Merge branch 'master' into doc-update
yuleib authored Oct 2, 2023
2 parents c6fb844 + 5d37795 commit 5a37e9c
Showing 67 changed files with 83 additions and 0 deletions.
1 change: 1 addition & 0 deletions rules/CVE-2021-25742/raw.rego
@@ -18,6 +18,7 @@ deny[msga] {
path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
msga := {
"alertMessage": sprintf("You may be vulnerable to CVE-2021-25742. Deployment %v", [deployment.metadata.name]),
"reviewPaths": [path],
"failedPaths": [path],
"fixPaths":[],
"alertObject": {"k8SApiObjects": [deployment]},
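Review bot: The new `"reviewPaths": [path]` line carries exactly the same value as the `"failedPaths": [path]` line kept beneath it, and nothing in the rule says which key a consumer should treat as canonical or whether `failedPaths` is being phased out. Two keys with identical content will drift the next time a path expression is edited, so a short comment above the `msga` literal such as `# reviewPaths/deletePaths classify the remediation; failedPaths is kept for backward compatibility` would record the intent, and the same duplication repeats in every other file section of this commit (CVE-2022-0185, CVE-2022-0492, CVE-2022-23648, CVE-2022-24348, CVE-2022-39328, CVE-2022-47633, drop-capability-netraw, the endpoints and endpointslice rules, and the control-plane hunks below). Unrelated to the addition but visible on the context line, `"alertObject": {"k8SApiObjects": [deployment]}` spells the key with a capital S while rules/drop-capability-netraw/raw.rego uses `"k8sApiObjects"`, so a consumer matching the lowercase form would silently lose this alert's object. The `deny[msga]` rule starts and ends outside the hunk.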
1 change: 1 addition & 0 deletions rules/CVE-2022-0185/raw.rego
@@ -34,6 +34,7 @@ deny[msga] {
"alertObject": {
"externalObjects": external_vector
},
"reviewPaths": ["kernelVersion"],
"failedPaths": ["kernelVersion"],
"fixPaths":[],
}
6 changes: 6 additions & 0 deletions rules/CVE-2022-0492/raw.rego
@@ -42,6 +42,7 @@ deny[msga] {
"alertMessage": "You may be vulnerable to CVE-2022-0492",
"packagename": "armo_builtins",
"alertScore": 4,
"reviewPaths": failed_path,
"failedPaths": failed_path,
"fixPaths": fixPath,
"alertObject": {
@@ -85,6 +86,7 @@ deny[msga] {
"alertMessage": "You may be vulnerable to CVE-2022-0492",
"packagename": "armo_builtins",
"alertScore": 4,
"reviewPaths": failed_path,
"failedPaths": failed_path,
"fixPaths": fixPath,
"alertObject": {
@@ -126,6 +128,7 @@ deny[msga] {
"alertMessage": "You may be vulnerable to CVE-2022-0492",
"packagename": "armo_builtins",
"alertScore": 4,
"reviewPaths": failed_path,
"failedPaths": failed_path,
"fixPaths": fixPath,
"alertObject": {
@@ -162,6 +165,7 @@ deny[msga] {
"alertMessage": "You may be vulnerable to CVE-2022-0492",
"packagename": "armo_builtins",
"alertScore": 4,
"deletePaths": [result],
"failedPaths": [result],
"fixPaths": [],
"alertObject": {
@@ -193,6 +197,7 @@ deny[msga] {
"alertMessage": "You may be vulnerable to CVE-2022-0492",
"packagename": "armo_builtins",
"alertScore": 4,
"deletePaths": [result],
"failedPaths": [result],
"fixPaths": [],
"alertObject": {
@@ -223,6 +228,7 @@ deny[msga] {
"alertMessage": "You may be vulnerable to CVE-2022-0492",
"packagename": "armo_builtins",
"alertScore": 4,
"deletePaths": [result],
"failedPaths": [result],
"fixPaths": [],
"alertObject": {
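Review bot: Within this one file the first three hunks add `"reviewPaths": failed_path` beside a populated `"fixPaths": fixPath`, while the last three add `"deletePaths": [result]` beside `"fixPaths": []`, and the criterion for picking one key over the other is stated nowhere in the file. It reads as "reviewPaths when a fix is offered, deletePaths when the only remedy is removing the path", but that is an inference from the visible values, so a one-line comment in the first `deny[msga]` body naming the rule would save the next editor from guessing. `deletePaths` also turns `result` into something a consumer may act on destructively; whatever computes `result` sits outside every hunk, so it is worth confirming it never yields an index-based path that becomes stale once an earlier entry on the same object is deleted. All six `deny[msga]` rules start and end outside their hunks.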
1 change: 1 addition & 0 deletions rules/CVE-2022-23648/raw.rego
@@ -20,6 +20,7 @@ deny[msga] {
"alertObject": {
"k8SApiObjects": [node]
},
"reviewPaths": [path],
"failedPaths": [path],
"fixPaths":[],
}
1 change: 1 addition & 0 deletions rules/CVE-2022-24348/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
msga := {
"alertMessage": "You may be vulnerable to CVE-2022-24348",
"reviewPaths": [path],
"failedPaths": [path],
"fixPaths":[],
"alertObject": {
1 change: 1 addition & 0 deletions rules/CVE-2022-39328/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
msga := {
"alertMessage": "You may be vulnerable to CVE-2022-39328",
"reviewPaths": [path],
"failedPaths": [path],
"fixPaths":[],
"alertObject": {
1 change: 1 addition & 0 deletions rules/CVE-2022-47633/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
msga := {
"alertMessage": "You may be vulnerable to CVE-2022-47633",
"reviewPaths": [path],
"failedPaths": [path],
"fixPaths":[],
"alertObject": {
3 changes: 3 additions & 0 deletions rules/drop-capability-netraw/raw.rego
@@ -19,6 +19,7 @@ deny[msga] {
"alertMessage": sprintf("Pod: %s does not drop the capability NET_RAW", [wl.metadata.name]),
"packagename": "armo_builtins",
"alertScore": 7,
"deletePaths": failedPaths,
"failedPaths": failedPaths,
"fixPaths": fixPaths,
"alertObject": {"k8sApiObjects": [wl]},
@@ -43,6 +44,7 @@ deny[msga] {
"alertMessage": sprintf("Workload: %v does not drop the capability NET_RAW", [wl.metadata.name]),
"packagename": "armo_builtins",
"alertScore": 7,
"deletePaths": failedPaths,
"failedPaths": failedPaths,
"fixPaths": fixPaths,
"alertObject": {"k8sApiObjects": [wl]},
@@ -66,6 +68,7 @@ deny[msga] {
"alertMessage": sprintf("Cronjob: %v does not drop the capability NET_RAW", [wl.metadata.name]),
"packagename": "armo_builtins",
"alertScore": 7,
"deletePaths": failedPaths,
"failedPaths": failedPaths,
"fixPaths": fixPaths,
"alertObject": {"k8sApiObjects": [wl]},
@@ -73,6 +73,7 @@ deny[msga] {
"alertMessage": "Ingress object has 'spec.tls' value not set.",
"packagename": "armo_builtins",
"alertScore": 7,
"reviewPaths": ["spec.tls"],
"failedPaths": ["spec.tls"],
"fixPaths":[],
"alertObject": {
1 change: 1 addition & 0 deletions rules/endpoints-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
"packagename": "armo_builtins",
"alertScore": 3,
"reviewPaths": failed_path,
"failedPaths": failed_path,
"fixPaths": fixed_path,
"alertObject": {
1 change: 1 addition & 0 deletions rules/endpointslice-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
"alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
"packagename": "armo_builtins",
"alertScore": 3,
"reviewPaths": failed_path,
"failedPaths": failed_path,
"fixPaths": fixed_path,
"alertObject": {
@@ -18,6 +18,7 @@ deny[msga] {
msga := {
"alertMessage": "kubelet client TLS authentication is not enabled",
"alertScore": 6,
"reviewPaths": ["authentication.x509.clientCAFile"],
"failedPaths": ["authentication.x509.clientCAFile"],
"fixPaths": [],
"packagename": "armo_builtins",
@@ -20,6 +20,7 @@ deny[msga] {
msga := {
"alertMessage": sprintf("%s: %v has for ServiceAccount 'default' rules bound to it that are not defaults", [wl.kind, wl.metadata.name]),
"packagename": "armo_builtins",
"deletePaths": [sprintf("subjects[%d]", [i])],
"failedPaths": [sprintf("subjects[%d]", [i])],
"fixPaths":[],
"alertScore": 7,
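Review bot: The added `"deletePaths": [sprintf("subjects[%d]", [i])]` repeats the `sprintf` already on the `failedPaths` line, and because the path is index-based a consumer that honours `deletePaths` can go wrong: if this rule yields one finding per offending subject, removing `subjects[0]` first shifts every later index and the remaining paths then point at the wrong entries, so deletions need to be applied from the highest index down (hedged, since the iteration over `i` is outside the hunk). At minimum bind the expression once, `path := sprintf("subjects[%d]", [i])`, and reference `path` from both `"deletePaths": [path],` and `"failedPaths": [path],`. The same duplicated `sprintf` appears in the later hunk whose message is `"the secure port is disabled"` (`spec.containers[0].command[%v]`). The file name is not shown on this page and the `deny[msga]` rule starts and ends outside the hunk.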
@@ -32,6 +32,7 @@ deny[msg] {
msg := {
"alertMessage": "The API server is not configured to use strong cryptographic ciphers",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "Admission control policy is not set to AlwaysPullImages",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -10,6 +10,7 @@ deny[msg] {
msg := {
"alertMessage": "The API server is not configured to limit the rate at which it accepts requests. This could lead to a denial of service attack",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "NodeRestriction is not enabled",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage":"The SecurityContextDeny addmission controller is not enabled. This could allow for privilege escalation in the cluster",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
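Review bot: The user-facing string on the context line directly above the added `reviewPaths` entry, `"alertMessage":"The SecurityContextDeny addmission controller is not enabled. ..."`, misspells "admission", and it is also the only `alertMessage` on this page written without a space after the colon. The commit touches the line right below it, so correcting the literal to `"alertMessage": "The SecurityContextDeny admission controller is not enabled. This could allow for privilege escalation in the cluster",` would be a cheap fix to fold in. The file name is not shown on this page and the `deny[msg]` rule starts and ends outside the hunk.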
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "admission control plugin DenyServiceExternalIPs is enabled. This is equal to turning off all admission controllers",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
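Review bot: The context line above the added `reviewPaths` entry reads `"admission control plugin DenyServiceExternalIPs is enabled. This is equal to turning off all admission controllers"`, which is the AlwaysAdmit wording from the other hunks on this page; enabling DenyServiceExternalIPs does not switch off admission control, so the message will mislead whoever reviews the path this commit now flags. The condition the rule evaluates is outside the hunk, so I cannot tell from here whether "is enabled" is the intended polarity either — worth checking against the rule body before the message is reworded. Three further sections on this page carry the identical `"admission control plugin AlwaysAdmit is enabled..."` message; their file names are not rendered, so if they are distinct rules each message should name the plugin it actually checks. The `deny[msg]` rule starts and ends outside the hunk.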
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "anonymous requests is enabled",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": result.alert,
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": result.alert,
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": result.alert,
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "kubernetes API Server is not audited",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "kubelet nodes can read objects that are not associated with them",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "RBAC is not enabled",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "AlwaysAllow authorization mode is enabled",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "API server communication is not encrypted properly",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "API server is not configured to use SSL Certificate Authority file for etcd",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "etcd is not configured to use TLS properly",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "TLS certificate authority file is not specified",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "certificate based kubelet authentication is not enabled",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "profiling is enabled. This could potentially be exploited to uncover system and program details.",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": result.alert,
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "the secure port is disabled",
"alertScore": 2,
"reviewPaths": [sprintf("spec.containers[0].command[%v]", [i])],
"failedPaths": [sprintf("spec.containers[0].command[%v]", [i])],
"fixPaths": [],
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "TLS certificate authority",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "anonymous requests is enabled",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "API server is not configured to serve only HTTPS traffic",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "API server TLS is not configured",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",
@@ -9,6 +9,7 @@ deny[msg] {
msg := {
"alertMessage": "`RotateKubeletServerCertificate` is set to false on the controller manager",
"alertScore": 2,
"reviewPaths": result.failed_paths,
"failedPaths": result.failed_paths,
"fixPaths": result.fix_paths,
"packagename": "armo_builtins",