From c2aef7b3e38a365fd3a679fd17b2e1a84dfdfc19 Mon Sep 17 00:00:00 2001 From: YiscahLevySilas1 Date: Thu, 20 Jul 2023 17:45:49 +0300 Subject: [PATCH] add check for env values for wl Signed-off-by: YiscahLevySilas1 --- rules/rule-credentials-in-env-var/raw.rego | 95 ++++++++++++++++++- .../test/deployment/expected.json | 26 +++++ .../test/deployment/input/deployment.yaml | 36 +++++++ .../test/pod/expected.json | 2 +- .../test/pod/input/pod.yaml | 4 +- 5 files changed, 158 insertions(+), 5 deletions(-) create mode 100644 rules/rule-credentials-in-env-var/test/deployment/expected.json create mode 100644 rules/rule-credentials-in-env-var/test/deployment/input/deployment.yaml diff --git a/rules/rule-credentials-in-env-var/raw.rego b/rules/rule-credentials-in-env-var/raw.rego index 44db0c4c2..e3a2e586c 100644 --- a/rules/rule-credentials-in-env-var/raw.rego +++ b/rules/rule-credentials-in-env-var/raw.rego @@ -9,7 +9,7 @@ container := pod.spec.containers[i] env := container.env[j] - contains(lower(env.name), key_name) + contains(lower(env.name), lower(key_name)) env.value != "" # check that value wasn't allowed by user not is_allowed_value(env.value) @@ -41,7 +41,7 @@ container := wl.spec.template.spec.containers[i] env := container.env[j] - contains(lower(env.name), key_name) + contains(lower(env.name), lower(key_name)) env.value != "" # check that value wasn't allowed by user not is_allowed_value(env.value) @@ -71,7 +71,7 @@ container := wl.spec.jobTemplate.spec.template.spec.containers[i] env := container.env[j] - contains(lower(env.name), key_name) + contains(lower(env.name), lower(key_name)) env.value != "" # check that value wasn't allowed by user @@ -93,6 +93,95 @@ } } +# check sensitive values +deny[msga] { + pod := input[_] + pod.kind == "Pod" + # see default-config-inputs.json for list values + sensitive_values := data.postureControlInputs.sensitiveValues + value := sensitive_values[_] + container := pod.spec.containers[i] + env := container.env[j] + + # check that value wasn't allowed by user + not is_allowed_value(env.value) + contains(lower(env.value), lower(value)) + + is_not_reference(env) + + path := sprintf("spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)]) + + msga := { + "alertMessage": sprintf("Pod: %v has sensitive information in environment variables", [pod.metadata.name]), + "alertScore": 9, + "fixPaths": [], + "failedPaths": [path], + "packagename": "armo_builtins", + "alertObject": { + "k8sApiObjects": [pod] + } + } + } + + deny[msga] { + wl := input[_] + spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} + spec_template_spec_patterns[wl.kind] + + # see default-config-inputs.json for list values + sensitive_values := data.postureControlInputs.sensitiveValues + value := sensitive_values[_] + container := wl.spec.template.spec.containers[i] + env := container.env[j] + + not is_allowed_value(env.value) + contains(lower(env.value), lower(value)) + # check that value wasn't allowed by user + + is_not_reference(env) + + path := sprintf("spec.template.spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)]) + + msga := { + "alertMessage": sprintf("%v: %v has sensitive information in environment variables", [wl.kind, wl.metadata.name]), + "alertScore": 9, + "fixPaths": [], + "failedPaths": [path], + "packagename": "armo_builtins", + "alertObject": { + "k8sApiObjects": [wl] + } + } + } + + deny[msga] { + wl := input[_] + wl.kind == "CronJob" + # see default-config-inputs.json for list values + sensitive_values := data.postureControlInputs.sensitiveValues + value := sensitive_values[_] + container := wl.spec.jobTemplate.spec.template.spec.containers[i] + env := container.env[j] + + # check that value wasn't allowed by user + not is_allowed_value(env.value) + contains(lower(env.value), lower(value)) + + is_not_reference(env) + + path := sprintf("spec.jobTemplate.spec.template.spec.containers[%v].env[%v].name", [format_int(i, 10), format_int(j, 10)]) + + msga := { + "alertMessage": sprintf("Cronjob: %v has sensitive information in environment variables", [wl.metadata.name]), + "alertScore": 9, + "fixPaths": [], + "failedPaths": [path], + "packagename": "armo_builtins", + "alertObject": { + "k8sApiObjects": [wl] + } + } + } is_not_reference(env) diff --git a/rules/rule-credentials-in-env-var/test/deployment/expected.json b/rules/rule-credentials-in-env-var/test/deployment/expected.json new file mode 100644 index 000000000..5895545cc --- /dev/null +++ b/rules/rule-credentials-in-env-var/test/deployment/expected.json @@ -0,0 +1,26 @@ +[ + { + "alertMessage": "Deployment: test2 has sensitive information in environment variables", + "failedPaths": [ + "spec.template.spec.containers[1].env[1].name" + ], + "fixPaths": [], + "ruleStatus": "", + "packagename": "armo_builtins", + "alertScore": 9, + "alertObject": { + "k8sApiObjects": [ + { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "labels": { + "app": "audit-pod" + }, + "name": "test2" + } + } + ] + } + } +] \ No newline at end of file diff --git a/rules/rule-credentials-in-env-var/test/deployment/input/deployment.yaml b/rules/rule-credentials-in-env-var/test/deployment/input/deployment.yaml new file mode 100644 index 000000000..7755f24fb --- /dev/null +++ b/rules/rule-credentials-in-env-var/test/deployment/input/deployment.yaml @@ -0,0 +1,36 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: default + name: test2 + labels: + app: audit-pod +spec: + replicas: 3 + selector: + matchLabels: + app: audit-pod + template: + metadata: + labels: + app: audit-pod + spec : + containers : + - + name : test-container + env : + - + name : random + value : "Hello from the environment" + image : hashicorp/http-echo:0.2.3 + securityContext : + allowPrivilegeEscalation : true + - + name : test-container2 + env : + - + name : bla + value : "Hello from the environment" + - name : some-name + value : JWT + image : hashicorp/http-echo:0.2.3 \ No newline at end of file diff --git a/rules/rule-credentials-in-env-var/test/pod/expected.json b/rules/rule-credentials-in-env-var/test/pod/expected.json index 4d85f771c..9324ba1a3 100644 --- a/rules/rule-credentials-in-env-var/test/pod/expected.json +++ b/rules/rule-credentials-in-env-var/test/pod/expected.json @@ -2,7 +2,7 @@ { "alertMessage": "Pod: audit-pod has sensitive information in environment variables", "failedPaths": [ - "spec.containers[0].env[0].name" + "spec.containers[0].env[1].name" ], "fixPaths": [], "ruleStatus": "", diff --git a/rules/rule-credentials-in-env-var/test/pod/input/pod.yaml b/rules/rule-credentials-in-env-var/test/pod/input/pod.yaml index b70071bf6..b0cfb0df0 100644 --- a/rules/rule-credentials-in-env-var/test/pod/input/pod.yaml +++ b/rules/rule-credentials-in-env-var/test/pod/input/pod.yaml @@ -8,8 +8,10 @@ spec: containers: - name: test-container env : - - name : azure_batch_key + - name : random value : "Hello from the environment" + - name: some-name + value: my_key_value image: hashicorp/http-echo:0.2.3 securityContext: allowPrivilegeEscalation: true