Merge branch 'master' into SUB-2528_fix-C-0077-C-0076

Signed-off-by: Meital Rudnitsky <[email protected]>
kubescape · Oct 9, 2023 · 84c1ee5 · 84c1ee5
2 parents e7f4426 + 2dc0c6c
commit 84c1ee5
Show file tree

Hide file tree

Showing 17 changed files with 218 additions and 218 deletions.
diff --git a/rules/CVE-2021-25741/raw.rego b/rules/CVE-2021-25741/raw.rego
@@ -8,8 +8,8 @@ deny[msga] {
     pod := input[_]
     pod.kind == "Pod"
 	container := pod.spec.containers[i]
-	beggining_of_path := "spec."
-    final_path := is_sub_path_container(container, i, beggining_of_path)
+	start_of_path := "spec."
+    final_path := is_sub_path_container(container, i, start_of_path)
 
 	msga := {
 			"alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in pod : %v with subPath/subPathExpr", [container.name, pod.metadata.name]),
@@ -29,8 +29,8 @@ deny[msga] {
 	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
 	spec_template_spec_patterns[wl.kind]
     container := wl.spec.template.spec.containers[i]
-	beggining_of_path := "spec.template.spec."
-    final_path := is_sub_path_container(container, i, beggining_of_path)
+	start_of_path := "spec.template.spec."
+    final_path := is_sub_path_container(container, i, start_of_path)
 
 	msga := {
 	"alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]),
@@ -50,8 +50,8 @@ deny[msga] {
     wl := input[_]
 	wl.kind == "CronJob"
 	container = wl.spec.jobTemplate.spec.template.spec.containers[i]
-	beggining_of_path := "spec.jobTemplate.spec.template.spec."
-    final_path := is_sub_path_container(container, i, beggining_of_path)
+	start_of_path := "spec.jobTemplate.spec.template.spec."
+    final_path := is_sub_path_container(container, i, start_of_path)
 
 	msga := {
 		"alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]),
@@ -64,8 +64,8 @@ deny[msga] {
 
 
 
-is_sub_path_container(container, i, beggining_of_path) = path {
-	path = [sprintf("%vcontainers[%v].volumeMounts[%v].subPath" ,[beggining_of_path, format_int(i, 10), format_int(j, 10)]) | volume_mount = container.volumeMounts[j];  volume_mount.subPath]
+is_sub_path_container(container, i, start_of_path) = path {
+	path = [sprintf("%vcontainers[%v].volumeMounts[%v].subPath" ,[start_of_path, format_int(i, 10), format_int(j, 10)]) | volume_mount = container.volumeMounts[j];  volume_mount.subPath]
 	count(path) > 0
 }
 

diff --git a/rules/CVE-2022-0492/raw.rego b/rules/CVE-2022-0492/raw.rego
@@ -14,11 +14,11 @@ deny[msga] {
     container := pod.spec.containers[i]
 
 	# Path to send
-	beggining_of_path := "spec"
+	start_of_path := "spec"
 
 	# If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
@@ -28,10 +28,10 @@ deny[msga] {
     is_no_Seccomp_Container(container)
 
 	# Check if is running as root
-    alertInfo :=  evaluate_workload_non_root_container(container, pod, beggining_of_path)
+    alertInfo :=  evaluate_workload_non_root_container(container, pod, start_of_path)
 
 	# CAP_DAC_OVERRIDE will fail on second check
-	not isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+	not isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
     # Get paths
 	fixPath := get_fixed_path(alertInfo, i)
@@ -55,14 +55,14 @@ deny[msga] {
     wl := input[_]
 	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
 	spec_template_spec_patterns[wl.kind]
-	beggining_of_path := "spec.template.spec"
+	start_of_path := "spec.template.spec"
 
     pod := wl.spec.template
     container := pod.spec.containers[i]
 
     # If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
@@ -72,10 +72,10 @@ deny[msga] {
     is_no_Seccomp_Container(container)
 
 	# Check if is running as root
-    alertInfo :=  evaluate_workload_non_root_container(container, pod, beggining_of_path)
+    alertInfo :=  evaluate_workload_non_root_container(container, pod, start_of_path)
 
 	# CAP_DAC_OVERRIDE will fail on second check
-	not isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+	not isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
     # Get paths
 	fixPath := get_fixed_path(alertInfo, i)
@@ -98,14 +98,14 @@ deny[msga] {
 deny[msga] {
   	wl := input[_]
 	wl.kind == "CronJob"
-	beggining_of_path := "spec.jobTemplate.spec.template.spec"
+	start_of_path := "spec.jobTemplate.spec.template.spec"
 
 	pod := wl.spec.jobTemplate.spec.template
     container = pod.spec.containers[i]
 
    	# If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
@@ -115,10 +115,10 @@ deny[msga] {
     is_no_Seccomp_Container(container)
 
 	# Check if is running as root
-    alertInfo :=  evaluate_workload_non_root_container(container, pod, beggining_of_path)
+    alertInfo :=  evaluate_workload_non_root_container(container, pod, start_of_path)
 
 	# CAP_DAC_OVERRIDE will fail on second check
-	not isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+	not isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
     # Get paths
 	fixPath := get_fixed_path(alertInfo, i)
@@ -150,13 +150,13 @@ deny[msga] {
     pod.kind == "Pod"
     container := pod.spec.containers[i]
 
-	beggining_of_path := "spec."
+	start_of_path := "spec."
 
-    result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+    result := isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
 	# If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
     is_no_SELinux_container(container)
@@ -182,13 +182,13 @@ deny[msga] {
     pod := wl.spec.template
     container := pod.spec.containers[i]
 
-	beggining_of_path := "spec.template.spec."
+	start_of_path := "spec.template.spec."
 
-    result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+    result := isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
 	# If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
     is_no_SELinux_container(container)
@@ -213,13 +213,13 @@ deny[msga] {
     pod := wl.spec.jobTemplate.spec.template
     container = pod.spec.containers[i]
 
-	beggining_of_path := "spec.jobTemplate.spec.template.spec."
+	start_of_path := "spec.jobTemplate.spec.template.spec."
 
-   	result := isCAP_DAC_OVERRIDE(container, beggining_of_path, i)
+   	result := isCAP_DAC_OVERRIDE(container, start_of_path, i)
 
 	# If container is privileged or has CAP_SYS_ADMIN, pass
     not container.securityContext.privileged == true
-	not is_cap_sys_admin(container, beggining_of_path)
+	not is_cap_sys_admin(container, start_of_path)
 
 	is_no_SELinux_No_AppArmor_Pod(pod)
     is_no_SELinux_container(container)
@@ -240,15 +240,15 @@ deny[msga] {
 
 
 
-is_cap_sys_admin(container, beggining_of_path) {
+is_cap_sys_admin(container, start_of_path) {
 	capability = container.securityContext.capabilities.add[k]
     capability == "SYS_ADMIN"
 }
 
-isCAP_DAC_OVERRIDE(container, beggining_of_path, i) = path {
+isCAP_DAC_OVERRIDE(container, start_of_path, i) = path {
 	capability = container.securityContext.capabilities.add[k]
     capability == "DAC_OVERRIDE"
-    path = sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [beggining_of_path, format_int(i, 10), format_int(k, 10)]) 
+    path = sprintf("%vcontainers[%v].securityContext.capabilities.add[%v]", [start_of_path, format_int(i, 10), format_int(k, 10)]) 
 }
 
 
@@ -300,16 +300,16 @@ is_no_Seccomp_Container(container) {
 #################################################################################
 # Workload evaluation 
 
-evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertInfo {
-	runAsNonRootValue := get_run_as_non_root_value(container, pod, beggining_of_path)
+evaluate_workload_non_root_container(container, pod, start_of_path) = alertInfo {
+	runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path)
 	runAsNonRootValue.value == false
 
-	runAsUserValue := get_run_as_user_value(container, pod, beggining_of_path)
+	runAsUserValue := get_run_as_user_value(container, pod, start_of_path)
 	runAsUserValue.value == 0
 
 	alertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue)
 } else = alertInfo {
-    allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, beggining_of_path)
+    allowPrivilegeEscalationValue := get_allow_privilege_escalation(container, pod, start_of_path)
     allowPrivilegeEscalationValue.value == true
 
     alertInfo := allowPrivilegeEscalationValue
@@ -319,48 +319,48 @@ evaluate_workload_non_root_container(container, pod, beggining_of_path) = alertI
 #################################################################################
 
 # Checking for non-root and allowPrivilegeEscalation enabled
-get_run_as_non_root_value(container, pod, beggining_of_path) = runAsNonRoot {
-    failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) 
+get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot {
+    failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) 
     runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "failed_path" : failed_path, "fixPath": [] ,"defined" : true}
 } else = runAsNonRoot {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) 
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) 
     runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot,  "failed_path" : failed_path, "fixPath": [], "defined" : true}
 } else = {"value" : false,  "failed_path" : "", "fixPath": [{"path": "spec.securityContext.runAsNonRoot", "value":"true"}], "defined" : false} {
 	is_allow_privilege_escalation_field(container, pod)
-} else = {"value" : false,  "failed_path" : "", "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false}
+} else = {"value" : false,  "failed_path" : "", "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}, {"path":sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false}
 
-get_run_as_user_value(container, pod, beggining_of_path) = runAsUser {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [beggining_of_path]) 
+get_run_as_user_value(container, pod, start_of_path) = runAsUser {
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) 
     runAsUser := {"value" : container.securityContext.runAsUser,  "failed_path" : failed_path,  "fixPath": [], "defined" : true}
 } else = runAsUser {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [beggining_of_path]) 
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path]) 
     runAsUser := {"value" : pod.spec.securityContext.runAsUser,  "failed_path" : failed_path, "fixPath": [],"defined" : true}
-} else = {"value" : 0, "failed_path": "", "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"}],"defined" : false}{
+} else = {"value" : 0, "failed_path": "", "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}],"defined" : false}{
 	is_allow_privilege_escalation_field(container, pod)
 } else = {"value" : 0, "failed_path": "", 
-	"fixPath": [{"path":  sprintf("%v.securityContext.containers[container_ndx].runAsNonRoot", [beggining_of_path]), "value":"true"},{"path":  sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}],
+	"fixPath": [{"path":  sprintf("%v.securityContext.containers[container_ndx].runAsNonRoot", [start_of_path]), "value":"true"},{"path":  sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}],
 	"defined" : false}
 
-get_run_as_group_value(container, pod, beggining_of_path) = runAsGroup {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [beggining_of_path])
+get_run_as_group_value(container, pod, start_of_path) = runAsGroup {
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path])
     runAsGroup := {"value" : container.securityContext.runAsGroup,  "failed_path" : failed_path, "fixPath": [],"defined" : true}
 } else = runAsGroup {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [beggining_of_path])
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path])
     runAsGroup := {"value" : pod.spec.securityContext.runAsGroup,  "failed_path" : failed_path, "fixPath":[], "defined" : true}
 } else = {"value" : 0, "failed_path": "", "fixPath": [{"path": "spec.securityContext.runAsNonRoot", "value":"true"}], "defined" : false}{
 	is_allow_privilege_escalation_field(container, pod)
 } else = {"value" : 0, "failed_path": "", 
-	"fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [beggining_of_path]), "value":"true"},{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}],
+	"fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"},{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}],
  	"defined" : false
 }
 
-get_allow_privilege_escalation(container, pod, beggining_of_path) = allowPrivilegeEscalation {
-	failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [beggining_of_path])
+get_allow_privilege_escalation(container, pod, start_of_path) = allowPrivilegeEscalation {
+	failed_path := sprintf("%v.containers[container_ndx].securityContext.allowPrivilegeEscalation", [start_of_path])
     allowPrivilegeEscalation := {"value" : container.securityContext.allowPrivilegeEscalation,  "failed_path" : failed_path, "fixPath": [],"defined" : true}
 } else = allowPrivilegeEscalation {
-	failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path])
+	failed_path := sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path])
     allowPrivilegeEscalation := {"value" : pod.spec.securityContext.allowPrivilegeEscalation,  "failed_path" : failed_path, "fixPath": [],"defined" : true}
-} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [beggining_of_path]), "value":"false"}], "defined" : false}
+} else = {"value" : true, "failed_path": "", "fixPath": [{"path": sprintf("%v.securityContext.allowPrivilegeEscalation", [start_of_path]), "value":"false"}], "defined" : false}
 
 choose_first_if_defined(l1, l2) = c {
     l1.defined

diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego
@@ -6,8 +6,8 @@ deny[msga] {
     pod.kind == "Pod"
     volumes := pod.spec.volumes
     volume := volumes[i]
-	beggining_of_path := "spec."
-	result  := is_dangerous_volume(volume, beggining_of_path, i)
+	start_of_path := "spec."
+	result  := is_dangerous_volume(volume, start_of_path, i)
     podname := pod.metadata.name
 
