Merge pull request #1903 from cnti-testcatalog/pr-1862-1893-1899-1890-1895-1869

Combined PR with changes from 1862, 1893, 1899, 1890, 1895, 1869
agentpoyo authored Feb 26, 2024
2 parents 549982d + edc6e76 commit d64056e
Showing 26 changed files with 197 additions and 310 deletions.
8 changes: 0 additions & 8 deletions RATIONALE.md
Expand Up @@ -222,14 +222,6 @@ Binnie, Chris; McCune, Rory (2021-06-17T23:58:59). Cloud Native Security . Wiley

> Service externalIPs can be used for a MITM attack (CVE-2020-8554). Restrict externalIPs or limit to a known set of addresses. See: https://github.com/kyverno/kyverno/issues/1367
#### *To check if any containers are running as a root user (checks the user outside the container that is running dockerd)*: [non_root_user](docs/LIST_OF_TESTS.md#root-user)

> *Even with other security controls used within a Linux system running containers,
such as namespaces that segregate access between pods in Kubernetes and OpenShift or
containers within a runtime, it is highly advisable never to run a container as the
root user."* Binnie, Chris; McCune, Rory (2021-06-17T23:58:59). Cloud Native Security .
Wiley. Kindle Edition.

#### *To check if any containers allow for privilege escalation*: [privilege_escalation](docs/LIST_OF_TESTS.md#privilege-escalation)

> *When [privilege escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation) is [enabled for a container](https://hub.armo.cloud/docs/c-0016), it will allow setuid binaries to change the effective user ID, allowing processes to turn on extra capabilities.
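Review bot: Deleting the whole `non_root_user` rationale block (the heading plus the Binnie/McCune quotation) leaves the "never run a container as root" requirement undocumented in RATIONALE.md, even though points.yml in this same commit still ships `non_root_containers` as an essential, 100-point test. Rather than dropping the quotation, re-home it under a heading for the surviving test (linking to whatever anchor LIST_OF_TESTS.md uses for non_root_containers) so the rationale for that check is not lost.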
2 changes: 1 addition & 1 deletion config.yml
Expand Up @@ -15,5 +15,5 @@ toggles:
# kind) will be changed, rebooted, chaos tested, etc
- name: destructive
toggle_on: false
loglevel: info
loglevel: error

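Review bot: Raising the default `loglevel` from `info` to `error` silences every info-level line the suite emits out of the box, and neither the hunk nor the commit message says why; add a comment above `loglevel: error` stating the intent, and mention it in whatever documents config.yml, so operators are not surprised when runs go quiet. Also confirm the level can still be raised per run, since anyone debugging a failing test will need the info output back.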
156 changes: 77 additions & 79 deletions embedded_files/points.yml
Expand Up @@ -8,25 +8,25 @@
neutral: 0

- name: reasonable_image_size
tags: microservice, dynamic, workload, cert, normal
tags: [microservice, dynamic, workload, cert, normal]
- name: specialized_init_system
tags: microservice, dynamic, workload
tags: [microservice, dynamic, workload]
- name: reasonable_startup_time
tags: microservice, dynamic, workload, cert, normal
tags: [microservice, dynamic, workload, cert, normal]
- name: single_process_type
tags: microservice, dynamic, workload, essential, cert
tags: [microservice, dynamic, workload, essential, cert]
pass: 100
- name: service_discovery
tags: microservice, dynamic, workload, cert, bonus
tags: [microservice, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: shared_database
tags: microservice, dynamic, workload, cert, normal
tags: [microservice, dynamic, workload, cert, normal]
- name: sig_term_handled
tags: microservice, dynamic, workload, normal
tags: [microservice, dynamic, workload, normal]

- name: cni_compatible
tags: compatibility, dynamic, workload, cert, normal
tags: [compatibility, dynamic, workload, cert, normal]
# - name: cni_spec
# tags: compatibility, dynamic
#- name: api_snoop_alpha
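Review bot: Switching `tags` from a comma-separated scalar (`tags: microservice, dynamic, workload`) to a YAML flow sequence (`tags: [microservice, dynamic, workload]`) changes the parsed type from String to Array, so whatever code currently splits the tag string on commas must be updated in the same change or every test will read as having no tags; only the data file is visible in this diff, so point reviewers at the matching code change. The commented-out entries such as `# tags: compatibility, dynamic` keep the old scalar form and will break the moment someone uncomments them; convert them too or delete them.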
Expand All @@ -42,25 +42,23 @@
# tags: state, dynamic, configuration

- name: privileged
tags: security, dynamic, workload
tags: [security, dynamic, workload]
# required: true
- name: non_root_user
tags: security, dynamic, workload
- name: privilege_escalation
tags: security, dynamic, workload, cert, normal
tags: [security, dynamic, workload, cert, normal]
- name: symlink_file_system
tags: security, dynamic, workload, cert, normal
tags: [security, dynamic, workload, cert, normal]
- name: application_credentials
tags: security, dynamic, workload, cert, normal
tags: [security, dynamic, workload, cert, normal]
- name: host_network
tags: security, dynamic, workload, cert, normal
tags: [security, dynamic, workload, cert, normal]
#- name: shells
# tags: security, dynamic
#- name: protected_access
# tags: security, dynamic

- name: increase_decrease_capacity
tags: compatibility, dynamic, workload, essential, cert
tags: [compatibility, dynamic, workload, essential, cert]
pass: 100
#- name: small_autoscaling
# tags: compatibility, dynamic, workload
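Review bot: Removing the `non_root_user` entry is the data-side half of retiring that test; the hand-maintained expected-name list in spec/utils/cnf_manager_spec.cr and the RATIONALE.md section are updated elsewhere in this commit, but the commit message should say explicitly that `non_root_containers` is the surviving root-user check so nobody reads this as a loss of coverage. The `# required: true` comment left under `privileged` is now the only remnant of the old scoring convention in this block; drop it or turn it into a real key.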
Expand All @@ -69,29 +67,29 @@
# - name: network_chaos
# tags: resilience, dynamic, workload
- name: pod_network_latency
tags: resilience, dynamic, workload, cert, bonus
tags: [resilience, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: pod_network_corruption
tags: resilience, dynamic, workload, cert, bonus
tags: [resilience, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: pod_network_duplication
tags: resilience, dynamic, workload, cert, bonus
tags: [resilience, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: pod_delete
tags: resilience, dynamic, workload, cert, normal
tags: [resilience, dynamic, workload, cert, normal]
- name: pod_io_stress
tags: resilience, dynamic, workload, cert, bonus
tags: [resilience, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: pod_memory_hog
tags: resilience, dynamic, workload, cert, normal
tags: [resilience, dynamic, workload, cert, normal]
- name: disk_fill
tags: resilience, dynamic, workload, cert, normal
tags: [resilience, dynamic, workload, cert, normal]
- name: pod_dns_error
tags: resilience, dynamic, workload, cert, bonus
tags: [resilience, dynamic, workload, cert, bonus]
pass: 1
fail: 0
#- name: external_retry
Expand All @@ -100,43 +98,43 @@
#- name: versioned_helm_chart
# tags: configuration, dynamic, workload
- name: versioned_tag
tags: configuration, dynamic, workload
tags: [configuration, dynamic, workload]
- name: ip_addresses
pass: 0
fail: -1
tags: configuration, static, workload
tags: [configuration, static, workload]
- name: operator_installed
tags: configuration, dynamic, workload, cert, bonus
tags: [configuration, dynamic, workload, cert, bonus]
- name: liveness
tags: resilience, dynamic, workload, essential, cert
tags: [resilience, dynamic, workload, essential, cert]
pass: 100
- name: readiness
tags: resilience, dynamic, workload, essential, cert
tags: [resilience, dynamic, workload, essential, cert]
pass: 100
#- name: no_volume_with_configuration
# tags: configuration, dynamic
- name: rolling_update
tags: compatibility, dynamic, workload
tags: [compatibility, dynamic, workload]
- name: rolling_downgrade
tags: compatibility, dynamic, workload
tags: [compatibility, dynamic, workload]
- name: rolling_version_change
tags: compatibility, dynamic, workload
tags: [compatibility, dynamic, workload]
- name: rollback
tags: compatibility, dynamic, workload, cert, normal
tags: [compatibility, dynamic, workload, cert, normal]
- name: nodeport_not_used
tags: configuration, dynamic, workload, cert, normal
tags: [configuration, dynamic, workload, cert, normal]
- name: hostport_not_used
tags: configuration, dynamic, workload, essential, cert
tags: [configuration, dynamic, workload, essential, cert]
pass: 100
- name: hardcoded_ip_addresses_in_k8s_runtime_configuration
tags: configuration, dynamic, workload, essential, cert
tags: [configuration, dynamic, workload, essential, cert]
pass: 100
- name: secrets_used
tags: configuration, dynamic, workload, cert, bonus
tags: [configuration, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: immutable_configmap
tags: configuration, dynamic, workload, cert, bonus
tags: [configuration, dynamic, workload, cert, bonus]
pass: 1
fail: 0

Expand All @@ -152,11 +150,11 @@
# tags: observability, dynamic, workload

- name: helm_deploy
tags: compatibility, dynamic, workload, cert, normal
tags: [compatibility, dynamic, workload, cert, normal]
- name: helm_chart_valid
tags: compatibility, dynamic, workload, cert, normal
tags: [compatibility, dynamic, workload, cert, normal]
- name: helm_chart_published
tags: compatibility, dynamic, workload, cert, normal
tags: [compatibility, dynamic, workload, cert, normal]

# - name: chaos_network_loss
# tags: resilience, dynamic, workload
Expand All @@ -166,22 +164,22 @@
# tags: resilience, dynamic, workload

- name: volume_hostpath_not_found
tags: state, dynamic, workload
tags: [state, dynamic, workload]
- name: no_local_volume_configuration
tags: state, dynamic, workload, cert, bonus
tags: [state, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: elastic_volumes
tags: state, dynamic, workload, cert, bonus
tags: [state, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: database_persistence
tags: state, dynamic, workload
tags: [state, dynamic, workload]
pass5: 5
pass3: 3
fail: -1
- name: node_drain
tags: state, dynamic, workload, essential, cert
tags: [state, dynamic, workload, essential, cert]
pass: 100

#- name: hardware_and_scheduling
Expand All @@ -196,112 +194,112 @@
# tags: hardware, dynamic, workload

- name: k8s_conformance
tags: platform, dynamic
tags: [platform, dynamic]
- name: worker_reboot_recovery
tags: platform, platform:resilience, dynamic
tags: ["platform", "platform:resilience", dynamic]
- name: oci_compliant
tags: platform, platform:hardware_and_scheduling, dynamic
tags: ["platform", "platform:hardware_and_scheduling", dynamic]
- name: control_plane_hardening
tags: platform, platform:security, dynamic
tags: ["platform", "platform:security", "dynamic"]
- name: cluster_admin
tags: platform, platform:security, dynamic
tags: ["platform", "platform:security", "dynamic"]
- name: exposed_dashboard
tags: platform, platform:security, dynamic
tags: ["platform", "platform:security", "dynamic"]

- name: service_account_mapping
tags: security, dynamic, workload, cert, normal
tags: [security, dynamic, workload, cert, normal]

- name: privileged_containers
tags: security, dynamic, workload, essential, cert
tags: [security, dynamic, workload, essential, cert]
pass: 100

- name: non_root_containers
tags: security, dynamic, workload, essential, cert
tags: [security, dynamic, workload, essential, cert]
pass: 100

- name: host_pid_ipc_privileges
tags: security, dynamic, workload, cert, normal
tags: [security, dynamic, workload, cert, normal]

- name: linux_hardening
tags: security, dynamic, workload, cert, bonus
tags: [security, dynamic, workload, cert, bonus]
pass: 1
fail: 0

- name: resource_policies
tags: security, dynamic, workload, cert, essential
tags: [security, dynamic, workload, cert, essential]
pass: 100

- name: immutable_file_systems
tags: security, dynamic, workload, cert, bonus
tags: [security, dynamic, workload, cert, bonus]
pass: 1
fail: 0

- name: hostpath_mounts
tags: security, dynamic, workload, essential, cert
tags: [security, dynamic, workload, essential, cert]
pass: 100

- name: ingress_egress_blocked
tags: security, dynamic, workload, cert, bonus
tags: [security, dynamic, workload, cert, bonus]
pass: 1
fail: 0

- name: insecure_capabilities
tags: security, dynamic, workload, cert, normal
tags: [security, dynamic, workload, cert, normal]

- name: sysctls
tags: security, dynamic, workload, cert, normal
tags: [security, dynamic, workload, cert, normal]

- name: log_output
tags: observability, dynamic, workload, essential, cert
tags: [observability, dynamic, workload, essential, cert]
pass: 100
- name: prometheus_traffic
tags: observability, dynamic, workload, cert, bonus
tags: [observability, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: open_metrics
tags: observability, dynamic, workload, cert, bonus
tags: [observability, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: routed_logs
tags: observability, dynamic, workload, cert, bonus
tags: [observability, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: tracing
tags: observability, dynamic, workload, cert, bonus
tags: [observability, dynamic, workload, cert, bonus]
pass: 1
fail: 0
- name: alpha_k8s_apis
tags: configuration, dynamic, workload
tags: [configuration, dynamic, workload]

- name: container_sock_mounts
tags: security, dynamic, workload, essential, cert
tags: [security, dynamic, workload, essential, cert]
pass: 100

- name: require_labels
tags: configuration, dynamic, workload, cert, normal
tags: [configuration, dynamic, workload, cert, normal]

- name: helm_tiller
tags: platform, platform:security, dynamic
tags: ["platform", "platform:security", "dynamic"]

- name: external_ips
tags: security, dynamic, workload, cert, normal
tags: [security, dynamic, workload, cert, normal]

- name: selinux_options
tags: security, dynamic, workload, essential, cert
tags: [security, dynamic, workload, essential, cert]
pass: 100

- name: default_namespace
tags: configuration, dynamic, workload, cert, normal
tags: [configuration, dynamic, workload, cert, normal]

- name: latest_tag
tags: configuration, dynamic, workload, essential, cert
tags: [configuration, dynamic, workload, essential, cert]
pass: 100

- name: smf_upf_heartbeat
tags: 5g, dynamic
tags: [5g, dynamic]

- name: suci_enabled
tags: 5g, dynamic
tags: [5g, dynamic]

- name: oran_e2_connection
tags: ran, dynamic
tags: [ran, dynamic]
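Review bot: Quoting is inconsistent within this hunk: `worker_reboot_recovery` and `oci_compliant` use `["platform", "platform:resilience", dynamic]` with a bare `dynamic`, while `control_plane_hardening`, `cluster_admin`, `exposed_dashboard` and `helm_tiller` quote all three items. YAML parses both forms to the same strings, so this is style only, but pick one; the quotes matter only for the `platform:security`-style values, where they guard the colon against parsers that treat it specially, and the rest of the file leaves plain words unquoted.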
2 changes: 1 addition & 1 deletion spec/cnf_testsuite_all/cnf_testsuite_spec.cr
Expand Up @@ -37,7 +37,7 @@ describe CnfTestSuite do
# begin
# LOGGING.info `./cnf-testsuite cnf_setup cnf-config=./sample-cnfs/sample_privileged_cnf/cnf-testsuite.yml verbose wait_count=0`
# $?.success?.should be_true
# response_s = `./cnf-testsuite workload ~automatic_cnf_install ~ensure_cnf_installed ~configuration_file_setup ~compatibility ~state ~scalability ~configuration_lifecycle ~observability ~installability ~hardware_and_scheduling ~microservice ~resilience ~non_root_user`
# response_s = `./cnf-testsuite workload ~automatic_cnf_install ~ensure_cnf_installed ~configuration_file_setup ~compatibility ~state ~scalability ~configuration_lifecycle ~observability ~installability ~hardware_and_scheduling ~microservice ~resilience`
# LOGGING.info response_s
# $?.success?.should be_false
# (/Found.*privileged containers.*/ =~ response_s).should_not be_nil
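Review bot: Every line in this hunk is commented out, so removing `~non_root_user` from the argument string has no effect at runtime; if this spec is dead, delete the block instead of maintaining it, and if it is meant to return, add a comment saying what it is waiting on so the next person knows whether to revive or remove it.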
2 changes: 1 addition & 1 deletion spec/utils/cnf_manager_spec.cr
Expand Up @@ -146,7 +146,7 @@ describe "SampleUtils" do

it "'CNFManager::Points.all_task_test_names' should return all tasks names", tags: ["points"] do
CNFManager::Points.clean_results_yml
tags = ["alpha_k8s_apis", "application_credentials", "cni_compatible", "container_sock_mounts", "database_persistence", "default_namespace", "disk_fill", "elastic_volumes", "external_ips", "hardcoded_ip_addresses_in_k8s_runtime_configuration", "helm_chart_published", "helm_chart_valid", "helm_deploy", "host_network", "host_pid_ipc_privileges", "hostpath_mounts", "hostport_not_used", "immutable_configmap", "immutable_file_systems", "increase_decrease_capacity", "ingress_egress_blocked", "insecure_capabilities", "ip_addresses", "latest_tag", "linux_hardening", "liveness", "log_output", "no_local_volume_configuration", "node_drain", "nodeport_not_used", "non_root_containers", "non_root_user", "open_metrics", "operator_installed", "oran_e2_connection", "pod_delete", "pod_dns_error", "pod_io_stress", "pod_memory_hog", "pod_network_corruption", "pod_network_duplication", "pod_network_latency", "privilege_escalation", "privileged", "privileged_containers", "prometheus_traffic", "readiness", "reasonable_image_size", "reasonable_startup_time", "require_labels", "resource_policies", "rollback", "rolling_downgrade", "rolling_update", "rolling_version_change", "routed_logs", "secrets_used", "selinux_options", "service_account_mapping", "service_discovery", "shared_database", "sig_term_handled", "single_process_type", "smf_upf_heartbeat", "specialized_init_system", "suci_enabled", "symlink_file_system", "sysctls", "tracing", "versioned_tag", "volume_hostpath_not_found"]
tags = ["alpha_k8s_apis", "application_credentials", "cni_compatible", "container_sock_mounts", "database_persistence", "default_namespace", "disk_fill", "elastic_volumes", "external_ips", "hardcoded_ip_addresses_in_k8s_runtime_configuration", "helm_chart_published", "helm_chart_valid", "helm_deploy", "host_network", "host_pid_ipc_privileges", "hostpath_mounts", "hostport_not_used", "immutable_configmap", "immutable_file_systems", "increase_decrease_capacity", "ingress_egress_blocked", "insecure_capabilities", "ip_addresses", "latest_tag", "linux_hardening", "liveness", "log_output", "no_local_volume_configuration", "node_drain", "nodeport_not_used", "non_root_containers", "open_metrics", "operator_installed", "oran_e2_connection", "pod_delete", "pod_dns_error", "pod_io_stress", "pod_memory_hog", "pod_network_corruption", "pod_network_duplication", "pod_network_latency", "privilege_escalation", "privileged", "privileged_containers", "prometheus_traffic", "readiness", "reasonable_image_size", "reasonable_startup_time", "require_labels", "resource_policies", "rollback", "rolling_downgrade", "rolling_update", "rolling_version_change", "routed_logs", "secrets_used", "selinux_options", "service_account_mapping", "service_discovery", "shared_database", "sig_term_handled", "single_process_type", "smf_upf_heartbeat", "specialized_init_system", "suci_enabled", "symlink_file_system", "sysctls", "tracing", "versioned_tag", "volume_hostpath_not_found"]
(CNFManager::Points.all_task_test_names()).sort.should eq(tags.sort)
end

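Review bot: The expected-name array here is a hand-maintained mirror of embedded_files/points.yml, and dropping `"non_root_user"` keeps it in step for now, but the next tag change will need the same manual edit; consider deriving the expected names from the embedded points.yml (or a fixture copy of it) so the test checks `all_task_test_names` against the real source instead of a duplicated literal. The `sort.should eq(tags.sort)` comparison is order-insensitive, which is fine.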