Fix constraint yaml, better policy descriptions

PaloAltoNetworks · May 23, 2022 · 64f22c1 · 64f22c1
1 parent 8630599
commit 64f22c1
Show file tree

Hide file tree

Showing 8 changed files with 13 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -64,8 +64,8 @@ Or:
 ```
 
 ## Documentation
- - [Eval command](docs/eval.md)
  - [Policies](docs/policies.md)
+ - [Eval command](docs/eval.md)
  - [Collect command](docs/collect.md)
  - [Expand command](docs/expand.md)
 

diff --git a/docs/policies.md b/docs/policies.md
@@ -43,7 +43,7 @@ The above options implemetned by a Rego [wrapper](../lib/utils/wrapper.rego). If
 - Severity: `Critical`
 - Violation types: `serviceAccounts, nodes, combined`
 ### [assign_sa](../lib/assign_sa.rego)
-- Description: `SAs and nodes that can create pods or create, update or patch pod controllers (e.g. DaemonSets, Deployments, Jobs) in privileged namespaces, may assign admin-equivalent SA to a pod in their control`
+- Description: `SAs and nodes that can create pods or create, update or patch pod controllers (e.g. DaemonSets, Deployments, Jobs) in privileged namespaces, may assign an admin-equivalent SA to a pod in their control`
 - Severity: `Critical`
 - Violation types: `serviceAccounts, nodes`
 ### [bind_roles](../lib/bind_roles.rego)
@@ -83,7 +83,7 @@ The above options implemetned by a Rego [wrapper](../lib/utils/wrapper.rego). If
 - Severity: `Low`
 - Violation types: `serviceAccounts, nodes`
 ### [modify_pods](../lib/modify_pods.rego)
-- Description: `SAs and nodes that can update and patch pods in privileged namespaces can gain code execution on pods that are likey to be privileged`
+- Description: `SAs and nodes that can update or patch pods in privileged namespaces can gain code execution on pods that are likey to be powerful`
 - Severity: `High`
 - Violation types: `serviceAccounts, nodes`
 ### [modify_service_status_cve_2020_8554](../lib/modify_service_status_cve_2020_8554.rego)
@@ -95,7 +95,7 @@ The above options implemetned by a Rego [wrapper](../lib/utils/wrapper.rego). If
 - Severity: `High`
 - Violation types: `serviceAccounts, nodes`
 ### [obtain_token_weak_ns](../lib/obtain_token_weak_ns.rego)
-- Description: `SAs and nodes that can obtain serviceaccount tokens in unprivileged namespaces could potentially escalate privileges`
+- Description: `SAs and nodes that can retrieve or a issue SA tokens in unprivileged namespaces could potentially obtain tokens with broader permissions over the cluster`
 - Severity: `Low`
 - Violation types: `serviceAccounts, nodes`
 ### [pods_ephemeral_ctrs](../lib/pods_ephemeral_ctrs.rego)
@@ -119,10 +119,10 @@ The above options implemetned by a Rego [wrapper](../lib/utils/wrapper.rego). If
 - Severity: `Critical`
 - Violation types: `serviceAccounts, nodes`
 ### [steal_pods](../lib/steal_pods.rego)
-- Description: `SAs and nodes that can delete or evict a pod in privileged namespaces and make other nodes unschedulable can steal powerful pods from other nodes onto a compromised one`
+- Description: `SAs and nodes that can delete or evict pods in privileged namespaces and also make other nodes unschedulable can steal powerful pods from other nodes onto a compromised one`
 - Severity: `High`
 - Violation types: `serviceAccounts, nodes, combined`
 ### [token_request](../lib/token_request.rego)
-- Description: `SAs and nodes that can create TokenRequests (serviceaccounts/token) in privileged namespaces can create tokens of admin-equivalent SAs`
+- Description: `SAs and nodes that can create TokenRequests (serviceaccounts/token) in privileged namespaces can issue tokens for admin-equivalent SAs`
 - Severity: `Critical`
 - Violation types: `serviceAccounts, nodes`
diff --git a/lib/assign_sa.rego b/lib/assign_sa.rego
