fix rule and rulename

Signed-off-by: YiscahLevySilas1 <[email protected]>
kubescape · Jul 17, 2023 · 1b28a4e · 1b28a4e
1 parent 3782b3d
commit 1b28a4e
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/controls/C-0261-satokenmounted.json b/controls/C-0261-satokenmounted.json
@@ -16,7 +16,7 @@
     },
     "description": "Potential attacker may gain access to a workload and steal its ServiceAccount token. Therefore, it is recommended to disable automatic mapping of the ServiceAccount tokens in ServiceAccount configuration. Enable it only for workloads that need to use them and ensure that this ServiceAccount is not bound to an unnecessary ClusterRoleBinding or RoleBinding.",
     "remediation": "Disable automatic mounting of service account tokens to pods at the workload level, by specifying automountServiceAccountToken: false. Enable it only for workloads that need to use them and ensure that this ServiceAccount doesn't have unnecessary permissions",
-    "rulesNames": ["automount-service-account"],
+    "rulesNames": ["serviceaccount-token-mount"],
     "test": "test if ServiceAccount token is mounted on workload and it has at least one binding.",
     "controlID": "C-0261",
     "baseScore": 7.0

diff --git a/rules/serviceaccount-token-mount/raw.rego b/rules/serviceaccount-token-mount/raw.rego
@@ -19,7 +19,7 @@ deny[msga] {
     msga := {
         "alertMessage": sprintf("%v: %v in the following namespace: %v mounts service account tokens by default", [wl.kind, wl.metadata.name, wl.metadata.namespace]),
         "packagename": "armo_builtins",
-        "alertScore": 7,
+        "alertScore": 9,
         "fixPaths": fixed_path,
         "failedPaths": failed_path,
         "alertObject": {
@@ -55,15 +55,15 @@ is_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_pa
     not spec.automountServiceAccountToken == false
     not spec.automountServiceAccountToken == true
 
-    fix_path = { "path": sprintf("%v.automountServiceAccountToken", [concat(".", containers_path)]), "value": "false"}
+    fix_path = { "path": sprintf("%v.automountServiceAccountToken", [concat(".", beggining_of_path)]), "value": "false"}
     failed_path = ""
 }
 
 is_sa_auto_mounted(spec, beggining_of_path, wl_namespace) =  [failed_path, fix_path]  {
     # automountServiceAccountToken set to true in pod spec
     spec.automountServiceAccountToken == true
 
-    failed_path = sprintf("%v.automountServiceAccountToken", [concat(".", containers_path)])
+    failed_path = sprintf("%v.automountServiceAccountToken", [concat(".", beggining_of_path)])
     fix_path = ""
 }
 

diff --git a/rules/serviceaccount-token-mount/rule.metadata.json b/rules/serviceaccount-token-mount/rule.metadata.json
@@ -1,5 +1,5 @@
 {
-    "name": "automount-service-account",
+    "name": "serviceaccount-token-mount",
     "attributes": {
       "armoBuiltin": true
     },