diff --git a/rules/rule-allow-privilege-escalation/raw.rego b/rules/rule-allow-privilege-escalation/raw.rego index 9663e9dd9..47eab807b 100644 --- a/rules/rule-allow-privilege-escalation/raw.rego +++ b/rules/rule-allow-privilege-escalation/raw.rego @@ -7,17 +7,14 @@ deny[msga] { pod.kind == "Pod" container := pod.spec.containers[i] start_of_path := "spec." - result := is_allow_privilege_escalation_container(container, i, start_of_path) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + is_allow_privilege_escalation_container(container) + fixPath := get_fix_path(i, start_of_path) msga := { "alertMessage": sprintf("container: %v in pod: %v allow privilege escalation", [container.name, pod.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": failed_path, - "failedPaths": failed_path, - "fixPaths": fixed_path, + "fixPaths": fixPath, "alertObject": { "k8sApiObjects": [pod] } @@ -32,17 +29,14 @@ deny[msga] { spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] start_of_path := "spec.template.spec." - result := is_allow_privilege_escalation_container(container, i, start_of_path) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + is_allow_privilege_escalation_container(container) + fixPath := get_fix_path(i, start_of_path) msga := { "alertMessage": sprintf("container :%v in %v: %v allow privilege escalation", [container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": failed_path, - "failedPaths": failed_path, - "fixPaths": fixed_path, + "fixPaths": fixPath, "alertObject": { "k8sApiObjects": [wl] } 
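Review bot: A container that explicitly sets `allowPrivilegeEscalation: true` is now reported only through `fixPaths`, with the same two entries as an unset field, whereas before it surfaced through `failedPaths`/`reviewPaths` pointing at the existing key, so any consumer that distinguishes "field present with a wrong value" from "field missing" loses that signal and nothing in the hunk records that this is intended. The same applies to the Deployment-family and CronJob hunks that follow and to the rule bodies in the last raw.rego hunk; the updated fixtures now assert the merged behaviour. If it is intended, a comment on the `deny` rule such as `# Every violation is reported as fixPaths (set both fields to "false"), whether allowPrivilegeEscalation was unset or explicitly true` would make that explicit. Separately, the new local `fixPath` is camelCase while its neighbours (`start_of_path`, `container`) are snake_case; `fix_path := get_fix_path(i, start_of_path)` and `"fixPaths": fix_path,` would match the file. The enclosing `deny[msga]` rule starts before this hunk.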
@@ -56,17 +50,14 @@ deny[msga] { wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] start_of_path := "spec.jobTemplate.spec.template.spec." - result := is_allow_privilege_escalation_container(container, i, start_of_path) - failed_path := get_failed_path(result) - fixed_path := get_fixed_path(result) + is_allow_privilege_escalation_container(container) + fixPath := get_fix_path(i, start_of_path) msga := { "alertMessage": sprintf("container :%v in %v: %v allow privilege escalation", [container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", "alertScore": 7, - "reviewPaths": failed_path, - "failedPaths": failed_path, - "fixPaths": fixed_path, + "fixPaths": fixPath, "alertObject": { "k8sApiObjects": [wl] } 
@@ -75,56 +66,36 @@ deny[msga] { -is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] { +is_allow_privilege_escalation_container(container) { not container.securityContext.allowPrivilegeEscalation == false not container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] count(psps) == 0 - failed_path = "" - fixPath = [{"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"}, - {"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)]), "value":"false"} - ] } -is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] { +is_allow_privilege_escalation_container(container) { not container.securityContext.allowPrivilegeEscalation == false not container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] count(psps) > 0 psp := psps[_] not psp.spec.allowPrivilegeEscalation == false - failed_path = "" - fixPath = [{"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"}, - {"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)]), "value":"false"} - - ] } -is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] { +is_allow_privilege_escalation_container(container) { container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] count(psps) == 0 - fixPath = "" - failed_path = [sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)])] } -is_allow_privilege_escalation_container(container, i, start_of_path)= [failed_path, fixPath] { +is_allow_privilege_escalation_container(container) { 
container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] count(psps) > 0 psp := psps[_] not psp.spec.allowPrivilegeEscalation == false - fixPath = "" - failed_path = [sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)])] } - get_failed_path(paths) = paths[0] { - paths[0] != "" -} else = [] - - -get_fixed_path(paths) = paths[1] { - paths[1] != "" -} else = [] - +get_fix_path(i, start_of_path) = [{"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, i]), "value":"false"}, + {"path": sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, i]), "value":"false"}] diff --git a/rules/rule-allow-privilege-escalation/test/cronjob/expected.json b/rules/rule-allow-privilege-escalation/test/cronjob/expected.json index e9f6ca325..c9ff558a0 100644 --- a/rules/rule-allow-privilege-escalation/test/cronjob/expected.json +++ b/rules/rule-allow-privilege-escalation/test/cronjob/expected.json 
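Review bot: The four bodies of `is_allow_privilege_escalation_container(container)` now differ only in their first condition, and `not container.securityContext.allowPrivilegeEscalation == false` already covers both the unset case (bodies one and two) and the explicitly-true case (bodies three and four), so the rule can collapse to two bodies without changing which containers match. The `count(psps) > 0` line is redundant once `psp := psps[_]` follows it, since iterating an empty array is simply undefined. The PSP branch is untouched by this commit and still matches any PodSecurityPolicy present in the input without checking that it is the policy bound to this workload; that is pre-existing, but a comment such as `# NOTE: any PSP in input is considered; binding to the workload is not checked` would stop the next reader from assuming otherwise. In `get_fix_path`, passing `i` straight to `%v` in place of `format_int(i, 10)` should print the same digits for an integer index, so the fixture paths are unaffected.
```rego
is_allow_privilege_escalation_container(container) {
	not container.securityContext.allowPrivilegeEscalation == false
	psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"]
	count(psps) == 0
}

is_allow_privilege_escalation_container(container) {
	not container.securityContext.allowPrivilegeEscalation == false
	psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"]
	psp := psps[_]
	not psp.spec.allowPrivilegeEscalation == false
}

# … unchanged: get_fix_path …
```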
@@ -1,52 +1,56 @@ -[{ - "alertMessage": "container :mysql in CronJob: hello allow privilege escalation", - "reviewPaths": [], - "failedPaths": [], - "fixPaths": [{ - "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", - "value": "false" - }, +[ { - "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.privileged", - "value": "false" - } -], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "batch/v1beta1", - "kind": "CronJob", - "metadata": { - "name": "hello" + "alertMessage": "container :mysql in CronJob: hello allow privilege escalation", + "fixPaths": [ + { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + }, + { + "path": "spec.jobTemplate.spec.template.spec.containers[0].securityContext.privileged", + "value": "false" } - }] - } -}, { - "alertMessage": "container :php in CronJob: hello allow privilege escalation", - "reviewPaths": [], - "failedPaths": [], - "fixPaths": [{ - "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", - "value": "false" + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "batch/v1beta1", + "kind": "CronJob", + "metadata": { + "name": "hello" + } + } + ] + } }, { - "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.privileged", - "value": "false" - } - -], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "batch/v1beta1", - "kind": "CronJob", - "metadata": { - "name": "hello" + "alertMessage": "container :php in CronJob: hello allow privilege escalation", + "fixPaths": [ + { + "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + 
"value": "false" + }, + { + "path": "spec.jobTemplate.spec.template.spec.containers[1].securityContext.privileged", + "value": "false" } - }] + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "batch/v1beta1", + "kind": "CronJob", + "metadata": { + "name": "hello" + } + } + ] + } } -}] \ No newline at end of file +] \ No newline at end of file diff --git a/rules/rule-allow-privilege-escalation/test/pod/expected.json b/rules/rule-allow-privilege-escalation/test/pod/expected.json index 9ecc18440..98f507449 100644 --- a/rules/rule-allow-privilege-escalation/test/pod/expected.json +++ b/rules/rule-allow-privilege-escalation/test/pod/expected.json @@ -1,21 +1,32 @@ -[{ - "alertMessage": "container: test-container in pod: audit-pod allow privilege escalation", - "reviewPaths": ["spec.containers[0].securityContext.allowPrivilegeEscalation"], - "failedPaths": ["spec.containers[0].securityContext.allowPrivilegeEscalation"], - "fixPaths": [], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "v1", - "kind": "Pod", - "metadata": { - "labels": { - "app": "audit-pod" - }, - "name": "audit-pod" +[ + { + "alertMessage": "container: test-container in pod: audit-pod allow privilege escalation", + "fixPaths": [ + { + "path": "spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + }, + { + "path": "spec.containers[0].securityContext.privileged", + "value": "false" } - }] + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "labels": { + "app": "audit-pod" + }, + "name": "audit-pod" + } + } + ] + } } -}] \ No newline at end of file +] \ No newline at end of file 
diff --git a/rules/rule-allow-privilege-escalation/test/workloads/expected.json b/rules/rule-allow-privilege-escalation/test/workloads/expected.json index f4cdaff01..065b97d20 100644 --- a/rules/rule-allow-privilege-escalation/test/workloads/expected.json +++ b/rules/rule-allow-privilege-escalation/test/workloads/expected.json 
@@ -1,49 +1,62 @@ -[{ - "alertMessage": "container :mysql in Deployment: my-deployment allow privilege escalation", - "reviewPaths": ["spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation"], - "failedPaths": ["spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation"], - "fixPaths": [], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "labels": { - "app": "goproxy" - }, - "name": "my-deployment" +[ + { + "alertMessage": "container :mysql in Deployment: my-deployment allow privilege escalation", + "fixPaths": [ + { + "path": "spec.template.spec.containers[0].securityContext.allowPrivilegeEscalation", + "value": "false" + }, + { + "path": "spec.template.spec.containers[0].securityContext.privileged", + "value": "false" } - }] - } -}, { - "alertMessage": "container :php in Deployment: my-deployment allow privilege escalation", - "reviewPaths": [], - "failedPaths": [], - "fixPaths": [{ - "path": "spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", - "value": "false" - - }, - { - "path": "spec.template.spec.containers[1].securityContext.privileged", - "value": "false" - }], - "ruleStatus": "", - "packagename": "armo_builtins", - "alertScore": 7, - "alertObject": { - "k8sApiObjects": [{ - "apiVersion": "apps/v1", - "kind": "Deployment", - "metadata": { - "labels": { - "app": "goproxy" - }, - "name": "my-deployment" + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "goproxy" + }, + "name": "my-deployment" + } + } + ] + } + }, + { + "alertMessage": "container :php in Deployment: my-deployment allow privilege escalation", + "fixPaths": [ + { + "path": 
"spec.template.spec.containers[1].securityContext.allowPrivilegeEscalation", + "value": "false" + }, + { + "path": "spec.template.spec.containers[1].securityContext.privileged", + "value": "false" } - }] + ], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 7, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "goproxy" + }, + "name": "my-deployment" + } + } + ] + } } -}] \ No newline at end of file +] \ No newline at end of file