From 485be38b87db4f8b67dd4b1bda4b1da0c142457e Mon Sep 17 00:00:00 2001 From: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> Date: Tue, 3 Dec 2024 16:25:11 +0100 Subject: [PATCH] Modify rule S6868: Make S6868 a Security Hotspot (#4340) Co-authored-by: Jonas Wielage --- rules/S6868/ansible/rule.adoc | 23 ++++++----------------- rules/S6868/kubernetes/description.adoc | 18 +++++++----------- rules/S6868/kubernetes/resources.adoc | 10 +--------- rules/S6868/kubernetes/rule.adoc | 22 +++++----------------- rules/S6868/metadata.json | 2 +- 5 files changed, 20 insertions(+), 55 deletions(-) diff --git a/rules/S6868/ansible/rule.adoc b/rules/S6868/ansible/rule.adoc index ca9f155a855..2aa7f64656e 100644 --- a/rules/S6868/ansible/rule.adoc +++ b/rules/S6868/ansible/rule.adoc @@ -1,14 +1,11 @@ include::../kubernetes/description.adoc[] -== How to fix it -=== Code examples +== Sensitive Code Example -==== Noncompliant code example - -[source,yaml,diff-id=1,diff-type=noncompliant] +[source,yaml] ---- -- name: Noncompliant example task +- name: Sensitive example task kubernetes.core.k8s: state: present definition: @@ -22,13 +19,13 @@ include::../kubernetes/description.adoc[] resources: ["pods"] verbs: ["get"] - apiGroups: [""] - resources: ["pods/exec"] # Noncompliant + resources: ["pods/exec"] # Sensitive verbs: ["create"] ---- -==== Compliant solution +== Compliant Solution -[source,yaml,diff-id=1,diff-type=compliant] +[source,yaml] ---- - name: Compliant example task kubernetes.core.k8s: @@ -45,14 +42,6 @@ include::../kubernetes/description.adoc[] verbs: ["get"] ---- -=== How does this work? - -The `exec` permissions are set by allowing the `create` verb for the `pods/exec` resource. Removing this permission will prevent users and services from executing arbitrary commands within containers. - -//=== Pitfalls - -//=== Going the extra mile - include::../kubernetes/resources.adoc[] 
diff --git a/rules/S6868/kubernetes/description.adoc b/rules/S6868/kubernetes/description.adoc index 12c1691bf0c..99bd52f1313 100644 --- a/rules/S6868/kubernetes/description.adoc +++ b/rules/S6868/kubernetes/description.adoc 
@@ -1,19 +1,15 @@ -== Why is this an issue? - Allowing command execution (exec) for roles in a Kubernetes cluster can pose a significant security risk. This is because it provides the user with the ability to execute arbitrary commands within a container, potentially leading to unauthorized access or data breaches. In a production Kubernetes cluster, exec permissions are typically unnecessary due to the principle of least privilege, which suggests that a user or process should only have the minimum permissions necessary to perform its function. Additionally, containers in production are often treated as immutable infrastructure, meaning they should not be changed once deployed. Any changes should be made to the container image, which is then used to deploy a new container. -=== What is the potential impact? - -==== Exploiting Vulnerabilities Within the Container - -If a user or service has the ability to execute commands within a container, they could potentially identify and exploit vulnerabilities within the container's software. This could include exploiting known vulnerabilities in outdated software versions, or finding and exploiting new vulnerabilities. This could lead to unauthorized access to the container, allowing the attacker to manipulate its operations or access its data. +== Ask Yourself Whether -==== Installing Malicious Software +* This role is given to people who are not administrators of the Kubernetes cluster. -Command execution permissions could also be used to install malicious software within a container. This could include malware, spyware, ransomware, or other types of harmful software. Once installed, this software could cause a wide range of issues, from data corruption or loss, to providing a backdoor for further attacks. It could also be used to create a botnet, using the compromised container to launch attacks on other systems. +There is a risk if you answered yes to this question. 
-==== Extracting Sensitive Data +== Recommended Secure Coding Practices -If an attacker has the ability to execute commands within a container, they could potentially access and extract sensitive data. This could include user data, confidential business information, or other types of sensitive data. The extracted data could then be used for a wide range of malicious purposes, from identity theft to corporate espionage. This could lead to significant financial loss, damage to reputation, and potential legal consequences. +Disable exec privileges for this role. +The `exec` permissions are set by allowing the `create` verb for the `pods/exec` resource. +Removing this permission will prevent users and services from executing arbitrary commands within containers. diff --git a/rules/S6868/kubernetes/resources.adoc b/rules/S6868/kubernetes/resources.adoc index 8bec4b85c2c..118784f2afe 100644 --- a/rules/S6868/kubernetes/resources.adoc +++ b/rules/S6868/kubernetes/resources.adoc @@ -1,12 +1,4 @@ -== Resources -=== Documentation +== See * Kubernetes Documentation - https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/[Get a Shell to a Running Container] - -//=== Articles & blog posts -//=== Conference presentations -=== Standards * CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control] - -//=== External coding guidelines -//=== Benchmarks diff --git a/rules/S6868/kubernetes/rule.adoc b/rules/S6868/kubernetes/rule.adoc index 6d8d3abbea3..8b0b14997d9 100644 --- a/rules/S6868/kubernetes/rule.adoc +++ b/rules/S6868/kubernetes/rule.adoc @@ -1,12 +1,8 @@ include::description.adoc[] -== How to fix it +== Sensitive Code Example -=== Code examples - -==== Noncompliant code example - -[source,yaml,diff-id=1,diff-type=noncompliant] +[source,yaml] ---- apiVersion: rbac.authorization.k8s.io/v1 kind: Role 
@@ -18,13 +14,13 @@ rules: resources: ["pods"] verbs: ["get"] - apiGroups: [""] - resources: ["pods/exec"] # Noncompliant + resources: ["pods/exec"] # Sensitive verbs: ["create"] ---- -==== Compliant solution +== Compliant Solution -[source,yaml,diff-id=1,diff-type=compliant] +[source,yaml] ---- apiVersion: rbac.authorization.k8s.io/v1 kind: Role @@ -37,14 +33,6 @@ rules: verbs: ["get"] ---- -=== How does this work? - -The `exec` permissions are set by allowing the `create` verb for the `pods/exec` resource. Removing this permission will prevent users and services from executing arbitrary commands within containers. - -//=== Pitfalls - -//=== Going the extra mile - include::resources.adoc[] diff --git a/rules/S6868/metadata.json b/rules/S6868/metadata.json index 2d7baf87744..b166b1e4452 100644 --- a/rules/S6868/metadata.json +++ b/rules/S6868/metadata.json @@ -1,6 +1,6 @@ { "title": "Allowing command execution is security sensitive", - "type": "VULNERABILITY", + "type": "SECURITY_HOTSPOT", "status": "ready", "remediation": { "func": "Constant\/Issue",
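Review bot: in rules/S6868/ansible/rule.adoc, dropping the `=== How does this work?` section is fine only because the same sentence about the `create` verb on `pods/exec` reappears in kubernetes/description.adoc, which this file pulls in through `include::../kubernetes/description.adoc[]`; the two hunks should land together, otherwise the Ansible rule loses its explanation. The renamed headings (`== Sensitive Code Example`, `== Compliant Solution`), the task rename to `Sensitive example task` and the `# Sensitive` marker are consistent with each other. One thing to confirm: both `[source,yaml]` blocks lose their `diff-id=1,diff-type=...` attributes, so the pair will no longer be linked as a before/after diff; if that is intended for hotspot examples, fine, but it is worth a line in the PR description.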
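Review bot: in rules/S6868/kubernetes/description.adoc, the new `== Ask Yourself Whether` list has a single item about people who are not administrators, while the unchanged intro and the new `Recommended Secure Coding Practices` text both talk about "users and services" executing commands; a second question covering non-human bindings would close that gap, e.g. `* This role is bound to a service account used by workloads or automation.`, with the trailing sentence changed to `There is a risk if you answered yes to any of those questions.` Minor wording: `Disable exec privileges for this role.` is followed by a sentence about `exec` "permissions"; pick one term for both.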
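Review bot: in rules/S6868/kubernetes/resources.adoc, the new `== See` list keeps only the kubectl "Get a Shell to a Running Container" page and CWE-284, but the fix the rule now recommends is editing RBAC rules (removing the `create` verb on `pods/exec`), and no RBAC reference survives the rewrite; adding the Kubernetes RBAC documentation (https://kubernetes.io/docs/reference/access-authn-authz/rbac/) as a second documentation bullet would point readers at the thing they actually have to change. Removing the commented-out placeholder sections is fine.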
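Review bot: in rules/S6868/kubernetes/rule.adoc, the change mirrors the Ansible file and keeps the `# Sensitive` marker on `resources: ["pods/exec"]`, while the description says the permission is granted by the `create` verb on that resource, which is on the following line; since the compliant example differs only by dropping that whole `apiGroups`/`resources`/`verbs` entry, the analyzer's reported location should cover the rule entry (resource plus verb) rather than the resource line alone, so double-check the implementation highlights the same place the example marks.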
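Review bot: in rules/S6868/metadata.json, only `"type"` changes from `VULNERABILITY` to `SECURITY_HOTSPOT`, and the context line shows the title already read "Allowing command execution is security sensitive", so title and type are now consistent; the rest of the file (tags, quality-profile membership, any security-standard mappings) is outside this hunk, so please confirm nothing else there assumes the vulnerability type.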