Fix: adding new queries

Author: acx1729

queries/kubernetes/aws_cognito_user_pool_2.yaml

@@ -0,0 +1,24 @@
+id: aws_cognito_user_pool_2
+type: query
+title: List All AWS Cognito User Pools with MFA Configuration
+description: Allows users to query AWS Cognito User Pools to fetch detailed information about each user pool, including the pool's configuration, status, and associated metadata.
+integration_type:
+  - aws_cloud_account
+query: |
+    SELECT
+      name,
+      arn,
+      mfa_configuration
+    FROM
+      aws_cognito_user_pool
+    WHERE
+      mfa_configuration != 'OFF';
+tags:
+    cloud_asset_management:
+      - 'true'
+    cloud_identity_security:
+      - 'true'
+    cloud_provider:
+      - aws
+    cloud_service:
+      - Cognito

queries/kubernetes/k8s_clusterrolebindings_granting_cluster_admin.yaml

@@ -0,0 +1,60 @@
+id: k8s_clusterrolebindings_granting_cluster_admin
+title: Kubernetes ClusterRoleBindings Granting Cluster-Admin Role
+type: query
+primary_table: k8_cluster_role_binding
+description: Finds ClusterRoleBindings that grant the highly privileged 'cluster-admin' ClusterRole to users, groups, or service accounts. Granting cluster-admin provides unrestricted access across the entire cluster and should be strictly controlled. Allows excluding specific binding titles via parameter.
+metadata:
+  reasoning: The 'cluster-admin' role provides superuser access to the entire Kubernetes cluster, allowing the subject to perform any action on any resource. Granting this role unnecessarily violates the principle of least privilege and significantly increases risk if the subject's credentials are compromised or misused.
+  value: Enforce least privilege and minimize security risk by ensuring the powerful 'cluster-admin' role is only granted when absolutely necessary and to trusted entities, excluding known/approved bindings.
+integration_type:
+  - kubernetes_cluster
+is_view: false
+parameters:
+  - key: excluded_binding_titles
+    # Comma-separated list of ClusterRoleBinding titles (exact match) to exclude from findings.
+    # Use this to exempt specific, approved bindings granting cluster-admin. Max 4 suggested, but accepts more.
+    # Example: "system:kube-dns-autoscaler-binding,my-admin-tool-binding"
+    value: "" # Default: Report all cluster-admin bindings
+query: |
+  WITH excluded_bindings AS (
+    SELECT trim(title) AS title
+    FROM unnest(string_to_array('{{.excluded_binding_titles}}', ',')) AS title
+    WHERE trim(title) != ''
+  )
+  SELECT DISTINCT -- Distinct on binding, not subject, as the finding is about the binding itself
+    crb.platform_integration_id,
+    crb.title AS resource, -- The binding title is the resource
+    CASE
+      WHEN crb.title IN (SELECT title FROM excluded_bindings) THEN 'ok'
+      ELSE 'alarm'
+    END AS status,
+    'ClusterRoleBinding ''' || crb.title || ''' grants ''cluster-admin'' role' ||
+      CASE
+        WHEN crb.title IN (SELECT title FROM excluded_bindings) THEN ' (Excluded by parameter).'
+        ELSE '.'
+      END
+     AS reason,
+    -- Flag if excluded
+    (crb.title IN (SELECT title FROM excluded_bindings)) AS is_excluded_by_parameter,
+    jsonb_build_object(
+      'binding_title', crb.title,
+      'role_ref_kind', crb.role_kind,
+      'role_ref_name', crb.role_name,
+      'subjects', crb.subjects -- Show all subjects granted by this binding
+    ) AS finding_details
+  FROM
+    k8_cluster_role_binding crb
+  WHERE crb.role_kind = 'ClusterRole' AND crb.role_name = 'cluster-admin'
+  ORDER BY
+    status ASC, -- Show alarms first
+    crb.platform_integration_id ASC,
+    resource ASC;
+tags:
+  asset: Kubernetes
+  value: Enforce Least Privilege
+  outcome: Reduce Security Risk
+  standard: CIS Kubernetes Benchmark
+classification:
+  - [ "Security", "IAM", "Admin Rights" ]
+  - [ "Security", "IAM", "Excessive Permissions" ]
+  - [ "Infrastructure", "Kubernetes", "Access Control" ]

