fix: updated remediation for compliance and config audit (#1841)

* fix: updated remediation for compliance and config audit

Signed-off-by: chenk <hen.keinan@gmail.com>

* fix: updated remediation for compliance and config audit

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>

pkg/apis/aquasecurity/v1alpha1/compliance_types.go

@@ -216,6 +216,7 @@ func FromDetailReport(sr *report.ComplianceReport) *ComplianceReport {
 					Description: ms.Description,
 					Severity:    Severity(ms.Severity),
 					Category:    "Kubernetes Security Check",
+					Remediation: ms.Resolution,
 					Messages:    []string{ms.Message},
 					Success:     false,
 				})

pkg/compliance/io.go

@@ -170,6 +170,7 @@ func reportsToResults(checks []v1alpha1.Check, name string, namespace string) tt
 				Title:       check.Title,
 				Description: check.Description,
 				Message:     check.Description,
+				Resolution:  check.Remediation,
 				Severity:    string(check.Severity),
 				Status:      status,
 			},

pkg/configauditreport/controller/resource.go

@@ -363,8 +363,9 @@ func getCheck(result scan.Result, id string) v1alpha1.Check {
 		Severity:    v1alpha1.Severity(result.Rule().Severity),
 		Category:    "Kubernetes Security Check",
 
-		Success:  result.Status() == scan.StatusPassed,
-		Messages: []string{result.Description()},
+		Success:     result.Status() == scan.StatusPassed,
+		Messages:    []string{result.Description()},
+		Remediation: result.Rule().Resolution,
 	}
 }
 

pkg/operator/envtest/testdata/fixture/api-server-infraassessmentreport-expected.yaml

