Merge pull request #614 from kubescape/fix-C-0016

improve remediation - return fix path in every case
kubescape · Apr 1, 2024 · d8adc06 · d8adc06
2 parents 0e5ffeb + 4d6f5d7
commit d8adc06
Show file tree

Hide file tree

Showing 4 changed files with 154 additions and 155 deletions.
diff --git a/rules/rule-allow-privilege-escalation/raw.rego b/rules/rule-allow-privilege-escalation/raw.rego
@@ -7,17 +7,14 @@ deny[msga] {
     pod.kind == "Pod"
 	container := pod.spec.containers[i]
 	start_of_path := "spec."
-    result := is_allow_privilege_escalation_container(container, i, start_of_path)
-	failed_path := get_failed_path(result)
-    fixed_path := get_fixed_path(result)
+    is_allow_privilege_escalation_container(container)
+	fixPath := get_fix_path(i, start_of_path)
 
 	msga := {
 		"alertMessage": sprintf("container: %v in pod: %v  allow privilege escalation", [container.name, pod.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
-		"reviewPaths": failed_path,
-		"failedPaths": failed_path,
-		"fixPaths": fixed_path,
+		"fixPaths": fixPath,
 		"alertObject": {
 			"k8sApiObjects": [pod]
 		}
@@ -32,17 +29,14 @@ deny[msga] {
 	spec_template_spec_patterns[wl.kind]
     container := wl.spec.template.spec.containers[i]
 	start_of_path := "spec.template.spec."
-    result := is_allow_privilege_escalation_container(container, i, start_of_path)
-	failed_path := get_failed_path(result)
-    fixed_path := get_fixed_path(result)
+    is_allow_privilege_escalation_container(container)
+	fixPath := get_fix_path(i, start_of_path)
 
     msga := {
 		"alertMessage": sprintf("container :%v in %v: %v  allow privilege escalation", [container.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
-		"reviewPaths": failed_path,
-		"failedPaths": failed_path,
-		"fixPaths": fixed_path,
+		"fixPaths": fixPath,
 		"alertObject": {
 			"k8sApiObjects": [wl]
 		}
@@ -56,17 +50,14 @@ deny[msga] {
 	wl.kind == "CronJob"
 	container = wl.spec.jobTemplate.spec.template.spec.containers[i]
 	start_of_path := "spec.jobTemplate.spec.template.spec."
-	result := is_allow_privilege_escalation_container(container, i, start_of_path)
-	failed_path := get_failed_path(result)
-    fixed_path := get_fixed_path(result)
+	is_allow_privilege_escalation_container(container)
+	fixPath := get_fix_path(i, start_of_path)
 
     msga := {
 		"alertMessage": sprintf("container :%v in %v: %v allow privilege escalation", [container.name, wl.kind, wl.metadata.name]),
 		"packagename": "armo_builtins",
 		"alertScore": 7,
-		"reviewPaths": failed_path,
-		"failedPaths": failed_path,
-		"fixPaths": fixed_path,
+		"fixPaths": fixPath,
 		"alertObject": {
 			"k8sApiObjects": [wl]
 		}
@@ -75,56 +66,36 @@ deny[msga] {
 
 
 
-is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] {
+is_allow_privilege_escalation_container(container) {
     not container.securityContext.allowPrivilegeEscalation == false
 	not container.securityContext.allowPrivilegeEscalation == true
 	psps := [psp |  psp= input[_]; psp.kind == "PodSecurityPolicy"]
 	count(psps) == 0
-	failed_path = ""
-	fixPath = [{"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"},
-	{"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)]), "value":"false"}
-	]
 }
 
-is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] {
+is_allow_privilege_escalation_container(container) {
     not container.securityContext.allowPrivilegeEscalation == false
 	not container.securityContext.allowPrivilegeEscalation == true
 	psps := [psp |  psp= input[_]; psp.kind == "PodSecurityPolicy"]
 	count(psps) > 0
 	psp := psps[_]
 	not psp.spec.allowPrivilegeEscalation == false
-	failed_path = ""
-	fixPath = [{"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"},
-	{"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)]), "value":"false"}
-
-	]
 }
 
 
-is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath]  {
+is_allow_privilege_escalation_container(container) {
     container.securityContext.allowPrivilegeEscalation == true
 	psps := [psp |  psp= input[_]; psp.kind == "PodSecurityPolicy"]
 	count(psps) == 0
-	fixPath = ""
-	failed_path = [sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)])]
 }
 
-is_allow_privilege_escalation_container(container, i, start_of_path)= [failed_path, fixPath] {
+is_allow_privilege_escalation_container(container) {
     container.securityContext.allowPrivilegeEscalation == true
 	psps := [psp |  psp= input[_]; psp.kind == "PodSecurityPolicy"]
 	count(psps) > 0
 	psp := psps[_]
 	not psp.spec.allowPrivilegeEscalation == false
-	fixPath = ""
-	failed_path = [sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)])]
 }
 
- get_failed_path(paths) = paths[0] {
-	paths[0] != ""
-} else = []
-
-
-get_fixed_path(paths) = paths[1] {
-	paths[1] != ""
-} else = []
-
+get_fix_path(i, start_of_path) = [{"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, i]), "value":"false"},
+	{"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, i]), "value":"false"}]
diff --git a/rules/rule-allow-privilege-escalation/test/cronjob/expected.json b/rules/rule-allow-privilege-escalation/test/cronjob/expected.json
@@ -1,52 +1,56 @@
-[{
-    "alertMessage": "container :mysql in CronJob: hello allow privilege escalation",
-    "reviewPaths": [],
-    "failedPaths": [],
-    "fixPaths": [{
-        "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation",
-        "value": "false"
-    },
+[
     {
-        "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.privileged",
-        "value": "false"
-    }
-],
-    "ruleStatus": "",
-    "packagename": "armo_builtins",
-    "alertScore": 7,
-    "alertObject": {
-        "k8sApiObjects": [{
-            "apiVersion": "batch/v1beta1",
-            "kind": "CronJob",
-            "metadata": {
-                "name": "hello"
+        "alertMessage": "container :mysql in CronJob: hello allow privilege escalation",
+        "fixPaths": [
+            {
+                "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation",
+                "value": "false"
+            },
+            {
+                "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.privileged",
+                "value": "false"
             }
-        }]
-    }
-}, {
-    "alertMessage": "container :php in CronJob: hello allow privilege escalation",
-    "reviewPaths": [],
-    "failedPaths": [],
-    "fixPaths": [{
-        "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation",
-        "value": "false"
+        ],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 7,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "batch/v1beta1",
+                    "kind": "CronJob",
+                    "metadata": {
+                        "name": "hello"
+                    }
+                }
+            ]
+        }
     },
     {
-        "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.privileged",
-        "value": "false"
-    }
-
-],
-    "ruleStatus": "",
-    "packagename": "armo_builtins",
-    "alertScore": 7,
-    "alertObject": {
-        "k8sApiObjects": [{
-            "apiVersion": "batch/v1beta1",
-            "kind": "CronJob",
-            "metadata": {
-                "name": "hello"
+        "alertMessage": "container :php in CronJob: hello allow privilege escalation",
+        "fixPaths": [
+            {
+                "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation",
+                "value": "false"
+            },
+            {
+                "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.privileged",
+                "value": "false"
             }
-        }]
+        ],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 7,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "batch/v1beta1",
+                    "kind": "CronJob",
+                    "metadata": {
+                        "name": "hello"
+                    }
+                }
+            ]
+        }
     }
-}]
+]
diff --git a/rules/rule-allow-privilege-escalation/test/pod/expected.json b/rules/rule-allow-privilege-escalation/test/pod/expected.json
@@ -1,21 +1,32 @@
-[{
-    "alertMessage": "container: test-container in pod: audit-pod  allow privilege escalation",
-    "reviewPaths": ["spec.containers[0].securityContext.allowPrivilegeEscalation"],
-    "failedPaths": ["spec.containers[0].securityContext.allowPrivilegeEscalation"],
-    "fixPaths": [],
-    "ruleStatus": "",
