Conversation
```yaml
    type: Directory
- name: sys-fs-bpf
  hostPath:
    path: /sys/fs/bpf
```
Pod should not be created with sensitive host file system mount
on resource metadata.name={{postman-insights-agent}}.spec.template.spec.volumes.name={{sys-fs-bpf}}.hostPath.path
More Details
This rule checks whether a Kubernetes pod is mounting a host-sensitive OS directory. This rule fails if at least one `volume` contains a `hostPath.path` that starts with a sensitive directory such as `home`, `boot`, or `root` (see the Rego code for the full list). It is recommended to avoid mounting sensitive directories in read-write mode, as their files can be changed.

> **Note**
> This rule includes a skip condition for managed Kubernetes resources to avoid non-actionable findings due to provider-defined configurations. If you would like to have findings for these resources, you can customize the rule by removing the skip condition.
Expected
Workload name 'postman-insights-agent' of kind 'DaemonSet' should not mount a host sensitive OS directory '/sys/fs/bpf' with hostPath
Found
Workload name 'postman-insights-agent' of kind 'DaemonSet' is mounting a host sensitive OS directory '/sys/fs/bpf' with hostPath
Security Frameworks: wf-id-24, wf-id-105, wf-id-1, wf-id-199
Rule ID: 154c69a0-5907-4f3a-9108-6bd66f42c88b
To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason
If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).
To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate
```yaml
volumes:
- name: host-procfs
  hostPath:
    path: /proc
```
Pod should not be created with sensitive host file system mount
on resource metadata.name={{postman-insights-agent}}.spec.template.spec.volumes.name={{host-procfs}}.hostPath.path
Expected
Workload name 'postman-insights-agent' of kind 'DaemonSet' should not mount a host sensitive OS directory '/proc' with hostPath
Found
Workload name 'postman-insights-agent' of kind 'DaemonSet' is mounting a host sensitive OS directory '/proc' with hostPath
Security Frameworks: wf-id-24, wf-id-105, wf-id-1, wf-id-199
Rule ID: 154c69a0-5907-4f3a-9108-6bd66f42c88b
```yaml
  - mountPath: /tmp/shared
    name: shared-tls-capture
# eCapture sidecar container for HTTPS traffic capture
- name: ecapture-sidecar
```
NET_RAW Capabilities Not Being Dropped
on resource metadata.name={{postman-insights-agent}}.spec.template.spec.containers.name={{ecapture-sidecar}}
More Details
This rule checks whether container configurations explicitly drop the NET_RAW capability in their security context settings. The rule fails when a container does not include either 'ALL' or 'NET_RAW' in its securityContext.capabilities.drop array, or when the capabilities.drop field is missing entirely.

The NET_RAW capability grants containers permission to use raw sockets, allowing them to manipulate network packets at a low level. This powerful capability can be exploited by attackers to perform various network-based attacks from within a container. When a container retains NET_RAW capabilities, it can create specially crafted network packets with spoofed source addresses, potentially leading to network reconnaissance, ARP spoofing, DNS spoofing, and other malicious network activities. These attacks could enable lateral movement within the cluster, interception of sensitive traffic between services, or even attacks on external systems from within the Kubernetes environment. In a compromised container, these capabilities provide attackers with powerful networking tools that significantly expand their ability to pivot through the network and exploit other systems.

Following security best practices and the principle of least privilege, containers should operate with the minimum required capabilities, and dangerous ones like NET_RAW should be explicitly dropped unless absolutely necessary for the application's legitimate functionality.
Expected
metadata.name={{postman-insights-agent}}.spec.template.spec.containers.name={{ecapture-sidecar}}.securityContext.capabilities.drop should be defined
Found
metadata.name={{postman-insights-agent}}.spec.template.spec.containers.name={{ecapture-sidecar}}.securityContext.capabilities.drop is undefined
Security Frameworks: wf-id-199, wf-id-1
Rule ID: 5d05b57c-5735-4445-b85c-f165bcf40d84
```yaml
  namespace: postman-insights-namespace
spec:
  containers:
  - name: nginx
```
NET_RAW Capabilities Not Being Dropped
on resource metadata.name={{test-app}}.spec.containers.name={{nginx}}
Expected
metadata.name={{test-app}}.spec.containers.name={{nginx}}.securityContext.capabilities.drop should be defined
Found
metadata.name={{test-app}}.spec.containers.name={{nginx}}.securityContext.capabilities.drop is undefined
Security Frameworks: wf-id-199, wf-id-1
Rule ID: 5d05b57c-5735-4445-b85c-f165bcf40d84
```yaml
metadata:
  name: test-app
  namespace: postman-insights-namespace
spec:
```
Host Aliases Undefined Or Empty
on resource metadata.name={{test-app}}.spec
More Details
This rule checks if Kubernetes Pod resources have host aliases defined. This rule fails if a Pod specification does not have the hostAliases field defined or if the field is defined but empty. Host aliases allow you to add entries to a Pod's /etc/hosts file, providing custom host-to-IP mappings. Without defined host aliases, pods might rely on external DNS for name resolution, which could lead to DNS spoofing attacks or service disruptions if DNS services are unavailable. It is recommended to define appropriate host aliases for critical services to ensure reliable and secure name resolution within pods.
Expected
metadata.name=test-app.spec.hostAliases is defined
Found
metadata.name=test-app.spec.hostAliases is undefined
Security Frameworks: wf-id-1, wf-id-199
Rule ID: 4ea1c6c1-bb80-457b-a7a5-e3848ef33bad
```yaml
# Required for eBPF programs
- name: sys-kernel-debug
  hostPath:
    path: /sys/kernel/debug
```
Pod should not be created with sensitive host file system mount
on resource metadata.name={{postman-insights-agent}}.spec.template.spec.volumes.name={{sys-kernel-debug}}.hostPath.path
Expected
Workload name 'postman-insights-agent' of kind 'DaemonSet' should not mount a host sensitive OS directory '/sys/kernel/debug' with hostPath
Found
Workload name 'postman-insights-agent' of kind 'DaemonSet' is mounting a host sensitive OS directory '/sys/kernel/debug' with hostPath
Security Frameworks: wf-id-24, wf-id-105, wf-id-1, wf-id-199
Rule ID: 154c69a0-5907-4f3a-9108-6bd66f42c88b
```yaml
    type: Directory
- name: host-netns
  hostPath:
    path: /var/run/netns
```
Pod should not be created with sensitive host file system mount
on resource metadata.name={{postman-insights-agent}}.spec.template.spec.volumes.name={{host-netns}}.hostPath.path
Expected
Workload name 'postman-insights-agent' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/run/netns' with hostPath
Found
Workload name 'postman-insights-agent' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/run/netns' with hostPath
Security Frameworks: wf-id-24, wf-id-105, wf-id-1, wf-id-199
Rule ID: 154c69a0-5907-4f3a-9108-6bd66f42c88b
```yaml
    type: Directory
- name: containerdsocket
  hostPath:
    path: /var/run/containerd/containerd.sock
```
Pod should not be created with sensitive host file system mount
on resource metadata.name={{postman-insights-agent}}.spec.template.spec.volumes.name={{containerdsocket}}.hostPath.path
Expected
Workload name 'postman-insights-agent' of kind 'DaemonSet' should not mount a host sensitive OS directory '/var/run/containerd/containerd.sock' with hostPath
Found
Workload name 'postman-insights-agent' of kind 'DaemonSet' is mounting a host sensitive OS directory '/var/run/containerd/containerd.sock' with hostPath
Security Frameworks: wf-id-24, wf-id-105, wf-id-1, wf-id-199
Rule ID: 154c69a0-5907-4f3a-9108-6bd66f42c88b
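The two checks raised across this thread (the sensitive hostPath rule and the NET_RAW rule) re-implemented as a stand-alone policy check with a remediation pass, as an added example: this is neither Wiz's Rego nor the PR's own manifests. The manifests in the block are constructed dicts mirroring the volumes and containers flagged above (which container mounts which volume is an assumption), `SENSITIVE_ROOTS` is an assumed list standing in for the Rego list the bot refers to, and `EBPF_CAPS` is what an eBPF-based capture program is assumed to need once `ALL` is dropped, not anything eCapture itself documents.

```python
"""Added example: the two Wiz checks raised in this thread (sensitive hostPath
mounts, NET_RAW not dropped) re-implemented stand-alone, plus a remediation
pass. Not Wiz's Rego and not the PR's manifests; roots and caps are assumed."""
import copy

# Assumed host-owned roots; the Wiz rule keeps its own list in Rego.
SENSITIVE_ROOTS = ("/boot", "/dev", "/etc", "/home", "/proc", "/root",
                   "/run", "/sys", "/usr", "/var")
# Assumed minimum for an eBPF capture sidecar once ALL is dropped.
EBPF_CAPS = ["BPF", "PERFMON", "SYS_PTRACE", "SYS_RESOURCE"]


def _under(path, root):
    """Component-aware prefix test: /sysfoo is not under /sys."""
    return path == root or path.startswith(root + "/")


def pod_spec(manifest):
    """PodSpec of a bare Pod or of a templated workload (DaemonSet etc.)."""
    spec = manifest["spec"]
    return spec if manifest["kind"] == "Pod" else spec["template"]["spec"]


def containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def check_host_paths(manifest):
    """One finding per hostPath volume under a sensitive root; read_write is
    True if any container mounts it without readOnly (the bot's caveat)."""
    spec = pod_spec(manifest)
    rw = {m["name"] for c in containers(spec)
          for m in c.get("volumeMounts", []) if not m.get("readOnly")}
    found = []
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path and (path == "/" or any(_under(path, r) for r in SENSITIVE_ROOTS)):
            found.append({"volume": vol["name"], "path": path,
                          "read_write": vol["name"] in rw})
    return found


def check_net_raw(manifest):
    """Containers whose capabilities.drop names neither ALL nor NET_RAW."""
    bad = []
    for c in containers(pod_spec(manifest)):
        drop = c.get("securityContext", {}).get("capabilities", {}).get("drop", [])
        if not {"ALL", "NET_RAW"} & {d.upper() for d in drop}:
            bad.append(c["name"])
    return bad


def harden(manifest, rw_allow=(), ebpf_containers=()):
    """Copy with ALL dropped in every container, EBPF_CAPS added back only to
    ebpf_containers, and hostPath mounts readOnly unless listed in rw_allow."""
    m = copy.deepcopy(manifest)
    spec = pod_spec(m)
    host_vols = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    for c in containers(spec):
        caps = c.setdefault("securityContext", {}).setdefault("capabilities", {})
        caps["drop"] = ["ALL"]
        if c["name"] in ebpf_containers:
            caps["add"] = list(EBPF_CAPS)
        else:
            caps.pop("add", None)
        for mnt in c.get("volumeMounts", []):
            if mnt["name"] in host_vols and mnt["name"] not in rw_allow:
                mnt["readOnly"] = True
    return m


# Constructed manifests mirroring the DaemonSet and test Pod flagged above;
# which container mounts which volume is assumed.
AGENT = {"kind": "DaemonSet", "metadata": {"name": "postman-insights-agent"},
  "spec": {"template": {"spec": {
    "containers": [
      {"name": "postman-insights-agent",
       "securityContext": {"capabilities": {"drop": ["ALL"]}},
       "volumeMounts": [
         {"name": "containerdsocket", "mountPath": "/var/run/containerd/containerd.sock"},
         {"name": "shared-tls-capture", "mountPath": "/tmp/shared"}]},
      {"name": "ecapture-sidecar",
       "volumeMounts": [
         {"name": "sys-fs-bpf", "mountPath": "/sys/fs/bpf"},
         {"name": "host-procfs", "mountPath": "/proc"},
         {"name": "sys-kernel-debug", "mountPath": "/sys/kernel/debug"},
         {"name": "host-netns", "mountPath": "/var/run/netns"}]}],
    "volumes": [
      {"name": "sys-fs-bpf", "hostPath": {"path": "/sys/fs/bpf", "type": "Directory"}},
      {"name": "host-procfs", "hostPath": {"path": "/proc"}},
      {"name": "sys-kernel-debug", "hostPath": {"path": "/sys/kernel/debug"}},
      {"name": "host-netns", "hostPath": {"path": "/var/run/netns", "type": "Directory"}},
      {"name": "containerdsocket",
       "hostPath": {"path": "/var/run/containerd/containerd.sock"}},
      {"name": "shared-tls-capture", "emptyDir": {}}]}}}}
TEST_APP = {"kind": "Pod", "metadata": {"name": "test-app"},
            "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}}

if __name__ == "__main__":
    for m in (AGENT, TEST_APP):
        print(m["metadata"]["name"], check_host_paths(m), check_net_raw(m))
    fixed = harden(AGENT, rw_allow={"sys-fs-bpf"}, ebpf_containers={"ecapture-sidecar"})
    print("hardened:", check_net_raw(fixed), [f for f in check_host_paths(fixed) if f["read_write"]])
```

The hostPath rule keys on the path prefix alone, so `readOnly: true` clears the bot's read-write caveat but not the finding, and for `/var/run/containerd/containerd.sock` it changes little in practice: a process that can connect to the runtime socket can create containers on the node with whatever mounts it likes, so the mount itself is what has to be justified. Whether `/sys/fs/bpf` can be read-only depends on whether the sidecar pins maps there, which is why `rw_allow` is left to the caller rather than guessed.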
No description provided.