
chore: add control info; fix: generation time #9

Merged
merged 1 commit into from
Apr 24, 2024

Conversation

DelusionalOptimist

Description

  • Adds control list from kubescape cache - ensures that only those controls which were actually run are added to the JSON
  • Adds correct generationTime
```json
... kubescape raw result
"summary": {
    "controls": [
        {
            "rulesIDs": [
                ""
            ],
            "guid": "",
            "name": "Prevent containers from allowing command execution",
            "attributes": {
                "microsoftMitreColumns": [
                    "Execution"
                ],
                "rbacQuery": "Show who can access into pods",
                "controlTypeTags": [
                    "compliance",
                    "security-impact"
                ]
            },
            "controlID": "C-0002",
            "creationTime": "",
            "description": "Attackers with relevant permissions can run malicious commands in the context of legitimate containers in the cluster using \"kubectl exec\" command. This control determines which subjects have permissions to use this command.",
            "remediation": "It is recommended to prohibit \"kubectl exec\" command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.",
            "rules": [
                {
                    "guid": "",
                    "name": "exec-into-container-v1",
                    "attributes": {
                        "m$K8sThreatMatrix": "Privilege Escalation::Exec into container",
                        "resourcesAggregator": "subject-role-rolebinding",
                        "useFromKubescapeVersion": "v1.0.133"
                    },
                    "creationTime": "",
                    "rule": "package armo_builtins\n\nimport future.keywords.in\n\n# input: regoResponseVectorObject\n# returns subjects that can exec into container\n\ndeny[msga] {\n\tsubjectVector := input[_]\n\trole := subjectVector.relatedObjects[i]\n\trolebinding := subjectVector.relatedObjects[j]\n\tendswith(role.kind, \"Role\")\n\tendswith(rolebinding.kind, \"Binding\")\n\n\trule := role.rules[p]\n\n\tsubject := rolebinding.subjects[k]\n\tis_same_subjects(subjectVector, subject)\n\n\trule_path := sprintf(\"relatedObjects[%d].rules[%d]\", [i, p])\n\n\tverbs := [\"create\", \"*\"]\n\tverb_path := [sprintf(\"%s.verbs[%d]\", [rule_path, l]) | verb = rule.verbs[l]; verb in verbs]\n\tcount(verb_path) > 0\n\n\tapi_groups := [\"\", \"*\"]\n\tapi_groups_path := [sprintf(\"%s.apiGroups[%d]\", [rule_path, a]) | apiGroup = rule.apiGroups[a]; apiGroup in api_groups]\n\tcount(api_groups_path) > 0\n\n\tresources := [\"pods/exec\", \"pods/*\", \"*\"]\n\tresources_path := [sprintf(\"%s.resources[%d]\", [rule_path, l]) | resource = rule.resources[l]; resource in resources]\n\tcount(resources_path) > 0\n\n\tpath := array.concat(resources_path, verb_path)\n\tpath2 := array.concat(path, api_groups_path)\n\tfinalpath := array.concat(path2, [\n\t\tsprintf(\"relatedObjects[%d].subjects[%d]\", [j, k]),\n\t\tsprintf(\"relatedObjects[%d].roleRef.name\", [j]),\n\t])\n\n\tmsga := {\n\t\t\"alertMessage\": sprintf(\"Subject: %s-%s can exec into containers\", [subjectVector.kind, subjectVector.name]),\n\t\t\"alertScore\": 9,\n\t\t\"packagename\": \"armo_builtins\",\n\t\t\"reviewPaths\": finalpath,\n\t\t\"failedPaths\": finalpath,\n\t\t\"fixPaths\": [],\n\t\t\"alertObject\": {\n\t\t\t\"k8sApiObjects\": [],\n\t\t\t\"externalObjects\": subjectVector,\n\t\t},\n\t}\n}\n\n# for service accounts\nis_same_subjects(subjectVector, subject) {\n\tsubjectVector.kind == subject.kind\n\tsubjectVector.name == subject.name\n\tsubjectVector.namespace == subject.namespace\n}\n\n# for users/ groups\nis_same_subjects(subjectVector, subject) {\n\tsubjectVector.kind == subject.kind\n\tsubjectVector.name == subject.name\n\tsubjectVector.apiGroup == subject.apiGroup\n}\n",
                    "resourceEnumerator": "",
                    "ruleLanguage": "Rego",
                    "match": [
                        {
                            "apiGroups": [
                                "rbac.authorization.k8s.io"
                            ],
                            "apiVersions": [
                                "v1"
                            ],
                            "resources": [
                                "RoleBinding",
                                "ClusterRoleBinding",
                                "Role",
                                "ClusterRole"
                            ]
                        }
                    ],
                    "ruleDependencies": [],
                    "controlConfigInputs": null,
                    "description": "determines which users have permissions to exec into pods",
                    "remediation": "",
                    "ruleQuery": "armo_builtins",
                    "relevantCloudProviders": null
                }
            ],
            "baseScore": 5,
            "scanningScope": {
                "matches": [
                    "cluster",
                    "file"
                ]
            },
            "category": {
                "name": "Access control",
                "id": "Cat-2"
            }
        },
        ...... so on for each control
    ]
},
"accuknox_metadata": {
    "cluster_name": "default",
    "label_name": "default"
}
```

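As an added consumer-side check (not code from this PR, kubescape or the accuknox project) over the report shape shown in the description: it loads a constructed report, parses generationTime as a timezone-aware timestamp, and flags controls that lack the fields a downstream parser relies on, reuse a controlID, or carry no rules. Placing generationTime at the top level of the report is an assumption; the page does not show where the field lands.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape the PR describes (summary.controls plus accuknox_metadata).
# Top-level "generationTime" is an assumption; the PR page does not show where it lands.
SAMPLE_REPORT = json.dumps({
    "generationTime": "2024-04-24T10:15:00Z",
    "summary": {"controls": [
        {"controlID": "C-0002", "baseScore": 5,
         "name": "Prevent containers from allowing command execution",
         "attributes": {"microsoftMitreColumns": ["Execution"],
                        "controlTypeTags": ["compliance", "security-impact"]},
         "rules": [{"name": "exec-into-container-v1", "ruleLanguage": "Rego"}],
         "category": {"name": "Access control", "id": "Cat-2"}},
        # second entry deliberately reuses C-0002 and carries no rules
        {"controlID": "C-0002", "name": "dup", "baseScore": 5, "attributes": {},
         "rules": [], "category": {"name": "Access control", "id": "Cat-2"}},
    ]},
    "accuknox_metadata": {"cluster_name": "default", "label_name": "default"},
})
REQUIRED = ("controlID", "name", "baseScore", "rules", "category")

def load_report(text):
    return json.loads(text)

def parse_generation_time(report):
    """generationTime as an aware UTC datetime; reject missing or naive values."""
    raw = report.get("generationTime")
    if not raw:
        raise ValueError("report has no generationTime")
    ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("generationTime must carry a timezone offset")
    return ts.astimezone(timezone.utc)

def check_controls(report):
    """List problems in summary.controls (empty list means clean): missing fields, duplicate IDs, no rules."""
    problems, seen = [], set()
    for idx, ctrl in enumerate(report.get("summary", {}).get("controls", [])):
        missing = [k for k in REQUIRED if k not in ctrl]
        if missing:
            problems.append(f"controls[{idx}]: missing {','.join(missing)}")
            continue
        cid = ctrl["controlID"]
        if cid in seen:
            problems.append(f"controls[{idx}]: duplicate controlID {cid}")
        seen.add(cid)
        if not ctrl["rules"]:
            problems.append(f"controls[{idx}]: {cid} has no rules")
    return problems
```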
@DelusionalOptimist

Please don't merge right now... need to add some additional fields requested by parser team. Thanks.

@DelusionalOptimist

@Shreyas220 PR updated.

@DelusionalOptimist DelusionalOptimist merged commit 35c6335 into accuknox:main Apr 24, 2024
9 checks passed