Merge pull request #581 from kubescape/improve-C-0012

C-0012 add allowed values and keys lists to reduce false positives

default-config-inputs.json

@@ -74,6 +74,8 @@
                 "_key_",
                 "_secret_"
             ],
+            "sensitiveKeyNamesAllowed": [],
+            "sensitiveValuesAllowed": [],
             "servicesNames": [
                 "nifi-service",
                 "argo-server",

rules/rule-credentials-configmap/raw.rego

@@ -12,6 +12,10 @@ deny[msga] {
 
     contains(lower(map_key), lower(key_name))
 
+    # check that value or key weren't allowed by user
+    not is_allowed_value(map_secret)
+    not is_allowed_key_name(map_key)
+
     path := sprintf("data[%v]", [map_key])
 
 	msga := {
@@ -40,6 +44,10 @@ deny[msga] {
 
     regex.match(value , map_secret)
 
+    # check that value or key weren't allowed by user
+    not is_allowed_value(map_secret)
+    not is_allowed_key_name(map_key)
+
     path := sprintf("data[%v]", [map_key])
 
 	msga := {
@@ -70,6 +78,10 @@ deny[msga] {
 
     regex.match(value , decoded_secret)
 
+    # check that value or key weren't allowed by user
+    not is_allowed_value(map_secret)
+    not is_allowed_key_name(map_key)
+
     path := sprintf("data[%v]", [map_key])
 
 	msga := {
@@ -84,3 +96,13 @@ deny[msga] {
 		}
      }
 }
+
+is_allowed_value(value) {
+    allow_val := data.postureControlInputs.sensitiveValuesAllowed[_]
+    regex.match(allow_val , value)
+}
+
+is_allowed_key_name(key_name) {
+    allow_key := data.postureControlInputs.sensitiveKeyNamesAllowed[_]
+    contains(lower(key_name), lower(allow_key))
+}

rules/rule-credentials-configmap/rule.metadata.json

@@ -20,18 +20,30 @@
   "ruleDependencies": [],
   "configInputs": [
     "settings.postureControlInputs.sensitiveValues",
-    "settings.postureControlInputs.sensitiveKeyNames"
+    "settings.postureControlInputs.sensitiveKeyNames",
+    "settings.postureControlInputs.sensitiveValuesAllowed",
+    "settings.postureControlInputs.sensitiveKeyNamesAllowed"
   ],
   "controlConfigInputs": [
     {
       "path": "settings.postureControlInputs.sensitiveValues",
-      "name": "Values",
+      "name": "Sensitive Values",
       "description": "Strings that identify a value that Kubescape believes should be stored in a Secret, and not in a ConfigMap or an environment variable."
     },
+    {
+      "path": "settings.postureControlInputs.sensitiveValuesAllowed",
+      "name": "Allowed Values",
+      "description": "Reduce false positives with known values."
+    },
     {
       "path": "settings.postureControlInputs.sensitiveKeyNames",
-      "name": "Keys",
+      "name": "Sensitive Keys",
       "description": "Key names that identify a potential value that should be stored in a Secret, and not in a ConfigMap or an environment variable."
+    },
+    {
+      "path": "settings.postureControlInputs.sensitiveKeyNamesAllowed",
+      "name": "Allowed Keys",
+      "description": "Reduce false positives with known key names."
     }
   ],
   "description": "fails if ConfigMaps have sensitive information in configuration",

rules/rule-credentials-configmap/test/test-allowed-values-keys/data.json

@@ -0,0 +1,31 @@
+{
+    "postureControlInputs": {
+        "sensitiveKeyNames": [
+            "aws_access_key_id",
+            "aws_secret_access_key",
+            "azure_batchai_storage_account",
+            "azure_batchai_storage_key",
+            "azure_batch_account",
+            "azure_batch_key",
+            "secret",
+            "key",
+            "password",
+            "pwd",
+            "token",
+            "jwt",
+            "bearer",
+            "credential"
+        ],
+        "sensitiveValues": [
+            "BEGIN \\w+ PRIVATE KEY",
+            "PRIVATE KEY",
+            "eyJhbGciO",
+            "JWT",
+            "Bearer",
+            "_key_",
+            "_secret_"
+        ],
+        "sensitiveKeyNamesAllowed": ["_FILE"],
+        "sensitiveValuesAllowed": ["my/secret/file/path"]
+    }
+}