queries/kubernetes/k8s_containers_running_as_root.yaml

@@ -0,0 +1,60 @@
+id: k8s_containers_running_as_root
+title: Kubernetes Containers Running as Root
+type: query
+primary_table: k8_pod
+description: Finds containers that are configured to run as root (or likely to run as root by default) within pods. This checks for securityContext.runAsNonRoot=false or missing, and securityContext.runAsUser=0 or missing at both pod and container levels. Running containers as root increases the potential impact of a container compromise.
+metadata:
+  reasoning: Containers running as the root user have elevated privileges within the container's namespaces. If a vulnerability is exploited, the attacker gains root access within the container, potentially facilitating escape or further exploitation. Best practice is to run containers as non-root users with the minimum required privileges.
+  value: Reduce the potential impact of container compromises by enforcing the principle of least privilege for container user IDs.
+integration_type:
+  - kubernetes_cluster
+query: |
+  SELECT DISTINCT
+    p.platform_integration_id,
+    p.namespace || '/' || p.title AS resource,
+    'alarm' AS status,
+    'Pod ''' || p.title || ''' in namespace ''' || p.namespace || ''' container ''' || (c ->> 'Name') || ''' may run as root.' AS reason,
+    jsonb_build_object(
+      'pod_title', p.title,
+      'namespace', p.namespace,
+      'container_name', c ->> 'Name',
+      'container_image', c ->> 'Image',
+      'container_security_context', c -> 'SecurityContext',
+      'pod_security_context', p.security_context,
+      'node_name', p.node_name
+    ) AS finding_details
+  FROM
+    k8_pod AS p,
+    jsonb_array_elements(COALESCE(p.containers, '[]'::jsonb)) AS c
+  WHERE
+    -- Condition 1: Container explicitly configured to run as root
+    (
+      (c -> 'SecurityContext' ->> 'RunAsNonRoot' = 'false') -- Explicitly false
+      OR
+      ( (c -> 'SecurityContext' ->> 'RunAsNonRoot' IS NULL) AND (c -> 'SecurityContext' ->> 'RunAsUser' = '0') ) -- runAsNonRoot is null, and runAsUser is 0
+    )
+    -- Condition 2: Pod context forces root, and container doesn't override
+    OR
+    (
+      ( (p.security_context ->> 'RunAsNonRoot' = 'false') OR ( (p.security_context ->> 'RunAsNonRoot' IS NULL) AND (p.security_context ->> 'RunAsUser' = '0') ) ) -- Pod context forces root
+      AND (c -> 'SecurityContext' ->> 'RunAsUser' IS NULL) -- Container does not specify user
+      AND (c -> 'SecurityContext' ->> 'RunAsNonRoot' IS NULL OR c -> 'SecurityContext' ->> 'RunAsNonRoot' = 'false') -- Container does not specify runAsNonRoot=true
+    )
+    -- Condition 3: Neither Pod nor Container specifies user/nonRoot (defaults to image definition, often root) - check if *no* setting prevents root
+    OR
+    (
+       (p.security_context ->> 'RunAsUser' IS NULL AND p.security_context ->> 'RunAsNonRoot' IS NULL) -- Pod has no relevant settings
+       AND (c -> 'SecurityContext' ->> 'RunAsUser' IS NULL AND c -> 'SecurityContext' ->> 'RunAsNonRoot' IS NULL) -- Container has no relevant settings
+    )
+  ORDER BY
+    p.platform_integration_id ASC,
+    resource ASC;
+tags:
+  asset: Kubernetes
+  value: Reduce Security Risk
+  outcome: Limit Blast Radius
+  standard: CIS Kubernetes Benchmark
+classification:
+  - [ "Security", "Workload Configuration" ]
+  - [ "Security", "Vulnerabilities", "Containers" ]
+  - [ "Security", "IAM", "Excessive Permissions" ]

