diff --git a/attack-tracks/external-wl-unauthenticated.json b/attack-tracks/external-wl-unauthenticated.json
new file mode 100644
index 000000000..a09fc9ac6
--- /dev/null
+++ b/attack-tracks/external-wl-unauthenticated.json
@@ -0,0 +1,20 @@
+{
+ "apiVersion": "regolibrary.kubescape/v1alpha1",
+ "kind": "AttackTrack",
+ "metadata": {
+ "name": "external-database-without-authentication"
+ },
+ "spec": {
+ "version": "1.0",
+ "data": {
+ "name": "Initial Access",
+ "description": "An attacker can access the Kubernetes environment.",
+ "subSteps": [
+ {
+ "name": "Unauthenticated Access",
+ "description": "An unauthenticated attacker can access resources."
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/attack-tracks/external-wl-with-cluster-takeover-roles.json b/attack-tracks/external-wl-with-cluster-takeover-roles.json
new file mode 100644
index 000000000..d12d0a139
--- /dev/null
+++ b/attack-tracks/external-wl-with-cluster-takeover-roles.json
@@ -0,0 +1,20 @@
+{
+ "apiVersion": "regolibrary.kubescape/v1alpha1",
+ "kind": "AttackTrack",
+ "metadata": {
+ "name": "external-workload-with-cluster-takeover-roles"
+ },
+ "spec": {
+ "version": "1.0",
+ "data": {
+ "name": "Initial Access",
+ "description": "An attacker can access the Kubernetes environment.",
+ "subSteps": [
+ {
+ "name": "Cluster Access",
+ "description": "An attacker has access to sensitive information and can leverage them by creating pods in the cluster."
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/controls/C-0256-exposuretointernet.json b/controls/C-0256-exposuretointernet.json
index c82bd03c0..044528cc5 100644
--- a/controls/C-0256-exposuretointernet.json
+++ b/controls/C-0256-exposuretointernet.json
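Review bot: The new file `attack-tracks/external-wl-unauthenticated.json` declares `"name": "external-database-without-authentication"` in `metadata`, so the file's basename and the resource name it defines do not match; the same holds for `external-wl-with-cluster-takeover-roles.json`, whose `metadata.name` is `external-workload-with-cluster-takeover-roles`. The C-0256 and C-0267 control hunks reference the tracks by `metadata.name`, so lookups presumably resolve, but a reader searching for the name used in the controls will not find the file, and the "database" wording in the name does not match the generic `Unauthenticated Access` step described in `spec.data.subSteps`. Either rename the files to match `metadata.name` or align the names so that file, resource name and step describe the same scenario. Both files are also written without a trailing newline.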
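Review bot: The sub-step description `"An attacker has access to sensitive information and can leverage them by creating pods in the cluster."` has a pronoun mismatch ("information … them") and does not say what the sensitive information is; since C-0267, which maps to this `Cluster Access` step, describes secret access and workload creation/update rights, the description would be clearer as `"description": "An attacker with access to the workload's RBAC privileges (secret access or workload creation/update) can use them to create pods and take over the cluster."`. The step name `Cluster Access` matches the category referenced by the C-0267 control hunk, so the mapping itself is consistent.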
@@ -16,6 +16,18 @@
 "categories": [
 "Initial Access"
 ]
+ },
+ {
+ "attackTrack": "external-workload-with-cluster-takeover-roles",
+ "categories": [
+ "Initial Access"
+ ]
+ },
+ {
+ "attackTrack": "external-database-without-authentication",
+ "categories": [
+ "Initial Access"
+ ]
 }
 ]
 },
diff --git a/controls/C-0267-workloadwithclustertakeoverroles.json b/controls/C-0267-workloadwithclustertakeoverroles.json
index 0376ae36a..c9dc96379 100644
--- a/controls/C-0267-workloadwithclustertakeoverroles.json
+++ b/controls/C-0267-workloadwithclustertakeoverroles.json
@@ -1,6 +1,18 @@
 {
 "name": "Workload with cluster takeover roles",
- "attributes": {},
+ "attributes": {
+ "controlTypeTags": [
+ "security"
+ ],
+ "attackTracks": [
+ {
+ "attackTrack": "external-workload-with-cluster-takeover-roles",
+ "categories": [
+ "Cluster Access"
+ ]
+ }
+ ]
+ },
 "description": "Cluster takeover roles include workload creation or update and secret access. They can easily lead to super privileges in the cluster. If an attacker can exploit this workload then the attacker can take over the cluster using the RBAC privileges this workload is assigned to.",
 "remediation": "You should apply least privilege principle. Make sure each service account has only the permissions that are absolutely necessary.",
 "rulesNames": [
diff --git a/frameworks/security.json b/frameworks/security.json
index 2840c9c17..a2928c2b4 100644
--- a/frameworks/security.json
+++ b/frameworks/security.json
@@ -182,6 +182,12 @@
 "name": "Authenticated user has sensitive permissions"
 }
 },
+ {
+ "controlID": "C-0267",
+ "patch": {
+ "name": "Workload with cluster takeover roles"
+ }
+ },
 {
 "controlID": "C-0270",
 "patch": {
@@ -193,6 +199,18 @@
 "patch": {
 "name": "Ensure memory limits are set"
 }
+ },
+ {
+ "controlID": "C-0272",
+ "patch": {
+ "name": "Workload with administrative roles"
+ }
+ },
+ {
+ "controlID": "C-0273",
+ "patch": {
+ "name": "Outdated Kubernetes version"
+ }
 }
 ]
 }
\ No newline at end of file
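Review bot: Both new `attackTracks` entries map C-0256 only to the `Initial Access` category, and nothing in this diff maps any control to the `Unauthenticated Access` sub-step of `external-database-without-authentication`, whereas the `Cluster Access` sub-step of the other track is covered by the C-0267 hunk. Unless a control elsewhere in the library already references that step, the unauthenticated track has a leaf step no finding can reach, so a C-0256 result alone will not surface it; add the missing mapping on the control that detects the unauthenticated-database condition, or defer the track until that control exists. The enclosing `attackTracks` array starts and ends outside the hunk.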
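Review bot: The second hunk of `frameworks/security.json` adds `C-0272` (`Workload with administrative roles`) and `C-0273` (`Outdated Kubernetes version`) to the framework, but this diff contains no control definition for either ID, so the entries are only valid if those controls already exist in the library; the `C-0267` entry in the first hunk is verifiable here because its `patch.name` matches the `name` in `controls/C-0267-workloadwithclustertakeoverroles.json`. Please confirm that both controls exist and that their `patch.name` values match the control `name` fields, since a framework entry whose control is missing or misnamed would either fail to load or silently contribute nothing to the scan, depending on the loader (not visible here). The enclosing array in both hunks starts outside the hunk.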