Back to catalog

Mounting Sensitive Host Directories

No violationsstackroxmediumdeploy

Alert on deployments mounting sensitive host directories

Rationale
Mounting system directories from host implies container access to sensitive files on the host. This expands the attack surface of the container and gives an intruder an opportunity to break containment if the host is not properly secured.
Remediation
Ensure that deployments do not mount sensitive host directories, or exclude this deployment if host mount is required.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2CM-7
PCI DSS 4.0
2.2.12.2.4

Generated artifacts

3 of 5 targets supported
mounting-sensitive-host-directories.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mounting-sensitive-host-directories
  annotations:
    policies.kyverno.io/title: Mounting Sensitive Host Directories
    policies.kyverno.io/category: Security Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/description: Alert on deployments mounting sensitive host directories
    policies.kyverno.io/remediation: Ensure that deployments do not mount sensitive host directories, or exclude this deployment if host mount is required.
    policies.kyverno.io/rationale: Mounting system directories from host implies container access to sensitive files on the host. This expands the attack surface of the container and gives an intruder an opportunity to break containment if the host is not properly secured.
    policies.io/source: stackrox
    policies.io/source-id: a9b9ecf7-9707-4e32-8b62-d03018ed454f
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: mounting-sensitive-host-directories
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Mounting Sensitive Host Directories" violated: Alert on deployments mounting sensitive host directories'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.volumes[].keys(@)[] || `[]` }}"
                operator: AnyIn
                value:
                  - (/etc/.*|/sys/.*|/dev/.*|/proc/.*|/var/.*)
      exclude:
        any:
          - resources:
              namespaces:
                - openshift-cloud-controller-manager
          - resources:
              namespaces:
                - openshift-vsphere-infra
          - resources:
              namespaces:
                - openshift-vsphere-infra
          - resources:
              namespaces:
                - openshift-vsphere-infra
          - resources:
              namespaces:
                - openshift-security
          - resources:
              namespaces:
                - openshift-authentication
          - resources:
              namespaces:
                - openshift-cloud-controller-manager-operator
          - resources:
              namespaces:
                - openshift-ovn-kubernetes
          - resources:
              namespaces:
                - openshift-ovn-kubernetes
          - resources:
              namespaces:
                - openshift-cluster-version
          - resources:
              namespaces:
                - openshift-security
          - resources:
              namespaces:
                - openshift-azure-logging
          - resources:
              namespaces:
                - stackrox
          - resources:
              namespaces:
                - stackrox
              selector:
                matchLabels:
                  app: stackrox-compliance
          - resources:
              namespaces:
                - kube-system
          - resources:
              namespaces:
                - istio-system
          - resources:
              namespaces:
                - openshift-kube-apiserver
          - resources:
              namespaces:
                - openshift-kube-scheduler
          - resources:
              namespaces:
                - openshift-etcd
          - resources:
              namespaces:
                - openshift-kube-controller-manager
          - resources:
              namespaces:
                - openshift-oauth-apiserver
          - resources:
              namespaces:
                - openshift-apiserver
          - resources:
              namespaces:
                - openshift-network-operator
          - resources:
              namespaces:
                - openshift-machine-api
          - resources:
              namespaces:
                - openshift-dns
          - resources:
              namespaces:
                - openshift-cluster-csi-drivers
          - resources:
              namespaces:
                - openshift-cluster-node-tuning-operator
          - resources:
              namespaces:
                - openshift-multus
          - resources:
              namespaces:
                - openshift-image-registry
          - resources:
              namespaces:
                - openshift-sdn
          - resources:
              namespaces:
                - openshift-machine-config-operator
          - resources:
              namespaces:
                - openshift-logging
          - resources:
              namespaces:
                - openshift-cloud-controller-manager
IR (canonical)
{
  "id": "a9b9ecf7-9707-4e32-8b62-d03018ed454f",
  "name": "Mounting Sensitive Host Directories",
  "description": "Alert on deployments mounting sensitive host directories",
  "rationale": "Mounting system directories from host implies container access to sensitive files on the host. This expands the attack surface of the container and gives an intruder an opportunity to break containment if the host is not properly secured.",
