Commit 8e0840c
committed
Boost ReadOnlyRootFilesystem rule score from 1 to 3
The readOnlyRootFilesystem rule was scored at 1 point, the floor for a
positive hardening rule. An immutable root filesystem is a meaningful
defense-in-depth control: it raises attacker cost by preventing malicious
binaries from being written into PATH and frustrates post-exploitation
tooling drops (for example linpeas or peirates) after a remote shell.
Raise it to 3, matching the other top container-hardening rules
(ServiceAccountName, ApparmorAny). This keeps it at or below RunAsNonRoot's
weight, which remains the higher-priority control as it is generally a
bigger deal than a read-only rootfs.
Updates the affected score assertion in ruleset_test.go (the manifest with
readOnlyRootFilesystem + runAsNonRoot now totals 4 instead of 2).
Closes #572
Signed-off-by: arpitjain099 <arpitjain099@gmail.com>1 parent a59caad commit 8e0840c
2 files changed
Lines changed: 3 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
63 | 63 | | |
64 | 64 | | |
65 | 65 | | |
66 | | - | |
| 66 | + | |
67 | 67 | | |
68 | 68 | | |
69 | 69 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
191 | 191 | | |
192 | 192 | | |
193 | 193 | | |
194 | | - | |
195 | | - | |
| 194 | + | |
| 195 | + | |
196 | 196 | | |
197 | 197 | | |
198 | 198 | | |
| |||
0 commit comments