edge

package
v1.6.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 11, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

View Source
const (
	ClusterRoleBindName = "RoleBindClusteRoleBindingbClusterRoleClusterRole"
)
View Source
const (
	RoleBindCrbCrRName = "RoleBindClusteRoleBindingbClusterRoleRole"
)
View Source
const (
	RoleBindLabel = "ROLE_BIND"
)
View Source
const (
	RoleBindspaceName = "RoleBindRoleBindingbRoleBindingRole"
)

Variables

View Source
var ProcMountList = bson.A{
	"/",
	"/proc",
	"/proc/sys",
	"/proc/sys/kernel",
}
View Source
var SafeWriteMountList = bson.A{
	"/var/run/datadog-agent",
	"/etc/datadog-agent",
	"/etc/datadog-agent/auth",
	"/opt/datadog-agent/run",
	"/etc/datadog",
	"/run/xtables\\.lock",
	"/opt/datadog/heapdumps",
	"/var/datadog/dumps",
	primitive.Regex{Pattern: "^/mnt/disks"},
	primitive.Regex{Pattern: "^/sys/kernel/debug"},
	primitive.Regex{Pattern: "^/tmp?.*"},
	primitive.Regex{Pattern: "^/var/run/.*"},
	primitive.Regex{Pattern: "^/mnt/.*"},
	primitive.Regex{Pattern: "^/var/lib/datadog-agent/.*"},
	primitive.Regex{Pattern: "^/var/tmp/datadog-agent/.*"},
	primitive.Regex{Pattern: "^/run/udev"},
	primitive.Regex{Pattern: "^/lib/udev"},
	primitive.Regex{Pattern: "^/etc/udev"},
	primitive.Regex{Pattern: "^/data/[a-zA-Z0-9\\-]*/shared"},
}

SafeWriteMountList represent common safe mounts that are deemed not exploitable. Paths are normalized by K8s to remove the trailing slash.

View Source
var TokenMountList = bson.A{
	"/",
	"/var",
	"/var/lib",
	"/var/lib/kubelet",
	"/var/lib/kubelet/pods",
	primitive.Regex{Pattern: "^/var/lib/kubelet/pods/.*"},
}

TokenMountList represent ounts that grant access to the pod service account tokens that reside in /var/lib/kubelet/pods/<uid>/volumes/kubernetes.io~projected/<name>/. Paths are normalized by K8s to remove the trailing slash.

View Source
var UnsafeReadMountlist = bson.A{
	"/",
	"/home",
	primitive.Regex{Pattern: "^/home/[a-zA-Z0-9]*/\\.ssh$"},
	"/root",
	"/root/.ssh",
	"/proc",
	"/etc",
}

UnsafeReadMountlist represents dangerous mounts that can be abused to read secrets granting execution on the host. Paths are normalized by K8s to remove the trailing slash.

Functions

func Register

func Register(edge Builder, flags RegistrationFlag)

Register loads the provided edge into the registry.

Types

type BaseContainerEscape

type BaseContainerEscape struct {
	BaseEdge
}

func (*BaseContainerEscape) Traversal

func (e *BaseContainerEscape) Traversal() types.EdgeTraversal

type BaseEdge

type BaseEdge struct {
	// contains filtered or unexported fields
}

func (*BaseEdge) BatchSize

func (e *BaseEdge) BatchSize() int

func (*BaseEdge) Initialize

func (e *BaseEdge) Initialize(cfg *config.EdgeBuilderConfig, runtime *config.DynamicConfig) error

func (*BaseEdge) Traversal

func (e *BaseEdge) Traversal() types.EdgeTraversal

type Builder

type Builder interface {
	// Initialize intializes an edge builder from the application config
	Initialize(cfg *config.EdgeBuilderConfig, runtime *config.DynamicConfig) error

	// Name returns the unique name for the edge builder. This must be unique.
	Name() string

	// Label returns the label for the edge (convention is all uppercase i.e EDGE_NAME).
	Label() string

	// BatchSize returns the batch size of bulk inserts (and threshold for triggering a flush).
	BatchSize() int

	// Traversal returns a graph traversal function that enables creating edges from an input array of TraversalInput objects.
	Traversal() types.EdgeTraversal

	// Processor transforms an object queued for writing to a format suitable for consumption by the Traversal function.
	Processor(context.Context, *converter.ObjectIDConverter, any) (any, error)