queries/kubernetes/k8s_ingress_without_tls.yaml

@@ -0,0 +1,40 @@
+id: k8s_ingress_without_tls
+title: Kubernetes Ingress Without TLS Configuration
+type: query
+primary_table: k8_ingress
+description: Finds Ingress resources that define routing rules but do not have a corresponding TLS configuration section. This indicates potential HTTP traffic exposure for paths defined in the Ingress, lacking encryption.
+metadata:
+  reasoning: Ingress resources managing external access should enforce TLS (HTTPS) to encrypt traffic between clients and the cluster. Ingresses without TLS configuration handle traffic over unencrypted HTTP, exposing sensitive data in transit and enabling potential man-in-the-middle attacks.
+  value: Protect data confidentiality and integrity for external traffic by ensuring all Ingress resources enforce TLS encryption.
+integration_type:
+  - kubernetes_cluster
+query: |
+  SELECT
+    i.platform_integration_id,
+    i.namespace || '/' || i.title AS resource,
+    'alarm' AS status,
+    'Ingress ''' || i.title || ''' in namespace ''' || i.namespace || ''' defines rules but lacks TLS configuration.' AS reason,
+    jsonb_build_object(
+      'ingress_title', i.title,
+      'namespace', i.namespace,
+      'ingress_class_name', i.ingress_class_name,
+      'rules_defined', i.rules,
+      'tls_configured', i.tls -- Will be null or empty array
+    ) AS finding_details
+  FROM
+    k8_ingress AS i
+  WHERE
+    COALESCE(jsonb_array_length(i.rules), 0) > 0 -- Has rules defined
+    AND COALESCE(jsonb_array_length(i.tls), 0) = 0 -- Has no TLS section defined
+  ORDER BY
+    i.platform_integration_id ASC,
+    resource ASC;
+tags:
+  asset: Kubernetes
+  value: Enhance Data Security
+  outcome: Enforce Encryption
+  standard: CIS Kubernetes Benchmark
+classification:
+  - [ "Security", "Web Security" ]
+  - [ "Security", "Data Protection" ]
+  - [ "Infrastructure", "Kubernetes", "Networking" ]

queries/kubernetes/k8s_pod_privileged_containers.yaml

@@ -0,0 +1,40 @@
+id: k8s_pod_privileged_containers
+title: Kubernetes Pods with Privileged Containers
+type: query
+primary_table: k8_pod
+description: Finds container workloads running with the securityContext.privileged=true setting enabled across all clusters. Privileged containers bypass standard container isolation and security controls, significantly increasing risk and potential blast radius if compromised.
+metadata:
+  reasoning: Privileged containers bypass kernel namespacing and control group restrictions, gaining access to host devices and elevated kernel capabilities. This significantly increases the risk and potential impact of a container escape if the workload is breached, expanding the blast radius.
+  value: Limit the blast radius of potential workload compromises and reduce overall security risk by enforcing standard container isolation and removing privileged access.
+integration_type:
+  - kubernetes_cluster
+query: |
+  SELECT DISTINCT
+    p.platform_integration_id,
+    p.namespace || '/' || p.title AS resource, -- Use namespace/name as unique resource identifier
+    'alarm' as status,
+    'Pod ''' || p.title || ''' in namespace ''' || p.namespace || ''' has privileged container ''' || (c ->> 'Name') || '''.' AS reason,
+    jsonb_build_object(
+      'pod_title', p.title,
+      'namespace', p.namespace,
+      'container_name', c ->> 'Name',
+      'container_image', c ->> 'Image',
+      'container_security_context', c -> 'SecurityContext',
+      'node_name', p.node_name
+    ) AS finding_details
+  FROM
+    k8_pod AS p,
+    jsonb_array_elements(COALESCE(p.containers, '[]'::jsonb)) AS c -- Use jsonb_array_elements for safety
+  WHERE
+    -- Check if securityContext exists and privileged is explicitly true
+    c -> 'SecurityContext' ->> 'Privileged' = 'true'
+  ORDER BY
+    p.platform_integration_id ASC,
+    resource ASC;
+tags:
+  asset: Kubernetes
+  value: Reduce Security Risk
+  outcome: Limit Blast Radius
+classification:
+  - [ "Security", "Workload Configuration" ]
+  - [ "Security", "Vulnerabilities", "Containers" ]

queries/kubernetes/k8s_pods_mounting_sensitive_hostpaths.yaml

@@ -0,0 +1,54 @@
+id: k8s_pods_mounting_sensitive_hostpaths
+title: Kubernetes Pods Mounting Sensitive Host Paths
+type: query
+primary_table: k8_pod
+description: Finds pods mounting potentially sensitive host filesystem paths using hostPath volumes (e.g., '/', '/etc', '/var/run/docker.sock', '/var/lib/kubelet', '/proc'). Access to sensitive host paths can break node isolation, allowing container escape, data exposure, or modification of the host system.
+metadata:
+  reasoning: Mounting host paths directly into pods bypasses storage abstractions and couples the pod lifecycle to the node's filesystem. Accessing sensitive paths like '/', '/etc', '/var/run/docker.sock', or '/proc' can grant the pod excessive privileges, allow container escape, or enable interference with the node's operation or other pods.
+  value: Maintain node isolation, prevent container escape vectors, and protect host system integrity by disallowing or strictly controlling hostPath volumes, especially for sensitive paths.
+integration_type:
+  - kubernetes_cluster
+query: |
+  WITH sensitive_paths (path) AS (
+    VALUES ('/'), ('/etc'), ('/var/run/docker.sock'), ('/var/lib/kubelet'), ('/proc'), ('/root') -- Hardcoded list as requested
+  )
+  SELECT DISTINCT
+    p.platform_integration_id,
+    p.namespace || '/' || p.title AS resource,
+    'alarm' AS status,
+    'Pod ''' || p.title || ''' in namespace ''' || p.namespace || ''' mounts sensitive hostPath ''' || (v -> 'HostPath' ->> 'Path') || ''' via volume ''' || (v ->> 'Name') || '''.' AS reason,
+    jsonb_build_object(
+      'pod_title', p.title,
+      'namespace', p.namespace,
+      'node_name', p.node_name,
+      'volume_name', v ->> 'Name',
+      'host_path_mounted', v -> 'HostPath' ->> 'Path',
+      'volume_definition', v
+    ) AS finding_details
+  FROM
+    k8_pod AS p,
+    jsonb_array_elements(COALESCE(p.volumes, '[]'::jsonb)) AS v
+  WHERE
+    v ->> 'HostPath' IS NOT NULL -- It is a hostPath volume
+    AND EXISTS ( -- Check if the mounted path matches any sensitive path
+      SELECT 1
+      FROM sensitive_paths sp
+      WHERE v -> 'HostPath' ->> 'Path' = sp.path
+        OR sp.path = '/' -- If '/' is sensitive, any hostPath is sensitive (except maybe empty path?)
+        -- Basic check if mounted path is a parent of a sensitive path
+        OR (sp.path LIKE (v -> 'HostPath' ->> 'Path') || '/%' AND v -> 'HostPath' ->> 'Path' != '/')
+    )
+  ORDER BY
+    p.platform_integration_id ASC,
+    resource ASC;
+tags:
+  asset: Kubernetes
+  value: Reduce Attack Surface
+  outcome: # Use list format for multiple outcomes
+    - Enhance Isolation
+    - Prevent Container Escape
+  standard: CIS Kubernetes Benchmark
+classification:
+  - [ "Security", "Workload Configuration" ]
+  - [ "Security", "Vulnerabilities", "Configuration" ]
+  - [ "Infrastructure", "Storage" ]

