Adding ClamAV demo (#132)

* Adding ClamAV demo

Signed-off-by: Amit Schendel <[email protected]>

* Adding table of content

Signed-off-by: Amit Schendel <[email protected]>

* Updating readme

Signed-off-by: Amit Schendel <[email protected]>

* Updating readme

Signed-off-by: Amit Schendel <[email protected]>

* Updating image

Signed-off-by: Amit Schendel <[email protected]>

* Update README.md

---------

Signed-off-by: Amit Schendel <[email protected]>
Co-authored-by: Ben Hirschberg <[email protected]>

README.md

@@ -38,6 +38,12 @@ A standout feature of KubeCop is its anomaly detection mechanism, which is groun
 
 Additionally, KubeCop is equipped with rules designed to identify well-known attack signatures. These rules are adept at uncovering various threats, such as unauthorized software executions that deviate from the original container image, detection of unpackers in memory, reverse shell activities, and more. Users have the flexibility to create 'Rule Bindings'—specific instructions that direct KubeCop on which rules should be applied to which Pods. This level of customization ensures that security measures are tailored to the unique needs of each Kubernetes deployment, enhancing the overall security posture and responsiveness of the system.
 
+### Host malware scanning
+
+KubeCop can scan the nodes for malware using ClamAV as an engine, a popular open-source antivirus engine. ClamAV supports scanning of files, directories, and volumes, and can be configured to scan the entire node or only specific directories. You can read more about ClamAV [here](https://www.clamav.net/). <br>
+
+KubeCop uses its own virus database which is a subset of the latest ClamAV virus database release but adopted to Kubernetes environment to save resources.
+
 ### Rules
 
 See [here](/pkg/engine/rule/README.md) more about our rules
@@ -105,6 +111,11 @@ These metrics can be useful to understand the load on the system how it behaves.
 
 You can enable the exported with `kubecop.prometheusExporter.enabled=true`.
 
+### ClamAV Scanning
+
+To enable ClamAV scanning, you need to use the following parameter in Helm: `kubecop.clamav.enabled=true`. <br>
+Please note that ClamAV scanning is not enabled by default, and it is not recommended for low-resource environments.
+
 #### Bindings
 
 KubeCop applies alert rules on Kubernetes workloads based on rule-binding configuration.

demo/README.md

@@ -3,7 +3,8 @@ This is a walkthrough of KubeCop, in this demo we will do the following:
 1. Install KubeCop.
 2. Deploy a sample web application and attack it.
 3. Deploy fileless malware.
-4. See how KubeCop detects the attacks.
+4. Deploy a container with malicious image that contains malwares.
+5. See how KubeCop detects the attacks.
 
 With this demo you will be able to see how KubeCop works and how it can be used to detect and prevent attacks.
 To learn more about KubeCop, see [here](../README.md).
@@ -14,6 +15,7 @@ To learn more about KubeCop, see [here](../README.md).
 - [Deploy Web Application](#deploy-web-application)
 - [Attack Web Application](#attack-web-application)
 - [Attack Fileless Malware](#attack-fileless-malware)
+- [Attack Malicious Image](#attack-malicious-image)
 - [Conclusion](#conclusion)
 
 
@@ -155,6 +157,34 @@ Let's see what has popped up in AlertManager.
 We can see that KubeCop detected that an exec syscall was made from `/proc/self/fd/3` which is the file descriptor of the malware that resides in the container's memory.
 This is a fileless malware, so we don't have any files to scan, but KubeCop still detected it.
 
