Runtime protection of NodeJS applications using AccuKnox. how to protect NodeJS applications at runtime using Accuknox’s open-source tooling.
NPM packages can contain supply chain threats
NodeJS applications use NPM packages..and these get installed with every Node.js installation by default NPM packages are known to have supply chain issues with malicious npm packages available
Attackers typically compromise the supply chain with their own malicious packages filled with backdoor code to the public repositories and wait for others to implement them in their applications. As we’ve seen time and time again, these threats can spread quietly for months or years without being noticed, allowing the attackers access to your workloads and sensitive data.
Setting up a NodeJS app to demonstrate runtime security
In this blog, we will demonstrate how to protect your Node.js application against such threats by implementing runtime security tools from AccuKnox. These will analyze the application and generate policies that can be enforced by Linux Security Modules (LSMs) like AppArmor and SELinux.
We’ll deploy a Node.js application to a Kubernetes environment and make use of AccuKnox opensource tools to generate zero trust runtime security policies, apply them to the workload and make a comparison on the states before and after installing AccuKnox agents.
The scenario's purpose is to demonstrate how AccuKnox opensource tools can be used to implement zero trust in an environment.
Let's create a Kubernetes cluster
We will deploy a simple application that servers on port 8000 and two endpoints
/api/checkSite which checks for a running service from the input and checks for the validity of a URL respectively.
Feel free to use the below deployment file to deploy the application to your k8s environment
You can also deploy the same file from accuknox/samples GitHub repository by copy-pasting the below command:
This will create a deployment
nodejs-app and a service
nodejs-app-svc. We will take a look at whether the application is running and we have an external IP.
We have our application running and exposed to the public internet via
port 80 with
For the complete code please refer to the accuknox/samples GitHub page
Run-time protection using AccuKnox Open-source tools
Accuknox enables the ability to protect your workloads at run-time. Accuknox enables this by allowing you to configure policies (or auto-discover them) for application and network behavior using KubeArmor, Cilium and Auto Policy Discovery tools
KubeArmor, is open-source software that enables you to protect your cloud workload at run-time.
The problem that KubeArmor solves is that it can prevent cloud workloads from executing malicious activity at runtime. Malicious activity can be any activity that the workload was not designed for or is not supposed to do.
Cilium, is an open-source project to provide eBPF-based networking, security, and observability for cloud-native environments such as Kubernetes clusters and other container orchestration platforms.
Auto Policy Discovery for your Node.js Application
Even though writing KubeArmor and CIlium (System and Network) policies are not a big challenge AccuKnox opensource has it simplified one step further by introducing a new CLI tool for Auto Discovered Policies. The Auto-Discovery module helps users by identifying the flow and generating policies based on it.
Discovering policies has never been better with Auto Discovery. In two simple commands, you can set up and generate policies without having any trouble.
The auto-discovered zero trust runtime security policies can be generated using two commands. We will have to deploy Cilium and KubeArmor to the cluster and use a MySQL pod to store the discovered policies from where they can be downloaded with a single command.
First, we will use the below command to install all prerequisites.
curl -s https://raw.githubusercontent.com/accuknox/tools/main/install.sh | bash
Once the command is run successfully it will install the following components to your cluster:
- KubeArmor protection engine
- Cilium CNI
- Auto policy discovery engine
- MySQL database to keep discovered policies
- Hubble Relay and KubeArmor Relay
Once this is down we can invoke the second script file which will download the auto-discovered policies from the MySQL database and store them locally. For this we will issue the below command:
curl -s https://raw.githubusercontent.com/accuknox/tools/main/get_discovered_yamls.sh | bash
You should be able to see the following output.
In mere seconds after installing executing auto policy discovery tool, it generated 59 Cilium policies and 3 curated KubeArmor policies.
Let us take a look at some of the autodiscovery policies
CIlium Policy #1
Cilium Network Policy
Cilium Policy #2
Cilium Network Policy - 2
From Policy #1 and #2, we can see that there is only external communication from the Node.js pod via ports 53, 80, and 443, and port 53 is used to communicate to kube-dns only.
If we apply this policy it will make sure that the necessary communication via ports 53,80 and 443 are only happening thereby lowering the chances of any network-based attacks or communication happening from the Node.js pod to the external world.
KubeArmor Policy #1
The curated KubeArmor policy is a lengthy one that allows all system calls which are happing in a healthy environment ergo denying all other system calls from happening due to any external factors.
Let us apply all these auto-generated policies and safeguard our workload.
We will apply the
kubearmor_policies_default_default_nodejs-app_bycnubnu.yaml since both are related to the application
nodejs-app deployed on
Note: Policy name will change according to the environment
The Policies in action
It is time to verify whether we were able to achieve zero trust by using the auto-discovered policies generated by AccuKnox opensource tools. To test this we will scan the application with some popular scanners.
Before that let us verify that the policies are applied correctly to the cluster
Since our deployed application checks system information, there may be a chance that the application is vulnerable to 2021 Node.js vulnerabilities. One particular interest would be CVE-2021-21315 since it was a flaw targeted toward the Node.js package which uses system information checks.
The flaw, which has been assigned the number CVE-2021-21315, affects the "system information" npm component, which receives roughly 800,000 weekly downloads and has surpassed 34 million downloads since its debut.
Initiating the Attack scenario
We will initiate the attack by sending crafted requests to the application. Go to the application IP and give a query as
name=$(echo -e 'test' > pwn.txt) and watch the pod to see if any new files are created under the working directory.
The complete request would look something like
http://22.214.171.124/api/getServices?name=$(echo -e 'test' > pwn.txt)
The auto-discovered policies applied earlier are preventing the pod from creating new files under the working directory since it is not normal or safe behavior.
We will delete the KubeArmor and CIlium policy and rerun the exploit and compare the state.
Kubearmor and cilium policy
name=$(echo -e 'test' > pwn.txt)and watch the pod to see if any new files are created under the working directory.
We could see that the attack happened after we deleted the policies which were auto-discovered in a safe environment. This means applying the auto-discovered policies ensured that the workload had been protected at runtime.
Accuknox's policy templates repository
Accuknox's policy templates is an open-source repo that also contains a wide range of attack prevention techniques including MITRE, as well as hardening techniques for your workloads. Please visit
NodeJs cover animate
GitHub - kubearmor/policy-templates: Community curated list of System and Network policy templates for the KubeArmor and Cilium to download and apply policy templates.
Achieving zero trust is the next big thing everyone is trying to accomplish. With AccuKnox an organization can achieve zero trust and stay there with relative ease by making use of opensource tools.