2.0.5 13-07-2025

- Kubernetes Security Standards: [Insecure sysctls](https://protsenko.dev/infrastructure-security/insecure-sysctls/)

Author: NordCoderd

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 # Cloud (IaC) Security Changelog
 
+## [2.0.5] 13-07-2025
+
+### Added
+- Kubernetes Security Standards: [Insecure sysctls](https://protsenko.dev/infrastructure-security/insecure-sysctls/)
+
 ## [2.0.4] 05-07-2025
 
 ### Added

README.md

@@ -11,7 +11,7 @@
 
 Cloud (IaC) Security Linter for JetBrains IDEs (e.g., IntelliJ IDEA, PyCharm, WebStorm, and more).
 
-Scan Docker, Kubernetes, and other Infrastructure-as-Code (IaC) files for security vulnerabilities and misconfigurations directly within your JetBrains IDE.
+Scan Docker (dockerfile and compose), Kubernetes files for security vulnerabilities and misconfigurations directly within your JetBrains IDE.
 
 ## Why this plugin?
 

gradle.properties

@@ -1,7 +1,7 @@
 pluginGroup = dev.protsenko.securityLinter
 pluginName = Cloud (IaC) Security
 pluginRepositoryUrl = https://github.com/NordCoderd/cloud-security-plugin
-pluginVersion = 2.0.4
+pluginVersion = 2.0.5
 
 # Supported build number ranges and IntelliJ Platform versions -> https://plugins.jetbrains.com/docs/intellij/build-number-ranges.html
 pluginSinceBuild = 231

src/main/kotlin/dev/protsenko/securityLinter/kubernetes/InsecureSysctlsInspection.kt

@@ -0,0 +1,59 @@
+package dev.protsenko.securityLinter.kubernetes
+
+import com.intellij.codeInspection.LocalInspectionTool
+import com.intellij.codeInspection.ProblemHighlightType
+import com.intellij.codeInspection.ProblemsHolder
+import com.intellij.psi.PsiElementVisitor
+import dev.protsenko.securityLinter.core.HtmlProblemDescriptor
+import dev.protsenko.securityLinter.core.SecurityPluginBundle
+import dev.protsenko.securityLinter.kubernetes.quickfix.ReplaceValueToDefaultQuickFix
+import dev.protsenko.securityLinter.utils.YamlPath
+import org.jetbrains.yaml.psi.YAMLDocument
+import org.jetbrains.yaml.psi.YAMLScalar
+import org.jetbrains.yaml.psi.YAMLSequence
+
+class InsecureSysctlsInspection : LocalInspectionTool() {
+
+    override fun buildVisitor(holder: ProblemsHolder, isOnTheFly: Boolean): PsiElementVisitor {
+        return object : BaseKubernetesVisitor() {
+            override fun analyze(specPrefix: String, document: YAMLDocument) {
+                val seccompProfileType = YamlPath.findByYamlPath(
+                    "$specPrefix$SYSCTL_PATH",
+                    document
+                ) as? YAMLSequence ?: return
+
+                for (sysctl in seccompProfileType.items) {
+                    val sysctlKey = sysctl
+                        .keysValues
+                        .firstOrNull { it.name == "name" } ?: continue
+                    val sysctlValueText = sysctlKey.valueText
+                    if (sysctlValueText !in allowedSysctls) {
+                        val descriptor = HtmlProblemDescriptor(
+                            sysctl,
+                            SecurityPluginBundle.message("kube011.documentation"),
+                            SecurityPluginBundle.message("kube011.problem-text"),
+                            ProblemHighlightType.ERROR, emptyArray()
+                        )
+                        holder.registerProblem(descriptor)
+                    }
+                }
+
+            }
+        }
+    }
+}
+
+private val SYSCTL_PATH = "spec.securityContext.sysctls"
+private val allowedSysctls = setOf(
+    "",
+    "kernel.shm_rmid_forced",
+    "net.ipv4.ip_local_port_range",
+    "net.ipv4.ip_unprivileged_port_start",
+    "net.ipv4.tcp_syncookies",
+    "net.ipv4.ping_group_range",
+    "net.ipv4.ip_local_reserved_ports",
+    "net.ipv4.tcp_keepalive_time",
+    "net.ipv4.tcp_fin_timeout",
+    "net.ipv4.tcp_keepalive_intvl",
+    "net.ipv4.tcp_keepalive_probes"
+)

