From 4b3e94eec5285ec8e20c8f06a0e62498f9c711c5 Mon Sep 17 00:00:00 2001
From: YiscahLevySilas1
Date: Sun, 1 Oct 2023 15:41:19 +0300
Subject: [PATCH] add delete / review paths

Signed-off-by: YiscahLevySilas1
---
 rules/CVE-2021-25741/raw.rego | 3 +++
 rules/alert-any-hostpath/raw.rego | 3 +++
 rules/alert-container-optimized-os-not-in-use/raw.rego | 1 +
 rules/alert-mount-potential-credentials-paths/raw.rego | 1 +
 rules/alert-rw-hostpath/raw.rego | 3 +++
 rules/anonymous-requests-to-kubelet-updated/raw.rego | 1 +
 rules/automount-default-service-account/raw.rego | 1 +
 rules/automount-service-account/raw.rego | 4 ++++
 rules/cluster-admin-role/raw.rego | 1 +
 rules/configmap-in-default-namespace/raw.rego | 1 +
 rules/container-hostPort/raw.rego | 3 +++
 rules/container-image-repository-v1/raw.rego | 1 +
 rules/container-image-repository/raw.rego | 3 +++
 rules/containers-mounting-docker-socket/raw.rego | 3 +++
 rules/csistoragecapacity-in-default-namespace/raw.rego | 1 +
 rules/insecure-capabilities/raw.rego | 3 +++
 16 files changed, 33 insertions(+)

diff --git a/rules/CVE-2021-25741/raw.rego b/rules/CVE-2021-25741/raw.rego
index 041ba5f1e..76bde3f26 100644
--- a/rules/CVE-2021-25741/raw.rego
+++ b/rules/CVE-2021-25741/raw.rego
@@ -14,6 +14,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in pod : %v with subPath/subPathExpr", [container.name, pod.metadata.name]),
 "alertObject": {"k8SApiObjects": [pod]},
+ "deletePaths": final_path,
 "failedPaths": final_path,
 "fixPaths": [],
 }
@@ -34,6 +35,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]),
 "alertObject": {"k8SApiObjects": [wl]},
+ "deletePaths": final_path,
 "failedPaths": final_path,
 "fixPaths": [],
 }
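Review bot: The `alertObject` in both CVE-2021-25741 hunks here uses the key `k8SApiObjects` (capital S), while every other rule touched by this patch emits `k8sApiObjects`; if the consumer matches the lowercase spelling, the pod or workload is silently dropped from the finding and the new `deletePaths` has no object to resolve against. The third hunk of this file carries the same key. `failedPaths` is kept beside the new `deletePaths` in every hunk, presumably for consumers that predate the new key; a one-line comment at the first occurrence such as `# failedPaths is kept for consumers that do not read deletePaths yet` would tell the next maintainer whether it may ever be removed. The enclosing `deny[msga]` rules start before and end after each hunk, and `final_path` is bound outside it.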
@@ -54,6 +56,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("You may be vulnerable to CVE-2021-25741. You have a Node with a vulnerable version and the following container : %v in %v : %v with subPath/subPathExpr", [container.name, wl.kind, wl.metadata.name]),
 "alertObject": {"k8SApiObjects": [wl]},
+ "deletePaths": final_path,
 "failedPaths": final_path,
 "fixPaths": [],
 }
diff --git a/rules/alert-any-hostpath/raw.rego b/rules/alert-any-hostpath/raw.rego
index 89c30c2ca..49047a291 100644
--- a/rules/alert-any-hostpath/raw.rego
+++ b/rules/alert-any-hostpath/raw.rego
@@ -15,6 +15,7 @@ deny[msga] {
 "alertMessage": sprintf("pod: %v has: %v as hostPath volume", [podname, volume.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": [result],
 "failedPaths": [result],
 "fixPaths":[],
 "alertObject": {
@@ -38,6 +39,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": [result],
 "failedPaths": [result],
 "fixPaths":[],
 "alertObject": {
@@ -58,6 +60,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v has: %v as hostPath volume", [wl.kind, wl.metadata.name, volume.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": [result],
 "failedPaths": [result],
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/alert-container-optimized-os-not-in-use/raw.rego b/rules/alert-container-optimized-os-not-in-use/raw.rego
index afa632a89..168aa0006 100644
--- a/rules/alert-container-optimized-os-not-in-use/raw.rego
+++ b/rules/alert-container-optimized-os-not-in-use/raw.rego
@@ -27,6 +27,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "reviewPaths": failedPaths,
 "failedPaths": failedPaths,
 "fixPaths": [],
 "alertObject": {
diff --git a/rules/alert-mount-potential-credentials-paths/raw.rego b/rules/alert-mount-potential-credentials-paths/raw.rego
index ae5feb25f..04fcc13e0 100644
--- a/rules/alert-mount-potential-credentials-paths/raw.rego
+++ b/rules/alert-mount-potential-credentials-paths/raw.rego
@@ -16,6 +16,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v has: %v as volume with potential credentials access.", [resources.kind, resources.metadata.name, volume.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": [result],
 "failedPaths": [result],
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/alert-rw-hostpath/raw.rego b/rules/alert-rw-hostpath/raw.rego
index 097508309..eeea414e8 100644
--- a/rules/alert-rw-hostpath/raw.rego
+++ b/rules/alert-rw-hostpath/raw.rego
@@ -23,6 +23,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 7,
 "fixPaths": fixed_path,
+ "deletePaths": failed_path,
 "failedPaths": failed_path,
 "alertObject": {
 "k8sApiObjects": [pod]
@@ -51,6 +52,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 7,
 "fixPaths": fixed_path,
+ "deletePaths": failed_path,
 "failedPaths": failed_path,
 "alertObject": {
 "k8sApiObjects": [wl]
@@ -81,6 +83,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 7,
 "fixPaths": fixed_path,
+ "deletePaths": failed_path,
 "failedPaths": failed_path,
 "alertObject": {
 "k8sApiObjects": [wl]
diff --git a/rules/anonymous-requests-to-kubelet-updated/raw.rego b/rules/anonymous-requests-to-kubelet-updated/raw.rego
index cdd3c1177..95cc2e464 100644
--- a/rules/anonymous-requests-to-kubelet-updated/raw.rego
+++ b/rules/anonymous-requests-to-kubelet-updated/raw.rego
@@ -57,6 +57,7 @@ deny[msga] {
 msga := {
 "alertMessage": "Anonymous requests is enabled.",
 "alertScore": 7,
+ "reviewPaths": ["authentication.anonymous.enabled"],
 "failedPaths": ["authentication.anonymous.enabled"],
 "fixPaths": [],
 "packagename": "armo_builtins",
diff --git a/rules/automount-default-service-account/raw.rego b/rules/automount-default-service-account/raw.rego
index e523fef9c..7a2f3b633 100644
--- a/rules/automount-default-service-account/raw.rego
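Review bot: In all three alert-rw-hostpath hunks the finding now carries both `"fixPaths": fixed_path` and `"deletePaths": failed_path`, and nothing states which remediation a consumer should prefer; if `fixed_path` patches the same field that `deletePaths` removes, a tool applying both in sequence would act on a path that no longer exists. The automount-default-service-account hunk and all four automount-service-account hunks follow the same pattern. A comment on the first occurrence, for example `# fixPaths is the preferred remediation; deletePaths lists the same field for consumers that only support deletion`, would pin the intent, assuming that is the intent. The enclosing `deny[msga]` rules start before and end after each hunk, and `fixed_path` / `failed_path` are computed outside it.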
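Review bot: The literal `"authentication.anonymous.enabled"` is now written twice in the anonymous-requests-to-kubelet-updated hunk, once for `reviewPaths` and once for `failedPaths`, so a future change to the path must be made in two places or the two keys drift apart. Binding it once above `msga := {`, e.g. `path := ["authentication.anonymous.enabled"]` followed by `"reviewPaths": path,` and `"failedPaths": path,`, keeps them in lockstep; pick a name not already bound in the rule body, which starts outside the hunk.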
+++ b/rules/automount-default-service-account/raw.rego
@@ -14,6 +14,7 @@ deny [msga]{
 "alertScore": 9,
 "packagename": "armo_builtins",
 "fixPaths": fixed_path,
+ "deletePaths": failed_path,
 "failedPaths": failed_path,
 "alertObject": {
 "k8sApiObjects": [service_account]
diff --git a/rules/automount-service-account/raw.rego b/rules/automount-service-account/raw.rego
index 497374b26..5a5d7a1a1 100644
--- a/rules/automount-service-account/raw.rego
+++ b/rules/automount-service-account/raw.rego
@@ -13,6 +13,7 @@ deny [msga]{
 "alertScore": 9,
 "packagename": "armo_builtins",
 "fixPaths": fixed_path,
+ "deletePaths": failed_path,
 "failedPaths": failed_path,
 "alertObject": {
 "k8sApiObjects": [service_account]
@@ -40,6 +41,7 @@ deny [msga]{
 "alertScore": 9,
 "packagename": "armo_builtins",
 "fixPaths": fixed_path,
+ "deletePaths": failed_path,
 "failedPaths": failed_path,
 "alertObject": {
 "k8sApiObjects": [pod]
@@ -64,6 +66,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 7,
 "fixPaths": fixed_path,
+ "deletePaths": failed_path,
 "failedPaths": failed_path,
 "alertObject": {
 "k8sApiObjects": [wl]
@@ -88,6 +91,7 @@ deny[msga] {
 "packagename": "armo_builtins",
 "alertScore": 7,
 "fixPaths": fixed_path,
+ "deletePaths": failed_path,
 "failedPaths": failed_path,
 "alertObject": {
 "k8sApiObjects": [wl]
diff --git a/rules/cluster-admin-role/raw.rego b/rules/cluster-admin-role/raw.rego
index 306362953..341528abc 100644
--- a/rules/cluster-admin-role/raw.rego
+++ b/rules/cluster-admin-role/raw.rego
@@ -45,6 +45,7 @@ deny[msga] {
 "alertMessage": sprintf("Subject: %s-%s is bound to cluster-admin role", [subjectVector.kind, subjectVector.name]),
 "alertScore": 3,
 "fixPaths": [],
+ "deletePaths": finalpath,
 "failedPaths": finalpath,
 "packagename": "armo_builtins",
 "alertObject": {
diff --git a/rules/configmap-in-default-namespace/raw.rego b/rules/configmap-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/configmap-in-default-namespace/raw.rego
+++ b/rules/configmap-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/container-hostPort/raw.rego b/rules/container-hostPort/raw.rego
index a0ced6b5c..736e42ce9 100644
--- a/rules/container-hostPort/raw.rego
+++ b/rules/container-hostPort/raw.rego
@@ -12,6 +12,7 @@ deny[msga] {
 "alertMessage": sprintf("Container: %v has Host-port", [ container.name]),
 "packagename": "armo_builtins",
 "alertScore": 4,
+ "deletePaths": path,
 "failedPaths": path,
 "fixPaths":[],
 "alertObject": {
@@ -32,6 +33,7 @@ deny[msga] {
 "alertMessage": sprintf("Container: %v in %v: %v has Host-port", [ container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 4,
+ "deletePaths": path,
 "failedPaths": path,
 "fixPaths":[],
 "alertObject": {
@@ -51,6 +53,7 @@ deny[msga] {
 "alertMessage": sprintf("Container: %v in %v: %v has Host-port", [ container.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 4,
+ "deletePaths": path,
 "failedPaths": path,
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/container-image-repository-v1/raw.rego b/rules/container-image-repository-v1/raw.rego
index d1ef5af1a..5c9fed1f4 100644
--- a/rules/container-image-repository-v1/raw.rego
+++ b/rules/container-image-repository-v1/raw.rego
@@ -14,6 +14,7 @@ untrustedImageRepo[msga] {
 "packagename": "armo_builtins",
 "alertScore": 2,
 "fixPaths": [],
+ "reviewPaths": [path],
 "failedPaths": [path],
 "alertObject": {"k8sApiObjects": [wl]},
 }
diff --git a/rules/container-image-repository/raw.rego b/rules/container-image-repository/raw.rego
index e7a1b3ec0..b1f24ab67 100644
--- a/rules/container-image-repository/raw.rego
+++ b/rules/container-image-repository/raw.rego
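Review bot: The index line for configmap-in-default-namespace (`716352f01..de13fc0b6`) is the same pair as the one for csistoragecapacity-in-default-namespace further down, so the two rule files are byte-identical before and after this patch and whatever distinguishes the two resource kinds presumably lives outside the rego. A short comment at the top of each file naming the other as a verbatim copy would make sure future edits, like this `reviewPaths` addition, keep being applied to both. The enclosing `deny[msga]` rule starts before and ends after the hunk, and `failed_path` / `fixed_path` are bound outside it.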
@@ -14,6 +14,7 @@ untrusted_image_repo[msga] {
 "alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]),
 "alertScore": 2,
 "packagename": "armo_builtins",
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "alertObject": {
@@ -35,6 +36,7 @@ untrusted_image_repo[msga] {
 "alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]),
 "alertScore": 2,
 "packagename": "armo_builtins",
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "alertObject": {
@@ -55,6 +57,7 @@ untrusted_image_repo[msga] {
 "alertMessage": sprintf("image '%v' in container '%s' comes from untrusted registry", [image, container.name]),
 "alertScore": 2,
 "packagename": "armo_builtins",
+ "reviewPaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "alertObject": {
diff --git a/rules/containers-mounting-docker-socket/raw.rego b/rules/containers-mounting-docker-socket/raw.rego
index b067d0d63..9c74778af 100644
--- a/rules/containers-mounting-docker-socket/raw.rego
+++ b/rules/containers-mounting-docker-socket/raw.rego
@@ -11,6 +11,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("volume: %v in pod: %v has mounting to Docker internals.", [volume.name, pod.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "alertScore": 5,
@@ -33,6 +34,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("volume: %v in %v: %v has mounting to Docker internals.", [ volume.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "alertScore": 5,
@@ -53,6 +55,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("volume: %v in %v: %v has mounting to Docker internals.", [ volume.name, wl.kind, wl.metadata.name]),
 "packagename": "armo_builtins",
+ "deletePaths": [path],
 "failedPaths": [path],
 "fixPaths":[],
 "alertScore": 5,
diff --git a/rules/csistoragecapacity-in-default-namespace/raw.rego b/rules/csistoragecapacity-in-default-namespace/raw.rego
index 716352f01..de13fc0b6 100644
--- a/rules/csistoragecapacity-in-default-namespace/raw.rego
+++ b/rules/csistoragecapacity-in-default-namespace/raw.rego
@@ -9,6 +9,7 @@ deny[msga] {
 "alertMessage": sprintf("%v: %v is in the 'default' namespace", [resource.kind, resource.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 3,
+ "reviewPaths": failed_path,
 "failedPaths": failed_path,
 "fixPaths": fixed_path,
 "alertObject": {
diff --git a/rules/insecure-capabilities/raw.rego b/rules/insecure-capabilities/raw.rego
index 456dc2355..c7e07f372 100644
--- a/rules/insecure-capabilities/raw.rego
+++ b/rules/insecure-capabilities/raw.rego
@@ -12,6 +12,7 @@ deny[msga] {
 "alertMessage": sprintf("container: %v in pod: %v have dangerous capabilities", [container.name, pod.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": result,
 "failedPaths": result,
 "fixPaths": [],
 "alertObject": {
@@ -31,6 +32,7 @@ deny[msga] {
 "alertMessage": sprintf("container: %v in workload: %v have dangerous capabilities", [container.name, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": result,
 "failedPaths": result,
 "fixPaths": [],
 "alertObject": {
@@ -49,6 +51,7 @@ deny[msga] {
 "alertMessage": sprintf("container: %v in cronjob: %v have dangerous capabilities", [container.name, wl.metadata.name]),
 "packagename": "armo_builtins",
 "alertScore": 7,
+ "deletePaths": result,
 "failedPaths": result,
 "fixPaths": [],
 "alertObject": {