Unverified Commit 6536c538 authored by Yishay Mendelsohn's avatar Yishay Mendelsohn Committed by GitHub
Browse files

feat: add NSA Hardening Rules (#603)

* feat: add NSA Hardening Rules

* fix: add documentation url

* test: add unique documentation url test
parent 8f624877
Showing with 372 additions and 349 deletions
+372 -349
......@@ -1170,3 +1170,347 @@ rules:
required:
- retryPolicy
- expression
- id: 45
name: Ensure each container has a read-only root filesystem
uniqueName: CONTAINERS_INCORRECT_READONLYROOTFILESYSTEM_VALUE
enabledByDefault: false
documentationUrl: "https://hub.datree.io/built-in-rules/ensure-read-only-filesystem"
messageOnFailure: Incorrect value for key `readOnlyRootFilesystem` - set to 'true' to protect filesystem from potential attacks
category: NSA
schema:
definitions:
containerSecurityPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
readOnlyRootFilesystem:
const: true
required:
- readOnlyRootFilesystem
required:
- securityContext
podSecurityContextPattern:
if:
properties:
kind:
enum:
- Pod
then:
properties:
spec:
properties:
securityContext:
properties:
readOnlyRootFilesystem:
const: true
required:
- readOnlyRootFilesystem
required:
- securityContext
anyOf:
- $ref: "#/definitions/containerSecurityPattern"
- $ref: "#/definitions/podSecurityContextPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 46
name: Prevent containers from accessing underlying host
uniqueName: CONTAINERS_INCORRECT_KEY_HOSTPATH
enabledByDefault: false
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-accessing-underlying-host"
messageOnFailure: Invalid key `hostPath` - refrain from using this mount to prevent an attack on the underlying host
category: NSA
schema:
definitions:
specVolumePattern:
properties:
spec:
properties:
volumes:
type: array
items:
not:
required:
- hostPath
allOf:
- $ref: "#/definitions/specVolumePattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 47
name: Prevent containers from escalating privileges
uniqueName: CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION
enabledByDefault: false
documentationUrl: "https://hub.datree.io/built-in-rules/prevent-escalating-privileges"
messageOnFailure: Missing key `allowPrivilegeEscalation` - set to false to prevent attackers from exploiting escalated container privileges
category: NSA
schema:
definitions:
specContainerPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
allowPrivilegeEscalation:
const: false
required:
- allowPrivilegeEscalation
required:
- securityContext
allOf:
- $ref: "#/definitions/specContainerPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 48
name: Prevent containers from allowing command execution
uniqueName: CONTAINERS_INCORRECT_RESOURCES_VERBS_VALUE
enabledByDefault: false
documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-allowing-command-execution'
messageOnFailure: "Incorrect value for key `resources` and/or `verbs` - allowing containers to run the exec command can be exploited by attackers"
category: NSA
schema:
if:
properties:
kind:
enum:
- Role
- ClusterRole
then:
properties:
rules:
type: array
items:
properties:
resources:
type: array
not:
items:
enum:
- "*"
- "pods/exec"
verbs:
type: array
not:
items:
enum:
- "create"
- "*"
- id: 49
name: Prevent containers from having insecure capabilities
uniqueName: CONTAINERS_INVALID_CAPABILITIES_VALUE
enabledByDefault: false
documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-insecure-capabilities'
messageOnFailure: "Incorrect value for key `add` - refrain from using insecure capabilities to prevent access to sensitive components"
category: NSA
schema:
definitions:
specContainerPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
capabilities:
properties:
add:
type: array
items:
not:
enum:
- "SETPCAP"
- "NET_ADMIN"
- "NET_RAW"
- "SYS_MODULE"
- "SYS_RAWIO"
- "SYS_PTRACE"
- "SYS_ADMIN"
- "SYS_BOOT"
- "MAC_OVERRIDE"
- "MAC_ADMIN"
- "PERFMON"
- "ALL"
- "BPF"
allOf:
- $ref: "#/definitions/specContainerPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 50
name: Prevent containers from insecurely exposing workload
uniqueName: CONTAINERS_INCORRECT_KEY_HOSTPORT
enabledByDefault: false
documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-insecurely-exposing-workload'
messageOnFailure: "Incorrect key `hostPort` - refrain from using this key to prevent insecurely exposing your workload"
category: NSA
schema:
definitions:
specContainerPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
ports:
type: array
items:
not:
required:
- hostPort
allOf:
- $ref: "#/definitions/specContainerPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 51
name: Prevent containers from accessing host files by using high GIDs
uniqueName: CONTAINERS_INCORRECT_RUNASGROUP_VALUE_LOWGID
enabledByDefault: false
documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-accessing-host-files-by-using-high-gids'
messageOnFailure: "Invalid value for key `runAsGroup` - must be greater than 999 to ensure container is running with non-root group membership"
category: NSA
schema:
definitions:
specContainerPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
runAsGroup:
minimum: 1000
podSecurityContextPattern:
if:
properties:
kind:
enum:
- Pod
then:
properties:
spec:
properties:
securityContext:
properties:
runAsGroup:
minimum: 1000
allOf:
- $ref: "#/definitions/specContainerPattern"
- $ref: "#/definitions/podSecurityContextPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 52
name: Prevent container from running with root privileges
uniqueName: CONTAINERS_INCORRECT_RUNASNONROOT_VALUE
enabledByDefault: false
documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-running-with-root-privileges'
messageOnFailure: "Invalid value for key `runAsNonRoot` - must be set to `true` to prevent unnecessary privileges"
category: NSA
schema:
definitions:
containerSecurityPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
runAsNonRoot:
const: true
required:
- runAsNonRoot
required:
- securityContext
podSecurityContextPattern:
if:
properties:
kind:
enum:
- Pod
then:
properties:
spec:
properties:
securityContext:
properties:
runAsNonRoot:
const: true
required:
- runAsNonRoot
allOf:
- $ref: "#/definitions/containerSecurityPattern"
- $ref: "#/definitions/podSecurityContextPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 53
name: Prevent service account token auto-mounting on pods
uniqueName: SRVACC_INCORRECT_AUTOMOUNTSERVICEACCOUNTTOKEN_VALUE
enabledByDefault: false
documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-service-account-token-auto-mount'
messageOnFailure: "Invalid value for key `automountServiceAccountToken` - must be set to `false` to prevent granting unnecessary access to the service account"
category: NSA
schema:
definitions:
podPattern:
if:
properties:
kind:
enum:
- Pod
then:
properties:
spec:
properties:
automountServiceAccountToken:
const: false
required:
- automountServiceAccountToken
serviceAccountPattern:
if:
properties:
kind:
enum:
- ServiceAccount
then:
properties:
automountServiceAccountToken:
const: false
required:
- automountServiceAccountToken
allOf:
- $ref: "#/definitions/podPattern"
- $ref: "#/definitions/serviceAccountPattern"
......@@ -9,15 +9,15 @@
},
"rules": {
"type": "array",
"minItems": 44,
"maxItems": 44,
"minItems": 53,
"maxItems": 53,
"items": {
"type": "object",
"properties": {
"id": {
"type": "number",
"minimum": 1,
"maximum": 44
"maximum": 53
},
"name": {
"type": "string",
......@@ -51,7 +51,8 @@
"Security",
"Other",
"Custom",
"Argo"
"Argo",
"NSA"
]
},
"schema": {
......
......@@ -72,6 +72,15 @@ func TestDefaultRulesHasUniqueIDsInRules(t *testing.T) {
assert.Nil(t, uniquenessValidationError)
}
func TestDefaultRulesHasUniqueDocumentationUrlsInRules(t *testing.T) {
defaultRulesMap, conversionToMapError := convertYamlFileToMap(defaultRulesFileContent)
assert.Nil(t, conversionToMapError)
uniquenessValidationError := validateDocumentationUrlUniquenessInRules(defaultRulesMap.Rules)
assert.Nil(t, uniquenessValidationError)
}
func getFileFromPath(path string) (string, error) {
fileReader := fileReader.CreateFileReader(nil)
fileContent, readFileError := fileReader.ReadFileContent(path)
......@@ -151,3 +160,17 @@ func validateIDUniquenessInRules(rules []DefaultRuleDefinition) error {
return nil
}
func validateDocumentationUrlUniquenessInRules(rules []DefaultRuleDefinition) error {
propertyValuesExistenceMap := make(map[string]bool)
for _, item := range rules {
if propertyValuesExistenceMap[item.DocumentationUrl] {
return fmt.Errorf("duplicate id found: %d", item.ID)
}
propertyValuesExistenceMap[item.DocumentationUrl] = true
}
return nil
}
- id: 45
name: Ensure each container has a read-only root filesystem
uniqueName: CONTAINERS_INCORRECT_READONLYROOTFILESYSTEM_VALUE
enabledByDefault: true
documentationUrl: 'https://hub.datree.io/'
messageOnFailure: Incorrect value for key `readOnlyRootFilesystem` - set to 'true' to protect filesystem from potential attacks
category: Containers
schema:
definitions:
containerSecurityPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
readOnlyRootFilesystem:
const: true
required:
- readOnlyRootFilesystem
required:
- securityContext
podSecurityContextPattern:
if:
properties:
kind:
enum:
- Pod
then:
properties:
spec:
properties:
securityContext:
properties:
readOnlyRootFilesystem:
const: true
required:
- readOnlyRootFilesystem
required:
- securityContext
anyOf:
- $ref: "#/definitions/containerSecurityPattern"
- $ref: "#/definitions/podSecurityContextPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 46
name: Prevent containers from accessing underlying host
uniqueName: CONTAINERS_INCORRECT_KEY_HOSTPATH
enabledByDefault: true
documentationUrl: 'https://hub.datree.io/'
messageOnFailure: Invalid key `hostPath` - refrain from using this mount to prevent an attack on the underlying host
category: Containers
schema:
definitions:
specVolumePattern:
properties:
spec:
properties:
volumes:
type: array
items:
not:
required:
- hostPath
allOf:
- $ref: "#/definitions/specVolumePattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 47
