From 083add30765dcacb80582743a2aa47e46eab9c69 Mon Sep 17 00:00:00 2001 From: sanaayousaf Date: Tue, 22 Nov 2022 11:54:33 +0000 Subject: [PATCH 1/8] added policy to check immutable tags for ecr --- avd_docs/aws/ecr/AVD-AWS-0192/docs.md | 13 ++++++++++ .../kubernetes/general/AVD-KSV-01010/docs.md | 2 +- .../kubernetes/general/AVD-KSV-0107/docs.md | 5 +++- .../kubernetes/general/AVD-KSV-0108/docs.md | 4 +-- .../kubernetes/general/AVD-KSV-0109/docs.md | 2 +- .../aws/ecr/enforce_immutable_repository.rego | 25 +++++++++++++++++++ .../enforce_immutable_repository_test.rego | 11 ++++++++ 7 files changed, 57 insertions(+), 5 deletions(-) create mode 100644 avd_docs/aws/ecr/AVD-AWS-0192/docs.md create mode 100644 internal/rules/policies/cloud/policies/aws/ecr/enforce_immutable_repository.rego create mode 100644 internal/rules/policies/cloud/policies/aws/ecr/enforce_immutable_repository_test.rego diff --git a/avd_docs/aws/ecr/AVD-AWS-0192/docs.md b/avd_docs/aws/ecr/AVD-AWS-0192/docs.md new file mode 100644 index 000000000..dcd9ec324 --- /dev/null +++ b/avd_docs/aws/ecr/AVD-AWS-0192/docs.md @@ -0,0 +1,13 @@ + +Ensures ECR repository image tags cannot be overwritten + +### Impact + + + +{{ remediationActions }} + +### Links +- https://sysdig.com/blog/toctou-tag-mutability/ + + diff --git a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md index 1cee68f20..f69f12cad 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md @@ -2,7 +2,7 @@ Storing sensitive content such as usernames and email addresses in configMaps is unsafe ### Impact -Unsafe storage of sensitive content in configMaps could lead to the information being compromised. + {{ remediationActions }} diff --git a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md index e8258523c..6af76b2a2 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md @@ -1,5 +1,5 @@ -apiVersion and kind has been deprecated +apiVersion '' and kind '' has been deprecated on: '' and planned for removal on:'' ### Impact @@ -7,4 +7,7 @@ apiVersion and kind has been deprecated {{ remediationActions }} +### Links +- + diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md index 8d55a3498..9c1e77234 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md @@ -2,8 +2,8 @@ Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554 ### Impact -Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. -https://www.cvedetails.com/cve/CVE-2020-8554/ + + {{ remediationActions }} diff --git a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md index d215353f0..70bba0fb1 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md @@ -2,7 +2,7 @@ Storing secrets in configMaps is unsafe ### Impact -Unsafe storage of secret content in configMaps could lead to the information being compromised. + {{ remediationActions }} diff --git a/internal/rules/policies/cloud/policies/aws/ecr/enforce_immutable_repository.rego b/internal/rules/policies/cloud/policies/aws/ecr/enforce_immutable_repository.rego new file mode 100644 index 000000000..e55171b50 --- /dev/null +++ b/internal/rules/policies/cloud/policies/aws/ecr/enforce_immutable_repository.rego @@ -0,0 +1,25 @@ +# METADATA +# title: "ECR Repository Tag Immutability" +# description: "Ensures ECR repository image tags cannot be overwritten" +# scope: package +# schemas: +# - input: schema.input +# related_resources: +# - https://sysdig.com/blog/toctou-tag-mutability/ +# custom: +# avd_id: AVD-AWS-0192 +# provider: aws +# service: ecr +# severity: HIGH +# short_code: enforce-immutable-repository +# recommended_action: "Update ECR registry configurations to ensure image tag mutability is set to immutable." +# input: +# selector: +# - type: cloud +package builtin.aws.ecr.aws0192 + +deny[res] { + repo := input.aws.ecr.repositories[_] + not repo.imagetagsimmutable.value + res := result.new("Repository tags are mutable.", repo.imagetagsimmutable) +} \ No newline at end of file diff --git a/internal/rules/policies/cloud/policies/aws/ecr/enforce_immutable_repository_test.rego b/internal/rules/policies/cloud/policies/aws/ecr/enforce_immutable_repository_test.rego new file mode 100644 index 000000000..8b99a7af3 --- /dev/null +++ b/internal/rules/policies/cloud/policies/aws/ecr/enforce_immutable_repository_test.rego @@ -0,0 +1,11 @@ +package builtin.aws.ecr.aws0192 + +test_detects_when_mutable { + r := deny with input as {"aws": {"ecr": {"repositories": [{"imagetagsimmutable": {"value": false}}]}}} + count(r) == 1 +} + +test_when_immutable { + r := deny with input as {"aws": {"ecr": {"repositories": [{"imagetagsimmutable": {"value": true}}]}}} + count(r) == 0 +} \ No newline at end of file From ed54cde49156be74979463bda5d58c493bddd7d7 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:00:47 +0000 Subject: [PATCH 2/8] Update avd_docs/kubernetes/general/AVD-KSV-01010/docs.md --- avd_docs/kubernetes/general/AVD-KSV-01010/docs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md index f69f12cad..1cee68f20 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md @@ -2,7 +2,7 @@ Storing sensitive content such as usernames and email addresses in configMaps is unsafe ### Impact - +Unsafe storage of sensitive content in configMaps could lead to the information being compromised. {{ remediationActions }} From fe5fb9079bf79ef228c37e4a2b22b9c6e4f6cfa5 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:01:21 +0000 Subject: [PATCH 3/8] Update avd_docs/kubernetes/general/AVD-KSV-0107/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0107/docs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md index 6af76b2a2..e7596a0c9 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md @@ -1,5 +1,5 @@ -apiVersion '' and kind '' has been deprecated on: '' and planned for removal on:'' +piVersion and kind has been deprecated ### Impact From d3e697710813eb493aa8111c4493beee4fab2693 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:02:01 +0000 Subject: [PATCH 4/8] Update avd_docs/kubernetes/general/AVD-KSV-0107/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0107/docs.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md index e7596a0c9..cb5f72c4a 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md @@ -7,7 +7,4 @@ piVersion and kind has been deprecated {{ remediationActions }} -### Links -- - From 395cb788c7b86083853f3c4a1d11d23b761f087b Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:02:48 +0000 Subject: [PATCH 5/8] Update avd_docs/kubernetes/general/AVD-KSV-0109/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0109/docs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md index 70bba0fb1..d215353f0 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md @@ -2,7 +2,7 @@ Storing secrets in configMaps is unsafe ### Impact - +Unsafe storage of secret content in configMaps could lead to the information being compromised. {{ remediationActions }} From 7226feabd1b1986df887ed0927adf29bb39b49c8 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:03:26 +0000 Subject: [PATCH 6/8] Update avd_docs/kubernetes/general/AVD-KSV-0107/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0107/docs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md index cb5f72c4a..e8258523c 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md @@ -1,5 +1,5 @@ -piVersion and kind has been deprecated +apiVersion and kind has been deprecated ### Impact From d97e8a876fccfaae1be3e0ff1d5dab52f68000f1 Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:04:12 +0000 Subject: [PATCH 7/8] Update avd_docs/kubernetes/general/AVD-KSV-0108/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0108/docs.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md index 9c1e77234..58feb86a3 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md @@ -2,7 +2,8 @@ Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554 ### Impact - +Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. +https://www.cvedetails.com/cve/CVE-2020-8554/ {{ remediationActions }} From 48e7c9488213b31b049a49fde06c9888f007e84e Mon Sep 17 00:00:00 2001 From: SanaYousaf <78966921+SanaaYousaf@users.noreply.github.com> Date: Fri, 25 Nov 2022 14:04:35 +0000 Subject: [PATCH 8/8] Update avd_docs/kubernetes/general/AVD-KSV-0108/docs.md --- avd_docs/kubernetes/general/AVD-KSV-0108/docs.md | 1 - 1 file changed, 1 deletion(-) diff --git a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md index 58feb86a3..8d55a3498 100644 --- a/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md +++ b/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md @@ -4,7 +4,6 @@ Services with external IP addresses allows direct access from the internet and m ### Impact Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect. https://www.cvedetails.com/cve/CVE-2020-8554/ - {{ remediationActions }}