Skip to content
Nuclei Templates

Set appropriate seccomp profile

ID: k8s-seccomp-profile-set

Severity: medium

Author: princechaddha

Tags: cloud,devops,kubernetes,devsecops,containers,k8s,k8s-cluster-security

Description

Section titled “Description”

Checks if the seccomp profile is set to docker/default or runtime/default in Kubernetes Deployments.

YAML Source

Section titled “YAML Source”
id: k8s-seccomp-profile-set


info:
  name: Set appropriate seccomp profile
  author: princechaddha
  severity: medium
  description: Checks if the seccomp profile is set to docker/default or runtime/default in Kubernetes Deployments.
  impact: |
    Using a default seccomp profile helps in reducing the attack surface of the container by limiting the syscalls containers can make, which can prevent certain types of exploits.
  remediation: |
    Ensure that all containers in Kubernetes Deployments have a seccomp profile of docker/default or runtime/default set in their security contexts.
  reference:
    - https://kubernetes.io/docs/tutorials/clusters/seccomp/
  tags: cloud,devops,kubernetes,devsecops,containers,k8s,k8s-cluster-security


flow: |
  code(1);
  for (let deployment of template.items) {
    set("deployment", deployment)
    javascript(1);
  }


self-contained: true
code:
  - engine:
      - sh
      - bash
    source: kubectl get deployments --all-namespaces --output=json
    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[]'


javascript:
  - code: |
        deployment = JSON.parse(template.deployment);
        deployment.spec.template.spec.containers.forEach(container => {
          if (container.securityContext && container.securityContext.seccompProfile &&
              (container.securityContext.seccompProfile.type === 'RuntimeDefault' || container.securityContext.seccompProfile.type === 'DockerDefault')) {
            // No action needed, configured properly
          } else {
            let result = (`Deployment '${deployment.metadata.name}' in namespace '${deployment.metadata.namespace}' does not have an appropriate seccomp profile set.`);
            Export(result);
          }
        });


    extractors:
      - type: dsl
        dsl:
          - response
# digest: 490a00463044022028242b10cadcfd8aa9200c72697dbc567951f08471ded70cf072bb76184f2c15022013bde40989c5a37d33e0060047e74ed85802b28e9f7dfc6ca791e8d7fce2c3c5:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "cloud/kubernetes/deployments/k8s-seccomp-profile-set.yaml"

View on Github