Containers With Sys Admin Capabilities
- Query id: 3f55386d-75cd-4e9a-ac47-167b26c04724
- Query name: Containers With Sys Admin Capabilities
- Platform: Terraform
- Severity: High
- Category: Insecure Configurations
- CWE: 732
- URL: Github
Description¶
Containers should not have CAP_SYS_ADMIN Linux capability
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "kubernetes_pod" "positive1" {
metadata {
name = "terraform-example"
}
spec {
container = [
{
image = "nginx:1.7.9"
name = "example22"
security_context = {
capabilities = {
add = ["SYS_ADMIN"]
}
}
env = {
name = "environment"
value = "test"
}
port = {
container_port = 8080
}
liveness_probe = {
http_get = {
path = "/nginx_status"
port = 80
http_header = {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
,
{
image = "nginx:1.7.9"
name = "example22222"
security_context = {
capabilities = {
add = ["SYS_ADMIN"]
}
}
env = {
name = "environment"
value = "test"
}
port = {
container_port = 8080
}
liveness_probe = {
http_get = {
path = "/nginx_status"
port = 80
http_header = {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
]
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}
resource "kubernetes_pod" "positive2" {
metadata {
name = "terraform-example"
}
spec {
container {
image = "nginx:1.7.9"
name = "example"
security_context {
capabilities {
add = ["SYS_ADMIN"]
}
}
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "kubernetes_pod" "negative3" {
metadata {
name = "terraform-example"
}
spec {
container = [
{
image = "nginx:1.7.9"
name = "example"
env = {
name = "environment"
value = "test"
}
port = {
container_port = 8080
}
liveness_probe = {
http_get = {
path = "/nginx_status"
port = 80
http_header = {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
},
{
image = "nginx:1.7.9"
name = "example2"
env = {
name = "environment"
value = "test"
}
port = {
container_port = 8080
}
liveness_probe = {
http_get = {
path = "/nginx_status"
port = 80
http_header = {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
]
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}
resource "kubernetes_pod" "negative4" {
metadata {
name = "terraform-example"
}
spec {
container {
image = "nginx:1.7.9"
name = "example"
env {
name = "environment"
value = "test"
}
port {
container_port = 8080
}
liveness_probe {
http_get {
path = "/nginx_status"
port = 80
http_header {
name = "X-Custom-Header"
value = "Awesome"
}
}
initial_delay_seconds = 3
period_seconds = 3
}
}
dns_config {
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
searches = ["example.com"]
option {
name = "ndots"
value = 1
}
option {
name = "use-vc"
}
}
dns_policy = "None"
}
}