@@ -17,92 +17,120 @@ metadata:
       uid: null
 report:
   checks:
-    - category: Kubernetes Security Check
-      checkID: KCV0022
-      description: Rotate log files on reaching 100 MB or as appropriate.
+    - checkID: KCV0001
+      title: Ensure that the --anonymous-auth argument is set to false
+      description: Disable anonymous requests to the API server.
+      severity: MEDIUM
+      category: Kubernetes Security Check
       messages:
-        - Ensure that the --audit-log-maxsize argument is set to 100 or as
-          appropriate
-      severity: LOW
+        - Ensure that the --anonymous-auth argument is set to false
+      remediation: Set '--anonymous-auth' to 'false'.
       success: false
-      title: Ensure that the --audit-log-maxsize argument is set to 100 or as
+    - checkID: KCV0006
+      title: Ensure that the --kubelet-certificate-authority argument is set as
         appropriate
-    - category: Kubernetes Security Check
-      checkID: KCV0006
       description: Verify kubelet's certificate before establishing connection.
+      severity: LOW
+      category: Kubernetes Security Check
       messages:
         - Ensure that the --kubelet-certificate-authority argument is set as
           appropriate
-      severity: LOW
+      remediation: "Follow the Kubernetes documentation and setup the TLS connection
+        between the apiserver and kubelets. "
       success: false
-      title: Ensure that the --kubelet-certificate-authority argument is set as
-        appropriate
-    - category: Kubernetes Security Check
-      checkID: KCV0001
-      description: Disable anonymous requests to the API server.
+    - checkID: KCV0010
+      title: Ensure that the admission control plugin EventRateLimit is set
+      description: Limit the rate at which the API server accepts requests.
+      severity: LOW
+      category: Kubernetes Security Check
       messages:
-        - Ensure that the --anonymous-auth argument is set to false
-      severity: MEDIUM
+        - Ensure that the admission control plugin EventRateLimit is set
+      remediation: Follow the Kubernetes documentation and set the desired limits in a
+        configuration file. Then, edit the API server pod specification file
+        /etc/kubernetes/manifests/kube-apiserver.yaml and set the below
+        parameters.
       success: false
-      title: Ensure that the --anonymous-auth argument is set to false
-    - category: Kubernetes Security Check
-      checkID: KCV0020
-      description: Retain the logs for at least 30 days or as appropriate.
+    - checkID: KCV0013
+      title: Ensure that the admission control plugin SecurityContextDeny is set if
+        PodSecurityPolicy is not used
+      description: The SecurityContextDeny admission controller can be used to deny
+        pods which make use of some SecurityContext fields which could allow for
+        privilege escalation in the cluster. This should be used where
+        PodSecurityPolicy is not in place within the cluster.
+      severity: LOW
+      category: Kubernetes Security Check
       messages:
-        - Ensure that the --audit-log-maxage argument is set to 30 or as
-          appropriate
+        - Ensure that the admission control plugin SecurityContextDeny is set if
+          PodSecurityPolicy is not used
+      remediation: Edit the API server pod specification file
+        /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node
+        and set the --enable-admission-plugins parameter to include
+        SecurityContextDeny, unless PodSecurityPolicy is already in place.
+      success: false
+    - checkID: KCV0018
+      title: Ensure that the --profiling argument is set to false
+      description: Disable profiling, if not needed.
       severity: LOW
+      category: Kubernetes Security Check
+      messages:
+        - Ensure that the --profiling argument is set to false
+      remediation: Edit the API server pod specification file
+        /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node
+        and set the below parameter.
       success: false
