edge

package
v0.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 11, 2023 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var P = gremlin.P
View Source 
var SafeWriteMountList = []primitive.Regex{
	{Pattern: "^/var/run/datadog-agent$"},
	{Pattern: "^/etc/datadog-agent$"},
	{Pattern: "^/etc/datadog-agent/auth$"},
	{Pattern: "^/etc/datadog$"},
	{Pattern: "^/run/xtables\\.lock$"},
	{Pattern: "^/mnt/disks"},
	{Pattern: "^/opt/datadog-agent/run"},
	{Pattern: "^/sys/kernel/debug"},
	{Pattern: "^/tmp?.*"},
	{Pattern: "^/var/run/.*"},
	{Pattern: "^/mnt/.*"},
	{Pattern: "^/mnt/.*"},
	{Pattern: "^/var/lib/datadog-agent/.*"},
	{Pattern: "^/var/tmp/datadog-agent/.*"},
	{Pattern: "^/run/udev"},
	{Pattern: "^/lib/udev"},
	{Pattern: "^/etc/udev"},
	{Pattern: "^/data/[a-zA-Z0-9\\-]*/shared"},
	{Pattern: "^/opt/datadog/heapdumps"},
	{Pattern: "^/var/datadog/dumps"},
}

Common safe mounts that are deemed not exploitable

View Source 
var TokenMountList = []primitive.Regex{
	{Pattern: "^/$"},
	{Pattern: "^/var$"},
	{Pattern: "^/var/lib$"},
	{Pattern: "^/var/lib/kubelet$"},
	{Pattern: "^/var/lib/kubelet/pods$"},
	{Pattern: "^/var/lib/kubelet/pods/.*"},
}

Mounts that grant access to the pod service account tokens that reside in /var/lib/kubelet/pods/<uid>/volumes/kubernetes.io~projected/<name>/

View Source 
var UnsafeReadMountlist = []primitive.Regex{
	{Pattern: "^/$"},
	{Pattern: "^/home$"},
	{Pattern: "^/home/[a-zA-Z0-9]*/\\.ssh"},
	{Pattern: "^/root$"},
	{Pattern: "^/root/\\.ssh"},
	{Pattern: "^/proc$"},
	{Pattern: "^/etc$"},
}

Dangerous mounts that can be abused to read secrets granting execution on the host

Functions

func Register 

func Register(edge Builder, flags RegistrationFlag)

Register loads the provided edge into the registry.

Types

type BaseContainerEscape 

type BaseContainerEscape struct {
	BaseEdge
}

func (*BaseContainerEscape) Traversal 

func (e *BaseContainerEscape) Traversal() types.EdgeTraversal

type BaseEdge 

type BaseEdge struct {
	// contains filtered or unexported fields
}

func (*BaseEdge) BatchSize 

func (e *BaseEdge) BatchSize() int

func (*BaseEdge) Initialize 

func (e *BaseEdge) Initialize(cfg *config.EdgeBuilderConfig) error

func (*BaseEdge) Traversal 

func (e *BaseEdge) Traversal() types.EdgeTraversal

type Builder 

type Builder interface {
	// Initialize intializes an edge builder from the application config
	Initialize(cfg *config.EdgeBuilderConfig) error

	// Name returns the unique name for the edge builder. This must be unique.
	Name() string

	// Label returns the label for the edge (convention is all uppercase i.e EDGE_NAME).
	Label() string

	// BatchSize returns the batch size of bulk inserts (and threshold for triggering a flush).
	BatchSize() int

	// Traversal returns a graph traversal function that enables creating edges from an input array of TraversalInput objects.
	Traversal() types.EdgeTraversal

	// Processor transforms an object queued for writing to a format suitable for consumption by the Traversal function.
	Processor(context.Context, *converter.ObjectIDConverter, any) (any, error)

	// Stream will query the store db for the data required to create an edge and stream to graph DB via callbacks.
	// Each query result is encapsulated within an DataContainer and transformed to a TraversalInput via a call to
	// the edge's Processor function. Invoking the complete callback signals the end of the stream.
	Stream(ctx context.Context, store storedb.Provider, cache cache.CacheReader,
		process types.ProcessEntryCallback, complete types.CompleteQueryCallback) error
}

type ContainerAttach 

type ContainerAttach struct {
	BaseEdge
}

func (*ContainerAttach) Label 

func (e *ContainerAttach) Label() string

func (*ContainerAttach) Name 

func (e *ContainerAttach) Name() string

func (*ContainerAttach) Processor 

func (e *ContainerAttach) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*ContainerAttach) Stream 

