Improvements to control C-0262 (#519)

* SUB-2185 - improve C-0262 Signed-off-by: YiscahLevySilas1 <[email protected]> * minor fix Signed-off-by: YiscahLevySilas1 <[email protected]> --------- Signed-off-by: YiscahLevySilas1 <[email protected]>
kubescape · Oct 9, 2023 · 46cdc49 · 46cdc49
1 parent a9b037a
commit 46cdc49
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 14 deletions.
diff --git a/controls/C-0262-anonymousaccessisenabled.json b/controls/C-0262-anonymousaccessisenabled.json
@@ -1,17 +1,16 @@
 {
     "controlID": "C-0262",
-    "name": "Anonymous access enabled",
+    "name": "Anonymous user has RoleBinding",
     "description": "Granting permissions to the system:unauthenticated or system:anonymous user is generally not recommended and can introduce security risks. Allowing unauthenticated access to your Kubernetes cluster can lead to unauthorized access, potential data breaches, and abuse of cluster resources.",
     "remediation": "Review and modify your cluster's RBAC configuration to ensure that only authenticated and authorized users have appropriate permissions based on their roles and responsibilities within your system.",
     "test": "Checks if ClusterRoleBinding/RoleBinding resources give permissions to anonymous user. Also checks in the apiserver if the --anonymous-auth flag is set to false",
     "attributes": {
         "armoBuiltin": true
     },
     "rulesNames": [
-        "ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false",
         "anonymous-access-enabled"
     ],
-    "baseScore": 5,
+    "baseScore": 7,
     "category": {
         "name": "Control plane",
         "subCategory": {

diff --git a/rules/anonymous-access-enabled/raw.rego b/rules/anonymous-access-enabled/raw.rego
@@ -4,12 +4,14 @@ package armo_builtins
 deny[msga] {
     rolebindings := [rolebinding | rolebinding = input[_]; endswith(rolebinding.kind, "Binding")]
     rolebinding := rolebindings[_]
-
-    isAnonymous(rolebinding)
-
+    subject := rolebinding.subjects[i]
+    isAnonymous(subject)
+    delete_path := sprintf("subjects[%d]", [i])
     msga := {
         "alertMessage": sprintf("the following RoleBinding: %v gives permissions to anonymous users", [rolebinding.metadata.name]),
         "alertScore": 9,
+        "deletePaths": [delete_path],
+        "failedPaths": [delete_path],
         "packagename": "armo_builtins",
         "alertObject": {
             "k8sApiObjects": [rolebinding]
@@ -18,13 +20,10 @@ deny[msga] {
 }
 
 
-isAnonymous(binding) {
-    subject := binding.subjects[_]
+isAnonymous(subject) {
     subject.name == "system:anonymous"
 }
 
-
-isAnonymous(binding) {
-    subject := binding.subjects[_]
+isAnonymous(subject) {
     subject.name == "system:unauthenticated"
 }
diff --git a/rules/anonymous-access-enabled/rule.metadata.json b/rules/anonymous-access-enabled/rule.metadata.json
@@ -19,7 +19,7 @@
         }
     ],
     "ruleDependencies": [],
-    "description": "Fails in case anonymous access is enabled on the cluster",
-    "remediation": "Disable anonymous access by passing the --anonymous-auth=false flag to the kube-apiserver component, or if it's a managed cluster, you can remove any RBAC rules which allow anonymous users to perform actions",
+    "description": "Fails in case anonymous or unauthenticated user has any rbac permissions (is bound by a RoleBinding/ClusterRoleBinding)",
+    "remediation": "Remove any RBAC rules which allow anonymous users to perform actions",
     "ruleQuery": "armo_builtins"
 }
diff --git a/rules/anonymous-access-enabled/test/fail/expected.json b/rules/anonymous-access-enabled/test/fail/expected.json
@@ -1,7 +1,7 @@
 [
     {
         "alertMessage": "the following RoleBinding: system:public-info-viewer gives permissions to anonymous users",
-        "failedPaths": null,
+        "failedPaths": ["subjects[1]"],
         "fixPaths": null,
         "ruleStatus": "",
         "packagename": "armo_builtins",