From 760180d83763be4814ef8947e9b43e40f458c843 Mon Sep 17 00:00:00 2001 From: Craig Box Date: Tue, 21 Mar 2023 14:02:41 +1300 Subject: [PATCH 1/3] I feel so alive, for the very first time Signed-off-by: Craig Box --- FWName_CID_CName.csv | 4 +- README.md | 8 +- controls/C-0009-resourcelimits.json | 2 +- .../C-0017-immutablecontainerfilesystem.json | 2 +- controls/C-0018-configuredreadinessprobe.json | 4 +- controls/C-0026-kubernetescronjob.json | 2 +- controls/C-0030-ingressandegressblocked.json | 2 +- ...0034-automaticmappingofserviceaccount.json | 4 +- controls/C-0038-hostpidipcprivileges.json | 4 +- controls/C-0041-hostnetworkaccess.json | 4 +- controls/C-0045-writablehostpathmount.json | 2 +- controls/C-0046-insecurecapabilities.json | 2 +- controls/C-0048-hostpathmount.json | 2 +- .../C-0053-accesscontainerserviceaccount.json | 4 +- controls/C-0056-configuredlivenessprobe.json | 4 +- controls/C-0057-privilegedcontainer.json | 2 +- controls/C-0061-podsindefaultnamespace.json | 6 +- .../C-0062-sudoincontainerentrypoint.json | 4 +- controls/C-0063-portforwardingprivileges.json | 2 +- controls/C-0068-pspenabled.json | 2 +- controls/C-0073-nakedpods.json | 10 +- ...C-0074-containersmountingdockersocket.json | 4 +- .../C-0075-imagepullpolicyonlatesttag.json | 6 +- ...lnerabilitiesexposedtoexternaltraffic.json | 2 +- ...lnerabilitiesexposedtoexternaltraffic.json | 6 +- ...C-0087-cve202223648containerdfsescape.json | 2 +- frameworks/__YAMLscan.json | 2 +- frameworks/allcontrols.json | 2 +- frameworks/devopsbest.json | 2 +- releaseDev/FWName_CID_CName.csv | 4 +- releaseDev/allcontrols.json | 84 ++++---- releaseDev/armobest.json | 46 ++-- releaseDev/controls.json | 84 ++++---- releaseDev/devopsbest.json | 34 +-- releaseDev/frameworks.json | 202 +++++++++--------- releaseDev/mitre.json | 14 +- releaseDev/nsa.json | 24 +-- 37 files changed, 297 insertions(+), 297 deletions(-) diff --git a/FWName_CID_CName.csv b/FWName_CID_CName.csv index 1d346dabe..86542b678 100644 --- a/FWName_CID_CName.csv +++ b/FWName_CID_CName.csv @@ -47,7 +47,7 @@ AllControls,C-0067,Audit logs enabled AllControls,C-0068,PSP enabled AllControls,C-0069,Disable anonymous access to Kubelet service AllControls,C-0070,Enforce Kubelet client TLS authentication -AllControls,C-0073,Naked PODs +AllControls,C-0073,Naked pods AllControls,C-0074,Containers mounting Docker socket AllControls,C-0075,Image pull policy on latest tag AllControls,C-0076,Label usage for resources @@ -109,7 +109,7 @@ DevOpsBest,C-0044,Container hostPort DevOpsBest,C-0050,Resources CPU limit and request DevOpsBest,C-0056,Configured liveness probe DevOpsBest,C-0061,Pods in default namespace -DevOpsBest,C-0073,Naked PODs +DevOpsBest,C-0073,Naked pods DevOpsBest,C-0074,Containers mounting Docker socket DevOpsBest,C-0075,Image pull policy on latest tag DevOpsBest,C-0076,Label usage for resources diff --git a/README.md b/README.md index 871bcb712..a16c545ca 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ Example of a framework: "armoBuiltin": true }, "controlsNames": [ - "Naked PODs", + "Naked pods", "Containers mounting Docker socket", "Image pull policy on latest tag", "Label usage for resources", @@ -60,12 +60,12 @@ Example of a control: "attributes": { "armoBuiltin": true }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", "rulesNames": [ "pods-in-default-namespace" ], - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "id": "C-0061", "controlID": "C-0061", diff --git a/controls/C-0009-resourcelimits.json b/controls/C-0009-resourcelimits.json index a7b1671aa..f747fe448 100644 --- a/controls/C-0009-resourcelimits.json +++ b/controls/C-0009-resourcelimits.json @@ -15,7 +15,7 @@ ] }, "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", - "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", "rulesNames": [ "resource-policies" ], diff --git a/controls/C-0017-immutablecontainerfilesystem.json b/controls/C-0017-immutablecontainerfilesystem.json index 8f886dfca..d53a83dc5 100644 --- a/controls/C-0017-immutablecontainerfilesystem.json +++ b/controls/C-0017-immutablecontainerfilesystem.json @@ -17,7 +17,7 @@ ] }, "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.", - "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", + "remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", "rulesNames": [ "immutable-container-filesystem" ], diff --git a/controls/C-0018-configuredreadinessprobe.json b/controls/C-0018-configuredreadinessprobe.json index bb4de61dd..f1f393ef1 100644 --- a/controls/C-0018-configuredreadinessprobe.json +++ b/controls/C-0018-configuredreadinessprobe.json @@ -6,12 +6,12 @@ "devops" ] }, - "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "remediation": "Ensure Readiness