From 766b34e0575694fa7865fb381f83c6ddb48cd260 Mon Sep 17 00:00:00 2001
From: hendrik-buchwald-sonarsource
 <hendrik-buchwald-sonarsource@users.noreply.github.com>
Date: Mon, 7 Oct 2024 07:18:31 +0000
Subject: [PATCH 1/3] Add ansible to rule S5849

---
 rules/S5849/ansible/metadata.json |  2 ++
 rules/S5849/ansible/rule.adoc     | 44 +++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 rules/S5849/ansible/metadata.json
 create mode 100644 rules/S5849/ansible/rule.adoc

diff --git a/rules/S5849/ansible/metadata.json b/rules/S5849/ansible/metadata.json
new file mode 100644
index 00000000000..7a73a41bfdf
--- /dev/null
+++ b/rules/S5849/ansible/metadata.json
@@ -0,0 +1,2 @@
+{
+}
\ No newline at end of file
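Review bot: `metadata.json` is committed as an empty object with no trailing newline. If the Ansible variant is meant to inherit title, type, tags and defaults from the parent `rules/S5849/metadata.json`, an empty object is the usual convention and this is fine; otherwise the language-specific keys belong here. Either way, add the final newline so the file does not carry `\ No newline at end of file` into every later diff.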
diff --git a/rules/S5849/ansible/rule.adoc b/rules/S5849/ansible/rule.adoc
new file mode 100644
index 00000000000..912ec60d258
--- /dev/null
+++ b/rules/S5849/ansible/rule.adoc
@@ -0,0 +1,44 @@
+FIXME: add a description
+
+// If you want to factorize the description uncomment the following line and create the file.
+//include::../description.adoc[]
+
+== Why is this an issue?
+
+FIXME: remove the unused optional headers (that are commented out)
+
+//=== What is the potential impact?
+
+== How to fix it
+//== How to fix it in FRAMEWORK NAME
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,yaml,diff-id=1,diff-type=noncompliant]
+----
+FIXME
+----
+
+==== Compliant solution
+
+[source,yaml,diff-id=1,diff-type=compliant]
+----
+FIXME
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+
+//== Resources
+//=== Documentation
+//=== Articles & blog posts
+//=== Conference presentations
+//=== Standards
+//=== External coding guidelines
+//=== Benchmarks
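Review bot: this commit lands the unfilled RSPEC template (FIXME description, FIXME code examples, commented-out optional headers), and the later commits in the series replace all of it. That is fine for review history, but consider squashing it into the content commit before merge so that no revision of the rule ever ships with `FIXME` placeholders in `rule.adoc`.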

From e48663a036124e3576c1c948df65571b67eb870f Mon Sep 17 00:00:00 2001
From: Hendrik Buchwald <hendrik.buchwald@sonarsource.com>
Date: Mon, 7 Oct 2024 09:22:37 +0200
Subject: [PATCH 2/3] Update RSPEC content

---
 rules/S5849/ansible/rule.adoc | 69 +++++++++++++++++++++--------------
 1 file changed, 42 insertions(+), 27 deletions(-)

diff --git a/rules/S5849/ansible/rule.adoc b/rules/S5849/ansible/rule.adoc
index 912ec60d258..16276a29c27 100644
--- a/rules/S5849/ansible/rule.adoc
+++ b/rules/S5849/ansible/rule.adoc
@@ -1,44 +1,59 @@
-FIXME: add a description
+Setting capabilities can lead to privilege escalation and container escapes.
 
-// If you want to factorize the description uncomment the following line and create the file.
-//include::../description.adoc[]
+Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges.
 
-== Why is this an issue?
+In a container, capabilities might allow to access resources from the host system which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside of the container.
 
-FIXME: remove the unused optional headers (that are commented out)
 
-//=== What is the potential impact?
+== Ask Yourself Whether
 
-== How to fix it
-//== How to fix it in FRAMEWORK NAME
+Capabilities are granted:
 
-=== Code examples
+* To a process that does not require all capabilities to do its job.
+* To a not trusted process.
 
-==== Noncompliant code example
+There is a risk if you answered yes to any of those questions.
 
-[source,yaml,diff-id=1,diff-type=noncompliant]
-----
-FIXME
-----
 
-==== Compliant solution
+== Recommended Secure Coding Practices
+
+Capabilities are high privileges, traditionally associated with superuser (root), thus make sure that the most restrictive and necessary capabilities are assigned.
 
-[source,yaml,diff-id=1,diff-type=compliant]
+
+== Sensitive Code Example
+
+[source,yaml]
 ----
-FIXME
+- name: Set cap_sys_chroot+ep on /usr/bin/example
+  community.general.capabilities:
+    path: /usr/bin/example
+    capability: cap_sys_admin+ep  # Sensitive
+    state: present
 ----
 
-//=== How does this work?
+== See
+
+* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
+* CWE - https://cwe.mitre.org/data/definitions/266[CWE-266 -  Incorrect Privilege Assignment]
+* https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[Kubernetes Documentation] - Configure a Security Context for a Pod or Container
+* https://man7.org/linux/man-pages/man7/capabilities.7.html[Linux manual page] - capabilities(7)
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+Make sure setting capabilities is safe here.
+
 
-//=== Pitfalls
+'''
+== Comments And Links
+(visible only on this page)
 
-//=== Going the extra mile
 
 
-//== Resources
-//=== Documentation
-//=== Articles & blog posts
-//=== Conference presentations
-//=== Standards
-//=== External coding guidelines
-//=== Benchmarks
+endif::env-github,rspecator-view[]
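Review bot: the task name in the Sensitive Code Example (`Set cap_sys_chroot+ep on /usr/bin/example`) does not match the capability the task actually sets (`capability: cap_sys_admin+ep`); align the name with the value, since a reader comparing the two will assume one of them is a typo. Content-wise, `community.general.capabilities` sets file capabilities on the binary, so `+ep` makes CAP_SYS_ADMIN permitted and effective for any process that executes `/usr/bin/example` (subject to the bounding set), not only for a container workload; the description only discusses container processes, so one sentence on file capabilities would make the Ansible variant self-explanatory. The `See` section links the Kubernetes security-context documentation, which does not apply to an Ansible rule; link the `community.general.capabilities` module documentation instead. Finally, consider adding a `== Compliant Solution` block, for example the same task with the narrowest capability the program needs or with `state: absent`, so the hotspot shows what a safe configuration looks like.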

From 81e3d2faebfb3c7d05a68332d290ef1ee28e9f72 Mon Sep 17 00:00:00 2001
From: Hendrik Buchwald <hendrik.buchwald@sonarsource.com>
Date: Tue, 8 Oct 2024 11:17:04 +0200
Subject: [PATCH 3/3] Move descriptions to shared files

---
 rules/S5849/ansible/rule.adoc        | 18 +++---------------
 rules/S5849/common/ask-yourself.adoc |  6 ++++++
 rules/S5849/common/description.adoc  |  5 +++++
 rules/S5849/common/recommended.adoc  |  4 ++++
 rules/S5849/kubernetes/rule.adoc     | 18 +++---------------
 5 files changed, 21 insertions(+), 30 deletions(-)
 create mode 100644 rules/S5849/common/ask-yourself.adoc
 create mode 100644 rules/S5849/common/description.adoc
 create mode 100644 rules/S5849/common/recommended.adoc

diff --git a/rules/S5849/ansible/rule.adoc b/rules/S5849/ansible/rule.adoc
index 16276a29c27..4997d379394 100644
--- a/rules/S5849/ansible/rule.adoc
+++ b/rules/S5849/ansible/rule.adoc
@@ -1,24 +1,12 @@
-Setting capabilities can lead to privilege escalation and container escapes.
-
-Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges.
-
-In a container, capabilities might allow to access resources from the host system which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside of the container.
-
+include::../common/description.adoc[]
 
 == Ask Yourself Whether
 
-Capabilities are granted:
-
-* To a process that does not require all capabilities to do its job.
-* To a not trusted process.
-
-There is a risk if you answered yes to any of those questions.
-
+include::../common/ask-yourself.adoc[]
 
 == Recommended Secure Coding Practices
 
-Capabilities are high privileges, traditionally associated with superuser (root), thus make sure that the most restrictive and necessary capabilities are assigned.
-
+include::../common/recommended.adoc[]
 
 == Sensitive Code Example
 
diff --git a/rules/S5849/common/ask-yourself.adoc b/rules/S5849/common/ask-yourself.adoc
new file mode 100644
index 00000000000..83967979807
--- /dev/null
+++ b/rules/S5849/common/ask-yourself.adoc
@@ -0,0 +1,6 @@
+Capabilities are granted:
+
+* To a process that does not require all capabilities to do its job.
+* To a not trusted process.
+
+There is a risk if you answered yes to any of those questions.
\ No newline at end of file
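Review bot: `To a not trusted process` should read `To an untrusted process`, and the closing line says `if you answered yes to any of those questions` while the bullets are statements rather than questions; either phrase the bullets as questions (`Is the capability granted to a process that does not need it?`) or close with `There is a risk if any of these apply.` The file is also missing its trailing newline.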
diff --git a/rules/S5849/common/description.adoc b/rules/S5849/common/description.adoc
new file mode 100644
index 00000000000..08180f0fc4e
--- /dev/null
+++ b/rules/S5849/common/description.adoc
@@ -0,0 +1,5 @@
+Setting capabilities can lead to privilege escalation and container escapes.
+
+Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges.
+
+In a container, capabilities might allow to access resources from the host system which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside of the container.
\ No newline at end of file
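Review bot: `might allow to access resources from the host system which can result in container escapes` needs a grammar fix: `might allow access to resources on the host system, which can result in container escapes`. The `SYS_ADMIN` reference would be more precise as `CAP_SYS_ADMIN`, matching the `cap_sys_admin` spelling used in the Ansible example and in capabilities(7). Since this file is now shared with the Ansible rule, where `community.general.capabilities` sets file capabilities rather than container capabilities, a short sentence on that case would keep the description accurate for both variants. Add the trailing newline as well.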
diff --git a/rules/S5849/common/recommended.adoc b/rules/S5849/common/recommended.adoc
new file mode 100644
index 00000000000..5f4cecc1a29
--- /dev/null
+++ b/rules/S5849/common/recommended.adoc
@@ -0,0 +1,4 @@
+Capabilities are high privileges, traditionally associated with superuser (root),
+thus make sure that the most restrictive and necessary capabilities are assigned.
+
+In the best case, no capabilities should be granted at all.
\ No newline at end of file
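Review bot: this commit is titled as a move, but the shared file adds a sentence that neither rule previously had (`In the best case, no capabilities should be granted at all.`), so the Kubernetes rule's text changes under a "Move descriptions to shared files" commit; either mention the addition in the commit message or split it into its own change. The first sentence would also read better as two: `Capabilities are high privileges, traditionally associated with the superuser (root). Make sure that only the most restrictive and necessary capabilities are assigned.` The file is missing its trailing newline.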
diff --git a/rules/S5849/kubernetes/rule.adoc b/rules/S5849/kubernetes/rule.adoc
index 7061a056d11..72e3ee867e1 100644
--- a/rules/S5849/kubernetes/rule.adoc
+++ b/rules/S5849/kubernetes/rule.adoc
@@ -1,24 +1,12 @@
-Setting capabilities can lead to privilege escalation and container escapes.
-
-Linux capabilities allow you to assign narrow slices of ``++root++``'s permissions to processes. A thread with capabilities bypasses the normal kernel security checks to execute high-privilege actions such as mounting a device to a directory, without requiring additional root privileges.
-
-In a container, capabilities might allow to access resources from the host system which can result in container escapes. For example, with the capability ``++SYS_ADMIN++`` an attacker might be able to mount devices from the host system inside of the container.
-
+include::../common/description.adoc[]
 
 == Ask Yourself Whether
 
-Capabilities are granted:
-
-* To a process that does not require all capabilities to do its job.
-* To a not trusted process.
-
-There is a risk if you answered yes to any of those questions.
-
+include::../common/ask-yourself.adoc[]
 
 == Recommended Secure Coding Practices
 
-Capabilities are high privileges, traditionally associated with superuser (root), thus make sure that the most restrictive and necessary capabilities are assigned.
-
+include::../common/recommended.adoc[]
 
 == Sensitive Code Example