Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Containers/ Privileged Access
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-ControlsCSA-CCMISO-27001NIST-800-53
- Snyk IDSNYK-CC-00505
- creditSnyk Research Team
Description
Job will have elevated privileges on the host instance which may allow it to access information about other workloads.
How to fix?
Set properties.startTask.userIdentity.autoUser.elevationLevel to NonAdmin.
Set start_task.user_identity.auto_user.elevation_level attribute to NonAdmin.
Example configuration:
resource "azurerm_batch_pool" "allowed" {
name = "testaccpool"
resource_group_name = azurerm_resource_group.example.name
account_name = azurerm_batch_account.example.name
display_name = "Test Acc Pool Auto"
vm_size = "Standard_A1"
node_agent_sku_id = "batch.node.ubuntu 16.04"
auto_scale {
evaluation_interval = "PT15M"
formula = <<EOF
startingNumberOfVMs = 1;
maxNumberofVMs = 25;
pendingTaskSamplePercent = $PendingTasks.GetSamplePercent(180 * TimeInterval_Second);
pendingTaskSamples = pendingTaskSamplePercent < 70 ? startingNumberOfVMs : avg($PendingTasks.GetSample(180 * TimeInterval_Second));
$TargetDedicatedNodes=min(maxNumberofVMs, pendingTaskSamples);
EOF
}
storage_image_reference {
publisher = "microsoft-azure-batch"
offer = "ubuntu-server-container"
sku = "16-04-lts"
version = "latest"
}
container_configuration {
type = "DockerCompatible"
container_registries {
registry_server = "docker.io"
user_name = "login"
password = "apassword"
}
}
start_task {
command_line = "echo 'Hello World from $env'"
max_task_retry_count = 1
wait_for_success = true
environment = {
env = "TEST"
}
user_identity {
auto_user {
elevation_level = "NonAdmin"
scope = "Task"
}
}
}
certificate {
id = azurerm_batch_certificate.example.id
visibility = ["StartTask"]
store_location = "LocalMachine"
}
}