	// Stream will query the store db for the data required to create an edge and stream to graph DB via callbacks.
	// Each query result is encapsulated within an DataContainer and transformed to a TraversalInput via a call to
	// the edge's Processor function. Invoking the complete callback signals the end of the stream.
	Stream(ctx context.Context, store storedb.Provider, cache cache.CacheReader,
		process types.ProcessEntryCallback, complete types.CompleteQueryCallback) error
}

type ContainerAttach

type ContainerAttach struct {
	BaseEdge
}

func (*ContainerAttach) Label

func (e *ContainerAttach) Label() string

func (*ContainerAttach) Name

func (e *ContainerAttach) Name() string

func (*ContainerAttach) Processor

func (e *ContainerAttach) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*ContainerAttach) Stream

func (*ContainerAttach) Traversal

func (e *ContainerAttach) Traversal() types.EdgeTraversal

type DependentBuilder added in v0.2.2

type DependentBuilder interface {
	Builder

	// Dependencies returns the edge labels of all dependencies.
	Dependencies() []string
}

DependentBuilder interface defines objects used to construct edges with dependencies on other edges in the graph. Dependent edges are built last and their dependencies cannot be dependent edges themselves.

type EndpointExploitExternal

type EndpointExploitExternal struct {
	BaseEdge
}

func (*EndpointExploitExternal) Label

func (e *EndpointExploitExternal) Label() string

func (*EndpointExploitExternal) Name

func (e *EndpointExploitExternal) Name() string

func (*EndpointExploitExternal) Processor

func (e *EndpointExploitExternal) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*EndpointExploitExternal) Stream

type EndpointExploitInternal

type EndpointExploitInternal struct {
	BaseEdge
}

func (*EndpointExploitInternal) Label

func (e *EndpointExploitInternal) Label() string

func (*EndpointExploitInternal) Name

func (e *EndpointExploitInternal) Name() string

func (*EndpointExploitInternal) Processor

func (e *EndpointExploitInternal) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*EndpointExploitInternal) Stream

type EscapeCorePattern added in v1.5.1

type EscapeCorePattern struct {
	BaseContainerEscape
}

func (*EscapeCorePattern) Label added in v1.5.1

func (e *EscapeCorePattern) Label() string

func (*EscapeCorePattern) Name added in v1.5.1

func (e *EscapeCorePattern) Name() string

func (*EscapeCorePattern) Processor added in v1.5.1

func (e *EscapeCorePattern) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*EscapeCorePattern) Stream added in v1.5.1

type EscapeModuleLoad

type EscapeModuleLoad struct {
	BaseContainerEscape
}

func (*EscapeModuleLoad) Label

func (e *EscapeModuleLoad) Label() string

func (*EscapeModuleLoad) Name

func (e *EscapeModuleLoad) Name() string

func (*EscapeModuleLoad) Processor

func (e *EscapeModuleLoad) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

Processor delegates the processing tasks to the generic containerEscapeProcessor.

func (*EscapeModuleLoad) Stream

type EscapeNsenter

type EscapeNsenter struct {
	BaseContainerEscape
}

func (*EscapeNsenter) Label

func (e *EscapeNsenter) Label() string

func (*EscapeNsenter) Name

func (e *EscapeNsenter) Name() string

func (*EscapeNsenter) Processor

func (e *EscapeNsenter) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

Processor delegates the processing tasks to the generic containerEscapeProcessor.

func (*EscapeNsenter) Stream

type EscapePrivMount

type EscapePrivMount struct {
	BaseContainerEscape
}

func (*EscapePrivMount) Label

func (e *EscapePrivMount) Label() string

func (*EscapePrivMount) Name

func (e *EscapePrivMount) Name() string

func (*EscapePrivMount) Processor

func (e *EscapePrivMount) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

Processor delegates the processing tasks to the generic containerEscapeProcessor.

func (*EscapePrivMount) Stream

type EscapeSysPtrace

type EscapeSysPtrace struct {
	BaseContainerEscape
}

func (*EscapeSysPtrace) Label

func (e *EscapeSysPtrace) Label() string

func (*EscapeSysPtrace) Name

func (e *EscapeSysPtrace) Name() string

func (*EscapeSysPtrace) Processor

func (e *EscapeSysPtrace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

Processor delegates the processing tasks to the generic containerEscapeProcessor.

