-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #566 from kubescape/feature/detection-authneticate…
…d-over-privileged Adding control C-0265: detection of over-privileged system:authenticated group
- Loading branch information
Showing
11 changed files
with
269 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| { | ||
| "controlID": "C-0265", | ||
| "name": "system:authenticated user has elevated roles", | ||
| "description": "Granting permissions to the system:authenticated group is generally not recommended and can introduce security risks. This control ensures that system:authenticated users do not have cluster risking permissions.", | ||
| "remediation": "Review and modify your cluster's RBAC configuration to ensure that system:authenticated will have minimal permissions.", | ||
| "test": "Checks if ClusterRoleBinding/RoleBinding resources give permissions to system:authenticated group.", | ||
| "attributes": { | ||
| }, | ||
| "rulesNames": [ | ||
| "system-authenticated-allowed-to-take-over-cluster" | ||
| ], | ||
| "baseScore": 7, | ||
| "category": { | ||
| "name": "Control plane", | ||
| "subCategory": { | ||
| "name": "Supply chain" | ||
| } | ||
| }, | ||
| "scanningScope": { | ||
| "matches": [ | ||
| "cluster" | ||
| ] | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
65 changes: 65 additions & 0 deletions
65
rules/system-authenticated-allowed-to-take-over-cluster/raw.rego
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| package armo_builtins | ||
|
|
||
| import future.keywords.in | ||
|
|
||
| deny[msga] { | ||
| subjectVector := input[_] | ||
|
|
||
| rolebinding := subjectVector.relatedObjects[j] | ||
| endswith(rolebinding.kind, "Binding") | ||
|
|
||
|
|
||
| subject := rolebinding.subjects[k] | ||
| # Check if the subject is gourp | ||
| subject.kind == "Group" | ||
| # Check if the subject is system:authenticated | ||
| subject.name == "system:authenticated" | ||
|
|
||
|
|
||
| # Find the bound roles | ||
| role := subjectVector.relatedObjects[i] | ||
| endswith(role.kind, "Role") | ||
|
|
||
| # Check if the role and rolebinding bound | ||
| is_same_role_and_binding(role, rolebinding) | ||
|
|
||
|
|
||
| # Check if the role has access to workloads, exec, attach, portforward | ||
| rule := role.rules[p] | ||
| rule.resources[l] in ["*","pods", "pods/exec", "pods/attach", "pods/portforward","deployments","statefulset","daemonset","jobs","cronjobs","nodes","secrets"] | ||
|
|
||
| finalpath := array.concat([""], [ | ||
| sprintf("relatedObjects[%d].subjects[%d]", [j, k]), | ||
| sprintf("relatedObjects[%d].roleRef.name", [i]), | ||
| ]) | ||
|
|
||
| msga := { | ||
| "alertMessage": "system:authenticated has sensitive roles", | ||
| "alertScore": 5, | ||
| "reviewPaths": finalpath, | ||
| "failedPaths": finalpath, | ||
| "fixPaths": [], | ||
| "packagename": "armo_builtins", | ||
| "alertObject": { | ||
| "k8sApiObjects": [], | ||
| "externalObjects" : subjectVector | ||
| }, | ||
| } | ||
| } | ||
|
|
||
| is_same_role_and_binding(role, rolebinding) { | ||
| rolebinding.kind == "RoleBinding" | ||
| role.kind == "Role" | ||
| rolebinding.metadata.namespace == role.metadata.namespace | ||
| rolebinding.roleRef.name == role.metadata.name | ||
| rolebinding.roleRef.kind == role.kind | ||
| startswith(role.apiVersion, rolebinding.roleRef.apiGroup) | ||
| } | ||
|
|
||
| is_same_role_and_binding(role, rolebinding) { | ||
| rolebinding.kind == "ClusterRoleBinding" | ||
| role.kind == "ClusterRole" | ||
| rolebinding.roleRef.name == role.metadata.name | ||
| rolebinding.roleRef.kind == role.kind | ||
| startswith(role.apiVersion, rolebinding.roleRef.apiGroup) | ||
| } |
27 changes: 27 additions & 0 deletions
27
rules/system-authenticated-allowed-to-take-over-cluster/rule.metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| { | ||
| "name": "system-authenticated-allowed-to-take-over-cluster", | ||
| "attributes": { | ||
| "resourcesAggregator": "subject-role-rolebinding" | ||
| }, | ||
| "ruleLanguage": "Rego", | ||