-      title: Ensure that the --audit-log-maxage argument is set to 30 or as
-        appropriate
-    - category: Kubernetes Security Check
-      checkID: KCV0019
+    - checkID: KCV0019
+      title: Ensure that the --audit-log-path argument is set
       description: Enable auditing on the Kubernetes API Server and set the desired
         audit log path.
+      severity: LOW
+      category: Kubernetes Security Check
       messages:
         - Ensure that the --audit-log-path argument is set
-      severity: LOW
+      remediation: Edit the API server pod specification file
+        /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node
+        and set the --audit-log-path parameter.
       success: false
-      title: Ensure that the --audit-log-path argument is set
-    - category: Kubernetes Security Check
-      checkID: KCV0018
-      description: Disable profiling, if not needed.
-      messages:
-        - Ensure that the --profiling argument is set to false
+    - checkID: KCV0020
+      title: Ensure that the --audit-log-maxage argument is set to 30 or as
+        appropriate
+      description: Retain the logs for at least 30 days or as appropriate.
       severity: LOW
+      category: Kubernetes Security Check
+      messages:
+        - Ensure that the --audit-log-maxage argument is set to 30 or as
+          appropriate
+      remediation: Edit the API server pod specification file
+        /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node
+        and set the --audit-log-maxage parameter to 30 or as an appropriate
+        number of days.
       success: false
-      title: Ensure that the --profiling argument is set to false
-    - category: Kubernetes Security Check
-      checkID: KCV0021
+    - checkID: KCV0021
+      title: Ensure that the --audit-log-maxbackup argument is set to 10 or as
+        appropriate
       description: Retain 10 or an appropriate number of old log files.
+      severity: LOW
+      category: Kubernetes Security Check
       messages:
         - Ensure that the --audit-log-maxbackup argument is set to 10 or as
           appropriate
-      severity: LOW
+      remediation: Edit the API server pod specification file
+        /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node
+        and set the --audit-log-maxbackup parameter to 10 or to an appropriate
+        value.
       success: false
-      title: Ensure that the --audit-log-maxbackup argument is set to 10 or as
+    - checkID: KCV0022
+      title: Ensure that the --audit-log-maxsize argument is set to 100 or as
         appropriate
-    - category: Kubernetes Security Check
-      checkID: KCV0010
-      description: Limit the rate at which the API server accepts requests.
-      messages:
-        - Ensure that the admission control plugin EventRateLimit is set
+      description: Rotate log files on reaching 100 MB or as appropriate.
       severity: LOW
-      success: false
-      title: Ensure that the admission control plugin EventRateLimit is set
-    - category: Kubernetes Security Check
-      checkID: KCV0013
-      description: The SecurityContextDeny admission controller can be used to deny
-        pods which make use of some SecurityContext fields which could allow for
-        privilege escalation in the cluster. This should be used where
-        PodSecurityPolicy is not in place within the cluster.
+      category: Kubernetes Security Check
       messages:
-        - Ensure that the admission control plugin SecurityContextDeny is set if
-          PodSecurityPolicy is not used
-      severity: LOW
+        - Ensure that the --audit-log-maxsize argument is set to 100 or as
+          appropriate
+      remediation: Edit the API server pod specification file
+        /etc/kubernetes/manifests/kube-apiserver.yaml on the Control Plane node
+        and set the --audit-log-maxsize parameter to an appropriate size in MB
       success: false
-      title: Ensure that the admission control plugin SecurityContextDeny is set if
-        PodSecurityPolicy is not used
   scanner:
     name: Trivy
     vendor: Aqua Security

pkg/operator/envtest/testdata/fixture/cronjob-configauditreport-expected.yaml

@@ -39,6 +39,7 @@ report:
       messages:
         - Container 'hello' of CronJob 'hello' should set
           'securityContext.allowPrivilegeEscalation' to false
+      remediation: Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.
       success: false
     - checkID: KSV003
       title: "Default capabilities: some containers do not drop all"
@@ -49,6 +50,7 @@ report:
       messages:
         - Container 'hello' of CronJob 'hello' should add 'ALL' to
           'securityContext.capabilities.drop'
+      remediation: Add 'ALL' to containers[].securityContext.capabilities.drop.
       success: false
     - checkID: KSV011
       title: CPU not limited
@@ -57,6 +59,7 @@ report:
       category: Kubernetes Security Check
       messages:
         - Container 'hello' of CronJob 'hello' should set 'resources.limits.cpu'
+      remediation: Set a limit value under 'containers[].resources.limits.cpu'.
       success: false
     - checkID: KSV012
       title: Runs as root user
@@ -67,49 +70,51 @@ report:
       messages:
         - Container 'hello' of CronJob 'hello' should set
           'securityContext.runAsNonRoot' to true
+      remediation: Set 'containers[].securityContext.runAsNonRoot' to true.
       success: false
     - checkID: KSV014
       title: Root file system is not read-only
       description: An immutable root file system prevents applications from writing to
-        their local disk. This can limit intrusions, as attackers will not be
-        able to tamper with the file system or write foreign executables to
-        disk.
+        their local disk. This can limit intrusions, as attackers will not be able
+        to tamper with the file system or write foreign executables to disk.
       severity: LOW
       category: Kubernetes Security Check
       messages:
         - Container 'hello' of CronJob 'hello' should set
           'securityContext.readOnlyRootFilesystem' to true
+      remediation: Change 'containers[].securityContext.readOnlyRootFilesystem' to 'true'.
       success: false
     - checkID: KSV015
       title: CPU requests not specified
       description: When containers have resource requests specified, the scheduler can
-        make better decisions about which nodes to place pods on, and how to
-        deal with resource contention.
+        make better decisions about which nodes to place pods on, and how to deal
+        with resource contention.
       severity: LOW
       category: Kubernetes Security Check
       messages:
-        - Container 'hello' of CronJob 'hello' should set
-          'resources.requests.cpu'
+        - Container 'hello' of CronJob 'hello' should set 'resources.requests.cpu'
+      remediation: Set 'containers[].resources.requests.cpu'.
       success: false
     - checkID: KSV016
       title: Memory requests not specified
       description: When containers have memory requests specified, the scheduler can
-        make better decisions about which nodes to place pods on, and how to
-        deal with resource contention.
+        make better decisions about which nodes to place pods on, and how to deal
+        with resource contention.
       severity: LOW
       category: Kubernetes Security Check
       messages:
         - Container 'hello' of CronJob 'hello' should set
           'resources.requests.memory'
+      remediation: Set 'containers[].resources.requests.memory'.
       success: false
     - checkID: KSV018
       title: Memory not limited
       description: Enforcing memory limits prevents DoS via resource exhaustion.
       severity: LOW
       category: Kubernetes Security Check
       messages:
-        - Container 'hello' of CronJob 'hello' should set
-          'resources.limits.memory'
+        - Container 'hello' of CronJob 'hello' should set 'resources.limits.memory'
+      remediation: Set a limit value under 'containers[].resources.limits.memory'.
       success: false
     - checkID: KSV020
       title: Runs with UID <= 10000
@@ -120,6 +125,7 @@ report:
       messages:
         - Container 'hello' of CronJob 'hello' should set
           'securityContext.runAsUser' > 10000
+      remediation: Set 'containers[].securityContext.runAsUser' to an integer > 10000.
       success: false
     - checkID: KSV021
       title: Runs with GID <= 10000
@@ -130,6 +136,7 @@ report:
       messages:
         - Container 'hello' of CronJob 'hello' should set
           'securityContext.runAsGroup' > 10000
+      remediation: Set 'containers[].securityContext.runAsGroup' to an integer > 10000.
       success: false
     - checkID: KSV030
       title: Runtime/Default Seccomp profile not set
@@ -138,8 +145,12 @@ report:
       severity: LOW
       category: Kubernetes Security Check
       messages:
-        - Either Pod or Container should set
-          'securityContext.seccompProfile.type' to 'RuntimeDefault'
+        - Either Pod or Container should set 'securityContext.seccompProfile.type'
+          to 'RuntimeDefault'
+      remediation: Set 'spec.securityContext.seccompProfile.type',
+        'spec.containers[*].securityContext.seccompProfile' and
+        'spec.initContainers[*].securityContext.seccompProfile' to
+        'RuntimeDefault' or undefined.
       success: false
     - checkID: KSV104
       title: Seccomp policies disabled
@@ -149,6 +160,8 @@ report:
       messages:
         - container hello of cronjob hello in default namespace should specify a
           seccomp profile
+      remediation: Specify seccomp either by annotation or by seccomp profile type
+        having allowed values as per pod security standards
       success: false
     - checkID: KSV106
       title: Container capabilities must only include NET_BIND_SERVICE
@@ -158,6 +171,9 @@ report:
       category: Kubernetes Security Check
       messages:
         - container should drop all
+      remediation: Set 'spec.containers[*].securityContext.capabilities.drop' to 'ALL'
+        and only add 'NET_BIND_SERVICE' to
+        'spec.containers[*].securityContext.capabilities.add'.
       success: false
     - checkID: KSV110
       title: Workloads in the default namespace
@@ -167,19 +183,21 @@ report:
       messages:
         - cronjob hello in default namespace should set metadata.namespace to a
           non-default namespace
+      remediation: Set 'metadata.namespace' to a non-default namespace.
       success: false
     - checkID: KSV116
       title: Runs with a root primary or supplementary GID
       description: According to pod security standard 'Non-root groups', containers
-        should be forbidden from running with a root primary or supplementary
-        GID.
+        should be forbidden from running with a root primary or supplementary GID.
       severity: LOW
       category: Kubernetes Security Check
       messages:
         - cronjob hello in default namespace should set
           spec.securityContext.runAsGroup,
           spec.securityContext.supplementalGroups[*] and
           spec.securityContext.fsGroup to integer greater than 0
+      remediation: Set 'containers[].securityContext.runAsGroup' to a non-zero integer
+        or leave undefined.
       success: false
     - checkID: KSV118
       title: Default security context configured
@@ -192,4 +210,8 @@ report:
       messages:
         - cronjob hello in default namespace is using the default security
           context, which allows root privileges
+      remediation: To enhance security, it is strongly recommended not to rely on the
+        default security context. Instead, it is advisable to explicitly define
+        the required security parameters (such as runAsNonRoot, capabilities,
+        readOnlyRootFilesystem, etc.) within the security context.
       success: false