Skip to content

Commit

Permalink
Merge pull request #598 from kubescape/security-risks
Browse files Browse the repository at this point in the history 
add new attack paths for security risks
  • Loading branch information
@YiscahLevySilas1
YiscahLevySilas1 committed Mar 5, 2024
2 parents 9fc81b7 + 024d59d commit cb9b061
Show file tree
Hide file tree
Showing 5 changed files with 83 additions and 1 deletion.
20 changes: 20 additions & 0 deletions attack-tracks/external-wl-unauthenticated.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
{
"apiVersion": "regolibrary.kubescape/v1alpha1",
"kind": "AttackTrack",
"metadata": {
"name": "external-database-without-authentication"
},
"spec": {
"version": "1.0",
"data": {
"name": "Initial Access",
"description": "An attacker can access the Kubernetes environment.",
"subSteps": [
{
"name": "Unauthenticated Access",
"description": "An unauthenticated attacker can access resources."
}
]
}
}
}
20 changes: 20 additions & 0 deletions attack-tracks/external-wl-with-cluster-takeover-roles.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
{
"apiVersion": "regolibrary.kubescape/v1alpha1",
"kind": "AttackTrack",
"metadata": {
"name": "external-workload-with-cluster-takeover-roles"
},
"spec": {
"version": "1.0",
"data": {
"name": "Initial Access",
"description": "An attacker can access the Kubernetes environment.",
"subSteps": [
{
"name": "Cluster Access",
"description": "An attacker has access to sensitive information and can leverage them by creating pods in the cluster."
}
]
}
}
}
12 changes: 12 additions & 0 deletions controls/C-0256-exposuretointernet.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,18 @@
"categories": [
"Initial Access"
]
},
{
"attackTrack": "external-workload-with-cluster-takeover-roles",
"categories": [
"Initial Access"
]
},
{
"attackTrack": "external-database-without-authentication",
"categories": [
"Initial Access"
]
}
]
},
Expand Down
14 changes: 13 additions & 1 deletion controls/C-0267-workloadwithclustertakeoverroles.json
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,18 @@
{
"name": "Workload with cluster takeover roles",
"attributes": {},
"attributes": {
"controlTypeTags": [
"security"
],
"attackTracks": [
{
"attackTrack": "external-workload-with-cluster-takeover-roles",
"categories": [
"Cluster Access"
]
}
]
},
"description": "Cluster takeover roles include workload creation or update and secret access. They can easily lead to super privileges in the cluster. If an attacker can exploit this workload then the attacker can take over the cluster using the RBAC privileges this workload is assigned to.",
"remediation": "You should apply least privilege principle. Make sure each service account has only the permissions that are absolutely necessary.",
"rulesNames": [
Expand Down
18 changes: 18 additions & 0 deletions frameworks/security.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,12 @@
"name": "Authenticated user has sensitive permissions"
}
},
{
"controlID": "C-0267",
"patch": {
"name": "Workload with cluster takeover roles"
}
},
{
"controlID": "C-0270",
"patch": {
Expand All @@ -193,6 +199,18 @@
"patch": {
"name": "Ensure memory limits are set"
}
},
{
"controlID": "C-0272",
"patch": {
"name": "Workload with administrative roles"
}
},
{
"controlID": "C-0273",
"patch": {
"name": "Outdated Kubernetes version"
}
}
]
}

0 comments on commit cb9b061

Please sign in to comment.