Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

readOnlyRootFilesystem needs a higher score than 1 #572

Open
huornlmj opened this issue Dec 19, 2023 · 2 comments
Open

readOnlyRootFilesystem needs a higher score than 1 #572

huornlmj opened this issue Dec 19, 2023 · 2 comments
Labels

Comments

@huornlmj
Copy link

Describe the bug
"ReadOnlyRootFilesystem" is currently only awarded a +1 score despite it being one of the most effective mitigations against adversaries. As the official Kubesec documentation states:

"Without a writable filesystem the attack surface is dramatically reduced."

To Reproduce
Steps to reproduce the behaviour:

  1. Create a pod spec that does not use the .securityContext .readOnlyRootFilesystem == true
  2. Scan the pod spec with Kubesec.
  3. Observe it being shown as an advisory with a +1 awarded.

Expected behaviour
The value of this needs to be reevaluated and given a much higher score. I suggest making it comparable to .securityContext .runAsNonRoot == true which currently awards 10 points.

@huornlmj huornlmj added the bug label Dec 19, 2023
@06kellyjac
Copy link
Member

Yeah agreed, we can probably boost it.
Although I think running as non-root is probably a bigger deal as if your rootfs has sensible permissions most of that should be non-writable for you as non-root anyway, and if you have some other writable mount you'd still have somewhere to write with a readonly rootfs.

I'll have a chat with some colleagues at some point :)

@huornlmj
Copy link
Author

ok great! Consider this attack BTW, to compare running as non-root against read only FS. If, as an attacker, I gain a remote shell (e.g. via a revshell for example) into a container that has a read-only mounted fs, then it is trickier for me to get attack tools into the container, like linpeas. But if the fs is read & write then I can get linpeas or Peirates in there and they will then tell me (the attacker) all of the available potential methods to escalate to root and possible escape anyway, whether the container is running as root or not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: To Do
Development

No branches or pull requests

2 participants