diff --git a/rules/CVE-2021-25741/raw.rego b/rules/CVE-2021-25741/raw.rego index 76bde3f26..c32498a33 100644 --- a/rules/CVE-2021-25741/raw.rego +++ b/rules/CVE-2021-25741/raw.rego @@ -8,8 +8,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - final_path := is_sub_path_container(container, i, beggining_of_path) + start_of_path := "spec." + final_path := is_sub_path_container(container, i, start_of_path) msga := { "alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in pod : %v with subPath/subPathExpr", [container.name, pod.metadata.name]), @@ -29,8 +29,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - final_path := is_sub_path_container(container, i, beggining_of_path) + start_of_path := "spec.template.spec." + final_path := is_sub_path_container(container, i, start_of_path) msga := { "alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]), @@ -50,8 +50,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - final_path := is_sub_path_container(container, i, beggining_of_path) + start_of_path := "spec.jobTemplate.spec.template.spec." + final_path := is_sub_path_container(container, i, start_of_path) msga := { "alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]), @@ -64,8 +64,8 @@ deny[msga] { -is_sub_path_container(container, i, beggining_of_path) = path { - path = [sprintf("%vcontainers[%v].volumeMounts[%v].subPath" ,[beggining_of_path, format_int(i, 10), format_int(j, 10)]) | volume_mount = container.volumeMounts[j]; volume_mount.subPath] +is_sub_path_container(container, i, start_of_path) = path { + path = [sprintf("%vcontainers[%v].volumeMounts[%v].subPath" ,[start_of_path, format_int(i, 10), format_int(j, 10)]) | volume_mount = container.volumeMounts[j]; volume_mount.subPath] count(path) > 0 } diff --git a/rules/CVE-2022-0492/raw.rego b/rules/CVE-2022-0492/raw.rego index b6c4925af..64c2a42bb 100644 --- a/rules/CVE-2022-0492/raw.rego +++ b/rules/CVE-2022-0492/raw.rego @@ -14,11 +14,11 @@ deny[msga] { container := pod.spec.containers[i] # Path to send - beggining_of_path := "spec" + start_of_path := "spec" # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) @@ -28,10 +28,10 @@ deny[msga] { is_no_Seccomp_Container(container) # Check if is running as root - alertInfo := evaluate_workload_non_root_container(container, pod, beggining_of_path) + alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path) # CAP_DAC_OVERRIDE will fail on second check - not isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + not isCAP_DAC_OVERRIDE(container, start_of_path, i) # Get paths fixPath := get_fixed_path(alertInfo, i) @@ -55,14 +55,14 @@ deny[msga] { wl := input[_] spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] - beggining_of_path := "spec.template.spec" + start_of_path := "spec.template.spec" pod := wl.spec.template container := pod.spec.containers[i] # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) @@ -72,10 +72,10 @@ deny[msga] { is_no_Seccomp_Container(container) # Check if is running as root - alertInfo := evaluate_workload_non_root_container(container, pod, beggining_of_path) + alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path) # CAP_DAC_OVERRIDE will fail on second check - not isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + not isCAP_DAC_OVERRIDE(container, start_of_path, i) # Get paths fixPath := get_fixed_path(alertInfo, i) @@ -98,14 +98,14 @@ deny[msga] { deny[msga] { wl := input[_] wl.kind == "CronJob" - beggining_of_path := "spec.jobTemplate.spec.template.spec" + start_of_path := "spec.jobTemplate.spec.template.spec" pod := wl.spec.jobTemplate.spec.template container = pod.spec.containers[i] # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) @@ -115,10 +115,10 @@ deny[msga] { is_no_Seccomp_Container(container) # Check if is running as root - alertInfo := evaluate_workload_non_root_container(container, pod, beggining_of_path) + alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path) # CAP_DAC_OVERRIDE will fail on second check - not isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + not isCAP_DAC_OVERRIDE(container, start_of_path, i) # Get paths fixPath := get_fixed_path(alertInfo, i) @@ -150,13 +150,13 @@ deny[msga] { pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." + start_of_path := "spec." - result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + result := isCAP_DAC_OVERRIDE(container, start_of_path, i) # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) is_no_SELinux_container(container) @@ -182,13 +182,13 @@ deny[msga] { pod := wl.spec.template container := pod.spec.containers[i] - beggining_of_path := "spec.template.spec." + start_of_path := "spec.template.spec." - result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + result := isCAP_DAC_OVERRIDE(container, start_of_path, i) # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) is_no_SELinux_container(container) @@ -213,13 +213,13 @@ deny[msga] { pod := wl.spec.jobTemplate.spec.template container = pod.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." + start_of_path := "spec.jobTemplate.spec.template.spec." - result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i) + result := isCAP_DAC_OVERRIDE(container, start_of_path, i) # If container is privileged or has CAP_SYS_ADMIN, pass not container.securityContext.privileged == true - not is_cap_sys_admin(container, beggining_of_path) + not is_cap_sys_admin(container, start_of_path) is_no_SELinux_No_AppArmor_Pod(pod) is_no_SELinux_container(container) @@ -240,15 +240,15 @@ deny[msga] { -is_cap_sys_admin(container, beggining_of_path) { +is_cap_sys_admin(container, start_of_path) { capability = container.securityContext.capabilities.add[k] capability == "SYS_ADMIN" } -isCAP_DAC_OVERRIDE(container, beggining_of_path, i) = path { +isCAP_DAC_OVERRIDE(container, start_of_path, i) = path { capability = container.securityContext.capabilities.add[k] capability == "DAC_OVERRIDE" - path = sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) + path = sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) } @@ -300,16 +300,16 @@ is_no_Seccomp_Container(container) { ################################################################################# # Workload evaluation -evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertInfo { - runAsNonRootValue := get_run_as_non_root_value(container, pod, beggining_of_path) +evaluate_workload_non_root_container(container, pod, start_of_path) = alertInfo { + runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path) runAsNonRootValue.value == false - runAsUserValue := get_run_as_user_value(container, pod, beggining_of_path) + runAsUserValue := get_run_as_user_value(container, pod, start_of_path) runAsUserValue.value == 0 alertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue) } else = alertInfo { - allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, beggining_of_path) + allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, start_of_path) allowPrivilegeEscalationValue.value == true alertInfo := allowPrivilegeEscalationValue @@ -319,48 +319,48 @@ evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertI ################################################################################# # Checking for non-root and allowPrivilegeEscalation enabled -get_run_as_non_root_value(container, pod, beggining_of_path) = runAsNonRoot { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) +get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [] ,"defined" : true} } else = runAsNonRoot { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [], "defined" : true} } else = {"value" : false, "failed_path" : "", "fixPath": [{"path": "spec.securityContext.runAsNonRoot", "value":"true"}], "defined" : false} { is_allow_privilege_escalation_field(container, pod) -} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false} +} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} -get_run_as_user_value(container, pod, beggining_of_path) = runAsUser { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [beggining_of_path]) +get_run_as_user_value(container, pod, start_of_path) = runAsUser { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) runAsUser := {"value" : container.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [], "defined" : true} } else = runAsUser { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [beggining_of_path]) + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) runAsUser := {"value" : pod.spec.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [],"defined" : true} -} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"}],"defined" : false}{ +} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}],"defined" : false}{ is_allow_privilege_escalation_field(container, pod) } else = {"value" : 0, "failed_path": "", - "fixPath": [{"path": sprintf("%v.securityContext.containers[container_ndx].runAsNonRoot", [beggining_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], + "fixPath": [{"path": sprintf("%v.securityContext.containers[container_ndx].runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} -get_run_as_group_value(container, pod, beggining_of_path) = runAsGroup { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [beggining_of_path]) +get_run_as_group_value(container, pod, start_of_path) = runAsGroup { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]) runAsGroup := {"value" : container.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath": [],"defined" : true} } else = runAsGroup { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [beggining_of_path]) + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]) runAsGroup := {"value" : pod.spec.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath":[], "defined" : true} } else = {"value" : 0, "failed_path": "", "fixPath": [{"path": "spec.securityContext.runAsNonRoot", "value":"true"}], "defined" : false}{ is_allow_privilege_escalation_field(container, pod) } else = {"value" : 0, "failed_path": "", - "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"},{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], + "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false } -get_allow_privilege_escalation(container, pod, beggining_of_path) = allowPrivilegeEscalation { - failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]) +get_allow_privilege_escalation(container, pod, start_of_path) = allowPrivilegeEscalation { + failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]) allowPrivilegeEscalation := {"value" : container.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true} } else = allowPrivilegeEscalation { - failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]) + failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]) allowPrivilegeEscalation := {"value" : pod.spec.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true} -} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false} +} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} choose_first_if_defined(l1, l2) = c { l1.defined diff --git a/rules/K8s common labels usage/raw.rego b/rules/K8s common labels usage/raw.rego index 5531a1742..d9adb28e4 100644 --- a/rules/K8s common labels usage/raw.rego +++ b/rules/K8s common labels usage/raw.rego @@ -84,21 +84,21 @@ no_K8s_label_usage(wl, podSpec, beggining_of_pod_path) = path{ path := no_K8s_label_or_no_K8s_label_usage(wl, "") } -no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ +no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ not wl.metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } -no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ +no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } -no_K8s_label_or_no_K8s_label_usage(wl, beggining_of_path) = path{ +no_K8s_label_or_no_K8s_label_usage(wl, start_of_path) = path{ labels := wl.metadata.labels not all_kubernetes_labels(labels) - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } all_kubernetes_labels(labels){ diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego index 1815c20b5..581e43660 100644 --- a/rules/alert-any-hostpath/raw.rego +++ b/rules/alert-any-hostpath/raw.rego @@ -6,8 +6,8 @@ deny[msga] { pod.kind == "Pod" volumes := pod.spec.volumes volume := volumes[i] - beggining_of_path := "spec." - result := is_dangerous_volume(volume, beggining_of_path, i) + start_of_path := "spec." + result := is_dangerous_volume(volume, start_of_path, i) podname := pod.metadata.name @@ -31,8 +31,8 @@ deny[msga] { spec_template_spec_patterns[wl.kind] volumes := wl.spec.template.spec.volumes volume := volumes[i] - beggining_of_path := "spec.template.spec." - result := is_dangerous_volume(volume, beggining_of_path, i) + start_of_path := "spec.template.spec." + result := is_dangerous_volume(volume, start_of_path, i) msga := { @@ -54,8 +54,8 @@ deny[msga] { wl.kind == "CronJob" volumes := wl.spec.jobTemplate.spec.template.spec.volumes volume := volumes[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_dangerous_volume(volume, beggining_of_path, i) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_dangerous_volume(volume, start_of_path, i) msga := { "alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]), "packagename": "armo_builtins", @@ -69,7 +69,7 @@ deny[msga] { } } -is_dangerous_volume(volume, beggining_of_path, i) = path { +is_dangerous_volume(volume, start_of_path, i) = path { volume.hostPath.path - path = sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)]) + path = sprintf("%vvolumes[%v].hostPath.path", [start_of_path, format_int(i, 10)]) } \ No newline at end of file diff --git a/rules/alert-mount-potential-credentials-paths/raw.rego b/rules/alert-mount-potential-credentials-paths/raw.rego index 04fcc13e0..f28c15776 100644 --- a/rules/alert-mount-potential-credentials-paths/raw.rego +++ b/rules/alert-mount-potential-credentials-paths/raw.rego @@ -9,8 +9,8 @@ deny[msga] { volumes_data := get_volumes(resources) volumes := volumes_data["volumes"] volume := volumes[i] - beggining_of_path := volumes_data["beggining_of_path"] - result := is_unsafe_paths(volume, beggining_of_path, provider,i) + start_of_path := volumes_data["start_of_path"] + result := is_unsafe_paths(volume, start_of_path, provider,i) msga := { "alertMessage": sprintf("%v: %v has: %v as volume with potential credentials access.", [resources.kind, resources.metadata.name, volume.name]), @@ -30,27 +30,27 @@ deny[msga] { get_volumes(resources) := result { resources_kinds := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} resources_kinds[resources.kind] - result = {"volumes": resources.spec.template.spec.volumes, "beggining_of_path": "spec.template.spec."} + result = {"volumes": resources.spec.template.spec.volumes, "start_of_path": "spec.template.spec."} } # get_volume - get resource volumes paths for "Pod" get_volumes(resources) := result { resources.kind == "Pod" - result = {"volumes": resources.spec.volumes, "beggining_of_path": "spec."} + result = {"volumes": resources.spec.volumes, "start_of_path": "spec."} } # get_volume - get resource volumes paths for "CronJob" get_volumes(resources) := result { resources.kind == "CronJob" - result = {"volumes": resources.spec.jobTemplate.spec.template.spec.volumes, "beggining_of_path": "spec.jobTemplate.spec.template.spec."} + result = {"volumes": resources.spec.jobTemplate.spec.template.spec.volumes, "start_of_path": "spec.jobTemplate.spec.template.spec."} } # is_unsafe_paths - looking for cloud provider (eks/gke/aks) paths that have the potential of accessing credentials -is_unsafe_paths(volume, beggining_of_path, provider, i) = result { +is_unsafe_paths(volume, start_of_path, provider, i) = result { unsafe := unsafe_paths(provider) unsafe[_] == fix_path(volume.hostPath.path) - result= sprintf("%vvolumes[%d].hostPath.path", [beggining_of_path, i]) + result= sprintf("%vvolumes[%d].hostPath.path", [start_of_path, i]) } diff --git a/rules/alert-rw-hostpath/raw.rego b/rules/alert-rw-hostpath/raw.rego index fb5fdc2c2..96195abb3 100644 --- a/rules/alert-rw-hostpath/raw.rego +++ b/rules/alert-rw-hostpath/raw.rego @@ -11,8 +11,8 @@ deny[msga] { container := pod.spec.containers[i] volume_mount := container.volumeMounts[k] volume_mount.name == volume.name - beggining_of_path := "spec." - result := is_rw_mount(volume_mount, beggining_of_path, i, k) + start_of_path := "spec." + result := is_rw_mount(volume_mount, start_of_path, i, k) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -42,8 +42,8 @@ deny[msga] { container := wl.spec.template.spec.containers[i] volume_mount := container.volumeMounts[k] volume_mount.name == volume.name - beggining_of_path := "spec.template.spec." - result := is_rw_mount(volume_mount, beggining_of_path, i, k) + start_of_path := "spec.template.spec." + result := is_rw_mount(volume_mount, start_of_path, i, k) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -72,8 +72,8 @@ deny[msga] { container = wl.spec.jobTemplate.spec.template.spec.containers[i] volume_mount := container.volumeMounts[k] volume_mount.name == volume.name - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_rw_mount(volume_mount, beggining_of_path, i, k) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_rw_mount(volume_mount, start_of_path, i, k) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -101,15 +101,15 @@ get_fixed_path(paths) = [paths[1]] { } else = [] -is_rw_mount(mount, beggining_of_path, i, k) = [failed_path, fix_path] { +is_rw_mount(mount, start_of_path, i, k) = [failed_path, fix_path] { not mount.readOnly == true not mount.readOnly == false failed_path = "" - fix_path = {"path": sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [beggining_of_path, format_int(i, 10), format_int(k, 10)]), "value":"true"} + fix_path = {"path": sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [start_of_path, format_int(i, 10), format_int(k, 10)]), "value":"true"} } -is_rw_mount(mount, beggining_of_path, i, k) = [failed_path, fix_path] { +is_rw_mount(mount, start_of_path, i, k) = [failed_path, fix_path] { mount.readOnly == false - failed_path = sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) + failed_path = sprintf("%vcontainers[%v].volumeMounts[%v].readOnly", [start_of_path, format_int(i, 10), format_int(k, 10)]) fix_path = "" } \ No newline at end of file diff --git a/rules/automount-service-account/raw.rego b/rules/automount-service-account/raw.rego index 5a5d7a1a1..8b065df79 100644 --- a/rules/automount-service-account/raw.rego +++ b/rules/automount-service-account/raw.rego @@ -30,9 +30,9 @@ deny [msga]{ pod := input[_] pod.kind == "Pod" - beggining_of_path := "spec." + start_of_path := "spec." wl_namespace := pod.metadata.namespace - result := is_sa_auto_mounted(pod.spec, beggining_of_path, wl_namespace) + result := is_sa_auto_mounted(pod.spec, start_of_path, wl_namespace) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -54,10 +54,10 @@ deny[msga] { wl := input[_] spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] - beggining_of_path := "spec.template.spec." + start_of_path := "spec.template.spec." wl_namespace := wl.metadata.namespace - result := is_sa_auto_mounted(wl.spec.template.spec, beggining_of_path, wl_namespace) + result := is_sa_auto_mounted(wl.spec.template.spec, start_of_path, wl_namespace) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -79,10 +79,10 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." + start_of_path := "spec.jobTemplate.spec.template.spec." wl_namespace := wl.metadata.namespace - result := is_sa_auto_mounted(wl.spec.jobTemplate.spec.template.spec, beggining_of_path, wl.metadata) + result := is_sa_auto_mounted(wl.spec.jobTemplate.spec.template.spec, start_of_path, wl.metadata) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -102,7 +102,7 @@ deny[msga] { # -- ---- For workloads -- ---- -is_sa_auto_mounted(spec, beggining_of_path, wl_metadata) = [failed_path, fix_path] { +is_sa_auto_mounted(spec, start_of_path, wl_metadata) = [failed_path, fix_path] { # automountServiceAccountToken not in pod spec not spec.automountServiceAccountToken == false not spec.automountServiceAccountToken == true @@ -114,7 +114,7 @@ is_sa_auto_mounted(spec, beggining_of_path, wl_metadata) = [failed_path, fix_pat not sa.automountServiceAccountToken == false # path is pod spec - fix_path = { "path": sprintf("%vautomountServiceAccountToken", [beggining_of_path]), "value": "false"} + fix_path = { "path": sprintf("%vautomountServiceAccountToken", [start_of_path]), "value": "false"} failed_path = "" } @@ -127,7 +127,7 @@ get_fixed_path(paths) = [paths[1]] { paths[1] != "" } else = [] -is_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_path] { +is_sa_auto_mounted(spec, start_of_path, wl_namespace) = [failed_path, fix_path] { # automountServiceAccountToken set to true in pod spec spec.automountServiceAccountToken == true @@ -139,18 +139,18 @@ is_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_p is_same_namespace(sa.metadata , wl_namespace) not sa.automountServiceAccountToken == false - failed_path = sprintf("%vautomountServiceAccountToken", [beggining_of_path]) + failed_path = sprintf("%vautomountServiceAccountToken", [start_of_path]) fix_path = "" } -is_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_path] { +is_sa_auto_mounted(spec, start_of_path, wl_namespace) = [failed_path, fix_path] { # automountServiceAccountToken set to true in pod spec spec.automountServiceAccountToken == true # No SA (yaml scan) service_accounts := [service_account | service_account = input[_]; service_account.kind == "ServiceAccount"] count(service_accounts) == 0 - failed_path = sprintf("%vautomountServiceAccountToken", [beggining_of_path]) + failed_path = sprintf("%vautomountServiceAccountToken", [start_of_path]) fix_path = "" } diff --git a/rules/container-hostPort/raw.rego b/rules/container-hostPort/raw.rego index 736e42ce9..5892b9520 100644 --- a/rules/container-hostPort/raw.rego +++ b/rules/container-hostPort/raw.rego @@ -6,8 +6,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - path := is_host_port(container, i, beggining_of_path) + start_of_path := "spec." + path := is_host_port(container, i, start_of_path) msga := { "alertMessage": sprintf("Container: %v has Host-port", [ container.name]), "packagename": "armo_builtins", @@ -27,8 +27,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - path := is_host_port(container, i, beggining_of_path) + start_of_path := "spec.template.spec." + path := is_host_port(container, i, start_of_path) msga := { "alertMessage": sprintf("Container: %v in %v: %v has Host-port", [ container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", @@ -47,8 +47,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - path := is_host_port(container, i, beggining_of_path) + start_of_path := "spec.jobTemplate.spec.template.spec." + path := is_host_port(container, i, start_of_path) msga := { "alertMessage": sprintf("Container: %v in %v: %v has Host-port", [ container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", @@ -64,7 +64,7 @@ deny[msga] { -is_host_port(container, i, beggining_of_path) = path { - path = [sprintf("%vcontainers[%v].ports[%v].hostPort", [beggining_of_path, format_int(i, 10), format_int(j, 10)]) | port = container.ports[j]; port.hostPort] +is_host_port(container, i, start_of_path) = path { + path = [sprintf("%vcontainers[%v].ports[%v].hostPort", [start_of_path, format_int(i, 10), format_int(j, 10)]) | port = container.ports[j]; port.hostPort] count(path) > 0 } diff --git a/rules/immutable-container-filesystem/raw.rego b/rules/immutable-container-filesystem/raw.rego index f6fe8a320..6f2d9aaff 100644 --- a/rules/immutable-container-filesystem/raw.rego +++ b/rules/immutable-container-filesystem/raw.rego @@ -6,8 +6,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - result := is_mutable_filesystem(container, beggining_of_path, i) + start_of_path := "spec." + result := is_mutable_filesystem(container, start_of_path, i) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) msga := { @@ -28,8 +28,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - result := is_mutable_filesystem(container, beggining_of_path, i) + start_of_path := "spec.template.spec." + result := is_mutable_filesystem(container, start_of_path, i) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) msga := { @@ -50,8 +50,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_mutable_filesystem(container, beggining_of_path, i) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_mutable_filesystem(container, start_of_path, i) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -68,16 +68,16 @@ deny[msga] { } # Default of readOnlyRootFilesystem is false. This field is only in container spec and not pod spec -is_mutable_filesystem(container, beggining_of_path, i) = [failed_path, fixPath] { +is_mutable_filesystem(container, start_of_path, i) = [failed_path, fixPath] { container.securityContext.readOnlyRootFilesystem == false - failed_path = sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [beggining_of_path, format_int(i, 10)]) + failed_path = sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [start_of_path, format_int(i, 10)]) fixPath = "" } - is_mutable_filesystem(container, beggining_of_path, i) = [failed_path, fixPath] { + is_mutable_filesystem(container, start_of_path, i) = [failed_path, fixPath] { not container.securityContext.readOnlyRootFilesystem == false not container.securityContext.readOnlyRootFilesystem == true - fixPath = {"path": sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [beggining_of_path, format_int(i, 10)]), "value": "true"} + fixPath = {"path": sprintf("%vcontainers[%v].securityContext.readOnlyRootFilesystem", [start_of_path, format_int(i, 