Skip to content

Commit 8e0840c

Browse files
committed
Boost ReadOnlyRootFilesystem rule score from 1 to 3
The readOnlyRootFilesystem rule was scored at 1 point, the floor for a positive hardening rule. An immutable root filesystem is a meaningful defense-in-depth control: it raises attacker cost by preventing malicious binaries from being written into PATH and frustrates post-exploitation tooling drops (for example linpeas or peirates) after a remote shell. Raise it to 3, matching the other top container-hardening rules (ServiceAccountName, ApparmorAny). This keeps it at or below RunAsNonRoot's weight, which remains the higher-priority control as it is generally a bigger deal than a read-only rootfs. Updates the affected score assertion in ruleset_test.go (the manifest with readOnlyRootFilesystem + runAsNonRoot now totals 4 instead of 2). Closes #572 Signed-off-by: arpitjain099 <arpitjain099@gmail.com>
1 parent a59caad commit 8e0840c

2 files changed

Lines changed: 3 additions & 3 deletions

File tree

pkg/ruler/ruleset.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -63,7 +63,7 @@ func NewRuleset(logger *zap.SugaredLogger, ruleIDs ...string) (*Ruleset, error)
6363
Selector: "containers[] .securityContext .readOnlyRootFilesystem == true",
6464
Reason: "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost",
6565
Kinds: []string{"Pod", "Deployment", "StatefulSet", "DaemonSet"},
66-
Points: 1,
66+
Points: 3,
6767
Advise: 3,
6868
},
6969
{

pkg/ruler/ruleset_test.go

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -191,8 +191,8 @@ spec:
191191

192192
report := reports[0]
193193

194-
if report.Score != 2 {
195-
t.Errorf("Got score: %d, expected: 2", report.Score)
194+
if report.Score != 4 {
195+
t.Errorf("Got score: %d, expected: 4", report.Score)
196196
}
197197

198198
})

0 commit comments

Comments
 (0)