicy

  4. Check that Discovery Engine is running
sudo journalctl -u knoxAutoPolicy -f
  5. To see alerts on policy violations, run:
karmor log
  6. Now, let's apply a sample policy, block-secrets-access.yaml, using:
karmor vm policy add block-secrets-access.yaml
block-secrets-access.yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-certificates-access
spec:
  severity: 10
  message: "a critical file was accessed"
  tags:
  - WARNING
  selector:
    matchLabels:
      kubearmor.io/container.name: homeassistant
  process:
    matchPaths:
      - path: /usr/sbin/update-ca-certificates
  file:
    matchDirectories:
    - dir: /usr/share/ca-certificates/
      recursive: true
    - dir: /etc/ssl/
      recursive: true
  action: Block

Note: More predefined policies and auto-discovered policy can be found here: https://github.com/kubearmor/openhorizon-demo/tree/main/Open-Horizon/policies

Notice the selector field kubearmor.io/container.name: homeassistant. Here homeassistant is the name of the container to which we want to apply the policy.

karmor log
HostName: knownymousagent-VirtualBox
NamespaceName: container_namespace
PodName: homeassistant
ContainerName: homeassistant
ContainerID: 77c3916a24f74915cd7d2eb51ff6a2425c3b4d6e72b805f735800d023d355338
Type: MatchedPolicy
PolicyName: block-certificates-access
Severity: 10
Message: a critical file was accessed
Source: /bin/bash
Resource: /usr/sbin/update-ca-certificates
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Enforcer: AppArmor
Result: Permission denied
HostPID: 4922
HostPPID: 4912
PID: 116
PPID: 110
ParentProcessName: /bin/bash
ProcessName: /usr/sbin/update-ca-certificates
Tags: WARNING
Available filters
--logFilter <system|policy|all> - Filter to receive general system logs (system) or alerts on policy violation (policy) or both (all).
--logType <ContainerLog|HostLog> - Source of logs - ContainerLog: logs from containers or HostLog: logs from the host
--operation <Process|File|Network> - Type of logs based on process, file or network
--container - Specify container name to view container specific logs

Applying a container policy creates an AppArmor profile under /etc/apparmor.d/ named kubearmor_<containername> (kubearmor_homeassistant here) and loads that profile into AppArmor.
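Worked example, added here and not code from the KubeArmor project or this page: a parser for the karmor log record format shown above, plus a simplified matcher that checks each record against the block-certificates-access policy. The matching rules (exact path for matchPaths, prefix for matchDirectories, recursive meaning subdirectories are covered too) are a model of KubeArmor's semantics for illustration, not its implementation; the host name, the second log record and the triage labels are constructed.

```python
"""Parse `karmor log` alert records and check them against a KubeArmor policy.

Added example (not part of the KubeArmor project or this wiki page). The log
record format is the key/value block shown on the page; the matching rules
below are a simplified model of matchPaths / matchDirectories semantics.
"""

# Constructed sample: one alert block modelled on the page's `karmor log`
# output, followed by a second (constructed) system log record for a file read.
SAMPLE_LOG = """\
HostName: edge-agent-vm
NamespaceName: container_namespace
PodName: homeassistant
ContainerName: homeassistant
Type: MatchedPolicy
PolicyName: block-certificates-access
Severity: 10
Message: a critical file was accessed
Source: /bin/bash
Resource: /usr/sbin/update-ca-certificates
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Enforcer: AppArmor
Result: Permission denied
Tags: WARNING

HostName: edge-agent-vm
ContainerName: homeassistant
Type: ContainerLog
Source: /usr/bin/python3
Resource: /etc/ssl/certs/ca-certificates.crt
Operation: File
Result: Passed
"""

# The page's block-certificates-access policy, expressed as a Python dict.
POLICY = {
    "metadata": {"name": "block-certificates-access"},
    "spec": {
        "selector": {"matchLabels": {"kubearmor.io/container.name": "homeassistant"}},
        "process": {"matchPaths": [{"path": "/usr/sbin/update-ca-certificates"}]},
        "file": {"matchDirectories": [
            {"dir": "/usr/share/ca-certificates/", "recursive": True},
            {"dir": "/etc/ssl/", "recursive": True},
        ]},
        "action": "Block",
    },
}


def parse_karmor_log(text):
    """Split `karmor log` output into records; a blank line separates records."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def dir_matches(rule, path):
    """matchDirectories: `dir` is a prefix; a non-recursive rule only covers
    files directly under that directory (simplified model)."""
    d = rule["dir"]
    if not path.startswith(d):
        return False
    if rule.get("recursive"):
        return True
    return "/" not in path[len(d):]


def policy_matches(policy, record):
    """True when the record's container, operation and resource hit a policy rule."""
    spec = policy["spec"]
    labels = spec["selector"]["matchLabels"]
    if labels.get("kubearmor.io/container.name") != record.get("ContainerName"):
        return False
    op, res = record.get("Operation"), record.get("Resource", "")
    section = spec.get(op.lower(), {}) if op else {}
    if any(r["path"] == res for r in section.get("matchPaths", [])):
        return True
    return any(dir_matches(r, res) for r in section.get("matchDirectories", []))


def triage(text, policy):
    """Label each record: enforced block, policy hit that was only observed
    (assumed to mean the profile is not loaded), or unrelated to the policy."""
    out = []
    for rec in parse_karmor_log(text):
        hit = policy_matches(policy, rec)
        if hit and rec.get("Action") == "Block":
            verdict = "blocked"
        elif hit:
            verdict = "matched-not-enforced"
        else:
            verdict = "unrelated"
        out.append((rec.get("Source"), rec.get("Resource"), verdict))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, POLICY):
        print(*row)
```

Feed it the output of karmor log --logFilter all: a "matched-not-enforced" verdict on a path the policy is supposed to block is the signal to check that the kubearmor_<containername> profile was actually applied to the container.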

Apply the apparmor profile to the desired container

To run a container with KubeArmor enforcement using the AppArmor profile kubearmor_homeassistant, pass --security-opt apparmor=kubearmor_homeassistant to the docker run command, or, if using docker-compose, add the following under the service in docker-compose.yaml:

security_opt:
  - apparmor=kubearmor_homeassistant

Auto discover least permissive security policy

The karmor discover tool can be used to automatically generate security policies. The output of the command can be redirected to a YAML file:

karmor discover --format yaml --labels "kubearmor.io/container.name=homeassistant" > discovered_policy.yaml

This YAML file can be applied to KubeArmor to give the homeassistant-service container a least-permissive security posture.

To apply the discovered policy discovered_policy.yaml:

karmor vm policy add discovered_policy.yaml

Note: Host security policies are identified by kind: KubeArmorHostPolicy and Container security policies have kind: KubeArmorPolicy.

accuknox summary

To inspect the internal behaviour of the containers and of the host, the accuknox command-line utility provides a summary option:

accuknox summary

**********************************************************************

Pod Name :  

Namespace :  

List of Processes (14) :

SOURCE                            DESTINATION         COUNT  LAST UPDATED TIME   STATUS  
/usr/lib/systemd/systemd          /bin/*              1      8-05-2022 23:11:23  ALLOW   
/usr/lib/systemd/systemd          /usr/*              2      8-05-2022 23:11:23  ALLOW   
/usr/sbin/sshd                    /usr/*              5      8-06-2022 00:13:29  ALLOW   
/usr/lib/systemd/systemd-udevd    /lib/*              4      8-05-2022 23:59:37  ALLOW   
/usr/bin/containerd               /usr/*              2      8-05-2022 23:59:46  ALLOW   
/usr/bin/dockerd                  /usr/*              16     8-05-2022 23:59:45  ALLOW   
/usr/bin/dockerd                  /proc/*             2      8-05-2022 23:59:50  ALLOW   
/usr/bin/runc                     /proc/*             5      8-05-2022 23:59:49  ALLOW   
/usr/bin/bash                     /usr/*              24     8-06-2022 00:04:14  ALLOW   
/usr/bin/bash                     ./accuknox summary  10     8-06-2022 00:09:45  ALLOW   
/usr/bin/containerd-shim-runc-v2  /usr/*              7      8-05-2022 23:59:52  ALLOW   
/usr/lib/firefox/firefox          /usr/*              3      8-05-2022 23:11:32  ALLOW   
/usr/sbin/cron                    /bin/*              4      8-05-2022 23:40:06  ALLOW   
/usr/lib/udisks2/udisksd          /usr/*              4      8-05-2022 23:59:48  ALLOW   
/usr/bin/run-parts                /etc/*              7      8-06-2022 00:12:25  ALLOW   
/usr/bin/run-parts                /usr/*              1      8-06-2022 00:12:28  ALLOW   
/usr/bin/make                     /usr/*              15     8-06-2022 00:04:14  ALLOW   
/usr/bin/make                     /bin/*              3      8-05-2022 23:59:35  ALLOW   
/usr/bin/dash                     /usr/*              40     8-06-2022 00:12:28  ALLOW   

List of File-system accesses (50) :

SOURCE                                                           DESTINATION  COUNT    LAST UPDATED TIME   STATUS  
/usr/bin/logger                                                  /usr/*       39       8-05-2022 23:40:07  ALLOW   
/usr/bin/logger                                                  /etc/*       3        8-05-2022 23:40:07  ALLOW   
/usr/bin/cut                                                     /usr/*       9        8-06-2022 00:12:25  ALLOW   
/usr/bin/cut                                                     /etc/*       4        8-06-2022 00:12:25  ALLOW   
/usr/bin/jq                                                      /usr/*       16       8-05-2022 23:40:10  ALLOW   
/usr/bin/jq                                                      /etc/*       4        8-05-2022 23:40:09  ALLOW   
/usr/bin/env                                                     /usr/*       2        8-06-2022 00:12:22  ALLOW   
/usr/bin/env                                                     /etc/*       1        8-06-2022 00:12:22  ALLOW   
/etc/update-motd.d/85-fwupd                                      /usr/*       1        8-06-2022 00:12:23  ALLOW   
/etc/update-motd.d/85-fwupd                                      /etc/*       2        8-06-2022 00:12:23  ALLOW   
/usr/lib/systemd/systemd-sysctl                                  /usr/*       148      8-05-2022 23:59:42  ALLOW   
/usr/lib/systemd/systemd-sysctl                                  /etc/*       42       8-05-2022 23:59:42  ALLOW   
/usr/lib/systemd/systemd-sysctl                                  /proc/*      30       8-05-2022 23:59:42  ALLOW   
/usr/lib/systemd/systemd-sysctl                                  /            20       8-06-2022 00:01:33  ALLOW   
/usr/lib/systemd/systemd-sysctl                                  usr          11       8-06-2022 00:01:33  ALLOW   
/usr/lib/systemd/systemd-sysctl                                  local        4        8-05-2022 23:59:40  ALLOW   
/usr/lib/systemd/systemd-sysctl                                  lib          16       8-06-2022 00:01:33  ALLOW   
/usr/lib/systemd/systemd-sysctl                                  etc          4        8-05-2022 23:59:40  ALLOW   
/usr/lib/systemd/systemd-sysctl                                  sysctl.d     12       8-05-2022 23:59:41  ALLOW   
/usr/lib/systemd/systemd-sysctl                                  run          4        8-05-2022 23:59:40  ALLOW   
/usr/bin/docker-proxy                                            /etc/*       4        8-05-2022 23:59:45  ALLOW   
/usr/bin/docker-proxy                                            /usr/*       9        8-06-2022 00:00:00  ALLOW   
/usr/bin/docker-proxy                                            /sys/*       4        8-05-2022 23:59:45  ALLOW   
/usr/bin/docker-proxy                                            /proc/*      4        8-05-2022 23:59:45  ALLOW   
/proc/877/exe                                                    /usr/*       32       8-05-2022 23:59:49  ALLOW   
/proc/877/exe                                                    /etc/*       15       8-06-2022 00:01:36  ALLOW   
/proc/877/exe                                                    /proc/*      6        8-05-2022 23:59:50  ALLOW   
/proc/877/exe                                                    /sys/*       2        8-05-2022 23:59:49  ALLOW   
/proc/877/exe                                                    /run/*       4        8-05-2022 23:59:49  ALLOW   
/usr/bin/cat                                                     /usr/*       2        8-06-2022 00:12:24  ALLOW   
/usr/bin/cat                                                     /etc/*       2        8-06-2022 00:12:24  ALLOW   
/usr/bin/cat                                                     /run/*       1        8-06-2022 00:12:24  ALLOW   
/usr/bin/cat                                                     /var/*       1        8-06-2022 00:12:24  ALLOW   
/usr/horizon/bin/agent-auto-upgrade.sh                           /etc/*       4        8-05-2022 23:40:07  ALLOW   
/usr/horizon/bin/agent-auto-upgrade.sh                           /usr/*       22       8-05-2022 23:40:07  ALLOW   
/usr/horizon/bin/agent-auto-upgrade.sh                           /dev/*       4        8-05-2022 23:40:07  ALLOW   
/usr/bin/dirname                                                 /usr/*       7        8-05-2022 23:40:08  ALLOW   
/usr/bin/dirname                                                 /etc/*       4        8-05-2022 23:40:08  ALLOW   
/etc/update-motd.d/50-motd-news                                  /etc/*       2        8-06-2022 00:12:23  ALLOW   
/usr/sbin/iptables                                               /usr/*       95       8-05-2022 23:59:45  ALLOW   
/usr/sbin/iptables                                               /etc/*       72       8-05-2022 23:59:45  ALLOW   
/usr/sbin/iptables                                               /run/*       11       8-05-2022 23:59:44  ALLOW   
/usr/bin/containerd-shim-runc-v2                                 /sys/*       6        8-05-2022 23:59:52  ALLOW   
/usr/bin/containerd-shim-runc-v2                                 /usr/*       6        8-05-2022 23:59:46  ALLOW   
/usr/bin/containerd-shim-runc-v2                                 /run/*       27       8-05-2022 23:59:51  ALLOW   
/usr/bin/containerd-shim-runc-v2                                 /proc/*      41       8-05-2022 23:59:52  ALLOW   
/usr/bin/containerd-shim-runc-v2                                 /dev/*       9        8-06-2022 00:01:38  ALLOW   
/usr/bin/containerd-shim-runc-v2                                 log          2        8-05-2022 23:59:46  ALLOW   
/usr/bin/containerd-shim-runc-v2                                 /var/*       12       8-06-2022 00:01:37  ALLOW   
/usr/bin/containerd-shim-runc-v2                                 /memory/*    4        8-05-2022 23:59:52  ALLOW   
/usr/bin/containerd-shim-runc-v2                                 /tmp/*       5        8-05-2022 23:34:26  ALLOW   
/usr/bin/runc                                                    /etc/*       5        8-05-2022 23:59:52  ALLOW   
/usr/bin/runc                                                    /usr/*       20       8-05-2022 23:59:52  ALLOW   
/usr/bin/runc                                                    /sys/*       5        8-05-2022 23:59:52  ALLOW   
/usr/bin/runc                                                    /proc/*      30       8-06-2022 00:01:38  ALLOW   
/usr/bin/runc                                                    /run/*       18       8-05-2022 23:59:52  ALLOW   
/usr/bin/runc                                                    /fs/*        2        8-05-2022 23:59:47  ALLOW   
/usr/bin/runc                                                    /var/*       2        8-05-2022 23:59:47  ALLOW   
/usr/bin/runc                                                    /tmp/*       1        8-05-2022 23:34:23  ALLOW   
/usr/bin/runc                                                    /dev/*       3        8-05-2022 23:34:23  ALLOW   
/usr/bin/curl                                                    /usr/*       111      8-06-2022 00:04:16  ALLOW   
/usr/bin/curl                                                    /etc/*       6        8-06-2022 00:04:16  ALLOW   
/usr/bin/id                                                      /usr/*       3        8-06-2022 00:12:28  ALLOW   
/usr/bin/id                                                      /proc/*      1        8-06-2022 00:12:28  ALLOW   
/proc/self/exe                                                   /etc/*       26       8-05-2022 23:59:51  ALLOW   
/proc/self/exe                                                   /proc/*      17       8-05-2022 23:59:51  ALLOW   
/proc/self/exe                                                   /run/*       12       8-06-2022 00:01:36  ALLOW   
/proc/self/exe                                                   /usr/*       57       8-05-2022 23:59:51  ALLOW   
/proc/self/exe                                                   /var/*       3        8-05-2022 23:59:47  ALLOW   
/proc/self/exe                                                   /sys/*       3        8-05-2022 23:59:51  ALLOW   
/proc/self/exe                                                   /docker/*    2        8-05-2022 23:59:51  ALLOW   
/usr/lib/firefox/firefox                                         /etc/*       3        8-05-2022 23:11:33  ALLOW   
/usr/lib/firefox/firefox                                         /usr/*       19       8-05-2022 23:11:33  ALLOW   
/usr/lib/firefox/firefox                                         /proc/*      4        8-05-2022 23:11:29  ALLOW   
/usr/bin/xprop                                                   /usr/*       15       8-05-2022 23:59:54  ALLOW   
/usr/bin/xprop                                                   /etc/*       2        8-05-2022 23:59:54  ALLOW   
/usr/bin/date                                                    /usr/*       12       8-05-2022 23:40:10  ALLOW   
/usr/bin/date                                                    /etc/*       4        8-05-2022 23:40:10  ALLOW   
/usr/sbin/dumpe2fs                                               /etc/*       27       8-05-2022 23:59:48  ALLOW   
/usr/sbin/dumpe2fs                                               /usr/*       26       8-05-2022 23:59:48  ALLOW   
/usr/sbin/dumpe2fs                                               /dev/*       3        8-05-2022 23:59:48  ALLOW   
/usr/bin/egrep                                                   /usr/*       1        8-05-2022 23:59:55  ALLOW   
/usr/bin/egrep                                                   /etc/*       1        8-05-2022 23:59:55  ALLOW   
/usr/sbin/grep                                                   /usr/*       1        8-05-2022 23:59:56  ALLOW   
/usr/bin/systemd-detect-virt                                     /proc/*      5        8-06-2022 00:13:33          
/usr/bin/docker                                                  /etc/*       34       8-05-2022 23:59:36  ALLOW   
/usr/bin/docker                                                  /usr/*       32       8-05-2022 23:59:36  ALLOW   
/usr/bin/docker                                                  /sys/*       14       8-05-2022 23:59:36  ALLOW   
/bin/sh                                                          /etc/*       10       8-06-2022 00:12:22  ALLOW   
/bin/sh                                                          /usr/*       10       8-06-2022 00:12:22  ALLOW   
/bin/sh                                                          /dev/*       2        8-05-2022 23:59:35  ALLOW   
/bin/sh                                                          /run/*       1        8-06-2022 00:12:22  ALLOW   
/usr/bin/which                                                   /usr/*       4        8-05-2022 23:11:23  ALLOW   
/usr/bin/which                                                   /etc/*       2        8-05-2022 23:11:23  ALLOW   
/etc/update-motd.d/88-esm-announce                               /usr/*       1        8-06-2022 00:12:24  ALLOW   
/etc/update-motd.d/88-esm-announce                               /etc/*       2        8-06-2022 00:12:24  ALLOW   
/etc/update-motd.d/10-help-text                                  /usr/*       1        8-06-2022 00:12:23  ALLOW   
/etc/update-motd.d/10-help-text                                  /etc/*       2        8-06-2022 00:12:23  ALLOW   
/usr/bin/find                                                    /usr/*       7        8-06-2022 00:12:25  ALLOW   
/usr/bin/find                                                    /etc/*       1        8-06-2022 00:12:24  ALLOW   
/usr/bin/find                                                    /proc/*      1        8-06-2022 00:12:24  ALLOW   
/usr/bin/find                                                    .            1        8-06-2022 00:12:24  ALLOW   
/etc/update-motd.d/91-contract-ua-esm-status                     /usr/*       1        8-06-2022 00:12:25  ALLOW   
/etc/update-motd.d/91-contract-ua-esm-status                     /etc/*       2        8-06-2022 00:12:25  ALLOW   
/usr/bin/lsb_release                                             /usr/*       132      8-06-2022 00:12:28  ALLOW   
/usr/bin/lsb_release                                             /etc/*       5        8-06-2022 00:12:26  ALLOW   
/usr/bin/grep                                                    /etc/*       25       8-06-2022 00:12:24  ALLOW   
/usr/bin/grep                                                    /usr/*       61       8-06-2022 00:12:24  ALLOW   
/usr/bin/www-browser                                             /etc/*       2        8-06-2022 00:00:00  ALLOW   
/usr/bin/www-browser                                             /usr/*       14       8-06-2022 00:00:00  ALLOW   
/usr/bin/www-browser                                             /home/*      4        8-06-2022 00:00:50  ALLOW   
/home/knownymous-agent/accuknox-cli/accuknox                     /sys/*       10       8-06-2022 00:09:45  ALLOW   
/home/knownymous-agent/accuknox-cli/accuknox                     /home/*      9        8-06-2022 00:09:45  ALLOW   
/home/knownymous-agent/accuknox-cli/accuknox                     /usr/*       10       8-06-2022 00:09:45  ALLOW   
/home/knownymous-agent/accuknox-cli/accuknox                     /etc/*       26       8-06-2022 00:09:45  ALLOW   
/home/knownymous-agent/accuknox-cli/accuknox                     /run/*       9        8-06-2022 00:09:45  ALLOW   
/usr/bin/dbus-send                                               /usr/*       9        8-05-2022 23:59:53  ALLOW   
/usr/bin/dbus-send                                               /etc/*       1        8-05-2022 23:59:52  ALLOW   
/usr/bin/run-parts                                               /etc/*       2        8-06-2022 00:12:22  ALLOW   
/usr/bin/run-parts                                               /usr/*       1        8-06-2022 00:12:23  ALLOW   
/etc/update-motd.d/00-header                                     /etc/*       2        8-06-2022 00:12:23  ALLOW   
/usr/lib/ubuntu-release-upgrader/release-upgrade-motd            /usr/*       2        8-06-2022 00:12:28  ALLOW   
/usr/lib/ubuntu-release-upgrader/release-upgrade-motd            /etc/*       1        8-06-2022 00:12:28  ALLOW   
/usr/bin/uname                                                   /usr/*       17       8-06-2022 00:12:23  ALLOW   
/usr/bin/uname                                                   /etc/*       10       8-06-2022 00:12:23  ALLOW   
/usr/bin/xdg-open                                                /etc/*       2        8-05-2022 23:59:52  ALLOW   
/usr/bin/xdg-open                                                /usr/*       4        8-05-2022 23:59:52  ALLOW   
/usr/bin/xdg-open                                                /dev/*       2        8-05-2022 23:11:34  ALLOW   
/usr/bin/hzn                                                     /sys/*       4        8-05-2022 23:40:08  ALLOW   
/usr/bin/hzn                                                     /etc/*       20       8-05-2022 23:40:09  ALLOW   
/usr/bin/hzn                                                     /usr/*       8        8-05-2022 23:40:09  ALLOW   
/usr/bin/hzn                                                     /run/*       4        8-05-2022 23:40:09  ALLOW   
/etc/update-motd.d/90-updates-available                          /etc/*       2        8-06-2022 00:12:24  ALLOW   
/etc/update-motd.d/90-updates-available                          /usr/*       1        8-06-2022 00:12:24  ALLOW   
/etc/update-motd.d/91-release-upgrade                            /usr/*       1        8-06-2022 00:12:25  ALLOW   
/etc/update-motd.d/91-release-upgrade                            /etc/*       2        8-06-2022 00:12:25  ALLOW   
/home/knownymous-agent/auto-policy-discovery/src/knoxAutoPolicy  /home/*      3003176  8-06-2022 00:13:57  ALLOW   
/home/knownymous-agent/auto-policy-discovery/src/knoxAutoPolicy  /sys/*       2        8-06-2022 00:00:49  ALLOW   
/home/knownymous-agent/auto-policy-discovery/src/knoxAutoPolicy  /proc/*      1        8-06-2022 00:01:48  ALLOW   
/usr/bin/gio                                                     /usr/*       41       8-05-2022 23:11:23  ALLOW   
/usr/bin/gio                                                     /etc/*       6        8-05-2022 23:11:22  ALLOW   
/usr/bin/gio                                                     /proc/*      2        8-05-2022 23:11:22  ALLOW   
/usr/bin/gio                                                     /home/*      1        8-05-2022 23:11:22  ALLOW   
/usr/bin/gio                                                     /var/*       2        8-05-2022 23:11:22  ALLOW   
/usr/sbin/sshd                                                   /usr/*       215      8-06-2022 00:13:31  ALLOW   
/usr/sbin/sshd                                                   /etc/*       351      8-06-2022 00:13:31  ALLOW   
/usr/sbin/sshd                                                   /dev/*       21       8-06-2022 00:13:30  ALLOW   
/usr/sbin/sshd                                                   /proc/*      24       8-06-2022 00:13:31  ALLOW   
/usr/sbin/sshd                                                   /run/*       12       8-06-2022 00:13:31  ALLOW   
/usr/bin/make                                                    /usr/*       18       8-06-2022 00:04:14  ALLOW   
/usr/bin/make                                                    /home/*      12       8-06-2022 00:04:14  ALLOW   
/usr/bin/make                                                    /etc/*       5        8-06-2022 00:04:14  ALLOW   
/usr/bin/firefox                                                 /usr/*       2        8-05-2022 23:11:23  ALLOW   
/usr/bin/firefox                                                 /etc/*       1        8-05-2022 23:11:23  ALLOW   

List of Network connections (18) :

SOURCE                                        Protocol  COUNT  LAST UPDATED TIME   STATUS  
/usr/lib/systemd/systemd-sysctl               UDP       4      8-05-2022 23:59:40  ALLOW   
/usr/bin/docker-proxy                         TCP       11     8-06-2022 00:04:17  ALLOW   
/proc/self/exe                                TCP       10     8-06-2022 00:01:36  ALLOW   
/proc/self/exe                                UDP       6      8-06-2022 00:01:37  ALLOW   
/usr/bin/logger                               UDP       4      8-05-2022 23:40:07  ALLOW   
/usr/sbin/dumpe2fs                            TCP       40     8-06-2022 00:01:35  ALLOW   
/usr/bin/dbus-send                            TCP       1      8-05-2022 23:59:53  ALLOW   
/usr/bin/curl                                 UDP       3      8-06-2022 00:04:16  ALLOW   
/usr/bin/curl                                 TCP       3      8-06-2022 00:04:16  ALLOW   
/usr/bin/docker                               TCP       31     8-06-2022 00:01:32  ALLOW   
/usr/bin/containerd-shim-runc-v2              TCP       5      8-05-2022 23:59:52  ALLOW   
/proc/877/exe                                 TCP       11     8-06-2022 00:01:36  ALLOW   
/proc/877/exe                                 UDP       5      8-06-2022 00:01:36  ALLOW   
/usr/bin/runc                                 TCP       1      8-05-2022 23:34:23  ALLOW   
/usr/bin/www-browser                          TCP       5      8-06-2022 00:01:39  ALLOW   
/usr/sbin/sshd                                TCP       100    8-06-2022 00:13:58  ALLOW   
/usr/sbin/sshd                                RAW       56     8-06-2022 00:13:58  ALLOW   
/usr/sbin/sshd                                UDP       21     8-06-2022 00:13:31  ALLOW   
/usr/bin/lsb_release                          TCP       1      8-06-2022 00:12:26  ALLOW   
/usr/sbin/iptables                            RAW       53     8-06-2022 00:01:35  ALLOW   
/usr/bin/gio                                  TCP       1      8-05-2022 23:11:23  ALLOW   
/usr/bin/hzn                                  TCP       14     8-05-2022 23:40:32  ALLOW   
/home/knownymous-agent/accuknox-cli/accuknox  TCP       8      8-06-2022 00:09:45  ALLOW   

List of Incoming connections (4) :

PROTOCOL  COMMAND                                                          IP/PATH       PORT  LABELS  NAMESPACE  
TCP       /usr/horizon/bin/anax                                            127.0.0.1     8510                     
TCPv6     /home/knownymous-agent/auto-policy-discovery/src/knoxAutoPolicy  127.0.0.1     9089                     
TCP       /usr/bin/docker-proxy                                            127.0.0.1     8123                     
TCP       /usr/sbin/sshd                                                   192.168.1.37  22                       

List of Outgoing connections (22) :

PROTOCOL  COMMAND                                       IP/PATH                                       PORT  LABELS  NAMESPACE  
UNIX      /usr/bin/docker                               /var/run/docker.sock                                                   
UNIX      /usr/lib/systemd/systemd-sysctl               /run/systemd/journal/socket                                            
UNIX      /proc/877/exe                                 /run/systemd/userdb/io.systemd.DynamicUser                             
UNIX      /proc/877/exe                                 /run/systemd/journal/socket                                            
UNIX      /proc/877/exe                                 /var/run/docker/libnetwork/6b49694abdc5.sock                           
UNIX      /proc/self/exe                                /run/systemd/userdb/io.systemd.DynamicUser                             
UNIX      /proc/self/exe                                /run/systemd/journal/socket                                            
UNIX      /usr/bin/containerd-shim-runc-v2              /run/containerd/containerd.sock.ttrpc                                  
UNIX      /usr/bin/gio                                  /run/user/1000/bus                                                     
UNIX      /usr/bin/logger                               /dev/log                                                               
TCP       /usr/bin/hzn                                  127.0.0.1                                     8510                     
TCP       /home/knownymous-agent/accuknox-cli/accuknox  127.0.0.1                                     9089                     
TCP       /usr/sbin/NetworkManager                      34.122.121.32                                 80                       
UNIX      /usr/bin/runc                                 /tmp/pty2330463424/pty.sock                                            
TCP       /usr/sbin/NetworkManager                      35.224.170.84                                 80                       
UNIX      /usr/bin/dbus-send                            /run/user/1000/bus                                                     
TCP       /usr/bin/www-browser                          127.0.0.1                                     8123                     
TCP       /usr/bin/docker-proxy                         172.17.0.2                                    8123                     
TCP       /usr/bin/curl                                 127.0.0.1                                     8123                     
UNIX      /usr/sbin/sshd                                /run/systemd/userdb/io.systemd.DynamicUser                             
UNIX      /usr/sbin/sshd                                /dev/log                                                               
UNIX      /usr/sbin/sshd                                /run/dbus/system_bus_socket                                            


**********************************************************************

Pod Name :  homeassistant

Namespace :  

List of Processes (15) :

SOURCE                                                         DESTINATION  COUNT  LAST UPDATED TIME   STATUS  
/package/admin/s6-2.11.1.0/command/s6-svscan                   /package/*   5      8-06-2022 00:00:08  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-svscan                   /run/*       1      8-05-2022 23:59:58  ALLOW   
/bin/busybox                                                   /command/*   26     8-06-2022 00:00:10  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-supervise                ./run        3      8-06-2022 00:00:08  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-supervise                /package/*   6      8-06-2022 00:00:05  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-supervise                /command/*   3      8-06-2022 00:00:10  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-supervise                /bin/*       1      8-06-2022 00:00:10  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-supervise                /usr/*       2      8-06-2022 00:00:11  ALLOW   
/package/admin/s6-rc-0.5.3.0/command/s6-rc                     /package/*   11     8-06-2022 00:00:07  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-svwait                   /package/*   1      8-06-2022 00:00:10  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-ipcserverd               /package/*   6      8-06-2022 00:00:07  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-sudod                    /package/*   6      8-06-2022 00:00:07  ALLOW   
/package/admin/s6-overlay-3.1.0.1/etc/s6-rc/scripts/fix-attrs  /command/*   1      8-06-2022 00:00:06  ALLOW   
/package/admin/s6/command/s6-svscan                            /run/*       1      8-05-2022 23:11:29  ALLOW   
/usr/bin/containerd-shim-runc-v2                               /package/*   2      8-05-2022 23:59:57  ALLOW   
/usr/bin/runc                                                  /bin/*       1      8-05-2022 23:34:26  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-svlisten1                /package/*   1      8-06-2022 00:00:04  ALLOW   
/package/admin/execline-2.8.3.0/command/ifelse                 /command/*   2      8-06-2022 00:00:09  ALLOW   
/package/admin/s6-rc-0.5.3.0/command/s6-rc-init                /package/*   1      8-06-2022 00:00:03  ALLOW   
/bin/bash                                                      /usr/*       3      8-06-2022 00:00:10  ALLOW   

List of File-system accesses (28) :

SOURCE                                                            DESTINATION  COUNT  LAST UPDATED TIME   STATUS  
/package/admin/s6/command/s6-svscan                               /dev/*       2      8-05-2022 23:59:57  ALLOW   
/package/admin/s6/command/s6-svscan                               /run/*       10     8-05-2022 23:59:58  ALLOW   
/package/admin/s6-overlay-3.1.0.1/command/printcontenv            /package/*   7      8-06-2022 00:00:10  ALLOW   
/package/admin/s6-overlay-3.1.0.1/command/printcontenv            /dev/*       7      8-06-2022 00:00:09  ALLOW   
/package/admin/s6-overlay-3.1.0.1/command/printcontenv            /run/*       3      8-06-2022 00:00:09  ALLOW   
/package/admin/s6/command/s6-ipcserver-socketbinder               /run/*       1      8-06-2022 00:00:05  ALLOW   
/package/admin/s6-linux-init-1.0.7.3/command/s6-linux-init        /run/*       20     8-05-2022 23:59:57  ALLOW   
/run/s6/basedir/scripts/rc.init                                   /run/*       2      8-05-2022 23:59:58  ALLOW   
/command/printcontenv                                             /dev/*       1      8-05-2022 23:59:58  ALLOW   
/command/printcontenv                                             /package/*   1      8-05-2022 23:59:58  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-svc                         /run/*       1      8-06-2022 00:00:04  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-svscanctl                   /run/*       1      8-06-2022 00:00:08  ALLOW   
/package/admin/s6-rc-0.5.3.0/command/s6-rc                        /run/*       12     8-06-2022 00:01:40  ALLOW   
/package/admin/s6-rc/command/s6-rc-oneshot-run                    /run/*       12     8-06-2022 00:00:07  ALLOW   
/package/admin/s6-portable-utils-2.2.4.0/command/s6-ls            /dev/*       3      8-06-2022 00:00:08  ALLOW   
/package/admin/s6-portable-utils-2.2.4.0/command/s6-ls            /etc/*       1      8-06-2022 00:00:06  ALLOW   
/run/s6/legacy-services/home-assistant/run                        /package/*   1      8-06-2022 00:00:08  ALLOW   
/usr/local/bin/python3.10                                         /usr/*       1986   8-06-2022 00:02:00  ALLOW   
/usr/local/bin/python3.10                                         /sys/*       1      8-06-2022 00:00:12  ALLOW   
/usr/local/bin/python3.10                                         /proc/*      1      8-06-2022 00:00:12  ALLOW   
/usr/local/bin/python3.10                                         /config      3      8-06-2022 00:01:48  ALLOW   
/usr/local/bin/python3.10                                         /lib/*       4      8-06-2022 00:00:28  ALLOW   
/package/admin/s6-rc-0.5.3.0/command/s6-rc-init                   /run/*       69     8-06-2022 00:00:03  ALLOW   
/package/admin/s6-overlay-3.1.0.1/etc/s6-rc/scripts/cont-init     /package/*   1      8-06-2022 00:00:06  ALLOW   
/package/admin/s6-overlay-3.1.0.1/etc/s6-rc/scripts/services-up   /package/*   1      8-06-2022 00:00:07  ALLOW   
/package/admin/s6-rc-0.5.3.0/command/s6-rc-compile                /etc/*       8      8-05-2022 23:59:58  ALLOW   
/package/admin/s6-rc-0.5.3.0/command/s6-rc-compile                /package/*   37     8-05-2022 23:59:59  ALLOW   
/package/admin/s6-rc-0.5.3.0/command/s6-rc-compile                /run/*       33     8-06-2022 00:00:01  ALLOW   
/bin/bash                                                         /proc/*      3      8-05-2022 23:34:26  ALLOW   
/bin/bash                                                         /etc/*       10     8-06-2022 00:00:10  ALLOW   
/bin/bash                                                         /usr/*       34     8-06-2022 00:00:11  ALLOW   
/bin/bash                                                         /dev/*       2      8-06-2022 00:00:10  ALLOW   
/bin/bash                                                         /run/*       1      8-06-2022 00:00:11  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-svlisten1                   /run/*       1      8-06-2022 00:00:04  ALLOW   
/package/admin/s6-overlay-3.1.0.1/etc/s6-rc/scripts/fix-attrs     /package/*   1      8-06-2022 00:00:06  ALLOW   
/run/service/s6-linux-init-shutdownd/run                          /run/*       1      8-05-2022 23:11:30  ALLOW   
/package/admin/s6/command/s6-ftrigrd                              /run/*       12     8-06-2022 00:00:10  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-supervise                   /run/*       46     8-06-2022 00:00:09  ALLOW   
./stage                                                           /run/*       5      8-05-2022 23:59:58  ALLOW   
/run/s6-rc:s6-rc-init:oPcBnl/servicedirs/s6rc-oneshot-runner/run  /run/*       1      8-06-2022 00:00:05  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-envdir                      /run/*       7      8-06-2022 00:00:09  ALLOW   
/command/bashio                                                   /run/*       6      8-06-2022 00:00:10  ALLOW   
/package/admin/s6-portable-utils-2.2.4.0/command/s6-hiercopy      /etc/*       3      8-06-2022 00:00:08  ALLOW   
/package/admin/s6-portable-utils-2.2.4.0/command/s6-hiercopy      /run/*       2      8-06-2022 00:00:08  ALLOW   

List of Network connections (2) :

SOURCE                                               Protocol  COUNT  LAST UPDATED TIME   STATUS  
/package/admin/s6/command/s6-ipcserver-socketbinder  TCP       1      8-06-2022 00:00:05  ALLOW   
/package/admin/s6-2.11.1.0/command/s6-ipcclient      TCP       3      8-06-2022 00:00:07  ALLOW   

List of Incoming connections (1) :

PROTOCOL  COMMAND                    IP/PATH     PORT  LABELS  NAMESPACE  
TCP       /usr/local/bin/python3.10  172.17.0.1  8123                     

List of Outgoing connections (2) :

PROTOCOL  COMMAND                                          IP/PATH                                       PORT  LABELS  NAMESPACE  
UNIX      /package/admin/s6-2.11.1.0/command/s6-sudoc      /run/s6-rc/servicedirs/s6rc-oneshot-runner/s                           
UNIX      /package/admin/s6-2.11.1.0/command/s6-ipcclient  /run/s6-rc/servicedirs/s6rc-oneshot-runner/s                           

The summary displays the processes run, the files accessed and the network connections made, both inside the containers and on the host. This information can then be used to apply predefined security policies.
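As an added example that is not part of this wiki page or of KubeArmor itself, the following Python parses summary tables in the layout shown above and folds the observed ALLOW rows into a least-permissive KubeArmorPolicy (process allowlist plus per-source file rules). The sample input is constructed from a few rows of the summary, and the kubearmor.io/container.name selector label is an assumption to verify against your KubeArmor version.

```python
"""Turn the ALLOW rows of a karmor summary dump into a least-permissive KubeArmor
allowlist. Added example, not the wiki's or KubeArmor's own code."""
import re

# Constructed sample in the same layout as the page's summary output.
SAMPLE = """\
List of Processes (2) :
SOURCE                                           DESTINATION  COUNT  LAST UPDATED TIME   STATUS
/package/admin/s6-2.11.1.0/command/s6-supervise  /package/*   6      8-06-2022 00:00:05  ALLOW
/bin/bash                                        /usr/*       3      8-06-2022 00:00:10  ALLOW
List of File-system accesses (3) :
SOURCE                     DESTINATION  COUNT  LAST UPDATED TIME   STATUS
/usr/local/bin/python3.10  /usr/*       1986   8-06-2022 00:02:00  ALLOW
/usr/local/bin/python3.10  /config      3      8-06-2022 00:01:48  ALLOW
/bin/bash                  /etc/*       10     8-06-2022 00:00:10  ALLOW
"""
SECTION = re.compile(r"^List of (.+?) \(\d+\) :")
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+\d+-\d+-\d{4} \d\d:\d\d:\d\d\s+(\w+)\s*$")

def parse_summary(text):
    """Return {section name: [(source, destination, count, status), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            current, sections[m.group(1)] = m.group(1), []
        elif current and (r := ROW.match(line)):    # header rows have no numeric COUNT
            src, dst, cnt, status = r.groups()
            sections[current].append((src, dst, int(cnt), status))
    return sections

def to_policy(sections, container):
    """Build a KubeArmorPolicy dict that allows only the observed activity."""
    procs = sorted({s for s, _d, _c, st in sections.get("Processes", []) if st == "ALLOW"})
    dirs, paths = {}, {}                      # destination -> set of source binaries
    for src, dst, _c, st in sections.get("File-system accesses", []):
        if st == "ALLOW":                     # "/usr/*" becomes a directory rule, "/config" a path rule
            (dirs if dst.endswith("/*") else paths).setdefault(dst.rstrip("*"), set()).add(src)
    from_src = lambda ss: [{"path": s} for s in sorted(ss)]
    return {"apiVersion": "security.kubearmor.com/v1", "kind": "KubeArmorPolicy",
            "metadata": {"name": f"{container}-allowlist"},
            "spec": {  # selector label key for standalone containers is an assumption
                "selector": {"matchLabels": {"kubearmor.io/container.name": container}},
                "process": {"matchPaths": [{"path": p} for p in procs]},
                "file": {"matchDirectories": [{"dir": d, "recursive": True, "fromSource": from_src(ss)}
                                              for d, ss in sorted(dirs.items())],
                         "matchPaths": [{"path": p, "fromSource": from_src(ss)}
                                        for p, ss in sorted(paths.items())]},
                "action": "Allow"}}
```

Review the generated allowlist before applying it: a summary captured over a short window will miss activity such as restarts or periodic jobs, which an Allow policy would then block.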

Uninstall KubeArmor, kArmor and Discovery Engine

We will first stop the KubeArmor and Discovery Engine system services and then uninstall the packages.

sudo systemctl stop kubearmor knoxAutoPolicy
sudo apt remove --purge kubearmor knoxautopolicy karmor