probes are configured wherever possible.", "rulesNames": [ "configured-readiness-probe" ], - "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "controlID": "C-0018", "example": "@controls/examples/c018.yaml", "baseScore": 3 diff --git a/controls/C-0026-kubernetescronjob.json b/controls/C-0026-kubernetescronjob.json index 38c4fe702..39ae06954 100644 --- a/controls/C-0026-kubernetescronjob.json +++ b/controls/C-0026-kubernetescronjob.json @@ -9,7 +9,7 @@ "compliance" ] }, - "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a POD in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", + "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a pod in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", "remediation": "Watch Kubernetes CronJobs and make sure they are legitimate.", "rulesNames": [ "rule-deny-cronjobs" diff --git a/controls/C-0030-ingressandegressblocked.json b/controls/C-0030-ingressandegressblocked.json index 93c081227..e043e7b81 100644 --- a/controls/C-0030-ingressandegressblocked.json +++ b/controls/C-0030-ingressandegressblocked.json @@ -6,7 +6,7 @@ "compliance" ] }, - "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.", "remediation": "Define a network policy that restricts ingress and egress connections.", "rulesNames": [ "ingress-and-egress-blocked" diff --git a/controls/C-0034-automaticmappingofserviceaccount.json b/controls/C-0034-automaticmappingofserviceaccount.json index 54cb98f04..f858766da 100644 --- a/controls/C-0034-automaticmappingofserviceaccount.json +++ b/controls/C-0034-automaticmappingofserviceaccount.json @@ -16,8 +16,8 @@ } ] }, - "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", - "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.", + "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.", "rulesNames": [ "automount-service-account" ], diff --git a/controls/C-0038-hostpidipcprivileges.json b/controls/C-0038-hostpidipcprivileges.json index fb897a3e2..0083853f8 100644 --- a/controls/C-0038-hostpidipcprivileges.json +++ b/controls/C-0038-hostpidipcprivileges.json @@ -15,12 +15,12 @@ } ] }, - "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", "rulesNames": [ "host-pid-ipc-privileges" ], - "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "controlID": "C-0038", "baseScore": 7.0, "example": "@controls/examples/c038.yaml" diff --git a/controls/C-0041-hostnetworkaccess.json b/controls/C-0041-hostnetworkaccess.json index 10092c3e7..b81d7dd19 100644 --- a/controls/C-0041-hostnetworkaccess.json +++ b/controls/C-0041-hostnetworkaccess.json @@ -17,8 +17,8 @@ } ] }, - "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", - "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.", + "description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.", + "remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.", "rulesNames": [ "host-network-access" ], diff --git a/controls/C-0045-writablehostpathmount.json b/controls/C-0045-writablehostpathmount.json index 4663cbffb..4d9691c35 100644 --- a/controls/C-0045-writablehostpathmount.json +++ b/controls/C-0045-writablehostpathmount.json @@ -28,7 +28,7 @@ "alert-rw-hostpath" ], "long_description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", - "test": "Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", + "test": "Checking in pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", "controlID": "C-0045", "baseScore": 8.0, "example": "@controls/examples/c045.yaml" diff --git a/controls/C-0046-insecurecapabilities.json b/controls/C-0046-insecurecapabilities.json index 67f74af50..4b667b605 100644 --- a/controls/C-0046-insecurecapabilities.json +++ b/controls/C-0046-insecurecapabilities.json @@ -16,7 +16,7 @@ } ] }, - "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).", "remediation": "Remove all insecure capabilities which are not necessary for the container.", "rulesNames": [ "insecure-capabilities" diff --git a/controls/C-0048-hostpathmount.json b/controls/C-0048-hostpathmount.json index acbdb0f89..0496f8d38 100644 --- a/controls/C-0048-hostpathmount.json +++ b/controls/C-0048-hostpathmount.json @@ -18,7 +18,7 @@ } ] }, - "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.", + "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.", "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: test-pd\nspec:\n containers:\n - image: k8s.gcr.io/test-webserver\n name: test-container\n volumeMounts:\n - mountPath: /test-pd\n name: test-volume\n volumes:\n - name: test-volume\n hostPath: # This field triggers failure!