Task#3.1 Rule generation and Identification of insecure practices
shazibulislam opened this issue · 1 comment

RULES and PSEUDOCODE for identifying insecure practices (WORK IN PROGRESS)
```
check_rbac(YAML file as dictionary)
    IsKind(Role or ClusterRole or RoleBinding or ClusterRoleBinding)   # the RBAC objects
    ----> return True
    IsValue(apiVersion starts with rbac.authorization.k8s.io)
    ----> return True
    return False
```

Heuristics: If any of the YAML files in the repository implement RBAC, return True, else False.
```
check_default_namespace(YAML file as dictionary)
    IsKey(metadata.namespace)
    ----> IsValue(metadata.namespace == 'default')
    ----------> defaultNamespace++
    OR
    IsKey(namespace)                      # a namespace key anywhere in the document
    ----> IsValue(namespace == 'default')
    ----------> defaultNamespace++
    # note: an object with no namespace field at all is created in the kubectl
    # context's namespace, which is 'default' unless the user changed it
```
```
check_pod_policy(YAML file as dictionary)
    IsKind(Pod or PodSecurityPolicy)      # for Deployment/DaemonSet/StatefulSet/Job the pod is under spec.template.spec
    ----> IsKey(securityContext)          # per container: spec.containers[].securityContext
    ----------> IsKey(allowPrivilegeEscalation)     # actual field name; Kubernetes defaults it to true when absent
    ---------------> Is(value of allowPrivilegeEscalation True)
    --------------------> privilegeEscalation++
    ---------------> else unspecifiedPrivilegeEscalation++
    ----------> else noSecurityContext++
```
```
check_root_privilege(YAML file as dictionary)
    IsKey(privileged)                     # securityContext.privileged; there is no key named 'privilege'
    ----> Is(value (bool or str) of privileged True)
    ----------> rootPrivilege++
```
```
check_network_policy(YAML file as dictionary)
    IsKind(NetworkPolicy)                 # no kind 'Egress' exists, and kind Ingress is HTTP routing, not a network policy
    ----> return True
    IsKind(NetworkPolicy) AND IsKey(spec.ingress or spec.egress or spec.policyTypes)
    ----> return True
    IsKind(NetworkPolicy) AND IsValue(apiVersion == networking.k8s.io/v1)   # that group also holds Ingress, so apiVersion alone is not enough
    ----> return True
    return False
```

Heuristics: If any of the YAML files in the repository implement a Network Policy, return True, else False.
```
check_update_strategy(YAML file as dictionary)
    IsKey(spec.replicas) AND IsValue(replicas) > 1
    ----> IsKey(spec.strategy)            # Deployment; StatefulSet and DaemonSet use spec.updateStrategy
    --------> IsKey(rollingUpdate) PASS
    --------> IsKey(type)
    --------------> IsValue(type is RollingUpdate) PASS
    --------------> else noRollingUpdate++             # e.g. type: Recreate
    --------> else noRollingUpdate++
    ----> else noRollingUpdate++          # note: a Deployment with no strategy block defaults to RollingUpdate
```
```
check_resource_limit(YAML file as dictionary)
    IsKind(Pod)                           # for workloads look under spec.template.spec
    ----> IsKey(spec.containers)
    --------> for each container: IsKey(resources)
    ------------> IsKey(resources.limits AND resources.requests)   # limits.memory, limits.cpu, requests.memory, requests.cpu
    ----------------> return FALSE
    ----> return TRUE
```

**Heuristics: We assume the flag (No Resource Quota or Limit) to be True**
```
check_no_TLS(YAML file as dictionary)
    IsValue('http://' in a string value of the dictionary)   # match the scheme; the bare substring 'http' also matches https://
    ----> no_TLS++
```
```
Hardcoded (exposed) secret (YAML file as dictionary)
    IsKey(user, password, key)            # key name contains one of these, e.g. DB_PASSWORD; env[] entries carry the name in 'name' and the literal in 'value'
    ----> IsValue(user, password, key)    # a literal value in the file, not valueFrom: secretKeyRef
    --------> userCount++, passwordCount++, keyCount++
    # kind: Secret data: values are base64-encoded, not encrypted
```

Sometimes passwords and keys are not in plaintext but are still exposed.
```
check_network_egress_policy(YAML file as dictionary)
    IsKind(NetworkPolicy) AND IsValue('Egress' in spec.policyTypes)   # there is no kind 'Egress'
    ----> return True
    IsKind(NetworkPolicy) AND IsKey(spec.egress)
    ----> return True
    return False
```

Heuristics: If any of the YAML files in the repository implement Egress, return True, else False.

check_network_egress_policy() needs to be implemented.
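The following is an added example, not code from this issue or from the project, showing how several of the rules above (default namespace, privilege escalation, root privilege, no TLS, hardcoded secrets, egress policy) run over manifests that have already been loaded as dictionaries. It goes beyond the pseudocode in a few places: it looks into the pod template of Deployments and other workloads, reads `env` name/value pairs and `Secret` data, counts `runAsUser: 0` as root, and matches the `http://` scheme rather than the substring `http`. The helper names (`walk`, `containers`, `repo_has_egress_policy`), the `SECRET_WORDS` list and the three sample manifests are assumptions made for this example.

```python
"""Kubernetes manifest checks over files already loaded as dictionaries.
Added example, not code from this issue or the project: each manifest is assumed
to be the dict yaml.safe_load returns; the sample manifests below are constructed."""
from typing import Any, Dict, Iterator, List, Tuple

Manifest = Dict[str, Any]
SECRET_WORDS = ("user", "password", "key", "token")

def walk(node: Any, path: Tuple = ()) -> Iterator[Tuple[Tuple, Any, Any]]:
    """Yield (path, key, value) for every mapping entry, recursing through lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from walk(item, path + (index,))

def containers(m: Manifest) -> List[Dict[str, Any]]:
    """Container specs of a Pod, or of the pod template inside a workload."""
    spec = m.get("spec", {})
    if m.get("kind") != "Pod":  # Deployment, DaemonSet, StatefulSet, Job ...
        spec = spec.get("template", {}).get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))

def check_default_namespace(m: Manifest) -> bool:
    # A missing metadata.namespace is flagged too: kubectl then creates the
    # object in the context's namespace, which is 'default' unless changed.
    return m.get("metadata", {}).get("namespace", "default") == "default"

def check_privilege_escalation(m: Manifest) -> Dict[str, int]:
    """Per-container counts; the real field is allowPrivilegeEscalation (default true)."""
    counts = {"privilegeEscalation": 0, "unspecifiedPrivilegeEscalation": 0, "noSecurityContext": 0}
    for c in containers(m):
        sc = c.get("securityContext")
        if sc is None:
            counts["noSecurityContext"] += 1
        elif "allowPrivilegeEscalation" not in sc:
            counts["unspecifiedPrivilegeEscalation"] += 1
        elif sc["allowPrivilegeEscalation"] is True:
            counts["privilegeEscalation"] += 1
    return counts

def check_root_privilege(m: Manifest) -> int:
    """Count containers that are privileged (field 'privileged') or run as uid 0."""
    contexts = [c.get("securityContext") or {} for c in containers(m)]
    return sum(sc.get("privileged") is True or sc.get("runAsUser") == 0 for sc in contexts)

def check_no_tls(m: Manifest) -> List[Tuple]:
    """Paths of string values holding a plain http:// URL; https:// is not matched."""
    return [path + (key,) for path, key, value in walk(m)
            if isinstance(value, str) and "http://" in value.lower()]

def check_hardcoded_secret(m: Manifest) -> Dict[str, int]:
    """Count secret-looking keys with a literal value, plus base64 Secret data."""
    counts = {**{w: 0 for w in SECRET_WORDS}, "secretData": 0}
    pairs = [(key, value) for _, key, value in walk(m)]
    for c in containers(m):  # env: [{name: DB_PASSWORD, value: ...}]
        pairs += [(e.get("name", ""), e.get("value")) for e in c.get("env", [])]
    for key, value in pairs:  # valueFrom/secretKeyRef carries no literal value
        if isinstance(key, str) and isinstance(value, str) and value:
            for w in SECRET_WORDS:
                if w in key.lower():
                    counts[w] += 1
                    break
    if m.get("kind") == "Secret":  # data: is base64, i.e. encoding, not encryption
        counts["secretData"] += len(m.get("data", {}))
    return counts

def check_network_egress_policy(m: Manifest) -> bool:
    """There is no kind 'Egress'; egress rules live in a NetworkPolicy spec."""
    if m.get("kind") != "NetworkPolicy":
        return False
    spec = m.get("spec", {})
    return "Egress" in spec.get("policyTypes", []) or "egress" in spec

def repo_has_egress_policy(manifests: List[Manifest]) -> bool:
    return any(check_network_egress_policy(m) for m in manifests)

# Constructed sample manifests, in the dict form yaml.safe_load would produce.
POD = {"apiVersion": "v1", "kind": "Pod",
       "metadata": {"name": "web", "namespace": "default"},
       "spec": {"containers": [{"name": "app", "image": "example/app:1.0",
                                "env": [{"name": "DB_PASSWORD", "value": "hunter2"},
                                        {"name": "API_URL", "value": "http://api.internal"},
                                        {"name": "TLS_URL", "value": "https://api.internal"}]}]}}
DEPLOY = {"apiVersion": "apps/v1", "kind": "Deployment",
          "metadata": {"name": "agent", "namespace": "monitoring"},
          "spec": {"replicas": 2, "template": {"spec": {"containers": [
              {"name": "agent", "image": "example/agent:2",
               "securityContext": {"privileged": True, "allowPrivilegeEscalation": True}},
              {"name": "sidecar", "image": "example/side:2", "securityContext": {"runAsUser": 0}}]}}}}
NETPOL = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
          "metadata": {"name": "deny-egress", "namespace": "monitoring"},
          "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": []}}
```

Each check takes one manifest dict, so a repository scan is a loop over every document of every YAML file, with the repository-level heuristics (RBAC, network policy, egress) folded over the per-file results as `repo_has_egress_policy` does. The `env` handling matters in practice: a hardcoded `DB_PASSWORD` lives under the generic keys `name` and `value`, so a key-name scan alone never sees it.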