Startseite Erkunden Hilfe
Anmelden
rht
/
acs-playbooks
2
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: ec2e7baf4f
Branches Tags
acs-playbooks
/
roles
/
fix-policies
/
files
/
fix-policies.sh

fix-policies.sh 6.0 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172 
  1. #!/bin/bash
    2. 

  2. #
    3. 

  3. # Generate modified policies. Patch existing modified policies to disable them.
    4. 

  4. #
    5. 

  5. # Need files:
    6. 

  6. #   policyexport (a dump of all policies)
    7. 

  7. #   roxctl-token (api auth token)
    8. 

  8. #
    9. 

  9. E=central-rhacs.apps.ocp4.example.com
    10. 

  10. T=$(cat roxctl-token)
    11. 

  11. 

  12. DISABLED_POLICY_LIST=(
    13. 

  13. 	"ADD Command used instead of COPY"
    14. 

  14. 	"Container using read-write root filesystem"
    15. 

  15. 	"Curl in Image"
    16. 

  16. 	"Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches"
    17. 

  17. 	"Docker CIS 5.21: Ensure the default seccomp profile is not disabled"
    18. 

  18. 	"Fixable CVSS >= 7"
    19. 

  19. 	"Images with no scans"
    20. 

  20. 	"Login Binaries"
    21. 

  21. 	"Password Binaries"
    22. 

  22. 	"Process with UID 0"
    23. 

  23. 	"Required Annotation: Email"
    24. 

  24. 	"Required Annotation: Owner/Team"
    25. 

  25. 	"Required Image Label"
    26. 

  26. 	"Required Label: Owner/Team"
    27. 

  27. 	"Secret Mounted as Environment Variable"
    28. 

  28. 	"SetUID Processes"
    29. 

  29. 	"Shadow File Modification"
    30. 

  30. 	"Shell Management"
    31. 

  31. 	"Wget in Image"
    32. 

  32.     )
    33. 

  33. 

  34. ENABLED_POLICY_LIST=(
    35. 

  35. 	"30-Day Scan Age"
    36. 

  36. 	"Alpine Linux Package Manager Execution"
    37. 

  37. 	"Apache Struts: CVE-2017-5638"
    38. 

  38. 	"CAP_SYS_ADMIN capability added"
    39. 

  39. 	"Compiler Tool Execution"
    40. 

  40. 	"Cryptocurrency Mining Process Execution"
    41. 

  41. 	"Docker CIS 4.7: Alert on Update Instruction"
    42. 

  42. 	"Docker CIS 5.1 Ensure that, if applicable, an AppArmor Profile is enabled"
    43. 

  43. 	"Docker CIS 5.19: Ensure mount propagation mode is not enabled"
    44. 

  44. 	"Emergency Deployment Annotation"
    45. 

  45. 	"Improper Usage of Orchestrator Secrets Volume"
    46. 

  46. 	"Insecure specified in CMD"
    47. 

  47. 	"Iptables Executed in Privileged Container"
    48. 

  48. 	"Kubernetes Actions: Exec into Pod"
    49. 

  49. 	"Kubernetes Actions: Port Forward to Pod"
    50. 

  50. 	"Kubernetes Dashboard Deployed"
    51. 

  51. 	"Latest tag"
    52. 

  52. 	"Linux Group Add Execution"
    53. 

  53. 	"Linux User Add Execution"
    54. 

  54. 	"Log4Shell: log4j Remote Code Execution vulnerability"
    55. 

  55. 	"Netcat Execution Detected"
    56. 

  56. 	"Network Management Execution"
    57. 

  57. 	"OpenShift: Advanced Cluster Security Central Admin Secret Accessed"
    58. 

  58. 	"OpenShift: Kubeadmin Secret Accessed"
    59. 

  59. 	"OpenShift: Kubernetes Secret Accessed by an Impersonated User"
    60. 

