Skip to content

Commit

Permalink
Improvements to control C-0262 (#519)
Browse files Browse the repository at this point in the history
* SUB-2185 - improve C-0262

Signed-off-by: YiscahLevySilas1 <yiscahls@armosec.io>

* minor fix

Signed-off-by: YiscahLevySilas1 <yiscahls@armosec.io>

---------

Signed-off-by: YiscahLevySilas1 <yiscahls@armosec.io>
  • Loading branch information
YiscahLevySilas1 authored Oct 9, 2023
1 parent a9b037a commit 46cdc49
Show file tree
Hide file tree
Showing 4 changed files with 12 additions and 14 deletions.
5 changes: 2 additions & 3 deletions controls/C-0262-anonymousaccessisenabled.json
Original file line number Diff line number Diff line change
@@ -1,17 +1,16 @@
{
"controlID": "C-0262",
"name": "Anonymous access enabled",
"name": "Anonymous user has RoleBinding",
"description": "Granting permissions to the system:unauthenticated or system:anonymous user is generally not recommended and can introduce security risks. Allowing unauthenticated access to your Kubernetes cluster can lead to unauthorized access, potential data breaches, and abuse of cluster resources.",
"remediation": "Review and modify your cluster's RBAC configuration to ensure that only authenticated and authorized users have appropriate permissions based on their roles and responsibilities within your system.",
"test": "Checks if ClusterRoleBinding/RoleBinding resources give permissions to anonymous user. Also checks in the apiserver if the --anonymous-auth flag is set to false",
"attributes": {
"armoBuiltin": true
},
"rulesNames": [
"ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false",
"anonymous-access-enabled"
],
"baseScore": 5,
"baseScore": 7,
"category": {
"name": "Control plane",
"subCategory": {
Expand Down
15 changes: 7 additions & 8 deletions rules/anonymous-access-enabled/raw.rego
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,14 @@ package armo_builtins
deny[msga] {
rolebindings := [rolebinding | rolebinding = input[_]; endswith(rolebinding.kind, "Binding")]
rolebinding := rolebindings[_]

isAnonymous(rolebinding)

subject := rolebinding.subjects[i]
isAnonymous(subject)
delete_path := sprintf("subjects[%d]", [i])
msga := {
"alertMessage": sprintf("the following RoleBinding: %v gives permissions to anonymous users", [rolebinding.metadata.name]),
"alertScore": 9,
"deletePaths": [delete_path],
"failedPaths": [delete_path],
"packagename": "armo_builtins",
"alertObject": {
"k8sApiObjects": [rolebinding]
Expand All @@ -18,13 +20,10 @@ deny[msga] {
}


isAnonymous(binding) {
subject := binding.subjects[_]
isAnonymous(subject) {
subject.name == "system:anonymous"
}


isAnonymous(binding) {
subject := binding.subjects[_]
isAnonymous(subject) {
subject.name == "system:unauthenticated"
}
4 changes: 2 additions & 2 deletions rules/anonymous-access-enabled/rule.metadata.json
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
}
],
"ruleDependencies": [],
"description": "Fails in case anonymous access is enabled on the cluster",
"remediation": "Disable anonymous access by passing the --anonymous-auth=false flag to the kube-apiserver component, or if it's a managed cluster, you can remove any RBAC rules which allow anonymous users to perform actions",
"description": "Fails in case anonymous or unauthenticated user has any rbac permissions (is bound by a RoleBinding/ClusterRoleBinding)",
"remediation": "Remove any RBAC rules which allow anonymous users to perform actions",
"ruleQuery": "armo_builtins"
}
2 changes: 1 addition & 1 deletion rules/anonymous-access-enabled/test/fail/expected.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
[
{
"alertMessage": "the following RoleBinding: system:public-info-viewer gives permissions to anonymous users",
"failedPaths": null,
"failedPaths": ["subjects[1]"],
"fixPaths": null,
"ruleStatus": "",
"packagename": "armo_builtins",
Expand Down

0 comments on commit 46cdc49

Please sign in to comment.