Página Principal Explorar Ajuda
Iniciar Sessão
rht
/
acs-playbooks
2
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Ramo: acs-solutions
Ramos Etiquetas
acs-playbooks
/
roles
/
fix-policies
/
files
/
fix-policies.sh

fix-policies.sh 6.1 KB
Link permanente Histórico Em bruto

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173 
  1. #!/bin/bash
    2. 

  2. #
    3. 

  3. # Generate modified policies. Patch existing modified policies to disable them.
    4. 

  4. #
    5. 

  5. # Need files:
    6. 

  6. #   policyexport (a dump of all policies)
    7. 

  7. #   roxctl-token (api auth token)
    8. 

  8. #
    9. 

  9. E=central-rhacs.apps.ocp4.example.com
    10. 

  10. T=$(cat roxctl-token)
    11. 

  11. 

  12. DISABLED_POLICY_LIST=(
    13. 

  13. 	"ADD Command used instead of COPY"
    14. 

  14. 	"Container using read-write root filesystem"
    15. 

  15. 	"Curl in Image"
    16. 

  16. 	"Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches"
    17. 

  17. 	"Docker CIS 5.21: Ensure the default seccomp profile is not disabled"
    18. 

  18. 	"Fixable CVSS >= 7"
    19. 

  19. 	"Images with no scans"
    20. 

  20. 	"Login Binaries"
    21. 

  21. 	"Password Binaries"
    22. 

  22. 	"Process with UID 0"
    23. 

  23. 	"Required Annotation: Email"
    24. 

  24. 	"Required Annotation: Owner/Team"
    25. 

  25. 	"Required Image Label"
    26. 

  26. 	"Required Label: Owner/Team"
    27. 

  27. 	"Secret Mounted as Environment Variable"
    28. 

  28. 	"SetUID Processes"
    29. 

  29. 	"Shadow File Modification"
    30. 

  30. 	"Shell Management"
    31. 

  31. 	"Wget in Image"
    32. 

  32.     )
    33. 

  33. 

  34. ENABLED_POLICY_LIST=(
    35. 

  35. 	"30-Day Scan Age"
    36. 

  36. 	"Alpine Linux Package Manager Execution"
    37. 

  37. 	"Apache Struts: CVE-2017-5638"
    38. 

  38. 	"CAP_SYS_ADMIN capability added"
    39. 

  39. 	"Compiler Tool Execution"
    40. 

  40. 	"Cryptocurrency Mining Process Execution"
    41. 

  41. 	"Docker CIS 4.7: Alert on Update Instruction"
    42. 

  42. 	"Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled"
    43. 

  43. 	"Docker CIS 5.19: Ensure mount propagation mode is not enabled"
    44. 

  44. 	"Emergency Deployment Annotation"
    45. 

  45. 	"Improper Usage of Orchestrator Secrets Volume"
    46. 

  46. 	"Insecure specified in CMD"
    47. 

  47. 	"Iptables Executed in Privileged Container"
    48. 

  48. 	"Kubernetes Actions: Exec into Pod"
    49. 

  49. 	"Kubernetes Actions: Port Forward to Pod"
    50. 

  50. 	"Kubernetes Dashboard Deployed"
    51. 

  51. 	"Latest tag"
    52. 

  52. 	"Linux Group Add Execution"
    53. 

  53. 	"Linux User Add Execution"
    54. 

  54. 	"Log4Shell: log4j Remote Code Execution vulnerability"
    55. 

  55. 	"Netcat Execution Detected"
    56. 

  56. 	"Network Management Execution"
    57. 

  57. 	"OpenShift: Advanced Cluster Security Central Admin Secret Accessed"
    58. 

  58. 	"OpenShift: Kubeadmin Secret Accessed"
    59. 

  59. 	"OpenShift: Kubernetes Secret Accessed by an Impersonated User"
    60. 

  60. 	"Process Targeting Cluster Kubelet Endpoint"
    61. 