func (*EscapeSysPtrace) Stream

type EscapeVarLogSymlink struct {
	BaseContainerEscape
}

func (*EscapeVarLogSymlink) Dependencies added in v1.1.0

func (e *EscapeVarLogSymlink) Dependencies() []string

List of needed edges to run the traversal query

func (*EscapeVarLogSymlink) Label added in v1.1.0

func (e *EscapeVarLogSymlink) Label() string

func (*EscapeVarLogSymlink) Name added in v1.1.0

func (e *EscapeVarLogSymlink) Name() string

func (*EscapeVarLogSymlink) Processor added in v1.1.0

func (e *EscapeVarLogSymlink) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*EscapeVarLogSymlink) Stream added in v1.1.0

func (*EscapeVarLogSymlink) Traversal added in v1.1.0

func (e *EscapeVarLogSymlink) Traversal() types.EdgeTraversal

type ExploitHostRead

type ExploitHostRead struct {
	BaseEdge
}

func (*ExploitHostRead) Label

func (e *ExploitHostRead) Label() string

func (*ExploitHostRead) Name

func (e *ExploitHostRead) Name() string

func (*ExploitHostRead) Processor

func (e *ExploitHostRead) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*ExploitHostRead) Stream

type ExploitHostTraverse

type ExploitHostTraverse struct {
	BaseEdge
}

func (*ExploitHostTraverse) Label

func (e *ExploitHostTraverse) Label() string

func (*ExploitHostTraverse) Name

func (e *ExploitHostTraverse) Name() string

func (*ExploitHostTraverse) Processor

func (e *ExploitHostTraverse) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*ExploitHostTraverse) Stream

type ExploitHostWrite

type ExploitHostWrite struct {
	BaseEdge
}

func (*ExploitHostWrite) Label

func (e *ExploitHostWrite) Label() string

func (*ExploitHostWrite) Name

func (e *ExploitHostWrite) Name() string

func (*ExploitHostWrite) Processor

func (e *ExploitHostWrite) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*ExploitHostWrite) Stream

type IdentityAssumeContainer

type IdentityAssumeContainer struct {
	BaseEdge
}

func (*IdentityAssumeContainer) Label

func (e *IdentityAssumeContainer) Label() string

func (*IdentityAssumeContainer) Name

func (e *IdentityAssumeContainer) Name() string

func (*IdentityAssumeContainer) Processor

func (e *IdentityAssumeContainer) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*IdentityAssumeContainer) Stream

type IdentityAssumeNode

type IdentityAssumeNode struct {
	BaseEdge
}

func (*IdentityAssumeNode) Label

func (e *IdentityAssumeNode) Label() string

func (*IdentityAssumeNode) Name

func (e *IdentityAssumeNode) Name() string

func (*IdentityAssumeNode) Processor

func (e *IdentityAssumeNode) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*IdentityAssumeNode) Stream

type PermissionDiscover

type PermissionDiscover struct {
	BaseEdge
}

func (*PermissionDiscover) Label

func (e *PermissionDiscover) Label() string

func (*PermissionDiscover) Name

func (e *PermissionDiscover) Name() string

func (*PermissionDiscover) Processor

func (e *PermissionDiscover) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PermissionDiscover) Stream

type PodAttach

type PodAttach struct {
	BaseEdge
}

func (*PodAttach) Label

func (e *PodAttach) Label() string

func (*PodAttach) Name

func (e *PodAttach) Name() string

func (*PodAttach) Processor

func (e *PodAttach) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodAttach) Stream

type PodCreate

type PodCreate struct {
	BaseEdge
}

func (*PodCreate) BatchSize

func (e *PodCreate) BatchSize() int

func (*PodCreate) Label

func (e *PodCreate) Label() string

func (*PodCreate) Name

func (e *PodCreate) Name() string

func (*PodCreate) Processor

func (e *PodCreate) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodCreate) Stream

Stream finds all roles that have pod/create or equivalent wildcard permissions.

func (*PodCreate) Traversal

func (e *PodCreate) Traversal() types.EdgeTraversal

type PodExec

type PodExec struct {
	BaseEdge
}

func (*PodExec) BatchSize

func (e *PodExec) BatchSize() int

func (*PodExec) Label

func (e *PodExec) Label() string

func (*PodExec) Name

func (e *PodExec) Name() string

func (*PodExec) Processor

func (e *PodExec) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodExec) Stream