  60. 	"Process Targeting Cluster Kubelet Endpoint"
    61. 

  61. 	"Process Targeting Cluster Kubernetes Docker Stats Endpoint"
    62. 

  62. 	"Process Targeting Kubernetes Service Endpoint"
    63. 

  63. 	"Red Hat Package Manager Execution"
    64. 

  64. 	"Remote File Copy Binary Execution"
    65. 

  65. 	"Secure Shell (ssh) Port Exposed"
    66. 

  66. 	"Secure Shell (ssh) Port Exposed in Image"
    67. 

  67. 	"Secure Shell Server (sshd) Execution"
    68. 

  68. 	"Shell Spawned by Java Application"
    69. 

  69. 	"Ubuntu Package Manager Execution"
    70. 

  70. 	"Ubuntu Package Manager in Image"
    71. 

  71. 	"Unauthorized Network Flow"
    72. 

  72. 	"Unauthorized Process Execution"
    73. 

  73. 	"chkconfig Execution"
    74. 

  74. 	"crontab Execution"
    75. 

  75. 	"iptables Execution"
    76. 

  76. 	"nmap Execution"
    77. 

  77. 	"systemctl Execution"
    78. 

  78. 	"systemd Execution"
    79. 

  79.     )
    80. 

  80. 

  81. FIX_POLICY_LIST=(
    82. 

  82. 	"90-Day Image Age"
    83. 

  83. 	"Alpine Linux Package Manager (apk) in Image"
    84. 

  84. 	"Docker CIS 4.1: Ensure That a User for the Container Has Been Created"
    85. 

  85. 	"Docker CIS 5.15: Ensure that the host's process namespace is not shared"
    86. 

  86. 	"Docker CIS 5.16: Ensure that the host's IPC namespace is not shared"
    87. 

  87. 	"Docker CIS 5.7: Ensure privileged ports are not mapped within containers"
    88. 

  88. 	"Docker CIS 5.9 and 5.20: Ensure that the host's network namespace is not shared"
    89. 

  89. 	"Environment Variable Contains Secret"
    90. 

  90. 	"Fixable CVSS >= 6 and Privileged"
    91. 

  91. 	"Fixable Severity at least Important"
    92. 

  92. 	"Mount Container Runtime Socket"
    93. 

  93. 	"Mounting Sensitive Host Directories"
    94. 

  94. 	"No resource requests or limits specified"
    95. 

  95. 	"Pod Service Account Token Automatically Mounted"	
    96. 

  96. 	"Privileged Container"
    97. 

  97. 	"Red Hat Package Manager in Image"
    98. 

  98.     )
    99. 

  99. 

  100. echo "Fixed policies: ${#FIX_POLICY_LIST[*]}"
    101. 

  101. echo "Enabled policies: ${#ENABLED_POLICY_LIST[*]}"
    102. 

  102. echo "Disabled policies: ${#DISABLED_POLICY_LIST[*]}"
    103. 

  103. 

  104. # Export current policies.
    105. 

  105. # TODO: decide when to use backup and when to use current state
    106. 

  106. # XXX: can't delete system policies anyway
    107. 

  107. 

  108. oldIFS="${IFS}"
    109. 

  109. newIFS='
    110. 

  110. '
    111. 

  111. IFS="${newIFS}"
    112. 

  112. for p in ${DISABLED_POLICY_LIST[*]}; do
    113. 

  113.     id="$(jq -r '.policies[] | select(.name == "'${p}'") | .id' < policyexport)"
    114. 

  114.     if [ -z "${id}" ]; then
    115. 

  115. 	echo "ERROR: Could not look up ID of \"${p}\"!"
    116. 

  116. 	continue
    117. 

  117.     fi
    118. 

  118.     echo -n "Disabling \"${p}\" ($id)... "
    119. 

  119.     curl -ks -XPATCH -H "Authorization: Bearer ${T}" -d '{"id": "'${id}'", "disabled": true}' https://${E}/v1/policies/${id}
    120. 

