-
Notifications
You must be signed in to change notification settings - Fork 34
/
rules.yaml
573 lines (508 loc) · 22.5 KB
/
rules.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
---
# ========================== MACROS ==========================
#
# Macros can specify shared / common attributes referenced by one or more risk rules below.
# If you choose to use specific macro for a given risk rule please specifying `macro: <macro-name>` in rule definition.
# Note: Attributes defined in macro will take precedence i.e. replace the same attributes defined on the rule level.
#
# Macro can contain any of the following attributes:
#
# :query - RedisGraph query (see README.md). Has precedence over :template. Requires :writer to be defined.
# :writer - Writer is a (Ruby) expression used to format :query result set. Writer has precedence over :template.
# :template - Built-in query/writer template name. If :query & :writer are not specified then chosen
# query generator will be used along with matching writer. See rule attributes below for more information.
#
macros:
# risky-role:
# query: # Shared GraphQL query
# writer: # Shared Writer expression (Ruby)
# template: # Shared built-in query/writer template
# ========================== RULES ==========================
#
# Rule can contain any of the following attributes:
# :id - [Required] Rule id should be a unique
# :group_title - [Required] Title applying to all items falling under this risk check
# :severity - [Required] Severity, as one of :danger, :warning, :info
# :info - [Required] Textual information about the check and suggestions on how to mitigate the risk
# :query - [Conditonal] RedisGraph query (see README.md). Has precedence over :template. Requires :writer to be defined.
# :writer - [Conditonal] Writer is a Ruby expression used to format query result set. Writer has precedence over :template. Required :query to be defined.
# :template - [Conditonal] Built-in query/writer template name. If :query & :writer are not specified then chosen
# query generator will be used along with matching writer.
# Some templates require `:match_rules` attribute to be specified on individual rule level in order to build correct query.
# Supported templates kinds:
# - risky-role : Builds multi-match graph query based on the access rule specified in :match_rules.
# Attributes and values in :match_rule follow Kubernetes spec at:
# * https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-examples
# Generated graph query returns the following columns:
# * role_name
# * role_kind
# * namespace_name (an array is returned if multiple items returned)
# :match_rules - [Conditonal] Required when :template relies on match rules in order to build a query.
# Example:
# match_rules:
# - resources: ['cronjobs']
# verbs: ['update']
# :custom_params - List of custom key-value pairs to be replaced in resolved :query / :writer.
# Example:
# custom_params:
# - attrA: valueA
# - attrB: valueB
# Templated placeholders for keys above `{{attrA}}` and `{{attrB}}` will be replaced with `valueA` and `valueB` respectively.
# :threshold - [Optional] Numeric value. When definied this will become available as templated placeholder `{{threshold}}` in writer expression.
# :macro - [Optional] Reference to common parameters set defined in a named macro
# :disabled - [Optional] When set to `true` it'll disable given rule and exclude it from evaluation.
# By default all rules are enabled.
#
rules:
#
# ==== Begin Example Rule ====
#
- id: example-rule
group_title: Example rule
severity: :danger
info: Risk description and instructions on how to mitigate it goes here
query: | # Example query: match all subjects and associated namespaces to which subject has access to
MATCH
(s:Subject)-[:ACCESS]->(ns:Namespace)
RETURN
s.kind as subject_kind,
s.name as subject_name,
COLLECT(ns.name) as namespace_names
ORDER BY
subject_kind,
subject_name,
namespace_names DESC
threshold: 2 # threshold used in writer to limit items to those with at least 2 namespaces
writer: | # Ruby code snippet, last expression will be captured as formatted result item output
if result.namespace_names.count >= {{threshold}}
"#{result.subject_kind} #{result.subject_name} can access namespaces: #{result.namespace_names.join(', ')}"
end
disabled: true # This is just an example rule
#
# ==== End Example Rule ====
#
- id: subjects-with-privileged-psp-not-scoped-to-ns
group_title: Subjects with privileged PSP access NOT scoped to a namespace (N/A for K8s version >= 1.25)
severity: :danger
info: |
Subjects below are able to run privileged containers and are NOT scoped to a particular namespace.
Review PSP policies and limit subject's access to specific namespaces.
template: privileged-psp-subjects
- id: subjects-with-open-cluster-wide-access
group_title: Subjects with too open cluster-wide access
severity: :danger
info: |
Subjects below have URESTRICTED cluster-wide access to ALL resources (apiGroups: *, core)! This is potentially dangerous.