rules/rule-credentials-configmap/test/test-allowed-values-keys/expected.json

@@ -0,0 +1,35 @@
+[{
+    "alertMessage": "this configmap has sensitive information: game-demo",
+    "deletePaths": ["data[aws_access_key_id]"],
+    "failedPaths": ["data[aws_access_key_id]"],
+    "fixPaths": [],
+    "ruleStatus": "",
+    "packagename": "armo_builtins",
+    "alertScore": 9,
+    "alertObject": {
+        "k8sApiObjects": [{
+            "apiVersion": "v1",
+            "kind": "ConfigMap",
+            "metadata": {
+                "name": "game-demo"
+            }
+        }]
+    }
+}, {
+    "alertMessage": "this configmap has sensitive information: game-demo",
+    "deletePaths": ["data[pwd]"],
+    "failedPaths": ["data[pwd]"],
+    "fixPaths": [],
+    "ruleStatus": "",
+    "packagename": "armo_builtins",
+    "alertScore": 9,
+    "alertObject": {
+        "k8sApiObjects": [{
+            "apiVersion": "v1",
+            "kind": "ConfigMap",
+            "metadata": {
+                "name": "game-demo"
+            }
+        }]
+    }
+}]

rules/rule-credentials-configmap/test/test-allowed-values-keys/input/configmap.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: game-demo
+data:
+  # property-like keys; each key maps to a simple value
+  player_initial_lives: "3"
+  ui_properties_file_name: "user-interface.properties"
+  aws_access_key_id: "XXXX"
+  pwd: "hi"
+  aws_access_key_id_file: "/etc/secret-volume/aws"
+  aws_secret: "my/secret/file/path"
+  # file-like keys
+  game.properties: |
+    enemy.types=aliens,monsters
+    player.maximum-lives=5
+  user-interface.properties: |
+    color.good=purple
+    color.bad=yellow
+    allow.textmode=true

rules/rule-credentials-in-env-var/raw.rego

@@ -11,6 +11,9 @@
 
 		contains(lower(env.name), lower(key_name))
 		env.value != ""
+		# check that value or key weren't allowed by user
+    	not is_allowed_value(env.value)
+    	not is_allowed_key_name(env.name)
 
 		is_not_reference(env)
 
@@ -43,6 +46,9 @@
 
 		contains(lower(env.name), lower(key_name))
 		env.value != ""
+		# check that value or key weren't allowed by user
+    	not is_allowed_value(env.value)
+    	not is_allowed_key_name(env.name)
 
 		is_not_reference(env)
 
@@ -72,8 +78,10 @@
 		env := container.env[j]
 
 		contains(lower(env.name), lower(key_name))
-
 		env.value != ""
+		# check that value or key weren't allowed by user
+    	not is_allowed_value(env.value)
+    	not is_allowed_key_name(env.name)
 
 		is_not_reference(env)
 
@@ -104,6 +112,9 @@ deny[msga] {
 		env := container.env[j]
 
 		contains(lower(env.value), lower(value))
+		# check that value or key weren't allowed by user
+    	not is_allowed_value(env.value)
+    	not is_allowed_key_name(env.name)
 
 		is_not_reference(env)
 
@@ -135,6 +146,9 @@ deny[msga] {
 		env := container.env[j]
 
 		contains(lower(env.value), lower(value))
+		# check that value or key weren't allowed by user
+    	not is_allowed_value(env.value)
+    	not is_allowed_key_name(env.name)
 
 		is_not_reference(env)
 
@@ -164,6 +178,9 @@ deny[msga] {
 		env := container.env[j]
 
 		contains(lower(env.value), lower(value))
+		# check that value or key weren't allowed by user
+    	not is_allowed_value(env.value)
+    	not is_allowed_key_name(env.name)
 
 		is_not_reference(env)
 