func (e *ContainerAttach) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

func (*ContainerAttach) Traversal 

func (e *ContainerAttach) Traversal() types.EdgeTraversal

type EndpointExploitExternal 

type EndpointExploitExternal struct {
	BaseEdge
}

func (*EndpointExploitExternal) Label 

func (e *EndpointExploitExternal) Label() string

func (*EndpointExploitExternal) Name 

func (e *EndpointExploitExternal) Name() string

func (*EndpointExploitExternal) Processor 

func (e *EndpointExploitExternal) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*EndpointExploitExternal) Stream 

func (e *EndpointExploitExternal) Stream(ctx context.Context, store storedb.Provider, c cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type EndpointExploitInternal 

type EndpointExploitInternal struct {
	BaseEdge
}

func (*EndpointExploitInternal) Label 

func (e *EndpointExploitInternal) Label() string

func (*EndpointExploitInternal) Name 

func (e *EndpointExploitInternal) Name() string

func (*EndpointExploitInternal) Processor 

func (e *EndpointExploitInternal) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*EndpointExploitInternal) Stream 

func (e *EndpointExploitInternal) Stream(ctx context.Context, store storedb.Provider, c cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type EscapeModuleLoad 

type EscapeModuleLoad struct {
	BaseContainerEscape
}

func (*EscapeModuleLoad) Label 

func (e *EscapeModuleLoad) Label() string

func (*EscapeModuleLoad) Name 

func (e *EscapeModuleLoad) Name() string

func (*EscapeModuleLoad) Processor 

func (e *EscapeModuleLoad) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

Processor delegates the processing tasks to to the generic containerEscapeProcessor.

func (*EscapeModuleLoad) Stream 

func (e *EscapeModuleLoad) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type EscapeNsenter 

type EscapeNsenter struct {
	BaseContainerEscape
}

func (*EscapeNsenter) Label 

func (e *EscapeNsenter) Label() string

func (*EscapeNsenter) Name 

func (e *EscapeNsenter) Name() string

func (*EscapeNsenter) Processor 

func (e *EscapeNsenter) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

Processor delegates the processing tasks to to the generic containerEscapeProcessor.

func (*EscapeNsenter) Stream 

func (e *EscapeNsenter) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type EscapePrivMount 

type EscapePrivMount struct {
	BaseContainerEscape
}

func (*EscapePrivMount) Label 

func (e *EscapePrivMount) Label() string

func (*EscapePrivMount) Name 

func (e *EscapePrivMount) Name() string

func (*EscapePrivMount) Processor 

func (e *EscapePrivMount) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

Processor delegates the processing tasks to to the generic containerEscapeProcessor.

func (*EscapePrivMount) Stream 

func (e *EscapePrivMount) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type EscapeSysPtrace 

type EscapeSysPtrace struct {
	BaseContainerEscape
}

func (*EscapeSysPtrace) Label 

func (e *EscapeSysPtrace) Label() string

func (*EscapeSysPtrace) Name 

func (e *EscapeSysPtrace) Name() string

func (*EscapeSysPtrace) Processor 

func (e *EscapeSysPtrace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

Processor delegates the processing tasks to to the generic containerEscapeProcessor.

func (*EscapeSysPtrace) Stream 

func (e *EscapeSysPtrace) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type ExploitHostRead 

type ExploitHostRead struct {
	BaseEdge
}

func (*ExploitHostRead) Label 

func (e *ExploitHostRead) Label() string

func (*ExploitHostRead) Name 

func (e *ExploitHostRead) Name() string

func (*ExploitHostRead) Processor 

func (e *ExploitHostRead) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*ExploitHostRead) Stream 

func (e *ExploitHostRead) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type ExploitHostTraverse 

type ExploitHostTraverse struct {
	BaseEdge
}

func (*ExploitHostTraverse) Label 

func (e *ExploitHostTraverse) Label() string

func (*ExploitHostTraverse) Name 

func (e *ExploitHostTraverse) Name() string

func (*ExploitHostTraverse) Processor 

func (e *ExploitHostTraverse) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*ExploitHostTraverse) Stream 

func (e *ExploitHostTraverse) Stream(ctx context.Context, store storedb.Provider, c cache.CacheReader,
	process types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type ExploitHostWrite 

type ExploitHostWrite struct {
	BaseEdge
}

func (*ExploitHostWrite) Label 

func (e *ExploitHostWrite) Label() string

func (*ExploitHostWrite) Name 

func (e *ExploitHostWrite) Name() string

func (*ExploitHostWrite) Processor 

func (e *ExploitHostWrite) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*ExploitHostWrite) Stream 

func (e *ExploitHostWrite) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type IdentityAssumeContainer 

