github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/kubernetes/policies/pss/baseline/9_unsafe_sysctl_options_set.rego (about) 1 # METADATA 2 # title: "Unsafe sysctl options set" 3 # description: "Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node." 4 # scope: package 5 # schemas: 6 # - input: schema["kubernetes"] 7 # related_resources: 8 # - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline 9 # custom: 10 # id: KSV026 11 # avd_id: AVD-KSV-0026 12 # severity: MEDIUM 13 # short_code: no-unsafe-sysctl 14 # recommended_action: "Do not set 'spec.securityContext.sysctls' or set to values in an allowed subset" 15 # input: 16 # selector: 17 # - type: kubernetes 18 package builtin.kubernetes.KSV026 19 20 import data.lib.kubernetes 21 import data.lib.utils 22 23 default failSysctls = false 24 25 # Add allowed sysctls 26 allowed_sysctls = { 27 "kernel.shm_rmid_forced", 28 "net.ipv4.ip_local_port_range", 29 "net.ipv4.tcp_syncookies", 30 "net.ipv4.ping_group_range", 31 } 32 33 # failSysctls is true if a disallowed sysctl is set 34 failSysctls { 35 pod := kubernetes.pods[_] 36 set_sysctls := {sysctl | sysctl := pod.spec.securityContext.sysctls[_].name} 37 sysctls_not_allowed := set_sysctls - allowed_sysctls 38 count(sysctls_not_allowed) > 0 39 } 40 41 deny[res] { 42 failSysctls 43 msg := kubernetes.format(sprintf("%s '%s' should set 'securityContext.sysctl' to the allowed values", [kubernetes.kind, kubernetes.name])) 44 res := result.new(msg, input.spec) 45 }