Updating Helm Docs

Author: J12934

operator/README.md

@@ -38,10 +38,10 @@ helm install securecodebox-operator secureCodeBox/operator
 | s3.port | string | `nil` |  |
 | s3.secretAttributeNames.accesskey | string | `"accesskey"` |  |
 | s3.secretAttributeNames.secretkey | string | `"secretkey"` |  |
-| securityContext.allowPrivilegeEscalation | bool | `false` |  |
-| securityContext.capabilities.drop[0] | string | `"all"` |  |
-| securityContext.privileged | bool | `false` |  |
-| securityContext.readOnlyRootFilesystem | bool | `true` |  |
-| securityContext.runAsNonRoot | bool | `true` |  |
+| securityContext.allowPrivilegeEscalation | bool | `false` | Ensures that users privilidges canout be escalated |
+| securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privilidges from the operator container. They are not required |
+| securityContext.privileged | bool | `false` | Ensures that the operator container is not run in privilidged mode |
+| securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system |
+| securityContext.runAsNonRoot | bool | `true` | Enforces that the Operator image is run as a non root user |
 | telemetryEnabled | bool | `true` | The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry |
 

scanners/nmap/README.md

@@ -42,6 +42,48 @@ Some useful example parameters listed below:
 - `-script` xx: Replace xx with the script name. Start the scan with the given script.
 - `--script` xx: Replace xx with a coma-separated list of scripts. Start the scan with the given scripts.
 
+## Operating System Scans
+
+:::caution
+Warning! This is currently not tested and might require additional testing to work 😕
+:::
+
+If you want to use Nmap to identify operating systems of hosts you'll need to weaken the securityContext config, as Nmap requires the capability to send raw sockets to identify operating systems. See [Nmap Docs](https://secwiki.org/w/Running_nmap_as_an_unprivileged_user)
+
+You can deployed the ScanType with the config like this:
+
+```bash
+cat <<EOF | helm install nmap-privilidged ./scanners/nmap --values -
+scannerJob:
+  env:
+    - name: "NMAP_PRIVILEGED"
+      value: "true"
+  securityContext:
+    capabilities:
+      drop:
+        - all
+      add:
+        - CAP_NET_RAW
+        - CAP_NET_ADMIN
+        - CAP_NET_BIND_SERVICE
+EOF
+```
+
+You the start scans with operating system identification enabled:
+
+```yaml
+apiVersion: "execution.experimental.securecodebox.io/v1"
+kind: Scan
+metadata:
+  name: "nmap-os-scan"
+spec:
+  scanType: "nmap-privilidged"
+  parameters:
+    - --privileged
+    - "-O"
+    - www.iteratec.de
+```
+
 ## Chart Configuration
 
 | Key | Type | Default | Description |
@@ -53,4 +95,9 @@ Some useful example parameters listed below:
 | scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
 | scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scannerJob.securityContext.allowPrivilegeEscalation | bool | `false` | Ensures that users privilidges canout be escalated |
+| scannerJob.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privilidges from the container. |
+| scannerJob.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privilidged mode |
+| scannerJob.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system |
+| scannerJob.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user |
 | scannerJob.ttlSecondsAfterFinished | string | `nil` | Defines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/) |