You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+14-6Lines changed: 14 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,9 +15,17 @@ GitHub Actions Goat incorporates best practices from the [CISA/ NSA guidance on
15
15
16
16
## Puzzle Time
17
17
18
-
Lets kick things off with a challenge designed to get your analytical gears turning. Take a close look at the [publish.yml](.github/workflows/publish.yml) GitHub Actions workflow. This simple workflow builds and pushes a Docker image, and uses the [Harden-Runner GitHub Action](https://github.com/step-security/harden-runner), which provides Security Observability and Runtime Enforcement for GitHub Actions workflows. Now, we present you with the puzzle. Check out these [network events monitored during a workflow run](https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/5517140370) of this workflow. Notice anything odd? **Why is there an outbound call to `stepsecurity.io` during the workflow run?** Is this expected, or something more nefarious?
18
+
Lets kick things off with a challenge designed to get your analytical gears turning:
- Take a look at the [publish.yml](.github/workflows/publish.yml) GitHub Actions workflow.
21
+
- This workflow uses the [Harden-Runner GitHub Action](https://github.com/step-security/harden-runner), which provides Security Observability and Runtime Enforcement for GitHub Actions workflows.
22
+
- Now, we present you with the puzzle. Check out these [network events monitored during a workflow run](https://app.stepsecurity.io/github/step-security/github-actions-goat/actions/runs/6285441645) of this workflow. Notice anything odd?
23
+
24
+
**Why is there an outbound call to `pastebin.com` during the workflow run?** Is this expected, or something more nefarious?
25
+
26
+
> For the answer of the puzzle, check out the first hands-on tutorial on [Filtering Egress Network Traffic](./docs/Solutions/RestrictOutboundTraffic.md) from a GitHub Actions workflow run.
27
+
28
+
<imgsrc="./images/Puzzle3.png"alt="Puzzle showing outbound call to pastebin.com" >
21
29
22
30
## Threat Scenarios
23
31
@@ -53,7 +61,7 @@ If a workflow is compromised it can potentially be used to push changes to the r
53
61
54
62
> **Real-world incidents**: For examples of real-world incidents in which `GITHUB_TOKEN` was compromised, refer to [Compromise of the GITHUB_TOKEN](./docs/Vulnerabilities/OverprivilegedGITHUB_TOKEN.md)
3. Click on a link in the `Countermeasure` column below and follow the tutorials.
74
+
3. Click on a link in the `Countermeasure` column below and follow the hands-on tutorials.
67
75
68
76
## Vulnerabilities and Countermeasures
69
77
70
78
GitHub Actions Goat not only demonstrates vulnerabilities but also presents solutions and references to best practices for each issue. In each scenario, we demonstrate how a particular threat can be mitigated.
| 1. | Lack of Network Traffic Filtering can lead to Exfiltration of source code and CI/CD Credentials |[GitHub Actions Runtime Security - Filter Network Traffic](docs/Solutions/RestrictOutboundTraffic.md)|["Implement network segmentation and traffic filtering" in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF)|
82
+
| 1. | Lack of Network Traffic Filtering can lead to Exfiltration of source code and CI/CD Credentials |[GitHub Actions Runtime Security - Filter Egress Network Traffic](docs/Solutions/RestrictOutboundTraffic.md)|["Implement network segmentation and traffic filtering" in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF)|
75
83
| 2. | Lack of CI/CD Runtime Security can lead to Tampering of Source Code or Artifacts during Build |[GitHub Actions Runtime Security - Detect File Tampering](docs/Solutions/MonitorSourceCode.md)|["Implement endpoint detection and response (EDR) tools" in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF)|
76
84
| 3. | Lack of Detailed Audit Logs for CI/CD Activities |[Trace deployments to CI/CD pipeline and commit](docs/Solutions/Provenance.md)|["Keep audit logs" section in CISA/NSA guide](https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF)|
77
85
| 4. | Overprivileged GITHUB_TOKEN Permissions can lead to tampering of repository contents or container images |[Update workflows to use least privileged GITHUB_TOKEN permissions](docs/Solutions/FixGITHUB_TOKENPermissions.md)|["Use credentials that are minimally scoped" in GitHub's Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets)|
Copy file name to clipboardExpand all lines: docs/Solutions/RestrictOutboundTraffic.md
+41-9Lines changed: 41 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -35,9 +35,19 @@ As we will see next, one of these steps is making an unexpected outbound call, b
35
35
36
36
You can now see that the `npm install` step is making a call to `pastebin.com`, which is not expected.
37
37
38
+
### Answer to the puzzle
39
+
40
+
There is a [Puzzle in the README](../../README.md#puzzle-time) about a call to `pastebin.com`. To understand why this call is being made:
41
+
42
+
- Check out the `package.json` file of the [exfiltration-demo](../../src/exfiltration-demo/package.json) folder.
43
+
- It has a dependency called `@step-security/malware-simulator`
44
+
- This dependency simulates a malicious package. Its [package.json](../../src/malware-simulators/exfiltration-simulator/package.json) has a `pre-install` step that calls [compile.js](../../src/malware-simulators/exfiltration-simulator/compile.js)
45
+
- The compile.js file makes an outbound call to `pastebin.com`
46
+
- As a result, when `npm install` is run in the workflow, the `pre-install` step of the dependency is run, which makes the outbound call.
47
+
38
48
### Network Filtering with Harden-Runner
39
49
40
-
In the insights page, you will see a recommended policy to filter egress traffic to allowed destinations.
50
+
Now lets see how to filter traffic to expected destinations and block everything else.
41
51
42
52
1. Go to the `Actions` tab and run the `Hosted: Network Filtering with Harden-Runner` workflow.
43
53
@@ -71,28 +81,50 @@ For a demo of a workflow running on ARC with Harden Runner integrated, follow th
71
81
Notice that `harden-runner` Action is not added to this workflow, and that this workflow runs on a `self-hosted` runner.
72
82
73
83
2. Check out an example run of this workflow here:
You can apply a secure-by-default ARC Cluster Level Network Policy that restricts outbound traffic for any job that is run on the ARC managed runners. This ensures that all workflows have a baseline restrictive policy applied.
Notice that `harden-runner` Action is not added to this workflow. This workflow has two jobs. One runs on a `self-hosted` runner secured by ARC Harden-Runner and the other on a GitHub-Hosted runner. Both jobs make an outbound call to a direct IP address.
102
+
103
+
2. Check out an example run of this workflow here:
The call to the direct IP address succeeds for the GitHub-Hosted runner, but is blocked for the self-hosted runner.
107
+
This is because ARC Harden-Runner does not allow calls to direct IP addresses in the secure-by-default policy.
108
+
Typically workflows do not need to make calls to direct IP addresses, but compromised tools or dependencies sometimes make calls to direct IP addresses to avoid detection from DNS monitoring.
You will see that the call to the direct IP address has been blocked.
114
+
82
115
### Network Filtering with Harden Runner
83
116
84
-
To filter traffic in self-hosted ARC runner, you use the `harden-runner` GitHub Action in `block` mode.
117
+
While there is a secure-by-default policy, to filter traffic to specific destinations in a job run in self-hosted ARC runner, you use the `harden-runner` GitHub Action in `block` mode.
0 commit comments