10)]), "value": "true"} failed_path = "" } diff --git a/rules/insecure-capabilities/raw.rego b/rules/insecure-capabilities/raw.rego index c7e07f372..ed946ce7f 100644 --- a/rules/insecure-capabilities/raw.rego +++ b/rules/insecure-capabilities/raw.rego @@ -6,8 +6,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - result := is_dangerous_capabilities(container, beggining_of_path, i) + start_of_path := "spec." + result := is_dangerous_capabilities(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in pod: %v have dangerous capabilities", [container.name, pod.metadata.name]), "packagename": "armo_builtins", @@ -26,8 +26,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - result := is_dangerous_capabilities(container, beggining_of_path, i) + start_of_path := "spec.template.spec." + result := is_dangerous_capabilities(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in workload: %v have dangerous capabilities", [container.name, wl.metadata.name]), "packagename": "armo_builtins", @@ -45,8 +45,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container := wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_dangerous_capabilities(container, beggining_of_path, i) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_dangerous_capabilities(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in cronjob: %v have dangerous capabilities", [container.name, wl.metadata.name]), "packagename": "armo_builtins", @@ -60,9 +60,9 @@ deny[msga] { } } -is_dangerous_capabilities(container, beggining_of_path, i) = path { +is_dangerous_capabilities(container, start_of_path, i) = path { # see default-config-inputs.json for list values insecureCapabilities := data.postureControlInputs.insecureCapabilities - path = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capability = container.securityContext.capabilities.add[k]; cautils.list_contains(insecureCapabilities, capability)] + path = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) | capability = container.securityContext.capabilities.add[k]; cautils.list_contains(insecureCapabilities, capability)] count(path) > 0 } \ No newline at end of file diff --git a/rules/label-usage-for-resources/raw.rego b/rules/label-usage-for-resources/raw.rego index 9c32ec293..e059dc7e1 100644 --- a/rules/label-usage-for-resources/raw.rego +++ b/rules/label-usage-for-resources/raw.rego @@ -82,21 +82,21 @@ no_label_usage(wl, podSpec, beggining_of_pod_path) = path{ path := no_label_or_no_label_usage(wl, "") } -no_label_or_no_label_usage(wl, beggining_of_path) = path{ +no_label_or_no_label_usage(wl, start_of_path) = path{ not wl.metadata - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } -no_label_or_no_label_usage(wl, beggining_of_path) = path{ +no_label_or_no_label_usage(wl, start_of_path) = path{ metadata := wl.metadata not metadata.labels - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } -no_label_or_no_label_usage(wl, beggining_of_path) = path{ +no_label_or_no_label_usage(wl, start_of_path) = path{ labels := wl.metadata.labels not is_desired_label(labels) - path = [{"path": sprintf("%vmetadata.labels", [beggining_of_path]), "value": "YOUR_VALUE"}] + path = [{"path": sprintf("%vmetadata.labels", [start_of_path]), "value": "YOUR_VALUE"}] } is_desired_label(labels) { diff --git a/rules/non-root-containers/raw.rego b/rules/non-root-containers/raw.rego index 33cdf29d2..08c6e74ae 100644 --- a/rules/non-root-containers/raw.rego +++ b/rules/non-root-containers/raw.rego @@ -8,8 +8,8 @@ deny[msga] { pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec" - alertInfo := evaluate_workload_non_root_container(container, pod, beggining_of_path) + start_of_path := "spec" + alertInfo := evaluate_workload_non_root_container(container, pod, start_of_path) fixPath := get_fixed_path(alertInfo, i) failed_path := get_failed_path(alertInfo, i) @@ -33,8 +33,8 @@ deny[msga] { spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec" - alertInfo := evaluate_workload_non_root_container(container, wl.spec.template, beggining_of_path) + start_of_path := "spec.template.spec" + alertInfo := evaluate_workload_non_root_container(container, wl.spec.template, start_of_path) fixPath := get_fixed_path(alertInfo, i) failed_path := get_failed_path(alertInfo, i) msga := { @@ -56,8 +56,8 @@ deny[msga] { wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec" - alertInfo := evaluate_workload_non_root_container(container, wl.spec.jobTemplate.spec.template, beggining_of_path) + start_of_path := "spec.jobTemplate.spec.template.spec" + alertInfo := evaluate_workload_non_root_container(container, wl.spec.jobTemplate.spec.template, start_of_path) fixPath := get_fixed_path(alertInfo, i) failed_path := get_failed_path(alertInfo, i) @@ -89,16 +89,16 @@ get_fixed_path(alertInfo, i) = [{"path":replace(alertInfo.fixPath[0].path,"conta ################################################################################# # Workload evaluation -evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertInfo { - runAsNonRootValue := get_run_as_non_root_value(container, pod, beggining_of_path) +evaluate_workload_non_root_container(container, pod, start_of_path) = alertInfo { + runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path) runAsNonRootValue.value == false - runAsUserValue := get_run_as_user_value(container, pod, beggining_of_path) + runAsUserValue := get_run_as_user_value(container, pod, start_of_path) runAsUserValue.value == 0 alertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue) } else = alertInfo { - allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, beggining_of_path) + allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, start_of_path) allowPrivilegeEscalationValue.value == true alertInfo := allowPrivilegeEscalationValue @@ -109,48 +109,48 @@ evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertI # Value resolution functions -get_run_as_non_root_value(container, pod, beggining_of_path) = runAsNonRoot { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) +get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [] ,"defined" : true} } else = runAsNonRoot { - failed_path := sprintf("%v.securityContext.runAsNonRoot", [beggining_of_path]) + failed_path := sprintf("%v.securityContext.runAsNonRoot", [start_of_path]) runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [], "defined" : true} -} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"}], "defined" : false} { +} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : false} { is_allow_privilege_escalation_field(container, pod) -} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false} +} else = {"value" : false, "failed_path" : "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} -get_run_as_user_value(container, pod, beggining_of_path) = runAsUser { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [beggining_of_path]) +get_run_as_user_value(container, pod, start_of_path) = runAsUser { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) runAsUser := {"value" : container.