  120.     echo
    121. 

  121. done
    122. 

  122. 

  123. for p in ${ENABLED_POLICY_LIST[*]}; do
    124. 

  124.     id="$(jq -r '.policies[] | select(.name == "'${p}'") | .id' < policyexport)"
    125. 

  125.     if [ -z "${id}" ]; then
    126. 

  126. 	echo "ERROR: Could not look up ID of \"${p}\"!"
    127. 

  127. 	continue
    128. 

  128.     fi
    129. 

  129.     echo -n "Enabling \"${p}\" ($id)... "
    130. 

  130.     curl -ks -XPATCH -H "Authorization: Bearer ${T}" -d '{"id": "'${id}'", "disabled": false}' https://${E}/v1/policies/${id}
    131. 

  131.     echo
    132. 

  132. done
    133. 

  133. 

  134. for p in ${FIX_POLICY_LIST[*]}; do
    135. 

  135.     # find matching policies
    136. 

  136.     ids="$(jq -r '.policies[] | select(.name | test("(?i)^'${p//[()]/.}'")) | .id' < policyexport)"
    137. 

  137.     if [ -z "${ids}" ]; then
    138. 

  138. 	echo "ERROR: Could not look up ID(s) of \"${p//[()]/.}\"!"
    139. 

  139. 	continue
    140. 

  140.     fi
    141. 

  141.     # how many?
    142. 

  142.     nmatch=$(echo "${ids}" | wc -l | tr -d '[[:space:]]')
    143. 

  143.     echo "Found ${nmatch} policies matching \"${p}\"..."
    144. 

  144.     if [ ${nmatch} -gt 1 ]; then
    145. 

  145. 	# delete the one(s) that are not an exact match
    146. 

  146. 	id="$(jq -r '.policies[] | select(.name == "'${p}'") | .id' < policyexport)"
    147. 

  147. 	if [ -z "${id}" ]; then
    148. 

  148. 	    echo "ERROR: Could not find exact match for \"${p}\"!"
    149. 

  149. 	    continue
    150. 

  150. 	fi
    151. 

  151. 	xtraids="$(echo "${ids}" | grep -v ${id})"
    152. 

  152. 	for rmid in ${xtraids}; do
    153. 

  153. 	    echo -n "  - removing: ${rmid}"
    154. 

  154. 	    curl -ks -XDELETE -H "Authorization: Bearer ${T}" https://${E}/v1/policies/${rmid}
    155. 

  155. 	    echo
    156. 

  156. 	done
    157. 

  157.     else
    158. 

  158. 	id="${ids}"
    159. 

  159.     fi
    160. 

  160. 

  161.     echo "  - keeping: ${id}"
    162. 

  162.     echo -n "      disabling... "
    163. 

  163.     curl -ks -XPATCH -H "Authorization: Bearer ${T}" -d '{"id": "'${id}'", "disabled": true}' https://${E}/v1/policies/${id}
    164. 

  164.     echo
    165. 

  165.     echo -n "      creating patched copy... "
    166. 

  166.     PAYLOAD="$(jq '.policies[] | select(.id == "'${id}'") | .exclusions |= [ { "name": "Skip system namespaces", "deployment": { "name": "", "scope": { "cluster": "", "namespace": "^kube-.*|^openshift-.*|^istio-.*|^rhacs$|^stackrox$", "label": null } }, "image": null, "expiration": null } ] | .name |= . + " (non-system)" | .id |= "" | .disabled |= false' < policyexport)"
    167. 

  167.     curl -ks -XPOST -H "Authorization: Bearer ${T}" -d "${PAYLOAD}" https://${E}/v1/policies
    168. 

  168.     echo
    169. 

  169. done
    170. 

  170. IFS="${oldIFS}"
    171. 

  171. unset oldIFS newIFS
    172. 

  172.