Stream finds all roles that are NOT namespaced and have pod/exec or equivalent wildcard permissions.

func (*PodExec) Traversal

func (e *PodExec) Traversal() types.EdgeTraversal

type PodExecNamespace

type PodExecNamespace struct {
	BaseEdge
}

func (*PodExecNamespace) Label

func (e *PodExecNamespace) Label() string

func (*PodExecNamespace) Name

func (e *PodExecNamespace) Name() string

func (*PodExecNamespace) Processor

func (e *PodExecNamespace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodExecNamespace) Stream

Stream finds all roles that are namespaced and have pod/exec or equivalent wildcard permissions and matching pods. Matching pods are defined as all pods that share the role namespace or non-namespaced pods.

type PodPatch

type PodPatch struct {
	BaseEdge
}

func (*PodPatch) BatchSize

func (e *PodPatch) BatchSize() int

func (*PodPatch) Label

func (e *PodPatch) Label() string

func (*PodPatch) Name

func (e *PodPatch) Name() string

func (*PodPatch) Processor

func (e *PodPatch) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodPatch) Stream

Stream finds all roles that have pod/patch or equivalent wildcard permissions.

func (*PodPatch) Traversal

func (e *PodPatch) Traversal() types.EdgeTraversal

type PodPatchNamespace

type PodPatchNamespace struct {
	BaseEdge
}

func (*PodPatchNamespace) Label

func (e *PodPatchNamespace) Label() string

func (*PodPatchNamespace) Name

func (e *PodPatchNamespace) Name() string

func (*PodPatchNamespace) Processor

func (e *PodPatchNamespace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodPatchNamespace) Stream

Stream finds all roles that are namespaced and have pod/exec or equivalent wildcard permissions and matching pods. Matching pods are defined as all pods that share the role namespace or non-namespaced pods.

type RegistrationFlag

type RegistrationFlag uint8
const (
	RegisterDefault         RegistrationFlag = 1 << iota // Default edge
	RegisterGraphMutation                                // Edge can mutate the graph
	RegisterGraphDependency                              // Edge has a dependency on default/mutating edges
)

type Registry

type Registry struct {
	// contains filtered or unexported fields
}

Registry holds details of edges (i.e attacks) registered in KubeHound.

func Registered

func Registered() *Registry

Registered returns the edge registry singleton.

func (*Registry) Dependent added in v0.2.2

func (r *Registry) Dependent() map[string]DependentBuilder

Dependent returns the map of registered edge builders with default edge dependencies.

func (*Registry) Mutating

func (r *Registry) Mutating() map[string]Builder

Mutating returns the map of registered mutating edge builders.

func (*Registry) Simple

func (r *Registry) Simple() map[string]Builder

Simple returns the map of registered edge builders.

func (*Registry) Verify added in v0.2.2

func (r *Registry) Verify() error

Verify verifies the integrity and consistency of the registry. Function should only be called once all edges have been registered via init() calls.

type RoleBindCrbCrCr added in v1.2.0

type RoleBindCrbCrCr struct {
	BaseEdge
}

func (*RoleBindCrbCrCr) Label added in v1.2.0

func (e *RoleBindCrbCrCr) Label() string

func (*RoleBindCrbCrCr) Name added in v1.2.0

func (e *RoleBindCrbCrCr) Name() string

func (*RoleBindCrbCrCr) Processor added in v1.2.0

func (e *RoleBindCrbCrCr) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*RoleBindCrbCrCr) Stream added in v1.2.0

func (*RoleBindCrbCrCr) Traversal added in v1.2.0

func (e *RoleBindCrbCrCr) Traversal() types.EdgeTraversal

type RoleBindCrbCrR added in v1.2.0

type RoleBindCrbCrR struct {
	BaseEdge
}

func (*RoleBindCrbCrR) Label added in v1.2.0

func (e *RoleBindCrbCrR) Label() string

func (*RoleBindCrbCrR) Name added in v1.2.0

func (e *RoleBindCrbCrR) Name() string

func (*RoleBindCrbCrR) Processor added in v1.2.0

func (e *RoleBindCrbCrR) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*RoleBindCrbCrR) Stream added in v1.2.0

