Added rule to identify principals that have OPA Gatekeeper admin priv…

…ileges. (#42) Co-authored-by: Gadi Naor <gadi_naor@rapid7.com>
alcideio · Oct 18, 2021 · fb1e18c · fb1e18c
1 parent 45249fd
commit fb1e18c
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 1 deletion.
diff --git a/pkg/analysis/default-rules.yaml b/pkg/analysis/default-rules.yaml
@@ -16,6 +16,15 @@ GlobalExclusions:
     Expression: |
       has(subject.name) && subject.name.startsWith('system:')
     LastModified: "2021-09-22T15:25:01+03:00"
+  - AddedBy: InsightCloudSec@rapid7.com
+    Comment: "Exclude gatekeeper-system/gatekeeper-admin from analysis"
+    Disabled: false
+    Expression: |
+      has(subject.namespace) && (subject.namespace == "gatekeeper-system") &&
+      has(subject.name) && (subject.name == "gatekeeper-admin")
+    LastModified: "2021-09-22T15:25:01+03:00"
+    ValidBefore: 0
+
 # Analysis Rules
 Rules:
   - Name: Secret Readers
@@ -250,4 +259,39 @@ Rules:
           )
         )
       )
-    Exclusions: []
+    Exclusions: []
+
+  - Name: Open Policy Agent (OPA) GateKeeper Administration
+    Description: Capture principals that have adminsitrative priviliges and can manage OPA GateKeeper shared resources resources
+    Severity: HIGH
+    Uuid: 9d3d62c2-81a5-439a-bc51-9b74f8124822
+    Recommendation: |
+      "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
+      "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
+    References:
+      - https://open-policy-agent.github.io/gatekeeper/website/docs/constrainttemplates
+      - https://open-policy-agent.github.io/gatekeeper/website/docs/mutation
+
+    # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
+    # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
+    # In the expression when evaluating rule.resource - use plural form (secrets not secret)
+    AnalysisExpr: |
+      subjects.filter(
+        subject, subject.allowedTo.exists(
+          rule,
+          (has(rule.verb) && rule.verb in ['create', 'update', 'patch', 'delete', '*']) &&
+          (
+              has(rule.resource) && rule.resource in ['constrainttemplates', '*'] &&
+              has(rule.apiGroup) && rule.apiGroup in ['templates.gatekeeper.sh','*']
+          ) ||
+          (
+              has(rule.resource) && rule.resource in ['assign', 'assignmetadata', '*'] &&
+              has(rule.apiGroup) && rule.apiGroup in ['mutations.gatekeeper.sh','*']
+          ) ||
+          (
+              has(rule.resource) && rule.resource in ['configs', '*'] &&
+              has(rule.apiGroup) && rule.apiGroup in ['config.gatekeeper.sh','*']
+          )
+        )
+      )
+    Exclusions: [] # gatekeeper-system/gatekeeper-admin excluded in global exceptions
diff --git a/pkg/analysis/default_rules_test.go b/pkg/analysis/default_rules_test.go
@@ -114,6 +114,8 @@ func Test__RuleExclusion(t *testing.T) {
 
 	config := DefaultAnalysisConfig()
 
+	config.Rules = config.Rules[0:1]
+
 	config.Rules[0].Exclusions = []Exclusion{
 		{
 			Disabled:     false,