daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/cloud/kubernetes/pods/k8s-readonly-fs.yaml

47 lines
1.7 KiB
YAML
Raw Blame History

id: k8s-readonly-fs
info:
name: Enforce Read-Only Filesystem for Containers
author: princechaddha
severity: critical
description: Checks for containers that do not use a read-only filesystem, which can prevent malicious write operations at runtime
impact: |
Not using a read-only filesystem can expose containers to risks of malicious modifications at runtime, compromising the container's integrity and security.
remediation: Configure containers to use read-only filesystems where possible to enhance security and minimize risk of unauthorized data modification
reference:
- https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security
flow: |
code(1);
for (let container of template.items) {
set("container", container)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get pods --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[].spec.containers[]'
javascript:
- code: |
container = JSON.parse(template.container);
if (!container.securityContext || container.securityContext.readOnlyRootFilesystem !== true) {
let result = (`Container '${container.name}' in pod '${container.metadata.name}' in namespace '${container.metadata.namespace}' does not use a read-only filesystem.`);
Export(result);
}
extractors:
- type: dsl
dsl:
- response
# digest: 4b0a004830460221008d29bff5a9ee8436cbd007be3e8ea7d9adde22d7ba56b153dad3a298636f379e022100857902d59b4dc2849a6618197e3062762c537f08d7ff3b8b5c38e030bd054c2a:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink