| Property | |
|---|---|
| Language | |
| Severity | |
Description
Ensure that the scheduler config file ownership is set to root:root.
Resolution
Change the scheduler config file /etc/kubernetes/scheduler.conf ownership to root:root
| Property | |
|---|---|
| Language | |
| Severity | |
The Kubernetes scheduler configuration file (/etc/kubernetes/scheduler.conf) has permissions more permissive than 600, so users other than its owner can read, modify, or overwrite it. The file is a kubeconfig holding the scheduler's client credentials for the API server together with its connection settings, so any local user with access beyond the owner can obtain them.
If exploited, a local user who can read the file obtains the scheduler's credentials and can act as the scheduler against the API server; one who can write it can alter the scheduler's configuration, for example pointing it at a different API endpoint. Either outcome can compromise cluster operations, enable privilege escalation, or disrupt scheduling, leading to cluster-wide security breaches or outages.
| Property | |
|---|---|
| Language | |
| Severity | |
Ensure that the scheduler pod specification file ownership is set to root:root.
Change the scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml ownership to root:root
| Property | |
|---|---|
| Language | |
| Severity | |
Ensure that the scheduler pod specification file has permissions of 600 or more restrictive.
Change the scheduler pod specification file /etc/kubernetes/manifests/kube-scheduler.yaml permissions to 600 or more restrictive
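The four scheduler-file checks above (scheduler.conf and kube-scheduler.yaml, ownership root:root and mode 600 or stricter) reduce to the same two stat comparisons, so one audit-and-fix script covers all of them. This is an added example, not code from the original page or from any benchmark tool; the script name `scheduler_files.py`, the `--fix` flag and the PASS/FAIL output format are this example's own choices. Run it as root on a control-plane node; anywhere else the default paths are simply reported as not present.

```python
import os
import stat
import sys
from typing import Dict, List

# Files named by the checks above (kubeadm control-plane node paths).
DEFAULT_PATHS = [
    "/etc/kubernetes/scheduler.conf",
    "/etc/kubernetes/manifests/kube-scheduler.yaml",
]


def mode_is_restrictive(mode: int, max_mode: int = 0o600) -> bool:
    """True when the permission bits in `mode` are a subset of `max_mode`.

    "600 or more restrictive" means no bit outside owner read/write may be set:
    0600, 0400, 0200 and 0000 pass; 0640, 0700, 0644 and any file with a
    setuid/setgid/sticky bit fail. stat.S_IMODE strips the file-type bits first.
    """
    perm = stat.S_IMODE(mode)
    return perm & (0o7777 & ~max_mode) == 0


def audit_file(path: str, uid: int = 0, gid: int = 0) -> Dict[str, object]:
    """Check one file for owner uid:gid and a 0600-or-stricter mode.

    Returns {"path", "missing", "findings"}; an empty findings list means pass.
    lstat is used so a symlink dropped into /etc/kubernetes is reported as such
    rather than silently audited through to its target.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return {"path": path, "missing": True, "findings": []}
    findings: List[str] = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink, expected a regular file")
    if (st.st_uid, st.st_gid) != (uid, gid):
        findings.append(f"owner is {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    if not mode_is_restrictive(st.st_mode):
        findings.append(f"mode is {stat.S_IMODE(st.st_mode):04o}, expected 0600 or more restrictive")
    return {"path": path, "missing": False, "findings": findings}


def remediate_file(path: str, uid: int = 0, gid: int = 0) -> None:
    """Apply the resolutions above: chown uid:gid (root:root by default) and chmod 600."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise ValueError(f"{path} is a symlink; replace it with a regular file instead of fixing its target")
    os.chown(path, uid, gid)
    os.chmod(path, 0o600)


def main(argv: List[str]) -> int:
    """Usage: python scheduler_files.py [--fix] [PATH ...]   (as root on a control-plane node)."""
    fix = "--fix" in argv
    paths = [a for a in argv if a != "--fix"] or DEFAULT_PATHS
    rc = 0
    for path in paths:
        result = audit_file(path)
        if result["missing"]:
            print(f"SKIP {path}: not present (not a kubeadm control-plane node?)")
            continue
        if not result["findings"]:
            print(f"PASS {path}")
            continue
        rc = 1
        for finding in result["findings"]:
            print(f"FAIL {path}: {finding}")
        if fix:
            remediate_file(path)
            print(f"FIXED {path}: now root:root, mode 0600")
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The mode test is a bit-mask rather than a numeric comparison on purpose: 0640 is numerically larger than 0600 but 0700 is too, and a plain `mode <= 0o600` would wrongly accept 0500 while rejecting nothing that grants group or other access in the 06xx range differently from what is intended. Masking against everything outside owner read/write is exactly what "600 or more restrictive" means.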
| Property | |
|---|---|
| Language | |
| Severity | |
| Service | monitor |
| Provider | Azure |
| Vulnerability Type | misconfiguration |
The log retention period for Azure activity logs is set to less than one year, which means older log data may be deleted before investigations can begin or complete. This configuration reduces the ability to perform effective forensic analysis after a security incident.
If a breach is discovered after the short retention window, critical log records may be missing, hindering the ability to trace attacker actions, determine the scope of compromise, and comply with regulatory requirements. This can delay response, obscure root cause analysis, and increase organizational risk.
| Property | |
|---|---|
| Language | |
| Severity | |
| Service | appservice |
| Provider | Azure |
| Vulnerability Type | omission |
The Function App is configured to accept connections over both HTTP and HTTPS (the HTTPS Only setting is not enabled), so clients can reach it over unencrypted HTTP. This exposes sensitive data to interception because HTTP does not encrypt communication between clients and the app.
Allowing HTTP access enables attackers to intercept, read, or modify data in transit, potentially leading to credential theft, data leakage, and unauthorized access. This compromises the security and confidentiality of the application and its users.
| Property | |
|---|---|
| Language | |
| Severity | |
| Vulnerability Type | omission |
Granting the ‘create’ verb (or the ‘*’ wildcard) on the ‘pods/exec’ subresource in Kubernetes Roles or ClusterRoles allows the bound users or service accounts to run commands inside running containers with kubectl exec, with whatever privileges the container process has (often root). This creates a pathway for privilege escalation within the cluster, since the shell inherits the pod’s service account token and any mounted secrets.
An attacker exploiting this vulnerability could gain shell access to containers, escalate privileges to cluster-admin, access sensitive data, disrupt workloads, or take control of the entire Kubernetes cluster, leading to data breaches or service outages.
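Finding who can actually run `kubectl exec` takes more than grepping manifests for `pods/exec`: wildcard rules and bindings have to be resolved the way the API server does. The example below is added here and is not code from the original page or from any project it describes; it reimplements the RBAC matching rules for the core API group and then joins offending Roles and ClusterRoles to their bindings. The sample roles and bindings are constructed for illustration; for a real cluster, pipe `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` into the script.

```python
import json
import sys
from typing import Dict, Iterable, List, Set, Tuple

# kubectl exec is a POST to the pods/exec subresource in the core ("") API group,
# so the verb that matters is "create" (or the "*" wildcard). "get" on pods is
# also needed to resolve the pod, but "create" on pods/exec is what opens the shell.
EXEC_GROUP, EXEC_RESOURCE, EXEC_VERB = "", "pods/exec", "create"


def resource_matches(rule_resource: str, requested: str) -> bool:
    """Mirror the API server's RBAC resource matching.

    A rule resource matches when it is "*", an exact match, or "*/<subresource>"
    for a request like "pods/exec". There is no "pods/*" form: that string only
    ever matches a resource literally named "pods/*", i.e. nothing.
    """
    if rule_resource in ("*", requested):
        return True
    if "/" in requested:
        subresource = requested.split("/", 1)[1]
        return rule_resource == "*/" + subresource
    return False


def rule_allows(rule: Dict, api_group: str, resource: str, verb: str) -> bool:
    """Does one PolicyRule grant `verb` on `api_group`/`resource`? "*" is a wildcard in every field."""
    if not any(g in ("*", api_group) for g in rule.get("apiGroups", [])):
        return False
    if not any(v in ("*", verb) for v in rule.get("verbs", [])):
        return False
    return any(resource_matches(r, resource) for r in rule.get("resources", []))


def exec_roles(roles: Iterable[Dict]) -> Set[Tuple[str, str, str]]:
    """(kind, namespace, name) of every Role/ClusterRole whose rules allow create on pods/exec."""
    found = set()
    for role in roles:
        if any(rule_allows(rule, EXEC_GROUP, EXEC_RESOURCE, EXEC_VERB) for rule in role.get("rules", [])):
            found.add((role["kind"], role["metadata"].get("namespace", ""), role["metadata"]["name"]))
    return found


def exec_grants(roles: Iterable[Dict], bindings: Iterable[Dict]) -> List[Dict]:
    """Join offending roles to their bindings: who can exec, and in what scope."""
    offending = exec_roles(roles)
    grants = []
    for binding in bindings:
        ref = binding["roleRef"]
        binding_ns = binding["metadata"].get("namespace", "")
        # A ClusterRole is cluster-scoped even when referenced from a RoleBinding
        # (the binding then limits it to its namespace); a Role lives in the binding's namespace.
        key = (ref["kind"], binding_ns if ref["kind"] == "Role" else "", ref["name"])
        if key not in offending:
            continue
        subjects = []
        for s in binding.get("subjects", []):
            ns = s.get("namespace", "") + "/" if s["kind"] == "ServiceAccount" else ""
            subjects.append(f"{s['kind']}:{ns}{s['name']}")
        grants.append({
            "role": f"{ref['kind']}/{ref['name']}",
            "scope": "cluster-wide" if binding["kind"] == "ClusterRoleBinding" else f"namespace {binding_ns}",
            "subjects": subjects,
        })
    return grants


# Constructed sample objects (shape of `kubectl get ... -o json` items, trimmed).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "debug-exec"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["get", "create"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "ci-admin", "namespace": "dev"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "developers-debug"},
     "roleRef": {"kind": "ClusterRole", "name": "debug-exec"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "ci-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "dev"}]},
    {"kind": "RoleBinding", "metadata": {"name": "viewers", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    if sys.stdin.isatty():
        items = SAMPLE_ROLES + SAMPLE_BINDINGS
    else:  # kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json | python rbac_exec.py
        items = json.load(sys.stdin)["items"]
    roles = [i for i in items if i["kind"] in ("Role", "ClusterRole")]
    bindings = [i for i in items if i["kind"].endswith("Binding")]
    for g in exec_grants(roles, bindings):
        print(f"{g['role']} ({g['scope']}): {', '.join(g['subjects'])}")
```

On the sample data this reports `debug-exec` bound cluster-wide to the developers group and the wildcard `ci-admin` Role bound to the `ci-runner` service account in `dev`; `pod-viewer` is not reported because it grants no verb on the subresource. The remediation is to drop `pods/exec` (and wildcard resources or verbs) from the role, or to bind it only to a break-glass identity in the namespaces where it is needed.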
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-250: Execution with Unnecessary Privileges |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
The container is configured to allow running as the root user by setting ‘runAsNonRoot: false’ in the securityContext. This means applications inside the container can have unnecessary root privileges, increasing the risk of security breaches.
If exploited, an attacker gaining access to the container could use root privileges to escalate their actions, potentially compromising the entire Kubernetes node, accessing sensitive data, or disrupting other services. This undermines container isolation and can lead to a full system breach.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-250: Execution with Unnecessary Privileges |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
The container is not explicitly configured to run as a non-root user in its Kubernetes securityContext. This means the container may run as root by default, increasing the risk of privilege escalation.
If an attacker exploits a vulnerability in the container, they could gain root access, allowing them to compromise the container, access sensitive data, or disrupt other services. Running as root increases the potential impact of any container breach.
| Property | |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-250: Execution with Unnecessary Privileges |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
The container definition is missing a security context specifying that it must run as a non-root user. This means the container could run processes with root privileges inside, increasing the risk of security breaches.
If an attacker exploits a vulnerability in the application, they could gain root access within the container, allowing them to modify system files, escalate privileges, or attempt to break out of the container and compromise the host or other services.
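The three securityContext findings above differ only in how the container ended up without a guaranteed non-root user: an explicit `false`, a securityContext that omits `runAsNonRoot`, or no securityContext at all. The added example below, which is not code from the original page or from the scanner it describes, computes each container's effective setting with pod-level defaults taken into account, classifies it into those three cases plus the runtime conflict with `runAsUser: 0`, and shows a hardening transform. The Deployment and Pod manifests are constructed samples, and the function and label names are this example's own.

```python
import copy
from typing import Dict, List


def pod_spec_of(obj: Dict) -> Dict:
    """Accept a Pod or a workload wrapper (Deployment, StatefulSet, DaemonSet, Job) and return its PodSpec."""
    spec = obj.get("spec", obj)
    return spec["template"]["spec"] if "template" in spec else spec


def effective(pod_spec: Dict, container: Dict, key: str):
    """A container's securityContext overrides the pod-level one; None when set in neither."""
    csc = container.get("securityContext") or {}
    if key in csc:
        return csc[key]
    return (pod_spec.get("securityContext") or {}).get(key)


def check_pod_spec(pod_spec: Dict) -> List[Dict]:
    """One finding per offending container (init containers included).

    Only an effective runAsNonRoot: true passes. Runtime caveat: with runAsNonRoot
    true, the kubelet refuses to start a container whose resolved user is uid 0
    (runAsUser: 0, or an image whose USER is root with no runAsUser) and reports
    CreateContainerConfigError. That is fail-closed behaviour, not a bypass, but it
    is worth surfacing before the rollout rather than after.
    """
    findings = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        non_root = effective(pod_spec, c, "runAsNonRoot")
        run_as_user = effective(pod_spec, c, "runAsUser")
        if non_root is False:
            problem = "runAsNonRoot: false (container may run as root)"
        elif non_root is None:
            problem = ("container has no securityContext" if c.get("securityContext") is None
                       else "securityContext present but runAsNonRoot not set")
        elif run_as_user == 0:
            problem = "runAsNonRoot: true with runAsUser: 0; the kubelet will refuse to start it"
        else:
            continue
        findings.append({"container": c["name"], "problem": problem})
    return findings


def enforce_non_root(pod_spec: Dict) -> Dict:
    """Return a copy with runAsNonRoot: true at pod level and container-level false overrides removed.

    Deliberately leaves runAsUser alone: a container that really needs uid 0 should
    be fixed in its image or design, not silently relabelled as non-root.
    """
    fixed = copy.deepcopy(pod_spec)
    fixed.setdefault("securityContext", {})["runAsNonRoot"] = True
    for c in fixed.get("initContainers", []) + fixed.get("containers", []):
        if (c.get("securityContext") or {}).get("runAsNonRoot") is False:
            del c["securityContext"]["runAsNonRoot"]
    return fixed


# Constructed sample manifests (as parsed from YAML/JSON), trimmed to the relevant fields.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "initContainers": [
            {"name": "migrate", "image": "example/migrate", "securityContext": {"runAsUser": 0}},
        ],
        "containers": [
            {"name": "app", "image": "example/app"},
            {"name": "sidecar", "image": "example/sidecar", "securityContext": {"runAsNonRoot": False}},
        ],
    }}},
}
SAMPLE_POD = {
    "kind": "Pod",
    "spec": {"containers": [
        {"name": "web", "image": "example/web"},
        {"name": "metrics", "image": "example/metrics", "securityContext": {"readOnlyRootFilesystem": True}},
    ]},
}

if __name__ == "__main__":
    for obj in (SAMPLE_DEPLOYMENT, SAMPLE_POD):
        spec = pod_spec_of(obj)
        for f in check_pod_spec(spec):
            print(f"{obj['kind']}: {f['container']}: {f['problem']}")
        print(f"{obj['kind']} after enforce_non_root: {check_pod_spec(enforce_non_root(spec))}")
```

In the sample Deployment, `app` passes by inheriting the pod-level `runAsNonRoot: true`, `sidecar` is flagged for its explicit `false`, and the `migrate` init container is flagged because its `runAsUser: 0` contradicts the inherited `true`; that last finding survives `enforce_non_root` on purpose. In the sample Pod, `web` has no securityContext and `metrics` has one that omits the key, matching the two lower-severity checks above.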