In this tutorial we will learn about Process Whitelisting, which is part of Alcide Runtime Security (ART). We will walk through a Hello World example that signs a process in a Docker image, and then simulate an attack by running an unlisted process and by replacing the whitelisted binary file.
For this tutorial you will need a Kubernetes cluster with enough permissions to deploy resources into it.
In order to use Alcide Runtime Security features, you first need to onboard your Kubernetes cluster into your Alcide Cloud Account.
At this point you should be able to see your cluster, worker nodes, and workloads in the Infrastructure View, and the application components in your Application View.
curl -O https://raw.githubusercontent.com/alcideio/codelab.github.io/master/codelabs/runtime-codelab-06/hello.go
docker run --rm -v "$PWD":/usr/src/my-app -w /usr/src/my-app golang:latest go build -o my-app -v hello.go
curl -O https://raw.githubusercontent.com/alcideio/codelab.github.io/master/codelabs/runtime-codelab-06/malicious.go
docker run --rm -v "$PWD":/usr/src/malicious-app -w /usr/src/malicious-app golang:latest go build -o malicious-app -v malicious.go
curl -O https://raw.githubusercontent.com/alcideio/codelab.github.io/master/codelabs/runtime-codelab-06/Dockerfile
vi Dockerfile
export IMG_NAME=<your_docker_account>/<your_repo>:<tag>
docker build . -t $IMG_NAME
docker push $IMG_NAME
Deploy to your Kubernetes cluster by copying and pasting the following:
cat <<EOF | kubectl apply -f - && kubectl rollout status deployment/pw-demo --watch
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pw-demo
  labels:
    app: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        image: $IMG_NAME
EOF
kubectl exec -it $(kubectl get pods -l app=my-app -o custom-columns=:metadata.name --no-headers) -- mv malicious-app my-app
You should see the following alert in your Events Feed (in the Alcide UI):
Process whitelist - unlisted process
kubectl exec -it $(kubectl get pods -l app=my-app -o custom-columns=:metadata.name --no-headers) -- ./my-app
You should see the following alert in your Events Feed (in the Alcide UI):
Process whitelist - process hash mismatch
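The two alerts above come from two different checks: is the executed path on the whitelist at all, and does the binary on disk still hash to what was signed at build time. The following is an added illustration of that logic (not Alcide's code; the binary contents and paths are constructed stand-ins for the built my-app and malicious-app):

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict mirrors the two alert texts from the codelab, plus the allowed case.
type Verdict string

const (
	Allowed      Verdict = "allowed"
	Unlisted     Verdict = "Process whitelist - unlisted process"
	HashMismatch Verdict = "Process whitelist - process hash mismatch"
)

// Whitelist maps an executable path inside the container to the SHA-256
// of the binary that was signed when the image was built.
type Whitelist map[string]string

func digest(binary []byte) string {
	sum := sha256.Sum256(binary)
	return hex.EncodeToString(sum[:])
}

// Sign records the hash of a binary at build time (the "sign a process" step).
func (w Whitelist) Sign(path string, binary []byte) { w[path] = digest(binary) }

// Check is the runtime side: classify an exec of path given the bytes now on disk.
func (w Whitelist) Check(path string, binary []byte) Verdict {
	want, ok := w[path]
	if !ok {
		return Unlisted // path was never signed, e.g. /bin/mv
	}
	if digest(binary) != want {
		return HashMismatch // signed path, but the file was replaced
	}
	return Allowed
}

func main() {
	// Constructed stand-ins; real hashes come from the binaries in the image.
	myApp := []byte("ELF my-app: prints hello")
	malicious := []byte("ELF malicious-app")
	wl := Whitelist{}
	wl.Sign("my-app", myApp)
	fmt.Println(wl.Check("my-app", myApp))          // allowed
	fmt.Println(wl.Check("mv", []byte("ELF mv")))   // unlisted process
	fmt.Println(wl.Check("my-app", malicious))      // hash mismatch, as after mv malicious-app my-app
}
```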
In this codelab we covered: