Merge pull request #465 from kubescape/attack-chains

Attack chains
kubescape · Jul 18, 2023 · 863c0f7 · 863c0f7
2 parents 0e5330e + 1b28a4e
commit 863c0f7
Show file tree

Hide file tree

Showing 111 changed files with 2,426 additions and 120 deletions.
diff --git a/attack-tracks/container.json b/attack-tracks/container.json
diff --git a/attack-tracks/kubeapi.json b/attack-tracks/kubeapi.json
diff --git a/attack-tracks/service-destruction.json b/attack-tracks/service-destruction.json
@@ -0,0 +1,18 @@
+{
+    "apiVersion": "regolibrary.kubescape/v1alpha1",
+    "kind": "AttackTrack",
+    "metadata": {
+        "name": "service-destruction"
+    },
+    "spec": {
+        "version": "1.0",
+        "data": {
+            "name": "Workload Exposure",
+            "subSteps": [
+                {
+                    "name": "Service Destruction"
+                }
+            ]
+        }
+    }
+}
diff --git a/attack-tracks/node.json → attack-tracks/workload-external-track.json b/attack-tracks/node.json → attack-tracks/workload-external-track.json
@@ -2,39 +2,34 @@
     "apiVersion": "regolibrary.kubescape/v1alpha1",
     "kind": "AttackTrack",
     "metadata": {
-        "name": "node"
+        "name": "workload-external-track"
     },
     "spec": {
         "version": "1.0",
         "data": {
-            "name": "Initial access",
+            "name": "Workload Exposure",
             "subSteps": [
                 {
-                    "name": "Execution",
+                    "name": "Vulnerable Image",
+                    "checksVulnerabilities": true,
                     "subSteps": [
                         {
-                            "name": "Persistence"
-                        },
-                        {
-                            "name": "Credential access"
+                            "name": "Data Access"
                         },
                         {
-                            "name": "Defense evasion"
+                            "name": "Secret Access"
                         },
                         {
-                            "name": "Discovery"
-                        },
-                        {
-                            "name": "Lateral movement"
+                            "name": "Credential access"
                         },
                         {
-                            "name": "Impact - data theft"
+                            "name": "Potential Node exposure"
                         },
                         {
-                            "name": "Impact - data destruction"
+                            "name": "Persistence"
                         },
                         {
-                            "name": "Impact - service injection"
+                            "name": "Network"
                         }
                     ]
                 }