name: Prevent containers from escalating privileges
uniqueName: CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION
enabledByDefault: true
documentationUrl: 'https://hub.datree.io/'
messageOnFailure: Missing key `allowPrivilegeEscalation` - set to false to prevent attackers from exploiting escalated container privileges
category: Containers
schema:
definitions:
specContainerPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
allowPrivilegeEscalation:
const: false
required:
- allowPrivilegeEscalation
required:
- securityContext
allOf:
- $ref: "#/definitions/specContainerPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 48
name: Prevent containers from allowing command execution
uniqueName: CONTAINERS_INCORRECT_RESOURCES_VERBS_VALUE
enabledByDefault: true
documentationUrl: 'https://hub.datree.io/'
messageOnFailure: 'Incorrect value for key `resources` and/or `verbs` - allowing containers to run the exec command can be exploited by attackers'
category: Containers
schema:
if:
properties:
kind:
enum:
- Role
- ClusterRole
then:
properties:
rules:
type: array
items:
properties:
resources:
type: array
not:
items:
enum:
- "*"
- "pods/exec"
verbs:
type: array
not:
items:
enum:
- "create"
- "*"
- id: 49
name: Prevent containers from having insecure capabilities
uniqueName: CONTAINERS_INVALID_CAPABILITIES_VALUE
enabledByDefault: true
documentationUrl: 'https://hub.datree.io/'
messageOnFailure: 'Incorrect value for key `add` - refrain from using insecure capabilities to prevent access to sensitive components'
category: Containers
schema:
definitions:
specContainerPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
capabilities:
properties:
add:
type: array
items:
not:
enum:
- "SETPCAP"
- "NET_ADMIN"
- "NET_RAW"
- "SYS_MODULE"
- "SYS_RAWIO"
- "SYS_PTRACE"
- "SYS_ADMIN"
- "SYS_BOOT"
- "MAC_OVERRIDE"
- "MAC_ADMIN"
- "PERFMON"
- "ALL"
- "BPF"
allOf:
- $ref: "#/definitions/specContainerPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 50
name: Prevent containers from insecurely exposing workload
uniqueName: CONTAINERS_INCORRECT_KEY_HOSTPORT
enabledByDefault: true
documentationUrl: 'https://hub.datree.io/'
messageOnFailure: 'Incorrect key `hostPort` - refrain from using this key to prevent insecurely exposing your workload'
category: Containers
schema:
definitions:
specContainerPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
ports:
type: array
items:
not:
required:
- hostPort
allOf:
- $ref: "#/definitions/specContainerPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 51
name: Prevent containers from accessing host files by using high GIDs
uniqueName: CONTAINERS_INCORRECT_RUNASGROUP_VALUE_LOWGID
enabledByDefault: true
documentationUrl: 'https://hub.datree.io/'
messageOnFailure: 'Invalid value for key `runAsGroup` - must be greater than 999 to ensure container is running with non-root group membership'
category: Containers
schema:
definitions:
specContainerPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
runAsGroup:
minimum: 1000
podSecurityContextPattern:
if:
properties:
kind:
enum:
- Pod
then:
properties:
spec:
properties:
securityContext:
properties:
runAsGroup:
minimum: 1000
allOf:
- $ref: "#/definitions/specContainerPattern"
- $ref: "#/definitions/podSecurityContextPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 52
name: Prevent container from running with root privileges
uniqueName: CONTAINERS_INCORRECT_RUNASNONROOT_VALUE
enabledByDefault: true
documentationUrl: 'https://hub.datree.io/'
messageOnFailure: 'Invalid value for key `runAsNonRoot` - must be set to `true` to prevent unnecessary privileges'
category: Containers
schema:
definitions:
containerSecurityPattern:
properties:
spec:
properties:
containers:
type: array
items:
properties:
securityContext:
properties:
runAsNonRoot:
const: true
required:
- runAsNonRoot
required:
- securityContext
podSecurityContextPattern:
if:
properties:
kind:
enum:
- Pod
then:
properties:
spec:
properties:
securityContext:
properties:
runAsNonRoot:
const: true
required:
- runAsNonRoot
allOf:
- $ref: "#/definitions/containerSecurityPattern"
- $ref: "#/definitions/podSecurityContextPattern"
additionalProperties:
$ref: "#"
items:
$ref: "#"
- id: 53
name: Prevent service account token auto-mounting on pods
uniqueName: SRVACC_INCORRECT_AUTOMOUNTSERVICEACCOUNTTOKEN_VALUE
enabledByDefault: true
documentationUrl: 'https://hub.datree.io/'
messageOnFailure: 'Invalid value for key `automountServiceAccountToken` - must be set to `false` to prevent granting unnecessary access to the service account'
category: Other
schema:
definitions:
podPattern:
if:
properties:
kind:
enum:
- Pod
then:
properties:
spec:
properties:
automountServiceAccountToken:
const: false
required:
- automountServiceAccountToken
serviceAccountPattern:
if:
properties:
kind:
enum:
- ServiceAccount
then:
properties:
automountServiceAccountToken:
const: false
required:
- automountServiceAccountToken
allOf:
- $ref: "#/definitions/podPattern"
- $ref: "#/definitions/serviceAccountPattern"
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment