daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/cloud/kubernetes/deployments/k8s-minimize-added-capabili...

51 lines
2.1 KiB
YAML
Raw Permalink Blame History

id: minimize-added-capabilities
info:
name: Minimize container added capabilities
author: princechaddha
severity: high
description: Checks for containers in Kubernetes Deployments with added capabilities beyond the default set, increasing security risks.
impact: |
Containers with additional capabilities are granted more privileges than necessary, potentially allowing them to bypass intended security restrictions. This increases the risk of exploitation and unauthorized access.
remediation: |
Ensure that no unnecessary capabilities are added to containers within Kubernetes Deployments. Use security contexts to define the minimum necessary privileges.
reference:
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
tags: cloud,devops,kubernetes,k8s,devsecops,deployments,k8s-cluster-security
flow: |
code(1);
for (let deployment of template.items) {
set("deployment", deployment)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get deployments --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[]'
javascript:
- code: |
deployment = JSON.parse(template.deployment);
for (const container of deployment.spec.template.spec.containers) {
if (container.securityContext && container.securityContext.capabilities && container.securityContext.capabilities.add && container.securityContext.capabilities.add.length > 0) {
let addedCaps = container.securityContext.capabilities.add.join(', ');
let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' has added capabilities: ${addedCaps}.`);
Export(result);
}
}
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a00473045022100f45040f69d006ec672d4f4c04146b729cb7c5abcba703a8bbaa2da551013400202204e9b59dbad6d6e89badbb11aa795afa27f33eea1f026085e5f926675ac6cea68:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink