From c0d8eb63182a776d2481b65851f501ac1c53dd2c Mon Sep 17 00:00:00 2001
From: Robert Brennan
Date: Tue, 31 Aug 2021 11:40:47 -0400
Subject: [PATCH] handle case-insensitivity for capabilities (#619)
* handle lowercase letters in ALL for capabilities
* change all caps to regexp
* revert file
---
 checks/dangerousCapabilities.yaml | 6 ++--
 checks/insecureCapabilities.yaml | 32 +++++++++----------
 .../failure.all-caps.yaml | 13 ++++++++
 .../dangerousCapabilities/failure.case.yaml | 14 ++++++++
 .../checks/dangerousCapabilities/success.yaml | 3 +-
 .../insecureCapabilities/success.all.yaml | 14 ++++++++
 .../insecureCapabilities/success.case.yaml | 29 +++++++++++++++++
 7 files changed, 90 insertions(+), 21 deletions(-)
 create mode 100644 test/checks/dangerousCapabilities/failure.all-caps.yaml
 create mode 100644 test/checks/dangerousCapabilities/failure.case.yaml
 create mode 100644 test/checks/insecureCapabilities/success.all.yaml
 create mode 100644 test/checks/insecureCapabilities/success.case.yaml
diff --git a/checks/dangerousCapabilities.yaml b/checks/dangerousCapabilities.yaml
index a4d1517ee..f2bd6d658 100644
--- a/checks/dangerousCapabilities.yaml
+++ b/checks/dangerousCapabilities.yaml
@@ -17,10 +17,10 @@ schema:
 allOf:
 - not:
 contains:
- const: ALL
+ pattern: '^(?i)ALL$'
 - not:
 contains:
- const: SYS_ADMIN
+ pattern: '^(?i)SYS_ADMIN$'
 - not:
 contains:
- const: NET_ADMIN
+ pattern: '^(?i)NET_ADMIN$'
diff --git a/checks/insecureCapabilities.yaml b/checks/insecureCapabilities.yaml
index 8f6b1713f..d9ec436dd 100644
--- a/checks/insecureCapabilities.yaml
+++ b/checks/insecureCapabilities.yaml
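Review bot: The new `pattern: '^(?i)ALL$'` (and the SYS_ADMIN and NET_ADMIN lines below it, plus every `pattern:` line in the checks/insecureCapabilities.yaml hunk) depends on an inline `(?i)` flag group, which the ECMA-262 regex dialect that JSON Schema nominally specifies does not accept; it only works because the validator presumably compiles patterns with Go's regexp package, so these policy files are no longer portable to other schema validators. Where inline flags are supported at all, the flag at the very start, `pattern: '(?i)^ALL$'`, is the more widely accepted spelling (Go takes both; Python rejects a global flag that is not at the start from 3.11 on), so it is the safer form if the checks are ever reused outside this tool. A one-line comment above the `allOf`, such as `# case-insensitive: container runtimes normalise capability names, so 'all' is treated like 'ALL'`, would record why `const` became a regex. The enclosing `schema:` mapping starts above the hunk.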
@@ -22,35 +22,35 @@ schema:
 type: array
 oneOf:
 - contains:
- const: ALL
+ pattern: '^(?i)ALL$'
 - allOf:
 - contains:
- const: NET_ADMIN
+ pattern: '^(?i)NET_ADMIN$'
 - contains:
- const: CHOWN
+ pattern: '^(?i)CHOWN$'
 - contains:
- const: DAC_OVERRIDE
+ pattern: '^(?i)DAC_OVERRIDE$'
 - contains:
- const: FSETID
+ pattern: '^(?i)FSETID$'
 - contains:
- const: FOWNER
+ pattern: '^(?i)FOWNER$'
 - contains:
- const: MKNOD
+ pattern: '^(?i)MKNOD$'
 - contains:
- const: NET_RAW
+ pattern: '^(?i)NET_RAW$'
 - contains:
- const: SETGID
+ pattern: '^(?i)SETGID$'
 - contains:
- const: SETUID
+ pattern: '^(?i)SETUID$'
 - contains:
- const: SETFCAP
+ pattern: '^(?i)SETFCAP$'
 - contains:
- const: SETPCAP
+ pattern: '^(?i)SETPCAP$'
 - contains:
- const: NET_BIND_SERVICE
+ pattern: '^(?i)NET_BIND_SERVICE$'
 - contains:
- const: SYS_CHROOT
+ pattern: '^(?i)SYS_CHROOT$'
 - contains:
- const: KILL
+ pattern: '^(?i)KILL$'
 - contains:
- const: AUDIT_WRITE
\ No newline at end of file
+ pattern: '^(?i)AUDIT_WRITE$'
diff --git a/test/checks/dangerousCapabilities/failure.all-caps.yaml b/test/checks/dangerousCapabilities/failure.all-caps.yaml
new file mode 100644
index 000000000..c6144fc47
--- /dev/null
+++ b/test/checks/dangerousCapabilities/failure.all-caps.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ labels:
+ app.kubernetes.io/name: nginx
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ capabilities:
+ add: ["all"]
diff --git a/test/checks/dangerousCapabilities/failure.case.yaml b/test/checks/dangerousCapabilities/failure.case.yaml
new file mode 100644
index 000000000..464699dcc
--- /dev/null
+++ b/test/checks/dangerousCapabilities/failure.case.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ labels:
+ app.kubernetes.io/name: nginx
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ capabilities:
+ add:
+ - nEt_aDmIn
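Review bot: Every `contains:` in this hunk now holds only a `pattern`, and JSON Schema evaluates `pattern` for string instances only, so a non-string element in `drop` (a bare `true` or a number) satisfies all sixteen `contains` clauses at once, whereas the old `const: NET_ADMIN` form matched nothing but that string. Pair each regex with a type guard, e.g. `contains:` / `type: string` / `pattern: '^(?i)NET_ADMIN$'`, to keep the old semantics. The exposure is small because the API server rejects non-string capability names anyway, but a lint check should not pass on such input. The three `not: contains:` entries in checks/dangerousCapabilities.yaml have the mirror-image effect (a non-string element now fails that check instead of being ignored) and want the same `type: string` line.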
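Review bot: `failure.all-caps.yaml` exercises `add: ["all"]`, the lowercase spelling, so the file name states the opposite of what the fixture tests; `failure.all-lowercase.yaml`, alongside `failure.case.yaml`, would read correctly. The fixture also uses flow style `["all"]` while the neighbouring fixtures write the capability list as a block sequence; consistent block style keeps the test files diffable.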
diff --git a/test/checks/dangerousCapabilities/success.yaml b/test/checks/dangerousCapabilities/success.yaml
index 9c823f258..203188eae 100644
--- a/test/checks/dangerousCapabilities/success.yaml
+++ b/test/checks/dangerousCapabilities/success.yaml
@@ -6,9 +6,8 @@ metadata:
 app.kubernetes.io/name: nginx
 spec:
 containers:
- - name: nginx
+ - name: nginx
 image: nginx
 securityContext:
 capabilities:
 add:
-
\ No newline at end of file
diff --git a/test/checks/insecureCapabilities/success.all.yaml b/test/checks/insecureCapabilities/success.all.yaml
new file mode 100644
index 000000000..6491089ef
--- /dev/null
+++ b/test/checks/insecureCapabilities/success.all.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ labels:
+ env: test
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ capabilities:
+ drop:
+ - All
diff --git a/test/checks/insecureCapabilities/success.case.yaml b/test/checks/insecureCapabilities/success.case.yaml
new file mode 100644
index 000000000..eee487b8e
--- /dev/null
+++ b/test/checks/insecureCapabilities/success.case.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx
+ labels:
+ env: test
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ securityContext:
+ capabilities:
+ drop:
+ - net_admin
+ - ChOwN
+ - DaC_OverriDE
+ - fsetid
+ - FOWNER
+ - MKNOD
+ - NET_RAW
+ - SETGID
+ - SETUID
+ - SETFCAP
+ - SETPCAP
+ - NET_BIND_SERVICE
+ - SYS_CHROOT
+ - KILL
+ - AUDIT_WRITE
+