 
@@ -31,8 +31,8 @@ deny[msga] {
 	spec_template_spec_patterns[wl.kind]
     volumes := wl.spec.template.spec.volumes
     volume := volumes[i]
-	beggining_of_path := "spec.template.spec."
-    result  := is_dangerous_volume(volume, beggining_of_path, i)
+	start_of_path := "spec.template.spec."
+    result  := is_dangerous_volume(volume, start_of_path, i)
 
 
 	msga := {
@@ -54,8 +54,8 @@ deny[msga] {
 	wl.kind == "CronJob"
     volumes := wl.spec.jobTemplate.spec.template.spec.volumes
     volume := volumes[i]
-	beggining_of_path := "spec.jobTemplate.spec.template.spec."
-    result  := is_dangerous_volume(volume, beggining_of_path, i)
+	start_of_path := "spec.jobTemplate.spec.template.spec."
+    result  := is_dangerous_volume(volume, start_of_path, i)
 	msga := {
 		"alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]),
 		"packagename": "armo_builtins",
@@ -69,7 +69,7 @@ deny[msga] {
 	}
 }
 
-is_dangerous_volume(volume, beggining_of_path, i) = path {
+is_dangerous_volume(volume, start_of_path, i) = path {
     volume.hostPath.path
-    path = sprintf("%vvolumes[%v].hostPath.path", [beggining_of_path, format_int(i, 10)])
+    path = sprintf("%vvolumes[%v].hostPath.path", [start_of_path, format_int(i, 10)])
 }
diff --git a/rules/alert-mount-potential-credentials-paths/raw.rego b/rules/alert-mount-potential-credentials-paths/raw.rego
@@ -9,8 +9,8 @@ deny[msga] {
 	volumes_data := get_volumes(resources)
     volumes := volumes_data["volumes"]
     volume := volumes[i]
-	beggining_of_path := volumes_data["beggining_of_path"]
-    result := is_unsafe_paths(volume, beggining_of_path, provider,i)
+	start_of_path := volumes_data["start_of_path"]
+    result := is_unsafe_paths(volume, start_of_path, provider,i)
 
 	msga := {
 		"alertMessage": sprintf("%v: %v has: %v as volume with potential credentials access.", [resources.kind, resources.metadata.name, volume.name]),
@@ -30,27 +30,27 @@ deny[msga] {
 get_volumes(resources) := result {
 	resources_kinds := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
 	resources_kinds[resources.kind]
-	result = {"volumes": resources.spec.template.spec.volumes, "beggining_of_path": "spec.template.spec."}
+	result = {"volumes": resources.spec.template.spec.volumes, "start_of_path": "spec.template.spec."}
 }
 
 # get_volume - get resource volumes paths for "Pod"
 get_volumes(resources) := result {
 	resources.kind == "Pod"
-	result = {"volumes": resources.spec.volumes, "beggining_of_path": "spec."}
+	result = {"volumes": resources.spec.volumes, "start_of_path": "spec."}
 }
 
 # get_volume - get resource volumes paths for "CronJob"
 get_volumes(resources) := result {
 	resources.kind == "CronJob"
-	result = {"volumes": resources.spec.jobTemplate.spec.template.spec.volumes, "beggining_of_path": "spec.jobTemplate.spec.template.spec."}
+	result = {"volumes": resources.spec.jobTemplate.spec.template.spec.volumes, "start_of_path": "spec.jobTemplate.spec.template.spec."}
 }
 
 
 # is_unsafe_paths - looking for cloud provider (eks/gke/aks) paths that have the potential of accessing credentials
-is_unsafe_paths(volume, beggining_of_path, provider, i) = result {
+is_unsafe_paths(volume, start_of_path, provider, i) = result {
 	unsafe :=  unsafe_paths(provider)
 	unsafe[_] == fix_path(volume.hostPath.path)
-	result= sprintf("%vvolumes[%d].hostPath.path", [beggining_of_path, i])
+	result= sprintf("%vvolumes[%d].hostPath.path", [start_of_path, i])
 }