Alcide Runtime Security | Process Whitelist

In this tutorial we will learn about Process Whitelisting, which is part of Alcide Runtime Security (ART). We will see an Hello World example which includes sign a process in Docker image, and then simulate an attack by running an unlisted process and change the whitelisted binary file.

Alcide Runtime (ART)

For this tutorial you will need a Kubernetes cluster with enough permissions to deploy resources into it.

Install and Set Up kubectl.
Install Minikube, or any working Kubernetes Cluster
Alcide Cloud Account

Alcide Code-to-production security

In order to implement Alcide Runtime Security features, we will need to onboard your Kubernetes cluster into your Alcide Cloud Account

Login to your account: https://yourcompany.cloud.alcide.io
On the left hand side menu, click on Create Data Center/Cluster
Follow the steps in the UI wizard.

At this point you should be able to see your cluster, worker nodes, and workloads, in the Infrastructure View and the application components in your Application View

Alcide Code-to-production security

first let's create a simple binary to represent our app

curl -O https://raw.githubusercontent.com/alcideio/codelab.github.io/master/codelabs/runtime-codelab-06/hello.go
docker run --rm -v "$PWD":/usr/src/my-app -w /usr/src/my-app golang:latest go build -o my-app -v hello.go

and another binary to represent a malicious app

curl -O https://raw.githubusercontent.com/alcideio/codelab.github.io/master/codelabs/runtime-codelab-06/malicious.go
docker run --rm -v "$PWD":/usr/src/malicious-app -w /usr/src/malicious-app golang:latest go build -o malicious-app -v malicious.go

now download the next Dockerfile, edit, and set your ALCIDE_KEY

curl -O https://raw.githubusercontent.com/alcideio/codelab.github.io/master/codelabs/runtime-codelab-06/Dockerfile
vi Dockerfile

Make sure you have ‘generator' binary in your working directory. If not, you can download it as so:

wget https://alcide.blob.core.windows.net/generic/whitelist-generator/generator

build your docker image and upload to your image repo

export IMG_NAME=<your_docker_account>/<your_repo>:<tag>
docker build . -t $IMG_NAME
docker push $IMG_NAME

Simply deploy to your Kubernetes cluster by copy/paste this

cat <<EOF | kubectl apply -f - && kubectl rollout status deployment/pw-demo --watch
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pw-demo
  labels:
    app: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: $IMG_NAME
EOF

first let's run an unlisted process (the process "mv")

kubectl exec -it $(kubectl get pods -l app=my-app -o custom-columns=:metadata.name --no-headers) mv malicious-app my-app

you should see the next alert in your Events Feed (in Alcide UI):
Process whitelist - unlisted process

If you don't see this alert, make sure you enabled the "Process Whitelist Hash Key" in the Settings/keys part of the UI.

now let's try to run the malicious-app (that we just renamed to my-app)

kubectl exec -it $(kubectl get pods -l app=my-app -o custom-columns=:metadata.name --no-headers) ./my-app

you should see the next alert in your Events Feed (in Alcide UI):
Process whitelist - process hash mismatch

In this codelab we covered:

A generation of a docker image with a whitelisted process
Simulation of process whitelist violation

Alcide Code-to-production security