Comments (4)
Hi @kaz-33
These are all more theoretical linter findings rather than something which would really improve the security here.
But if you can open a PR to change it we'd be happy to have a look and merge it.
- The lurker and parser are already running with a readOnlyRootFilesystem. So the chances for overloading the disk are minimal. We can still limit it further.
- The lurker is running with the default non-root user in the distroless image, which is somewhere in the 60-ish thousand user range. It's not set via the security context but in the image itself, so your linter complains about this somewhat incorrectly.
- The parsers are running with the fixed user id 1001, also set in the image. Increasing it to 10.000 shouldn't hurt.
Code for the lurker container and how it's started is here: https://github.com/secureCodeBox/secureCodeBox/blob/main/operator/controllers/execution/scans/scan_reconciler.go#L292
Parser Container / Job Definition is here: https://github.com/secureCodeBox/secureCodeBox/blob/main/operator/controllers/execution/scans/parse_reconciler.go#L140
from securecodebox.
thx for your response, and what about the service?
v1/Service controller-manager-metrics-service in securecodebox-system
[CRITICAL] Service Targets Pod
· The services selector does not match any pods
from securecodebox.
The service was initially auto generated and then never actually used / properly configured, and can & should be deleted. (And the related resources in the helm chart, anything with auth_proxy in
https://github.com/secureCodeBox/secureCodeBox/tree/main/operator/templates/rbac)
But I don't quite see why the tool marks this as a critical (security) issue. But still helpful to mark this out to be aware of this unnecessary service / config.
from securecodebox.
In additional security info:
- seccompProfile (pod or containers "nmap", "lurker" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
- >>> The parsers are running with the fixed user id 1001 also set in the image. Increasing it to 10.000 shouldn't hurt
  Force the container to run with user ID > 10000 to avoid conflicts with the host's user table. (thx aquasec)
- >>> But I don't quite see why the tool marks this as a critical (security) issue. But still helpful to mark this out to be aware of this unnecessary service / config.
  service-targets-pod Service Makes sure that all Services targets a Pod (Thx Kube-score)
from securecodebox.
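As an added example (not code from the secureCodeBox project or from either commenter), here is a small stand-alone re-check of the findings quoted in this thread, run against constructed Pod and Service manifests. The parser manifests, the image names, the UID threshold and the Service selector are assumptions for illustration; the checks mirror what a linter can see, which is why a user set only in the image is still reported.

```python
MIN_UID = 10000  # Aqua-style threshold from the thread: stay clear of the host's user table


def container_findings(pod: dict) -> list:
    """Re-check the container findings discussed in the thread for one Pod manifest.
    Like the linter, it only sees what the securityContext declares, not the image."""
    findings = []
    pod_sc = pod["spec"].get("securityContext", {})
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        name = c["name"]
        # seccompProfile may be set on the pod or the container; the container level wins
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: securityContext.seccompProfile.type must be RuntimeDefault or Localhost")
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid is None or uid <= MIN_UID:
            findings.append(f"{name}: runAsUser must be declared in securityContext and be > {MIN_UID}")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: readOnlyRootFilesystem should be true")
    return findings


def service_targets_pod(service: dict, pods: list) -> bool:
    """kube-score 'service-targets-pod': the selector must match the labels of at least one Pod."""
    selector = service["spec"].get("selector") or {}
    return bool(selector) and any(
        all(p["metadata"].get("labels", {}).get(k) == v for k, v in selector.items()) for p in pods
    )


# Constructed manifests (assumed, not the project's): a parser pod as described in the thread
# (uid 1001 only set in the image), its hardened counterpart, and an orphaned metrics Service.
PARSER_POD_AS_IS = {"metadata": {"labels": {"app": "parser"}},
                    "spec": {"containers": [{"name": "parser", "image": "example/parser:1",
                                             "securityContext": {"readOnlyRootFilesystem": True}}]}}
PARSER_POD_HARDENED = {"metadata": {"labels": {"app": "parser"}},
                       "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                                "containers": [{"name": "parser", "image": "example/parser:1",
                                                "securityContext": {"runAsUser": 10001,
                                                                    "readOnlyRootFilesystem": True}}]}}
METRICS_SERVICE = {"metadata": {"name": "controller-manager-metrics-service"},
                   "spec": {"selector": {"app": "metrics-proxy"}, "ports": [{"port": 8443}]}}

if __name__ == "__main__":
    for label, pod in (("as-is", PARSER_POD_AS_IS), ("hardened", PARSER_POD_HARDENED)):
        print(label, container_findings(pod) or "no findings")
    print("service targets pod:", service_targets_pod(METRICS_SERVICE, [PARSER_POD_AS_IS]))
```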