  "remediation": "Ensure that deployments do not mount sensitive host directories, or exclude this deployment if host mount is required.",
  "severity": "medium",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "gcp-cloud-controller-manager",
      "namespace": "openshift-cloud-controller-manager"
    },
    {
      "name": "haproxy-.*",
      "namespace": "openshift-vsphere-infra"
    },
    {
      "name": "keepalived-.*",
      "namespace": "openshift-vsphere-infra"
    },
    {
      "name": "coredns-.*",
      "namespace": "openshift-vsphere-infra"
    },
    {
      "name": "splunkforwarder-ds",
      "namespace": "openshift-security"
    },
    {
      "name": "oauth-openshift",
      "namespace": "openshift-authentication"
    },
    {
      "name": "cluster-cloud-controller-manager-operator",
      "namespace": "openshift-cloud-controller-manager-operator"
    },
    {
      "name": "ovnkube-master",
      "namespace": "openshift-ovn-kubernetes"
    },
    {
      "name": "ovnkube-node",
      "namespace": "openshift-ovn-kubernetes"
    },
    {
      "name": "cluster-version-operator",
      "namespace": "openshift-cluster-version"
    },
    {
      "name": "audit-exporter",
      "namespace": "openshift-security"
    },
    {
      "name": "mdsd",
      "namespace": "openshift-azure-logging"
    },
    {
      "name": "collector",
      "namespace": "stackrox"
    },
    {
      "name": "Don't alert on StackRox compliance",
      "namespace": "stackrox",
      "labelKey": "app",
      "labelValue": "stackrox-compliance"
    },
    {
      "name": "Don't alert on kube-system namespace",
      "namespace": "kube-system"
    },
    {
      "name": "Don't alert on istio-system namespace",
      "namespace": "istio-system"
    },
    {
      "name": "Don't alert on openshift-kube-apiserver namespace",
      "namespace": "openshift-kube-apiserver"
    },
    {
      "name": "Don't alert on openshift-kube-scheduler namespace",
      "namespace": "openshift-kube-scheduler"
    },
    {
      "name": "Don't alert on openshift-etcd namespace",
      "namespace": "openshift-etcd"
    },
    {
      "name": "Don't alert on openshift-kube-controller-manager namespace",
      "namespace": "openshift-kube-controller-manager"
    },
    {
      "name": "Don't alert on openshift-oauth-apiserver namespace",
      "namespace": "openshift-oauth-apiserver"
    },
    {
      "name": "Don't alert on openshift-apiserver namespace",
      "namespace": "openshift-apiserver"
    },
    {
      "name": "Don't alert on openshift-network-operator namespace",
      "namespace": "openshift-network-operator"
    },
    {
      "name": "Don't alert on openshift-machine-api namespace",
      "namespace": "openshift-machine-api"
    },
    {
      "name": "Don't alert on openshift-dns namespace",
      "namespace": "openshift-dns"
    },
    {
      "name": "Don't alert on openshift-cluster-csi-drivers namespace",
      "namespace": "openshift-cluster-csi-drivers"
    },
    {
      "name": "Don't alert on openshift-cluster-node-tuning-operator namespace",
      "namespace": "openshift-cluster-node-tuning-operator"
    },
    {
      "name": "Don't alert on openshift-multus namespace",
      "namespace": "openshift-multus"
    },
    {
      "name": "node-ca",
      "namespace": "openshift-image-registry"
    },
    {
      "name": "Don't alert on openshift-sdn namespace",
      "namespace": "openshift-sdn"
    },
    {
      "name": "Don't alert on openshift-machine-config-operator namespace",
      "namespace": "openshift-machine-config-operator"
    },
    {
      "name": "Don't alert on openshift-logging namespace",
      "namespace": "openshift-logging"
    },
    {
      "name": "aws-cloud-controller-manager",
      "namespace": "openshift-cloud-controller-manager"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "volume-source",
    "values": [
      "(/etc/.*|/sys/.*|/dev/.*|/proc/.*|/var/.*)"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "a9b9ecf7-9707-4e32-8b62-d03018ed454f",
  "name": "Mounting Sensitive Host Directories",
  "description": "Alert on deployments mounting sensitive host directories",
  "rationale": "Mounting system directories from host implies container access to sensitive files on the host. This expands the attack surface of the container and gives an intruder an opportunity to break containment if the host is not properly secured.",
  "remediation": "Ensure that deployments do not mount sensitive host directories, or exclude this deployment if host mount is required.",
  "disabled": false,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on deployment gcp-cloud-controller-manager in openshift-cloud-controller-manager namespace",
      "deployment": {
        "name": "gcp-cloud-controller-manager",
        "scope": {
          "cluster": "",
          "namespace": "openshift-cloud-controller-manager",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment haproxy-* in openshift-vsphere-infra namespace",
      "deployment": {
        "name": "haproxy-.*",
        "scope": {
          "cluster": "",
          "namespace": "openshift-vsphere-infra",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment keepalived-.* in openshift-vsphere-infra namespace",
      "deployment": {
        "name": "keepalived-.*",
        "scope": {
          "cluster": "",
          "namespace": "openshift-vsphere-infra",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment coredns-* in openshift-vsphere-infra namespace",
      "deployment": {
        "name": "coredns-.*",
        "scope": {
          "cluster": "",
