
Cannot exclude particular rules from Control

Open RomanTheLegend opened this issue 10 months ago • 1 comments

Description

When applying posturePolicies for a given control, the ruleName section doesn't seem to build a proper list of rule exclusions, but rather applies an all-or-nothing approach.

For example, for the C-0211 control I want to scan for some rules like the privileged container rule rule-privilege-escalation & immutable-container-filesystem, but don't scan for set-seLinuxOptions, drop-capability-netraw and a few other rules.

According to the documentation, I should pass a map, but when I do that it excludes from the scan even the rules I need. I took this as a reference:

https://github.com/kubescape/regolibrary/blob/e98a0d43c5c1d74da5233ce83e9afae9e86ffb9e/controls/C-0211-applysecuritycontexttoyourpodsandcontainers.json

{
    "name": "exclude-excessive-security-context",
    "policyType": "postureExceptionPolicy",
    "actions": [
        "alertOnly"
    ],
    "resources": [
        {
            "designatorType": "Attributes",
            "attributes": {
                "kind": ".*"
            }
        }
    ],
    "posturePolicies": [
        {
            "controlID": "C-0211",
            "ruleName": [
                "drop-capability-netraw",
                "set-seLinuxOptions",
                "set-seccomp-profile",
                "set-procmount-default",
                "set-sysctls-params",
                "set-supplementalgroups-values"
            ]
        }
    ]
}

This completely skips the control.

On the other hand, this:

{
    "name": "exclude-excessive-security-context",
    "policyType": "postureExceptionPolicy",
    "actions": [
        "alertOnly"
    ],
    "resources": [
        {
            "designatorType": "Attributes",
            "attributes": {
                "kind": ".*"
            }
        }
    ],
    "posturePolicies": [
        {
            "controlID": "C-0211",
            "ruleName": "drop-capability-netraw"
        },
        {
            "controlID": "C-0211",
            "ruleName": "set-seLinuxOptions"
        },
        {
            "controlID": "C-0211",
            "ruleName": "set-seccomp-profile"
        },
        {
            "controlID": "C-0211",
            "ruleName": "set-procmount-default"
        },
        {
            "controlID": "C-0211",
            "ruleName": "set-sysctls-params"
        },
        {
            "controlID": "C-0211",
            "ruleName": "set-supplementalgroups-values"
        }
    ]
}

checks every rule regardless of whether it's on the list or not.

Could you please either provide an example of proper use or confirm this is a bug?

https://github.com/kubescape/kubescape/tree/master/examples/exceptions

Kubescape v3.0.8

RomanTheLegend, Apr 04 '24 15:04

Hi @RomanTheLegend, thanks for the report, we'll look at it very soon. cc @YiscahLevySilas1

matthyx, Apr 05 '24 05:04

Any update on this one?

RomanTheLegend, Jun 06 '24 17:06

AFAIK this is by design: the "lowest" level we show results for is control by resource, so it wouldn't make sense to not run the whole control. We need to fix the documentation of the exceptions, thanks for bringing this up. cc @dwertent

In your particular case you can run controls C-0057 and C-0017, as they run only the rules rule-privilege-escalation and immutable-container-filesystem respectively.

YiscahLevySilas1, Jun 09 '24 06:06
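The maintainer's answer generalises to a small selection problem: because exceptions only work at control granularity, the way to scan some rules of a control but not others is to find other controls whose rule sets contain only the rules you want. The script below, added here as an illustration and not code from the kubescape project or anyone in this thread, does that selection and emits a whole-control exception in the issue's format; the CONTROL_RULES mapping is constructed from what the thread states and is an assumption, not the full regolibrary.

```python
import json

# Constructed from the thread (an assumption, not the complete regolibrary mapping):
# C-0211 bundles many security-context rules; C-0057 and C-0017 each run one of them.
CONTROL_RULES = {
    "C-0211": {"rule-privilege-escalation", "immutable-container-filesystem",
               "drop-capability-netraw", "set-seLinuxOptions", "set-seccomp-profile",
               "set-procmount-default", "set-sysctls-params",
               "set-supplementalgroups-values"},
    "C-0057": {"rule-privilege-escalation"},
    "C-0017": {"immutable-container-filesystem"},
}

WANTED = {"rule-privilege-escalation", "immutable-container-filesystem"}
UNWANTED = {"set-seLinuxOptions", "drop-capability-netraw"}  # the issue lists a few more


def select_controls(control_rules, wanted, unwanted):
    """Pick controls to scan when exclusions can only be control-granular.

    A control qualifies if it runs at least one wanted rule and none of the
    unwanted ones. A control mixing both (C-0211 here) cannot be narrowed with
    a ruleName exception, so it is left out and must be excluded whole."""
    chosen = [cid for cid, rules in control_rules.items()
              if rules & wanted and not rules & unwanted]
    return sorted(chosen)


def uncovered_rules(control_rules, chosen, wanted):
    """Wanted rules that no selected control runs; non-empty means a real gap."""
    covered = set().union(*(control_rules[c] for c in chosen)) if chosen else set()
    return sorted(wanted - covered)


def control_exception(name, control_ids):
    """Exception policy in the issue's own format, one entry per control and
    deliberately without ruleName, which the maintainers say does not narrow it."""
    return {
        "name": name,
        "policyType": "postureExceptionPolicy",
        "actions": ["alertOnly"],
        "resources": [{"designatorType": "Attributes", "attributes": {"kind": ".*"}}],
        "posturePolicies": [{"controlID": cid} for cid in control_ids],
    }


if __name__ == "__main__":
    chosen = select_controls(CONTROL_RULES, WANTED, UNWANTED)
    print("scan controls:", chosen, "gaps:", uncovered_rules(CONTROL_RULES, chosen, WANTED))
    print(json.dumps(control_exception("exclude-excessive-security-context", ["C-0211"]), indent=2))
```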