From 766b34e0575694fa7865fb381f83c6ddb48cd260 Mon Sep 17 00:00:00 2001 From: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Date: Mon, 7 Oct 2024 07:18:31 +0000 Subject: [PATCH 1/3] Add ansible to rule S5849 --- rules/S5849/ansible/metadata.json | 2 ++ rules/S5849/ansible/rule.adoc | 44 +++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 rules/S5849/ansible/metadata.json create mode 100644 rules/S5849/ansible/rule.adoc diff --git a/rules/S5849/ansible/metadata.json b/rules/S5849/ansible/metadata.json new file mode 100644 index 00000000000..7a73a41bfdf --- /dev/null +++ b/rules/S5849/ansible/metadata.json @@ -0,0 +1,2 @@ +{ +} \ No newline at end of file diff --git a/rules/S5849/ansible/rule.adoc b/rules/S5849/ansible/rule.adoc new file mode 100644 index 00000000000..912ec60d258 --- /dev/null +++ b/rules/S5849/ansible/rule.adoc @@ -0,0 +1,44 @@ +FIXME: add a description + +// If you want to factorize the description uncomment the following line and create the file. +//include::../description.adoc[] + +== Why is this an issue? + +FIXME: remove the unused optional headers (that are commented out) + +//=== What is the potential impact? + +== How to fix it +//== How to fix it in FRAMEWORK NAME + +=== Code examples + +==== Noncompliant code example + +[source,yaml,diff-id=1,diff-type=noncompliant] +---- +FIXME +---- + +==== Compliant solution + +[source,yaml,diff-id=1,diff-type=compliant] +---- +FIXME +---- + +//=== How does this work? + +//=== Pitfalls + +//=== Going the extra mile + + +//== Resources +//=== Documentation +//=== Articles & blog posts +//=== Conference presentations +//=== Standards +//=== External coding guidelines +//=== Benchmarks From e48663a036124e3576c1c948df65571b67eb870f Mon Sep 17 00:00:00 2001 
From: Hendrik Buchwald <hendrik.buchwald@sonarsource.com> Date: Mon, 7 Oct 2024 09:22:37 +0200 Subject: [PATCH 2/3] Update RSPEC content --- rules/S5849/ansible/rule.adoc | 69 +++++++++++++++++++++-------------- 1 file changed, 42 insertions(+), 27 deletions(-) diff --git a/rules/S5849/ansible/rule.adoc b/rules/S5849/ansible/rule.adoc index 912ec60d258..16276a29c27 100644 --- a/rules/S5849/ansible/rule.adoc +++ b/rules/S5849/ansible/rule.adoc 
@@ -1,44 +1,59 @@ -FIXME: add a description +Setting capabilities can lead to privilege escalation and container escapes. -// If you want to factorize the description uncomment the following line and create the file. -//include::../description.adoc[] +Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges. -== Why is this an issue? +In a container, capabilities might allow to access resources from the host system which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside of the container. -FIXME: remove the unused optional headers (that are commented out) -//=== What is the potential impact? +== Ask Yourself Whether -== How to fix it -//== How to fix it in FRAMEWORK NAME +Capabilities are granted: -=== Code examples +* To a process that does not require all capabilities to do its job. +* To a not trusted process. -==== Noncompliant code example +There is a risk if you answered yes to any of those questions. -[source,yaml,diff-id=1,diff-type=noncompliant] ----- -FIXME ----- -==== Compliant solution +== Recommended Secure Coding Practices + +Capabilities are high privileges, traditionally associated with superuser (root), thus make sure that the most restrictive and necessary capabilities are assigned. -[source,yaml,diff-id=1,diff-type=compliant] + +== Sensitive Code Example + +[source,yaml] ---- -FIXME +- name: Set cap_sys_chroot+ep on /usr/bin/example + community.general.capabilities: + path: /usr/bin/example + capability: cap_sys_admin+ep # Sensitive + state: present ---- -//=== How does this work? 
+== See + +* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges] +* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 - Incorrect Privilege Assignment] +* https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Kubernetes Documentation] - Configure a Security Context for a Pod or Container +* https://man7.org/linux/man-pages/man7/capabilities.7.html[Linux manual page] - capabilities(7) + + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +=== Message + +Make sure setting capabilities is safe here. + -//=== Pitfalls +''' +== Comments And Links +(visible only on this page) -//=== Going the extra mile -//== Resources -//=== Documentation -//=== Articles & blog posts -//=== Conference presentations -//=== Standards -//=== External coding guidelines -//=== Benchmarks +endif::env-github,rspecator-view[] From 81e3d2faebfb3c7d05a68332d290ef1ee28e9f72 Mon Sep 17 00:00:00 2001 From: Hendrik Buchwald <hendrik.buchwald@sonarsource.com> Date: Tue, 8 Oct 2024 11:17:04 +0200 Subject: [PATCH 3/3] Move descriptions to shared files --- rules/S5849/ansible/rule.adoc | 18 +++--------------- rules/S5849/common/ask-yourself.adoc | 6 ++++++ rules/S5849/common/description.adoc | 5 +++++ rules/S5849/common/recommended.adoc | 4 ++++ rules/S5849/kubernetes/rule.adoc | 18 +++--------------- 5 files changed, 21 insertions(+), 30 deletions(-) create mode 100644 rules/S5849/common/ask-yourself.adoc create mode 100644 rules/S5849/common/description.adoc create mode 100644 rules/S5849/common/recommended.adoc diff --git a/rules/S5849/ansible/rule.adoc b/rules/S5849/ansible/rule.adoc index 16276a29c27..4997d379394 100644 --- a/rules/S5849/ansible/rule.adoc +++ b/rules/S5849/ansible/rule.adoc 
@@ -1,24 +1,12 @@ -Setting capabilities can lead to privilege escalation and container escapes. - -Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges. - -In a container, capabilities might allow to access resources from the host system which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside of the container. - +include::../common/description.adoc[] == Ask Yourself Whether -Capabilities are granted: - -* To a process that does not require all capabilities to do its job. -* To a not trusted process. - -There is a risk if you answered yes to any of those questions. - +include::../common/ask-yourself.adoc[] == Recommended Secure Coding Practices -Capabilities are high privileges, traditionally associated with superuser (root), thus make sure that the most restrictive and necessary capabilities are assigned. - +include::../common/recommended.adoc[] == Sensitive Code Example diff --git a/rules/S5849/common/ask-yourself.adoc b/rules/S5849/common/ask-yourself.adoc new file mode 100644 index 00000000000..83967979807 --- /dev/null +++ b/rules/S5849/common/ask-yourself.adoc @@ -0,0 +1,6 @@ +Capabilities are granted: + +* To a process that does not require all capabilities to do its job. +* To a not trusted process. + +There is a risk if you answered yes to any of those questions. \ No newline at end of file diff --git a/rules/S5849/common/description.adoc b/rules/S5849/common/description.adoc new file mode 100644 index 00000000000..08180f0fc4e --- /dev/null +++ b/rules/S5849/common/description.adoc 
@@ -0,0 +1,5 @@ +Setting capabilities can lead to privilege escalation and container escapes. + +Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges. + +In a container, capabilities might allow to access resources from the host system which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside of the container. \ No newline at end of file diff --git a/rules/S5849/common/recommended.adoc b/rules/S5849/common/recommended.adoc new file mode 100644 index 00000000000..5f4cecc1a29 --- /dev/null +++ b/rules/S5849/common/recommended.adoc @@ -0,0 +1,4 @@ +Capabilities are high privileges, traditionally associated with superuser (root), +thus make sure that the most restrictive and necessary capabilities are assigned. + +In the best case, no capabilities should be granted at all. \ No newline at end of file diff --git a/rules/S5849/kubernetes/rule.adoc b/rules/S5849/kubernetes/rule.adoc index 7061a056d11..72e3ee867e1 100644 --- a/rules/S5849/kubernetes/rule.adoc +++ b/rules/S5849/kubernetes/rule.adoc 
@@ -1,24 +1,12 @@ -Setting capabilities can lead to privilege escalation and container escapes. - -Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges. - -In a container, capabilities might allow to access resources from the host system which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside of the container. - +include::../common/description.adoc[] == Ask Yourself Whether -Capabilities are granted: - -* To a process that does not require all capabilities to do its job. -* To a not trusted process. - -There is a risk if you answered yes to any of those questions. - +include::../common/ask-yourself.adoc[] == Recommended Secure Coding Practices -Capabilities are high privileges, traditionally associated with superuser (root), thus make sure that the most restrictive and necessary capabilities are assigned. - +include::../common/recommended.adoc[] == Sensitive Code Example
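Review bot: In the PATCH 2/3 hunk for rules/S5849/ansible/rule.adoc, the Sensitive Code Example's task name does not match the capability it sets: `- name: Set cap_sys_chroot+ep on /usr/bin/example` while the `capability:` line is `cap_sys_admin+ep`. Rename the task to `Set cap_sys_admin+ep on /usr/bin/example` so the example reads consistently. On the same hunk, the `== See` list carries over the Kubernetes security-context documentation link, which is not relevant to an Ansible rule; link the `community.general.capabilities` module documentation instead and keep capabilities(7). The hunk also adds only a Sensitive Code Example with no `== Compliant Solution`; a matching task that uses `state: absent`, or grants only the narrowest capability the binary actually needs, would show the reader what the fix looks like.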
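Review bot: In the PATCH 3/3 hunk creating rules/S5849/common/ask-yourself.adoc, the second bullet `* To a not trusted process.` is ungrammatical; write `* To an untrusted process.` The closing line `There is a risk if you answered yes to any of those questions.` refers to questions, but the bullets are statements under `Capabilities are granted:`; phrasing the bullets as questions, or saying "any of those points", keeps the text consistent. The file is also created with `\ No newline at end of file`, which is worth fixing while it is being added; the same applies to the new description.adoc and recommended.adoc.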
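Review bot: In the PATCH 3/3 hunk creating rules/S5849/common/description.adoc, the shared text only describes the container case, while the Ansible Sensitive Code Example sets a file capability (`cap_sys_admin+ep`) on a binary with `community.general.capabilities`. A file capability with the permitted and effective bits set is granted to every user who can execute that binary, whether or not it runs in a container, so the description should state that setting file capabilities on executables is a privilege escalation path on the host as well. Grammar in the third paragraph: `capabilities might allow to access resources` should be `capabilities might allow access to resources`, and `inside of the container` reads better as `inside the container`.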
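Review bot: In the PATCH 3/3 hunk creating rules/S5849/common/recommended.adoc, the commit message says descriptions are being moved to shared files, but this file does not just move text: it adds a new sentence, `In the best case, no capabilities should be granted at all.`, that appears in neither of the removed Recommended Secure Coding Practices paragraphs, and it re-breaks the first sentence across two lines. The added guidance is sound; either mention it in the commit message or land it as a separate change so the move stays reviewable as a pure move. Also, `, thus make sure that` is a comma splice; `so make sure that`, or starting a new sentence, reads better.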