Skip to content

Commit

Permalink
UD-1664: Add check for unauthenticated or anonymous subjects within r…
Browse files Browse the repository at this point in the history 
…ole bindings
  • Loading branch information
@knrc
knrc committed Aug 8, 2024
1 parent 1205318 commit 70da7ad
Show file tree
Hide file tree
Showing 4 changed files with 194 additions and 37 deletions.
73 changes: 37 additions & 36 deletions checks.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,39 +3,40 @@
In the table below, you can view all checks present on Marvin. Click on the #ID column item for more details about each check.


| Framework | #ID | Severity | Message |
|------------------|-------------------------------------------------------------------------------------|----------|-------------------------------------------------------|
| CIS Benchmarks | [M-500](/internal/builtins/cis/M-500_default_namespace.yaml) | Medium | Workloads in default namespace |
| General | [M-400](/internal/builtins/general/M-400_image_tag_latest.yaml) | Medium | Image tagged latest |
| | [M-401](/internal/builtins/general/M-401_unmanaged_pod.yaml) | Low | Unmanaged Pod |
| | [M-402](/internal/builtins/general/M-402_readiness_probe.yaml) | Medium | Readiness and startup probe not configured |
| | [M-403](/internal/builtins/general/M-403_liveness_probe.yaml) | Medium | Liveness probe not configured |
| | [M-404](/internal/builtins/general/M-404_memory_requests.yaml) | Medium | Memory requests not specified |
| | [M-405](/internal/builtins/general/M-405_cpu_requests.yaml) | Medium | CPU requests not specified |
| | [M-406](/internal/builtins/general/M-406_memory_limit.yaml) | Medium | Memory not limited |
| | [M-407](/internal/builtins/general/M-407_cpu_limit.yaml) | Medium | CPU not limited |
| | [M-408](/internal/builtins/general/M-408_sudo_container_entrypoint.yaml) | Medium | Sudo in container entrypoint |
| | [M-409](/internal/builtins/general/M-409_deprecated_image_registry.yaml) | Medium | Deprecated image registry |
| | [M-410](/internal/builtins/general/M-410_resource_using_invalid_restartpolicy.yaml) | Medium | Resource is using an invalid restartPolicy |
| NSA-CISA | [M-300](/internal/builtins/nsa/M-300_read_only_root_filesystem.yml) | Low | Root filesystem write allowed |
| MITRE ATT&CK | [M-200](/internal/builtins/mitre/M-200_allowed_registries.yml) | Medium | Image registry not allowed |
| | [M-201](/internal/builtins/mitre/M-201_app_credentials.yml) | High | Application credentials stored in configuration files |
| | [M-202](/internal/builtins/mitre/M-202_auto_mount_service_account.yml) | Low | Automounted service account token |
| | [M-203](/internal/builtins/mitre/M-203_ssh.yml) | Low | SSH server running inside container |
| PSS - Baseline | [M-100](/internal/builtins/pss/baseline/M-100_host_process.yml) | High | Privileged access to the Windows node |
| | [M-101](/internal/builtins/pss/baseline/M-101_host_namespaces.yml) | High | Host namespaces |
| | [M-102](/internal/builtins/pss/baseline/M-102_privileged_containers.yml) | High | Privileged container |
| | [M-103](/internal/builtins/pss/baseline/M-103_capabilities.yml) | High | Insecure capabilities |
| | [M-104](/internal/builtins/pss/baseline/M-104_host_path_volumes.yml) | High | HostPath volume |
| | [M-105](/internal/builtins/pss/baseline/M-105_host_ports.yml) | High | Not allowed hostPort |
| | [M-106](/internal/builtins/pss/baseline/M-106_apparmor.yml) | Medium | Forbidden AppArmor profile |
| | [M-107](/internal/builtins/pss/baseline/M-107_selinux.yml) | Medium | Forbidden SELinux options |
| | [M-108](/internal/builtins/pss/baseline/M-108_proc_mount.yml) | Medium | Forbidden proc mount type |
| | [M-109](/internal/builtins/pss/baseline/M-109_seccomp.yml) | Medium | Forbidden seccomp profile |
| | [M-110](/internal/builtins/pss/baseline/M-110_sysctls.yml) | Medium | Unsafe sysctls |
| PSS - Restricted | [M-111](/internal/builtins/pss/restricted/M-111_volume_types.yml) | Low | Not allowed volume type |
| | [M-112](/internal/builtins/pss/restricted/M-112_privilege_escalation.yml) | Medium | Allowed privilege escalation |
| | [M-113](/internal/builtins/pss/restricted/M-113_run_as_non_root.yml) | Medium | Container could be running as root user |
| | [M-114](/internal/builtins/pss/restricted/M-114_run_as_user.yml) | Medium | Container running as root UID |
| | [M-115](/internal/builtins/pss/restricted/M-115_seccomp.yml) | Low | Not allowed seccomp profile |
