-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #465 from kubescape/attack-chains
Attack chains
- Loading branch information
Showing
111 changed files
with
2,426 additions
and
120 deletions.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| { | ||
| "apiVersion": "regolibrary.kubescape/v1alpha1", | ||
| "kind": "AttackTrack", | ||
| "metadata": { | ||
| "name": "service-destruction" | ||
| }, | ||
| "spec": { | ||
| "version": "1.0", | ||
| "data": { | ||
| "name": "Workload Exposure", | ||
| "subSteps": [ | ||
| { | ||
| "name": "Service Destruction" | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| { | ||
| "name": "Workload with secret access", | ||
| "attributes": { | ||
| "armoBuiltin": true, | ||
| "controlTypeTags": [ | ||
| "security" | ||
| ], | ||
| "attackTracks": [ | ||
| { | ||
| "attackTrack": "workload-external-track", | ||
| "categories": [ | ||
| "Secret Access" | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| "description": "This control identifies workloads that have mounted secrets. Workloads with secret access can potentially expose sensitive information and increase the risk of unauthorized access to critical resources.", | ||
| "remediation": "Review the workloads identified by this control and assess whether it's necessary to mount these secrets. Remove secret access from workloads that don't require it or ensure appropriate access controls are in place to protect sensitive information.", | ||
| "rulesNames": ["workload-mounted-secrets"], | ||
| "test": "Check if any workload has mounted secrets by inspecting their specifications and verifying if secret volumes are defined.", | ||
| "controlID": "C-0255", | ||
| "baseScore": 8.0 | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| { | ||
| "name": "Exposure to internet", | ||
| "attributes": { | ||
| "armoBuiltin": true, | ||
| "controlTypeTags": [ | ||
| "security" | ||
| ], | ||
| "attackTracks": [ | ||
| { | ||
| "attackTrack": "workload-external-track", | ||
| "categories": [ | ||
| "Workload Exposure" | ||
| ] | ||
| }, | ||
| { | ||
| "attackTrack": "", | ||
| "categories": [ | ||
| "" | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| "description": "This control detect workloads that are exposed on Internet through a Service (NodePort or LoadBalancer) or Ingress. It fails in case it find workloads connected with these resources.", | ||
| "remediation": "The user can evaluate its exposed resources and apply relevant changes wherever needed.", | ||
| "rulesNames": ["exposure-to-internet"], | ||
| "test": "Checks if workloads are exposed through the use of NodePort, LoadBalancer or Ingress", | ||
| "controlID": "C-0256", | ||
| "baseScore": 7.0 | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| { | ||
| "name": "Workload with PVC access", | ||
| "attributes": { | ||
| "armoBuiltin": true, | ||
| "controlTypeTags": [ | ||
| "security" | ||
| ], | ||
| "attackTracks": [ | ||
| { | ||
| "attackTrack": "workload-external-track", | ||
| "categories": [ | ||
| "Data Access" | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| "description": "This control detects workloads that have mounted PVC. Workloads with PVC access can potentially expose sensitive information and elevate the risk of unauthorized access to critical resources.", | ||
| "remediation": "Review the workloads identified by this control and assess whether it's necessary to mount these PVCs. Remove PVC access from workloads that don't require it or ensure appropriate access controls are in place to protect sensitive information.", | ||
| "rulesNames": ["workload-mounted-pvc"], | ||
| "test": "Check if any workload has mounted PVCs by inspecting their specifications and verifying if PVC volumes are defined", | ||
| "controlID": "C-0257", | ||
| "baseScore": 4.0 | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| { | ||
| "name": "Workload with ConfigMap access", | ||
| "attributes": { | ||
| "armoBuiltin": true, | ||
| "controlTypeTags": [ | ||
| "security" | ||
| ], | ||
| "attackTracks": [ | ||
| { | ||
| "attackTrack": "workload-external-track", | ||
| "categories": [ | ||
| "Data Access" | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| "description": "This control detects workloads that have mounted ConfigMaps. Workloads with ConfigMap access can potentially expose sensitive information and elevate the risk of unauthorized access to critical resources.", | ||
| "remediation": "Review the workloads identified by this control and assess whether it's necessary to mount these configMaps. Remove configMaps access from workloads that don't require it or ensure appropriate access controls are in place to protect sensitive information.", | ||
| "rulesNames": ["workload-mounted-configmap"], | ||
| "test": "Check if any workload has mounted secrets by inspecting their specifications and verifying if secret volumes are defined", | ||
| "controlID": "C-0258", | ||
| "baseScore": 5.0 | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| { | ||
| "name": "Workload with credential access", | ||
| "attributes": { | ||
| "armoBuiltin": true, | ||
| "controlTypeTags": [ | ||
| "security" | ||
| ], | ||
| "attackTracks": [ | ||
| { | ||
| "attackTrack": "workload-external-track", | ||
| "categories": [ | ||
| "Credential access" | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| "description": "This control checks if workloads specifications have sensitive information in their environment variables.", | ||
| "remediation": "Use Kubernetes secrets or Key Management Systems to store credentials.", | ||
| "rulesNames": ["rule-credentials-in-env-var"], | ||
| "test": "Check if the workload has sensitive information in environment variables, by using list of known sensitive key names.", | ||
| "controlID": "C-0259", | ||
| "baseScore": 8.0 | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| { | ||
| "name": "Missing network policy", | ||
| "attributes": { | ||
| "armoBuiltin": true, | ||
| "controlTypeTags": [ | ||
| "security" | ||
| ], | ||
| "attackTracks": [ | ||
| { | ||
| "attackTrack": "workload-external-track", | ||
| "categories": [ | ||
| "Network" | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| "description": "This control detects workloads that has no NetworkPolicy configured in labels. If a network policy is not configured, it means that your applications might not have necessary control over the traffic to and from the pods, possibly leading to a security vulnerability.", | ||
| "remediation": "Review the workloads identified by this control and assess whether it's necessary to configure a network policy for them.", | ||
| "rulesNames": ["ensure_network_policy_configured_in_labels"], | ||
| "test": "Check that all workloads has a network policy configured in labels.", | ||
| "controlID": "C-0260", | ||
| "baseScore": 5.0 | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| { | ||
| "name": "ServiceAccount token mounted", | ||
| "attributes": { | ||
| "armoBuiltin": true, | ||
| "controlTypeTags": [ | ||
| "security" | ||
| ], | ||
| "attackTracks": [ | ||
| { | ||
| "attackTrack": "workload-external-track", | ||
| "categories": [ | ||
| "Credential access" | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| "description": "Potential attacker may gain access to a workload and steal its ServiceAccount token. Therefore, it is recommended to disable automatic mapping of the ServiceAccount tokens in ServiceAccount configuration. Enable it only for workloads that need to use them and ensure that this ServiceAccount is not bound to an unnecessary ClusterRoleBinding or RoleBinding.", | ||
| "remediation": "Disable automatic mounting of service account tokens to pods at the workload level, by specifying automountServiceAccountToken: false. Enable it only for workloads that need to use them and ensure that this ServiceAccount doesn't have unnecessary permissions", | ||
| "rulesNames": ["serviceaccount-token-mount"], | ||
| "test": "test if ServiceAccount token is mounted on workload and it has at least one binding.", | ||
| "controlID": "C-0261", | ||
| "baseScore": 7.0 | ||
| } |
Oops, something went wrong.