krol3 opened this issue 1 year ago (status: Open)
:tada: Thanks for opening your first issue here! Welcome to the community!
I think it makes sense to add policies for the anonymous user & unauthenticated group.
Not sure on what to alert on though - do we flag any permission given to the anonymous user / grp? Should we have exceptions for harmless permissions that are commonly given to them (given that's actually a thing)? So a bit to sort out, but I think that it'll be a good addition.
I won’t get to implementing this soon so feel free to open a PR
Given it some thought and it’s a bit tricky to implement as rbac-police is built to alert on risky permissions rather than risky users & groups. Might still be doable though.
Btw it's possible to run with '--violations user,group' to search for users & groups with risky permissions, including the anonymous user / group.
Context
After creating a clusterrolebinding for the user system:anonymous, I didn't see it in the Risky report list.
See the details:
kubectl create clusterrolebinding anonymous-xdemo --clusterrole=view --user=system:anonymous
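The maintainer's open question above (flag every grant to the anonymous user / unauthenticated group, with exceptions for harmless defaults) can be checked directly from the API server's binding objects. The script below is an added example, not rbac-police code and not a proposed policy from the project: it walks a JSON list in the shape of `kubectl get clusterrolebindings,rolebindings -A -o json`, reports every binding whose subjects include `system:anonymous` or `system:unauthenticated`, and allowlists the `system:public-info-viewer` ClusterRole that Kubernetes itself binds to the unauthenticated group (it only exposes /healthz, /livez, /readyz and /version). The embedded input is constructed; it contains the `anonymous-xdemo` binding from this issue plus a few other bindings to show the check's edge cases. The allowlist and the `find_anonymous_grants` / `anonymous_subjects` names are this example's own assumptions.

```python
import json

# Subjects that represent an unauthenticated caller (kind, name as in RBAC subjects).
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}

# Roles Kubernetes binds to system:unauthenticated out of the box. The
# system:public-info-viewer ClusterRole only exposes /healthz, /livez, /readyz
# and /version, so this example treats it as harmless by default (assumption).
DEFAULT_ALLOWED_ROLES = {("ClusterRole", "system:public-info-viewer")}

# Constructed sample in the shape of
# `kubectl get clusterrolebindings,rolebindings -A -o json`.
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {   # default binding shipped with every cluster: allowlisted
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "system:public-info-viewer"},
            "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
            "subjects": [
                {"kind": "Group", "name": "system:authenticated"},
                {"kind": "Group", "name": "system:unauthenticated"},
            ],
        },
        {   # the binding from this issue: `view` handed to system:anonymous
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "anonymous-xdemo"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "User", "name": "system:anonymous"}],
        },
        {   # ordinary admin binding: no anonymous subject, must not be flagged
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "cluster-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "Group", "name": "system:masters"}],
        },
        {   # namespaced RoleBinding granting the unauthenticated group a Role
            "kind": "RoleBinding",
            "metadata": {"name": "anon-secret-reader", "namespace": "demo"},
            "roleRef": {"kind": "Role", "name": "secret-reader"},
            "subjects": [{"kind": "Group", "name": "system:unauthenticated"}],
        },
        {   # binding with no subjects at all (kubectl emits these too)
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "orphan"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
        },
    ],
})


def anonymous_subjects(binding):
    """Return the subjects of a binding that map to unauthenticated callers."""
    return [
        (s.get("kind"), s.get("name"))
        for s in binding.get("subjects") or []
        if (s.get("kind"), s.get("name")) in ANONYMOUS_SUBJECTS
    ]


def find_anonymous_grants(bindings_json, allowed_roles=DEFAULT_ALLOWED_ROLES):
    """Scan a kubectl JSON list of (Cluster)RoleBindings and report every one
    that grants a role to system:anonymous or system:unauthenticated, unless
    the referenced role is on the allowlist."""
    findings = []
    for binding in json.loads(bindings_json).get("items", []):
        subjects = anonymous_subjects(binding)
        if not subjects:
            continue
        role_ref = binding.get("roleRef", {})
        role = (role_ref.get("kind"), role_ref.get("name"))
        if role in allowed_roles:
            continue
        meta = binding.get("metadata", {})
        findings.append({
            "binding": meta.get("name"),
            "namespace": meta.get("namespace"),  # None for ClusterRoleBindings
            "role": f"{role[0]}/{role[1]}",
            "subjects": [f"{kind}/{name}" for kind, name in subjects],
        })
    return findings


if __name__ == "__main__":
    for f in find_anonymous_grants(SAMPLE_BINDINGS):
        scope = f["namespace"] or "cluster-wide"
        print(f"{f['binding']} ({scope}): {f['role']} -> {', '.join(f['subjects'])}")
```

On the sample input this reports `anonymous-xdemo` (cluster-wide, ClusterRole/view) and `anon-secret-reader` (namespace demo, Role/secret-reader) and stays quiet on the default public-info binding; passing an empty `allowed_roles` turns the default binding into a third finding, which is the trade-off the maintainer raised about exceptions for commonly granted, harmless permissions.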