漏洞描述
Checks if the seccomp profile is set to docker/default or runtime/default in Kubernetes Deployments.
k8s-seccomp-profile-set: Set appropriate seccomp profile
PoC代码[已公开]
id: k8s-seccomp-profile-set
info:
name: Set appropriate seccomp profile
author: princechaddha
severity: medium
description: Checks if the seccomp profile is set to docker/default or runtime/default in Kubernetes Deployments.
impact: |
Using a default seccomp profile helps in reducing the attack surface of the container by limiting the syscalls containers can make, which can prevent certain types of exploits.
remediation: |
Ensure that all containers in Kubernetes Deployments have a seccomp profile of docker/default or runtime/default set in their security contexts.
reference:
- https://kubernetes.io/docs/tutorials/clusters/seccomp/
tags: cloud,devops,kubernetes,devsecops,containers,k8s,k8s-cluster-security
flow: |
code(1);
for (let deployment of template.items) {
set("deployment", deployment)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get deployments --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[]'
javascript:
- code: |
deployment = JSON.parse(template.deployment);
deployment.spec.template.spec.containers.forEach(container => {
if (container.securityContext && container.securityContext.seccompProfile &&
(container.securityContext.seccompProfile.type === 'RuntimeDefault' || container.securityContext.seccompProfile.type === 'DockerDefault')) {
// No action needed, configured properly
} else {
let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' does not have an appropriate seccomp profile set.`);
Export(result);
}
});
extractors:
- type: dsl
dsl:
- response
# digest: 490a00463044022028242b10cadcfd8aa9200c72697dbc567951f08471ded70cf072bb76184f2c15022013bde40989c5a37d33e0060047e74ed85802b28e9f7dfc6ca791e8d7fce2c3c5:922c64590222798bb761d5b6d8e72950