yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container

Author: semgrep
Download count: 418

Container $CONTAINER is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily, consider using a tmpfs. Add 'readOnlyRootFilesystem: true' to this container to prevent this.

Definition

rules:
  - id: writable-filesystem-container
    patterns:
      - pattern-inside: |
          containers:
            ...
      - pattern-inside: |
          - name: $CONTAINER
            ...
      - pattern: |
          image: ...
          ...
      - pattern-not: |
          image: ...
          ...
          securityContext:
            ...
            readOnlyRootFilesystem: true
      - focus-metavariable: $CONTAINER
    message: "Container $CONTAINER is running with a writable root filesystem. This
      may allow malicious applications to download and run additional payloads,
      or modify container files. If an application inside a container has to
      save something temporarily consider using a tmpfs. Add
      'readOnlyRootFilesystem: true' to this container to prevent this."
    metadata:
      cwe:
        - "CWE-732: Incorrect Permission Assignment for Critical Resource"
      owasp:
        - A05:2021 - Security Misconfiguration
        - A06:2017 - Security Misconfiguration
      references:
        - https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems
        - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
        - https://blog.atomist.com/security-of-docker-kubernetes/
        - https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only
      category: security
      technology:
        - kubernetes
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
    languages:
      - yaml
    severity: WARNING

Examples

writable-filesystem-container.test.yaml

apiVersion: v1
kind: Pod
spec:
  containers:
    # ruleid: writable-filesystem-container
    - name: nginx
      image: nginx
    # ruleid: writable-filesystem-container
    - name: postgres
      image: postgres
      securityContext:
        runAsUser: 1000
        runAsGroup: 3000
        fsGroup: 2000
    # ruleid: writable-filesystem-container
    - name: redis
      image: redis
      securityContext:
        readOnlyRootFilesystem: false
    # ok: writable-filesystem-container
    - name: haproxy
      image: haproxy
      securityContext:
        readOnlyRootFilesystem: true
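The rule's match logic and its recommended fix, as an added example that is not part of the Semgrep rule or its test file: a Python check over an already-parsed manifest that flags containers the same way the rule does (missing securityContext, missing key, or explicit false), extended to initContainers, which the rule's `containers:` pattern does not match, plus a harden() helper that sets readOnlyRootFilesystem: true and mounts a memory-backed emptyDir (Kubernetes' tmpfs) for scratch writes. The function names and the sample manifest are constructed for this example.

```python
# Added example, not part of the Semgrep rule or its test file: the rule's
# match logic re-implemented over parsed manifests (plain dicts, so no YAML
# library is needed), plus the remediation the rule message recommends.

def pod_specs(manifest: dict) -> list[dict]:
    """PodSpec of a bare Pod, or spec.template.spec of a Deployment/DaemonSet/Job."""
    spec = manifest.get("spec", {})
    if "containers" in spec:
        return [spec]
    tmpl = spec.get("template", {}).get("spec", {})
    return [tmpl] if "containers" in tmpl else []

def writable_root_containers(manifest: dict) -> list[str]:
    """Names of containers not declared with readOnlyRootFilesystem: true.
    As in the rule, a missing securityContext, a missing key and an explicit
    false all count as writable. Unlike the rule, initContainers are checked too."""
    findings = []
    for spec in pod_specs(manifest):
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            sc = c.get("securityContext") or {}
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append(c["name"])
    return findings

def harden(container: dict, scratch_path: str = "/tmp") -> tuple[dict, dict]:
    """Hardened copy of a container plus the pod-level volume it needs:
    root filesystem read-only, with a memory-backed emptyDir (Kubernetes'
    tmpfs) mounted at scratch_path for the temporary writes the app still does."""
    vol_name = f"{container['name']}-scratch"
    hardened = dict(container)
    hardened["securityContext"] = {**(container.get("securityContext") or {}),
                                   "readOnlyRootFilesystem": True}
    hardened["volumeMounts"] = list(container.get("volumeMounts", [])) + [
        {"name": vol_name, "mountPath": scratch_path}]
    return hardened, {"name": vol_name, "emptyDir": {"medium": "Memory"}}

# Constructed sample mirroring the test manifest on this page.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "spec": {"containers": [
        {"name": "nginx", "image": "nginx"},
        {"name": "redis", "image": "redis",
         "securityContext": {"readOnlyRootFilesystem": False}},
        {"name": "haproxy", "image": "haproxy",
         "securityContext": {"readOnlyRootFilesystem": True}},
    ]},
}

if __name__ == "__main__":
    for name in writable_root_containers(SAMPLE_POD):
        print(f"{name}: writable root filesystem")  # nginx, redis
```

The returned volume must be added to the pod's `spec.volumes` alongside the hardened container; a read-only root with no scratch mount will break applications that write to /tmp or a cache directory at runtime.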