func (*RoleBindCrbCrR) Traversal added in v1.2.0

func (e *RoleBindCrbCrR) Traversal() types.EdgeTraversal

type RoleBindRbRbR added in v1.2.0

type RoleBindRbRbR struct {
	BaseEdge
}

func (*RoleBindRbRbR) Label added in v1.2.0

func (e *RoleBindRbRbR) Label() string

func (*RoleBindRbRbR) Name added in v1.2.0

func (e *RoleBindRbRbR) Name() string

func (*RoleBindRbRbR) Processor added in v1.2.0

func (e *RoleBindRbRbR) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*RoleBindRbRbR) Stream added in v1.2.0

type SharePSNamespace added in v0.2.2

type SharePSNamespace struct {
	BaseEdge
}

func (*SharePSNamespace) Label added in v0.2.2

func (e *SharePSNamespace) Label() string

func (*SharePSNamespace) Name added in v0.2.2

func (e *SharePSNamespace) Name() string

func (*SharePSNamespace) Processor added in v0.2.2

func (e *SharePSNamespace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

Processor delegates the processing tasks to the generic containerEscapeProcessor.

func (*SharePSNamespace) Stream added in v0.2.2

type TokenBruteforce

type TokenBruteforce struct {
	BaseEdge
}

func (*TokenBruteforce) BatchSize

func (e *TokenBruteforce) BatchSize() int

func (*TokenBruteforce) Label

func (e *TokenBruteforce) Label() string

func (*TokenBruteforce) Name

func (e *TokenBruteforce) Name() string

func (*TokenBruteforce) Processor

func (e *TokenBruteforce) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*TokenBruteforce) Stream

Stream finds all roles that are NOT namespaced and have secrets/get or equivalent wildcard permissions.

func (*TokenBruteforce) Traversal

func (e *TokenBruteforce) Traversal() types.EdgeTraversal

type TokenBruteforceNamespace

type TokenBruteforceNamespace struct {
	BaseEdge
}

func (*TokenBruteforceNamespace) Label

func (e *TokenBruteforceNamespace) Label() string

func (*TokenBruteforceNamespace) Name

func (e *TokenBruteforceNamespace) Name() string

func (*TokenBruteforceNamespace) Processor

func (e *TokenBruteforceNamespace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*TokenBruteforceNamespace) Stream

Stream finds all roles that are namespaced and have secrets/get or equivalent wildcard permissions and matching identities. Matching identities are defined as namespaced identities that share the role namespace or non-namespaced identities.

type TokenList

type TokenList struct {
	BaseEdge
}

func (*TokenList) BatchSize

func (e *TokenList) BatchSize() int

func (*TokenList) Label

func (e *TokenList) Label() string

func (*TokenList) Name

func (e *TokenList) Name() string

func (*TokenList) Processor

func (e *TokenList) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*TokenList) Stream

Stream finds all roles that are NOT namespaced and have secrets/list or equivalent wildcard permissions.

func (*TokenList) Traversal

func (e *TokenList) Traversal() types.EdgeTraversal

type TokenListNamespace

type TokenListNamespace struct {
	BaseEdge
}

func (*TokenListNamespace) Label

func (e *TokenListNamespace) Label() string

func (*TokenListNamespace) Name

func (e *TokenListNamespace) Name() string

func (*TokenListNamespace) Processor

func (e *TokenListNamespace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*TokenListNamespace) Stream

Stream finds all roles that are namespaced and have secrets/list or equivalent wildcard permissions and matching identities. Matching identities are defined as namespaced identities that share the role namespace or non-namespaced identities.

type TokenSteal

type TokenSteal struct {
	BaseEdge
}

func (*TokenSteal) Label

func (e *TokenSteal) Label() string

func (*TokenSteal) Name

func (e *TokenSteal) Name() string

func (*TokenSteal) Processor

func (e *TokenSteal) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*TokenSteal) Stream

type VolumeAccess

type VolumeAccess struct {
	BaseEdge
}

func (*VolumeAccess) Label

func (e *VolumeAccess) Label() string

func (*VolumeAccess) Name

func (e *VolumeAccess) Name() string

func (*VolumeAccess) Processor

func (e *VolumeAccess) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*VolumeAccess) Stream

type VolumeDiscover

type VolumeDiscover struct {
	BaseEdge
}

func (*VolumeDiscover) Label

func (e *VolumeDiscover) Label() string

func (*VolumeDiscover) Name

func (e *VolumeDiscover) Name() string

func (*VolumeDiscover) Processor

func (e *VolumeDiscover) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*VolumeDiscover) Stream

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL