paser-group/KubeSec

Task#3.1 Rule generation and Identification of insecure practices

shazibulislam opened this issue · 1 comments

RULES and PSEUDOCODE for identifying insecure practices (WORK IN PROGRESS)

  1. check_rbac(YAML file as dictionary)
    Is(RBAC objects in value of dictionary) return True else False
    Heuristics: If any of the YAML files in the repository implement RBAC return True else False

  2. check_default_namespace(YAML file as dictionary)
    --> Is(dictionary['metadata']['namespace']) == 'default'
    ------> defaultNamespace++
    OR
    --> IsKey(namespace)
    ------>IsValue(namespace is 'default')
    ------------>defaultNamespace++

  3. check_pod_policy(YAML file as dictionary)

    IsKind(Pod or PodSecurityPolicy)
    ----->IsKey(securityContext)
    ----------> IsKey(privilegeEscalation)
    ---------------> Is(value of privilegeEscalation True)
    --------------------> privilegeEscalation++
    ---------------> else unspecifiedPrivilegeEscalation++
    ----------> else noSecurityContext++

  4. check_root_privilege(YAML file as dictionary)
    IsKey(privilege)
    ---->Is(value(bool or str) of privilege True)
    ----------> rootPrivilege++

  5. check_network_policy(YAML file as dictionary)
    IsKind(NetworkPolicy or Ingress or Egress)
    ---->return True else False
    IsKey(Ingress or Egress)
    ---->return True else False
    IsValue(NetworkPolicyAPIversion)
    ---->return True else False
    Heuristics: If any of the YAML files in the repository implement Network Policy return True else False

  6. check_update_strategy(YAML file as dictionary)
    IsKey(replica) AND IsValue(replica)>1
    ----> IsKey(Strategy)
    -------->IsKey(RollingUpdate) PASS
    -------->IsKey(StrategyType)
    -------------->IsValue(StrategyType is RollingUpdate) PASS
    -------------->noRollingUpdate++
    --------->noRollingUpdate++
    ---->noRollingUpdate++

  7. check_resource_limit(YAML file as dictionary)
    IsKind(Pod)
    --->IsKey(Spec AND Container)
    ------->IsKey(LimitResources)
    ----------->IsKey(LimitMemory AND LimitRequests)
    ---------------> return FALSE
    ---->return TRUE
    **Heuristics: We assume the flag (No Resource Quota or Limit) to be True**

  8. check_no_TLS(YAML file as dictionary)
    IsValue('http' in dictionary values)
    ---> no_TLS++

  9. Hardcoded(Exposed) Secret (YAML file as dictionary)
    IsKey(user,password,key)
    ---->IsValue(user,password,key)
    --------->userCount++, passwordCount++,keyCount++
    Sometimes passwords and keys are not in plaintext but are still exposed

  10. check_network_egress_policy(YAML file as dictionary)
    IsKind(Egress)
    ---->return True
    IsKey(Egress) AND IsKind(NetworkPolicy)
    ---->return True
    return False

Heuristics: If any of the YAML files in the repository implement Egress then True else False
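As an added example (not KubeSec project code), the per-manifest rules above (2, 3, 4, 7, 8 and 9) written out in Python against the dict that `yaml.safe_load()` returns for one Kubernetes document. The sample manifests are constructed for this example. Where the pseudocode uses shorthand, the code uses the real Kubernetes field names (`allowPrivilegeEscalation` and `privileged` under `securityContext`, `resources.limits` and `resources.requests`); "LimitMemory AND LimitRequests" is read as "both limits and requests present"; rule 8 looks for the `http://` scheme rather than the substring `http`, which would also match `https`; and rule 9 counts inline `env` values and `Secret.data` (base64 is encoding, not encryption) while skipping `secretKeyRef` references, which name a secret rather than contain one. `SECRET_KEY_HINTS` is an assumed list.

```python
# Added example, not KubeSec project code: the per-manifest checks sketched in the
# issue above, run on the dict that yaml.safe_load() returns for one Kubernetes
# document. Field names follow the Kubernetes API (allowPrivilegeEscalation, privileged).
# Key/env-name fragments that suggest a credential (assumed list, extend as needed).
SECRET_KEY_HINTS = ("user", "password", "passwd", "secret", "token", "key")
# Constructed sample manifests with the shape of yaml.safe_load() output.
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {"containers": [{
        "name": "app", "image": "example/app:1.0",
        "securityContext": {"allowPrivilegeEscalation": True, "privileged": "True"},
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
        "args": ["--upstream=http://backend.internal"]}]}}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo", "namespace": "payments"},
    "spec": {"containers": [{
        "name": "app", "image": "example/app:1.0",
        "securityContext": {"allowPrivilegeEscalation": False, "privileged": False},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"},
                      "requests": {"cpu": "100m", "memory": "128Mi"}},
        "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
        "args": ["--upstream=https://backend.internal"]}]}}
COMMITTED_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "db", "namespace": "payments"},
    "data": {"password": "aHVudGVyMg=="}}  # base64 is encoding, not encryption

def walk(node, path=""):
    """Yield (dotted path, value) for every scalar in a nested dict/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node

def containers(manifest):
    """Containers of a Pod, or of the pod template inside a Deployment/StatefulSet/Job."""
    spec = manifest.get("spec") or {}
    if "template" in spec:
        spec = spec["template"].get("spec") or {}
    return list(spec.get("containers") or []) + list(spec.get("initContainers") or [])

def is_true(value):  # the pseudocode accepts a bool or a string
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")

def check_default_namespace(manifest):
    # Explicit 'default' only, as in the pseudocode; a missing namespace lands there too.
    return (manifest.get("metadata") or {}).get("namespace") == "default"

def check_pod_policy(manifest):
    counts = {"privilegeEscalation": 0, "unspecifiedPrivilegeEscalation": 0, "noSecurityContext": 0}
    for c in containers(manifest):
        sc = c.get("securityContext")
        if sc is None:
            counts["noSecurityContext"] += 1
        elif "allowPrivilegeEscalation" not in sc:
            counts["unspecifiedPrivilegeEscalation"] += 1
        elif is_true(sc["allowPrivilegeEscalation"]):
            counts["privilegeEscalation"] += 1
    return counts

def check_root_privilege(manifest):  # privileged: true anywhere (pod or container context)
    return sum(1 for p, v in walk(manifest) if p.endswith(".privileged") and is_true(v))

def check_resource_limit(manifest):
    """Names of containers missing resources.limits or resources.requests."""
    res = {c.get("name", "<unnamed>"): c.get("resources") or {} for c in containers(manifest)}
    return [name for name, r in res.items() if not r.get("limits") or not r.get("requests")]

def check_no_tls(manifest):  # 'http://' rather than 'http', which would also match https
    return [p for p, v in walk(manifest) if isinstance(v, str) and "http://" in v.lower()]

def check_hardcoded_secret(manifest):
    """Credential-looking literals: hinted keys, inline env values, Secret data (base64 != encrypted)."""
    hits = [p for p, v in walk(manifest) if isinstance(v, str) and v
            and "secretKeyRef" not in p  # a reference to a Secret, not the secret itself
            and any(h in p.rsplit(".", 1)[-1].lower() for h in SECRET_KEY_HINTS)]
    for c in containers(manifest):
        hits += [f"env:{e['name']}" for e in c.get("env") or []
                 if "value" in e and any(h in str(e.get("name", "")).lower() for h in SECRET_KEY_HINTS)]
    if manifest.get("kind") == "Secret":
        hits += [f"data.{k}" for k in manifest.get("data") or {} if f"data.{k}" not in hits]
    return hits

def scan(manifest):
    """Run every per-manifest check and keep only the findings that fired."""
    checks = {"defaultNamespace": check_default_namespace, "rootPrivilege": check_root_privilege,
              "noResourceLimit": check_resource_limit, "noTLS": check_no_tls,
              "hardcodedSecret": check_hardcoded_secret,
              "podPolicy": lambda m: {k: v for k, v in check_pod_policy(m).items() if v}}
    results = {name: fn(manifest) for name, fn in checks.items()}
    return {name: r for name, r in results.items() if r}
```

`scan(PRIVILEGED_POD)` fires every rule, `scan(HARDENED_POD)` returns an empty dict, and `scan(COMMITTED_SECRET)` reports `data.password` even though the value is base64, which is the "not in plaintext but still exposed" case from rule 9. The `secretKeyRef` exclusion matters: without it the hardened pod's `key: password` reference would be reported as a hardcoded secret.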

check_network_egress_policy() needs to be implemented.
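As an added example (not KubeSec project code), the repository-level heuristics from rules 1, 5 and 10 above, the egress check the comment says is still to be written, and rule 6 (update strategy), in Python on `yaml.safe_load()`-style dicts. Two assumptions: Kubernetes has no `Egress` kind, so the egress check looks for `Egress` in `policyTypes` or an `egress` section of a `NetworkPolicy`; and because the API default for a Deployment without a `strategy` is `RollingUpdate`, a missing strategy is reported separately as `default` rather than folded into `no-rolling`, while `repo_heuristics` still counts both the way the pseudocode does. The sample repository is constructed for this example.

```python
# Added example, not KubeSec project code: repository-level heuristics (rules 1, 5, 10)
# and the update-strategy rule (6) on dicts as returned by yaml.safe_load().
# Kubernetes has no 'Egress' kind: egress policy lives in a NetworkPolicy's
# 'egress' field / 'Egress' policyType, so that is what check_network_egress_policy tests.

RBAC_KINDS = {"Role", "ClusterRole", "RoleBinding", "ClusterRoleBinding"}

# Constructed sample repository: the list a scanner builds by loading every YAML document.
SAMPLE_REPO = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
     "metadata": {"name": "reader", "namespace": "payments"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "payments"}]},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "allow-frontend", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}]}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "api", "namespace": "payments"},
     "spec": {"replicas": 3, "strategy": {"type": "Recreate"},
              "template": {"spec": {"containers": [{"name": "api", "image": "example/api:1.0"}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "worker", "namespace": "payments"},
     "spec": {"replicas": 3,
              "template": {"spec": {"containers": [{"name": "worker", "image": "example/worker:1.0"}]}}}},
]
EGRESS_POLICY = {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                 "metadata": {"name": "deny-egress", "namespace": "payments"},
                 "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": []}}

def check_rbac(manifest):
    """True for an RBAC object; kind and API group are both checked so a CRD named 'Role' is not counted."""
    return manifest.get("kind") in RBAC_KINDS and \
        str(manifest.get("apiVersion", "")).startswith("rbac.authorization.k8s.io/")

def check_network_policy(manifest):
    return manifest.get("kind") == "NetworkPolicy" and \
        str(manifest.get("apiVersion", "")).startswith("networking.k8s.io/")

def check_network_egress_policy(manifest):
    """A NetworkPolicy that constrains egress: 'Egress' in policyTypes or an egress section."""
    if not check_network_policy(manifest):
        return False
    spec = manifest.get("spec") or {}
    return "Egress" in (spec.get("policyTypes") or []) or "egress" in spec

def check_update_strategy(manifest):
    """Rule 6 for one workload: 'n/a' (one replica), 'rolling' (explicit RollingUpdate),
    'default' (no strategy given: the API default is RollingUpdate, but the pseudocode
    counts this as noRollingUpdate) or 'no-rolling' (Recreate / OnDelete)."""
    spec = manifest.get("spec") or {}
    replicas = spec.get("replicas", 1)
    if not isinstance(replicas, int) or replicas <= 1:
        return "n/a"
    strategy = spec.get("strategy") or spec.get("updateStrategy")  # Deployment / StatefulSet, DaemonSet
    if not strategy:
        return "default"
    if strategy.get("type", "RollingUpdate") == "RollingUpdate" or "rollingUpdate" in strategy:
        return "rolling"
    return "no-rolling"

def repo_heuristics(manifests):
    """Repository-wide flags: True when any loaded document implements the control."""
    return {
        "rbac": any(check_rbac(m) for m in manifests),
        "networkPolicy": any(check_network_policy(m) for m in manifests),
        "egressPolicy": any(check_network_egress_policy(m) for m in manifests),
        "noRollingUpdate": [m["metadata"]["name"] for m in manifests
                            if check_update_strategy(m) in ("default", "no-rolling")],
    }
```

On `SAMPLE_REPO` the RBAC and NetworkPolicy heuristics are satisfied but `egressPolicy` is False, because the only policy restricts ingress; adding `EGRESS_POLICY` flips it. Keeping `default` distinct from `no-rolling` lets a reviewer decide whether an absent strategy should be a finding or just a note.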