-    "packagename": "armo_builtins",
-    "alertScore": 7,
-    "alertObject": {
-        "k8sApiObjects": [{
-            "apiVersion": "v1",
-            "kind": "Pod",
-            "metadata": {
-                "labels": {
-                    "app": "audit-pod"
-                },
-                "name": "audit-pod"
+[
+    {
+        "alertMessage": "container: test-container in pod: audit-pod  allow privilege escalation",
+        "fixPaths": [
+            {
+                "path": "spec.containers[0].securityContext.allowPrivilegeEscalation",
+                "value": "false"
+            },
+            {
+                "path": "spec.containers[0].securityContext.privileged",
+                "value": "false"
             }
-        }]
+        ],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 7,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "v1",
+                    "kind": "Pod",
+                    "metadata": {
+                        "labels": {
+                            "app": "audit-pod"
+                        },
+                        "name": "audit-pod"
+                    }
+                }
+            ]
+        }
     }
-}]
+]
diff --git a/rules/rule-allow-privilege-escalation/test/workloads/expected.json b/rules/rule-allow-privilege-escalation/test/workloads/expected.json
@@ -1,49 +1,62 @@
-[{
-    "alertMessage": "container :mysql in Deployment: my-deployment  allow privilege escalation",
-    "reviewPaths": ["spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation"],
-    "failedPaths": ["spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation"],
-    "fixPaths": [],
-    "ruleStatus": "",
-    "packagename": "armo_builtins",
-    "alertScore": 7,
-    "alertObject": {
-        "k8sApiObjects": [{
-            "apiVersion": "apps/v1",
-            "kind": "Deployment",
-            "metadata": {
-                "labels": {
-                    "app": "goproxy"
-                },
-                "name": "my-deployment"
+[
+    {
+        "alertMessage": "container :mysql in Deployment: my-deployment  allow privilege escalation",
+        "fixPaths": [
+            {
+                "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation",
+                "value": "false"
+            },
+            {
+                "path": "spec.template.spec.containers[0].securityContext.privileged",
+                "value": "false"
             }
-        }]
-    }
-}, {
-    "alertMessage": "container :php in Deployment: my-deployment  allow privilege escalation",
-    "reviewPaths": [],
-    "failedPaths": [],
-    "fixPaths": [{
-        "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation",
-        "value": "false"
-
-        },
-        {
-            "path": "spec.template.spec.containers[1].securityContext.privileged",
-            "value": "false"
-        }],
-    "ruleStatus": "",
-    "packagename": "armo_builtins",
-    "alertScore": 7,
-    "alertObject": {
-        "k8sApiObjects": [{
-            "apiVersion": "apps/v1",
-            "kind": "Deployment",
-            "metadata": {
-                "labels": {
-                    "app": "goproxy"
-                },
-                "name": "my-deployment"
+        ],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 7,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "apps/v1",
+                    "kind": "Deployment",
+                    "metadata": {
+                        "labels": {
+                            "app": "goproxy"
+                        },
+                        "name": "my-deployment"
+                    }
+                }
+            ]
+        }
+    },
+    {
+        "alertMessage": "container :php in Deployment: my-deployment  allow privilege escalation",
+        "fixPaths": [
+            {
+                "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation",
+                "value": "false"
+            },
+            {
+                "path": "spec.template.spec.containers[1].securityContext.privileged",
+                "value": "false"
             }
-        }]
+        ],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 7,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "apps/v1",
+                    "kind": "Deployment",
+                    "metadata": {
+                        "labels": {
+                            "app": "goproxy"
+                        },
+                        "name": "my-deployment"
+                    }
+                }
+            ]
+        }
     }
-}]
+]