| | [M-116](/internal/builtins/pss/restricted/M-116_capabilities.yml) | Low | Not allowed added/dropped capabilities |
| Framework | #ID | Severity | Message |
|------------------|------------------------------------------------------------------------------------------------------|----------|------------------------------------------------------------------|
| CIS Benchmarks | [M-500](/internal/builtins/cis/M-500_default_namespace.yaml) | Medium | Workloads in default namespace |
| General | [M-400](/internal/builtins/general/M-400_image_tag_latest.yaml) | Medium | Image tagged latest |
| | [M-401](/internal/builtins/general/M-401_unmanaged_pod.yaml) | Low | Unmanaged Pod |
| | [M-402](/internal/builtins/general/M-402_readiness_probe.yaml) | Medium | Readiness and startup probe not configured |
| | [M-403](/internal/builtins/general/M-403_liveness_probe.yaml) | Medium | Liveness probe not configured |
| | [M-404](/internal/builtins/general/M-404_memory_requests.yaml) | Medium | Memory requests not specified |
| | [M-405](/internal/builtins/general/M-405_cpu_requests.yaml) | Medium | CPU requests not specified |
| | [M-406](/internal/builtins/general/M-406_memory_limit.yaml) | Medium | Memory not limited |
| | [M-407](/internal/builtins/general/M-407_cpu_limit.yaml) | Medium | CPU not limited |
| | [M-408](/internal/builtins/general/M-408_sudo_container_entrypoint.yaml) | Medium | Sudo in container entrypoint |
| | [M-409](/internal/builtins/general/M-409_deprecated_image_registry.yaml) | Medium | Deprecated image registry |
| | [M-410](/internal/builtins/general/M-410_resource_using_invalid_restartpolicy.yaml) | Medium | Resource is using an invalid restartPolicy |
| | [M-411](/internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated.yaml) | Medium | Role Binding referencing anonymous user or unauthenticated group |
| NSA-CISA | [M-300](/internal/builtins/nsa/M-300_read_only_root_filesystem.yml) | Low | Root filesystem write allowed |
| MITRE ATT&CK | [M-200](/internal/builtins/mitre/M-200_allowed_registries.yml) | Medium | Image registry not allowed |
| | [M-201](/internal/builtins/mitre/M-201_app_credentials.yml) | High | Application credentials stored in configuration files |
| | [M-202](/internal/builtins/mitre/M-202_auto_mount_service_account.yml) | Low | Automounted service account token |
| | [M-203](/internal/builtins/mitre/M-203_ssh.yml) | Low | SSH server running inside container |
| PSS - Baseline | [M-100](/internal/builtins/pss/baseline/M-100_host_process.yml) | High | Privileged access to the Windows node |
| | [M-101](/internal/builtins/pss/baseline/M-101_host_namespaces.yml) | High | Host namespaces |
| | [M-102](/internal/builtins/pss/baseline/M-102_privileged_containers.yml) | High | Privileged container |
| | [M-103](/internal/builtins/pss/baseline/M-103_capabilities.yml) | High | Insecure capabilities |
| | [M-104](/internal/builtins/pss/baseline/M-104_host_path_volumes.yml) | High | HostPath volume |
| | [M-105](/internal/builtins/pss/baseline/M-105_host_ports.yml) | High | Not allowed hostPort |
| | [M-106](/internal/builtins/pss/baseline/M-106_apparmor.yml) | Medium | Forbidden AppArmor profile |
| | [M-107](/internal/builtins/pss/baseline/M-107_selinux.yml) | Medium | Forbidden SELinux options |
| | [M-108](/internal/builtins/pss/baseline/M-108_proc_mount.yml) | Medium | Forbidden proc mount type |
| | [M-109](/internal/builtins/pss/baseline/M-109_seccomp.yml) | Medium | Forbidden seccomp profile |
| | [M-110](/internal/builtins/pss/baseline/M-110_sysctls.yml) | Medium | Unsafe sysctls |
| PSS - Restricted | [M-111](/internal/builtins/pss/restricted/M-111_volume_types.yml) | Low | Not allowed volume type |
| | [M-112](/internal/builtins/pss/restricted/M-112_privilege_escalation.yml) | Medium | Allowed privilege escalation |
| | [M-113](/internal/builtins/pss/restricted/M-113_run_as_non_root.yml) | Medium | Container could be running as root user |
| | [M-114](/internal/builtins/pss/restricted/M-114_run_as_user.yml) | Medium | Container running as root UID |
| | [M-115](/internal/builtins/pss/restricted/M-115_seccomp.yml) | Low | Not allowed seccomp profile |
| | [M-116](/internal/builtins/pss/restricted/M-116_capabilities.yml) | Low | Not allowed added/dropped capabilities |
33 changes: 33 additions & 0 deletions internal/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
# Copyright 2023 Undistro Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