type IdentityAssumeContainer struct {
	BaseEdge
}

func (*IdentityAssumeContainer) Label 

func (e *IdentityAssumeContainer) Label() string

func (*IdentityAssumeContainer) Name 

func (e *IdentityAssumeContainer) Name() string

func (*IdentityAssumeContainer) Processor 

func (e *IdentityAssumeContainer) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*IdentityAssumeContainer) Stream 

func (e *IdentityAssumeContainer) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type IdentityAssumeNode 

type IdentityAssumeNode struct {
	BaseEdge
}

func (*IdentityAssumeNode) Label 

func (e *IdentityAssumeNode) Label() string

func (*IdentityAssumeNode) Name 

func (e *IdentityAssumeNode) Name() string

func (*IdentityAssumeNode) Processor 

func (e *IdentityAssumeNode) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*IdentityAssumeNode) Stream 

func (e *IdentityAssumeNode) Stream(ctx context.Context, store storedb.Provider, c cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type PermissionDiscover 

type PermissionDiscover struct {
	BaseEdge
}

func (*PermissionDiscover) Label 

func (e *PermissionDiscover) Label() string

func (*PermissionDiscover) Name 

func (e *PermissionDiscover) Name() string

func (*PermissionDiscover) Processor 

func (e *PermissionDiscover) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PermissionDiscover) Stream 

func (e *PermissionDiscover) Stream(ctx context.Context, store storedb.Provider, c cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type PodAttach 

type PodAttach struct {
	BaseEdge
}

func (*PodAttach) Label 

func (e *PodAttach) Label() string

func (*PodAttach) Name 

func (e *PodAttach) Name() string

func (*PodAttach) Processor 

func (e *PodAttach) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodAttach) Stream 

func (e *PodAttach) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type PodCreate 

type PodCreate struct {
	BaseEdge
}

func (*PodCreate) BatchSize 

func (e *PodCreate) BatchSize() int

func (*PodCreate) Label 

func (e *PodCreate) Label() string

func (*PodCreate) Name 

func (e *PodCreate) Name() string

func (*PodCreate) Processor 

func (e *PodCreate) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodCreate) Stream 

func (e *PodCreate) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

Stream finds all roles that have pod/create or equivalent wildcard permissions.

func (*PodCreate) Traversal 

func (e *PodCreate) Traversal() types.EdgeTraversal

type PodExec 

type PodExec struct {
	BaseEdge
}

func (*PodExec) BatchSize 

func (e *PodExec) BatchSize() int

func (*PodExec) Label 

func (e *PodExec) Label() string

func (*PodExec) Name 

func (e *PodExec) Name() string

func (*PodExec) Processor 

func (e *PodExec) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodExec) Stream 

func (e *PodExec) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

Stream finds all roles that are NOT namespaced and have pod/exec or equivalent wildcard permissions.

func (*PodExec) Traversal 

func (e *PodExec) Traversal() types.EdgeTraversal

type PodExecNamespace 

type PodExecNamespace struct {
	BaseEdge
}

func (*PodExecNamespace) Label 

func (e *PodExecNamespace) Label() string

func (*PodExecNamespace) Name 

func (e *PodExecNamespace) Name() string

func (*PodExecNamespace) Processor 

func (e *PodExecNamespace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodExecNamespace) Stream 

func (e *PodExecNamespace) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

Stream finds all roles that are namespaced and have pod/exec or equivalent wildcard permissions and matching pods. Matching pods are defined as all pods that share the role namespace or non-namespaced pods.

type PodPatch 

type PodPatch struct {
	BaseEdge
}

func (*PodPatch) BatchSize 

func (e *PodPatch) BatchSize() int

func (*PodPatch) Label 

func (e *PodPatch) Label() string

func (*PodPatch) Name 

func (e *PodPatch) Name() string

func (*PodPatch) Processor 

func (e *PodPatch) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodPatch) Stream 

func (e *PodPatch) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

Stream finds all roles that have pod/patch or equivalent wildcard permissions.

func (*PodPatch) Traversal 

func (e *PodPatch) Traversal() types.EdgeTraversal

type PodPatchNamespace 

type PodPatchNamespace struct {
	BaseEdge
}

func (*PodPatchNamespace) Label 

func (e *PodPatchNamespace) Label() string

func (*PodPatchNamespace) Name 

func (e *PodPatchNamespace) Name() string

func (*PodPatchNamespace) Processor 

func (e *PodPatchNamespace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*PodPatchNamespace) Stream 

func (e *PodPatchNamespace) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

Stream finds all roles that are namespaced and have pod/exec or equivalent wildcard permissions and matching pods. Matching pods are defined as all pods that share the role namespace or non-namespaced pods.

