kubearmor
diff --git a/‎generic/csp/audit-network-packet-tools.yaml‎
Lines changed: 33 additions & 0 deletions b/‎generic/csp/audit-network-packet-tools.yaml‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎generic/csp/audit-pen-test-recon-tools.yaml‎
Lines changed: 33 additions & 0 deletions b/‎generic/csp/audit-pen-test-recon-tools.yaml‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎generic/csp/audit-temp-usage.yaml‎
Lines changed: 25 additions & 0 deletions b/‎generic/csp/audit-temp-usage.yaml‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎generic/csp/cronjob-cfg.yaml‎
Lines changed: 37 additions & 28 deletions b/‎generic/csp/cronjob-cfg.yaml‎
Lines changed: 37 additions & 28 deletions
diff --git a/‎generic/csp/crypto-miners.yaml‎
Lines changed: 26 additions & 25 deletions b/‎generic/csp/crypto-miners.yaml‎
Lines changed: 26 additions & 25 deletions
diff --git a/‎generic/csp/external-devices-connected.yaml‎
Lines changed: 35 additions & 0 deletions b/‎generic/csp/external-devices-connected.yaml‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎generic/csp/file-integrity-monitoring.yaml‎
Lines changed: 29 additions & 30 deletions b/‎generic/csp/file-integrity-monitoring.yaml‎
Lines changed: 29 additions & 30 deletions
diff --git a/‎generic/csp/impair-defense.yaml‎
Lines changed: 18 additions & 14 deletions b/‎generic/csp/impair-defense.yaml‎
Lines changed: 18 additions & 14 deletions
@@ -0,0 +1,33 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+  name: audit-network-packet-tools
+  annotations:
+    app.accuknox.com/type: harden
+spec:
+  action: Audit
+  severity: 3
+  message: "Detected use of network packet manipulation tool"
+  process:
+    matchPaths:
+      - execname: iptables
+      - execname: ip6tables
+      - execname: nft
+      - execname: nftables
+      - execname: ip
+      - execname: iproute2
+      - execname: tc
+      - execname: brctl
+      - execname: arp
+      - execname: arptables
+      - execname: ebtables
+      - execname: ethtool
+  selector:
+    matchExpressions:
+      - key: namespace
+        operator: NotIn
+        values:
+          - kube-system   # exempt system namespace
+  tags:
+    - MITRE
+    - MITRE_T1562_IMPAIR_DEFENSE
@@ -0,0 +1,33 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+  name: audit-pen-test-recon-tools
+  annotations:
+    app.accuknox.com/type: harden
+spec:
+  action: Block
+  severity: 3
+  message: "Blocked Reconnaissance or Penetration Testing tool execution"
+  selector:
+    matchExpressions:
+      - key: namespace
+        operator: NotIn
+        values:
+          - kube-system   
+  process:
+    matchPaths:
+      # Recon & Network Scanners
+      - execname: nmap
+      - execname: masscan
+      - execname: zmap
+     
+      # Password / Hash Crackers
+      - execname: hydra
+      - execname: john        
+      - execname: hashcat
+      - execname: medusa
+      - execname: patator
+  tags:
+    - MITRE
+    - MITRE_T1046_NETWORK_SERVICE_SCANNING
+    - MITRE_T1110_BRUTE_FORCE
@@ -0,0 +1,25 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+  annotations:
+    app.accuknox.com/type: harden
+  name: audit-tmp-usage
+spec:
+  action: Audit
+  severity: 3
+  message: "Detected /tmp directory access"
+  file:
+    matchDirectories:
+      - dir: /tmp/
+        recursive: true
+  selector:
+    matchExpressions:
+      - key: namespace
+        operator: NotIn
+        values:
+          - kube-system
+  tags:
+    - CIS
+    - CIS_CM
+    - MITRE
+    - MITRE_T1074_DATA_STAGED
@@ -1,39 +1,48 @@
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorClusterPolicy
 metadata:
+  annotations:
+    app.accuknox.com/type: harden
   name: cronjob-cfg
 spec:
   action: Audit
+  severity: 5
+  message: "Detected access to cron job files/directories"
   file:
     matchDirectories:
-    - dir: /etc/cron.d/
-      recursive: true
-    - dir: /etc/cron.daily/
-      recursive: true
-    - dir: /etc/cron.hourly/
-      recursive: true
-    - dir: /etc/cron.monthly/
-      recursive: true
-    - dir: /etc/cron.weekly/
-      recursive: true
-    - dir: /var/cron/
-      recursive: true
-    - dir: /var/spool/cron/
-      recursive: true
-    matchPaths:
-    - path: /etc/crontab
-  message: Alert! Access to cron job files/directories detected.
+      - dir: /etc/cron.d/
+        recursive: true
+      - dir: /etc/cron.daily/
+        recursive: true
+      - dir: /etc/cron.hourly/
+        recursive: true
+      - dir: /etc/cron.monthly/
+        recursive: true
+      - dir: /etc/cron.weekly/
+        recursive: true
+      - dir: /var/cron/
+        recursive: true
+      - dir: /var/spool/cron/
+        recursive: true
+    matchPaths: 
+      - path: /etc/crontab
+        readOnly: true
+      - path: /etc/anacrontab   # Runs scheduled tasks (cron jobs) that were missed while the system was off.
+        readOnly: true
+      - path: /etc/cron.allow
+        readOnly: true
+      - path: /etc/cron.deny
+        readOnly: true
   selector:
     matchExpressions:
-    - key: namespace
-      operator: NotIn
-      values:
-      - kube-system
-  severity: 5
+      - key: namespace
+        operator: NotIn
+        values:
+          - kube-system
   tags:
-  - CIS
-  - CIS_5.1_Configure_Cron
-  - CIS_Linux
-  - NIST
-  - NIST_800-53_SI-4
-  - SI-4
+    - CIS
+    - CIS_5.1_CONFIGURE_CRON
+    - CIS_LINUX
+    - NIST
+    - NIST_800-53_SI-4
+    - SI-4
@@ -1,34 +1,35 @@
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorClusterPolicy
 metadata:
+  annotations:
+    app.accuknox.com/type: harden
   name: crypto-miners
 spec:
   action: Block
-  message: cryptominer detected and blocked
-  process:
-    matchDirectories:
-    - dir: /tmp/
-      recursive: true
-    matchPaths:
-    - execname: apk
-    - execname: apt
-    - execname: dero-miner-linux-amd64
-    - execname: dero-wallet-cli-linux-amd64
-    - execname: dero
-    - execname: derod-linux-amd64
-    - execname: masscan
-    - execname: nmap
-    - execname: ntpdate
-    - execname: xmrig
-    - execname: zgrab2
+  severity: 3
+  message: "Blocked Cryptominer"
   selector:
     matchExpressions:
-    - key: namespace
-      operator: NotIn
-      values:
-      - kube-system
-  severity: 10
+      - key: namespace
+        operator: NotIn
+        values:
+          - kube-system   
+  process:
+    matchPaths:
+      # DERO cryptominers
+      - execname: dero-miner-linux-amd64
+      - execname: dero-wallet-cli-linux-amd64
+      - execname: dero
+      - execname: derod-linux-amd64
+
+      # Monero CPU/GPU miners
+      - execname: xmrig
+      - execname: xmrig-stak
+      - execname: minerd
+      - execname: mminerd
+      - execname: cpuminer
+      - execname: sgminer
+      - execname: ccminer
   tags:
-  - MITRE
-  - MITRE_T1496_resource_hijacking
-  - cryptominer
+    - MITRE
+    - MITRE_T1496_RESOURCE_HIJACKING
@@ -0,0 +1,35 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorClusterPolicy
+metadata:
+  name: audit-external-device
+  annotations:
+    app.accuknox.com/type: harden
+spec:
+  action: Audit
+  severity: 3
+  message: "Detected modification of external device access"
+  selector:
+    matchExpressions:
+      - key: namespace
+        operator: NotIn
+        values:
+          - kube-system   
+  process:
+    matchPaths:
+      - execname: mount
+      - execname: umount
+      - execname: fdisk
