---
tags: OWASP cloud-native-application-security
---
# OWASP Cloud-Native Application Security Top 10 CNAS 01 and 02
**CNAS-1: Insecure cloud, container or orchestration configuration**
**CNAS-2: Injection flaws (app layer, cloud events, cloud services)**
| Risk | Result of Successful Exploit Execution | Aqua Demo |
| -------- | -------- | -------- |
| Insecure cloud, container or orchestration configuration | Container runs as root | Runtime Policy Demo |
| Injection flaws (app layer, cloud events, cloud services) | Command injection, container runs as root | Runtime Policy Demo |
**Table of Contents**
[TOC]
# 1. Preparation
Create a new demo environment on the day you present. This ensures that everything is working and that no pod restarts etc. are required.
Change the Runtime Policy `Demo Cluster` to `audit` mode.
## 2. Add "Audit all process activity" to the Forensics control
In the Forensics control, include the events selected below in the audit log:
- [x] Audit all process activity
- [x] Audit full command arguments
- [x] Audit all network activity
## 3. ssh into your demo vm0
`ssh -i ~/.ssh/aqua.key ubuntu@demo3000-vm0.aquaseclabs.com`
Run `kubens` to list the namespaces, then select sock-shop:
`kubens sock-shop`
## 4. Enter the queue-master container
Run `./sock-shop-exec.bash` (type `./sock--` and tab-complete):
![](https://i.imgur.com/mWGqdnG.png)
## 5. Press Enter to run the script, then paste the attack command
Or copy the following command to your clipboard. It writes a base64-encoded payload to `/tmp`, decodes it to `evil.bin`, marks it executable and runs it, i.e. it launches an executable that was not part of the original image:
`cd /tmp && echo ZWNobyAiKysrKysrIEkgYW0gb3duaW5nIHlvdXIgc3lzdGVtIG5vdyArKysrKyIK > drop && base64 -d drop > evil.bin && chmod +x evil.bin && ./evil.bin`
![](https://i.imgur.com/AA4nYHd.png) (cd..)
## 6. Prepare the Aqua console in two tabs
1st Tab showing the risk explorer
2nd Tab showing the 'Demo Cluster' runtime policy
# 7. Run Demo:
Start in the terminal. Explain that this is a session inside a container and that you are simulating an attack.
Paste the command from step 5.
You should see `"++++++ I am owning your system now +++++"`.
#### 8. Jump over to the Aqua Console and open the risk explorer
#### 9. Select `queue-master` or `rabbitmq` from the sock-shop workloads and drill down into the container. Describe what you are doing and what information is provided.
#### 10. Select the container and click the container name (not one of the event counters below it; otherwise you run into a display bug and cannot change the filter of the audit events).
In the container view, give a short overview of the information we provide.
#### 11. Then jump over to the audit view to show the details. (Don't click an item in the risk view; display bug.)
In the audit view, select the Detect event and explain the details on the right-hand side:
* Effective User: root
* Effective User ID:
* Category:
* Action: exec
* Process ID: 76
* Parent Process ID: 52
* Process Name: /bin/sh
* Resource: /tmp/evil.bin
* Resource Digest: dfea9ed110154976bc6c908a8542eee89694b713692085b5b0e392f447bb748f
* ./evil.bin
* Aqua Response: Detect
* Aqua Policy: Aqua default runtime policy
* Drift Prevention - Prevent running executable not in original image
* Privilege Escalation
* Hijack Execution Flow, Process Injection
* Details: Unauthorized file lockdown by runtime policy
If time permits, also show the successful event just before it, to demonstrate that we record the surrounding events and give better context for incident response.
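The control that fires here keys on the executable's digest not matching anything in the original image, and step 16 adds a second, explicit block on `sh`. The script below is an added illustrative example, not Aqua's code and not part of the original runbook: it re-implements both checks in miniature against a constructed "image" directory. The directory layout, the `BLOCKED_EXECUTABLES` variable and the verdict exit codes (0 allowed, 1 drift, 2 blocked) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustrative example (not Aqua's code): a minimal re-implementation of
# the two runtime-policy controls the demo exercises.
#   1. Drift prevention: an executable whose sha256 digest is not in the
#      baseline taken from the "original image" is reported as drift.
#   2. Blocked executables: a basename on the block list (here: sh) is blocked,
#      even if it was part of the original image.
# The "image" is a constructed temp directory; the block list is an assumption.
set -eu

BLOCKED_EXECUTABLES="sh"   # assumed block list, mirrors step 16 of the demo

# Print the sha256 digest of every executable (user x bit set) under $1, sorted.
build_baseline() {
  root="$1"
  find "$root" -type f -perm -100 -exec sha256sum {} + | awk '{print $1}' | sort -u
}

# Decide what the policy would do for executable $2 against baseline file $1.
# Prints the verdict; exit status: 0 allowed, 1 drift, 2 blocked.
check_exec() {
  baseline="$1"; exe="$2"
  name=$(basename "$exe")
  # Block list is consulted first: it applies regardless of image contents.
  for b in $BLOCKED_EXECUTABLES; do
    if [ "$name" = "$b" ]; then
      echo "BLOCK: $exe matches blocked executable '$b'"
      return 2
    fi
  done
  digest=$(sha256sum "$exe" | awk '{print $1}')
  if grep -qx "$digest" "$baseline"; then
    echo "ALLOW: $exe ($digest)"
    return 0
  fi
  echo "DRIFT: $exe ($digest) not in original image"
  return 1
}

# Walk through the demo: baseline the image, drop evil.bin, run both checks.
demo() {
  img=$(mktemp -d); base=$(mktemp)
  # Constructed "image" content: one legitimate script and a shell wrapper.
  printf '#!/bin/sh\necho hello\n' > "$img/hello.sh"; chmod +x "$img/hello.sh"
  printf '#!/bin/sh\nexec /bin/sh "$@"\n' > "$img/sh"; chmod +x "$img/sh"
  build_baseline "$img" > "$base"
  # Same payload as step 5, written after the image was baselined.
  echo ZWNobyAiKysrKysrIEkgYW0gb3duaW5nIHlvdXIgc3lzdGVtIG5vdyArKysrKyIK | base64 -d > "$img/evil.bin"
  chmod +x "$img/evil.bin"
  for exe in "$img/hello.sh" "$img/evil.bin" "$img/sh"; do
    check_exec "$base" "$exe" && rc=0 || rc=$?
    echo "  -> exit status $rc"
  done
  rm -rf "$img" "$base"
}

demo
```

Note that `sh` is in the baseline, so the drift check alone never flags it; that is why step 16 adds it to the blocked executables explicitly, and why the block list is consulted before the digest comparison.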
#### 12. Switch to the Tab with the Runtime policy open
#### 13. Set policy to enforce and save it
#### 14. Switch back to the terminal and re-run the command (arrow up).
You should see a permission denied error, as in the image.
![](https://i.imgur.com/07mODvn.png)
#### 15. Switch back to the audit view and refresh to show the block event.
#### 16. Finally, add `sh` to the blocked commands in the runtime policy, save with enforce, then go back to the command line and repeat the command.
![](https://i.imgur.com/FPOJ3iL.png)
#### shell exec denied:
![](https://i.imgur.com/chhMaZ9.png)
Recording of the demo:
https://aquasecurity.sharepoint.com/:v:/s/EventsMarketing-Global/EVR156yc501LhlwcymJtIeoBRk2PieinWdCwcWeG06Neww?e=bgH3RP