Getting started: Calibration
If you have never used this software, or you modified it non-trivially, these steps help to validate each component.
(Assuming your honey-stack is all running)
In the Makefile_calibrate_kubehound, choose a few attacks, ideally ones you understand.
Example: we pick EXPLOIT_CONTAINERD_SOCK and EXPLOIT_HOST_READ_TRAVERSE and uncomment those in all four occurrences:
I suggest you delete all lists and tables in Redis that you don't need. I usually delete all but the benign_logs.
Optional:
The dedup feature that vector implements is very nifty, but it can swallow logs during debugging.
To switch it off, edit /honeystack/vector/gkevalues.yaml:
make --makefile=Makefile_calibrate_kubehound calibrate
On kind, I have approx 60-70 logs appearing (w/o dedup).
Verify that the attack pods are green. Now delete the attacks again. This is so as not to interfere with the analysis, and because those pods are vulnerable (which may be quite relevant on clusters that are exposed in any form).
make --makefile=Makefile_calibrate_kubehound wipe
If you have dedup switched on and you are missing logs, or you suspect that your tracingpolicy is somehow not working, check the tetragon pod logs (both stdout for the policy logs and the container logs for tetragon's own behaviour).

Port forward it from namespace storm and press the Reload Tetragon Logs into Redis button.

Choose the corresponding STIX 2.1 patterns; you can use the curls in this file for inspiration and/or read the grammar at https://github.com/oasis-open/cti-stix2-json-schemas/blob/master/pattern_grammar/STIXPattern.g4

Once loaded, you can edit, add or delete them in the UI as well:
For EXPLOIT_HOST_READ_TRAVERSE, which is very noisy, we use the LIKE syntax to match on the kprobe arguments.
[process:extensions.function_name MATCHES 'openat' AND process:extensions.kprobe_arguments.string_arg LIKE '%kubernetes.io~projected%token%' ]
For EXPLOIT_CONTAINERD_SOCK, we need to exclude lots of containerd sockets that are benign, so we choose to match on the socket state (which may very well not work on your machine; see the details in the comments of ~/traces/kubehound-verify/calibrationtraces/1-exploit-containerd-sock.yaml)
[process:extensions.function_name MATCHES 'sys_connect' AND process:command_line MATCHES 'crictl' AND process:extensions.kprobe_arguments.sock_arg.state MATCHES '110' ]
To simply upload all of them, use
./lightening-rod/testpost.sh
In the UI, now press Select All for Processing; the logs will appear on the right of the two-column pane. If you intend to look at the details of the logs while this UI is unfinished, you may want to select 50 in the drop-down. The drag-n-drop feature is currently not recommended.
Now, press Transform to STIX and possibly toggle the dropdowns:
You can currently choose between 2 views (future: 4): individually transformed matches OR all transformed matches for one pattern. (Additionally planned are: all matches on one attack tree, and all matches within a given time span.)
Above, we see that the pattern for EXPLOIT_HOST_READ_TRAVERSE is not sufficiently unique. It also gets picked up by the EXPLOIT_HOST_READ pattern. This may or may not be what you want.
You can click on all the visual elements to see the details.
In case the above didn't work, you may want to inspect the logs of the lighteningrod pod and compare to the file ~/lightening-rod/manual.py

These errors are often related to patterns that match only one but not all of the conditions in an AND
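To see why the two patterns above behave as they do (the TRAVERSE pattern overlapping with a broader read pattern, and an AND where only some comparisons hold), here is a small evaluator for the subset of STIX 2.1 pattern syntax used on this page. It is an added illustration, not code from lightening-rod or honeystack: the flattened `object:path` keys assume the STIX mapping the pipeline applies to Tetragon kprobe events, the event values are constructed, and the `EXPLOIT_HOST_READ (assumed)` pattern is a hypothetical stand-in for the real EXPLOIT_HOST_READ pattern, which this page does not show.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample observations (not real Tetragon or lightening-rod output).
# The keys assume the "object:path" flattening the pipeline is presumed to use.
EVENTS: List[Event] = [
    {   # 0: reads a projected service-account token via a host path
        "process:extensions.function_name": "__x64_sys_openat",
        "process:extensions.kprobe_arguments.string_arg":
            "/var/lib/kubelet/pods/0000-0000/volumes/kubernetes.io~projected/kube-api-access-abc12/token",
        "process:command_line": "cat /host/var/lib/kubelet/pods/0000-0000/volumes/kubernetes.io~projected/kube-api-access-abc12/token",
    },
    {   # 1: ordinary file open, should match nothing
        "process:extensions.function_name": "__x64_sys_openat",
        "process:extensions.kprobe_arguments.string_arg": "/etc/hosts",
        "process:command_line": "cat /etc/hosts",
    },
    {   # 2: benign connect from the runtime shim, socket not in state 110
        "process:extensions.function_name": "__x64_sys_connect",
        "process:command_line": "containerd-shim-runc-v2",
        "process:extensions.kprobe_arguments.sock_arg.state": "1",
    },
    {   # 3: crictl talking to the containerd socket
        "process:extensions.function_name": "__x64_sys_connect",
        "process:command_line": "crictl ps",
        "process:extensions.kprobe_arguments.sock_arg.state": "110",
    },
]

PATTERNS = {
    # the two patterns from this page
    "EXPLOIT_HOST_READ_TRAVERSE": "[process:extensions.function_name MATCHES 'openat' AND process:extensions.kprobe_arguments.string_arg LIKE '%kubernetes.io~projected%token%' ]",
    "EXPLOIT_CONTAINERD_SOCK": "[process:extensions.function_name MATCHES 'sys_connect' AND process:command_line MATCHES 'crictl' AND process:extensions.kprobe_arguments.sock_arg.state MATCHES '110' ]",
    # hypothetical broader pattern standing in for the page's EXPLOIT_HOST_READ
    "EXPLOIT_HOST_READ (assumed)": "[process:extensions.function_name MATCHES 'openat' AND process:extensions.kprobe_arguments.string_arg LIKE '%token%' ]",
}

# one comparison: <object path> <operator> '<literal>'
COMPARISON = re.compile(r"(\S+)\s+(MATCHES|LIKE|=)\s+'([^']*)'")


def parse_pattern(pattern: str) -> List[Tuple[str, str, str]]:
    """Extract (object_path, operator, literal) triples from a single-observation
    STIX pattern made of AND-joined comparisons. Only this subset is handled."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a bracketed observation expression")
    triples = COMPARISON.findall(body[1:-1])
    if not triples:
        raise ValueError("no comparison expressions found")
    return triples


def like_to_regex(literal: str) -> str:
    """STIX LIKE uses SQL wildcards: % is any run of characters, _ is one."""
    out = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in literal)
    return f"^{out}$"


def comparison_holds(event: Event, path: str, op: str, literal: str) -> bool:
    value = event.get(path)
    if value is None:
        return False  # an absent property never satisfies a comparison
    if op == "MATCHES":
        return re.search(literal, value) is not None  # MATCHES is a regex search
    if op == "LIKE":
        return re.match(like_to_regex(literal), value) is not None
    return value == literal


def pattern_matches(event: Event, pattern: str) -> bool:
    return all(comparison_holds(event, p, op, lit) for p, op, lit in parse_pattern(pattern))


def failing_comparisons(event: Event, pattern: str) -> List[str]:
    """List the comparisons of the AND that fail for this event: the debugging
    case where a pattern satisfies some but not all of its conditions."""
    return [f"{p} {op} '{lit}'" for p, op, lit in parse_pattern(pattern)
            if not comparison_holds(event, p, op, lit)]


def classify(events: List[Event], patterns: Dict[str, str]) -> Dict[str, List[int]]:
    """Map each pattern name to the indices of the events it matches."""
    return {name: [i for i, ev in enumerate(events) if pattern_matches(ev, pat)]
            for name, pat in patterns.items()}


if __name__ == "__main__":
    for name, hits in classify(EVENTS, PATTERNS).items():
        print(f"{name}: events {hits}")
    # event 2 fails two of the three conditions of the containerd pattern
    print(failing_comparisons(EVENTS[2], PATTERNS["EXPLOIT_CONTAINERD_SOCK"]))
```

Running it shows event 0 hit by both the TRAVERSE pattern and the broader assumed read pattern (the overlap noted above), event 3 hit only by EXPLOIT_CONTAINERD_SOCK, and `failing_comparisons` naming exactly which parts of an AND an event does not satisfy, which is the first thing to check when a pattern produces no transformed match.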