Audit Policy Not Cover Key Security Concerns

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-audit-001
  labels:
    severity: "high"
    category: "audit"
  annotations:
    rules.spotter.dev/title: "Audit Policy Not Cover Key Security Concerns"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-778"
    rules.spotter.dev/description: "The audit policy should be configured to log key security events, such as pod creation, secret access, and RBAC changes."
spec:
  match:
    resources:
      kubernetes:
        apiGroups: ["audit.k8s.io"]
        versions: ["v1"]
        kinds: ["Policy"]
  cel: |
    object.kind == "Policy" &&
    (
      !has(object.rules) || size(object.rules) == 0 ||
      !object.rules.exists(rule,
        has(rule.resources) && rule.resources.exists(res,
          has(res.resources) && (
            res.resources.exists(r, r == "secrets") ||
            res.resources.exists(r, r == "configmaps") ||
            res.resources.exists(r, r == "tokenreviews")
          )
        )
      ) ||
      !object.rules.exists(rule,
        has(rule.resources) && rule.resources.exists(res,
          has(res.resources) && (
            res.resources.exists(r, r == "pods/exec") ||
            res.resources.exists(r, r == "pods/portforward") ||
            res.resources.exists(r, r == "pods/proxy") ||
            res.resources.exists(r, r == "services/proxy")
          )
        )
      )
    )
  remediation:
    manual: "Review and update the audit policy file to ensure it logs important security events. This includes pod creation, secret access, and changes to RBAC roles and bindings."
  references:
    - title: "Kubernetes Auditing"
      url: "https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: audit.k8s.io/v1 # This is required.
    kind: Policy
    # Don't generate audit events for all requests in RequestReceived stage.
    omitStages:
      - "RequestReceived"
    rules:

- name: insecure sample 2 should fail
  pass: false
  input: |
    apiVersion: audit.k8s.io/v1 # This is required.
    kind: Policy
    # Don't generate audit events for all requests in RequestReceived stage.
    rules:
      - level: RequestResponse
        resources:
        - group: ""
          resources: ["secrets","configmaps","tokenreviews"]
      - level: Metadata
        resources:
        - group: ""
          resources: ["pods","deployments"]
      - level: None
        resources:
        - group: ""
          resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]

- name: insecure sample 3 should fail
  pass: false
  input: |
    apiVersion: audit.k8s.io/v1 # This is required.
    kind: Policy
    # Don't generate audit events for all requests in RequestReceived stage.
    omitStages:
      - "RequestReceived"
    rules:
      - level: Metadata
        resources:
        - group: ""
          resources: ["secrets","configmaps","tokenreviews"]
      - level: Metadata
        resources:
        - group: ""
          resources: ["pods"]
      - level: RequestResponse
        resources:
        - group: ""
          resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]


- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: audit.k8s.io/v1 # This is required.
    kind: Policy
    # Don't generate audit events for all requests in RequestReceived stage.
    omitStages:
      - "RequestReceived"
    rules:
      - level: Metadata
        resources:
        - group: ""
          resources: ["secrets","configmaps","tokenreviews"]
      - level: Metadata
        resources:
        - group: ""
          resources: ["pods","deployments"]
      - level: RequestResponse
        resources:
        - group: ""
          resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-audit-001
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-audit-001
spec:
  # Add your VAP configuration here

Rule Metadata

Audit Policy Not Cover Key Security Concerns

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub