50 lines
1.9 KiB
YAML
50 lines
1.9 KiB
YAML
id: k8s-allow-privilege-escalation-set
|
|
|
|
info:
|
|
name: Containers run with allowPrivilegeEscalation enabled
|
|
author: princechaddha
|
|
severity: critical
|
|
description: Checks for containers running with the allowPrivilegeEscalation flag enabled, which can increase security risks by allowing privileges to be escalated
|
|
impact: |
|
|
Enabling allowPrivilegeEscalation in container deployments can result in elevated privileges, potentially allowing attackers to gain further access to host resources. This poses significant security risks.
|
|
remediation: Ensure that the allowPrivilegeEscalation flag is set to false in all container configurations to minimize security risks
|
|
reference:
|
|
- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
tags: cloud,devops,kubernetes,security,devsecops,containers,k8s,k8s-cluster-security
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let container of template.items) {
|
|
set("container", container)
|
|
javascript(1);
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: kubectl get pods --all-namespaces --output=json
|
|
extractors:
|
|
- type: json
|
|
name: items
|
|
internal: true
|
|
json:
|
|
- '.items[] | {pod: .metadata.name, containers: .spec.containers}'
|
|
|
|
javascript:
|
|
- code: |
|
|
let podData = JSON.parse(template.container);
|
|
podData.containers.forEach(container => {
|
|
if (container.securityContext && container.securityContext.allowPrivilegeEscalation === true) {
|
|
let result = (`Container '${container.name}' in pod '${podData.pod}' running with allowPrivilegeEscalation enabled.`);
|
|
Export(result);
|
|
}
|
|
});
|
|
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- response
|
|
# digest: 4a0a00473045022100b82b8a61d07a1fd3eb1d4c0e294e1c0ad03620d317280f0708493d3422a9654002207d8421e313c2d1eb9c5c6e0f5efc9193088d15ebe536aa77e70a0104ced336c4:922c64590222798bb761d5b6d8e72950 |