id: M-411
slug: role binding referencing anonymous or unauthenticated
severity: Medium
message: "Role Binding referencing anonymous user or unauthenticated group"
match:
resources:
- group: "rbac.authorization.k8s.io"
version: v1
resource: rolebindings
- group: "rbac.authorization.k8s.io"
version: v1
resource: clusterrolebindings
validations:
- expression: >
!has(object.subjects) ||
object.subjects.all(subject,
!(subject.kind == "User" && subject.name == "system:anonymous") &&
!(subject.kind == "Group" && subject.name == "system:unauthenticated")
)
123 changes: 123 additions & 0 deletions ...al/builtins/general/M-411_role_binding_referencing_anonymous_or_unauthanticated_test.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
# Copyright 2023 Undistro Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: "anonymous user in role binding"
pass: false
input: |
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: binding-name
namespace: binding-namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: role-name
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: system:anonymous
- kind: ServiceAccount
name: zora-operator
namespace: zora-system
- name: "anonymous user in cluster role binding"
pass: false
input: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: binding-name
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: role-name
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: system:anonymous
- kind: ServiceAccount
name: zora-operator
namespace: zora-system
- name: "unauthenticated group in role binding"
pass: false
input: |
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: binding-name
namespace: binding-namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: role-name
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
- kind: ServiceAccount
name: zora-operator
namespace: zora-system
- name: "unauthenticated group in cluster role binding"
pass: false
input: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: binding-name
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: role-name
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:unauthenticated
- kind: ServiceAccount
name: zora-operator
namespace: zora-system
- name: "valid role binding"
pass: true
input: |
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: binding-name
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: role-name
subjects:
- kind: ServiceAccount
name: zora-operator
namespace: zora-system
- name: "valid cluster role binding"
pass: true
input: |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: binding-name
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: role-name
subjects:
- kind: ServiceAccount
name: zora-operator
namespace: zora-system
2 changes: 1 addition & 1 deletion pkg/loader/builtin_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,5 +23,5 @@ import (
func TestBuiltins(t *testing.T) {
assert.NotNil(t, Builtins)
assert.Greater(t, len(Builtins), 0)
assert.Equal(t, len(Builtins), 34)
assert.Equal(t, 35, len(Builtins))
}

0 comments on commit 70da7ad

Please sign in to comment.