Review RBAC associated with items below and limit access to required namespaces only.
template: unrestricted-cluster-wide-subjects
- id: subjects-with-open-ns-level-access
group_title: Subjects with too open namespace level access
severity: :warning
info: |
Subjects below have UNRESTRICTED access to ALL resources (apiGroups: *, core) within the scope of a namespace.
This might be a potential security risk. Review RBAC associated with items below and replace wildcard access with
more specific access rules.
template: unrestricted-ns-level-subjects
- id: subjects-with-rbac-management
group_title: Subjects with ability to manage RBAC
severity: :warning
info: |
List of Subjects able to create Roles and/or RoleBindings. This might be a potential security risk.
Review RBAC associated with items below and consider revoking unnecessary privileges.
template: rbac-managing-subjects
- id: subjects-with-non-existing-roles
group_title: Subjects associated with non-existing roles
severity: :warning
info: |
List of Subjects with Role or ClusterRole which hasn't been defined.
Review and check whether Role/ClusterRole should exist.
template: undefined-role-subjects
- id: subjects-with-many-roles
group_title: Subjects associated with multiple roles
severity: :info
info: |
List of Subjects associated with multiple roles. Depending on complexity this may indicate a bad RBAC design.
Consider role aggregation.
template: multiple-role-subjects
threshold: 4
- id: namespaces-with-many-subjects
group_title: Namespaces with multiple subjects
severity: :info
info: |
List of Namespaces with multiple subject access. Significant number of Subjects having access
to a Namespace might indicate bad design or potential security risk. Review namespaces below.
template: multiple-subject-namespaces
threshold: 5
# Secrets list / get
- id: risky-get-secrets
group_title: Risky Roles/ClusterRoles allowing viewing specific secrets
severity: :warning
info: Roles/ClusterRoles allowing to view specific secrets. This can be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['secrets']
verbs: ['get']
- id: risky-list-secrets
group_title: Risky Roles/ClusterRoles allowing listing of all secrets
severity: :warning
info: Roles/ClusterRoles allowing to list all secrets. This can be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['secrets']
verbs: ['list']
# Impersonation
- id: risky-impersonate-privileged-groups
group_title: Risky Roles/ClusterRoles allowing to impersonate privileged groups (like 'system:masters')
severity: :danger
info: Roles/ClusterRoles allowing to impersonate privileged groups. This is dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['groups']
verbs: ['impersonate']
# All actions (*) on specific resource
- id: risky-any-verb-secrets
group_title: Risky Roles/ClusterRoles allowing all actions on secrets
severity: :danger
info: Roles/ClusterRoles allowing all actions on secrets. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['secrets']
verbs: ['*']
- id: risky-any-verb-pods
group_title: Risky Roles/ClusterRoles allowing all actions on pods
severity: :danger
info: Roles/ClusterRoles allowing all actions on pods. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['pods']
verbs: ['*']
- id: risky-any-verb-deployments
group_title: Risky Roles/ClusterRoles allowing all actions on deployments
severity: :danger
info: Roles/ClusterRoles allowing all actions on deployments. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['deployments']
verbs: ['*']
- id: risky-any-verb-daemonsets
group_title: Risky Roles/ClusterRoles allowing all actions on daemonsets
severity: :danger
info: Roles/ClusterRoles allowing all actions on daemonsets. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['daemonsets']
verbs: ['*']
- id: risky-any-verb-statefulsets
group_title: Risky Roles/ClusterRoles allowing all actions on statefulsets
severity: :danger
info: Roles/ClusterRoles allowing all actions on statefulsets. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['statefulsets']
verbs: ['*']
- id: risky-any-verb-replicationcontrollers
group_title: Risky Roles/ClusterRoles allowing all actions on replicationcontrollers
severity: :danger
info: Roles/ClusterRoles allowing all actions on replicationcontrollers. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['replicationcontrollers']
verbs: ['*']
- id: risky-any-verb-replicasets
group_title: Risky Roles/ClusterRoles allowing all actions on replicasets
severity: :danger
info: Roles/ClusterRoles allowing all actions on replicasets. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['replicasets']
verbs: ['*']
- id: risky-any-verb-cronjobs
group_title: Risky Roles/ClusterRoles allowing all actions on cronjobs
severity: :danger
info: Roles/ClusterRoles allowing all actions on cronjobs. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['cronjobs']
verbs: ['*']
- id: risky-any-verb-jobs
group_title: Risky Roles/ClusterRoles allowing all actions on jobs
severity: :danger
