updated templates
Prince Chaddha
parent
11445ea3e4
commit
d7c6e2f33d
|
|
@ -4,11 +4,11 @@ info:
|
|||
name: Privileged Containers Found in Deployments
|
||||
author: princechaddha
|
||||
severity: critical
|
||||
description: Checks for containers running in privileged mode within Kubernetes Deployments, which can pose significant security risks.
|
||||
description: Checks for containers running in privileged mode within Kubernetes Deployments, and now also checks for user privileges and privilege escalation settings.
|
||||
impact: |
|
||||
Running containers in privileged mode grants them access to host resources and could lead to security breaches if the container is compromised.
|
||||
Running containers in privileged mode, as the root user, or with privilege escalation enabled can grant them access to host resources and could lead to security breaches if the container is compromised.
|
||||
remediation: |
|
||||
Ensure that no container in Kubernetes Deployments runs in privileged mode. Modify the security context for each container to set `privileged: false`.
|
||||
Ensure that no container in Kubernetes Deployments runs in privileged mode, as the root user, or with privilege escalation enabled. Modify the security context for each container to set `privileged: false`, `runAsUser` appropriately, and `allowPrivilegeEscalation: false`.
|
||||
reference:
|
||||
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged
|
||||
tags: cloud,devops,kubernetes,k8s,devsecops,deployments
|
||||
|
|
@ -36,13 +36,17 @@ code:
|
|||
javascript:
|
||||
- code: |
|
||||
deployment = JSON.parse(template.deployment);
|
||||
if (deployment.spec.template.spec.containers.some(container => container.securityContext && container.securityContext.privileged)) {
|
||||
let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' is running one or more containers in privileged mode.`);
|
||||
for (let container of deployment.spec.template.spec.containers) {
|
||||
let sc = container.securityContext || {};
|
||||
if (sc.privileged || sc.runAsUser < 1000 || sc.allowPrivilegeEscalation) {
|
||||
let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' is running container '${container.name}' with insecure settings: Privileged=${sc.privileged}, runAsUser=${sc.runAsUser}, allowPrivilegeEscalation=${sc.allowPrivilegeEscalation}.`);
|
||||
Export(result);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
extractors:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- response
|
||||
# digest: 4a0a00473045022100f896dc71c39119ecfd505a21a22dfcec6e06896f4d4b528cec13cf998181dd3902203458b94c2d0bf33603b64f5aa503123505a983941b01b9d0aada0b8985666044:366f2a24c8eb519f6968bd8801c08ebe
|
||||
# digest: 490a00463044022038295a725d25b77f920cfd32a5a407220f8f9c5faa37544670696f4cea356434022027fd56a2feae1101fe03c0d2e6e2452a2a89947f5c14e9711b8a744d11368b1e:366f2a24c8eb519f6968bd8801c08ebe
|
||||
|
|
@ -4,19 +4,19 @@ info:
|
|||
name: Host Network Namespace Sharing
|
||||
author: princechaddha
|
||||
severity: high
|
||||
description: Checks if containers in Kubernetes Deployments are configured to share the host's network namespace, which can lead to security risks.
|
||||
description: Checks if containers in Kubernetes Pods are configured to share the host's network namespace, which can lead to security risks.
|
||||
impact: |
|
||||
Sharing the host's network namespace allows containers to access the host network directly. This can lead to potential security breaches as containers might bypass network policies and gain unrestricted network access on the host.
|
||||
remediation: |
|
||||
Ensure that the 'hostNetwork' field is set to false in all Kubernetes Deployments to prevent containers from sharing the host's network namespace.
|
||||
Ensure that the 'hostNetwork' field is set to false in all Kubernetes Pods to prevent containers from sharing the host's network namespace.
|
||||
reference:
|
||||
- https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces
|
||||
tags: cloud,devops,kubernetes,k8s,devsecops,namespace
|
||||
|
||||
flow: |
|
||||
code(1);
|
||||
for (let deployment of template.items) {
|
||||
set("deployment", deployment)
|
||||
for (let pod of template.items) {
|
||||
set("pod", pod)
|
||||
javascript(1);
|
||||
}
|
||||
|
||||
|
|
@ -25,7 +25,7 @@ code:
|
|||
- engine:
|
||||
- sh
|
||||
- bash
|
||||
source: kubectl get deployments --all-namespaces --output=json
|
||||
source: kubectl get pods --all-namespaces --output=json
|
||||
extractors:
|
||||
- type: json
|
||||
name: items
|
||||
|
|
@ -35,13 +35,13 @@ code:
|
|||
|
||||
javascript:
|
||||
- code: |
|
||||
deployment = JSON.parse(template.deployment);
|
||||
if (deployment.spec.template.spec.hostNetwork) {
|
||||
let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' is configured to share the host's network namespace.`);
|
||||
pod = JSON.parse(template.pod);
|
||||
if (pod.spec.hostNetwork) {
|
||||
let result = (`Pod '${pod.metadata.name}' in namespace '${pod.metadata.namespace}' is configured to share the host's network namespace.`);
|
||||
Export(result);
|
||||
}
|
||||
extractors:
|
||||
- type: dsl
|
||||
dsl:
|
||||
- response
|
||||
# digest: 4b0a00483046022100cd66750a4f7a5b20df75d62c2f9321edc46cac18cfd5599f45adc232248d3653022100dff978e8738723e829177c98c67e250a3fa1f9f5b8fa36db590af252c936ef73:366f2a24c8eb519f6968bd8801c08ebe
|
||||
# digest: 4b0a004830460221008eef4a8e8215cf69d36f0d94aa83b3531ce19730942b461b27842147f7f39973022100dfc800230845da0fe800dac62b006dc4a27d52a9b1684e7153165782e7d3472b:366f2a24c8eb519f6968bd8801c08ebe
|
||||
Loading…
Reference in New Issue