@@ -189,3 +206,13 @@ is_not_reference(env)
 	not env.valueFrom.secretKeyRef
 	not env.valueFrom.configMapKeyRef
 }
+
+is_allowed_value(value) {
+    allow_val := data.postureControlInputs.sensitiveValuesAllowed[_]
+    regex.match(allow_val , value)
+}
+
+is_allowed_key_name(key_name) {
+    allow_key := data.postureControlInputs.sensitiveKeyNamesAllowed[_]
+    contains(lower(key_name), lower(allow_key))
+}

rules/rule-credentials-in-env-var/rule.metadata.json

@@ -46,18 +46,30 @@
   "ruleDependencies": [],
   "configInputs": [
     "settings.postureControlInputs.sensitiveValues",
-    "settings.postureControlInputs.sensitiveKeyNames"
+    "settings.postureControlInputs.sensitiveKeyNames",
+    "settings.postureControlInputs.sensitiveValuesAllowed",
+    "settings.postureControlInputs.sensitiveKeyNamesAllowed"
   ],
   "controlConfigInputs": [
     {
       "path": "settings.postureControlInputs.sensitiveValues",
-      "name": "Values",
+      "name": "Sensitive Values",
       "description": "Strings that identify a value that Kubescape believes should be stored in a Secret, and not in a ConfigMap or an environment variable."
     },
+    {
+      "path": "settings.postureControlInputs.sensitiveValuesAllowed",
+      "name": "Allowed Values",
+      "description": "Reduce false positives with known values."
+    },
     {
       "path": "settings.postureControlInputs.sensitiveKeyNames",
-      "name": "Keys",
+      "name": "Sensitive Keys",
       "description": "Key names that identify a potential value that should be stored in a Secret, and not in a ConfigMap or an environment variable."
+    },
+    {
+      "path": "settings.postureControlInputs.sensitiveKeyNamesAllowed",
+      "name": "Allowed Keys",
+      "description": "Reduce false positives with known key names."
     }
   ],
   "description": "fails if Pods have sensitive information in configuration",

rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/data.json

@@ -0,0 +1,31 @@
+{
+    "postureControlInputs": {
+        "sensitiveKeyNames": [
+            "aws_access_key_id",
+            "aws_secret_access_key",
+            "azure_batchai_storage_account",
+            "azure_batchai_storage_key",
+            "azure_batch_account",
+            "azure_batch_key",
+            "secret",
+            "key",
+            "password",
+            "pwd",
+            "token",
+            "jwt",
+            "bearer",
+            "credential"
+        ],
+        "sensitiveValues": [
+            "BEGIN \\w+ PRIVATE KEY",
+            "PRIVATE KEY",
+            "eyJhbGciO",
+            "JWT",
+            "Bearer",
+            "_key_",
+            "_secret_"
+        ],
+        "sensitiveKeyNamesAllowed": ["_FILE"],
+        "sensitiveValuesAllowed": ["my/secret/file/path"]
+    }
+}

rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/expected.json

@@ -0,0 +1,31 @@
+[
+    {
+        "alertMessage": "Pod: audit-pod has sensitive information in environment variables",
+        "deletePaths": [
+            "spec.containers[0].env[1].name",
+            "spec.containers[0].env[1].value"
+        ],
+        "failedPaths": [
+            "spec.containers[0].env[1].name",
+            "spec.containers[0].env[1].value"
+        ],
+        "fixPaths": [],
+        "ruleStatus": "",
+        "packagename": "armo_builtins",
+        "alertScore": 9,
+        "alertObject": {
+            "k8sApiObjects": [
+                {
+                    "apiVersion": "v1",
+                    "kind": "Pod",
+                    "metadata": {
+                        "labels": {
+                            "app": "audit-pod"
+                        },
+                        "name": "audit-pod"
+                    }
+                }
+            ]
+        }
+    }
+]

rules/rule-credentials-in-env-var/test/pod-allowed-values-keys/input/pod.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: audit-pod
+  labels:
+    app: audit-pod
+spec:
+  containers:
+  - name: test-container
+    env :
+      - name : random
+        value : "Hello from the environment"
+      - name: some-name
+        value: my_key_value
+    image: hashicorp/http-echo:0.2.3
+    securityContext:
+      allowPrivilegeEscalation: true
+  - name : test-container2
+    env :
+      - name : random
+        value : "Hello from the environment"
+      - name: AWS_TOKEN_FILE
+        value: /etc/secret-volume/aws
+      - name: my_password
+        value: my/secret/file/path
+    image : hashicorp/http-echo:0.2.3