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [], "defined" : true} } else = runAsUser { - failed_path := sprintf("%v.securityContext.runAsUser", [beggining_of_path]) + failed_path := sprintf("%v.securityContext.runAsUser", [start_of_path]) runAsUser := {"value" : pod.spec.securityContext.runAsUser, "failed_path" : failed_path, "fixPath": [],"defined" : true} -} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"}],"defined" : false}{ +} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}],"defined" : false}{ is_allow_privilege_escalation_field(container, pod) } else = {"value" : 0, "failed_path": "", - "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], + "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} -get_run_as_group_value(container, pod, beggining_of_path) = runAsGroup { - failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [beggining_of_path]) +get_run_as_group_value(container, pod, start_of_path) = runAsGroup { + failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]) runAsGroup := {"value" : container.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath": [],"defined" : true} } else = runAsGroup { - failed_path := sprintf("%v.securityContext.runAsGroup", [beggining_of_path]) + failed_path := sprintf("%v.securityContext.runAsGroup", [start_of_path]) runAsGroup := {"value" : pod.spec.securityContext.runAsGroup, "failed_path" : failed_path, "fixPath":[], "defined" : true} -} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"}], "defined" : false}{ +} else = {"value" : 0, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : false}{ is_allow_privilege_escalation_field(container, pod) } else = {"value" : 0, "failed_path": "", - "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], + "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false } -get_allow_privilege_escalation(container, pod, beggining_of_path) = allowPrivilegeEscalation { - failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]) +get_allow_privilege_escalation(container, pod, start_of_path) = allowPrivilegeEscalation { + failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]) allowPrivilegeEscalation := {"value" : container.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true} } else = allowPrivilegeEscalation { - failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]) + failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]) allowPrivilegeEscalation := {"value" : pod.spec.securityContext.allowPrivilegeEscalation, "failed_path" : failed_path, "fixPath": [],"defined" : true} -} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false} +} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false} choose_first_if_defined(l1, l2) = c { l1.defined diff --git a/rules/resource-policies/raw.rego b/rules/resource-policies/raw.rego index 8b0e52c4e..b7859719e 100644 --- a/rules/resource-policies/raw.rego +++ b/rules/resource-policies/raw.rego @@ -8,8 +8,8 @@ deny[msga] { container := pod.spec.containers[i] - beggining_of_path := "spec." - fixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) + start_of_path := "spec." + fixPath := is_no_cpu_and_memory_limits_defined(container, start_of_path, i) msga := { @@ -34,8 +34,8 @@ deny[msga] { spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - fixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) + start_of_path := "spec.template.spec." + fixPath := is_no_cpu_and_memory_limits_defined(container, start_of_path, i) @@ -60,8 +60,8 @@ deny [msga] { wl.kind == "CronJob" container := wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - fixPath := is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) + start_of_path := "spec.jobTemplate.spec.template.spec." + fixPath := is_no_cpu_and_memory_limits_defined(container, start_of_path, i) msga := { "alertMessage": sprintf("there are no cpu and memory limits defined for container : %v", [container.name]), @@ -76,31 +76,31 @@ deny [msga] { } # no limits at all -is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath { +is_no_cpu_and_memory_limits_defined(container, start_of_path, i) = fixPath { not container.resources.limits - fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}, {"path": sprintf("%vcontainers[%v].resources.limits.memory", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] + fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}, {"path": sprintf("%vcontainers[%v].resources.limits.memory", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] } # only memory limit -is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath { +is_no_cpu_and_memory_limits_defined(container, start_of_path, i) = fixPath { container.resources.limits not container.resources.limits.cpu container.resources.limits.memory - fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] + fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] } # only cpu limit -is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) =fixPath { +is_no_cpu_and_memory_limits_defined(container, start_of_path, i) =fixPath { container.resources.limits not container.resources.limits.memory container.resources.limits.cpu - fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.memory", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] + fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.memory", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] failed_path = "" } # limits but without capu and memory -is_no_cpu_and_memory_limits_defined(container, beggining_of_path, i) = fixPath { +is_no_cpu_and_memory_limits_defined(container, start_of_path, i) = fixPath { container.resources.limits not container.resources.limits.memory not container.resources.limits.cpu - fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}, {"path": sprintf("%vcontainers[%v].resources.limits.memory", [beggining_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] + fixPath = [{"path": sprintf("%vcontainers[%v].resources.limits.cpu", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}, {"path": sprintf("%vcontainers[%v].resources.limits.memory", [start_of_path, format_int(i, 10)]), "value":"YOUR_VALUE"}] } \ No newline at end of file diff --git a/rules/rule-allow-privilege-escalation/raw.rego b/rules/rule-allow-privilege-escalation/raw.rego index 6b2a4c7d1..41cf0a6f2 100644 --- a/rules/rule-allow-privilege-escalation/raw.rego +++ b/rules/rule-allow-privilege-escalation/raw.rego @@ -6,8 +6,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - result := is_allow_privilege_escalation_container(container, i, beggining_of_path) + start_of_path := "spec." + result := is_allow_privilege_escalation_container(container, i, start_of_path) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -31,8 +31,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - result := is_allow_privilege_escalation_container(container, i, beggining_of_path) + start_of_path := "spec.template.spec." + result := is_allow_privilege_escalation_container(container, i, start_of_path) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -55,8 +55,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container = wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_allow_privilege_escalation_container(container, i, beggining_of_path) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_allow_privilege_escalation_container(container, i, start_of_path) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -75,16 +75,16 @@ deny[msga] { -is_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] { +is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] { not container.securityContext.allowPrivilegeEscalation == false not container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] count(psps) == 0 failed_path = "" - fixPath = {"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [beggining_of_path, format_int(i, 10)]), "value":"false"} + fixPath = {"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"} } -is_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] { +is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] { not container.securityContext.allowPrivilegeEscalation == false not container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] @@ -92,26 +92,26 @@ is_allow_privilege_escalation_container(container, i, beggining_of_path) = [fail psp := psps[_] not psp.spec.allowPrivilegeEscalation == false failed_path = "" - fixPath = {"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [beggining_of_path, format_int(i, 10)]), "value":"false"} + fixPath = {"path": sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]), "value":"false"} } -is_allow_privilege_escalation_container(container, i, beggining_of_path) = [failed_path, fixPath] { +is_allow_privilege_escalation_container(container, i, start_of_path) = [failed_path, fixPath] { container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] count(psps) == 0 fixPath = "" - failed_path = sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [beggining_of_path, format_int(i, 10)]) + failed_path = sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]) } -is_allow_privilege_escalation_container(container, i, beggining_of_path)= [failed_path, fixPath] { +is_allow_privilege_escalation_container(container, i, start_of_path)= [failed_path, fixPath] { container.securityContext.allowPrivilegeEscalation == true psps := [psp | psp= input[_]; psp.kind == "PodSecurityPolicy"] count(psps) > 0 psp := psps[_] not psp.spec.allowPrivilegeEscalation == false fixPath = "" - failed_path = sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [beggining_of_path, format_int(i, 10)]) + failed_path = sprintf("%vcontainers[%v].securityContext.allowPrivilegeEscalation", [start_of_path, format_int(i, 10)]) } get_failed_path(paths) = [paths[0]] { diff --git a/rules/rule-privileged-container/raw.rego b/rules/rule-privileged-container/raw.rego index 93369d29a..d48eef6c9 100644 --- a/rules/rule-privileged-container/raw.rego +++ b/rules/rule-privileged-container/raw.rego @@ -8,8 +8,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - path := isPrivilegedContainer(container, i, beggining_of_path) + start_of_path := "spec." + path := isPrivilegedContainer(container, i, start_of_path) msga := { "alertMessage": sprintf("the following pods are defined as privileged: %v", [pod.metadata.name]), @@ -31,8 +31,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - path := isPrivilegedContainer(container, i, beggining_of_path) + start_of_path := "spec.template.spec." + path := isPrivilegedContainer(container, i, start_of_path) msga := { "alertMessage": sprintf("%v: %v is defined as privileged:", [wl.kind, wl.metadata.name]), @@ -52,8 +52,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container := wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - path := isPrivilegedContainer(container, i, beggining_of_path) + start_of_path := "spec.jobTemplate.spec.template.spec." + path := isPrivilegedContainer(container, i, start_of_path) msga := { "alertMessage": sprintf("the following cronjobs are defined as privileged: %v", [wl.metadata.name]), @@ -70,24 +70,24 @@ deny[msga] { # Only SYS_ADMIN capabilite -isPrivilegedContainer(container, i, beggining_of_path) = path { +isPrivilegedContainer(container, i, start_of_path) = path { not container.securityContext.privileged == true - path = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] + path = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] count(path) > 0 } # Only securityContext.privileged == true -isPrivilegedContainer(container, i, beggining_of_path) = path { +isPrivilegedContainer(container, i, start_of_path) = path { container.securityContext.privileged == true - path1 = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] + path1 = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] count(path1) < 1 - path = [sprintf("%vcontainers[%v].securityContext.privileged", [beggining_of_path, format_int(i, 10)])] + path = [sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)])] } # SYS_ADMIN capabilite && securityContext.privileged == true -isPrivilegedContainer(container, i, beggining_of_path) = path { - path1 = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] +isPrivilegedContainer(container, i, start_of_path) = path { + path1 = [sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) | capabilite = container.securityContext.capabilities.add[k]; capabilite == "SYS_ADMIN"] count(path1) > 0 container.securityContext.privileged == true - path = array.concat(path1, [sprintf("%vcontainers[%v].securityContext.privileged", [beggining_of_path, format_int(i, 10)])]) + path = array.concat(path1, [sprintf("%vcontainers[%v].securityContext.privileged", [start_of_path, format_int(i, 10)])]) } \ No newline at end of file diff --git a/rules/serviceaccount-token-mount/filter.rego b/rules/serviceaccount-token-mount/filter.rego index 86fd95247..a0037a65d 100644 --- a/rules/serviceaccount-token-mount/filter.rego +++ b/rules/serviceaccount-token-mount/filter.rego @@ -2,7 +2,7 @@ package armo_builtins deny[msga] { wl := input[_] - beggining_of_path := get_beginning_of_path(wl) + start_of_path := get_beginning_of_path(wl) msga := { "alertMessage": sprintf("%v: %v in the following namespace: %v mounts service account tokens by default", [wl.kind, wl.metadata.name, wl.metadata.namespace]), @@ -15,18 +15,18 @@ deny[msga] { } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[workload.kind] - beggining_of_path := ["spec", "template", "spec"] + start_of_path := ["spec", "template", "spec"] } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { workload.kind == "Pod" - beggining_of_path := ["spec"] + start_of_path := ["spec"] } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { workload.kind == "CronJob" - beggining_of_path := ["spec", "jobTemplate", "spec", "template", "spec"] + start_of_path := ["spec", "jobTemplate", "spec", "template", "spec"] } \ No newline at end of file diff --git a/rules/serviceaccount-token-mount/raw.rego b/rules/serviceaccount-token-mount/raw.rego index 6ac6610af..ed77b666d 100644 --- a/rules/serviceaccount-token-mount/raw.rego +++ b/rules/serviceaccount-token-mount/raw.rego @@ -2,15 +2,15 @@ package armo_builtins deny[msga] { wl := input[_] - beggining_of_path := get_beginning_of_path(wl) - spec := object.get(wl, beggining_of_path, []) + start_of_path := get_beginning_of_path(wl) + spec := object.get(wl, start_of_path, []) sa := input[_] sa.kind == "ServiceAccount" is_same_sa(spec, sa.metadata.name) is_same_namespace(sa.metadata , wl.metadata) has_service_account_binding(sa) - result := is_sa_auto_mounted_and_bound(spec, beggining_of_path, sa) + result := is_sa_auto_mounted_and_bound(spec, start_of_path, sa) failed_path := get_failed_path(result) fixed_path := get_fixed_path(result) @@ -32,40 +32,40 @@ deny[msga] { } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[workload.kind] - beggining_of_path := ["spec", "template", "spec"] + start_of_path := ["spec", "template", "spec"] } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { workload.kind == "Pod" - beggining_of_path := ["spec"] + start_of_path := ["spec"] } -get_beginning_of_path(workload) = beggining_of_path { +get_beginning_of_path(workload) = start_of_path { workload.kind == "CronJob" - beggining_of_path := ["spec", "jobTemplate", "spec", "template", "spec"] + start_of_path := ["spec", "jobTemplate", "spec", "template", "spec"] } # -- ---- For workloads -- ---- -is_sa_auto_mounted_and_bound(spec, beggining_of_path, sa) = [failed_path, fix_path] { +is_sa_auto_mounted_and_bound(spec, start_of_path, sa) = [failed_path, fix_path] { # automountServiceAccountToken not in pod spec not spec.automountServiceAccountToken == false not spec.automountServiceAccountToken == true not sa.automountServiceAccountToken == false - fix_path = { "path": sprintf("%v.automountServiceAccountToken", [concat(".", beggining_of_path)]), "value": "false"} + fix_path = { "path": sprintf("%v.automountServiceAccountToken", [concat(".", start_of_path)]), "value": "false"} failed_path = "" } -is_sa_auto_mounted_and_bound(spec, beggining_of_path, sa) = [failed_path, fix_path] { +is_sa_auto_mounted_and_bound(spec, start_of_path, sa) = [failed_path, fix_path] { # automountServiceAccountToken set to true in pod spec spec.automountServiceAccountToken == true - failed_path = sprintf("%v.automountServiceAccountToken", [concat(".", beggining_of_path)]) + failed_path = sprintf("%v.automountServiceAccountToken", [concat(".", start_of_path)]) fix_path = "" } diff --git a/rules/sudo-in-container-entrypoint/raw.rego b/rules/sudo-in-container-entrypoint/raw.rego index 460ed0f20..097f36bc7 100644 --- a/rules/sudo-in-container-entrypoint/raw.rego +++ b/rules/sudo-in-container-entrypoint/raw.rego @@ -5,8 +5,8 @@ deny[msga] { pod := input[_] pod.kind == "Pod" container := pod.spec.containers[i] - beggining_of_path := "spec." - result := is_sudo_entrypoint(container, beggining_of_path, i) + start_of_path := "spec." + result := is_sudo_entrypoint(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in pod: %v have sudo in entrypoint", [container.name, pod.metadata.name]), "packagename": "armo_builtins", @@ -25,8 +25,8 @@ deny[msga] { spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"} spec_template_spec_patterns[wl.kind] container := wl.spec.template.spec.containers[i] - beggining_of_path := "spec.template.spec." - result := is_sudo_entrypoint(container, beggining_of_path, i) + start_of_path := "spec.template.spec." + result := is_sudo_entrypoint(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in %v: %v have sudo in entrypoint", [container.name, wl.kind, wl.metadata.name]), "packagename": "armo_builtins", @@ -44,8 +44,8 @@ deny[msga] { wl := input[_] wl.kind == "CronJob" container := wl.spec.jobTemplate.spec.template.spec.containers[i] - beggining_of_path := "spec.jobTemplate.spec.template.spec." - result := is_sudo_entrypoint(container, beggining_of_path, i) + start_of_path := "spec.jobTemplate.spec.template.spec." + result := is_sudo_entrypoint(container, start_of_path, i) msga := { "alertMessage": sprintf("container: %v in cronjob: %v have sudo in entrypoint", [container.name, wl.metadata.name]), "packagename": "armo_builtins", @@ -59,7 +59,7 @@ deny[msga] { } } -is_sudo_entrypoint(container, beggining_of_path, i) = path { - path = [sprintf("%vcontainers[%v].command[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) | command = container.command[k]; contains(command, "sudo")] +is_sudo_entrypoint(container, start_of_path, i) = path { + path = [sprintf("%vcontainers[%v].command[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) | command = container.command[k]; contains(command, "sudo")] count(path) > 0 }