  61. 	"Process Targeting Cluster Kubernetes Docker Stats Endpoint"
    62. 

  62. 	"Process Targeting Kubernetes Service Endpoint"
    63. 

  63. 	"Red Hat Package Manager Execution"
    64. 

  64. 	"Remote File Copy Binary Execution"
    65. 

  65. 	"Secure Shell (ssh) Port Exposed"
    66. 

  66. 	"Secure Shell (ssh) Port Exposed in Image"
    67. 

  67. 	"Secure Shell Server (sshd) Execution"
    68. 

  68. 	"Shell Spawned by Java Application"
    69. 

  69. 	"Ubuntu Package Manager Execution"
    70. 

  70. 	"Ubuntu Package Manager in Image"
    71. 

  71. 	"Unauthorized Network Flow"
    72. 

  72. 	"Unauthorized Process Execution"
    73. 

  73. 	"chkconfig Execution"
    74. 

  74. 	"crontab Execution"
    75. 

  75. 	"iptables Execution"
    76. 

  76. 	"nmap Execution"
    77. 

  77. 	"systemctl Execution"
    78. 

  78. 	"systemd Execution"
    79. 

  79.     )
    80. 

  80. 

  81. FIX_POLICY_LIST=(
    82. 

  82. 	"90-Day Image Age"
    83. 

  83. 	"Alpine Linux Package Manager (apk) in Image"
    84. 

  84. 	"Docker CIS 4.1: Ensure That a User for the Container Has Been Created"
    85. 

  85. 	"Docker CIS 5.15: Ensure that the host's process namespace is not shared"
    86. 

  86. 	"Docker CIS 5.16: Ensure that the host's IPC namespace is not shared"
    87. 

  87. 	"Docker CIS 5.7: Ensure privileged ports are not mapped within containers"
    88. 

  88. 	"Docker CIS 5.9 and 5.20: Ensure that the host's network namespace is not shared"
    89. 

  89. 	"Environment Variable Contains Secret"
    90. 

  90. 	"Fixable CVSS >= 6 and Privileged"
    91. 

  91. 	"Fixable Severity at least Important"
    92. 

  92. 	"Mount Container Runtime Socket"
    93. 

  93. 	"Mounting Sensitive Host Directories"
    94. 

  94. 	"No resource requests or limits specified"
    95. 

  95. 	"Pod Service Account Token Automatically Mounted"	
    96. 

  96. 	"Privileged Container"
    97. 

  97. 	"Red Hat Package Manager Execution"
    98. 

  98. 	"Red Hat Package Manager in Image"
    99. 

  99.     )
    100. 

  100. 

  101. echo "Fixed policies: ${#FIX_POLICY_LIST[*]}"
    102. 

  102. echo "Enabled policies: ${#ENABLED_POLICY_LIST[*]}"
    103. 

  103. echo "Disabled policies: ${#DISABLED_POLICY_LIST[*]}"
    104. 

  104. 

  105. # Export current policies.
    106. 

  106. # TODO: decide when to use backup and when to use current state
    107. 

  107. # XXX: can't delete system policies anyway
    108. 

  108. 

  109. oldIFS="${IFS}"
    110. 

  110. newIFS='
    111. 

  111. '
    112. 

  112. IFS="${newIFS}"
    113. 

  113. for p in ${DISABLED_POLICY_LIST[*]}; do
    114. 

  114.     id="$(jq -r '.policies[] | select(.name == "'${p}'") | .id' < policyexport)"
    115. 

  115.     if [ -z "${id}" ]; then
    116. 

  116. 	echo "ERROR: Could not look up ID of \"${p}\"!"
    117. 

  117. 	continue
    118. 

  118.     fi
    119. 

  119.     echo -n "Disabling \"${p}\" ($id)... "
    120. 

  120.     curl -ks -XPATCH -H "Authorization: Bearer ${T}" -d '{"id": "'${id}'", "disabled": true}' https://${E}/v1/policies/${id}
    121. 