\n path: /data\n type: Directory\n", "remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.", "rulesNames": [ diff --git a/controls/C-0053-accesscontainerserviceaccount.json b/controls/C-0053-accesscontainerserviceaccount.json index 52f385002..e6c5ba451 100644 --- a/controls/C-0053-accesscontainerserviceaccount.json +++ b/controls/C-0053-accesscontainerserviceaccount.json @@ -20,8 +20,8 @@ } ] }, - "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", - "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.", + "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", + "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.", "rulesNames": [ "access-container-service-account", "access-container-service-account-v1" diff --git a/controls/C-0056-configuredlivenessprobe.json b/controls/C-0056-configuredlivenessprobe.json index 19a68f45a..adfbb7481 100644 --- a/controls/C-0056-configuredlivenessprobe.json +++ b/controls/C-0056-configuredlivenessprobe.json @@ -6,12 +6,12 @@ "devops" ] }, - "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "remediation": "Ensure Liveness probes are configured wherever possible.", "rulesNames": [ "configured-liveness-probe" ], - "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "controlID": "C-0056", "baseScore": 4 } \ No newline at end of file diff --git a/controls/C-0057-privilegedcontainer.json b/controls/C-0057-privilegedcontainer.json index df30b9532..23f04d70d 100644 --- a/controls/C-0057-privilegedcontainer.json +++ b/controls/C-0057-privilegedcontainer.json @@ -24,7 +24,7 @@ "rule-privilege-escalation" ], "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0 } \ No newline at end of file diff --git a/controls/C-0061-podsindefaultnamespace.json b/controls/C-0061-podsindefaultnamespace.json index 5233973f8..1333d3b19 100644 --- a/controls/C-0061-podsindefaultnamespace.json +++ b/controls/C-0061-podsindefaultnamespace.json @@ -7,12 +7,12 @@ "devops" ] }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", "rulesNames": [ "pods-in-default-namespace" ], - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "controlID": "C-0061", "baseScore": 3 diff --git a/controls/C-0062-sudoincontainerentrypoint.json b/controls/C-0062-sudoincontainerentrypoint.json index b8346d6d1..66e26ded8 100644 --- a/controls/C-0062-sudoincontainerentrypoint.json +++ b/controls/C-0062-sudoincontainerentrypoint.json @@ -14,12 +14,12 @@ } ] }, - "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "remediation": "Remove sudo from the command line and use Kubernetes native root and capabilities controls to provide necessary privileges where they are required.", "rulesNames": [ "sudo-in-container-entrypoint" ], - "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "test": "Check that there is no 'sudo' in the container entrypoint", "controlID": "C-0062", "baseScore": 5.0, diff --git a/controls/C-0063-portforwardingprivileges.json b/controls/C-0063-portforwardingprivileges.json index 2e37c4ac0..4cecea303 100644 --- a/controls/C-0063-portforwardingprivileges.json +++ b/controls/C-0063-portforwardingprivileges.json @@ -18,7 +18,7 @@ } ] }, - "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with PODs from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", + "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with pods from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", "remediation": "It is recommended to prohibit \u201ckubectl portforward\u201d command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.", "rulesNames": [ "rule-can-portforward", diff --git a/controls/C-0068-pspenabled.json b/controls/C-0068-pspenabled.json index 107e81181..a18fb07ca 100644 --- a/controls/C-0068-pspenabled.json +++ b/controls/C-0068-pspenabled.json @@ -21,7 +21,7 @@ "psp-enabled-cloud", "psp-enabled-native" ], - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0 diff --git a/controls/C-0073-nakedpods.json b/controls/C-0073-nakedpods.json index 4ead9b663..dd804de27 100644 --- a/controls/C-0073-nakedpods.json +++ b/controls/C-0073-nakedpods.json @@ -1,18 +1,18 @@ { - "name": "Naked PODs", + "name": "Naked pods", "attributes": { "armoBuiltin": true, "controlTypeTags": [ "devops" ] }, - "description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "remediation": "Create necessary Deployment object for every POD making any POD a first class citizen in your IaC architecture.", + "description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "remediation": "Create necessary Deployment object for every pod making any pod a first class citizen in your IaC architecture.", "rulesNames": [ "naked-pods" ], - "long_description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "test": "Test if PODs are not associated with Deployment, ReplicaSet etc. If not, fail.", + "long_description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "test": "Test if pods are not associated with Deployment, ReplicaSet etc. If