---
tags: OWASP cloud-native-application-security
---

# OWASP Cloud-Native Application Security Top 10 CNAS 01 and 02

**CNAS-1: Insecure cloud, container or orchestration configuration**

**CNAS-2: Injection flaws (app layer, cloud events, cloud services)**

| Risk | Result of Successful Exploit Execution | Aqua Demo |
| -------- | -------- | -------- |
| Insecure cloud, container or orchestration configuration | Container runs as root | Demo Runtime Policy Demo |
| Injection flaws (app layer, cloud events, cloud services) | Command injection, Container runs as root | Demo - Runtime Policy Demo |

**Table of Contents**

[TOC]

## 1. Preparation

Create a new demo environment for the presentation on the same day you present. This ensures that everything is working and that no pod resets etc. are required.

Change the Runtime Policy `Demo Cluster` to `audit`.

## 2. Add "Audit all process activity" to the Forensics control

Forensics: include the events selected below in the audit log:

- [x] Audit all process activity
- [x] Audit full command arguments
- [x] Audit all network activity

## 3. SSH into your demo vm0

`ssh -i ~/.ssh/aqua.key ubuntu@demo3000-vm0.aquaseclabs.com`

Run `kubens` to see all of the namespaces and select sock-shop:

`kubens sock-shop`

## 4. Enter the queue-master container

`./sock-shop-exec.bash` (`./sock--`)

![](https://i.imgur.com/mWGqdnG.png)

## 5. Press Enter to run the script

Or put the following command into your clipboard:

`cd /tmp && echo ZWNobyAiKysrKysrIEkgYW0gb3duaW5nIHlvdXIgc3lzdGVtIG5vdyArKysrKyIK > drop && base64 -d drop > evil.bin && chmod +x evil.bin && ./evil.bin`

![](https://i.imgur.com/AA4nYHd.png)

(`cd ..`)

## 6. Prepare the Aqua console in two tabs

- 1st tab showing the Risk Explorer
- 2nd tab showing the `Demo Cluster` runtime policy

## 7. Run the demo

Start with the terminal. Explain that this is a session in a container and that you are simulating an attack.

Paste the code from step 5. You should see `"++++++ I am owning your system now +++++"`.

## 8. Jump over to the Aqua console and open the Risk Explorer

## 9. Select `queue-master` or `rabbitmq` from the sock shop and drill down into the container

Describe what you are doing and what information is provided.

## 10. Select the container and click the container name

Click the name, not one of the event counters below it, otherwise you run into a display bug and cannot change the filter of the audit events. In the container view, give a short overview of the information we provide.

## 11. Jump over to the audit view to show the details

(Don't click an item on the risk view: display bug.)

In the audit view select the detect event and explain the details on the right-hand side:

- Effective User: root
- Effective User ID:
- Category:
- Action: exec
- Process ID: 76
- Parent Process ID: 52
- Process Name: /bin/sh
- Resource: /tmp/evil.bin
- Resource Digest: dfea9ed1101 S4976bc6c908a8542eee89694b71369208S b5bOe392f447bb748f
- ./evil.bin
- Aqua Response: Detect
- Aqua Policy: Aqua default runtime policy
- Drift Prevention - Prevent running executable not in original image
- Privilege Escalation
- Hijack Execution Flow, Process Injection
- Details: Unauthorized file lockdown by runtime policy

If time permits, also show the preceding successful event, to show that we record the surrounding events to give better context for incident response.

## 12. Switch to the tab with the runtime policy open

## 13. Set the policy to enforce and save it

## 14. Switch back to the terminal and recall the command

You should see a permission denied, as in the image.

![](https://i.imgur.com/07mODvn.png)

## 15. Switch back to the audit view, refresh and show the block event

## 16. Finally, add `sh` to the commands and enforce, then go back to the command line and repeat

![](https://i.imgur.com/FPOJ3iL.png)

Shell exec denied:

![](https://i.imgur.com/chhMaZ9.png)

Recording for the demo: https://aquasecurity.sharepoint.com/:v:/s/EventsMarketing-Global/EVR156yc501LhlwcymJtIeoBRk2PieinWdCwcWeG06Neww?e=bgH3RP
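The policy decisions exercised in steps 11 to 16 (Detect on the drifted binary in audit mode, Block in enforce mode, then blocking `sh` itself), as an added Python model that is not Aqua's code: the image manifest, the audit events and the `RuntimePolicy` shape are constructed for illustration, with field names taken from the audit view above.

```python
"""Toy model of the runtime-policy decisions shown in this demo (added example).

Replays the demo's exec events against a policy with the two controls the demo
toggles (drift prevention and a blocked executables list) in 'audit' or 'enforce'
mode. Not Aqua's implementation; manifest, events and policy shape are constructed.
"""
from dataclasses import dataclass, field

# Files the original image shipped with (constructed; a real manifest comes from
# the image layers). /tmp/evil.bin is written at runtime, so it is not listed.
IMAGE_MANIFEST = {"/bin/sh", "/bin/echo", "/usr/bin/base64", "/bin/chmod",
                  "/app/queue-master"}

@dataclass
class RuntimePolicy:
    mode: str = "audit"                 # 'audit' -> Detect, 'enforce' -> Block
    drift_prevention: bool = True       # prevent running executables not in the image
    blocked_executables: set = field(default_factory=set)   # e.g. {"sh"} after step 16

def evaluate(event: dict, policy: RuntimePolicy, manifest=IMAGE_MANIFEST):
    """Return (response, reasons) for one audit event, mirroring 'Aqua Response'."""
    if event["Action"] != "exec":
        return "Allow", []
    reasons = []
    resource = event["Resource"]
    if policy.drift_prevention and resource not in manifest:
        reasons.append("Drift Prevention - executable not in original image")
    if resource.rsplit("/", 1)[-1] in policy.blocked_executables:
        reasons.append("Blocked executable")
    if not reasons:
        return "Allow", []
    if event["Effective User"] == "root":
        reasons.append("process runs as root")   # context for the analyst, not a trigger
    return ("Block" if policy.mode == "enforce" else "Detect"), reasons

# Constructed events modelled on the audit entry in step 11 and the sh exec in step 16.
EVIL_EXEC = {"Effective User": "root", "Action": "exec", "Process ID": 76,
             "Parent Process ID": 52, "Process Name": "/bin/sh", "Resource": "/tmp/evil.bin"}
SHELL_EXEC = {"Effective User": "root", "Action": "exec", "Process ID": 77,
              "Parent Process ID": 52, "Process Name": "/bin/sh", "Resource": "/bin/sh"}

if __name__ == "__main__":
    for mode in ("audit", "enforce"):
        print(mode, evaluate(EVIL_EXEC, RuntimePolicy(mode=mode)))
    print("sh blocked", evaluate(SHELL_EXEC,
                                 RuntimePolicy(mode="enforce", blocked_executables={"sh"})))
```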