Improve privilage escalation remediation message (#534)

stackrox · Apr 11, 2023 · 94bb6f9 · 94bb6f9
1 parent 68b3287
commit 94bb6f9
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 6 deletions.
diff --git a/docs/generated/checks.md b/docs/generated/checks.md
@@ -434,7 +434,7 @@ strategyTypeRegex: ^(RollingUpdate|Rolling)$
 
 **Description**: Alert on containers of allowing privilege escalation that could gain more privileges than its parent process.
 
-**Remediation**: Ensure containers do not allow privilege escalation by setting allowPrivilegeEscalation=false." See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for more details.
+**Remediation**: Ensure containers do not allow privilege escalation by setting allowPrivilegeEscalation=false, privileged=false and removing CAP_SYS_ADMIN capability. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for more details.
 
 **Template**: [privilege-escalation-container](templates.md#privilege-escalation-on-containers)
 ## privileged-container

diff --git a/pkg/builtinchecks/yamls/privilege-escalation.yaml b/pkg/builtinchecks/yamls/privilege-escalation.yaml
@@ -1,7 +1,8 @@
 name: "privilege-escalation-container"
 description: "Alert on containers of allowing privilege escalation that could gain more privileges than its parent process."
 remediation: >-
-  Ensure containers do not allow privilege escalation by setting allowPrivilegeEscalation=false."
+  Ensure containers do not allow privilege escalation by setting
+  allowPrivilegeEscalation=false, privileged=false and removing CAP_SYS_ADMIN capability.
   See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for more details.
 scope:
   objectKinds:

diff --git a/pkg/templates/privilegeescalation/template.go b/pkg/templates/privilegeescalation/template.go
@@ -37,12 +37,12 @@ func init() {
 					return []diagnostic.Diagnostic{{Message: fmt.Sprintf("container %q has AllowPrivilegeEscalation set to true.", container.Name)}}
 				}
 				if securityContext.Privileged != nil && *securityContext.Privileged {
-					return []diagnostic.Diagnostic{{Message: fmt.Sprintf("container %q is Privileged and allows privilege escalation.", container.Name)}}
+					return []diagnostic.Diagnostic{{Message: fmt.Sprintf("container %q is Privileged hence allows privilege escalation.", container.Name)}}
 				}
 				if securityContext.Capabilities != nil {
-					for _, cap := range securityContext.Capabilities.Add {
-						if cap == v1.Capability(sysAdminCapability) {
-							return []diagnostic.Diagnostic{{Message: fmt.Sprintf("container %q has SYS_ADMIN capability and allows privilege escalation.", container.Name)}}
+					for _, capability := range securityContext.Capabilities.Add {
+						if capability == sysAdminCapability {
+							return []diagnostic.Diagnostic{{Message: fmt.Sprintf("container %q has SYS_ADMIN capability hence allows privilege escalation.", container.Name)}}
 						}
 					}
 				}