src/main/resources/META-INF/dev.protsenko.security-linter-yaml.xml

@@ -65,5 +65,10 @@
                 displayName="Unconfined seccomp profile"
                 groupPathKey="common.group-key" groupKey="common.kubernetes-group-key"
                 enabledByDefault="true" language="yaml"/>
+        <localInspection
+                implementationClass="dev.protsenko.securityLinter.kubernetes.InsecureSysctlsInspection"
+                displayName="Insecure systctls"
+                groupPathKey="common.group-key" groupKey="common.kubernetes-group-key"
+                enabledByDefault="true" language="yaml"/>
     </extensions>
 </idea-plugin>

src/main/resources/inspectionDescriptions/InsecureSysctls.html

@@ -0,0 +1,6 @@
+<html>
+<body>
+<p>Detects insecure sysctls</p>
+<p>Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset.</p>
+</body>
+</html>

src/main/resources/messages/SecurityPluginBundle.properties

@@ -161,6 +161,10 @@ kube010.documentation=insecure-seccomp-profile
 kube010.problem-text=Seccomp profile set to 'Unconfined' disables syscall filtering and exposes the container to kernel-level attacks.
 kube010.qf.fix-value=Set the type to 'RuntimeDefault'
 
+## kube011
+kube011.documentation=insecure-sysctls
+kube011.problem-text=Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed "safe" subset.
+
 # Not implemented
 ds029.missing-healthcheck=Missing HEALTHCHECK instruction
 ds023.multiple-exposed-port=Port {0} exposed more than one time.

src/test/kotlin/dev/protsenko/securityLinter/kubernetes/KUBE011InsecureSysctls.kt

@@ -0,0 +1,11 @@
+package dev.protsenko.securityLinter.kubernetes
+
+import com.intellij.codeInspection.LocalInspectionTool
+import dev.protsenko.securityLinter.core.KubernetesHighlightingBaseTest
+
+class KUBE011InsecureSysctls(
+    override val ruleFolderName: String = "KUBE011",
+    override val targetFileName: String = "pod.yaml",
+    override val targetInspection: LocalInspectionTool = InsecureSysctlsInspection(),
+    override val customFiles: Set<String> = setOf()
+) : KubernetesHighlightingBaseTest()

src/test/testData/kubernetes/KUBE011/pod.yaml.allowed

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: safe-sysctl-demo
+  labels:
+    app: demo
+spec:
+  securityContext:
+    sysctls:
+      - name: net.ipv4.ip_local_port_range
+        value: "1024 65535"
+      - name: net.ipv4.tcp_syncookies
+        value: "1"
+      - name: net.ipv4.tcp_keepalive_time     # ≥ 1.29
+        value: "7200"
+      - name: net.ipv4.tcp_keepalive_intvl    # ≥ 1.29
+        value: "75"
+      - name: net.ipv4.tcp_keepalive_probes   # ≥ 1.29
+        value: "9"
+  containers:
+    - name: nginx
+      image: nginx:1.29-alpine
+      ports:
+        - containerPort: 80
+      securityContext:
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: ["ALL"]
+        readOnlyRootFilesystem: true

src/test/testData/kubernetes/KUBE011/pod.yaml.denied

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: unsafe-sysctl-demo
+spec:
+  securityContext:
+    sysctls:
+      <error descr="Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed \"safe\" subset.">- name: net.core.somaxconn
+        value: "1024"</error>
+      <error descr="Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed \"safe\" subset.">- name: kernel.msgmax
+        value: "65536"</error>
+  containers:
+    - name: nginx
+      image: nginx:1.29-alpine
+      ports:
+        - containerPort: 80