# Summary

![](https://hackmd.io/_uploads/rJxlx7N9n.png)

Limit to kpimon:

- Package Management
- Root certificate folder
- Least Permissive Network Rule
- Protect sensitive assets
  - secrets mounted
  - service account token (disable)

## 1. Package Management

![](https://hackmd.io/_uploads/SJSN7-N5n.png)

```json
{
  "Timestamp": 1689682809,
  "UpdatedTime": "2023-07-18T12:20:09.341728Z",
  "ClusterName": "default",
  "HostName": "5g-sdran-in-a-box",
  "NamespaceName": "riab",
  "Owner": {
    "Ref": "Deployment",
    "Name": "onos-kpimon",
    "Namespace": "riab"
  },
  "PodName": "onos-kpimon-b7df68b85-wz55z",
  "Labels": "name=onos-kpimon,resource=onos-kpimon,type=kpimon,app=onos,app.kubernetes.io/instance=sd-ran,app.kubernetes.io/name=onos-kpimon",
  "ContainerID": "191562a3ae4d37b2555905dfc32cf70cf29121c728f25138687de56111650f90",
  "ContainerName": "onos-kpimon",
  "ContainerImage": "docker.io/onosproject/onos-kpimon:latest@sha256:3a9b328916aa6965cb4952be3e79a1649520851ea97643e6bcb7638201626079",
  "HostPPID": 760296,
  "HostPID": 762483,
  "PPID": 34,
  "PID": 42,
  "UID": 65534,
  "ParentProcessName": "/bin/busybox",
  "ProcessName": "/sbin/apk",
  "PolicyName": "onos-kpimon-onosproject-onos-kpimon-latest-pkg-mngr-exec",
  "Severity": "5",
  "Tags": "NIST,NIST_800-53_CM-7(4),SI-4,process,NIST_800-53_SI-4",
  "ATags": [
    "NIST",
    "NIST_800-53_CM-7(4)",
    "SI-4",
    "process",
    "NIST_800-53_SI-4"
  ],
  "Message": "Alert! Execution of package management process inside container is denied",
  "Type": "MatchedPolicy",
  "Source": "/bin/busybox",
  "Operation": "Process",
  "Resource": "/sbin/apk",
  "Data": "syscall=SYS_EXECVE",
  "Enforcer": "AppArmor",
  "Action": "Block",
  "Result": "Permission denied"
}
```

## 2. Certs

![](https://hackmd.io/_uploads/rkRz4-4qh.png)

```json
{
  "Timestamp": 1689682931,
  "UpdatedTime": "2023-07-18T12:22:11.322446Z",
  "ClusterName": "default",
  "HostName": "5g-sdran-in-a-box",
  "NamespaceName": "riab",
  "Owner": {
    "Ref": "Deployment",
    "Name": "onos-kpimon",
    "Namespace": "riab"
  },
  "PodName": "onos-kpimon-b7df68b85-wz55z",
  "Labels": "name=onos-kpimon,resource=onos-kpimon,type=kpimon,app=onos,app.kubernetes.io/instance=sd-ran,app.kubernetes.io/name=onos-kpimon",
  "ContainerID": "191562a3ae4d37b2555905dfc32cf70cf29121c728f25138687de56111650f90",
  "ContainerName": "onos-kpimon",
  "ContainerImage": "docker.io/onosproject/onos-kpimon:latest@sha256:3a9b328916aa6965cb4952be3e79a1649520851ea97643e6bcb7638201626079",
  "HostPPID": 440719,
  "HostPID": 764354,
  "PPID": 440719,
  "PID": 43,
  "UID": 65534,
  "ParentProcessName": "/var/lib/rancher/rke2/data/v1.23.15-rke2r1-ed947d2740a8/bin/containerd-shim-runc-v2",
  "ProcessName": "/bin/busybox",
  "PolicyName": "onos-kpimon-onosproject-onos-kpimon-latest-trusted-cert-mod",
  "Severity": "1",
  "Tags": "MITRE,MITRE_T1552_unsecured_credentials",
  "ATags": [
    "MITRE",
    "MITRE_T1552_unsecured_credentials"
  ],
  "Message": "Credentials modification denied",
  "Type": "MatchedPolicy",
  "Source": "/bin/busybox",
  "Operation": "File",
  "Resource": "/etc/ssl/certs/ca-certificates.crt",
  "Data": "syscall=SYS_OPEN flags=O_WRONLY|O_CREAT|O_TRUNC",
  "Enforcer": "AppArmor",
  "Action": "Block",
  "Result": "Permission denied"
}
```

## 3. Least Permissive Network Policy

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: onos-kpimon-net-tcp-from-source-allow
  namespace: riab
spec:
  severity: 8
  selector:
    matchLabels:
      app: onos
      app.kubernetes.io/instance: sd-ran
      app.kubernetes.io/name: onos-kpimon
      name: onos-kpimon
      resource: onos-kpimon
      type: kpimon
  network:
    matchProtocols:
    - protocol: tcp
      fromSource:
      - path: /free5gc/webconsole/webconsole
    - protocol: udp
      fromSource:
      - path: /free5gc/webconsole/webconsole
    - protocol: icmp
      fromSource:
      - path: /free5gc/webconsole/webconsole
    - protocol: raw
      fromSource:
      - path: /free5gc/webconsole/webconsole
  action: Allow
```

## 4. Sensitive Assets

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: onos-kpimon-net-tcp-from-source-allow
  namespace: riab
spec:
  severity: 8
  selector:
    matchLabels:
      app: onos
      app.kubernetes.io/instance: sd-ran
      app.kubernetes.io/name: onos-kpimon
      name: onos-kpimon
      resource: onos-kpimon
      type: kpimon
  file:
    matchDirectories:
    - dir: /etc/onos/certs/
      recursive: true
      action: Block
    - dir: /
      recursive: true
    - dir: /etc/onos/certs/
      recursive: true
      fromSource:
      - path: /usr/local/bin/onos-kpimon
  process:
    matchDirectories:
    - dir: /
      recursive: true
  action: Allow
```

# Visualisations

![](https://hackmd.io/_uploads/rJgEZOVa92.png)

![](https://hackmd.io/_uploads/B1nfOE6qn.png)

# Transcript

Hello folks, today we will see how AccuKnox helps secure the 5G SD-RAN project. SD-RAN is an O-RAN compliant, µONOS-based cloud-native RIC and xApp platform. Because it is built on the µONOS architecture, it is composed of micro-services that use gRPC APIs for inter-process communication.

We are going to secure a RAN-in-a-Box (RiaB) deployment. RiaB deploys the SD-RAN infrastructure, including the EPC, an emulated RAN and the ONOS controller services, over Kubernetes. We have an SD-RAN-in-a-Box deployment.
We have the ONOS Operator managing the various µONOS control-plane components and the µONOS xApps running inside a Kubernetes cluster.

KubeArmor is a cloud-native runtime security enforcement system that restricts the behaviour (such as process execution, file access and networking operations) of containers and nodes (VMs) at the system level. KubeArmor leverages eBPF for deep observability and the LSM framework for policy enforcement.

KubeArmor helps with:

- Analysing xApp behaviour
- Hardening ONOS control-plane elements
- Hardening and applying zero-trust principles to xApps

Let's focus on a particular xApp and see how KubeArmor helps secure it. onos-kpimon is the xApplication running over ONOS SD-RAN to monitor KPIs. It collects the KPIs reported by E2 nodes through the KPM service model version 2.0.

This is a graph generated by KubeArmor to show how kpimon and the other µONOS micro-services interact over the network. We can see here that the onos CLI interacts with the kpimon service to fetch the metrics result. onos-kpimon makes a subscription with the E2 nodes connected to onos-e2t through the onos-topo-based ONOS xApplication SDK. When creating the subscription, onos-kpimon sets the report interval and the granularity period, which are the monitoring interval parameters. Once the subscription succeeds, each E2 node starts sending indication messages periodically to report KPIs to onos-kpimon.

KubeArmor also provides an even more granular view of what is happening inside the kpimon application itself: we can see which processes access which files and network primitives inside the kpimon pod. We can see that it is primarily the kpimon binary that is responsible for the important file accesses and network interaction.

Let's harden the kpimon app. KubeArmor provides a recommended set of policies that help secure the workload based on frameworks such as MITRE, PCI DSS, NIST, NSA and CIS. We will also take a look at how to set up zero-trust rules.
We saw in the application behaviour report how only the kpimon binary was accessing the sensitive file paths and making network calls. KubeArmor auto-discovers policies so that you can lock down access to network primitives and sensitive assets to only certain known binaries. Let's see this enforcement in action.

Applications ship with all of their requirements bundled, so any package-management execution at runtime is a threat. We can see here that if we try to execute package-management tools, the execution is blocked and we get alerts from KubeArmor.

// Shows Alerts and talks about it

Similarly, root certificates are trusted artifacts and should not be modifiable at runtime.

// Shows Policy and Alerts and talks about it

Let's take a look at some attack scenarios:

- Download malicious binaries to scan other resources
- Modify trusted root certificates

We already looked at these in action. Let's look at how we can protect the platform from a compromised xApp.

// Showcase kpimon trying to access onos-topo

This is a security concern because onos-topo manages entity relationships and topology, which untrusted apps should not be allowed to touch.

// Apply policy and show metrics still working

Malware attempts to spread over as many containers as possible using service account tokens and secrets. Service account tokens can be used to move laterally inside the Kubernetes cluster and compromise other SD-RAN and µONOS components.

// Show Policy to access secrets and service account token
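As an added example (not code from this page, KubeArmor or the SD-RAN project), the following Python script triages KubeArmor alerts like the two JSON records above against the checklist in the Summary: it classifies each alert as package-management, trusted-cert-mod or service-account-token access, counts Block versus Audit per pod, and reports the categories that were only audited, i.e. where no policy is enforcing yet. The package-manager names, CA-store paths and service-account mount path are common defaults assumed here, and the sample alert lines are constructed.

```python
import json
from collections import Counter

# Assumed common defaults, not values taken from the page's alerts.
PACKAGE_MANAGERS = {"apk", "apt", "apt-get", "dpkg", "yum", "dnf", "pip", "pip3"}
TRUSTED_CERT_DIRS = ("/etc/ssl/certs/", "/usr/local/share/ca-certificates/", "/etc/pki/")
SA_TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount/"
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC")

def classify(alert: dict) -> str:
    """Map one KubeArmor alert onto the hardening checklist from the Summary."""
    op, res, data = alert.get("Operation"), alert.get("Resource", ""), alert.get("Data", "")
    if op == "Process" and res.rsplit("/", 1)[-1] in PACKAGE_MANAGERS:
        return "package-management"
    if op == "File":
        if res.startswith(SA_TOKEN_DIR):
            return "service-account-token"
        # Reading the CA bundle is normal TLS behaviour; only a write is a finding.
        if res.startswith(TRUSTED_CERT_DIRS) and any(f in data for f in WRITE_FLAGS):
            return "trusted-cert-mod"
    return "other"

def triage(lines):
    """Parse NDJSON alert lines -> {(namespace, pod): Counter of (category, action)}."""
    summary = {}
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # relay noise or a truncated line, not an alert
        key = (alert.get("NamespaceName"), alert.get("PodName"))
        summary.setdefault(key, Counter())[(classify(alert), alert.get("Action", "Audit"))] += 1
    return summary

def unenforced(summary) -> set:
    """Checklist categories seen only with Audit and never with Block: not yet enforced."""
    blocked = {c for cnt in summary.values() for (c, a) in cnt if a == "Block"}
    audited = {c for cnt in summary.values() for (c, a) in cnt if a != "Block"}
    return {c for c in audited - blocked if c != "other"}

# Constructed sample: the two Block alerts above trimmed to the fields used here,
# plus an audited CA-bundle read, an audited token read and one non-JSON relay line.
SAMPLE_ALERTS = """\
{"NamespaceName":"riab","PodName":"onos-kpimon-b7df68b85-wz55z","Operation":"Process","Resource":"/sbin/apk","Data":"syscall=SYS_EXECVE","Action":"Block"}
{"NamespaceName":"riab","PodName":"onos-kpimon-b7df68b85-wz55z","Operation":"File","Resource":"/etc/ssl/certs/ca-certificates.crt","Data":"syscall=SYS_OPEN flags=O_WRONLY|O_CREAT|O_TRUNC","Action":"Block"}
{"NamespaceName":"riab","PodName":"onos-kpimon-b7df68b85-wz55z","Operation":"File","Resource":"/etc/ssl/certs/ca-certificates.crt","Data":"syscall=SYS_OPEN flags=O_RDONLY","Action":"Audit"}
{"NamespaceName":"riab","PodName":"onos-kpimon-b7df68b85-wz55z","Operation":"File","Resource":"/var/run/secrets/kubernetes.io/serviceaccount/token","Data":"syscall=SYS_OPEN flags=O_RDONLY","Action":"Audit"}
kubearmor-relay: stream reconnected
"""
```

Feed it the NDJSON stream from the KubeArmor relay (or `karmor logs --json` output) and any category listed by `unenforced()` is a checklist item whose policy is still in Audit mode.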