info: Roles/ClusterRoles allowing all actions on jobs. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['jobs']
verbs: ['*']
- id: risky-any-verb-roles
group_title: Risky Roles/ClusterRoles allowing all actions on roles
severity: :danger
info: Roles/ClusterRoles allowing all actions on roles. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['roles']
verbs: ['*']
- id: risky-any-verb-clusterroles
group_title: Risky Roles/ClusterRoles allowing all actions on clusterroles
severity: :danger
info: Roles/ClusterRoles allowing all actions on clusterroles. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['clusterroles']
verbs: ['*']
- id: risky-any-verb-rolebindings
group_title: Risky Roles/ClusterRoles allowing all actions on rolebindings
severity: :danger
info: Roles/ClusterRoles allowing all actions on rolebindings. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['rolebindings']
verbs: ['*']
- id: risky-any-verb-clusterrolebindings
group_title: Risky Roles/ClusterRoles allowing all actions on clusterrolebindings
severity: :danger
info: Roles/ClusterRoles allowing all actions on clusterrolebindings. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['clusterrolebindings']
verbs: ['*']
- id: risky-any-verb-users
group_title: Risky Roles/ClusterRoles allowing all actions on users
severity: :danger
info: "Roles/ClusterRoles allowing all actions on users. This might be dangerous. Review listed Roles!"
template: risky-role
match_rules:
- resources: ['users']
verbs: ['*']
- id: risky-any-verb-groups
group_title: Risky Roles/ClusterRoles allowing all actions on groups
severity: :danger
info: Roles/ClusterRoles allowing all actions on groups. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['groups']
verbs: ['*']
# Specific action on all (*) resources
- id: risky-any-resource-delete
group_title: Risky Roles/ClusterRoles allowing delete action on all resources
severity: :danger
info: Roles/ClusterRoles allowing delete action on all resources. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['*']
verbs: ['delete']
- id: risky-any-resource-deletecollection
group_title: Risky Roles/ClusterRoles allowing deletecollection action on all resources
severity: :danger
info: Roles/ClusterRoles allowing deletecollection action on all resources. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['*']
verbs: ['deletecollection']
- id: risky-any-resource-create
group_title: Risky Roles/ClusterRoles allowing create action on all resources
severity: :danger
info: Roles/ClusterRoles allowing create action on all resources. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['*']
verbs: ['create']
- id: risky-any-resource-list
group_title: Risky Roles/ClusterRoles allowing list action on all resources
severity: :danger
info: Roles/ClusterRoles allowing list action on all resources. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['*']
verbs: ['list']
- id: risky-any-resource-get
group_title: Risky Roles/ClusterRoles allowing get action on all resources
severity: :danger
info: Roles/ClusterRoles allowing get action on all resources. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['*']
verbs: ['get']
- id: risky-any-resource-impersonate
group_title: Risky Roles/ClusterRoles allowing impersonate action on all resources
severity: :danger
info: Roles/ClusterRoles allowing impersonate action on all resources. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['*']
verbs: ['impersonate']
# Malicious pod
- id: risky-create-deployments
group_title: Risky Roles/ClusterRoles allowing to create a potentially malicious pod
severity: :warning
info: Roles/ClusterRoles allowing to create a potentially malicious pod. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['deployments']
verbs: ['create']
- id: risky-update-deployments
group_title: Risky Roles/ClusterRoles allowing to update a potentially malicious pod
severity: :warning
info: Roles/ClusterRoles allowing to update a potentially malicious pod. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['deployments']
verbs: ['update']
- id: risky-create-daemonsets
group_title: Risky Roles/ClusterRoles allowing to create a potentially malicious daemonset
severity: :warning
info: Roles/ClusterRoles allowing to create a potentially malicious daemonset. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['daemonsets']
verbs: ['create']
- id: risky-update-daemonsets
group_title: Risky Roles/ClusterRoles allowing to update a potentially malicious daemonset
severity: :warning
info: Roles/ClusterRoles allowing to update a potentially malicious daemonset. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['daemonsets']
verbs: ['update']
- id: risky-create-statefulsets
group_title: Risky Roles/ClusterRoles allowing to create a potentially malicious statefulset
severity: :warning
info: Roles/ClusterRoles allowing to create a potentially malicious statefulset. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['statefulsets']
verbs: ['create']