| "match": [ | ||
| { | ||
| "apiGroups": [ | ||
| "rbac.authorization.k8s.io" | ||
| ], | ||
| "apiVersions": [ | ||
| "v1" | ||
| ], | ||
| "resources": [ | ||
| "RoleBinding", | ||
| "ClusterRoleBinding", | ||
| "Role", | ||
| "ClusterRole" | ||
| ] | ||
| } | ||
| ], | ||
| "ruleDependencies": [], | ||
| "description": "Fails in system:authenticated user has cluster takeover rbac permissions (is bound by a RoleBinding/ClusterRoleBinding)", | ||
| "remediation": "Remove any RBAC rules which allow system:authenticated users to perform actions", | ||
| "ruleQuery": "armo_builtins" | ||
| } |
74 changes: 74 additions & 0 deletions
74
rules/system-authenticated-allowed-to-take-over-cluster/test/fail/expected.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| [ | ||
| { | ||
| "alertMessage": "system:authenticated has sensitive roles", | ||
| "alertObject": { | ||
| "externalObjects": { | ||
| "apiGroup": "rbac.authorization.k8s.io", | ||
| "kind": "Group", | ||
| "name": "system:authenticated", | ||
| "relatedObjects": [ | ||
| { | ||
| "apiVersion": "rbac.authorization.k8s.io/v1", | ||
| "kind": "ClusterRoleBinding", | ||
| "metadata": { | ||
| "name": "system:viewer" | ||
| }, | ||
| "roleRef": { | ||
| "apiGroup": "rbac.authorization.k8s.io", | ||
| "kind": "ClusterRole", | ||
| "name": "system:viewer" | ||
| }, | ||
| "subjects": [ | ||
| { | ||
| "apiGroup": "rbac.authorization.k8s.io", | ||
| "kind": "Group", | ||
| "name": "system:authenticated" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "apiVersion": "rbac.authorization.k8s.io/v1", | ||
| "kind": "ClusterRole", | ||
| "metadata": { | ||
| "name": "system:viewer" | ||
| }, | ||
| "rules": [ | ||
| { | ||
| "apiGroups": [ | ||
| "" | ||
| ], | ||
| "resources": [ | ||
| "nodes", | ||
| "nodes/*", | ||
| "namespaces", | ||
| "namespaces/*", | ||
| "pods", | ||
| "pods/*" | ||
| ], | ||
| "verbs": [ | ||
| "get", | ||
| "list", | ||
| "watch" | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| "k8sApiObjects": [] | ||
| }, | ||
| "alertScore": 5, | ||
| "failedPaths": [ | ||
| "", | ||
| "relatedObjects[0].subjects[0]", | ||
| "relatedObjects[1].roleRef.name" | ||
| ], | ||
| "fixPaths": [], | ||
| "packagename": "armo_builtins", | ||
| "reviewPaths": [ | ||
| "", | ||
| "relatedObjects[0].subjects[0]", | ||
| "relatedObjects[1].roleRef.name" | ||
| ] | ||
| } | ||
| ] |
18 changes: 18 additions & 0 deletions
18
rules/system-authenticated-allowed-to-take-over-cluster/test/fail/input/clusterrole.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: system:viewer | ||
| rules: | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - nodes | ||
| - nodes/* | ||
| - namespaces | ||
| - namespaces/* | ||
| - pods | ||
| - pods/* | ||
| verbs: | ||
| - get | ||
| - list | ||
| - watch |
12 changes: 12 additions & 0 deletions
12
...system-authenticated-allowed-to-take-over-cluster/test/fail/input/clusterrolebinding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRoleBinding | ||
| metadata: | ||
| name: system:viewer | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: system:viewer | ||
| subjects: | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Group | ||
| name: system:authenticated |
1 change: 1 addition & 0 deletions
1
rules/system-authenticated-allowed-to-take-over-cluster/test/success/expected.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| [] |
26 changes: 26 additions & 0 deletions
26
rules/system-authenticated-allowed-to-take-over-cluster/test/success/input/rolebinding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRoleBinding | ||
| metadata: | ||
| name: system:viewer | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: system:viewer | ||
| subjects: | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Group | ||
| name: system:authenticated | ||
| --- | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: system:viewer | ||
| rules: | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - configmaps | ||
| verbs: | ||
| - get | ||
| - list | ||
| - watch |