From 26f2a878e4307d72b8a58f3c55f13f0d08b878e9 Mon Sep 17 00:00:00 2001 From: YiscahLevySilas1 Date: Sun, 1 Oct 2023 23:37:00 +0300 Subject: [PATCH 1/3] add delete / review paths 
Signed-off-by: YiscahLevySilas1 --- rules/CVE-2021-25742/raw.rego | 1 + rules/CVE-2022-0185/raw.rego | 1 + rules/CVE-2022-0492/raw.rego | 6 ++++++ rules/CVE-2022-23648/raw.rego | 1 + rules/CVE-2022-24348/raw.rego | 1 + rules/CVE-2022-39328/raw.rego | 1 + rules/CVE-2022-47633/raw.rego | 1 + rules/drop-capability-netraw/raw.rego | 3 +++ .../raw.rego | 1 + rules/endpoints-in-default-namespace/raw.rego | 1 + rules/endpointslice-in-default-namespace/raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + .../raw.rego | 1 + rules/etcd-auto-tls-disabled/raw.rego | 1 + rules/etcd-client-auth-cert/raw.rego | 1 + rules/etcd-peer-auto-tls-disabled/raw.rego | 1 + rules/etcd-peer-client-auth-cert/raw.rego | 1 + rules/etcd-peer-tls-enabled/raw.rego | 1 + rules/etcd-tls-enabled/raw.rego | 1 + rules/etcd-unique-ca/raw.rego | 1 + rules/excessive_amount_of_vulnerabilities_pods/raw.rego | 1 + rules/exec-into-container-v1/raw.rego | 1 + rules/exec-into-container/raw.rego | 1 + rules/exposed-critical-pods/raw.rego | 1 + rules/exposed-rce-pods/raw.rego | 1 + rules/exposed-sensitive-interfaces-v1/raw.rego | 3 +++ rules/exposed-sensitive-interfaces/raw.rego | 3 +++ 65 files changed, 76 insertions(+) 
diff --git a/rules/CVE-2021-25742/raw.rego b/rules/CVE-2021-25742/raw.rego
index 0b1cb9105..70f3e2371 100644
--- a/rules/CVE-2021-25742/raw.rego
+++ b/rules/CVE-2021-25742/raw.rego
@@ -18,6 +18,7 @@ deny[msga] {
 path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
 msga := {
 "alertMessage": sprintf("You may be vulnerable to CVE-2021-25742. Deployment %v", [deployment.metadata.name]),
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "alertObject": {"k8SApiObjects": [deployment]},
diff --git a/rules/CVE-2022-0185/raw.rego b/rules/CVE-2022-0185/raw.rego
index 99e3d8c8c..d2ceb85d1 100644
--- a/rules/CVE-2022-0185/raw.rego
+++ b/rules/CVE-2022-0185/raw.rego
@@ -34,6 +34,7 @@ deny[msga] {
 "alertObject": {
 "externalObjects": external_vector
 },
+ "reviewPaths": ["kernelVersion"],
 "failedPaths": ["kernelVersion"],
 "fixPaths":[],
 }
diff --git a/rules/CVE-2022-0492/raw.rego b/rules/CVE-2022-0492/raw.rego
index c60062a2a..b6c4925af 100644
--- a/rules/CVE-2022-0492/raw.rego
+++ b/rules/CVE-2022-0492/raw.rego
@@ -42,6 +42,7 @@ deny[msga] {
 "alertMessage": "You may be vulnerable to CVE-2022-0492",
 "packagename": "armo_builtins",
 "alertScore": 4,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixPath,
 "alertObject": {
@@ -85,6 +86,7 @@ deny[msga] {
 "alertMessage": "You may be vulnerable to CVE-2022-0492",
 "packagename": "armo_builtins",
 "alertScore": 4,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixPath,
 "alertObject": {
@@ -126,6 +128,7 @@ deny[msga] {
 "alertMessage": "You may be vulnerable to CVE-2022-0492",
 "packagename": "armo_builtins",
 "alertScore": 4,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixPath,
 "alertObject": {
@@ -162,6 +165,7 @@ deny[msga] {
 "alertMessage": "You may be vulnerable to CVE-2022-0492",
 "packagename": "armo_builtins",
 "alertScore": 4,
+ "deletePaths": [result],
 "failedPaths": [result],
 "fixPaths": [],
 "alertObject": {
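Review bot: The `alertObject` key on the last context line of the CVE-2021-25742 hunk is spelled `k8SApiObjects` (capital S), while the drop-capability-netraw hunks further down this page use `k8sApiObjects`; the same capitalised spelling appears in the CVE-2022-23648 hunk. If the consumer looks the object up under the lower-case key, these two rules' alerts carry no object, and the new `reviewPaths` would be reported without the deployment it belongs to. The text is pre-existing, but this commit edits the same object, so the line should become `"alertObject": {"k8sApiObjects": [deployment]},`. The enclosing deny rule starts and ends outside the hunk.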
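Review bot: The CVE-2022-0492 hunks at -42, -85 and -126 add `reviewPaths` next to a populated `fixPaths`, while the hunks at -162, -193 and -223 (the last two continue on the next page line) add `deletePaths` next to an empty `fixPaths`, and nothing in the file says what distinguishes the two new keys or why `failedPaths` is kept alongside each of them. Presumably `failedPaths` is retained for consumers that predate the new keys; a short comment on the first msga object stating that, e.g. `# failedPaths is kept for older consumers; reviewPaths/deletePaths carry the same path plus the intended action`, would keep a later edit from dropping one of the duplicated values. The enclosing deny rules start before their hunks.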
@@ -193,6 +197,7 @@ deny[msga] {
 "alertMessage": "You may be vulnerable to CVE-2022-0492",
 "packagename": "armo_builtins",
 "alertScore": 4,
+ "deletePaths": [result],
 "failedPaths": [result],
 "fixPaths": [],
 "alertObject": {
@@ -223,6 +228,7 @@ deny[msga] {
 "alertMessage": "You may be vulnerable to CVE-2022-0492",
 "packagename": "armo_builtins",
 "alertScore": 4,
+ "deletePaths": [result],
 "failedPaths": [result],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/CVE-2022-23648/raw.rego b/rules/CVE-2022-23648/raw.rego
index a2b603fae..d532fa76c 100644
--- a/rules/CVE-2022-23648/raw.rego
+++ b/rules/CVE-2022-23648/raw.rego
@@ -20,6 +20,7 @@ deny[msga] {
 "alertObject": {
 "k8SApiObjects": [node]
 },
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 }
diff --git a/rules/CVE-2022-24348/raw.rego b/rules/CVE-2022-24348/raw.rego
index 313b6690f..fc377eb88 100644
--- a/rules/CVE-2022-24348/raw.rego
+++ b/rules/CVE-2022-24348/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
 msga := {
 "alertMessage": "You may be vulnerable to CVE-2022-24348",
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/CVE-2022-39328/raw.rego b/rules/CVE-2022-39328/raw.rego
index 3f00195a6..23de03547 100644
--- a/rules/CVE-2022-39328/raw.rego
+++ b/rules/CVE-2022-39328/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
 msga := {
 "alertMessage": "You may be vulnerable to CVE-2022-39328",
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/CVE-2022-47633/raw.rego b/rules/CVE-2022-47633/raw.rego
index e34d887dc..b4a81a57d 100644
--- a/rules/CVE-2022-47633/raw.rego
+++ b/rules/CVE-2022-47633/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 path := sprintf("spec.template.spec.containers[%v].image", [format_int(i, 10)])
 msga := {
 "alertMessage": "You may be vulnerable to CVE-2022-47633",
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/drop-capability-netraw/raw.rego b/rules/drop-capability-netraw/raw.rego
index 4268e3e75..549f5ecc9 100644
--- a/rules/drop-capability-netraw/raw.rego
+++ b/rules/drop-capability-netraw/raw.rego
@@ -19,6 +19,7 @@ deny[msga] {
 "alertMessage": sprintf("Pod: %s does not drop the capability NET_RAW", [wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": failedPaths,
 "failedPaths": failedPaths,
 "fixPaths": fixPaths,
 "alertObject": {"k8sApiObjects": [wl]},
@@ -43,6 +44,7 @@ deny[msga] {
 "alertMessage": sprintf("Workload: %v does not drop the capability NET_RAW", [wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": failedPaths,
 "failedPaths": failedPaths,
 "fixPaths": fixPaths,
 "alertObject": {"k8sApiObjects": [wl]},
@@ -66,6 +68,7 @@ deny[msga] {
 "alertMessage": sprintf("Cronjob: %v does not drop the capability NET_RAW", [wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": failedPaths,
 "failedPaths": failedPaths,
 "fixPaths": fixPaths,
 "alertObject": {"k8sApiObjects": [wl]},
diff --git a/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/raw.rego b/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/raw.rego
index f58245d85..27f199b6d 100644
--- a/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/raw.rego
+++ b/rules/encrypt-traffic-to-https-load-balancers-with-tls-certificates/raw.rego
@@ -73,6 +73,7 @@ deny[msga] {
 "alertMessage": "Ingress object has 'spec.tls' value not set.",
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": ["spec.tls"],
 "failedPaths": ["spec.tls"],
 "fixPaths":[],
 "alertObject": {
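Review bot: In the three drop-capability-netraw hunks the new `deletePaths` is set to `failedPaths` while `fixPaths` is also populated, whereas every `deletePaths` added in CVE-2022-0492 sits next to an empty `fixPaths`; if the consumer treats deletePaths and fixPaths as alternative remediations, the hunk does not show which one applies here. If the intent is that the entry at `failedPaths` is removed and the fix path adds the NET_RAW drop, a one-line comment above the added line, e.g. `# deletePaths removes the offending capability entry; fixPaths adds the NET_RAW drop`, would make that explicit in all three places. The enclosing deny rules start before the hunks.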
diff --git a/rules/endpoints-in-default-namespace/raw.rego b/rules/endpoints-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/endpoints-in-default-namespace/raw.rego
+++ b/rules/endpoints-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/endpointslice-in-default-namespace/raw.rego b/rules/endpointslice-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/endpointslice-in-default-namespace/raw.rego
+++ b/rules/endpointslice-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego b/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego
index e63ef3daa..1a02aa859 100644
--- a/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego
+++ b/rules/enforce-kubelet-client-tls-authentication-updated/raw.rego
@@ -18,6 +18,7 @@ deny[msga] {
 msga := {
 "alertMessage": "kubelet client TLS authentication is not enabled",
 "alertScore": 6,
+ "reviewPaths": ["authentication.x509.clientCAFile"],
 "failedPaths": ["authentication.x509.clientCAFile"],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/ensure-default-service-accounts-has-only-default-roles/raw.rego b/rules/ensure-default-service-accounts-has-only-default-roles/raw.rego
index 7da55af19..b9a7cbc0a 100644
--- a/rules/ensure-default-service-accounts-has-only-default-roles/raw.rego
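Review bot: The index lines for endpoints-in-default-namespace and endpointslice-in-default-namespace show the same blob ids before and after the change (716352f01..de13fc0b6), so the two raw.rego files are byte-identical copies and the same `reviewPaths` line had to be added to each by hand. If the two rules are meant to stay identical, a comment at the top of each naming the other as its twin, or a single shared rule, would keep edits like this one from drifting apart. The enclosing deny rules start outside the hunks.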
+++ b/rules/ensure-default-service-accounts-has-only-default-roles/raw.rego
@@ -20,6 +20,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("%s: %v has for ServiceAccount 'default' rules bound to it that are not defaults", [wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [sprintf("subjects[%d]", [i])],
 "failedPaths": [sprintf("subjects[%d]", [i])],
 "fixPaths":[],
 "alertScore": 7,
diff --git a/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/raw.rego b/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/raw.rego
index 6f54fb5d4..8d297f7aa 100644
--- a/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/raw.rego
+++ b/rules/ensure-that-the-API-Server-only-makes-use-of-Strong-Cryptographic-Ciphers/raw.rego
@@ -32,6 +32,7 @@ deny[msg] {
 msg := {
 "alertMessage": "The API server is not configured to use strong cryptographic ciphers",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/raw.rego b/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/raw.rego
index 6b1d5d7cc..6e4f6ff74 100644
--- a/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/raw.rego
+++ b/rules/ensure-that-the-admission-control-plugin-AlwaysAdmit-is-not-set/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
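Review bot: The new `deletePaths` line in ensure-default-service-accounts-has-only-default-roles repeats the `sprintf("subjects[%d]", [i])` expression that `failedPaths` already evaluates on the next line, so the two paths can drift apart on a later edit; the secure-port hunk further down the page duplicates `sprintf("spec.containers[0].command[%v]", [i])` in the same way. Bind the path once before the object, `subject_path := sprintf("subjects[%d]", [i])`, and write `"deletePaths": [subject_path],` and `"failedPaths": [subject_path],`. The enclosing deny rule starts before the hunk.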
diff --git a/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/raw.rego b/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/raw.rego
index e70d5c639..028520afd 100644
--- a/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/raw.rego
+++ b/rules/ensure-that-the-admission-control-plugin-AlwaysPullImages-is-set/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "Admission control policy is not set to AlwaysPullImages",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/raw.rego b/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/raw.rego
index 6bf11a368..90917a7ac 100644
--- a/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/raw.rego
+++ b/rules/ensure-that-the-admission-control-plugin-EventRateLimit-is-set/raw.rego
@@ -10,6 +10,7 @@ deny[msg] {
 msg := {
 "alertMessage": "The API server is not configured to limit the rate at which it accepts requests. This could lead to a denial of service attack",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/raw.rego b/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/raw.rego
index 637d86233..8c0ff3571 100644
--- a/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/raw.rego
+++ b/rules/ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/raw.rego b/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/raw.rego
index fab0aa34f..7936fcc46 100644
--- a/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/raw.rego
+++ b/rules/ensure-that-the-admission-control-plugin-NodeRestriction-is-set/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "NodeRestriction is not enabled",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/raw.rego b/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/raw.rego
index 95798a338..691b95940 100644
--- a/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/raw.rego
+++ b/rules/ensure-that-the-admission-control-plugin-SecurityContextDeny-is-set-if-PodSecurityPolicy-is-not-used/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage":"The SecurityContextDeny addmission controller is not enabled. This could allow for privilege escalation in the cluster",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/raw.rego b/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/raw.rego
index 46c483780..498c327bf 100644
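Review bot: The `alertMessage` context line in ensure-that-the-admission-control-plugin-NamespaceLifecycle-is-set reports that AlwaysAdmit is enabled, which is the text of the AlwaysAdmit rule rather than of this one; the ServiceAccount-is-set and DenyServiceExternalIPs hunks on the next page line, the service-account-lookup and token-auth-file hunks, and the service-account-key-file hunk (`"TLS certificate authority"`) carry similarly mismatched or truncated messages, and the SecurityContextDeny message in this line spells `addmission`. Now that `reviewPaths` points a reader at the flagged path, a message naming the wrong plugin sends that review in the wrong direction. For this hunk the line should read `"alertMessage": "admission control plugin NamespaceLifecycle is not enabled",`, and each of the others should name the argument its rule actually checks. The text is pre-existing, but these objects are being edited here. The enclosing deny rules start before the hunks.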
--- a/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/raw.rego
+++ b/rules/ensure-that-the-admission-control-plugin-ServiceAccount-is-set/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "admission control plugin AlwaysAdmit is enabled. This is equal to turning off all admission controllers",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/raw.rego b/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/raw.rego
index 70ffc2878..6d05126ce 100644
--- a/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/raw.rego
+++ b/rules/ensure-that-the-api-server-DenyServiceExternalIPs-is-not-set/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "admission control plugin DenyServiceExternalIPs is enabled. This is equal to turning off all admission controllers",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/raw.rego b/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/raw.rego
index f03aa3e23..ac0ab4e80 100644
--- a/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/raw.rego
+++ b/rules/ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "anonymous requests is enabled",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/raw.rego b/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/raw.rego
index 8d0c5b8ba..df151f31d 100644
--- a/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-api-server-audit-log-maxage-argument-is-set-to-30-or-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": result.alert,
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/raw.rego b/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/raw.rego
index 9b77cb862..840a33b96 100644
--- a/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-api-server-audit-log-maxbackup-argument-is-set-to-10-or-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": result.alert,
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/raw.rego b/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/raw.rego
index 7379da0a9..22b62ae8e 100644
--- a/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-api-server-audit-log-maxsize-argument-is-set-to-100-or-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": result.alert,
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/raw.rego b/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/raw.rego
index 477594444..ec6efcace 100644
--- a/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/raw.rego
+++ b/rules/ensure-that-the-api-server-audit-log-path-argument-is-set/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "kubernetes API Server is not audited",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/raw.rego b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/raw.rego
index 23269a4f8..82dd502b5 100644
--- a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/raw.rego
+++ b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-Node/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "kubelet nodes can read objects that are not associated with them",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/raw.rego b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/raw.rego
index 92f11dcc4..0c1762387 100644
--- a/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/raw.rego
+++ b/rules/ensure-that-the-api-server-authorization-mode-argument-includes-RBAC/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "RBAC is not enabled",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/raw.rego b/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/raw.rego
index 031c2eac7..2910780ae 100644
--- a/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/raw.rego
+++ b/rules/ensure-that-the-api-server-authorization-mode-argument-is-not-set-to-AlwaysAllow/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "AlwaysAllow authorization mode is enabled",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/raw.rego b/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/raw.rego
index a2b4139f1..db1f4553f 100644
--- a/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-api-server-client-ca-file-argument-is-set-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "API server communication is not encrypted properly",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/raw.rego b/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/raw.rego
index 3ce353aa8..f2211e702 100644
--- a/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-api-server-etcd-cafile-argument-is-set-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "API server is not configured to use SSL Certificate Authority file for etcd",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/raw.rego b/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/raw.rego
index 1595eaf5d..3ca454ee4 100644
--- a/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-api-server-etcd-certfile-and-etcd-keyfile-arguments-are-set-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "etcd is not configured to use TLS properly",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/raw.rego b/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/raw.rego
index 7e6c8f84e..f9b99f703 100644
--- a/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-api-server-kubelet-certificate-authority-argument-is-set-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "TLS certificate authority file is not specified",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/raw.rego b/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/raw.rego
index fcc185556..cdf398509 100644
--- a/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-api-server-kubelet-client-certificate-and-kubelet-client-key-arguments-are-set-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "certificate based kubelet authentication is not enabled",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/raw.rego b/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/raw.rego
index e57d2e992..8ec920f86 100644
--- a/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/raw.rego
+++ b/rules/ensure-that-the-api-server-profiling-argument-is-set-to-false/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "profiling is enabled. This could potentially be exploited to uncover system and program details.",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/raw.rego b/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/raw.rego
index 21f6dab9f..61949f254 100644
--- a/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-api-server-request-timeout-argument-is-set-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": result.alert,
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/raw.rego b/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/raw.rego
index 73d132fe6..28043b48a 100644
--- a/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/raw.rego
+++ b/rules/ensure-that-the-api-server-secure-port-argument-is-not-set-to-0/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "the secure port is disabled",
 "alertScore": 2,
+ "reviewPaths": [sprintf("spec.containers[0].command[%v]", [i])],
 "failedPaths": [sprintf("spec.containers[0].command[%v]", [i])],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate/raw.rego b/rules/ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate/raw.rego
index f17095279..127d863be 100644
--- a/rules/ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-api-server-service-account-key-file-argument-is-set-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "TLS certificate authority",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/raw.rego b/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/raw.rego
index f33a4e99c..1946f89ae 100644
--- a/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/raw.rego
+++ b/rules/ensure-that-the-api-server-service-account-lookup-argument-is-set-to-true/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "anonymous requests is enabled",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/raw.rego b/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/raw.rego
index b4c23a62b..79fc4e7fc 100644
--- a/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-api-server-tls-cert-file-and-tls-private-key-file-arguments-are-set-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "API server is not configured to serve only HTTPS traffic",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/raw.rego b/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/raw.rego
index 328faa720..e06f40a27 100644
--- a/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/raw.rego
+++ b/rules/ensure-that-the-api-server-token-auth-file-parameter-is-not-set/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "API server TLS is not configured",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/raw.rego b/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/raw.rego
index defd898dd..9cac52562 100644
--- a/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/raw.rego
+++ b/rules/ensure-that-the-controller-manager-RotateKubeletServerCertificate-argument-is-set-to-true/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "`RotateKubeletServerCertificate` is set to false on the controller manager",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/raw.rego b/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/raw.rego
index 2745c9041..df020c941 100644
--- a/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/raw.rego
+++ b/rules/ensure-that-the-controller-manager-bind-address-argument-is-set-to-127.0.0.1/raw.rego
@@ -12,6 +12,7 @@ deny[msg] {
 msg := {
 "alertMessage": "the Controller Manager API service is not bound to a localhost interface only",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/raw.rego b/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/raw.rego
index 41e50b7d4..c28a77633 100644
--- a/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/raw.rego
+++ b/rules/ensure-that-the-controller-manager-profiling-argument-is-set-to-false/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "profiling is enabled for the kube-controller-manager",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/raw.rego b/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/raw.rego
index 11ed24780..c6fe79bec 100644
--- a/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-controller-manager-root-ca-file-argument-is-set-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "the controller manager is not configured to inject the trusted ca.crt file into pods so that they can verify TLS connections to the API server",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/raw.rego b/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/raw.rego
index 4e6b86834..bbfc8eeba 100644
--- a/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-controller-manager-service-account-private-key-file-argument-is-set-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "service account token can not be rotated as needed",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/raw.rego b/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/raw.rego
index 34c7b3d18..657fac74c 100644
--- a/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/raw.rego
+++ b/rules/ensure-that-the-controller-manager-terminated-pod-gc-threshold-argument-is-set-as-appropriate/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": result.alert,
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/raw.rego b/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/raw.rego
index 6100e609e..6889bf0f5 100644
--- a/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/raw.rego
+++ b/rules/ensure-that-the-controller-manager-use-service-account-credentials-argument-is-set-to-true/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "--use-service-account-credentials is set to false in the controller manager",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/raw.rego b/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/raw.rego
index 0fd8e4b71..55c3ff058 100644
--- a/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/raw.rego
+++ b/rules/ensure-that-the-scheduler-bind-address-argument-is-set-to-127.0.0.1/raw.rego
@@ -10,6 +10,7 @@ deny[msg] {
 msg := {
 "alertMessage": "the kube scheduler is not bound to a localhost interface only",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/raw.rego b/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/raw.rego
index 66d883c4a..d75f3346a 100644
--- a/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/raw.rego
+++ b/rules/ensure-that-the-scheduler-profiling-argument-is-set-to-false/raw.rego
@@ -9,6 +9,7 @@ deny[msg] {
 msg := {
 "alertMessage": "profiling is enabled for the kube-scheduler",
 "alertScore": 2,
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "packagename": "armo_builtins",
diff --git a/rules/etcd-auto-tls-disabled/raw.rego b/rules/etcd-auto-tls-disabled/raw.rego
index cff875c86..4c1a2554d 100644
--- a/rules/etcd-auto-tls-disabled/raw.rego
+++ b/rules/etcd-auto-tls-disabled/raw.rego
@@ -12,6 +12,7 @@ deny[msga] {
 "alertMessage": "Auto tls is enabled. Clients are able to use self-signed certificates for TLS.",
 "alertScore": 6,
 "packagename": "armo_builtins",
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "alertObject": {"k8sApiObjects": [obj]},
diff --git a/rules/etcd-client-auth-cert/raw.rego b/rules/etcd-client-auth-cert/raw.rego
index 4f6654187..8dbee455d 100644
--- a/rules/etcd-client-auth-cert/raw.rego
+++ b/rules/etcd-client-auth-cert/raw.rego
@@ -10,6 +10,7 @@ deny[msga] {
 "alertMessage": "Etcd server is not requiring a valid client certificate",
 "alertScore": 8,
 "packagename": "armo_builtins",
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "alertObject": {"k8sApiObjects": [obj]},
diff --git a/rules/etcd-peer-auto-tls-disabled/raw.rego b/rules/etcd-peer-auto-tls-disabled/raw.rego
index 256949730..eb4417cc6 100644
--- a/rules/etcd-peer-auto-tls-disabled/raw.rego
+++ b/rules/etcd-peer-auto-tls-disabled/raw.rego
@@ -11,6 +11,7 @@ deny[msga] {
 "alertMessage": "Peer auto tls is enabled. Peer clients are able to use self-signed certificates for TLS.",
 "alertScore": 6,
 "packagename": "armo_builtins",
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "alertObject": {"k8sApiObjects": [obj]},
diff --git a/rules/etcd-peer-client-auth-cert/raw.rego b/rules/etcd-peer-client-auth-cert/raw.rego
index c273b7fe8..43eda6715 100644
--- a/rules/etcd-peer-client-auth-cert/raw.rego
+++ b/rules/etcd-peer-client-auth-cert/raw.rego
@@ -10,6 +10,7 @@ deny[msga] {
 "alertMessage": "Etcd server is not requiring a valid client certificate.",
 "alertScore": 7,
 "packagename": "armo_builtins",
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "alertObject": {"k8sApiObjects": [obj]},
diff --git a/rules/etcd-peer-tls-enabled/raw.rego b/rules/etcd-peer-tls-enabled/raw.rego
index c1090a8d4..b46a009bd 100644
--- a/rules/etcd-peer-tls-enabled/raw.rego
+++ b/rules/etcd-peer-tls-enabled/raw.rego
@@ -10,6 +10,7 @@ deny[msga] {
 "alertMessage": "Etcd encryption for peer connection is not enabled.",
 "alertScore": 7,
 "packagename": "armo_builtins",
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "alertObject": {"k8sApiObjects": [obj]},
diff --git a/rules/etcd-tls-enabled/raw.rego b/rules/etcd-tls-enabled/raw.rego
index 507188a95..4026e159c 100644
--- a/rules/etcd-tls-enabled/raw.rego
+++ b/rules/etcd-tls-enabled/raw.rego
@@ -11,6 +11,7 @@ deny[msga] {
 "alertMessage": "etcd encryption is not enabled",
 "alertScore": 8,
 "packagename": "armo_builtins",
+ "reviewPaths": result.failed_paths,
 "failedPaths": result.failed_paths,
 "fixPaths": result.fix_paths,
 "alertObject": {"k8sApiObjects": [obj]},
diff --git a/rules/etcd-unique-ca/raw.rego b/rules/etcd-unique-ca/raw.rego
index c86df0b7f..4c7f152e4 100644
--- a/rules/etcd-unique-ca/raw.rego
+++ b/rules/etcd-unique-ca/raw.rego
@@ -16,6 +16,7 @@ deny[msga] {
 "alertMessage": "Cert file is the same both for the api server and the etcd",
 "alertScore": 8,
 "packagename": "armo_builtins",
+ "reviewPaths": [etcdCheckResult.path, apiserverCheckResult.path],
 "failedPaths": [etcdCheckResult.path, apiserverCheckResult.path],
 "fixPaths": [etcdCheckResult.fix_paths, apiserverCheckResult.fix_paths],
 "alertObject": {"k8sApiObjects": [etcdPod[0], apiserverPod[0]]},
diff --git a/rules/excessive_amount_of_vulnerabilities_pods/raw.rego b/rules/excessive_amount_of_vulnerabilities_pods/raw.rego
index ce805e9d9..a20083d34 100644
--- a/rules/excessive_amount_of_vulnerabilities_pods/raw.rego
+++ b/rules/excessive_amount_of_vulnerabilities_pods/raw.rego
@@ -39,6 +39,7 @@ deny[msga] {
 "alertMessage": sprintf("pod '%v' exposed with critical vulnerabilities", [pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/exec-into-container-v1/raw.rego b/rules/exec-into-container-v1/raw.rego
index 640bf4e6e..3400d9af6 100644
--- a/rules/exec-into-container-v1/raw.rego
+++ b/rules/exec-into-container-v1/raw.rego
@@ -42,6 +42,7 @@ deny[msga] {
 "alertMessage": sprintf("Subject: %s-%s can exec into containers", [subjectVector.kind, subjectVector.name]),
 "alertScore": 9,
 "packagename": "armo_builtins",
+ "reviewPaths": finalpath,
 "failedPaths": finalpath,
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/exec-into-container/raw.rego b/rules/exec-into-container/raw.rego
index 6aca8517c..2ddac11d1 100644
--- a/rules/exec-into-container/raw.rego
+++ b/rules/exec-into-container/raw.rego
@@ -25,6 +25,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("the following %v: %v, can exec into containers", [subject.kind, subject.name]),
 "alertScore": 9,
+ "deletePaths": [path],
 "failedPaths": [path],
 "packagename": "armo_builtins",
 "alertObject": {
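Review bot: The exec-into-container hunk emits `deletePaths` while the exec-into-container-v1 hunk just above emits `reviewPaths` for the same finding (a subject that can exec into containers), so the two variants of the rule would steer a consumer toward different remediations — one removes the RBAC entry at `path`, the other only flags it for inspection. If the difference is deliberate, a comment such as `# deletePaths: the RBAC entry granting pods/exec is safe to remove outright` would explain it; if not, one of the two should be aligned with the other. Whether `path` here resolves to a single verb or to a whole `rules` entry is not visible in the hunk, and that determines how much an automated delete would strip. The enclosing `deny[msga]` rule starts before and ends after this hunk.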
diff --git a/rules/exposed-critical-pods/raw.rego b/rules/exposed-critical-pods/raw.rego
index c14e1093b..aaba28cfa 100644
--- a/rules/exposed-critical-pods/raw.rego
+++ b/rules/exposed-critical-pods/raw.rego
@@ -48,6 +48,7 @@ deny[msga] {
 "alertMessage": sprintf("pod '%v' exposed with critical vulnerabilities", [pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/exposed-rce-pods/raw.rego b/rules/exposed-rce-pods/raw.rego
index a299a4780..701175ced 100644
--- a/rules/exposed-rce-pods/raw.rego
+++ b/rules/exposed-rce-pods/raw.rego
@@ -47,6 +47,7 @@ deny[msga] {
 "alertMessage": sprintf("pod '%v' exposed with rce vulnerability", [pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 8,
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/exposed-sensitive-interfaces-v1/raw.rego b/rules/exposed-sensitive-interfaces-v1/raw.rego
index e543e9ca7..b606343bc 100644
--- a/rules/exposed-sensitive-interfaces-v1/raw.rego
+++ b/rules/exposed-sensitive-interfaces-v1/raw.rego
@@ -31,6 +31,7 @@ deny[msga] {
 "alertMessage": sprintf("service: %v is exposed", [service.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": result,
 "failedPaths": result,
 "fixPaths":[],
 "alertObject": {
@@ -68,6 +69,7 @@ deny[msga] {
 "alertMessage": sprintf("service: %v is exposed", [service.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": result,
 "failedPaths": result,
 "fixPaths":[],
 "alertObject": {
@@ -105,6 +107,7 @@ deny[msga] {
 "alertMessage": sprintf("service: %v is exposed", [service.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": result,
 "failedPaths": result,
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/exposed-sensitive-interfaces/raw.rego b/rules/exposed-sensitive-interfaces/raw.rego
index e162f795e..f33b9dcf8 100644
--- a/rules/exposed-sensitive-interfaces/raw.rego
+++ b/rules/exposed-sensitive-interfaces/raw.rego
@@ -24,6 +24,7 @@ deny[msga] {
 "alertMessage": sprintf("service: %v is exposed", [service.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": result,
 "failedPaths": result,
 "alertObject": {
 "k8sApiObjects": [wl, service]
@@ -55,6 +56,7 @@ deny[msga] {
 "alertMessage": sprintf("service: %v is exposed", [service.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": result,
 "failedPaths": result,
 "alertObject": {
 "k8sApiObjects": [pod, service]
@@ -90,6 +92,7 @@ deny[msga] {
 "alertMessage": sprintf("service: %v is exposed", [service.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": result,
 "failedPaths": result,
 "alertObject": {
 "k8sApiObjects": [wl, service]
From 1a552af7aa8218c7d8716b45f1f86656180a26ed Mon Sep 17 00:00:00 2001
From: YiscahLevySilas1
Date: Mon, 2 Oct 2023 00:01:18 +0300
Subject: [PATCH 2/3] add delete / review paths
Signed-off-by: YiscahLevySilas1
---
 rules/pods-in-default-namespace/raw.rego | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/pods-in-default-namespace/raw.rego b/rules/pods-in-default-namespace/raw.rego
index 4d3e8a26f..9970db6cc 100644
--- a/rules/pods-in-default-namespace/raw.rego
+++ b/rules/pods-in-default-namespace/raw.rego
@@ -11,6 +11,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v has pods running in the 'default' namespace", [wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
From 1dc93646b8c198ab2596bf3893bd4157ebd110be Mon Sep 17 00:00:00 2001
From: YiscahLevySilas1
Date: Mon, 2 Oct 2023 00:08:20 +0300
Subject: [PATCH 3/3] add delete / review paths
Signed-off-by: YiscahLevySilas1
---
 rules/host-pid-ipc-privileges/raw.rego | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/rules/host-pid-ipc-privileges/raw.rego b/rules/host-pid-ipc-privileges/raw.rego
index 7f300be15..c8c4e2c88 100644
--- a/rules/host-pid-ipc-privileges/raw.rego
+++ b/rules/host-pid-ipc-privileges/raw.rego
@@ -11,6 +11,7 @@ deny[msga] {
 "alertMessage": sprintf("Pod: %v has hostPID enabled", [pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
@@ -29,6 +30,7 @@ deny[msga] {
 "alertMessage": sprintf("Pod: %v has hostIPC enabled", [pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "alertObject": {
@@ -47,6 +49,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("%v: %v has a pod with hostPID enabled", [wl.kind, wl.metadata.name]),
 "alertScore": 9,
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "packagename": "armo_builtins",
@@ -66,6 +69,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("%v: %v has a pod with hostIPC enabled", [wl.kind, wl.metadata.name]),
 "alertScore": 9,
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "packagename": "armo_builtins",
@@ -84,6 +88,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("CronJob: %v has a pod with hostPID enabled", [wl.metadata.name]),
 "alertScore": 9,
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "packagename": "armo_builtins",
@@ -103,6 +108,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("CronJob: %v has a pod with hostIPC enabled", [wl.metadata.name]),
 "alertScore": 9,
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths": [],
 "packagename": "armo_builtins",