# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit: 
# https://www.accuknox.com/kubearmor/ 

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mitre-t1548-001-setuid-setgid
  namespace: default # Change your namespace
spec:
  message: "Blocked the setuid or setgid flag"
  tags : ["MITRE","T1548.001","Privilege Escalation","S-Bit"]
  selector:
    matchLabels:
        container: ubuntu  # use your own label here
  process:
    matchPaths: 
    - path: /usr/sbin/groupdel
    - path: /usr/sbin/userdel
    - path: /usr/sbin/chgpasswd
    - path: /usr/sbin/groupmod0o
    - path: /usr/sbin/groupadd
    - path: /usr/sbin/newusers
    - path: /usr/sbin/chpasswd
    - path: /usr/sbin/usermod    
    severity: 2 # Higher severity for processes 
    action: Block