From 1b28a4e6555e03218f392546b16411d4e32f17a7 Mon Sep 17 00:00:00 2001
From: YiscahLevySilas1
Date: Mon, 17 Jul 2023 22:45:49 +0300
Subject: [PATCH] fix rule and rulename

Signed-off-by: YiscahLevySilas1
---
 controls/C-0261-satokenmounted.json | 2 +-
 rules/serviceaccount-token-mount/raw.rego | 6 +++---
 rules/serviceaccount-token-mount/rule.metadata.json | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/controls/C-0261-satokenmounted.json b/controls/C-0261-satokenmounted.json
index f57ad3ef7..f2216f5e6 100644
--- a/controls/C-0261-satokenmounted.json
+++ b/controls/C-0261-satokenmounted.json
@@ -16,7 +16,7 @@
 },
 "description": "Potential attacker may gain access to a workload and steal its ServiceAccount token. Therefore, it is recommended to disable automatic mapping of the ServiceAccount tokens in ServiceAccount configuration. Enable it only for workloads that need to use them and ensure that this ServiceAccount is not bound to an unnecessary ClusterRoleBinding or RoleBinding.",
 "remediation": "Disable automatic mounting of service account tokens to pods at the workload level, by specifying automountServiceAccountToken: false. Enable it only for workloads that need to use them and ensure that this ServiceAccount doesn't have unnecessary permissions",
- "rulesNames": ["automount-service-account"],
+ "rulesNames": ["serviceaccount-token-mount"],
 "test": "test if ServiceAccount token is mounted on workload and it has at least one binding.",
 "controlID": "C-0261",
 "baseScore": 7.0
diff --git a/rules/serviceaccount-token-mount/raw.rego b/rules/serviceaccount-token-mount/raw.rego
index 2474ccb95..f11e8ea29 100644
--- a/rules/serviceaccount-token-mount/raw.rego
+++ b/rules/serviceaccount-token-mount/raw.rego
@@ -19,7 +19,7 @@ deny[msga] {
 msga := {
 "alertMessage": sprintf("%v: %v in the following namespace: %v mounts service account tokens by default", [wl.kind, wl.metadata.name, wl.metadata.namespace]),
 "packagename": "armo_builtins",
- "alertScore": 7,
+ "alertScore": 9,
 "fixPaths": fixed_path,
 "failedPaths": failed_path,
 "alertObject": {
@@ -55,7 +55,7 @@ is_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_pa
 not spec.automountServiceAccountToken == false
 not spec.automountServiceAccountToken == true
- fix_path = { "path": sprintf("%v.automountServiceAccountToken", [concat(".", containers_path)]), "value": "false"}
+ fix_path = { "path": sprintf("%v.automountServiceAccountToken", [concat(".", beggining_of_path)]), "value": "false"}
 failed_path = ""
 }
@@ -63,7 +63,7 @@ is_sa_auto_mounted(spec, beggining_of_path, wl_namespace) = [failed_path, fix_p
 # automountServiceAccountToken set to true in pod spec
 spec.automountServiceAccountToken == true
- failed_path = sprintf("%v.automountServiceAccountToken", [concat(".", containers_path)])
+ failed_path = sprintf("%v.automountServiceAccountToken", [concat(".", beggining_of_path)])
 fix_path = ""
 }
diff --git a/rules/serviceaccount-token-mount/rule.metadata.json b/rules/serviceaccount-token-mount/rule.metadata.json
index b62fd3678..c10e5c9f2 100644
--- a/rules/serviceaccount-token-mount/rule.metadata.json
+++ b/rules/serviceaccount-token-mount/rule.metadata.json
@@ -1,5 +1,5 @@
 {
- "name": "automount-service-account",
+ "name": "serviceaccount-token-mount",
 "attributes": {
 "armoBuiltin": true
 },
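Review bot: The new `"alertScore": 9` is now above the `"baseScore": 7.0` that control C-0261 keeps in controls/C-0261-satokenmounted.json in this same commit, so the rule and the control that references it report different severities for the same finding. I can't tell from the diff whether alertScore and baseScore are meant to be coupled; if they are, one of the two values should move, and if the gap is intentional a line comment such as `# alertScore deliberately differs from C-0261 baseScore (7.0)` would keep the next reader from "correcting" it. The deny rule body starts and ends outside the hunk.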
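Review bot: `beggining_of_path` is a misspelling of `beginning_of_path`, and substituting it for `containers_path` here and again in the hunk at -63 makes every reported path depend on the misspelled identifier; since it is a parameter of `is_sa_auto_mounted`, whose signature lies outside the hunk, renaming it at the definition and its call sites in a follow-up would keep the rule readable. The substitution itself looks correct: `containers_path` is not bound anywhere in the visible body, so the old lines would have been unsafe variables in Rego. Note that `concat(".", beggining_of_path)` on an empty array yields `""`, giving a path of `.automountServiceAccountToken` with a leading dot; if any caller can pass an empty path, a guard on that case is worth adding.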