
feat(cloud): add kubernetes-allow-privilege-escalation-no-securitycon… #9738

Open
wants to merge 1 commit into base: main

Conversation

dwisiswant0
Contributor

…text

Template / PR Information

  • Fixed CVE-2020-XXX / Added CVE-2020-XXX / Updated CVE-2020-XXX
  • References:

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Additional References:

…text

Signed-off-by: Dwi Siswanto <git@dw1.io>
@GeorginaReeder

Thanks for your contribution @dwisiswant0 !

@princechaddha
Member

princechaddha commented May 19, 2024

@dwisiswant0 The template was not showing the results earlier. I made a few minor changes and validated them locally. Can you update the template without the digest?

id: k8s-exposing-docker-socket

info:
  name: Kubernetes Exposing Host's Docker Socket
  author: dwisiswant0
  severity: high
  description: Exposing host's Docker socket to containers via a volume.
  impact: |
    The owner of this socket is root. Giving someone access to it is equivalent
    to giving unrestricted root access to your host.
  remediation: Remove 'docker.sock' from hostpath to prevent this.
  reference:
    - https://kubernetes.io/docs/concepts/storage/volumes/#hostpath
    - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
    - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
    - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers
  tags: cloud,devops,kubernetes,k8s,devsecops

flow: |
  code(1);
  for (let pod of template.items) {
    pod = JSON.parse(pod);
    if (!pod.spec.hasOwnProperty('volumes')) continue;
    for (const volume of pod.spec.volumes) {
      if (volume.hasOwnProperty('hostPath')) {
        if (!volume.hostPath.hasOwnProperty('path')) continue;
        const path = volume.hostPath.path;
        if (path && path !== '/var/run/docker.sock') continue;
        set('volume', JSON.stringify(volume));
        set('pod', pod.metadata.name);
        set('namespace', pod.metadata.namespace);
        code(2)
      }
    }
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: kubectl get pods --all-namespaces --output=json
    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[]'

  - engine:
      - sh
      - bash
    source: echo -e $volume

    matchers:
      - type: word
        words:
          - "/var/run/docker.sock"

    extractors:
      - type: dsl
        dsl:
          - '"Exposed Docker socket via a volume in the " + pod + " pod of " + namespace + " namespace"'
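The check the template's `flow` block performs, rewritten as a stand-alone script that can be run over saved `kubectl get pods --all-namespaces --output=json` output. This is an added example, not code from the PR or from nuclei-templates; the sample pod list below is constructed, and it goes slightly beyond the template by also matching `/run/docker.sock` (the same socket on hosts where `/var/run` is a symlink to `/run`) and by ignoring a trailing slash on the hostPath.

```javascript
// Added example: detect pods that mount the host's Docker socket via a hostPath volume.
// Paths treated as the Docker daemon socket (assumption: /var/run is a symlink to /run).
const DOCKER_SOCKET_PATHS = new Set(['/var/run/docker.sock', '/run/docker.sock']);

// Strip trailing slashes so '/var/run/docker.sock/' still matches.
function normalizePath(p) {
  return p.replace(/\/+$/, '') || '/';
}

// Walk a PodList (the shape `kubectl get pods -o json` returns) and return one
// finding per hostPath volume whose path is the Docker socket.
function findDockerSocketMounts(podList) {
  const findings = [];
  for (const pod of podList.items || []) {
    const volumes = (pod.spec && pod.spec.volumes) || []; // pods may have no volumes key
    for (const volume of volumes) {
      const hostPath = volume.hostPath;
      if (!hostPath || typeof hostPath.path !== 'string') continue; // not a hostPath volume
      if (!DOCKER_SOCKET_PATHS.has(normalizePath(hostPath.path))) continue;
      findings.push({
        namespace: pod.metadata.namespace,
        pod: pod.metadata.name,
        volume: volume.name,
        path: hostPath.path,
      });
    }
  }
  return findings;
}

// Constructed sample PodList: one pod exposes the socket, one mounts a harmless
// host directory, one has no volumes at all.
const SAMPLE_POD_LIST = {
  items: [
    {
      metadata: { name: 'ci-runner', namespace: 'build' },
      spec: { volumes: [
        { name: 'dockersock', hostPath: { path: '/var/run/docker.sock', type: 'Socket' } },
        { name: 'cache', emptyDir: {} },
      ] },
    },
    {
      metadata: { name: 'web', namespace: 'default' },
      spec: { volumes: [{ name: 'logs', hostPath: { path: '/var/log' } }] },
    },
    { metadata: { name: 'no-volumes', namespace: 'default' }, spec: {} },
  ],
};

for (const f of findDockerSocketMounts(SAMPLE_POD_LIST)) {
  console.log(`Exposed Docker socket via volume ${f.volume} in the ${f.pod} pod of ${f.namespace} namespace`);
}
```

To run it against a live cluster, replace `SAMPLE_POD_LIST` with `JSON.parse(require('fs').readFileSync('pods.json', 'utf8'))` where `pods.json` holds the kubectl output.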
