Merge pull request #1537 from Aryan-sharma11/logs_DP

feat : add flag for defaultposture log in Apparmor
kubearmor · Dec 13, 2023 · 085100a · 085100a
2 parents c8c1f26 + c3175cf
commit 085100a
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 13 deletions.
diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go
@@ -43,11 +43,12 @@ type KubearmorConfig struct {
 	HostDefaultNetworkPosture      string // Default Enforcement Action in Global Network Context
 	HostDefaultCapabilitiesPosture string // Default Enforcement Action in Global Capabilities Context
 
-	CoverageTest      bool     // Enable/Disable Coverage Test
-	ConfigUntrackedNs []string // untracked namespaces
-	LsmOrder          []string // LSM order
-	BPFFsPath         string   // path to the BPF filesystem
-	EnforcerAlerts    bool     // policy enforcer
+	CoverageTest       bool     // Enable/Disable Coverage Test
+	ConfigUntrackedNs  []string // untracked namespaces
+	LsmOrder           []string // LSM order
+	BPFFsPath          string   // path to the BPF filesystem
+	EnforcerAlerts     bool     // policy enforcer
+	DefaultPostureLogs bool     // Enable/Disable Default Posture logs for AppArmor LSM
 
 }
 
@@ -82,6 +83,7 @@ const (
 	LsmOrder                             string = "lsm"
 	BPFFsPath                            string = "bpfFsPath"
 	EnforcerAlerts                       string = "enforcerAlerts"
+	ConfigDefaultPostureLogs             string = "defaultPostureLogs"
 )
 
 func readCmdLineParams() {
@@ -121,6 +123,8 @@ func readCmdLineParams() {
 	bpfFsPath := flag.String(BPFFsPath, "/sys/fs/bpf", "Path to the BPF filesystem to use for storing maps")
 	enforcerAlerts := flag.Bool(EnforcerAlerts, true, "ebpf alerts")
 
+	defaultPostureLogs := flag.Bool(ConfigDefaultPostureLogs, true, "Default Posture Alerts (for Apparmor only)")
+
 	flags := []string{}
 	flag.VisitAll(func(f *flag.Flag) {
 		kv := fmt.Sprintf("%s:%v", f.Name, f.Value)
@@ -165,6 +169,8 @@ func readCmdLineParams() {
 	viper.SetDefault(BPFFsPath, *bpfFsPath)
 
 	viper.SetDefault(EnforcerAlerts, *enforcerAlerts)
+
+	viper.SetDefault(ConfigDefaultPostureLogs, *defaultPostureLogs)
 }
 
 // LoadConfig Load configuration
@@ -245,8 +251,11 @@ func LoadConfig() error {
 	GlobalCfg.LsmOrder = strings.Split(viper.GetString(LsmOrder), ",")
 
 	GlobalCfg.BPFFsPath = viper.GetString(BPFFsPath)
+
 	GlobalCfg.EnforcerAlerts = viper.GetBool(EnforcerAlerts)
 
+	GlobalCfg.DefaultPostureLogs = viper.GetBool(ConfigDefaultPostureLogs)
+
 	kg.Printf("Final Configuration [%+v]", GlobalCfg)
 
 	return nil

diff --git a/KubeArmor/core/kubeUpdate.go b/KubeArmor/core/kubeUpdate.go
@@ -2294,6 +2294,9 @@ func (dm *KubeArmorDaemon) WatchConfigMap() {
 			if cm, ok := obj.(*corev1.ConfigMap); ok && cm.Namespace == cmNS {
 				cfg.GlobalCfg.HostVisibility = cm.Data[cfg.ConfigHostVisibility]
 				cfg.GlobalCfg.Visibility = cm.Data[cfg.ConfigVisibility]
+				if _, ok := cm.Data[cfg.ConfigDefaultPostureLogs]; ok {
+					cfg.GlobalCfg.DefaultPostureLogs = (cm.Data[cfg.ConfigDefaultPostureLogs] == "true")
+				}
 				globalPosture := tp.DefaultPosture{
 					FileAction:         cm.Data[cfg.ConfigDefaultFilePosture],
 					NetworkAction:      cm.Data[cfg.ConfigDefaultNetworkPosture],
@@ -2317,6 +2320,9 @@ func (dm *KubeArmorDaemon) WatchConfigMap() {
 			if cm, ok := new.(*corev1.ConfigMap); ok && cm.Namespace == cmNS {
 				cfg.GlobalCfg.HostVisibility = cm.Data[cfg.ConfigHostVisibility]
 				cfg.GlobalCfg.Visibility = cm.Data[cfg.ConfigVisibility]
+				if _, ok := cm.Data[cfg.ConfigDefaultPostureLogs]; ok {
+					cfg.GlobalCfg.DefaultPostureLogs = (cm.Data[cfg.ConfigDefaultPostureLogs] == "true")
+				}
 				globalPosture := tp.DefaultPosture{
 					FileAction:         cm.Data[cfg.ConfigDefaultFilePosture],
 					NetworkAction:      cm.Data[cfg.ConfigDefaultNetworkPosture],

diff --git a/KubeArmor/feeder/feeder.go b/KubeArmor/feeder/feeder.go
@@ -577,10 +577,14 @@ func (fd *Feeder) PushMessage(level, message string) {
 
