New feature: check which capabilities need to be dropped

Gopkg.toml

@@ -40,3 +40,7 @@
 [[constraint]]
   name = "k8s.io/client-go"
   branch = "master"
+
+[[constraint]]
+  name = "github.com/stretchr/testify"
+  version = "1.1.4"

cmd/config

@@ -0,0 +1 @@
+../config

cmd/errors.go

@@ -1,7 +1,8 @@
 package cmd
 
 const (
-	KubeAuditInfo = iota
+	_ = iota
+	KubeauditInternalError
 	ErrorCapabilitiesAdded
 	ErrorCapabilitiesAddedOrNotDropped
 	ErrorCapabilitiesNIL

cmd/securityContext.go

@@ -1,10 +1,52 @@
 package cmd
 
 import (
+	"io/ioutil"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"gopkg.in/yaml.v2"
 )
 
+type capsDropList struct {
+	Drop []string `yaml:"capabilitiesToBeDropped"`
+}
+
+func recommendedCapabilitiesToBeDropped() (dropList []Capability, err error) {
+	yamlFile, err := ioutil.ReadFile("config/capabilities-drop-list.yml")
+	if err != nil {
+		return
+	}
+	caps := capsDropList{}
+	err = yaml.Unmarshal(yamlFile, &caps)
+	if err != nil {
+		return
+	}
+	for _, drop := range caps.Drop {
+		dropList = append(dropList, Capability(drop))
+	}
+	return
+}
+
+func capsNotDropped(dropped []Capability) (notDropped []Capability, err error) {
+	toBeDropped, err := recommendedCapabilitiesToBeDropped()
+	if err != nil {
+		return
+	}
+	for _, toBeDroppedCap := range toBeDropped {
+		found := false
+		for _, droppedCap := range dropped {
+			if toBeDroppedCap == droppedCap {
+				found = true
+			}
+		}
+		if found == false {
+			notDropped = append(notDropped, toBeDroppedCap)
+		}
+	}
+	return
+}
+
 func checkSecurityContext(container Container, result *Result) {
 	if container.SecurityContext == nil {
 		occ := Occurrence{id: ErrorSecurityContextNIL, kind: Error, message: "SecurityContext not set, please set it!"}
@@ -30,11 +72,17 @@ func checkSecurityContext(container Container, result *Result) {
 	}
 
 	if container.SecurityContext.Capabilities.Drop != nil {
-		// TODO need a check for which caps have been dropped and whether that's an
-		// error because not enough have been dropped
-		result.CapsDropped = container.SecurityContext.Capabilities.Drop
-		occ := Occurrence{id: ErrorCapabilitiesSomeDropped, kind: Error, message: "Not all of the capabilities were dropped!"}
-		result.Occurrences = append(result.Occurrences, occ)
+		capsNotDropped, err := capsNotDropped(container.SecurityContext.Capabilities.Drop)
+		if err != nil {
+			occ := Occurrence{id: KubeauditInternalError, kind: Error, message: "This should not have happened, if you are on kubeaudit master please consider to report: " + err.Error()}
+			result.Occurrences = append(result.Occurrences, occ)
+			return
+		}
+		if len(capsNotDropped) > 0 {
+			result.CapsDropped = capsNotDropped
+			occ := Occurrence{id: ErrorCapabilitiesSomeDropped, kind: Error, message: "Not all of the recommended capabilities were dropped! Please drop the mentioned capabiliites."}
+			result.Occurrences = append(result.Occurrences, occ)
+		}
 	}
 }
 

cmd/securityContext_test.go

@@ -4,19 +4,35 @@ import (
 	"testing"
 
 	"github.com/Shopify/kubeaudit/fakeaudit"
+	"github.com/stretchr/testify/assert"
 )
 
 func init() {
 	fakeaudit.CreateFakeNamespace("fakeDeploymentSC")
 	fakeaudit.CreateFakeDeploymentSC("fakeDeploymentSC")
 }
 
+func TestRecommendedCapabilitiesToBeDropped(t *testing.T) {
+	assert := assert.New(t)
+	capabilities, err := recommendedCapabilitiesToBeDropped()
+	assert.Nil(err)
+	assert.Equal([]Capability{"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETUID", "SETPCAP", "SYS_CHROOT"}, capabilities, "")
+}
+
+func TestCapsNotDropped(t *testing.T) {
+	assert := assert.New(t)
+	caps := []Capability{"CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETUID", "SETPCAP", "SYS_CHROOT"}
+	notDropped, err := capsNotDropped(caps)
+	assert.Nil(err)
+	assert.Equal([]Capability{"AUDIT_WRITE"}, notDropped, "")
+}
+
 func TestDeploymentSC(t *testing.T) {
 	fakeDeployments := fakeaudit.GetDeployments("fakeDeploymentSC")
 	wg.Add(1)
 	results := auditSecurityContext(kubeAuditDeployments{list: fakeDeployments})
 
-	if len(results) != 5 {
+	if len(results) != 4 {
 		t.Error("Test 1: Failed to catch all the bad configurations")
 	}
 

config/capabilities-drop-list.yml

@@ -0,0 +1,17 @@
+# SANE DEFAULTS:
+capabilitiesToBeDropped:
+  # https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
+  - AUDIT_WRITE # Write records to kernel auditing log.
+  - CHOWN # Make arbitrary changes to file UIDs and GIDs (see chown(2)).
+  - DAC_OVERRIDE # Bypass file read, write, and execute permission checks.
+  - FOWNER # Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
+  - FSETID # Don’t clear set-user-ID and set-group-ID permission bits when a file is modified.
+  - KILL # Bypass permission checks for sending signals.
+  - MKNOD # Create special files using mknod(2).
+  - NET_BIND_SERVICE # Bind a socket to internet domain privileged ports (port numbers less than 1024).
+  - NET_RAW # Use RAW and PACKET sockets.
+  - SETFCAP # Set file capabilities.
+  - SETGID # Make arbitrary manipulations of process GIDs and supplementary GID list.
+  - SETUID # Make arbitrary manipulations of process UIDs.
+  - SETPCAP # Modify process capabilities.
+  - SYS_CHROOT # Use chroot(2), change root directory.