Boost ReadOnlyRootFilesystem rule score from 1 to 3#728
Open
arpitjain099 wants to merge 1 commit into
Open
Conversation
The readOnlyRootFilesystem rule was scored at 1 point, the floor for a positive hardening rule. An immutable root filesystem is a meaningful defense-in-depth control: it raises attacker cost by preventing malicious binaries from being written into PATH and frustrates post-exploitation tooling drops (for example linpeas or peirates) after a remote shell. Raise it to 3, matching the other top container-hardening rules (ServiceAccountName, ApparmorAny). This keeps it at or below RunAsNonRoot's weight, which remains the higher-priority control as it is generally a bigger deal than a read-only rootfs. Updates the affected score assertion in ruleset_test.go (the manifest with readOnlyRootFilesystem + runAsNonRoot now totals 4 instead of 2). Closes controlplaneio#572 Signed-off-by: arpitjain099 <arpitjain099@gmail.com>
a50ac65 to
8e0840c
Compare
Author
|
Rebased onto master. The conflict was the NewRuleset refactor; re-applied the one change (ReadOnlyRootFilesystem Points 1 -> 3) on top of the new structure. Builds and the ruler tests pass. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Raises the
ReadOnlyRootFilesystemrule score fromPoints: 1toPoints: 3.Closes #572
Why
In #572 a maintainer agreed the rule is scored too low:
An immutable root filesystem is a real defense-in-depth control: it raises attacker cost by preventing malicious binaries from being written into PATH and makes it harder to stage post-exploitation tooling (linpeas, peirates, etc.) after gaining a shell, as called out in the issue thread.
Chosen value: 3 (not higher)
1is the floor for a positive hardening rule, so it understates the control. I picked3because:ServiceAccountNameandApparmorAnyare bothPoints: 3), so the rule is now weighted alongside its peers rather than sitting at the floor.RunAsNonRoot's weight, honoring the maintainer's point that running as non-root is the bigger deal.RunAsNonRootkeepsAdvise: 10(the highest advisory weight), so it remains the more strongly recommended control.This is a conservative, defensible boost rather than an arbitrary large bump.
Tests
pkg/ruler/ruleset_test.go: the manifest combiningreadOnlyRootFilesystem: truewithrunAsNonRoot: truenow totals4(3 + 1) instead of2..batsintegration assertions for read-only rootfs (score-1-dep-ro-root-fs.yml) use sign-based checks (assert_gt_zero_points) and the per-element ordering tests assert integer-and-descending, all of which still hold with the new value, so no.batschange is needed. Thescore-N-*.ymlasset filenames are descriptive labels, not asserted totals.go build ./...andgo test ./...both pass.Before / after
A deployment whose only hardening is
readOnlyRootFilesystem: true:score=1,ReadOnlyRootFilesystem points=1score=3,ReadOnlyRootFilesystem points=3