diff --git a/controls/C-0255-workloadwithsecretaccess.json b/controls/C-0255-workloadwithsecretaccess.json
@@ -0,0 +1,23 @@
+{
+    "name": "Workload with secret access",
+    "attributes": {
+        "armoBuiltin": true,
+        "controlTypeTags": [
+            "security"
+        ],
+        "attackTracks": [
+            {
+                "attackTrack": "workload-external-track",
+                "categories": [
+                    "Secret Access"
+                ]
+            }
+        ]
+    },
+    "description": "This control identifies workloads that have mounted secrets. Workloads with secret access can potentially expose sensitive information and increase the risk of unauthorized access to critical resources.",
+    "remediation": "Review the workloads identified by this control and assess whether it's necessary to mount these secrets. Remove secret access from workloads that don't require it or ensure appropriate access controls are in place to protect sensitive information.",
+    "rulesNames": ["workload-mounted-secrets"],
+    "test": "Check if any workload has mounted secrets by inspecting their specifications and verifying if secret volumes are defined.",
+    "controlID": "C-0255",
+    "baseScore": 8.0
+}
diff --git a/controls/C-0256-exposuretointernet.json b/controls/C-0256-exposuretointernet.json
@@ -0,0 +1,29 @@
+{
+    "name": "Exposure to internet",
+    "attributes": {
+        "armoBuiltin": true,
+        "controlTypeTags": [
+            "security"
+        ],
+        "attackTracks": [
+            {
+                "attackTrack": "workload-external-track",
+                "categories": [
+                    "Workload Exposure"
+                ]
+            },
+            {
+                "attackTrack": "",
+                "categories": [
+                    ""
+                ]
+            }
+        ]
+    },
+    "description": "This control detect workloads that are exposed on Internet through a Service (NodePort or LoadBalancer) or Ingress. It fails in case it find workloads connected with these resources.",
+    "remediation": "The user can evaluate its exposed resources and apply relevant changes wherever needed.",
+    "rulesNames": ["exposure-to-internet"],
+    "test": "Checks if workloads are exposed through the use of NodePort, LoadBalancer or Ingress",
+    "controlID": "C-0256",
+    "baseScore": 7.0
+}
diff --git a/controls/C-0257-pvcaccess.json b/controls/C-0257-pvcaccess.json
@@ -0,0 +1,23 @@
+{
+    "name": "Workload with PVC access",
+    "attributes": {
+        "armoBuiltin": true,
+        "controlTypeTags": [
+            "security"
+        ],
+        "attackTracks": [
+            {
+                "attackTrack": "workload-external-track",
+                "categories": [
+                    "Data Access"
+                ]
+            }
+        ]
+    },
+    "description": "This control detects workloads that have mounted PVC. Workloads with PVC access can potentially expose sensitive information and elevate the risk of unauthorized access to critical resources.",
+    "remediation": "Review the workloads identified by this control and assess whether it's necessary to mount these PVCs. Remove PVC access from workloads that don't require it or ensure appropriate access controls are in place to protect sensitive information.",
+    "rulesNames": ["workload-mounted-pvc"],
+    "test": "Check if any workload has mounted PVCs by inspecting their specifications and verifying if PVC volumes are defined",
+    "controlID": "C-0257",
+    "baseScore": 4.0
+}
diff --git a/controls/C-0258-configmapaccess.json b/controls/C-0258-configmapaccess.json
@@ -0,0 +1,23 @@
+{
+    "name": "Workload with ConfigMap access",
+    "attributes": {
+        "armoBuiltin": true,
+        "controlTypeTags": [
+            "security"
+        ],
+        "attackTracks": [
+            {
+                "attackTrack": "workload-external-track",
+                "categories": [
+                    "Data Access"
+                ]
+            }
+        ]
+    },
+    "description": "This control detects workloads that have mounted ConfigMaps. Workloads with ConfigMap access can potentially expose sensitive information and elevate the risk of unauthorized access to critical resources.",
+    "remediation": "Review the workloads identified by this control and assess whether it's necessary to mount these configMaps. Remove configMaps access from workloads that don't require it or ensure appropriate access controls are in place to protect sensitive information.",
+    "rulesNames": ["workload-mounted-configmap"],
+    "test": "Check if any workload has mounted secrets by inspecting their specifications and verifying if secret volumes are defined",
+    "controlID": "C-0258",
+    "baseScore": 5.0
+}
diff --git a/controls/C-0259-workloadwithcredentialaccess.json b/controls/C-0259-workloadwithcredentialaccess.json
@@ -0,0 +1,23 @@
+{
+    "name": "Workload with credential access",
+    "attributes": {
+        "armoBuiltin": true,
+        "controlTypeTags": [
+            "security"
+        ],
+        "attackTracks": [
+            {
+                "attackTrack": "workload-external-track",
+                "categories": [
+                    "Credential access"
+                ]
+            }
+        ]
+    },
+    "description": "This control checks if workloads specifications have sensitive information in their environment variables.",
+    "remediation": "Use Kubernetes secrets or Key Management Systems to store credentials.",
+    "rulesNames": ["rule-credentials-in-env-var"],
+    "test": "Check if the workload has sensitive information in environment variables, by using list of known sensitive key names.",
+    "controlID": "C-0259",
+    "baseScore": 8.0
+}
diff --git a/controls/C-0260-missingnetworkpolicy.json b/controls/C-0260-missingnetworkpolicy.json
@@ -0,0 +1,23 @@
+{
+    "name": "Missing network policy",
+    "attributes": {
+        "armoBuiltin": true,
+        "controlTypeTags": [
+            "security"
+        ],
+        "attackTracks": [
+            {
+                "attackTrack": "workload-external-track",
+                "categories": [
+                    "Network"
+                ]
+            }
+        ]
+    },
+    "description": "This control detects workloads that has no NetworkPolicy configured in labels. If a network policy is not configured, it means that your applications might not have necessary control over the traffic to and from the pods, possibly leading to a security vulnerability.",
+    "remediation": "Review the workloads identified by this control and assess whether it's necessary to configure a network policy for them.",
+    "rulesNames": ["ensure_network_policy_configured_in_labels"],
+    "test": "Check that all workloads has a network policy configured in labels.",
+    "controlID": "C-0260",
+    "baseScore": 5.0
+}
diff --git a/controls/C-0261-satokenmounted.json b/controls/C-0261-satokenmounted.json
@@ -0,0 +1,23 @@
+{
+    "name": "ServiceAccount token mounted",
+    "attributes": {
+        "armoBuiltin": true,
+        "controlTypeTags": [
+            "security"
+        ],
+        "attackTracks": [
+            {
+                "attackTrack": "workload-external-track",
+                "categories": [
+                    "Credential access"
+                ]
+            }
+        ]
+    },
+    "description": "Potential attacker may gain access to a workload and steal its ServiceAccount token. Therefore, it is recommended to disable automatic mapping of the ServiceAccount tokens in ServiceAccount configuration. Enable it only for workloads that need to use them and ensure that this ServiceAccount is not bound to an unnecessary ClusterRoleBinding or RoleBinding.",
+    "remediation": "Disable automatic mounting of service account tokens to pods at the workload level, by specifying automountServiceAccountToken: false. Enable it only for workloads that need to use them and ensure that this ServiceAccount doesn't have unnecessary permissions",
+    "rulesNames": ["serviceaccount-token-mount"],
+    "test": "test if ServiceAccount token is mounted on workload and it has at least one binding.",
+    "controlID": "C-0261",
+    "baseScore": 7.0
+}