+## Attack Malicious Image
+Let's deploy a container with malicious image that contains malwares such as [cryptominer](https://www.crowdstrike.com/blog/what-is-cryptomining/) and [webshell](https://owasp.org/www-community/attacks/Web_Shell).
+
+We are going to be using [ruzickap malwares container](https://github.com/ruzickap/malware-cryptominer-container) to deploy a container with malwares.
+To deploy the container, run the following command:
+```bash
+kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2
+```
+Or, alternatively, you can build the image yourself by running the following commands:
+```bash
+docker build -t malware-cryptominer -f malwares_image/Containerfile .
+docker tag malware-cryptominer quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2
+# If you are using minikube
+minikube image load quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2
+# If you are using kind
+kind load docker-image quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2
+```
+
+Let's see what has popped up in AlertManager.
+![malwares](assets/malwares.png)
+We can see that KubeCop detected that the container is running a malicious image that contains malwares.
+It also supplies the path to the malwares in the node's filesystem as well as the signatures of the malwares.
+KubeCop uses [ClamAV](https://www.clamav.net/) to scan the images for malwares.
+ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats, it supports a wide range of signature languages including YARA and bytecode signatures.
+
+Please note that KubeCop doesn't scan the images by default, you need to enable it by setting `kubecop.clamav.enabled=true` in the helm chart. See [here](../README.md#clamav-scanning) for more information.
+
+
 ## Conclusion
 In this demo we saw how KubeCop can be used to detect and prevent attacks in Kubernetes.
 We covered a few attacks, but KubeCop can detect many more attacks, see [here](../pkg/engine/rule/README.md) for the full list of supported rules and detection methods.

demo/general_attack/webapp/ping-app.yaml

@@ -8,8 +8,8 @@ spec:
 
   containers:
   - name: ping-app
-    image: docker.io/library/ping-app:latest # Replace with quay.io/armosec/ping-app:latest
-    imagePullPolicy: IfNotPresent
+    image: amitschendel/ping-app:latest
+    imagePullPolicy: Always
     ports:
     - containerPort: 80
 ---
@@ -49,4 +49,4 @@ subjects:
 roleRef:
   kind: Role
   name: ping-app-role
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

