mirror of
https://github.com/projectdiscovery/nuclei-templates.git
synced 2026-01-31 15:53:33 +08:00
47 lines
1.7 KiB
YAML
47 lines
1.7 KiB
YAML
id: k8s-readonly-fs
|
|
|
|
info:
|
|
name: Enforce Read-Only Filesystem for Containers
|
|
author: princechaddha
|
|
severity: critical
|
|
description: Checks for containers that do not use a read-only filesystem, which can prevent malicious write operations at runtime
|
|
impact: |
|
|
Not using a read-only filesystem can expose containers to risks of malicious modifications at runtime, compromising the container's integrity and security.
|
|
remediation: Configure containers to use read-only filesystems where possible to enhance security and minimize risk of unauthorized data modification
|
|
reference:
|
|
- https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation
|
|
tags: cloud,devops,kubernetes,k8s,devsecops,pods,k8s-cluster-security
|
|
|
|
flow: |
|
|
code(1);
|
|
for (let container of template.items) {
|
|
set("container", container)
|
|
javascript(1);
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: kubectl get pods --all-namespaces --output=json
|
|
extractors:
|
|
- type: json
|
|
name: items
|
|
internal: true
|
|
json:
|
|
- '.items[].spec.containers[]'
|
|
|
|
javascript:
|
|
- code: |
|
|
container = JSON.parse(template.container);
|
|
if (!container.securityContext || container.securityContext.readOnlyRootFilesystem !== true) {
|
|
let result = (`Container '${container.name}' in pod '${container.metadata.name}' in namespace '${container.metadata.namespace}' does not use a read-only filesystem.`);
|
|
Export(result);
|
|
}
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- response
|
|
# digest: 4a0a00473045022100822332f29c05236643aceb706c563112c463a6fdda5a60f391aaec1308fa9e3902207c8e95c0302c1f6f85c9a8e43e719b3e52c67684e4b5806e4e9ec0c44e1bfb20:366f2a24c8eb519f6968bd8801c08ebe |