add file scope for specific controls

Signed-off-by: rcohencyberarmor <[email protected]>
kubescape · Oct 17, 2023 · f495c4f · f495c4f
1 parent 3c8ea0a
commit f495c4f
Show file tree

Hide file tree

Showing 23 changed files with 46 additions and 23 deletions.
diff --git a/controls/C-0186-minimizeaccesstosecrets.json b/controls/C-0186-minimizeaccesstosecrets.json
@@ -23,7 +23,8 @@
     "default_value": "By default in a kubeadm cluster the following list of principals have `get` privileges on `secret` objects ```CLUSTERROLEBINDING                                    SUBJECT                             TYPE            SA-NAMESPACEcluster-admin                                         system:masters                      Group           system:controller:clusterrole-aggregation-controller  clusterrole-aggregation-controller  ServiceAccount  kube-systemsystem:controller:expand-controller                   expand-controller                   ServiceAccount  kube-systemsystem:controller:generic-garbage-collector           generic-garbage-collector           ServiceAccount  kube-systemsystem:controller:namespace-controller                namespace-controller                ServiceAccount  kube-systemsystem:controller:persistent-volume-binder            persistent-volume-binder            ServiceAccount  kube-systemsystem:kube-controller-manager                        system:kube-controller-manager      User ```",
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0187-minimizewildcarduseinrolesandclusterroles.json b/controls/C-0187-minimizewildcarduseinrolesandclusterroles.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0188-minimizeaccesstocreatepods.json b/controls/C-0188-minimizeaccesstocreatepods.json
@@ -23,7 +23,8 @@
     "default_value": "By default in a kubeadm cluster the following list of principals have `create` privileges on `pod` objects ```CLUSTERROLEBINDING                                    SUBJECT                             TYPE            SA-NAMESPACEcluster-admin                                         system:masters                      Group           system:controller:clusterrole-aggregation-controller  clusterrole-aggregation-controller  ServiceAccount  kube-systemsystem:controller:daemon-set-controller               daemon-set-controller               ServiceAccount  kube-systemsystem:controller:job-controller                      job-controller                      ServiceAccount  kube-systemsystem:controller:persistent-volume-binder            persistent-volume-binder            ServiceAccount  kube-systemsystem:controller:replicaset-controller               replicaset-controller               ServiceAccount  kube-systemsystem:controller:replication-controller              replication-controller              ServiceAccount  kube-systemsystem:controller:statefulset-controller              statefulset-controller              ServiceAccount  kube-system```",
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0189-ensurethatdefaultserviceaccountsarenotactivelyused.json b/controls/C-0189-ensurethatdefaultserviceaccountsarenotactivelyused.json
@@ -24,7 +24,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0190-ensurethatserviceaccounttokensareonlymountedwherenecessary.json b/controls/C-0190-ensurethatserviceaccounttokensareonlymountedwherenecessary.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/...rols/C-0191-limituseofthebindimpersonateandescalatepermissionsinthekubernetescluster.json b/...rols/C-0191-limituseofthebindimpersonateandescalatepermissionsinthekubernetescluster.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0192-ensurethattheclusterhasatleastoneactivepolicycontrolmechanisminplace.json b/controls/C-0192-ensurethattheclusterhasatleastoneactivepolicycontrolmechanisminplace.json
@@ -24,7 +24,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0193-minimizetheadmissionofprivilegedcontainers.json b/controls/C-0193-minimizetheadmissionofprivilegedcontainers.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0194-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json b/controls/C-0194-minimizetheadmissionofcontainerswishingtosharethehostprocessidnamespace.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0195-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json b/controls/C-0195-minimizetheadmissionofcontainerswishingtosharethehostipcnamespace.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0196-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json b/controls/C-0196-minimizetheadmissionofcontainerswishingtosharethehostnetworknamespace.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0197-minimizetheadmissionofcontainerswithallowprivilegeescalation.json b/controls/C-0197-minimizetheadmissionofcontainerswithallowprivilegeescalation.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0198-minimizetheadmissionofrootcontainers.json b/controls/C-0198-minimizetheadmissionofrootcontainers.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0199-minimizetheadmissionofcontainerswiththenet_rawcapability.json b/controls/C-0199-minimizetheadmissionofcontainerswiththenet_rawcapability.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0200-minimizetheadmissionofcontainerswithaddedcapabilities.json b/controls/C-0200-minimizetheadmissionofcontainerswithaddedcapabilities.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0201-minimizetheadmissionofcontainerswithcapabilitiesassigned.json b/controls/C-0201-minimizetheadmissionofcontainerswithcapabilitiesassigned.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0202-minimizetheadmissionofwindowshostprocesscontainers.json b/controls/C-0202-minimizetheadmissionofwindowshostprocesscontainers.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-          "cluster"
+          "cluster",
+          "file"
         ]
       }
 }
diff --git a/controls/C-0203-minimizetheadmissionofhostpathvolumes.json b/controls/C-0203-minimizetheadmissionofhostpathvolumes.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0204-minimizetheadmissionofcontainerswhichusehostports.json b/controls/C-0204-minimizetheadmissionofcontainerswhichusehostports.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0206-ensurethatallnamespaceshavenetworkpoliciesdefined.json b/controls/C-0206-ensurethatallnamespaceshavenetworkpoliciesdefined.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0207-preferusingsecretsasfilesoversecretsasenvironmentvariables.json b/controls/C-0207-preferusingsecretsasfilesoversecretsasenvironmentvariables.json
@@ -26,7 +26,8 @@
     },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0210-ensurethattheseccompprofileissettodockerdefaultinyourpoddefinitions.json b/controls/C-0210-ensurethattheseccompprofileissettodockerdefaultinyourpoddefinitions.json
@@ -23,7 +23,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }
diff --git a/controls/C-0211-applysecuritycontexttoyourpodsandcontainers.json b/controls/C-0211-applysecuritycontexttoyourpodsandcontainers.json
@@ -45,7 +45,8 @@
    },
     "scanningScope": {
         "matches": [
-            "cluster"
+            "cluster",
+            "file"
         ]
     }
 }