Merge branch 'master' into poor-old-michael-finnegan
craigbox authored Oct 4, 2023
2 parents 83b29b2 + 8da97f9 commit 2b5b07d
Showing 38 changed files with 69 additions and 69 deletions.
12 changes: 6 additions & 6 deletions FWName_CID_CName.csv
@@ -42,12 +42,12 @@ AllControls,C-0061,Pods in default namespace
AllControls,C-0062,Sudo in container entrypoint
AllControls,C-0063,Portforwarding privileges
AllControls,C-0065,No impersonation
AllControls,C-0066,Secret/ETCD encryption enabled
AllControls,C-0066,Secret/etcd encryption enabled
AllControls,C-0067,Audit logs enabled
AllControls,C-0068,PSP enabled
AllControls,C-0069,Disable anonymous access to Kubelet service
AllControls,C-0070,Enforce Kubelet client TLS authentication
AllControls,C-0073,Naked PODs
AllControls,C-0073,Naked pods
AllControls,C-0074,Containers mounting Docker socket
AllControls,C-0075,Image pull policy on latest tag
AllControls,C-0076,Label usage for resources
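Review bot: 'Secret/ETCD encryption enabled' and 'Naked PODs' are renamed here, and control names are matched by string elsewhere in this repo (the README's controlsNames list in this same commit carries 'Naked pods'), so every file that embeds these names needs the identical change in this commit or name-based matching will silently miss. The lowercase 'etcd' is the project's own spelling, so that part of the rename is right.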
@@ -85,7 +85,7 @@ ArmoBest,C-0061,Pods in default namespace
ArmoBest,C-0062,Sudo in container entrypoint
ArmoBest,C-0063,Portforwarding privileges
ArmoBest,C-0065,No impersonation
ArmoBest,C-0066,Secret/ETCD encryption enabled
ArmoBest,C-0066,Secret/etcd encryption enabled
ArmoBest,C-0067,Audit logs enabled
ArmoBest,C-0068,PSP enabled
ArmoBest,C-0069,Disable anonymous access to Kubelet service
@@ -103,7 +103,7 @@ DevOpsBest,C-0044,Container hostPort
DevOpsBest,C-0050,Resources CPU limit and request
DevOpsBest,C-0056,Configured liveness probe
DevOpsBest,C-0061,Pods in default namespace
DevOpsBest,C-0073,Naked PODs
DevOpsBest,C-0073,Naked pods
DevOpsBest,C-0074,Containers mounting Docker socket
DevOpsBest,C-0075,Image pull policy on latest tag
DevOpsBest,C-0076,Label usage for resources
@@ -130,7 +130,7 @@ MITRE,C-0054,Cluster internal networking
MITRE,C-0057,Privileged container
MITRE,C-0058,CVE-2021-25741 - Using symlink for arbitrary host file system access.
MITRE,C-0059,CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability
MITRE,C-0066,Secret/ETCD encryption enabled
MITRE,C-0066,Secret/etcd encryption enabled
MITRE,C-0067,Audit logs enabled
MITRE,C-0068,PSP enabled
MITRE,C-0069,Disable anonymous access to Kubelet service
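Review bot: the C-0059 context line spells its title as one hyphenated token ('CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability') while C-0058 directly above uses the 'CVE-2021-25741 - Using symlink ...' form; since this pass is normalizing control names anyway, consider giving C-0059 the same 'CVE-ID - Description' shape in every framework row.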
@@ -154,7 +154,7 @@ NSA,C-0055,Linux hardening
NSA,C-0057,Privileged container
NSA,C-0058,CVE-2021-25741 - Using symlink for arbitrary host file system access.
NSA,C-0059,CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability
NSA,C-0066,Secret/ETCD encryption enabled
NSA,C-0066,Secret/etcd encryption enabled
NSA,C-0067,Audit logs enabled
NSA,C-0068,PSP enabled
NSA,C-0069,Disable anonymous access to Kubelet service
8 changes: 4 additions & 4 deletions README.md
@@ -39,7 +39,7 @@ Example of a framework:
]
},
"controlsNames": [
"Naked PODs",
"Naked pods",
"Container runtime socket mounted",
"Image pull policy on latest tag",
"Label usage for resources",
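Review bot: the README's controlsNames example does not agree with the CSV touched in this same commit: here the socket control is listed as 'Container runtime socket mounted', while FWName_CID_CName.csv has C-0074 as 'Containers mounting Docker socket'. If this snippet is meant to be a real framework excerpt, align the names, otherwise readers will search for a control name that does not exist.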
@@ -69,12 +69,12 @@ Example of a control:
"attributes": {
"armoBuiltin": true
},
"description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.",
"remediation": "Create necessary namespaces and move all the PODs from default namespace there.",
"description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.",
"remediation": "Create necessary namespaces and move all the pods from default namespace there.",
"rulesNames": [
"pods-in-default-namespace"
],
"long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.",
"long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.",
"test": "Check that there are no pods in the 'default' namespace",
"id": "C-0061",
"controlID": "C-0061",
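Review bot: 'wrong capabilities and permissions assignment' in the rewritten long_description does not say what actually goes wrong; suggest naming the concrete risk, namely that RBAC bindings, NetworkPolicies and quotas are scoped per namespace, so a workload left in default inherits whatever is, or is not, bound there. Also 'running pods in cluster' should read 'running pods in the cluster' in both rewritten lines.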
6 changes: 3 additions & 3 deletions controls/C-0009-resourcelimits.json
@@ -14,12 +14,12 @@
}
]
},
"description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.",
"remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.",
"description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.",
"remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod manifests.",
"rulesNames": [
"resource-policies"
],
"long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.",
"long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.",
"test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory",
"controlID": "C-0009",
"baseScore": 7.0,
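Review bot: the remediation now says 'deployment/pod manifests' while the description and long_description on the surrounding lines still say 'yaml definition file'; pick one term for the control. 'Resource Limits' is not a Kubernetes object name (LimitRange is), so lowercase 'resource limits' avoids suggesting a second resource type, and the leading space in the test string ' Check for each container ...' looks accidental.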
2 changes: 1 addition & 1 deletion controls/C-0013-nonrootcontainers.json
@@ -7,7 +7,7 @@
"compliance"
]
},
"description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.",
"description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.",
"remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.",
"rulesNames": [
"non-root-containers"
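Review bot: the remediation context line misspells the field as 'allowPrivlegeEscalation'; the securityContext field is allowPrivilegeEscalation, and a user who copies the name from this text gets a key the API server ignores. Since the description is being edited anyway, fix that line in the same change, and 'running as root or can escalate to root' should read 'running as root or able to escalate to root'.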
2 changes: 1 addition & 1 deletion controls/C-0017-immutablecontainerfilesystem.json
@@ -16,7 +16,7 @@
]
},
"description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.",
"remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.",
"remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.",
"rulesNames": [
"immutable-container-filesystem"
],
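Review bot: the rewritten remediation still places readOnlyRootFilesystem under the 'pod securityContext', but readOnlyRootFilesystem is a field of the container-level securityContext, not of PodSecurityContext, so the casing fix preserves an inaccurate instruction. Suggest '(container securityContext, readOnlyRootFilesystem: true)', and 'If containers application needs' should read 'If the container's application needs'.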
4 changes: 2 additions & 2 deletions controls/C-0018-configuredreadinessprobe.json
@@ -6,12 +6,12 @@
"devops"
]
},
"description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.",
"description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.",
"remediation": "Ensure Readiness probes are configured wherever possible.",
"rulesNames": [
"configured-readiness-probe"
],
"long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.",
"long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.",
"controlID": "C-0018",
"example": "@controls/examples/c018.yaml",
"category": {
2 changes: 1 addition & 1 deletion controls/C-0026-kubernetescronjob.json
@@ -9,7 +9,7 @@
"compliance"
]
},
"description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a POD in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.",
"description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a pod in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.",
"remediation": "Watch Kubernetes CronJobs and make sure they are legitimate.",
"rulesNames": [
"rule-deny-cronjobs"
2 changes: 1 addition & 1 deletion controls/C-0030-ingressandegressblocked.json
@@ -6,7 +6,7 @@
"compliance"
]
},
"description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.",
"description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.",
"remediation": "Define a network policy that restricts ingress and egress connections.",
"rulesNames": [
"ingress-and-egress-blocked"
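Review bot: 'Ingress and Egress' stay capitalized in the rewritten description while this commit lowercases everything else; capital-I Ingress names a Kubernetes resource kind, and this control is about traffic direction, so 'ingress and egress traffic' is the accurate form.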
4 changes: 2 additions & 2 deletions controls/C-0034-automaticmappingofserviceaccount.json
@@ -7,8 +7,8 @@
"compliance"
]
},
"description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.",
"remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.",
"description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.",
"remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.",
"rulesNames": [
"automount-service-account"
],
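Review bot: the rewritten description says 'automatic mapping' and the rewritten remediation says 'automatic mounting'; the field is automountServiceAccountToken and the token is delivered as a mounted volume, so 'mounting' is the right word in both lines. 'Potential attacker may gain access' should read 'A potential attacker may gain access'.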
4 changes: 2 additions & 2 deletions controls/C-0038-hostpidipcprivileges.json
@@ -7,12 +7,12 @@
"compliance"
]
},
"description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.",
"description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.",
"remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.",
"rulesNames": [
"host-pid-ipc-privileges"
],
"long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.",
"long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.",
"controlID": "C-0038",
"baseScore": 7.0,
"example": "@controls/examples/c038.yaml",
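Review bot: the remediation context line 'Remove hostPID and hostIPC from the yaml file(s) privileges' is garbled; suggest 'Remove hostPID and hostIPC from the pod spec unless they are absolutely necessary.' Since description and long_description are both rewritten here, 'deployment yaml' could become 'pod spec' at the same time, as hostPID and hostIPC are pod spec fields rather than anything specific to Deployments.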
4 changes: 2 additions & 2 deletions controls/C-0041-hostnetworkaccess.json
@@ -15,8 +15,8 @@
}
]
},
"description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.",
"remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.",
"description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.",
"remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.",
"rulesNames": [
"host-network-access"
],
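Review bot: the rewritten remediation keeps 'Whitelist only those pods'; suggest 'Allow-list only those pods' (or 'Exempt only those pods'), and 'in AWS case' in the description reads better as 'on AWS'. The statement that false is the default for hostNetwork is correct.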
2 changes: 1 addition & 1 deletion controls/C-0045-writablehostpathmount.json
@@ -27,7 +27,7 @@
"alert-rw-hostpath"
],
"long_description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.",
"test": "Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.",
"test": "Checking in Pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.",
"controlID": "C-0045",
"baseScore": 8.0,
"example": "@controls/examples/c045.yaml",
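Review bot: this hunk changes 'POD spec' to 'Pod spec' while every other file in the commit lowercases to 'pod'; pick one convention. Also 'mount.readOnly' does not name a real field: the flag lives on the container's volumeMounts entry (volumeMounts[].readOnly), so 'if the matching volumeMounts entry has readOnly: false (or omits it)' would be precise.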
2 changes: 1 addition & 1 deletion controls/C-0046-insecurecapabilities.json
@@ -16,7 +16,7 @@
}
]
},
"description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).",
"description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).",
"remediation": "Remove all insecure capabilities which are not necessary for the container.",
"rulesNames": [
"insecure-capabilities"
2 changes: 1 addition & 1 deletion controls/C-0048-hostpathmount.json
@@ -18,7 +18,7 @@
}
]
},
"description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.",
"description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.",
"example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: test-pd\nspec:\n containers:\n - image: k8s.gcr.io/test-webserver\n name: test-container\n volumeMounts:\n - mountPath: /test-pd\n name: test-volume\n volumes:\n - name: test-volume\n hostPath: # This field triggers failure!\n path: /data\n type: Directory\n",
"remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.",
"rulesNames": [
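Review bot: the example manifest on the context line pulls 'k8s.gcr.io/test-webserver'; k8s.gcr.io is the deprecated Kubernetes image registry, replaced by registry.k8s.io, so the example image reference should be updated while this file is open. Also 'use exception mechanism to remove notifications' would be clearer as 'use the exception mechanism to suppress alerts for approved cases'.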
4 changes: 2 additions & 2 deletions controls/C-0053-accesscontainerserviceaccount.json
@@ -11,8 +11,8 @@
"security-impact"
]
},
"description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.",
"remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.",
"description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.",
"remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.",
"rulesNames": [
"access-container-service-account",
"access-container-service-account-v1"
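Review bot: the rewritten description keeps 'considerred' (should be 'considered') and 'KubeAPI server' (should be 'Kubernetes API server'); since the line is already being changed, fix both here. 'All pods with SA token mounted ... are considered' also reads better as 'Every pod with an SA token mounted ... is considered'.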
4 changes: 2 additions & 2 deletions controls/C-0056-configuredlivenessprobe.json
@@ -6,12 +6,12 @@
"devops"
]
},
"description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.",
"description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.",
"remediation": "Ensure Liveness probes are configured wherever possible.",
"rulesNames": [
"configured-liveness-probe"
],
"long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.",
"long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.",
"controlID": "C-0056",
"category": {
"name" : "Workload"
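Review bot: both rewritten lines keep the typo 'restrat' ('or otherwise restart the container'); fix it in description and long_description in this same change rather than leaving it for a second pass. 'during its entire execution lifecycle' could also simply be 'for its entire lifetime'.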