not, fail.", "controlID": "C-0073", "baseScore": 3 } \ No newline at end of file diff --git a/controls/C-0074-containersmountingdockersocket.json b/controls/C-0074-containersmountingdockersocket.json index f0e2ca8ef..c2403c9a2 100644 --- a/controls/C-0074-containersmountingdockersocket.json +++ b/controls/C-0074-containersmountingdockersocket.json @@ -6,12 +6,12 @@ "devops" ] }, - "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "remediation": "Remove docker socket mount request or define an exception.", "rulesNames": [ "containers-mounting-docker-socket" ], - "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "test": "Check hostpath. If the path is set to /var/run/docker.sock or /var/lib/docker , the container has access to Docker internals - fail.", "controlID": "C-0074", "baseScore": 5 diff --git a/controls/C-0075-imagepullpolicyonlatesttag.json b/controls/C-0075-imagepullpolicyonlatesttag.json index d932795ca..93bf78f78 100644 --- a/controls/C-0075-imagepullpolicyonlatesttag.json +++ b/controls/C-0075-imagepullpolicyonlatesttag.json @@ -6,12 +6,12 @@ "devops" ] }, - "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always.", - "remediation": "Set ImagePullPolicy to Always in all PODs found by this control.", + "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always.", + "remediation": "Set ImagePullPolicy to Always in all pods found by this control.", "rulesNames": [ "image-pull-policy-is-not-set-to-always" ], - "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", + "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", "test": "If imagePullPolicy = always pass, else fail.", "controlID": "C-0075", "baseScore": 2 diff --git a/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json b/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json index 1d3865a44..219df376c 100644 --- a/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json +++ b/controls/C-0083-workloadswithcriticalvulnerabilitiesexposedtoexternaltraffic.json @@ -16,7 +16,7 @@ ] }, "description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service is assigned to them.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", "rulesNames": [ "exposed-critical-pods" ], diff --git a/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json b/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json index 716bdb8a0..eff893007 100644 --- a/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json +++ b/controls/C-0084-workloadswithrcevulnerabilitiesexposedtoexternaltraffic.json @@ -16,12 +16,12 @@ } ] }, - "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", "rulesNames": [ "exposed-rce-pods" ], - "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", + "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort service and checks the image vulnerability information for the RCE vulnerability.", "controlID": "C-0084", "baseScore": 8.0, diff --git a/controls/C-0087-cve202223648containerdfsescape.json b/controls/C-0087-cve202223648containerdfsescape.json index 3afc61495..a6ca3a1ca 100644 --- a/controls/C-0087-cve202223648containerdfsescape.json +++ b/controls/C-0087-cve202223648containerdfsescape.json @@ -15,7 +15,7 @@ } ] }, - "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using aspecially-crafted POD configuration yamls", + "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using a specially-crafted Pod configuration", "remediation": "Patch containerd to 1.6.1, 1.5.10, 1.4.12 or above", "rulesNames": [ "CVE-2022-23648" diff --git a/frameworks/__YAMLscan.json b/frameworks/__YAMLscan.json index 7e94493b6..7600e4d51 100644 --- a/frameworks/__YAMLscan.json +++ b/frameworks/__YAMLscan.json @@ -46,7 +46,7 @@ "Sudo in container entrypoint", "Portforwarding privileges", "No impersonation", - "Naked PODs", + "Naked pods", "Containers mounting Docker socket", "Image pull policy on latest tag", "Label usage for resources", diff --git a/frameworks/allcontrols.json b/frameworks/allcontrols.json index d03a34993..3e10e6c61 100644 --- a/frameworks/allcontrols.json +++ b/frameworks/allcontrols.json @@ -296,7 +296,7 @@ { "controlID": "C-0073", "patch": { - "name": "Naked PODs" + "name": "Naked pods" } }, { diff --git a/frameworks/devopsbest.json b/frameworks/devopsbest.json index 5576cb42e..887d891eb 100644 --- a/frameworks/devopsbest.json +++ b/frameworks/devopsbest.json @@ -44,7 +44,7 @@ { "controlID": "C-0073", "patch": { - "name": "Naked PODs" + "name": "Naked pods" } }, { diff --git a/releaseDev/FWName_CID_CName.csv b/releaseDev/FWName_CID_CName.csv index 24d4a1ae4..fc23f63d3 100644 --- a/releaseDev/FWName_CID_CName.csv +++ b/releaseDev/FWName_CID_CName.csv @@ -168,7 +168,7 @@ DevOpsBest,C-0044,Container hostPort DevOpsBest,C-0050,Resources CPU limit