polaris/checks/insecureCapabilities.yaml
Robert Brennan c0d8eb6318 handle case-insensitivity for capabilities (#619)
* handle lowercase letters in ALL for capabilities

* change all caps to regexp

* revert file
2021-08-31 11:40:47 -04:00


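# Polaris container check: the container must drop the Linux capabilities
# listed below, either by dropping ALL or by dropping every one of them
# individually (capability names are matched case-insensitively).
#
# Scope: only securityContext.capabilities.drop is inspected. Capabilities
# re-granted through `capabilities.add` are not examined here, so a
# separate check is needed to catch a dropped capability being added back.
successMessage: Container does not have any insecure capabilities
failureMessage: Container should not have insecure capabilities
category: Security
target: Container
schema:
  '$schema': http://json-schema.org/draft-07/schema
  type: object
  # securityContext, capabilities and drop are each required, so a
  # container that omits any of them fails closed instead of passing
  # by default.
  required:
    - securityContext
  properties:
    securityContext:
      type: object
      required:
        - capabilities
      properties:
        capabilities:
          type: object
          required:
            - drop
          properties:
            drop:
              type: array
              # anyOf rather than oneOf: a drop list that both contains ALL
              # and enumerates every capability below satisfies both
              # branches, and oneOf (exactly one branch) would wrongly
              # fail it. Either branch alone is sufficient.
              anyOf:
                - contains:
                    # The (?i) inline flag gives case-insensitive matching.
                    # It relies on the validator's regexp engine accepting
                    # inline flags (Go/RE2 does; ECMA-262 engines do not),
                    # so this schema is not portable to JS-based validators.
                    pattern: '^(?i)ALL$'
                - allOf:
                    - contains:
                        pattern: '^(?i)NET_ADMIN$'
                    - contains:
                        pattern: '^(?i)CHOWN$'
                    - contains:
                        pattern: '^(?i)DAC_OVERRIDE$'
                    - contains:
                        pattern: '^(?i)FSETID$'
                    - contains:
                        pattern: '^(?i)FOWNER$'
                    - contains:
                        pattern: '^(?i)MKNOD$'
                    - contains:
                        pattern: '^(?i)NET_RAW$'
                    - contains:
                        pattern: '^(?i)SETGID$'
                    - contains:
                        pattern: '^(?i)SETUID$'
                    - contains:
                        pattern: '^(?i)SETFCAP$'
                    - contains:
                        pattern: '^(?i)SETPCAP$'
                    - contains:
                        pattern: '^(?i)NET_BIND_SERVICE$'
                    - contains:
                        pattern: '^(?i)SYS_CHROOT$'
                    - contains:
                        pattern: '^(?i)KILL$'
                    - contains:
                        pattern: '^(?i)AUDIT_WRITE$'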