 // PushLog Function
 func (fd *Feeder) PushLog(log tp.Log) {
-
-	if cfg.GlobalCfg.EnforcerAlerts && fd.Enforcer == "BPFLSM" && log.Enforcer != "BPFLSM" {
+	/* if enforcer == BPFLSM and log.Enforcer == ebpfmonitor ( block and default Posture Alerts from System
+	   monitor are converted to host/container logs)
+	   in case of enforcer = AppArmor only Default Posture logs will be converted to
+	   container/host log depending upon the defaultPostureLogs flag
+	*/
+	if (cfg.GlobalCfg.EnforcerAlerts && fd.Enforcer == "BPFLSM" && log.Enforcer != "BPFLSM") || (fd.Enforcer == "AppArmor" && !cfg.GlobalCfg.DefaultPostureLogs) {
 		log = fd.UpdateMatchedPolicy(log)
-		if (log.Type == "MatchedPolicy" || log.Type == "MatchedHostPolicy") && (strings.Contains(log.PolicyName, "DefaultPosture") || !strings.Contains(log.Action, "Audit")) {
+		if (log.Type == "MatchedPolicy" || log.Type == "MatchedHostPolicy") && ((fd.Enforcer == "BPFLSM" && (strings.Contains(log.PolicyName, "DefaultPosture") || !strings.Contains(log.Action, "Audit"))) || (fd.Enforcer == "AppArmor" && strings.Contains(log.PolicyName, "DefaultPosture"))) {
 			if log.Type == "MatchedPolicy" {
 				log.Type = "ContainerLog"
 			} else if log.Type == "MatchedHostPolicy" {

diff --git a/deployments/get/objects.go b/deployments/get/objects.go
@@ -927,6 +927,7 @@ func GetKubearmorConfigMap(namespace, name string) *corev1.ConfigMap {
 	data[cfg.ConfigDefaultFilePosture] = "audit"
 	data[cfg.ConfigDefaultCapabilitiesPosture] = "audit"
 	data[cfg.ConfigDefaultNetworkPosture] = "audit"
+	data[cfg.ConfigDefaultPostureLogs] = "true"
 
 	return &corev1.ConfigMap{
 		TypeMeta: metav1.TypeMeta{

diff --git a/deployments/go.mod b/deployments/go.mod
@@ -4,6 +4,7 @@ go 1.20
 
 replace (
 	github.com/kubearmor/KubeArmor => ../
+	github.com/kubearmor/KubeArmor/KubeArmor => ../KubeArmor
 	github.com/kubearmor/KubeArmor/pkg/KubeArmorController => ../pkg/KubeArmorController
 	k8s.io/api => k8s.io/api v0.26.4
 	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.26.4
@@ -41,7 +42,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
 	golang.org/x/net v0.11.0 // indirect
-	golang.org/x/sys v0.9.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
 	golang.org/x/text v0.10.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect

diff --git a/deployments/go.sum b/deployments/go.sum
@@ -145,8 +145,6 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kubearmor/KubeArmor/KubeArmor v0.0.0-20230626060245-4f5b8ac4f298 h1:IvqDYxqQq1M5twjbL4+mRp1jk3ky9X6d0npAYTnf8TE=
-github.com/kubearmor/KubeArmor/KubeArmor v0.0.0-20230626060245-4f5b8ac4f298/go.mod h1:cxd9uwX/DRTrohxEmFjFfc6sGYnKv/UJAChZAcXE0w8=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -337,8 +335,8 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go
@@ -67,6 +67,7 @@ var (
 	ConfigDefaultFilePosture         string = "defaultFilePosture"
 	ConfigDefaultCapabilitiesPosture string = "defaultCapabilitiesPosture"
 	ConfigDefaultNetworkPosture      string = "defaultNetworkPosture"
+	ConfigDefaultPostureLogs         string = "defaultPostureLogs"
 
 	//KubearmorRelayEnvVariables
 
@@ -99,6 +100,7 @@ var ConfigMapData = map[string]string{
 	ConfigDefaultCapabilitiesPosture: "audit",
 	ConfigDefaultNetworkPosture:      "audit",
 	ConfigVisibility:                 "process,network,capabilities",
+	ConfigDefaultPostureLogs:         "true",
 }
 
 var KubearmorRelayEnvMap = map[string]string{