  121.     echo
    122. 

  122. done
    123. 

  123. 

  124. for p in ${ENABLED_POLICY_LIST[*]}; do
    125. 

  125.     id="$(jq -r '.policies[] | select(.name == "'${p}'") | .id' < policyexport)"
    126. 

  126.     if [ -z "${id}" ]; then
    127. 

  127. 	echo "ERROR: Could not look up ID of \"${p}\"!"
    128. 

  128. 	continue
    129. 

  129.     fi
    130. 

  130.     echo -n "Enabling \"${p}\" ($id)... "
    131. 

  131.     curl -ks -XPATCH -H "Authorization: Bearer ${T}" -d '{"id": "'${id}'", "disabled": false}' https://${E}/v1/policies/${id}
    132. 

  132.     echo
    133. 

  133. done
    134. 

  134. 

  135. for p in ${FIX_POLICY_LIST[*]}; do
    136. 

  136.     # find matching policies
    137. 

  137.     ids="$(jq -r '.policies[] | select(.name | test("(?i)^'${p//[()]/.}'")) | .id' < policyexport)"
    138. 

  138.     if [ -z "${ids}" ]; then
    139. 

  139. 	echo "ERROR: Could not look up ID(s) of \"${p//[()]/.}\"!"
    140. 

  140. 	continue
    141. 

  141.     fi
    142. 

  142.     # how many?
    143. 

  143.     nmatch=$(echo "${ids}" | wc -l | tr -d '[[:space:]]')
    144. 

  144.     echo "Found ${nmatch} policies matching \"${p}\"..."
    145. 

  145.     if [ ${nmatch} -gt 1 ]; then
    146. 

  146. 	# delete the one(s) that are not an exact match
    147. 

  147. 	id="$(jq -r '.policies[] | select(.name == "'${p}'") | .id' < policyexport)"
    148. 

  148. 	if [ -z "${id}" ]; then
    149. 

  149. 	    echo "ERROR: Could not find exact match for \"${p}\"!"
    150. 

  150. 	    continue
    151. 

  151. 	fi
    152. 

  152. 	xtraids="$(echo "${ids}" | grep -v ${id})"
    153. 

  153. 	for rmid in ${xtraids}; do
    154. 

  154. 	    echo -n "  - removing: ${rmid}"
    155. 

  155. 	    curl -ks -XDELETE -H "Authorization: Bearer ${T}" https://${E}/v1/policies/${rmid}
    156. 

  156. 	    echo
    157. 

  157. 	done
    158. 

  158.     else
    159. 

  159. 	id="${ids}"
    160. 

  160.     fi
    161. 

  161. 

  162.     echo "  - keeping: ${id}"
    163. 

  163.     echo -n "      disabling... "
    164. 

  164.     curl -ks -XPATCH -H "Authorization: Bearer ${T}" -d '{"id": "'${id}'", "disabled": true}' https://${E}/v1/policies/${id}
    165. 

  165.     echo
    166. 

  166.     echo -n "      creating patched copy... "
    167. 

  167.     PAYLOAD="$(jq '.policies[] | select(.id == "'${id}'") | .exclusions |= [ { "name": "Skip system namespaces", "deployment": { "name": "", "scope": { "cluster": "", "namespace": "^kube-.*|^openshift-.*|^istio-.*|^rhacs$|^stackrox$", "label": null } }, "image": null, "expiration": null } ] | .name |= . + " (non-system)" | .id |= "" | .disabled |= false' < policyexport)"
    168. 

  168.     curl -ks -XPOST -H "Authorization: Bearer ${T}" -d "${PAYLOAD}" https://${E}/v1/policies
    169. 

  169.     echo
    170. 

  170. done
    171. 

  171. IFS="${oldIFS}"
    172. 

  172. unset oldIFS newIFS
    173. 

  173.