diff --git a/KubeArmor/feeder/policyMatcher.go b/KubeArmor/feeder/policyMatcher.go
index cdee436c26..af5c1c27cc 100644
--- a/KubeArmor/feeder/policyMatcher.go
+++ b/KubeArmor/feeder/policyMatcher.go
@@ -99,6 +99,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 match.Resource = fpt.Path
 match.ResourceType = "Path"
 
+match.ReadOnly = fpt.ReadOnly
+
 if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fpt.Action, "Block") {
 match.Action = "Audit (" + fpt.Action + ")"
 } else {
@@ -113,6 +115,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 match.Resource = fdt.Directory
 match.ResourceType = "Directory"
 
+match.ReadOnly = fdt.ReadOnly
+
 if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fdt.Action, "Block") {
 match.Action = "Audit (" + fdt.Action + ")"
 } else {
@@ -126,6 +130,8 @@ func (fd *Feeder) newMatchPolicy(policyEnabled int, policyName, src string, mp i
 match.Resource = fpt.Pattern
 match.ResourceType = "" // to be defined based on the pattern matching syntax
 
+match.ReadOnly = fpt.ReadOnly
+
 if policyEnabled == tp.KubeArmorPolicyAudited && strings.HasPrefix(fpt.Action, "Block") {
 match.Action = "Audit (" + fpt.Action + ")"
 } else {
@@ -791,6 +797,12 @@ func (fd *Feeder) UpdateMatchedPolicy(log tp.Log) tp.Log {
 
 log.Type = "MatchedPolicy"
 log.Action = secPolicy.Action
+
+if log.Operation == "File" {
+if secPolicy.ReadOnly && log.Data != "" && (strings.Contains(log.Data, "O_RDWR") || strings.Contains(log.Data, "O_WRONLY")) {
+log.Action = "Audit (Block)"
+}
+}
 }
 }
 }
diff --git a/KubeArmor/types/types.go b/KubeArmor/types/types.go
index 7ece79f871..faa742c327 100644
--- a/KubeArmor/types/types.go
+++ b/KubeArmor/types/types.go
@@ -200,8 +200,9 @@ type MatchPolicy struct {
 Resource string
 ResourceType string
 
-Regexp *regexp.Regexp
-Native bool
+Regexp   *regexp.Regexp
+Native   bool
+ReadOnly bool
 
 Action string
 }
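Review bot: In the readOnly branch added after `log.Action = secPolicy.Action`, the action is replaced by the fixed string "Audit (Block)" without looking at secPolicy.Action or at whether the write was actually denied, so a write-mode open of a readOnly path under an enforced Block policy carries the same label that newMatchPolicy reserves for Block rules running in audit mode (KubeArmorPolicyAudited). If the label is meant to say "this would have been blocked", the condition should also consult the policy mode, and otherwise the label should be derived from secPolicy.Action; in either case a comment stating what the string denotes here would help, e.g. `// readOnly rule: a write-mode open is reported as a Block violation regardless of secPolicy.Action`. The detection itself is a substring search of log.Data for "O_RDWR"/"O_WRONLY", so only open-style flags are covered and a write that reaches the path through another file operation (truncate or rename, if those are logged with Operation "File") is not flagged, which is worth noting next to the condition. The `log.Data != ""` guard is redundant with strings.Contains, and the two nested ifs can be folded into one condition. UpdateMatchedPolicy's body continues outside the hunk.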
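Review bot: The new `ReadOnly bool` field on MatchPolicy has no doc comment, so its meaning is only discoverable from the feeder code that consumes it. A short trailing comment would do, e.g. `ReadOnly bool // copied from the file rule's readOnly flag; Feeder.UpdateMatchedPolicy reports write-mode opens of the matched resource as "Audit (Block)"`. The MatchPolicy declaration starts before the hunk.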