diff --git a/controls/C-0262-anonymousaccessisenabled.json b/controls/C-0262-anonymousaccessisenabled.json index 97a282ca5..acc295a63 100644 --- a/controls/C-0262-anonymousaccessisenabled.json +++ b/controls/C-0262-anonymousaccessisenabled.json @@ -1,6 +1,6 @@ { "controlID": "C-0262", - "name": "Anonymous access enabled", + "name": "Anonymous user has RoleBinding", "description": "Granting permissions to the system:unauthenticated or system:anonymous user is generally not recommended and can introduce security risks. Allowing unauthenticated access to your Kubernetes cluster can lead to unauthorized access, potential data breaches, and abuse of cluster resources.", "remediation": "Review and modify your cluster's RBAC configuration to ensure that only authenticated and authorized users have appropriate permissions based on their roles and responsibilities within your system.", "test": "Checks if ClusterRoleBinding/RoleBinding resources give permissions to anonymous user. Also checks in the apiserver if the --anonymous-auth flag is set to false", @@ -8,10 +8,9 @@ "armoBuiltin": true }, "rulesNames": [ - "ensure-that-the-api-server-anonymous-auth-argument-is-set-to-false", "anonymous-access-enabled" ], - "baseScore": 5, + "baseScore": 7, "category": { "name": "Control plane", "subCategory": { diff --git a/rules/anonymous-access-enabled/raw.rego b/rules/anonymous-access-enabled/raw.rego index 235f25196..abec9e122 100644 --- a/rules/anonymous-access-enabled/raw.rego +++ b/rules/anonymous-access-enabled/raw.rego @@ -4,12 +4,14 @@ package armo_builtins deny[msga] { rolebindings := [rolebinding | rolebinding = input[_]; endswith(rolebinding.kind, "Binding")] rolebinding := rolebindings[_] - - isAnonymous(rolebinding) - + subject := rolebinding.subjects[i] + isAnonymous(subject) + delete_path := sprintf("subjects[%d]", [i]) msga := { "alertMessage": sprintf("the following RoleBinding: %v gives permissions to anonymous users", [rolebinding.metadata.name]), "alertScore": 9, + "deletePaths": [delete_path], + "failedPaths": [delete_path], "packagename": "armo_builtins", "alertObject": { "k8sApiObjects": [rolebinding] @@ -18,13 +20,10 @@ deny[msga] { } -isAnonymous(binding) { - subject := binding.subjects[_] +isAnonymous(subject) { subject.name == "system:anonymous" } - -isAnonymous(binding) { - subject := binding.subjects[_] +isAnonymous(subject) { subject.name == "system:unauthenticated" } diff --git a/rules/anonymous-access-enabled/rule.metadata.json b/rules/anonymous-access-enabled/rule.metadata.json index eb6793735..ed0b38635 100644 --- a/rules/anonymous-access-enabled/rule.metadata.json +++ b/rules/anonymous-access-enabled/rule.metadata.json @@ -19,7 +19,7 @@ } ], "ruleDependencies": [], - "description": "Fails in case anonymous access is enabled on the cluster", - "remediation": "Disable anonymous access by passing the --anonymous-auth=false flag to the kube-apiserver component, or if it's a managed cluster, you can remove any RBAC rules which allow anonymous users to perform actions", + "description": "Fails in case anonymous or unauthenticated user has any rbac permissions (is bound by a RoleBinding/ClusterRoleBinding)", + "remediation": "Remove any RBAC rules which allow anonymous users to perform actions", "ruleQuery": "armo_builtins" } diff --git a/rules/anonymous-access-enabled/test/fail/expected.json b/rules/anonymous-access-enabled/test/fail/expected.json index 785972a18..f3757ef2f 100644 --- a/rules/anonymous-access-enabled/test/fail/expected.json +++ b/rules/anonymous-access-enabled/test/fail/expected.json @@ -1,7 +1,7 @@ [ { "alertMessage": "the following RoleBinding: system:public-info-viewer gives permissions to anonymous users", - "failedPaths": null, + "failedPaths": ["subjects[1]"], "fixPaths": null, "ruleStatus": "", "packagename": "armo_builtins",