regolibrary
Why are some controls not in the AllControls framework?
For example, control C-0260 is not in the framework, but C-0262 is.
The problem is that for an air-gapped environment, the user will add the --use-artifacts-from flag, like
kubescape scan control C-0260 --use-artifacts-from=artifacts
For C-0262 it's totally fine, but C-0260 will fail with the error: controlID: C-0260: framework from file not matching
It seems this is because the C-0260 control is not in the AllControls framework.
Hi and thanks for opening the issue!
Some controls are specific to the security framework, so we thought for now of not including them in other frameworks like allcontrols.
They might not be "generic" enough to be used in other frameworks.
Is there some specific reason why you would use that control?
:)
@alegrey91 Thanks for the reply. The problem is that I ran kubescape scan in the air-gapped environment; the report said controls C-260 & C-262 failed and could be specified by running
kubescape scan control C-260 --use-artifacts-from=my-air-gapped-artifacts-storage
However, it failed with the error message 'controlID: C-0260: framework from file not matching'
After I added C-260 into allcontrol.json manually, the scan was successful.
My problem is that this seems kind of confusing for users, since some controls can be scanned but some cannot.
Also, the description of allcontrol.json says "Contains all the controls from all the frameworks", but it seems not to be the case; as you said, the control C-260 is only located in security.json.
@yuleib @YiscahLevySilas1 do you see problems of adding these controls into the allcontrols framework? @jeffmou787 could you eventually provide your fix?
@slashben - please kindly advise here :)
I just added the C-0260 info to the ControlsIDs and controls arrays in allcontrols.json, just like the other controls in the file.
@jeffmou787 - did you open this fix via a new branch?
Hi @jeffmou787, thanks for raising this issue.
It was a conscious decision not to include some controls in the allcontrols framework such as the CIS controls and those of the security framework, but I agree that the name and description are misleading. @yuleib we should discuss with @yossi77 how to clarify this.
As for the issue - IMO what we should address here is the ability to run any control in an air-gapped environment, also those that are not in allcontrols framework, just as it works when running regularly: kubescape scan control C-0260
To do that we need to load the control not from any specific framework file but from the controls file, which we currently don't download in the download artifacts command. Something to notice here is that the controls.json in the regolibrary release does not include the rules themselves, to avoid creating a very large file, and in the usual flow (not air-gapped) the gitregostore handles filling the controls with the rules. @alegrey91 Perhaps we should expand the gitregostore to handle local files, and then the air-gapped flow could be the same.
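A small diagnostic for the situation reported in this thread (a control that scans fine online but fails with --use-artifacts-from because no downloaded framework file lists it). This is an added example, not kubescape or regolibrary code. It assumes only that each framework JSON file in the artifacts directory has a top-level "controlsIDs" array (the key mentioned above); the two sample framework files it writes are constructed here to reproduce the C-0260 / C-0262 case.

```python
"""Check which downloaded framework files reference a given control ID.

Added example, not kubescape or regolibrary code. Assumption: a framework
file is a JSON object with a top-level "controlsIDs" array. The sample
files below are constructed to mirror the case in the issue thread.
"""
import json
import os
import tempfile

# Constructed sample artifacts: security.json lists C-0260 and C-0262,
# allcontrols.json lists C-0262 but not C-0260.
SAMPLE_FRAMEWORKS = {
    "allcontrols.json": {"name": "AllControls", "controlsIDs": ["C-0262", "C-0001"]},
    "security.json": {"name": "security", "controlsIDs": ["C-0260", "C-0262"]},
}


def write_sample_artifacts(directory):
    """Write the constructed framework files into an artifacts directory."""
    for filename, content in SAMPLE_FRAMEWORKS.items():
        with open(os.path.join(directory, filename), "w", encoding="utf-8") as fh:
            json.dump(content, fh)
    return directory


def load_frameworks(directory):
    """Map framework file name -> set of control IDs it references.

    Files without a "controlsIDs" list (e.g. controls.json itself) are skipped.
    """
    frameworks = {}
    for filename in sorted(os.listdir(directory)):
        if not filename.endswith(".json"):
            continue
        with open(os.path.join(directory, filename), encoding="utf-8") as fh:
            data = json.load(fh)
        ids = data.get("controlsIDs") if isinstance(data, dict) else None
        if isinstance(ids, list):
            frameworks[filename] = {str(i).upper() for i in ids}
    return frameworks


def frameworks_containing(directory, control_id):
    """Framework files in the artifacts directory that reference control_id."""
    wanted = control_id.upper()
    return sorted(name for name, ids in load_frameworks(directory).items() if wanted in ids)


def missing_from(directory, framework_file, other_file):
    """Control IDs present in other_file but absent from framework_file."""
    fw = load_frameworks(directory)
    return sorted(fw.get(other_file, set()) - fw.get(framework_file, set()))


def diagnose_sample(control_id="C-0260"):
    """Run both checks against the constructed sample files and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_artifacts(tmp)
        return {
            "found_in": frameworks_containing(tmp, control_id),
            "missing_from_allcontrols": missing_from(tmp, "allcontrols.json", "security.json"),
        }


if __name__ == "__main__":
    for cid in ("C-0260", "C-0262"):
        result = diagnose_sample(cid)
        print(cid, "referenced by:", result["found_in"] or "no framework file")
    print("in security.json but not in allcontrols.json:",
          diagnose_sample()["missing_from_allcontrols"])
```

Pointing load_frameworks at a real directory produced by the download artifacts command shows at a glance which controls can be selected with --use-artifacts-from and which cannot, which is the mismatch the error message above reports.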
@dwertent cc