# KubeArmor is an open source software that enables you to protect your cloud workload at run-time. # To learn more about KubeArmor visit: # https://www.accuknox.com/kubearmor/ apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: name: ksp-mitre-t1548-001-setuid-setgid namespace: default # Change your namespace spec: message: "Blocked the setuid or setgid flag" tags : ["MITRE","T1548.001","Privilege Escalation","S-Bit"] selector: matchLabels: container: ubuntu # use your own label here process: matchPaths: - path: /usr/sbin/groupdel - path: /usr/sbin/userdel - path: /usr/sbin/chgpasswd - path: /usr/sbin/groupmod0o - path: /usr/sbin/groupadd - path: /usr/sbin/newusers - path: /usr/sbin/chpasswd - path: /usr/sbin/usermod severity: 2 # Higher severity for processes action: Block