queries/kubernetes/k8s_pods_using_host_network.yaml

@@ -0,0 +1,37 @@
+id: k8s_pods_using_host_network
+title: Kubernetes Pods Using Host Network
+type: query
+primary_table: k8_pod
+description: Finds pods configured with spec.hostNetwork=true. These pods share the host's network namespace, bypassing pod network isolation and potentially exposing host network services or allowing network sniffing.
+metadata:
+  reasoning: Pods running with hostNetwork share the network namespace of the underlying node. This breaks network isolation between pods, allows access to the node's loopback device, potentially exposes node services, and enables sniffing of network traffic on the node. It significantly increases the attack surface and risk.
+  value: Maintain network isolation, reduce attack surface, and prevent potential information disclosure or interference by avoiding hostNetwork where possible.
+integration_type:
+  - kubernetes_cluster
+query: |
+  SELECT DISTINCT
+    p.platform_integration_id,
+    p.namespace || '/' || p.title AS resource,
+    'alarm' AS status,
+    'Pod ''' || p.title || ''' in namespace ''' || p.namespace || ''' is configured to use host network (spec.hostNetwork=true).' AS reason,
+    jsonb_build_object(
+      'pod_title', p.title,
+      'namespace', p.namespace,
+      'node_name', p.node_name,
+      'host_network_setting', p.host_network
+    ) AS finding_details
+  FROM
+    k8_pod AS p
+  WHERE
+    p.host_network = true
+  ORDER BY
+    p.platform_integration_id ASC,
+    resource ASC;
+tags:
+  asset: Kubernetes
+  value: Reduce Attack Surface
+  outcome: Enhance Isolation
+  standard: CIS Kubernetes Benchmark
+classification:
+  - [ "Security", "Workload Configuration" ]
+  - [ "Security", "Vulnerabilities", "Configuration" ]

queries/kubernetes/k8s_pods_using_host_pid_ipc.yaml

@@ -0,0 +1,42 @@
+id: k8s_pods_using_host_pid_ipc
+title: Kubernetes Pods Using Host PID or IPC Namespaces
+type: query
+primary_table: k8_pod
+description: Finds pods configured with spec.hostPID=true or spec.hostIPC=true. These pods share the host's process ID or inter-process communication namespaces, breaking isolation and potentially allowing process inspection/manipulation or interference with host processes.
+metadata:
+  reasoning: Sharing the host's PID namespace allows processes within the pod to see (and potentially signal) all other processes on the host node. Sharing the host's IPC namespace allows processes in the pod to interact with host processes via shared memory or other IPC mechanisms. Both break crucial container isolation boundaries.
+  value: Maintain process and IPC isolation, reduce attack surface, and prevent potential information disclosure or interference with host node processes.
+integration_type:
+  - kubernetes_cluster
+query: |
+  SELECT DISTINCT
+    p.platform_integration_id,
+    p.namespace || '/' || p.title AS resource,
+    'alarm' AS status,
+    'Pod ''' || p.title || ''' in namespace ''' || p.namespace || ''' is configured to use ' ||
+      CASE WHEN p.host_pid = true AND p.host_ipc = true THEN 'host PID and IPC namespaces'
+           WHEN p.host_pid = true THEN 'host PID namespace'
+           ELSE 'host IPC namespace'
+      END || '.' AS reason,
+    jsonb_build_object(
+      'pod_title', p.title,
+      'namespace', p.namespace,
+      'node_name', p.node_name,
+      'host_pid_setting', p.host_pid,
+      'host_ipc_setting', p.host_ipc
+    ) AS finding_details
+  FROM
+    k8_pod AS p
+  WHERE
+    p.host_pid = true OR p.host_ipc = true
+  ORDER BY
+    p.platform_integration_id ASC,
+    resource ASC;
+tags:
+  asset: Kubernetes
+  value: Reduce Attack Surface
+  outcome: Enhance Isolation
+  standard: CIS Kubernetes Benchmark
+classification:
+  - [ "Security", "Workload Configuration" ]
+  - [ "Security", "Vulnerabilities", "Configuration" ]