diff --git a/hook-sdk/nodejs/Dockerfile b/hook-sdk/nodejs/Dockerfile
index bce6e837..11963747 100644
--- a/hook-sdk/nodejs/Dockerfile
+++ b/hook-sdk/nodejs/Dockerfile
@@ -5,10 +5,10 @@ RUN npm ci --production
 FROM node:12-alpine
 ARG NODE_ENV
-RUN addgroup -S app && adduser app -S -G app
+RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app
 WORKDIR /home/app/hook-wrapper/
 COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./hook-wrapper.js ./hook-wrapper.js
-USER app
+USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
-ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]
\ No newline at end of file
+ENTRYPOINT ["node", "/home/app/hook-wrapper/hook-wrapper.js"]
diff --git a/lurcher/Dockerfile b/lurcher/Dockerfile
index 38d1d11b..c5b5cf1e 100644
--- a/lurcher/Dockerfile
+++ b/lurcher/Dockerfile
@@ -20,6 +20,5 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o lurcher
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/lurcher .
-USER nonroot:nonroot
 ENTRYPOINT ["/lurcher"]
diff --git a/operator/Dockerfile b/operator/Dockerfile
index 0257cc0d..44c1379e 100644
--- a/operator/Dockerfile
+++ b/operator/Dockerfile
@@ -28,6 +28,5 @@ ENV TELEMETRY_ENABLED "true"
 WORKDIR /
 COPY --from=builder /workspace/manager .
-USER nonroot:nonroot
 ENTRYPOINT ["/manager"]
diff --git a/operator/README.md b/operator/README.md
index 8a23bbde..970ff3b5 100644
--- a/operator/README.md
+++ b/operator/README.md
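Review bot: The switch to `USER 1001` is what makes the `runAsNonRoot: true` the operator now sets on hook Jobs enforceable, but nothing in the Dockerfile says so, and the next tidy-up back to `USER app` will get every hook Job refused by the kubelet with "cannot verify user is non-root". Add a comment above it, e.g. `# Numeric UID on purpose: the kubelet verifies runAsNonRoot from the image USER and rejects a name like "app"`. The pinned `--uid 1001`/`--gid 1001` deserve the same one-liner, since they keep the `--chown=app:app` files owned by the UID the container actually runs as. The build stage that runs `npm ci --production` starts before this hunk.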
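Review bot: Dropping `USER nonroot:nonroot` leaves the effective user to whatever `gcr.io/distroless/static:nonroot` records, and this same commit sets `RunAsNonRoot: true` on the lurcher sidecar without a `RunAsUser`; the kubelet can only satisfy that check from a numeric UID, so if the base image stores its user by name rather than as `65532` the sidecar is refused with "cannot verify user is non-root" instead of running more safely. Replacing the removed line with `USER 65532:65532` (the distroless nonroot UID/GID) keeps the image self-describing regardless of how the base tag resolves. The builder stage that produces `/workspace/lurcher` is outside the hunk.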
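Review bot: With the explicit `USER` line removed, the operator image now depends entirely on its base image's metadata to satisfy the `runAsNonRoot: true` the chart defaults to in this commit, and the `FROM` line that would show what that base is sits outside the hunk. Presumably it is the same distroless nonroot base the lurcher image uses; if that base records the user by name the kubelet cannot verify non-root and the manager pod will not start. A literal `USER 65532:65532` in place of the removed line costs nothing and makes the check deterministic.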
@@ -24,7 +24,7 @@ helm install securecodebox-operator secureCodeBox/operator
 | image.pullPolicy | string | `"Always"` | Image pull policy |
 | image.repository | string | `"docker.io/securecodebox/operator"` | The operator image repository |
 | image.tag | string | defaults to the charts version | Parser image tag |
-| lurcher.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| lurcher.image.pullPolicy | string | `"Always"` | Image pull policy |
 | lurcher.image.repository | string | `"docker.io/securecodebox/lurcher"` | The operator image repository |
 | lurcher.image.tag | string | defaults to the charts version | Parser image tag |
 | minio.defaultBucket.enabled | bool | `true` | |
@@ -38,5 +38,10 @@ helm install securecodebox-operator secureCodeBox/operator
 | s3.port | string | `nil` | |
 | s3.secretAttributeNames.accesskey | string | `"accesskey"` | |
 | s3.secretAttributeNames.secretkey | string | `"secretkey"` | |
+| securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
+| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the operator container. They are not required |
+| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privileged mode |
+| securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system |
+| securityContext.runAsNonRoot | bool | `true` | Enforces that the Operator image is run as a non root user |
 | telemetryEnabled | bool | `true` | The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry |
diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go
index a332c2b3..9fdd768f 100644
--- a/operator/controllers/execution/scans/hook_reconciler.go
+++ b/operator/controllers/execution/scans/hook_reconciler.go
@@ -362,6 +362,8 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 labels["securecodebox.io/hook-name"] = hook.Name
 var backOffLimit int32 = 3
+ truePointer := true
+ falsePointer := false
 job := &batch.Job{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: make(map[string]string),
@@ -388,7 +390,7 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 Image: hook.Spec.Image,
 Args: cliArgs,
 Env: append(hook.Spec.Env, standardEnvVars...),
- ImagePullPolicy: "IfNotPresent",
+ ImagePullPolicy: "Always",
 Resources: corev1.ResourceRequirements{
 Requests: corev1.ResourceList{
 corev1.ResourceCPU: resource.MustParse("200m"),
@@ -399,6 +401,15 @@ func (r *ScanReconciler) createJobForHook(hook *executionv1.ScanCompletionHook,
 corev1.ResourceMemory: resource.MustParse("200Mi"),
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ RunAsNonRoot: &truePointer,
+ AllowPrivilegeEscalation: &falsePointer,
+ ReadOnlyRootFilesystem: &truePointer,
+ Privileged: &falsePointer,
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"all"},
+ },
+ },
 },
 },
 },
diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
index 6a4041d0..6fcdf032 100644
--- a/operator/controllers/execution/scans/parse_reconciler.go
+++ b/operator/controllers/execution/scans/parse_reconciler.go
@@ -80,6 +80,8 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 labels["securecodebox.io/job-type"] = "parser"
 automountServiceAccountToken := true
 var backOffLimit int32 = 3
+ truePointer := true
+ falsePointer := false
 job := &batch.Job{
 ObjectMeta: metav1.ObjectMeta{
 Annotations: make(map[string]string),
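Review bot: The capability to drop is spelled lowercase in `Drop: []corev1.Capability{"all"}`; the canonical Kubernetes spelling is `ALL`, and policy tooling that compares the literal (PodSecurityPolicy `requiredDropCapabilities: [ALL]`, the later Pod Security Admission `restricted` profile) may not treat `all` as having dropped anything even where the container runtime happens to accept it, so change it to `Drop: []corev1.Capability{"ALL"},`. Separately, this context is applied unconditionally to `hook.Spec.Image`, which is third-party code, with no override visible on the ScanCompletionHook spec; a hook that writes anywhere other than a mounted volume will now fail under `ReadOnlyRootFilesystem`, whereas the scanner charts in this commit expose a `scannerJob.securityContext` escape hatch. That asymmetry should at least be documented on the hook CRD, or the hook spec given an optional securityContext that overrides this default. createJobForHook continues past the hunk.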
@@ -133,6 +135,15 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 corev1.ResourceMemory: resource.MustParse("200Mi"),
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ RunAsNonRoot: &truePointer,
+ AllowPrivilegeEscalation: &falsePointer,
+ ReadOnlyRootFilesystem: &truePointer,
+ Privileged: &falsePointer,
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"all"},
+ },
+ },
 },
 },
 AutomountServiceAccountToken: &automountServiceAccountToken,
diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go
index 93371076..0117f1d4 100644
--- a/operator/controllers/execution/scans/scan_reconciler.go
+++ b/operator/controllers/execution/scans/scan_reconciler.go
@@ -221,6 +221,9 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 return nil, fmt.Errorf("Unknown imagePull Policy for lurcher: %s", lurcherPullPolicyRaw)
 }
+ falsePointer := false
+ truePointer := true
+
 lurcherSidecar := &corev1.Container{
 Name: "lurcher",
 Image: lurcherImage,
@@ -260,6 +263,15 @@ func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *e
 ReadOnly: true,
 },
 },
+ SecurityContext: &corev1.SecurityContext{
+ RunAsNonRoot: &truePointer,
+ AllowPrivilegeEscalation: &falsePointer,
+ ReadOnlyRootFilesystem: &truePointer,
+ Privileged: &falsePointer,
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"all"},
+ },
+ },
 }
 job.Spec.Template.Spec.Containers = append(job.Spec.Template.Spec.Containers, *lurcherSidecar)
diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml
index 9bc7c197..75b7a795 100644
--- a/operator/templates/manager/manager.yaml
+++ b/operator/templates/manager/manager.yaml
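Review bot: The nine-line SecurityContext literal added here is byte-for-byte the same one added to the hook Job and the lurcher sidecar in this commit, each with its own `truePointer`/`falsePointer` locals; three copies of a security baseline drift, and a later fix (such as the `ALL` spelling) has to be made three times. All three files live in the same `scans` package, so one package-level helper can own the policy and the call sites shrink to `SecurityContext: restrictedSecurityContext(),`. startParser starts and ends outside this hunk.

```go
// restrictedSecurityContext is the container-level hardening applied to every
// Job the operator creates (parser, hook, lurcher sidecar): non-root, no
// privilege escalation, read-only root filesystem, not privileged, and every
// capability dropped. "ALL" is the canonical spelling Kubernetes policy checks
// compare against.
func restrictedSecurityContext() *corev1.SecurityContext {
	t, f := true, false
	return &corev1.SecurityContext{
		RunAsNonRoot:             &t,
		AllowPrivilegeEscalation: &f,
		ReadOnlyRootFilesystem:   &t,
		Privileged:               &f,
		Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
	}
}

// … at the call site, in place of the inline literal …
SecurityContext: restrictedSecurityContext(),
```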
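Review bot: The hardening here covers only the lurcher sidecar; the scanner container that runs the actual third-party tool, presumably built from the ScanType's job template elsewhere in constructJobForScan, receives no securityContext from the operator, and every scanner chart in this commit defaults `scannerJob.securityContext` to `{}`. That leaves the one container executing untrusted scanner binaries as the least constrained process in the pod, while the sidecar that merely uploads results is locked down. Consider applying at least `AllowPrivilegeEscalation: false` and `Privileged: false` to the scan container whenever the ScanType sets no context of its own, and documenting that ScanTypes which genuinely need raw sockets (the nmap OS-detection case) must opt out explicitly. constructJobForScan starts and ends outside this hunk.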
@@ -77,4 +77,6 @@ spec:
 value: {{ .Values.lurcher.image.pullPolicy }}
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
 terminationGracePeriodSeconds: 10
diff --git a/operator/values.yaml b/operator/values.yaml
index efe654c6..d1bb333d 100644
--- a/operator/values.yaml
+++ b/operator/values.yaml
@@ -14,6 +14,20 @@ image:
 # image.pullPolicy -- Image pull policy
 pullPolicy: Always
+securityContext:
+ # securityContext.runAsNonRoot -- Enforces that the Operator image is run as a non root user
+ runAsNonRoot: true
+ # securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
+ readOnlyRootFilesystem: true
+ # securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
+ allowPrivilegeEscalation: false
+ # securityContext.privileged -- Ensures that the operator container is not run in privileged mode
+ privileged: false
+ capabilities:
+ drop:
+ # securityContext.capabilities.drop[0] -- This drops all linux privileges from the operator container. They are not required
+ - all
+
 lurcher:
 image:
 # lurcher.image.repository -- The operator image repository
@@ -22,7 +36,7 @@ lurcher:
 # @default -- defaults to the charts version
 tag: null
 # lurcher.image.pullPolicy -- Image pull policy
- pullPolicy: IfNotPresent
+ pullPolicy: Always
 minio:
 # minio.enabled Enable this to use minio as storage backend instead of a cloud bucket provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc.
diff --git a/parser-sdk/nodejs/Dockerfile b/parser-sdk/nodejs/Dockerfile
index 23aa0dd6..7382046e 100644
--- a/parser-sdk/nodejs/Dockerfile
+++ b/parser-sdk/nodejs/Dockerfile
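Review bot: `runAsNonRoot: true` is rendered here with no `runAsUser`, so the kubelet has to prove non-root from the image's USER field, and this same commit removes the explicit `USER` line from operator/Dockerfile, so that proof now rests entirely on the base image's metadata and fails outright if the user is recorded by name. Add `runAsUser: 65532` and `runAsGroup: 65532` next to `runAsNonRoot` in the chart default (those are the distroless nonroot IDs, assuming the operator is built on the same base as lurcher), or keep a numeric USER in the image; either makes the check deterministic. Note this is the container-level securityContext nested under the manager container; pod-level fields such as `fsGroup` or `seccompProfile` would need a separate `podSecurityContext` value to land in the right place.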
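Review bot: The chart default `drop: - all` uses a lowercase capability name; the API convention and every upstream example is `ALL`, and admission policies that compare the literal (PodSecurityPolicy `requiredDropCapabilities`, Pod Security Admission `restricted`) may conclude that nothing was dropped. Change the default to `- ALL` and regenerate the README table so the documented value matches. The comment on `readOnlyRootFilesystem` would also be a good place to state the consequence for future changes, e.g. `# the manager must not write to its image filesystem; use an emptyDir volume if a feature ever needs scratch space`.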
@@ -5,10 +5,10 @@ RUN npm ci --production
 FROM node:12-alpine
 ARG NODE_ENV
-RUN addgroup -S app && adduser app -S -G app
+RUN addgroup --system --gid 1001 app && adduser app --system --uid 1001 --ingroup app
 WORKDIR /home/app/parser-wrapper/
 COPY --from=build --chown=app:app /home/app/node_modules/ ./node_modules/
 COPY --chown=app:app ./parser-wrapper.js ./parser-wrapper.js
-USER app
+USER 1001
 ENV NODE_ENV ${NODE_ENV:-production}
-ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]
\ No newline at end of file
+ENTRYPOINT ["node", "/home/app/parser-wrapper/parser-wrapper.js"]
diff --git a/scanners/amass/Chart.yaml b/scanners/amass/Chart.yaml
index b2cbc9a2..a8df7f9f 100644
--- a/scanners/amass/Chart.yaml
+++ b/scanners/amass/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for the Amass security scanner that integrates with th
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: latest
-appVersion: 3.10.3
+appVersion: 3.10.4
 kubeVersion: ">=v1.11.0"
 keywords:
diff --git a/scanners/amass/README.md b/scanners/amass/README.md
index 741ec647..61730430 100644
--- a/scanners/amass/README.md
+++ b/scanners/amass/README.md
@@ -4,7 +4,7 @@ path: "scanners/amass"
 category: "scanner"
 type: "Network"
 state: "released"
-appVersion: "3.10.3"
+appVersion: "3.10.4"
 usecase: "Subdomain Enumeration Scanner"
 ---
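Review bot: `USER 1001` is numeric for a reason the file does not state: the parser Job created by the operator now carries `runAsNonRoot: true`, and the kubelet can only verify that from a numeric image USER, so reverting to `USER app` would stop every parser from starting. A one-line comment above it, `# Numeric UID on purpose: runAsNonRoot is verified from the image USER and a name like "app" is rejected`, prevents that regression. Since the parser also runs under `readOnlyRootFilesystem: true`, it would be worth confirming that `parser-wrapper.js` writes nothing under `/home/app` at runtime; that cannot be judged from this hunk.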
@@ -44,9 +44,10 @@ Special command line options:
 | parserImage.tag | string | defaults to the charts version | Parser image tag |
 | scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
 | scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
-| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scannerJob.extraVolumeMounts | list | `[{"mountPath":"/amass/output/config.ini","name":"amass-config","subPath":"config.ini"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scannerJob.extraVolumes | list | `[{"configMap":{"name":"amass-config"},"name":"amass-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) |
 [owasp_amass_project]: https://owasp.org/www-project-amass/
diff --git a/scanners/amass/README.md.gotmpl b/scanners/amass/README.md.gotmpl
index 957aa9c5..025de4ca 100644
--- a/scanners/amass/README.md.gotmpl
+++ b/scanners/amass/README.md.gotmpl
@@ -4,7 +4,7 @@ path: "scanners/amass"
 category: "scanner"
 type: "Network"
 state: "released"
-appVersion: "3.10.3"
+appVersion: "3.10.4"
 usecase: "Subdomain Enumeration Scanner"
 ---
diff --git a/scanners/amass/helm2.Chart.yaml b/scanners/amass/helm2.Chart.yaml
index b1cc68da..0ccd0c02 100644
--- a/scanners/amass/helm2.Chart.yaml
+++ b/scanners/amass/helm2.Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for the Amass security scanner that integrates with th
 type: application
 # version - gets automatically set to the secureCodeBox release version when the helm charts gets published
 version: latest
-appVersion: 3.10.3
+appVersion: 3.10.4
 kubeVersion: ">=v1.11.0"
 keywords:
diff --git a/scanners/amass/templates/amass-scan-type.yaml b/scanners/amass/templates/amass-scan-type.yaml
index 01629519..546a2f0d 100644
--- a/scanners/amass/templates/amass-scan-type.yaml
+++ b/scanners/amass/templates/amass-scan-type.yaml
@@ -24,16 +24,19 @@ spec:
 - "enum"
 - "-json"
 - "/home/securecodebox/amass-results.jsonl"
- volumeMounts:
- - name: "amass-config"
- mountPath: "/amass/output/config.ini"
- subPath: "config.ini"
 resources:
 {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ securityContext:
+ {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ env:
+ {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ volumeMounts:
+ {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scannerJob.extraContainers }}
+ {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- end }}
 volumes:
- - name: "amass-config"
- configMap:
- name: "amass-config"
+ {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 12 }}
 ---
 apiVersion: v1
 kind: ConfigMap
diff --git a/scanners/amass/values.yaml b/scanners/amass/values.yaml
index bdbc0cfb..aaf00c6d 100644
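Review bot: The pod `volumes:` block renders `.Values.scannerJob.extraVolumeMounts` instead of `.Values.scannerJob.extraVolumes`, so with the new chart defaults the Job gets a volume entry carrying `mountPath`/`subPath` and no `configMap` source, while the `amass-config` mount referenced by the container has no backing volume; the scan Job is either rejected by the API server or starts without its config.ini. Change the last added line to `{{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}`, which is what the kube-hunter, ncrack and nikto templates in this commit use. A chart test that renders the default values would have caught this, and is cheap given the ConfigMap after the `---` exists only to be mounted here.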
--- a/scanners/amass/values.yaml
+++ b/scanners/amass/values.yaml
@@ -12,22 +12,31 @@ scannerJob:
 # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
 resources: {}
-# resources:
-# requests:
-# memory: "256Mi"
-# cpu: "250m"
-# limits:
-# memory: "512Mi"
-# cpu: "500m"
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # cpu: "250m"
+ # limits:
+ # memory: "512Mi"
+ # cpu: "500m"
 # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
 env: []
 # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
- extraVolumes: []
+ extraVolumes:
+ - name: "amass-config"
+ configMap:
+ name: "amass-config"
 # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
- extraVolumeMounts: []
+ extraVolumeMounts:
+ - name: "amass-config"
+ mountPath: "/amass/output/config.ini"
+ subPath: "config.ini"
 # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
- extraContainers: []
\ No newline at end of file
+ extraContainers: []
+
+ # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+ securityContext: {}
diff --git a/scanners/kube-hunter/README.md b/scanners/kube-hunter/README.md
index e9912a4a..6c7e047f 100644
--- a/scanners/kube-hunter/README.md
+++ b/scanners/kube-hunter/README.md
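Review bot: The amass config mount has moved from a fixed part of the template into the `extraVolumes`/`extraVolumeMounts` defaults, and Helm replaces list values rather than merging them, so any user who sets either key to add a volume of their own silently drops the `amass-config` entries and the scanner runs without its config.ini. Either keep the config mount hard-wired in the template and leave these lists at `[]`, or warn in both comments, e.g. `# NOTE: overriding this list replaces the default amass-config entry; re-add it if config.ini is still needed`. The new `securityContext: {}` default would also benefit from a commented-out restricted example, since none of the hardening this commit applies to the operator reaches this container unless the user writes it here.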
@@ -43,6 +43,7 @@ The following security scan configuration example are based on the [kube-hunter
 | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) |
 [kube-hunter Website]: https://kube-hunter.aquasec.com/
diff --git a/scanners/kube-hunter/templates/kubehunter-scan-type.yaml b/scanners/kube-hunter/templates/kubehunter-scan-type.yaml
index 71316bd2..007102fc 100644
--- a/scanners/kube-hunter/templates/kubehunter-scan-type.yaml
+++ b/scanners/kube-hunter/templates/kubehunter-scan-type.yaml
@@ -24,3 +24,14 @@ spec:
 - 'json'
 resources:
 {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ securityContext:
+ {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ env:
+ {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ volumeMounts:
+ {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scannerJob.extraContainers }}
+ {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- end }}
+ volumes:
+ {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
diff --git a/scanners/kube-hunter/values.yaml b/scanners/kube-hunter/values.yaml
index ccbd9ea2..d94a8923 100644
--- a/scanners/kube-hunter/values.yaml
+++ b/scanners/kube-hunter/values.yaml
@@ -17,13 +17,13 @@ scannerJob:
 # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
 resources: {}
-# resources:
-# requests:
-# memory: "256Mi"
-# cpu: "250m"
-# limits:
-# memory: "512Mi"
-# cpu: "500m"
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # cpu: "250m"
+ # limits:
+ # memory: "512Mi"
+ # cpu: "500m"
 # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
 env: []
@@ -36,3 +36,6 @@ scannerJob:
 # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
 extraContainers: []
+
+ # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+ securityContext: {}
diff --git a/scanners/ncrack/README.md b/scanners/ncrack/README.md
index c2deaee4..07384f88 100644
--- a/scanners/ncrack/README.md
+++ b/scanners/ncrack/README.md
@@ -151,6 +151,7 @@ SEE THE MAN PAGE (http://nmap.org/ncrack/man.html) FOR MORE OPTIONS AND EXAMPLES
 | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) |
 ---
diff --git a/scanners/ncrack/templates/ncrack-scan-type.yaml b/scanners/ncrack/templates/ncrack-scan-type.yaml
index ce58dcc4..8567147e 100644
--- a/scanners/ncrack/templates/ncrack-scan-type.yaml
+++ b/scanners/ncrack/templates/ncrack-scan-type.yaml
@@ -21,8 +21,15 @@ spec:
 command: ["ncrack", "-oX", "/home/securecodebox/ncrack-results.xml"]
 resources:
 {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ securityContext:
+ {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ env:
+ {{- toYaml .Values.scannerJob.env | nindent 16 }}
 volumeMounts:
 {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scannerJob.extraContainers }}
+ {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- end }}
 volumes:
 {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
diff --git a/scanners/ncrack/values.yaml b/scanners/ncrack/values.yaml
index 564eb24d..61d0dab2 100644
--- a/scanners/ncrack/values.yaml
+++ b/scanners/ncrack/values.yaml
@@ -17,13 +17,13 @@ scannerJob:
 # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
 resources: {}
-# resources:
-# requests:
-# memory: "256Mi"
-# cpu: "250m"
-# limits:
-# memory: "512Mi"
-# cpu: "500m"
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # cpu: "250m"
+ # limits:
+ # memory: "512Mi"
+ # cpu: "500m"
 # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
 env: []
@@ -36,3 +36,6 @@ scannerJob:
 # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
 extraContainers: []
+
+ # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+ securityContext: {}
diff --git a/scanners/nikto/README.md b/scanners/nikto/README.md
index fb2e83e6..26f00934 100644
--- a/scanners/nikto/README.md
+++ b/scanners/nikto/README.md
@@ -60,6 +60,7 @@ Nikto also has a comprehensive list of [command line options documented](https:/
 | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) |
 [cirt.net]: https://cirt.net/
diff --git a/scanners/nikto/templates/nikto-scan-type.yaml b/scanners/nikto/templates/nikto-scan-type.yaml
index a3154cdc..77fdd936 100644
--- a/scanners/nikto/templates/nikto-scan-type.yaml
+++ b/scanners/nikto/templates/nikto-scan-type.yaml
@@ -26,3 +26,14 @@ spec:
 - '/home/securecodebox/nikto-results.json'
 resources:
 {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ securityContext:
+ {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ env:
+ {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ volumeMounts:
+ {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scannerJob.extraContainers }}
+ {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- end }}
+ volumes:
+ {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
diff --git a/scanners/nikto/values.yaml b/scanners/nikto/values.yaml
index b29ecf1c..3f583804 100644
--- a/scanners/nikto/values.yaml
+++ b/scanners/nikto/values.yaml
@@ -12,13 +12,13 @@ scannerJob:
 # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
 resources: {}
-# resources:
-# requests:
-# memory: "256Mi"
-# cpu: "250m"
-# limits:
-# memory: "512Mi"
-# cpu: "500m"
+ # resources:
+ # requests:
+ # memory: "256Mi"
+ # cpu: "250m"
+ # limits:
+ # memory: "512Mi"
+ # cpu: "500m"
 # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
 env: []
@@ -31,3 +31,6 @@ scannerJob:
 # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
 extraContainers: []
+
+ # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+ securityContext: {}
diff --git a/scanners/nmap/README.md b/scanners/nmap/README.md
index 08aae974..3c169d66 100644
--- a/scanners/nmap/README.md
+++ b/scanners/nmap/README.md
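Review bot: `securityContext: {}` leaves the nikto container with none of the hardening this commit applies to the operator and the lurcher sidecar, even though nikto is an HTTP-level scanner that should not need raw sockets or any added capability (worth confirming against the image before changing the default). Consider shipping the restricted context as the default rather than an empty map, and at minimum a commented-out example under the key so users can see the intended shape, e.g. `# securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}`. Scanners that genuinely need privileges, such as nmap OS detection, are the ones that should carry the explicit opt-out, not the other way round.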
@@ -42,6 +42,48 @@ Some useful example parameters listed below: - `-script` xx: Replace xx with the script name. Start the scan with the given script. - `--script` xx: Replace xx with a coma-separated list of scripts. Start the scan with the given scripts. +## Operating System Scans + +:::caution +Warning! This is currently not tested and might require additional testing to work 😕 +::: + +If you want to use Nmap to identify operating systems of hosts you'll need to weaken the securityContext config, as Nmap requires the capability to send raw sockets to identify operating systems. See [Nmap Docs](https://secwiki.org/w/Running_nmap_as_an_unprivileged_user) + +You can deploy the ScanType with the config like this: + +```bash +cat <