- id: risky-update-statefulsets
group_title: Risky Roles/ClusterRoles allowing to update a potentially malicious statefulset
severity: :warning
info: Roles/ClusterRoles allowing to update a potentially malicious statefulset. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['statefulsets']
verbs: ['update']
- id: risky-create-replicationcontrollers
group_title: Risky Roles/ClusterRoles allowing to create a potentially malicious replicationcontroller
severity: :warning
info: Roles/ClusterRoles allowing to create a potentially malicious replicationcontroller. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['replicationcontrollers']
verbs: ['create']
- id: risky-update-replicationcontrollers
group_title: Risky Roles/ClusterRoles allowing to update a potentially malicious replicationcontroller
severity: :warning
info: Roles/ClusterRoles allowing to update a potentially malicious replicationcontroller. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['replicationcontrollers']
verbs: ['update']
- id: risky-create-replicasets
group_title: Risky Roles/ClusterRoles allowing to create a potentially malicious replicaset
severity: :warning
info: Roles/ClusterRoles allowing to create a potentially malicious replicaset. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['replicasets']
verbs: ['create']
- id: risky-update-replicasets
group_title: Risky Roles/ClusterRoles allowing to update a potentially malicious replicaset
severity: :warning
info: Roles/ClusterRoles allowing to update a potentially malicious replicaset. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['replicasets']
verbs: ['update']
- id: risky-create-jobs
group_title: Risky Roles/ClusterRoles allowing to create a potentially malicious job
severity: :warning
info: Roles/ClusterRoles allowing to create a potentially malicious job. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['jobs']
verbs: ['create']
- id: risky-update-jobs
group_title: Risky Roles/ClusterRoles allowing to update a potentially malicious job
severity: :warning
info: Roles/ClusterRoles allowing to update a potentially malicious job. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['jobs']
verbs: ['update']
- id: risky-create-cronjobs
group_title: Risky Roles/ClusterRoles allowing to create a potentially malicious cronjob
severity: :warning
info: Roles/ClusterRoles allowing to create a potentially malicious cronjob. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['cronjobs']
verbs: ['create']
- id: risky-update-cronjobs
group_title: Risky Roles/ClusterRoles allowing to update a potentially malicious cronjob
severity: :warning
info: Roles/ClusterRoles allowing to update a potentially malicious cronjob. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['cronjobs']
verbs: ['update']
# Multiple permissions simulaneously
- id: risky-create-rolebinding-role
group_title: Risky Roles/ClusterRoles allowing creation of rolebinding and associate privileged role to itself
severity: :warning
info: Roles able to create bindings referencing roles. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- apiGroups: ['rbac.authorization.k8s.io']
resources: ['rolebindings']
verbs: ['create']
- apiGroups: ['rbac.authorization.k8s.io']
resources: ['roles']
verbs: ['bind']
- id: risky-create-rolebinding-clusterrole
group_title: Risky Roles/ClusterRoles allowing creation of rolebinding and associate privileged clusterrole to itself
severity: :warning
info: Roles able to create bindings referencing cluster roles. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- apiGroups: ['rbac.authorization.k8s.io']
resources: ['rolebindings']
verbs: ['create']
- apiGroups: ['rbac.authorization.k8s.io']
resources: ['clusterroles']
verbs: ['bind']
- id: risky-create-clusterrolebinding
group_title: Risky Roles/ClusterRoles allowing creation of clusterrolebinding
severity: :warning
info: Roles able to create cluster role bindings. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- apiGroups: ['rbac.authorization.k8s.io']
resources: ['clusterrolebindings']
verbs: ['create']
# Pod exec / attach
- id: risky-exec-pods
group_title: Risky Roles/ClusterRoles allowing shell on pods
severity: :danger
info: Roles allow exec into running container. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['pods/exec']
verbs: ['create']
- resources: ['pods']
verbs: ['get']
- id: risky-attach-pods
group_title: Risky Roles/ClusterRoles allowing attaching pod and view all its logs in realtime
severity: :danger
info: Roles allow attaching to a running container. This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['pods/attach']
verbs: ['create']
- resources: ['pods']
verbs: ['get']
# Low priority
- id: risky-add-rolebinding
group_title: Risky Roles/ClusterRoles allowing users in a rolebinding to add other users to their rolebindings
severity: :warning
info: This might be dangerous. Review listed Roles!
template: risky-role
match_rules:
- resources: ['rolebindings']
verbs: ['patch', 'get']