Open UgOrange opened 1 year ago
Documentation link
link
Describe the problem
I am currently studying your detection rules and have come across a couple of questions that I would appreciate your assistance with. Regarding the "issue_token_secrets" rule, it appears to detect permissions related to modifying or creating secrets. I would like to understand how this rule handles the issuance of administrator-equivalent service account privileges. Additionally, I believe that the risk level associated with the "list_secret" rule could be increased. I would like to suggest considering an adjustment to reflect a higher level of risk.
Suggested fix
Hi, good question! If you can create a secret you can link it to a service account (using a few fields in the secret definition) and Kubernetes will automatically populate a new token for that SA in the secret :) At that point if you can somehow read the secret you could retrieve that token and potentially escalate privileges depending on its permissions.
Btw at the bottom of the report linked in this repo description there are explanations for how the permissions in most of the policies lead to attacks.
As for the severity of the secrets listing policy - I agree, it could be changed to High.
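To make the maintainer's explanation concrete from the detection side, here is an added Python example (not the project's own policy code) that evaluates a set of RBAC rules for the two conditions discussed: an identity that can both create and read Secrets (the path by which a Secret linked to a service account yields that SA's token), and an identity that can list Secrets on its own. The `Rule` type, `assess_secret_token_risk`, and the sample roles are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """One RBAC PolicyRule, reduced to the three fields the check needs."""
    api_groups: list[str]
    resources: list[str]
    verbs: list[str]


def _allows(rules: list[Rule], group: str, resource: str, verb: str) -> bool:
    """True if any rule grants `verb` on `resource` in `group`, honouring '*' wildcards."""
    for r in rules:
        if ("*" in r.api_groups or group in r.api_groups) \
                and ("*" in r.resources or resource in r.resources) \
                and ("*" in r.verbs or verb in r.verbs):
            return True
    return False


def assess_secret_token_risk(rules: list[Rule]) -> dict[str, bool]:
    """Flag the two findings discussed in the issue.

    issue_token_path: the identity can create Secrets (so it can link a new
    Secret to a service account and have Kubernetes fill in that SA's token)
    AND read Secrets back. `get` is enough because the creator chooses the
    Secret's name; `list` returns whole objects including their data.
    list_secrets: listing alone exposes every existing token in the namespace,
    which is why the reporter wants that policy rated High.
    Secrets live in the core API group, written as "".
    """
    can_create = _allows(rules, "", "secrets", "create")
    can_get = _allows(rules, "", "secrets", "get")
    can_list = _allows(rules, "", "secrets", "list")
    return {
        "can_create_secrets": can_create,
        "issue_token_path": can_create and (can_get or can_list),
        "list_secrets": can_list,
    }


# Constructed sample roles (not taken from any real cluster):
SAMPLE_ROLES = {
    "secret-writer": [Rule([""], ["secrets"], ["create", "get"])],  # escalation path
    "secret-creator-only": [Rule([""], ["secrets"], ["create"])],   # can plant, cannot read
    "secret-reader": [Rule([""], ["secrets"], ["list"])],           # reads every token
    "cluster-admin-like": [Rule(["*"], ["*"], ["*"])],               # wildcards cover all
}

if __name__ == "__main__":
    for name, rules in SAMPLE_ROLES.items():
        print(name, assess_secret_token_risk(rules))
```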