@@ -2,7 +2,7 @@ package policy
 import data.police_builtins as pb
 
 describe[{"desc": desc, "severity": severity}] {
-  desc := sprintf("SAs and nodes that can create pods or create, update or patch pod controllers (e.g. DaemonSets, Deployments, Jobs) in privileged namespaces (%v), may assign admin-equivalent SA to a pod in their control", [concat(", ", pb.privileged_namespaces)])
+  desc := sprintf("SAs and nodes that can create pods or create, update or patch pod controllers (e.g. DaemonSets, Deployments, Jobs) in privileged namespaces (%v), may assign an admin-equivalent SA to a pod in their control", [concat(", ", pb.privileged_namespaces)])
   severity := "Critical"
 }
 checkServiceAccounts := true

diff --git a/lib/modify_pods.rego b/lib/modify_pods.rego
@@ -2,7 +2,7 @@ package policy
 import data.police_builtins as pb
 
 describe[{"desc": desc, "severity": severity}] {
-  desc := sprintf("SAs and nodes that can update and patch pods in privileged namespaces (%v) can gain code execution on pods that are likey to be privileged", [concat(", ", pb.privileged_namespaces)])
+  desc := sprintf("SAs and nodes that can update or patch pods in privileged namespaces (%v) can gain code execution on pods that are likey to be powerful", [concat(", ", pb.privileged_namespaces)])
   severity := "High"
 }
 checkServiceAccounts := true

diff --git a/lib/obtain_token_weak_ns.rego b/lib/obtain_token_weak_ns.rego
@@ -2,7 +2,7 @@ package policy
 import data.police_builtins as pb
 
 describe[{"desc": desc, "severity": severity}] {
-  desc := "SAs and nodes that can obtain serviceaccount tokens in unprivileged namespaces could potentially escalate privileges"
+  desc := "SAs and nodes that can retrieve or a issue SA tokens in unprivileged namespaces could potentially obtain tokens with broader permissions over the cluster"
   severity := "Low"
 }
 checkServiceAccounts := true

diff --git a/lib/steal_pods.rego b/lib/steal_pods.rego
@@ -2,7 +2,7 @@ package policy
 import data.police_builtins as pb
 
 describe[{"desc": desc, "severity": severity}] {
-  desc := sprintf("SAs and nodes that can delete or evict a pod in privileged namespaces (%v) and make other nodes unschedulable can steal powerful pods from other nodes onto a compromised one", [concat(", ", pb.privileged_namespaces)])
+  desc := sprintf("SAs and nodes that can delete or evict pods in privileged namespaces (%v) and also make other nodes unschedulable can steal powerful pods from other nodes onto a compromised one", [concat(", ", pb.privileged_namespaces)])
   severity := "High"
 }
 checkCombined := true

diff --git a/lib/token_request.rego b/lib/token_request.rego
@@ -2,7 +2,7 @@ package policy
 import data.police_builtins as pb
 
 describe[{"desc": desc, "severity": severity}] {
-  desc := sprintf("SAs and nodes that can create TokenRequests (serviceaccounts/token) in privileged namespaces (%v) can create tokens of admin-equivalent SAs", [concat(", ", pb.privileged_namespaces)])
+  desc := sprintf("SAs and nodes that can create TokenRequests (serviceaccounts/token) in privileged namespaces (%v) can issue tokens for admin-equivalent SAs", [concat(", ", pb.privileged_namespaces)])
   severity := "Critical"
 }
 checkServiceAccounts := true

diff --git a/prevent/suspicious_self_subject_review/constraint.yaml b/prevent/suspicious_self_subject_review/constraint.yaml
@@ -12,6 +12,6 @@ spec:
           - SelfSubjectAccessReview
   parameters:
     # Allow requests from certain users, e.g. "system:serviceaccount:my-priv-ns:my-priv-sa" or "system:node:nodename"
-    allowedUsers: [""] 
+    allowedUsers: [] 
     # Allow requests from users in certain groups, e.g. "system:nodes", "system:serviceaccounts:privileged-ns"
-    allowedGroups: [""] 
+    allowedGroups: []