+      - execname: cfdisk
+      - execname: sfdisk
+      - execname: parted
+      - execname: mkfs
+      - execname: fsck
+      - execname: lsblk
+      - execname: blkid
+      - execname: losetup
+      - execname: kpartx
+      - execname: qemu-nbd
+      - execname: mountpoint
+  tags:
+    - MITRE
+    - MITRE_T1091_REPLICATION_THROUGH_REMOVABLE_MEDIA
@@ -1,41 +1,40 @@
 apiVersion: security.kubearmor.com/v1
 kind: KubeArmorClusterPolicy
 metadata:
+  annotations:
+    app.accuknox.com/type: harden
   name: file-integrity-monitoring
 spec:
-  action: Block
+  action: Audit
+  message: "Detected attempted modification of core system binary/library directories (file integrity)"
   file:
     matchDirectories:
-    - dir: /bin/
-      readOnly: true
-      recursive: true
-    - dir: /boot/
-      readOnly: true
-      recursive: true
-    - dir: /sbin/
-      readOnly: true
-      recursive: true
-    - dir: /usr/bin/
-      readOnly: true
-      recursive: true
-    - dir: /usr/lib/
-      readOnly: true
-      recursive: true
-    - dir: /usr/sbin/
-      readOnly: true
-      recursive: true
-  message: Detected and prevented compromise to File integrity
+      - dir: /bin/
+        recursive: true
+        readOnly: true
+      - dir: /sbin/
+        recursive: true
+        readOnly: true
+      - dir: /usr/bin/
+        recursive: true
+        readOnly: true
+      - dir: /usr/sbin/
+        recursive: true
+        readOnly: true
+      - dir: /boot/
+        recursive: true
+        readOnly: true
   selector:
     matchExpressions:
-    - key: namespace
-      operator: NotIn
-      values:
-      - kube-system
+      - key: namespace
+        operator: NotIn
+        values:
+          - kube-system
   severity: 1
   tags:
-  - MITRE
-  - MITRE_T1036_masquerading
-  - MITRE_T1565_data_manipulation
-  - NIST
-  - NIST_800-53_AU-2
-  - NIST_800-53_SI-4
+    - MITRE
+    - MITRE_T1036_MASQUERADING
+    - MITRE_T1565_DATA_MANIPULATION
+    - NIST
+    - NIST_800-53_AU-2
+    - NIST_800-53_SI
@@ -2,25 +2,29 @@ apiVersion: security.kubearmor.com/v1
 kind: KubeArmorClusterPolicy
 metadata:
   name: impair-defense
+  annotations:
+    app.accuknox.com/type: harden
 spec:
-  action: Audit
+  action: Block
   file:
     matchDirectories:
-    - dir: /etc/apparmor.d/
-      recursive: true
-    - dir: /etc/sysconfig/selinux/
-      recursive: true
+      - dir: /etc/apparmor.d/
+        recursive: true
+        readOnly: true
+      - dir: /etc/sysconfig/selinux/
+        recursive: true
+        readOnly: true
     matchPaths:
-    - path: /etc/selinux/semanage.conf
-  message: Selinux Files Accessed by Unknown Process
+      - path: /etc/selinux/semanage.conf
+        readOnly: true
+  message: "Detected unauthorized attempt to modify SELinux/AppArmor policy files"
   selector:
     matchExpressions:
-    - key: namespace
-      operator: NotIn
-      values:
-      - kube-system
+      - key: namespace
+        operator: NotIn
+        values:
+          - kubearmor
+          - agents
   severity: 6
   tags:
-  - FGT1562
-  - FIGHT
-  - MITRE
+    - FGT1562