From 8e0840c85f14b32eff6ffc5160d9d7e27187ea4e Mon Sep 17 00:00:00 2001 From: arpitjain099 Date: Thu, 4 Jun 2026 15:35:23 +0900 Subject: [PATCH] Boost ReadOnlyRootFilesystem rule score from 1 to 3 The readOnlyRootFilesystem rule was scored at 1 point, the floor for a positive hardening rule. An immutable root filesystem is a meaningful defense-in-depth control: it raises attacker cost by preventing malicious binaries from being written into PATH and frustrates post-exploitation tooling drops (for example linpeas or peirates) after a remote shell. Raise it to 3, matching the other top container-hardening rules (ServiceAccountName, ApparmorAny). This keeps it at or below RunAsNonRoot's weight, which remains the higher-priority control as it is generally a bigger deal than a read-only rootfs. Updates the affected score assertion in ruleset_test.go (the manifest with readOnlyRootFilesystem + runAsNonRoot now totals 4 instead of 2). Closes #572 Signed-off-by: arpitjain099 --- pkg/ruler/ruleset.go | 2 +- pkg/ruler/ruleset_test.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/ruler/ruleset.go b/pkg/ruler/ruleset.go index aaf29e70a..8044e8f04 100644 --- a/pkg/ruler/ruleset.go +++ b/pkg/ruler/ruleset.go @@ -63,7 +63,7 @@ func NewRuleset(logger *zap.SugaredLogger, ruleIDs ...string) (*Ruleset, error) Selector: "containers[] .securityContext .readOnlyRootFilesystem == true", Reason: "An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost", Kinds: []string{"Pod", "Deployment", "StatefulSet", "DaemonSet"}, - Points: 1, + Points: 3, Advise: 3, }, { diff --git a/pkg/ruler/ruleset_test.go b/pkg/ruler/ruleset_test.go index 2f3554fb7..4194766ba 100644 --- a/pkg/ruler/ruleset_test.go +++ b/pkg/ruler/ruleset_test.go @@ -191,8 +191,8 @@ spec: report := reports[0] - if report.Score != 2 { - t.Errorf("Got score: %d, expected: 2", report.Score) + if report.Score != 4 { + t.Errorf("Got score: %d, expected: 4", report.Score) } })