diff --git a/FWName_CID_CName.csv b/FWName_CID_CName.csv index 51a00a66e..44a74aa54 100644 --- a/FWName_CID_CName.csv +++ b/FWName_CID_CName.csv @@ -42,12 +42,12 @@ AllControls,C-0061,Pods in default namespace AllControls,C-0062,Sudo in container entrypoint AllControls,C-0063,Portforwarding privileges AllControls,C-0065,No impersonation -AllControls,C-0066,Secret/ETCD encryption enabled +AllControls,C-0066,Secret/etcd encryption enabled AllControls,C-0067,Audit logs enabled AllControls,C-0068,PSP enabled AllControls,C-0069,Disable anonymous access to Kubelet service AllControls,C-0070,Enforce Kubelet client TLS authentication -AllControls,C-0073,Naked PODs +AllControls,C-0073,Naked pods AllControls,C-0074,Containers mounting Docker socket AllControls,C-0075,Image pull policy on latest tag AllControls,C-0076,Label usage for resources @@ -85,7 +85,7 @@ ArmoBest,C-0061,Pods in default namespace ArmoBest,C-0062,Sudo in container entrypoint ArmoBest,C-0063,Portforwarding privileges ArmoBest,C-0065,No impersonation -ArmoBest,C-0066,Secret/ETCD encryption enabled +ArmoBest,C-0066,Secret/etcd encryption enabled ArmoBest,C-0067,Audit logs enabled ArmoBest,C-0068,PSP enabled ArmoBest,C-0069,Disable anonymous access to Kubelet service @@ -103,7 +103,7 @@ DevOpsBest,C-0044,Container hostPort DevOpsBest,C-0050,Resources CPU limit and request DevOpsBest,C-0056,Configured liveness probe DevOpsBest,C-0061,Pods in default namespace -DevOpsBest,C-0073,Naked PODs +DevOpsBest,C-0073,Naked pods DevOpsBest,C-0074,Containers mounting Docker socket DevOpsBest,C-0075,Image pull policy on latest tag DevOpsBest,C-0076,Label usage for resources 
@@ -130,7 +130,7 @@ MITRE,C-0054,Cluster internal networking MITRE,C-0057,Privileged container MITRE,C-0058,CVE-2021-25741 - Using symlink for arbitrary host file system access. MITRE,C-0059,CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability -MITRE,C-0066,Secret/ETCD encryption enabled +MITRE,C-0066,Secret/etcd encryption enabled MITRE,C-0067,Audit logs enabled MITRE,C-0068,PSP enabled MITRE,C-0069,Disable anonymous access to Kubelet service @@ -154,7 +154,7 @@ NSA,C-0055,Linux hardening NSA,C-0057,Privileged container NSA,C-0058,CVE-2021-25741 - Using symlink for arbitrary host file system access. NSA,C-0059,CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability -NSA,C-0066,Secret/ETCD encryption enabled +NSA,C-0066,Secret/etcd encryption enabled NSA,C-0067,Audit logs enabled NSA,C-0068,PSP enabled NSA,C-0069,Disable anonymous access to Kubelet service diff --git a/README.md b/README.md index 149ae8f2b..8b413bb75 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ Example of a framework: ] }, "controlsNames": [ - "Naked PODs", + "Naked pods", "Container runtime socket mounted", "Image pull policy on latest tag", "Label usage for resources", 
@@ -69,12 +69,12 @@ Example of a control: "attributes": { "armoBuiltin": true }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", "rulesNames": [ "pods-in-default-namespace" ], - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "id": "C-0061", "controlID": "C-0061", diff --git a/controls/C-0009-resourcelimits.json b/controls/C-0009-resourcelimits.json index 242d2c725..cf38bf979 100644 --- a/controls/C-0009-resourcelimits.json +++ b/controls/C-0009-resourcelimits.json 
@@ -14,12 +14,12 @@ } ] }, - "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", - "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod manifests.", "rulesNames": [ "resource-policies" ], - "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. 
It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", "baseScore": 7.0, diff --git a/controls/C-0013-nonrootcontainers.json b/controls/C-0013-nonrootcontainers.json index 6d044ac61..a60e15ea8 100644 --- a/controls/C-0013-nonrootcontainers.json +++ b/controls/C-0013-nonrootcontainers.json @@ -7,7 +7,7 @@ "compliance" ] }, - "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.", + "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.", "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", "rulesNames": [ "non-root-containers" diff --git a/controls/C-0017-immutablecontainerfilesystem.json b/controls/C-0017-immutablecontainerfilesystem.json index 1615faf62..63f47a664 100644 --- a/controls/C-0017-immutablecontainerfilesystem.json +++ b/controls/C-0017-immutablecontainerfilesystem.json 
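Review bot: The remediation context line in the C-0013 hunk misspells the field as `allowPrivlegeEscalation`; anyone copying it into a securityContext gets an unknown key that the API server will drop or reject, and the real field is not off by default. Since the commit already rewrites this control's wording, the sentence `Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.` should become `Set allowPrivilegeEscalation: false explicitly (it defaults to true) and runAsNonRoot: true.` The same line also says to "define the runAsUser or runAsGroup ... and use user ID 1000 or higher", but runAsGroup takes a GID, so the 1000-or-higher advice applies to runAsUser only.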
@@ -16,7 +16,7 @@
 ]
 },
 "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.",
- "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.",
+ "remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.",
 "rulesNames": [
 "immutable-container-filesystem"
 ],
diff --git a/controls/C-0018-configuredreadinessprobe.json b/controls/C-0018-configuredreadinessprobe.json
index 0a4164753..160e7e2dd 100644
--- a/controls/C-0018-configuredreadinessprobe.json
+++ b/controls/C-0018-configuredreadinessprobe.json
@@ -6,12 +6,12 @@ "devops" ] }, - "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "remediation": "Ensure Readiness probes are configured wherever possible.", "rulesNames": [ "configured-readiness-probe" ], - "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "controlID": "C-0018", "example": "@controls/examples/c018.yaml", "category": { diff --git a/controls/C-0026-kubernetescronjob.json b/controls/C-0026-kubernetescronjob.json index d9e498343..3f8ebbc7a 100644 --- a/controls/C-0026-kubernetescronjob.json +++ b/controls/C-0026-kubernetescronjob.json 
@@ -9,7 +9,7 @@ "compliance" ] }, - "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a POD in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", + "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a pod in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", "remediation": "Watch Kubernetes CronJobs and make sure they are legitimate.", "rulesNames": [ "rule-deny-cronjobs" diff --git a/controls/C-0030-ingressandegressblocked.json b/controls/C-0030-ingressandegressblocked.json index 706bfb27d..98afdec86 100644 --- a/controls/C-0030-ingressandegressblocked.json +++ b/controls/C-0030-ingressandegressblocked.json @@ -6,7 +6,7 @@ "compliance" ] }, - "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.", "remediation": "Define a network policy that restricts ingress and egress connections.", "rulesNames": [ "ingress-and-egress-blocked" diff --git a/controls/C-0034-automaticmappingofserviceaccount.json b/controls/C-0034-automaticmappingofserviceaccount.json index 42d30bd21..a6a37ad32 100644 --- a/controls/C-0034-automaticmappingofserviceaccount.json +++ b/controls/C-0034-automaticmappingofserviceaccount.json 
@@ -7,8 +7,8 @@ "compliance" ] }, - "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", - "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.", + "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.", "rulesNames": [ "automount-service-account" ], diff --git a/controls/C-0038-hostpidipcprivileges.json b/controls/C-0038-hostpidipcprivileges.json index bea1b65c6..880f1b975 100644 --- a/controls/C-0038-hostpidipcprivileges.json +++ b/controls/C-0038-hostpidipcprivileges.json 
@@ -7,12 +7,12 @@ "compliance" ] }, - "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", "rulesNames": [ "host-pid-ipc-privileges" ], - "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "controlID": "C-0038", "baseScore": 7.0, "example": "@controls/examples/c038.yaml", diff --git a/controls/C-0041-hostnetworkaccess.json b/controls/C-0041-hostnetworkaccess.json index 844d464f8..739aaf032 100644 --- a/controls/C-0041-hostnetworkaccess.json +++ b/controls/C-0041-hostnetworkaccess.json 
@@ -15,8 +15,8 @@ } ] }, - "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", - "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.", + "description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.", + "remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.", "rulesNames": [ "host-network-access" ], diff --git a/controls/C-0045-writablehostpathmount.json b/controls/C-0045-writablehostpathmount.json index 46942b1c4..44199b0cb 100644 --- a/controls/C-0045-writablehostpathmount.json +++ b/controls/C-0045-writablehostpathmount.json 
@@ -27,7 +27,7 @@ "alert-rw-hostpath" ], "long_description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", - "test": "Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", + "test": "Checking in Pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", "controlID": "C-0045", "baseScore": 8.0, "example": "@controls/examples/c045.yaml", diff --git a/controls/C-0046-insecurecapabilities.json b/controls/C-0046-insecurecapabilities.json index c1bb39d89..2ca8ee8d0 100644 --- a/controls/C-0046-insecurecapabilities.json +++ b/controls/C-0046-insecurecapabilities.json @@ -16,7 +16,7 @@ } ] }, - "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).", "remediation": "Remove all insecure capabilities which are not necessary for the container.", "rulesNames": [ "insecure-capabilities" diff --git a/controls/C-0048-hostpathmount.json b/controls/C-0048-hostpathmount.json index b7a747aa6..9c84c0e44 100644 --- a/controls/C-0048-hostpathmount.json +++ b/controls/C-0048-hostpathmount.json 
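Review bot: The rewritten `test` line in the C-0045 hunk uses `Pod spec` while every other string this commit touches is normalized to lowercase `pod` (the C-0057 hunk carries the same `Pod spec`), so the commit is inconsistent with its own convention. The field path `mount.readOnly` is also not where the flag lives: a hostPath volume is made read-only per container via `volumeMounts[].readOnly`, so `if the matching volumeMounts[].readOnly is false (or absent) we raise an alert` is the accurate wording — confirm against the `alert-rw-hostpath` rule, which is not shown here.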
@@ -18,7 +18,7 @@ } ] }, - "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.", + "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.", "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: test-pd\nspec:\n containers:\n - image: k8s.gcr.io/test-webserver\n name: test-container\n volumeMounts:\n - mountPath: /test-pd\n name: test-volume\n volumes:\n - name: test-volume\n hostPath: # This field triggers failure!\n path: /data\n type: Directory\n", "remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.", "rulesNames": [ diff --git a/controls/C-0053-accesscontainerserviceaccount.json b/controls/C-0053-accesscontainerserviceaccount.json index ebed68c49..a99e952ee 100644 --- a/controls/C-0053-accesscontainerserviceaccount.json +++ b/controls/C-0053-accesscontainerserviceaccount.json 
@@ -11,8 +11,8 @@ "security-impact" ] }, - "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", - "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.", + "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", + "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.", "rulesNames": [ "access-container-service-account", "access-container-service-account-v1" diff --git a/controls/C-0056-configuredlivenessprobe.json b/controls/C-0056-configuredlivenessprobe.json index b5f88aa34..88fef2132 100644 --- a/controls/C-0056-configuredlivenessprobe.json +++ b/controls/C-0056-configuredlivenessprobe.json 
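Review bot: The rewritten description in the C-0053 hunk keeps `considerred` (should be `considered`) and `KubeAPI server` (`the Kubernetes API server`); since the commit edits this exact line, both should be fixed in the same pass. The clause `if such token has a Role or a ClusterRole binding` is also imprecise — the binding is to the service account, not the token — so `if the service account is bound to a Role or ClusterRole` reads more accurately.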
@@ -6,12 +6,12 @@ "devops" ] }, - "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "remediation": "Ensure Liveness probes are configured wherever possible.", "rulesNames": [ "configured-liveness-probe" ], - "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "controlID": "C-0056", "category": { "name" : "Workload" diff --git a/controls/C-0057-privilegedcontainer.json b/controls/C-0057-privilegedcontainer.json index 52adb5ba6..4189c7554 100644 --- a/controls/C-0057-privilegedcontainer.json +++ b/controls/C-0057-privilegedcontainer.json 
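Review bot: Both rewritten lines in the C-0056 hunk still contain `restrat the container`, which should be `restart the container`; since the commit already rewrites these strings, the typo should go with them. The sentence is duplicated verbatim in `description` and `long_description`, so both copies need the change.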
@@ -16,7 +16,7 @@
 "rule-privilege-escalation"
 ],
 "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.",
- "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.",
+ "test": "Check in Pod spec if securityContext.privileged == true, if so raise an alert.",
 "controlID": "C-0057",
 "baseScore": 8.0,
 "category": {
diff --git a/controls/C-0061-podsindefaultnamespace.json b/controls/C-0061-podsindefaultnamespace.json
index e4a85a4b9..e2301b080 100644
--- a/controls/C-0061-podsindefaultnamespace.json
+++ b/controls/C-0061-podsindefaultnamespace.json
@@ -7,12 +7,12 @@ "devops" ] }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", "rulesNames": [ "pods-in-default-namespace" ], - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "controlID": "C-0061", "category": { diff --git a/controls/C-0062-sudoincontainerentrypoint.json b/controls/C-0062-sudoincontainerentrypoint.json index 7707fb3f2..2a8b27c5e 100644 --- a/controls/C-0062-sudoincontainerentrypoint.json +++ b/controls/C-0062-sudoincontainerentrypoint.json 
@@ -6,12 +6,12 @@ "security" ] }, - "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "remediation": "Remove sudo from the command line and use Kubernetes native root and capabilities controls to provide necessary privileges where they are required.", "rulesNames": [ "sudo-in-container-entrypoint" ], - "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "test": "Check that there is no 'sudo' in the container entrypoint", "controlID": "C-0062", "baseScore": 5.0, diff --git a/controls/C-0063-portforwardingprivileges.json b/controls/C-0063-portforwardingprivileges.json index 1a7aa4960..5d24a32e1 100644 --- a/controls/C-0063-portforwardingprivileges.json +++ b/controls/C-0063-portforwardingprivileges.json 
@@ -8,7 +8,7 @@
 "compliance"
 ]
 },
- "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with PODs from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.",
+ "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with pods from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.",
 "remediation": "It is recommended to prohibit \u201ckubectl portforward\u201d command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.",
 "rulesNames": [
 "rule-can-portforward",
diff --git a/controls/C-0066-secretetcdencryptionenabled.json b/controls/C-0066-secretetcdencryptionenabled.json
index e820f056b..24880d5ec 100644
--- a/controls/C-0066-secretetcdencryptionenabled.json
+++ b/controls/C-0066-secretetcdencryptionenabled.json
@@ -1,5 +1,5 @@
 {
- "name": "Secret/ETCD encryption enabled",
+ "name": "Secret/etcd encryption enabled",
 "attributes": {
 "armoBuiltin": true,
 "controlTypeTags": [
diff --git a/controls/C-0068-pspenabled.json b/controls/C-0068-pspenabled.json
index 4a678de5a..b18ede310 100644
--- a/controls/C-0068-pspenabled.json
+++ b/controls/C-0068-pspenabled.json
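Review bot: The rewritten description in the C-0063 hunk keeps the non-existent command `kubectl portforward`; the actual subcommand is `kubectl port-forward`, and the same misspelling sits in the unchanged remediation line. Both strings should read `\u201ckubectl port-forward\u201d`, since operators will search the control text for the command. The permission being checked is presumably `create` on the `pods/portforward` subresource (the rule is named `rule-can-portforward`), and saying so in the description would make the finding actionable — confirm against the rule, which is not in this diff.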
@@ -13,7 +13,7 @@ "psp-enabled-cloud", "psp-enabled-native" ], - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, diff --git a/controls/C-0073-nakedpods.json b/controls/C-0073-nakedpods.json index 8bc1f89ea..6782d3900 100644 --- a/controls/C-0073-nakedpods.json +++ b/controls/C-0073-nakedpods.json 
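Review bot: The rewritten `long_description` in the C-0068 hunk reads `It is an important to use PSP`, which should be `It is important to use PSP`. More substantively, PodSecurityPolicy was removed from Kubernetes in v1.25, so on current clusters this text is stale advice and the `psp-enabled-native` rule it references (not shown here) can only ever fail; adding `Note: PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters enforce the equivalent with Pod Security Admission or an admission controller.` would keep the control honest, assuming the framework targets such versions.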
@@ -1,18 +1,18 @@ { - "name": "Naked PODs", + "name": "Naked pods", "attributes": { "armoBuiltin": true, "controlTypeTags": [ "devops" ] }, - "description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "remediation": "Create necessary Deployment object for every POD making any POD a first class citizen in your IaC architecture.", + "description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "remediation": "Create necessary Deployment object for every pod making any pod a first class citizen in your IaC architecture.", "rulesNames": [ "naked-pods" ], - "long_description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "test": "Test if PODs are not associated with Deployment, ReplicaSet etc. If not, fail.", + "long_description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. 
Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "test": "Test if pods are not associated with Deployment, ReplicaSet etc. If not, fail.", "controlID": "C-0073", "category": { "name" : "Workload" diff --git a/controls/C-0074-containersmountingdockersocket.json b/controls/C-0074-containersmountingdockersocket.json index 584834c97..9c952d1e6 100644 --- a/controls/C-0074-containersmountingdockersocket.json +++ b/controls/C-0074-containersmountingdockersocket.json 
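Review bot: Both rewritten strings in the C-0073 hunk still carry `etc.Manual creation if pods`, which should read `etc. Manual creation of pods`; since the commit touches exactly these lines it should fix the grammar with them. `parental object` is not Kubernetes terminology either — the relationship is an owner reference — so `does not have a corresponding owner (ownerReferences)` would be clearer. The list of acceptable controllers names only Deployment, ReplicaSet and StatefulSet; DaemonSet and Job/CronJob are presumably accepted as owners by the `naked-pods` rule as well — confirm against the rule and list them if so.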
@@ -6,12 +6,12 @@
 "devops"
 ]
 },
- "description": "Mounting Container runtime socket (Unix socket) enables container to access Container runtime, retrieve sensitive information and execute commands, if Container runtime is available. This control identifies PODs that attempt to mount Container runtime socket for accessing Container runtime.",
+ "description": "Mounting Container runtime socket (Unix socket) enables container to access Container runtime, retrieve sensitive information and execute commands, if Container runtime is available. This control identifies pods that attempt to mount Container runtime socket for accessing Container runtime.",
 "remediation": "Remove container runtime socket mount request or define an exception.",
 "rulesNames": [
 "containers-mounting-docker-socket"
 ],
- "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.",
+ "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.",
 "test": "Check hostpath. If the path is set to one of the container runtime socket, the container has access to container runtime - fail.",
 "controlID": "C-0074",
 "baseScore": 5.0,
diff --git a/controls/C-0075-imagepullpolicyonlatesttag.json b/controls/C-0075-imagepullpolicyonlatesttag.json
index e671ce952..0ecca02c2 100644
--- a/controls/C-0075-imagepullpolicyonlatesttag.json
+++ b/controls/C-0075-imagepullpolicyonlatesttag.json
@@ -6,12 +6,12 @@
 "devops"
 ]
 },
- "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always.",
- "remediation": "Set ImagePullPolicy to Always in all PODs found by this control.",
+ "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always.",
+ "remediation": "Set ImagePullPolicy to Always in all pods found by this control.",
 "rulesNames": [
 "image-pull-policy-is-not-set-to-always"
 ],
- "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.",
+ "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.",
 "test": "If imagePullPolicy = always pass, else fail.",
 "controlID": "C-0075",
 "category": {
diff --git a/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json b/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json
index d83c13975..72199d3d7 100644
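Review bot: The new `+ "description"` and `+ "long_description"` lines still say the control flags pods "that have ImagePullSecret not set to Always"; the field the control actually evaluates, per the `"remediation"` and `"test"` lines in the same hunk, is `imagePullPolicy`, while `imagePullSecrets` is the unrelated list of registry credential secrets, so the text sends operators to the wrong field. Suggested wording for both strings: `This control will identify all pods with latest tag that have imagePullPolicy not set to Always.` The same lines also carry the doubled word "the local local" and the typo "latests"; since the commit is already rewording these strings this is the natural place to fix them. The enclosing object starts before the hunk.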
--- a/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json
+++ b/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json
@@ -7,7 +7,7 @@
 ]
 },
 "description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service is assigned to them.",
- "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.",
+ "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.",
 "rulesNames": [
 "exposed-critical-pods"
 ],
diff --git a/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json b/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json
index b9f2dc4ee..f67d95544 100644
--- a/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json
+++ b/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json
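Review bot: The rewritten `+ "remediation"` line keeps the misspellings "outseide" and "persistant"; since the line is being touched, `reassess if this workload must be exposed to the outside traffic` and `the risk of persistent intrusion` would fix them. The `+ "remediation"` line of the C-0084 hunk carries the same text and the same two typos. The guidance would also be clearer if it said that a periodic restart only discards what was placed in the running container and does not reduce the exposure of the vulnerable image itself, so removing or narrowing the LoadBalancer/NodePort service should be listed before restarts. The object continues outside the hunk.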
@@ -7,12 +7,12 @@
 "compliance"
 ]
 },
- "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.",
- "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.",
+ "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.",
+ "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.",
 "rulesNames": [
 "exposed-rce-pods"
 ],
- "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.",
+ "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.",
 "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort service and checks the image vulnerability information for the RCE vulnerability.",
 "controlID": "C-0084",
 "baseScore": 8.0,
diff --git a/controls/C-0087-cve202223648containerdfsescape.json b/controls/C-0087-cve202223648containerdfsescape.json
index ab660a416..d850d7f1a 100644
--- a/controls/C-0087-cve202223648containerdfsescape.json
+++ b/controls/C-0087-cve202223648containerdfsescape.json
@@ -6,7 +6,7 @@
 "security"
 ]
 },
- "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using aspecially-crafted POD configuration yamls",
+ "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using specially-crafted manifests",
 "remediation": "Patch containerd to 1.6.1, 1.5.10, 1.4.12 or above",
 "rulesNames": [
 "CVE-2022-23648"
diff --git a/frameworks/__YAMLscan.json b/frameworks/__YAMLscan.json
index a0ffd4ac5..8c42e60b7 100644
--- a/frameworks/__YAMLscan.json
+++ b/frameworks/__YAMLscan.json
@@ -51,7 +51,7 @@
 "Sudo in container entrypoint",
 "Portforwarding privileges",
 "No impersonation",
- "Naked PODs",
+ "Naked pods",
 "Container runtime socket mounted",
 "Image pull policy on latest tag",
 "Label usage for resources",
diff --git a/frameworks/allcontrols.json b/frameworks/allcontrols.json
index b65249512..890e01015 100644
--- a/frameworks/allcontrols.json
+++ b/frameworks/allcontrols.json
@@ -273,7 +273,7 @@
 {
 "controlID": "C-0066",
 "patch": {
- "name": "Secret/ETCD encryption enabled"
+ "name": "Secret/etcd encryption enabled"
 }
 },
 {
@@ -303,7 +303,7 @@
 {
 "controlID": "C-0073",
 "patch": {
- "name": "Naked PODs"
+ "name": "Naked pods"
 }
 },
 {
diff --git a/frameworks/armobest.json b/frameworks/armobest.json
index f0ddb9b71..04c639036 100644
--- a/frameworks/armobest.json
+++ b/frameworks/armobest.json
@@ -165,7 +165,7 @@
 {
 "controlID": "C-0066",
 "patch": {
- "name": "Secret/ETCD encryption enabled"
+ "name": "Secret/etcd encryption enabled"
 }
 },
 {
diff --git a/frameworks/cis-eks-t1.2.0.json b/frameworks/cis-eks-t1.2.0.json
index 1b1dc032c..4dc1ffda5 100644
--- a/frameworks/cis-eks-t1.2.0.json
+++ b/frameworks/cis-eks-t1.2.0.json
@@ -19,7 +19,7 @@
 "description": "Encrypt Kubernetes secrets, stored in etcd, using secrets encryption feature during Amazon EKS cluster creation.",
 "long_description": "Kubernetes can store secrets that pods can access via a mounted volume. Today, Kubernetes secrets are stored with Base64 encoding, but encrypting is the recommended approach. Amazon EKS clusters version 1.13 and higher support the capability of encrypting your Kubernetes secrets using AWS Key Management Service (KMS) Customer Managed Keys (CMK). The only requirement is to enable the encryption provider support during EKS cluster creation.\n\n Use AWS Key Management Service (KMS) keys to provide envelope encryption of Kubernetes secrets stored in Amazon EKS. Implementing envelope encryption is considered a security best practice for applications that store sensitive data and is part of a defense in depth security strategy.\n\n Application-layer Secrets Encryption provides an additional layer of security for sensitive data, such as user defined Secrets and Secrets required for the operation of the cluster, such as service account keys, which are all stored in etcd.\n\n Using this functionality, you can use a key, that you manage in AWS KMS, to encrypt data at the application layer. This protects against attackers in the event that they manage to gain access to etcd.",
 "remediation": "This process can only be performed during Cluster Creation.\n\n Enable 'Secrets Encryption' during Amazon EKS cluster creation as described in the links within the 'References' section.",
- "manual_test": "Using the etcdctl commandline, read that secret out of etcd:\n\n \n```\nETCDCTL_API=3 etcdctl get /registry/secrets/default/secret1 [...] | hexdump -C\n\n```\n where [...] must be the additional arguments for connecting to the etcd server.\n\n Verify the stored secret is prefixed with k8s:enc:aescbc:v1: which indicates the aescbc provider has encrypted the resulting data.",
+ "manual_test": "Using the etcdctl commandline, read that secret out of etcd:\n\n \n```\netcdCTL_API=3 etcdctl get /registry/secrets/default/secret1 [...] | hexdump -C\n\n```\n where [...] must be the additional arguments for connecting to the etcd server.\n\n Verify the stored secret is prefixed with k8s:enc:aescbc:v1: which indicates the aescbc provider has encrypted the resulting data.",
 "references": [
 "https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/"
 ],
diff --git a/frameworks/clusterscan.json b/frameworks/clusterscan.json
index 3cec6b089..a97ab72ec 100644
--- a/frameworks/clusterscan.json
+++ b/frameworks/clusterscan.json
@@ -11,7 +11,7 @@
 {
 "controlID": "C-0066",
 "patch": {
- "name": "Secret/ETCD encryption enabled"
+ "name": "Secret/etcd encryption enabled"
 }
 },
 {
diff --git a/frameworks/devopsbest.json b/frameworks/devopsbest.json
index 09f943b9b..55906992b 100644
--- a/frameworks/devopsbest.json
+++ b/frameworks/devopsbest.json
@@ -51,7 +51,7 @@
 {
 "controlID": "C-0073",
 "patch": {
- "name": "Naked PODs"
+ "name": "Naked pods"
 }
 },
 {
diff --git a/frameworks/mitre.json b/frameworks/mitre.json
index 66f84c086..460d794b3 100644
--- a/frameworks/mitre.json
+++ b/frameworks/mitre.json
@@ -147,7 +147,7 @@
 {
 "controlID": "C-0066",
 "patch": {
- "name": "Secret/ETCD encryption enabled"
+ "name": "Secret/etcd encryption enabled"
 }
 },
 {
diff --git a/frameworks/nsaframework.json b/frameworks/nsaframework.json
index 3f4d32bcb..3955df176 100644
--- a/frameworks/nsaframework.json
+++ b/frameworks/nsaframework.json
@@ -129,7 +129,7 @@
 {
 "controlID": "C-0066",
 "patch": {
- "name": "Secret/ETCD encryption enabled"
+ "name": "Secret/etcd encryption enabled"
 }
 },
 {
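Review bot: The `+ "manual_test"` line in the cis-eks-t1.2.0.json hunk turns the environment variable `ETCDCTL_API=3` into `etcdCTL_API=3`, which looks like an unintended casualty of the ETCD→etcd rename: the variable etcdctl reads is spelled `ETCDCTL_API` and is case-sensitive, so the lowercased form is silently ignored, and on etcdctl releases that default to the v2 API the `get /registry/secrets/...` command would not look in the v3 keyspace where the secret is stored. The documented verification that secrets are encrypted at rest would then fail or print nothing even on a correctly configured cluster. Restore the original spelling: `ETCDCTL_API=3 etcdctl get /registry/secrets/default/secret1 [...] | hexdump -C`. Because "ETCD" also occurs inside identifiers, the rename should be limited to the display-name `"name"` strings rather than applied across every string value in the framework files.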
diff --git a/rules/ensure_network_policy_configured_in_labels/test/failed_deployment_no_matched_label/input/deployment.yaml b/rules/ensure_network_policy_configured_in_labels/test/failed_deployment_no_matched_label/input/deployment.yaml
index c7b97b9c6..f98839c8a 100644
--- a/rules/ensure_network_policy_configured_in_labels/test/failed_deployment_no_matched_label/input/deployment.yaml
+++ b/rules/ensure_network_policy_configured_in_labels/test/failed_deployment_no_matched_label/input/deployment.yaml
@@ -8,11 +8,11 @@ spec:
 replicas: 3
 selector:
 matchLabels:
- app: my-app # Used to select the Pods the Deployment should manage
+ app: my-app # Used to select the pods the Deployment should manage
 template:
 metadata:
 labels:
- app: my-app # Labels for the Pods created by the Deployment
+ app: my-app # Labels for the pods created by the Deployment
 spec:
 containers:
 - name: my-app
diff --git a/rules/ensure_network_policy_configured_in_labels/test/success_deployment_label_match/input/deployment.yaml b/rules/ensure_network_policy_configured_in_labels/test/success_deployment_label_match/input/deployment.yaml
index c7b97b9c6..f98839c8a 100644
--- a/rules/ensure_network_policy_configured_in_labels/test/success_deployment_label_match/input/deployment.yaml
+++ b/rules/ensure_network_policy_configured_in_labels/test/success_deployment_label_match/input/deployment.yaml
@@ -8,11 +8,11 @@ spec:
 replicas: 3
 selector:
 matchLabels:
- app: my-app # Used to select the Pods the Deployment should manage
+ app: my-app # Used to select the pods the Deployment should manage
 template:
 metadata:
 labels:
- app: my-app # Labels for the Pods created by the Deployment
+ app: my-app # Labels for the pods created by the Deployment
 spec:
 containers:
 - name: my-app