Add rule for checking for presence of known GTFOBins on filesystems #315
Conversation
Signed-off-by: Karanjot Singh <drquark@duck.com>
Signed-off-by: Karanjot Singh <drquark@duck.com>
@alegrey91 Could you review this PR?
@alegrey91 I think you closed this instead of merging?
Hello @0xquark, and thanks a lot for your contribution! We really appreciate your effort :)
Yes, sorry 😅
Hi @0xquark and still thanks for your contribution!
I just checked the code that you submitted.
It looks good, but I realized that we don't have as much information available in order to have a deep overview about the GTFOBins present.
What I mean is that we should be able to extract for each container the whole list of binaries inside them and use this list to effectively check their presence.
In your implementation (the only possible at the moment), we can only have a limited knowledge about them, since we don't have enough data.
I'm going to schedule an internal call with the team in order to take a decision on how to provide these data and allow you to implement a better and more complete rule.
I'll keep you updated :)
If you have any doubt feel free to ask. I'll try to make you understand better the point.
@0xquark, sorry for my confusion. Is this rule connected to a control?
Signed-off-by: Karanjot Singh <drquark@duck.com>
Adding to this, I think that we will have access to image SBOMs within a few weeks. This means we can look for packages containing these binaries in Kubescape API SBOM objects.
Thanks for the review @alegrey91 and @slashben. I first thought of implementing it by iterating over all the present binaries in a container, but I was not able to find a way to do that (Is it possible if I use find on
…tainer Signed-off-by: Karanjot Singh <drquark@duck.com>
My implementation of the above rule using find: https://pastebin.com/1ef61nTP
@alegrey91, @0xquark - hey guys, what is the status of this PR?
Fixes #310
Summary
The rule checks for the presence of known GTFOBins binaries on the file system. It uses a set of file paths for the binaries and checks if any of those paths match the file path of any file on the system. If a match is found, a violation is generated.
Test Cases
Comments
There are standard Unix binaries that are commonly installed on many systems, and they can be used for legitimate purposes as well, so I wasn't sure whether to include them or not. Please let me know which GTFOBins files would be a good standard for this rule. I've added the most common ones.
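As an added illustration, not the PR's own code and not written in the project's rule format, the matching step the summary describes: a set of known GTFOBins paths is intersected with a container's file listing, and each match becomes a violation record. It goes one step beyond the summary by folding /bin and /sbin onto their /usr counterparts so a binary is reported once regardless of which alias the listing shows; the GTFOBins set and the file listing are constructed sample data.

```python
from pathlib import PurePosixPath
from typing import Iterable, List, Optional

# Constructed sample of well-known GTFOBins paths; a real rule would carry a
# fuller, curated list. Not the PR's actual list.
KNOWN_GTFOBINS = {
    "/bin/bash", "/usr/bin/awk", "/usr/bin/find",
    "/usr/bin/python3", "/usr/bin/vim",
}

# On merged-/usr systems /bin and /sbin are symlinks to /usr/bin and /usr/sbin,
# so a file listing may show either spelling of the same binary.
_ALIASES = {"/bin/": "/usr/bin/", "/sbin/": "/usr/sbin/"}


def normalize(path: str) -> str:
    """Collapse redundant separators and map /bin, /sbin onto their /usr twins."""
    p = str(PurePosixPath(path))
    for short, full in _ALIASES.items():
        if p.startswith(short):
            return full + p[len(short):]
    return p


def find_gtfobins(file_paths: Iterable[str], known=KNOWN_GTFOBINS) -> List[str]:
    """Return the sorted, de-duplicated known GTFOBins present in `file_paths`.

    Matching is done on the normalized absolute path, so /bin/bash and
    /usr/bin/bash count as one binary.
    """
    wanted = {normalize(k) for k in known}
    hits = {normalize(p) for p in file_paths if normalize(p) in wanted}
    return sorted(hits)


def violation(container: str, file_paths: Iterable[str]) -> Optional[dict]:
    """Build one violation record for a container, or None when nothing matched."""
    hits = find_gtfobins(file_paths)
    if not hits:
        return None
    return {"container": container, "gtfobins": hits,
            "message": f"{container}: {len(hits)} known GTFOBins present"}


if __name__ == "__main__":
    # Constructed file listing standing in for a container's filesystem.
    listing = ["/bin/bash", "/usr/bin/bash", "/usr/bin/ls", "/usr/bin/awk",
               "/etc/passwd", "/usr/bin//vim"]
    print(violation("web", listing))
```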