demo/malwares_image/Containerfile

@@ -0,0 +1,114 @@
+# Credit - https://github.com/ruzickap/malware-cryptominer-container
+FROM python:3.12.0-alpine3.17 as build
+
+ENV XMRIG_VERSION="6.20.0"
+
+# xmrig
+RUN set -eux && \
+    # ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, stripped
+    mkdir -p /mnt/xmrig && \
+    wget -q "https://github.com/xmrig/xmrig/releases/download/v${XMRIG_VERSION}/xmrig-${XMRIG_VERSION}-linux-static-x64.tar.gz" -O /mnt/xmrig/xmrig-linux-static-x64.tar.gz && \
+    tar xvzf /mnt/xmrig/xmrig-linux-static-x64.tar.gz -C /mnt/xmrig/ --strip-components=1 "xmrig-${XMRIG_VERSION}/xmrig"
+
+# Compile own version of xmrig cryptominer
+RUN set -eux && \
+    if [ "$(uname -m)" = "x86_64" ]; then \
+      apk add --no-cache git make cmake libstdc++ gcc g++ libuv-dev openssl-dev hwloc-dev && \
+      git clone --branch "v${XMRIG_VERSION}" https://github.com/xmrig/xmrig && \
+      sed -i \
+        -e 's/APP_ID.*/APP_ID "myxmrig"/' \
+        -e 's/APP_NAME.*/APP_NAME "My XMRig"/' \
+        -e 's/APP_DESC.*/APP_DESC "My XMRig miner"/' \
+        -e 's/APP_VERSION.*"\(.*\)"/APP_VERSION "\1-my"/' \
+        xmrig/src/version.h && \
+      cmake -S xmrig -B xmrig/build && make -C xmrig/build -j"$(nproc)" && \
+      ./xmrig/build/xmrig --version && \
+      mv ./xmrig/build/xmrig /mnt/xmrig/my-xmrig ; \
+    fi
+
+# eicar
+RUN set -eux && \
+    # EICAR virus test files
+    mkdir -p /mnt/eicar && \
+    wget -q -P /mnt/eicar https://secure.eicar.org/eicar.com https://secure.eicar.org/eicar.com.txt https://secure.eicar.org/eicarcom2.zip
+
+# windows/macos malware + ransomware for different architectures
+RUN set -eux && \
+    # C source, ASCII text
+    wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Email-Worm/ILOVEYOU.vbs"                                                                                           -O /mnt/ILOVEYOU.vbs && \
+    # ASCII text, with very long lines (361)
+    wget -q "https://github.com/antonioCoco/ConPtyShell/raw/f5c00d4d37b656092d20447b127eb0774efca96a/Invoke-ConPtyShell.ps1"                                                                                              -O /mnt/Invoke-ConPtyShell.ps1 && \
+    # DOS batch file, ASCII text
+    wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Trojan/L0Lz.bat"                                                                                                   -O /mnt/L0Lz.bat && \
+    # MS-DOS executable
+    wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Virus/MadMan.exe"                                                                                                  -O /mnt/MadMan.exe && \
+    # Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.10, Code page: 1252, Title: Password List for March 26th 1999, Subject: Adult Website Passwords, Author: John Holmes, Keywords: 73 sites in this list, Comments: Password List for March 26th 1999, Template: Normal.dot, Last Saved By: Him, Revision Number: 2, Name of Creating Application: Microsoft Word 8.0, Create Time/Date: Fri Mar 26 11:39:00 1999, Last Saved Time/Date: Fri Mar 26 11:39:00 1999, Number of Pages: 2, Number of Words: 745, Number of Characters: 4249, Security: 0
+    wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Virus/Melissa.doc"                                                                                                 -O /mnt/Melissa.doc && \
+    # Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>
+    wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6614978ab256f922d7b6dbd7cc15c6136819f4bcfb5a0fead480561f0df54ca6" -O /mnt/TrojanSpy.MacOS.XCSSET.A && \
+    # DOS executable (COM)
+    wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Virus/Walker.com"                                                                                                  -O /mnt/Walker.com && \
+    # PE32 executable (GUI) Intel 80386, for MS Windows
+    wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Ransomware/WannaCry.exe"                                                                                           -O /mnt/WannaCry.exe && \
+    # Microsoft Excel 2007+
+    wget -q "https://github.com/Da2dalus/The-MALWARE-Repo/raw/e8ddc517b4ecd80728e0acef1c558fad9a1c888a/Banking-Malware/Zloader.xlsm"                                                                                      -O /mnt/Zloader.xlsm
+
+# linux malware + ransomware for different architectures
+RUN set -eux && \
+    # ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, with debug_info, not stripped
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Linux.Trojan.Multiverze/0a5a7008fa1a17c8ee32ea4e2f7e25d7302f9dfc4201c16d793a1d03f95b9fa5.elf.x86" -O /mnt/Linux.Trojan.Multiverze.elf.x86 && \