          "namespace": "openshift-vsphere-infra",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment splunkforwarder-ds in openshift-security namespace",
      "deployment": {
        "name": "splunkforwarder-ds",
        "scope": {
          "cluster": "",
          "namespace": "openshift-security",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment oauth-openshift in openshift-authentication namespace",
      "deployment": {
        "name": "oauth-openshift",
        "scope": {
          "cluster": "",
          "namespace": "openshift-authentication",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment cluster-cloud-controller-manager-operator in openshift-cloud-controller-manager-operator namespace",
      "deployment": {
        "name": "cluster-cloud-controller-manager-operator",
        "scope": {
          "cluster": "",
          "namespace": "openshift-cloud-controller-manager-operator",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment ovnkube-master in  openshift-ovn-kubernetes namespace",
      "deployment": {
        "name": "ovnkube-master",
        "scope": {
          "cluster": "",
          "namespace": "openshift-ovn-kubernetes",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment ovnkube-node in openshift-ovn-kubernetes namespace",
      "deployment": {
        "name": "ovnkube-node",
        "scope": {
          "cluster": "",
          "namespace": "openshift-ovn-kubernetes",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment cluster-version-operator in openshift-cluster-version namespace",
      "deployment": {
        "name": "cluster-version-operator",
        "scope": {
          "cluster": "",
          "namespace": "openshift-cluster-version",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment audit-exporter in openshift-security namespace",
      "deployment": {
        "name": "audit-exporter",
        "scope": {
          "cluster": "",
          "namespace": "openshift-security",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment mdsd in openshift-azure-logging namespace",
      "deployment": {
        "name": "mdsd",
        "scope": {
          "cluster": "",
          "namespace": "openshift-azure-logging",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on StackRox collector",
      "deployment": {
        "name": "collector",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on StackRox compliance",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": {
            "key": "app",
            "value": "stackrox-compliance"
          }
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on kube-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on istio-system namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "istio-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-kube-apiserver namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-kube-apiserver",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-kube-scheduler namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-kube-scheduler",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-etcd namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-etcd",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-kube-controller-manager namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-kube-controller-manager",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-oauth-apiserver namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-oauth-apiserver",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-apiserver namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-apiserver",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-network-operator namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-network-operator",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-machine-api namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-machine-api",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-dns namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-dns",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-cluster-csi-drivers namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-cluster-csi-drivers",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-cluster-node-tuning-operator namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-cluster-node-tuning-operator",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-multus namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-multus",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on node-ca dameonset in the openshift-image-registry namespace",
      "deployment": {
        "name": "node-ca",
        "scope": {
          "cluster": "",
          "namespace": "openshift-image-registry",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-sdn namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-sdn",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-machine-config-operator namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-machine-config-operator",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on openshift-logging namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-logging",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment aws-cloud-controller-manager in namespace openshift-cloud-controller-manager",
      "deployment": {
        "name": "aws-cloud-controller-manager",
        "scope": {
          "cluster": "",
          "namespace": "openshift-cloud-controller-manager",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Volume Source",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "(/etc/.*|/sys/.*|/dev/.*|/proc/.*|/var/.*)"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}