Add securityContext to nmap

Author: J12934

scanners/nmap/README.md.gotmpl

@@ -42,6 +42,48 @@ Some useful example parameters listed below:
 - `-script` xx: Replace xx with the script name. Start the scan with the given script.
 - `--script` xx: Replace xx with a coma-separated list of scripts. Start the scan with the given scripts.
 
+## Operating System Scans
+
+:::caution
+Warning! This is currently not tested and might require additional testing to work 😕
+:::
+
+If you want to use Nmap to identify operating systems of hosts you'll need to weaken the securityContext config, as Nmap requires the capability to send raw sockets to identify operating systems. See [Nmap Docs](https://secwiki.org/w/Running_nmap_as_an_unprivileged_user)
+
+You can deployed the ScanType with the config like this:
+
+```bash
+cat <<EOF | helm install nmap-privilidged ./scanners/nmap --values -
+scannerJob:
+  env:
+    - name: "NMAP_PRIVILEGED"
+      value: "true"
+  securityContext:
+    capabilities:
+      drop:
+        - all
+      add:
+        - CAP_NET_RAW
+        - CAP_NET_ADMIN
+        - CAP_NET_BIND_SERVICE
+EOF
+```
+
+You the start scans with operating system identification enabled:
+
+```yaml
+apiVersion: "execution.experimental.securecodebox.io/v1"
+kind: Scan
+metadata:
+  name: "nmap-os-scan"
+spec:
+  scanType: "nmap-privilidged"
+  parameters:
+    - --privileged
+    - "-O"
+    - www.iteratec.de
+```
+
 ## Chart Configuration
 
 {{ template "chart.valuesTable" . }}

scanners/nmap/scanner/Dockerfile

@@ -1,5 +1,5 @@
 FROM alpine:3.12
 RUN apk add --no-cache nmap=7.80-r2 nmap-scripts=7.80-r2
-RUN addgroup -S nmap && adduser -S -g nmap nmap
-USER nmap
+RUN addgroup --system --gid 1001 nmap && adduser nmap --system --uid 1001 --ingroup nmap
+USER 1001
 CMD [nmap]

scanners/nmap/templates/nmap-scan-type.yaml

@@ -1,7 +1,7 @@
 apiVersion: "execution.experimental.securecodebox.io/v1"
 kind: ScanType
 metadata:
-  name: "nmap"
+  name: {{ .Release.Name }}
 spec:
   extractResults:
     type: nmap-xml
@@ -19,5 +19,9 @@ spec:
             - name: nmap
               image: scbexperimental/nmap:7.80
               command: ["nmap", "-oX", "/home/securecodebox/nmap-results.xml"]
+              env:
+                {{- toYaml .Values.scannerJob.env | nindent 16 }}
               resources:
                 {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+              securityContext:
+                {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}

scanners/nmap/values.yaml

@@ -30,3 +30,17 @@ scannerJob:
 
   # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
   extraContainers: []
+
+  securityContext:
+    # scannerJob.securityContext.runAsNonRoot -- Enforces that the scanner image is run as a non root user
+    runAsNonRoot: true
+    # scannerJob.securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
+    readOnlyRootFilesystem: true
+    # scannerJob.securityContext.allowPrivilegeEscalation -- Ensures that users privilidges canout be escalated
+    allowPrivilegeEscalation: false
+    # scannerJob.securityContext.privileged -- Ensures that the scanner container is not run in privilidged mode
+    privileged: false
+    capabilities:
+      drop:
+        # scannerJob.securityContext.capabilities.drop[0] -- This drops all linux privilidges from the container.
+        - all