type RegistrationFlag 

type RegistrationFlag uint8
const (
	RegisterDefault       RegistrationFlag = 1 << iota // Default edge
	RegisterGraphMutation                              // Edge can mutate the graph
)

type Registry 

type Registry struct {
	// contains filtered or unexported fields
}

Registry holds details of edges (i.e attacks) registered in KubeHound.

func Registered 

func Registered() *Registry

Registered returns the edge registry singleton.

func (*Registry) Mutating 

func (r *Registry) Mutating() map[string]Builder

Mutating returns the map of registered mutating edge builders.

func (*Registry) Simple 

func (r *Registry) Simple() map[string]Builder

Simple returns the map of registered edge builders.

type TokenBruteforce 

type TokenBruteforce struct {
	BaseEdge
}

func (*TokenBruteforce) BatchSize 

func (e *TokenBruteforce) BatchSize() int

func (*TokenBruteforce) Label 

func (e *TokenBruteforce) Label() string

func (*TokenBruteforce) Name 

func (e *TokenBruteforce) Name() string

func (*TokenBruteforce) Processor 

func (e *TokenBruteforce) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*TokenBruteforce) Stream 

func (e *TokenBruteforce) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

Stream finds all roles that are NOT namespaced and have secrets/get or equivalent wildcard permissions.

func (*TokenBruteforce) Traversal 

func (e *TokenBruteforce) Traversal() types.EdgeTraversal

type TokenBruteforceNamespace 

type TokenBruteforceNamespace struct {
	BaseEdge
}

func (*TokenBruteforceNamespace) Label 

func (e *TokenBruteforceNamespace) Label() string

func (*TokenBruteforceNamespace) Name 

func (e *TokenBruteforceNamespace) Name() string

func (*TokenBruteforceNamespace) Processor 

func (e *TokenBruteforceNamespace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*TokenBruteforceNamespace) Stream 

func (e *TokenBruteforceNamespace) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

Stream finds all roles that are namespaced and have secrets/get or equivalent wildcard permissions and matching identities. Matching identities are defined as namespaced identities that share the role namespace or non-namespaced identities.

type TokenList 

type TokenList struct {
	BaseEdge
}

func (*TokenList) BatchSize 

func (e *TokenList) BatchSize() int

func (*TokenList) Label 

func (e *TokenList) Label() string

func (*TokenList) Name 

func (e *TokenList) Name() string

func (*TokenList) Processor 

func (e *TokenList) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*TokenList) Stream 

func (e *TokenList) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

Stream finds all roles that are NOT namespaced and have secrets/list or equivalent wildcard permissions.

func (*TokenList) Traversal 

func (e *TokenList) Traversal() types.EdgeTraversal

type TokenListNamespace 

type TokenListNamespace struct {
	BaseEdge
}

func (*TokenListNamespace) Label 

func (e *TokenListNamespace) Label() string

func (*TokenListNamespace) Name 

func (e *TokenListNamespace) Name() string

func (*TokenListNamespace) Processor 

func (e *TokenListNamespace) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*TokenListNamespace) Stream 

func (e *TokenListNamespace) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

Stream finds all roles that are namespaced and have secrets/list or equivalent wildcard permissions and matching identities. Matching identities are defined as namespaced identities that share the role namespace or non-namespaced identities.

type TokenSteal 

type TokenSteal struct {
	BaseEdge
}

func (*TokenSteal) Label 

func (e *TokenSteal) Label() string

func (*TokenSteal) Name 

func (e *TokenSteal) Name() string

func (*TokenSteal) Processor 

func (e *TokenSteal) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*TokenSteal) Stream 

func (e *TokenSteal) Stream(ctx context.Context, sdb storedb.Provider, c cache.CacheReader,
	process types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type VolumeAccess 

type VolumeAccess struct {
	BaseEdge
}

func (*VolumeAccess) Label 

func (e *VolumeAccess) Label() string

func (*VolumeAccess) Name 

func (e *VolumeAccess) Name() string

func (*VolumeAccess) Processor 

func (e *VolumeAccess) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*VolumeAccess) Stream 

func (e *VolumeAccess) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

type VolumeDiscover 

type VolumeDiscover struct {
	BaseEdge
}

func (*VolumeDiscover) Label 

func (e *VolumeDiscover) Label() string

func (*VolumeDiscover) Name 

func (e *VolumeDiscover) Name() string

func (*VolumeDiscover) Processor 

func (e *VolumeDiscover) Processor(ctx context.Context, oic *converter.ObjectIDConverter, entry any) (any, error)

func (*VolumeDiscover) Stream 

func (e *VolumeDiscover) Stream(ctx context.Context, store storedb.Provider, _ cache.CacheReader,
	callback types.ProcessEntryCallback, complete types.CompleteQueryCallback) error

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.