+    # ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Unix.Trojan.Mirai/40e8d9d82800728a5f1cfc2c2e156d5ee72fb44c54c26a86cfd35e95ea737e37.elf.x86_64"    -O /mnt/Unix.Trojan.Mirai.elf.x86_64 && \
+    # ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=9fdmXJhReUX31Gj9ZEYg/ufudXOOpAambiyMItr13/otwZTTTdWsnO_OuvAAn-/qn6mMLxbKwGft_Ecoum6, stripped
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Unix.Malware.Kaiji/3e68118ad46b9eb64063b259fca5f6682c5c2cb18fd9a4e7d97969226b2e6fb4.elf.arm"      -O /mnt/Unix.Malware.Kaiji.elf.arm && \
+    # ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, with debug_info, not stripped
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Unix.Trojan.Spike/04d88a0f5ffa8da57cfd9b1ae6e4fd9758610a3de72688516b258b5564735476.elf.arm"       -O /mnt/Unix.Trojan.Spike.elf.arm && \
+    # ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Unix.Trojan.Mirai/faa0deaba42ba76192609c5d2f59664e871c7bc68ebb5d99c91bf8ea4ddb8ea5.elf.mips"      -O /mnt/Unix.Trojan.Mirai.elf.mips && \
+    # ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Unix.Trojan.Mirai/11242cdb5dac9309a2f330bd0dad96efba9ccc9b9d46f2361e8bf8e4cde543c1.elf.m68k"      -O /mnt/Unix.Trojan.Mirai.elf.m68k && \
+    # ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Unix.Trojan.Mirai/d5230c95c4af4e1fcddf9660070932b7876a9569dc3a2baedf762abbe37b1ad5.elf.ppc"       -O /mnt/Unix.Trojan.Mirai.elf.ppc && \
+    # ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Unix.Trojan.Mirai/190333b93af51f9a3e3dc4186e4f1bdb4f92c05d3ce047fbe5c3670d1b5a87b4.elf.sparc"     -O /mnt/Unix.Trojan.Mirai.elf.sparc && \
+    # POSIX shell script, ASCII text executable
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Unix.Downloader.Rocke/228ec858509a928b21e88d582cb5cfaabc03f72d30f2179ef6fb232b6abdce97.sh"        -O /mnt/Unix.Downloader.Rocke.sh && \
+    # Bourne-Again shell script, ASCII text executable
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Txt.Malware.Sustes/0e77291955664d2c25d5bfe617cec12a388e5389f82dee5ae4fd5c5d1f1bdefe.sh"           -O /mnt/Txt.Malware.Sustes.sh && \
+    # Perl script text executable
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Win.Trojan.Perl/9aed7ab8806a90aa9fac070fbf788466c6da3d87deba92a25ac4dd1d63ce4c44.perl"            -O /mnt/Win.Trojan.Perl.perl && \
+    # Python script, ASCII text executable, with very long lines (4330), with CRLF line terminators
+    wget -q "https://github.com/timb-machine/linux-malware/raw/ca4750299f0090242a3d31da1f8d8764cdb97269/malware/binaries/Py.Trojan.NecroBot/0e600095a3c955310d27c08f98a012720caff698fe24303d7e0dcb4c5e766322.py"           -O /mnt/Py.Trojan.NecroBot.py && \
+    # Java archive data (JAR)
+    wget -q "https://github.com/HonbraDev/fractureiser-samples/raw/221bcc4bf45d5896f8908b21d5a8f3e7fcbc2875/stage-0-infected-DisplayEntityEditor-1.0.4.jar"                                                                -O /mnt/Trojan.Java.Fractureiser.MTB.jar
+
+COPY img /mnt/img
+COPY README.md /mnt/
+
+RUN set -eux && \
+    # Bug with versions: https://github.com/joeyespo/grip/issues/377
+    # renovate: datasource=pypi depName=grip
+    GRIP_VERSION="4.6.1" && \
+    pip install --no-cache-dir grip=="${GRIP_VERSION}" flask==2.3.3 werkzeug==2.3.7 && \
+    grip /mnt/README.md --export /mnt/index.html
+
+################################################################################
+
+FROM nginxinc/nginx-unprivileged:1.25.3-alpine-slim
+
+COPY --from=build /mnt/ /usr/share/nginx/html/
+
+RUN printf '%s\n' > /etc/nginx/conf.d/health.conf \
+    'server {' \
+    '    listen 8081;' \
+    '    location / {' \
+    '        access_log off;' \
+    '        add_header Content-Type text/plain;' \
+    '        return 200 "healthy\n";' \
+    '    }' \
+    '}'
+
+USER nginx
+
+# Healthcheck to make sure container is ready
+HEALTHCHECK --interval=5m --timeout=3s CMD curl --fail http://localhost:8081 || exit 1

dev/devpod-clamav.yaml

@@ -114,7 +114,9 @@ spec:
           - name: CLAMAV_SCAN_INTERVAL
             value: "60s"
           - name: CLAMAV_SCAN_PATH
-            value: "/host"
+            value: "/host/var/lib/docker"
+          - name: ALERTMANAGER_URL
+            value: "alertmanager-operated.monitoring.svc.cluster.local:9093"
         securityContext:
           privileged: true
           capabilities:
@@ -136,13 +138,6 @@ spec:
       - name: clamd
         image: quay.io/armosec/klamav:beta4
         imagePullPolicy: Always
-        resources:
-          requests:
-            memory: "64Mi"
-            cpu: "100m"
-          limits:
-            memory: "200Mi"
-            cpu: "200m"
         volumeMounts:
         - name: clamdb
           mountPath: /host/tmp/clamav-db