Kubernetes check "Prevent binding to privileged ports" (AVD-KSV-0117) may be invalid

[dbowling]

IDs

AVD-KSV-0117

Description

I started to write this up as a Q&A discussion about why a check exists, but I've found it in the Kubernetes STIG as finding V-242414.

It seems that the validity of this check may not exist in a Kubernetes context; at least not from the containerPort spec that is being checked here: https://github.com/aquasecurity/trivy-checks/blame/f7972d6e5978b2d17b9aef3e0d2ccb714922fdb5/checks/kubernetes/pss/baseline/12_privileged_ports_binding.rego#L36-L39

Prevent binding to privileged ports (HIGH)
The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.

There is an open issue in Kubernetes to set the privilaged port sysctl to 0 since it makes no sense in a container. It looks like Docker already did this, and it is merged into the 2.0 release for containerd.

There appears to be consensus that it is not a valid security concern in Kubernetes pods. Perhaps Trivy should not be marking it as a HIGH finding any more?

Also, as a side note, the documentation didn't make this easy to dig into.

It points to the AVD documentation that links to the pod security standards docs in the Kubernetes documentation, but provides no other sources.

The Kubernetes documentation makes no mention of this as a best practice, even though the STIG does.

Reproduction Steps

1. create a manifest that includes a pod with a `containerPort` set to an int below 1024 (say, an nginx container with `containerPort: 80`
2. Scan with default Trivy settings

When using the table output, it gives the following:


HIGH: deployment nginx in default namespace should not set spec.template.spec.containers.ports.containerPort to less than 1024
════════════════════════════════════════
The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.

See https://avd.aquasec.com/misconfig/ksv117

### Target

Kubernetes

### Scanner

Misconfiguration

### Target OS

_No response_

### Debug Output

```bash
I'm running via the Github Action. Here's all the contents of the output when I run with --debug as an arg:

Run aquasecurity/[email protected]
  with:
    scan-type: config
    hide-progress: false
    format: table
    output: trivy.txt
    exit-code: 0
    severity: CRITICAL,HIGH
    args: --debug
    scan-ref: .
    ignore-unfixed: false
    vuln-type: os,library
    list-all-pkgs: false
/usr/bin/docker run --name b3dc9e330501cb77b2417fbbbb969099cffbe4_a334a4 --label b3dc9e --workdir /github/workspace --rm -e "INPUT_SCAN-TYPE" -e "INPUT_HIDE-PROGRESS" -e "INPUT_FORMAT" -e "INPUT_OUTPUT" -e "INPUT_EXIT-CODE" -e "INPUT_SEVERITY" -e "INPUT_ARGS" -e "INPUT_IMAGE-REF" -e "INPUT_INPUT" -e "INPUT_SCAN-REF" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_TEMPLATE" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_TIMEOUT" -e "INPUT_IGNORE-POLICY" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_SCANNERS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_TRIVY-CONFIG" -e "INPUT_TF-VARS" -e "INPUT_LIMIT-SEVERITIES-FOR-SARIF" -e "INPUT_DOCKER-HOST" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/devops/devops":"/github/workspace" b3dc9e:330501cb77b2417fbbbb969099cffbe4  "-a config" "-b table" "-c " "-d 0" "-e false" "-f os,library" "-g CRITICAL,HIGH" "-h trivy.txt" "-i " "-j ." "-k " "-l " "-m " "-n " "-o " "-p false" "-q " "-r false" "-s " "-t " "-u " "-v " "-x " "-z " "-y "
Running trivy with options: trivy config  --format table --exit-code  0 --severity  CRITICAL,HIGH --output  trivy.txt .
Global options:  
2024-10-09T18:41:16Z	INFO	Misconfiguration scanning is enabled
2024-10-09T18:41:16Z	INFO	Need to update the built-in policies
2024-10-09T18:41:16Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-10-09T18:41:19Z	INFO	Detected config files	num=10

### Version

```bash
Running via Github action, not locally, but this is the `from`: `aquasecurity/[email protected]`

The JSON output also shows this under the `runs.tool.driver.version`: `0.51.1`

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

@afdesk could you take a look?

[afdesk]

@dbowling thanks for the report! it's really useful.
let me take a look at this check.

[afdesk]

@dbowling thanks again for the report

I've created #7737 to track it.