and request DevOpsBest,C-0056,Configured liveness probe DevOpsBest,C-0061,Pods in default namespace -DevOpsBest,C-0073,Naked PODs +DevOpsBest,C-0073,Naked pods DevOpsBest,C-0074,Containers mounting Docker socket DevOpsBest,C-0075,Image pull policy on latest tag DevOpsBest,C-0076,Label usage for resources @@ -221,7 +221,7 @@ AllControls,C-0067,Audit logs enabled AllControls,C-0068,PSP enabled AllControls,C-0069,Disable anonymous access to Kubelet service AllControls,C-0070,Enforce Kubelet client TLS authentication -AllControls,C-0073,Naked PODs +AllControls,C-0073,Naked pods AllControls,C-0074,Containers mounting Docker socket AllControls,C-0075,Image pull policy on latest tag AllControls,C-0076,Label usage for resources diff --git a/releaseDev/allcontrols.json b/releaseDev/allcontrols.json index 807ada2c3..7a6583f52 100644 --- a/releaseDev/allcontrols.json +++ b/releaseDev/allcontrols.json @@ -412,7 +412,7 @@ ] }, "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", - "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", @@ -1042,7 +1042,7 @@ ] }, "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.", - "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", + "remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", "long_description": "By default, containers are permitted mostly unrestricted execution within their own context. An attacker who has access to a container, can create files and download scripts as he wishes, and modify the underlying application running on the container. ", "test": "Check whether the readOnlyRootFilesystem field in the SecurityContext is set to true. ", "controlID": "C-0017", @@ -1110,9 +1110,9 @@ "devops" ] }, - "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "remediation": "Ensure Readiness probes are configured wherever possible.", - "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "controlID": "C-0018", "example": "@controls/examples/c018.yaml", "baseScore": 3, @@ -1417,7 +1417,7 @@ "compliance" ] }, - "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a POD in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", + "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a pod in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", "remediation": "Watch Kubernetes CronJobs and make sure they are legitimate.", "long_description": "Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.", "test": "We list all CronJobs that exist in cluster for the user to approve.", @@ -1460,7 +1460,7 @@ "compliance" ] }, - "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.", "remediation": "Define a network policy that restricts ingress and egress connections.", "long_description": "Network policies control traffic flow between Pods, namespaces, and external IP addresses. By default, no network policies are applied to Pods or namespaces, resulting in unrestricted ingress and egress traffic within the Pod network. Pods become isolated through a network policy that applies to the Pod or the Pod\u2019s namespace. Once a Pod is selected in a network policy, it rejects any connections that are not specifically allowed by any applicable policy object.Administrators should use a default policy selecting all Pods to deny all ingress and egress traffic and ensure any unselected Pods are isolated. Additional policies could then relax these restrictions for permissible connections.", "test": "Check for each Pod whether there is an ingress and egress policy defined (whether using Pod or Namespace). ", @@ -1647,8 +1647,8 @@ } ] }, - "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", - "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.", + "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.", "long_description": "We have it in Armo best (Automatic mapping of service account token).", "test": "Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount ", "controlID": "C-0034", @@ -1877,9 +1877,9 @@ } ] }, - "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", - "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "controlID": "C-0038", "baseScore": 7.0, "example": "@controls/examples/c038.yaml", @@ -2009,8 +2009,8 @@ } ] }, - "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", - "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.", + "description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.", + "remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.", "long_description": "We have it in ArmoBest", "test": "", "controlID": "C-0041", @@ -2305,7 +2305,7 @@ "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host and gain persistence.", "remediation": "Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.", "long_description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", - "test": "Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", + "test": "Checking in Pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", "controlID": "C-0045", "baseScore": 8.0, "example": "@controls/examples/c045.yaml", @@ -2389,7 +2389,7 @@ } ] }, - "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).", "remediation": "Remove all insecure capabilities which are not necessary for the container.", "long_description": "Giving insecure and unnecessary capabilities for a container can increase the impact of a container compromise.", "test": "Check capabilities given against a configurable blacklist of insecure capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html). ", @@ -2480,7 +2480,7 @@ } ] }, - "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.", + "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.", "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: test-pd\nspec:\n containers:\n - image: k8s.gcr.io/test-webserver\n name: test-container\n volumeMounts:\n - mountPath: /test-pd\n name: test-volume\n volumes:\n - name: test-volume\n hostPath: # This field triggers failure!\n path: /data\n type: Directory\n", "remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.", "controlID": "C-0048", @@ -2785,8 +2785,8 @@ } ] }, - "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", - "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.", + "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", + "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.", "long_description": "Service account (SA) represents an application identity in Kubernetes. By default, an SA is mounted to every created pod in the cluster. Using the SA, containers in the pod can send requests to the Kubernetes API server. Attackers who get access to a pod can access the SA token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the SA permissions. If RBAC is not enabled, the SA has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings\\\\ClusterRoleBindings that are associated with it.", "test": "Check if RBAC is enabled. If is not, the sa has unlimited permissions.If RBAC enabled, list which workloads have bound service accounts and all the sas permissionsScore-", "controlID": "C-0053", @@ -3086,9 +3086,9 @@ "devops" ] }, - "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "remediation": "Ensure Liveness probes are configured wherever possible.", - "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "controlID": "C-0056", "baseScore": 4, "rules": [ @@ -3168,7 +3168,7 @@ "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: privileged\nspec:\n containers:\n - name: pause\n image: k8s.gcr.io/pause\n securityContext:\n privileged: true # This field triggers failure!\n", "remediation": "Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.", "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in Pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0, "rules": [ @@ -3368,9 +3368,9 @@ "devops" ] }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "controlID": "C-0061", "baseScore": 3, @@ -3444,9 +3444,9 @@ } ] }, - "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "remediation": "Remove sudo from the command line and use Kubernetes native root and capabilities controls to provide necessary privileges where they are required.", - "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "test": "Check that there is no 'sudo' in the container entrypoint", "controlID": "C-0062", "baseScore": 5.0, @@ -3525,7 +3525,7 @@ } ] }, - "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with PODs from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", + "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with pods from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", "remediation": "It is recommended to prohibit \u201ckubectl portforward\u201d command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.", "long_description": "Attackers who have relevant RBAC permissions, can run open a backdoor communication channel directly to the sockets inside target container using exec command \u201ckubectl portforward\u201d command. Using this method, attackers can bypass network security restrictions and communicate directly with software in the containers.", "test": "Check which subjects have RBAC permissions to portforward into pods\u2013 if they have the \u201cpods/portforward\u201d resource.", @@ -3892,7 +3892,7 @@ }, "description": "PSP enable fine-grained authorization of pod creation and it is important to enable it", "remediation": "Turn Pod Security Policies on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans", - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, @@ -4090,17 +4090,17 @@ ] }, { - "name": "Naked PODs", + "name": "Naked pods", "attributes": { "armoBuiltin": true, "controlTypeTags": [ "devops" ] }, - "description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "remediation": "Create necessary Deployment object for every POD making any POD a first class citizen in your IaC architecture.", - "long_description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "test": "Test if PODs are not associated with Deployment, ReplicaSet etc. If not, fail.", + "description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "remediation": "Create necessary Deployment object for every pod making any pod a first class citizen in your IaC architecture.", + "long_description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "test": "Test if pods are not associated with Deployment, ReplicaSet etc. If not, fail.", "controlID": "C-0073", "baseScore": 3, "rules": [ @@ -4139,9 +4139,9 @@ "devops" ] }, - "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "remediation": "Remove docker socket mount request or define an exception.", - "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "test": "Check hostpath. If the path is set to /var/run/docker.sock or /var/lib/docker , the container has access to Docker internals - fail.", "controlID": "C-0074", "baseScore": 5, @@ -4207,9 +4207,9 @@ "devops" ] }, - "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always.", - "remediation": "Set ImagePullPolicy to Always in all PODs found by this control.", - "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", + "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always.", + "remediation": "Set ImagePullPolicy to Always in all pods found by this control.", + "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", "test": "If imagePullPolicy = always pass, else fail.", "controlID": "C-0075", "baseScore": 2, @@ -4634,7 +4634,7 @@ ] }, "description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service is assigned to them.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", "long_description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service assigned to them.", "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort services and checks image vulnerability information to see if the image has critical vulnerabilities.", "controlID": "C-0083", @@ -4703,9 +4703,9 @@ } ] }, - "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", - "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", + "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort service and checks the image vulnerability information for the RCE vulnerability.", "controlID": "C-0084", "baseScore": 8.0, @@ -4943,7 +4943,7 @@ } ] }, - "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using aspecially-crafted POD configuration yamls", + "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using a specially-crafted Pod configuration", "remediation": "Patch containerd to 1.6.1, 1.5.10, 1.4.12 or above", "long_description": "Containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.4.12 where containers launched through containerd\u2019s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. This bug was fixed in containerd versions 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.", "test": "Checking containerd version to see if it is a vulnerable version (where the container runtime is containerd)", diff --git a/releaseDev/armobest.json b/releaseDev/armobest.json index 07de5302c..47b55dbb9 100644 --- a/releaseDev/armobest.json +++ b/releaseDev/armobest.json @@ -243,7 +243,7 @@ ] }, "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", - "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", @@ -642,7 +642,7 @@ ] }, "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.", - "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", + "remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", "long_description": "By default, containers are permitted mostly unrestricted execution within their own context. An attacker who has access to a container, can create files and download scripts as he wishes, and modify the underlying application running on the container. ", "test": "Check whether the readOnlyRootFilesystem field in the SecurityContext is set to true. ", "controlID": "C-0017", @@ -710,7 +710,7 @@ "compliance" ] }, - "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.", "remediation": "Define a network policy that restricts ingress and egress connections.", "long_description": "Network policies control traffic flow between Pods, namespaces, and external IP addresses. By default, no network policies are applied to Pods or namespaces, resulting in unrestricted ingress and egress traffic within the Pod network. Pods become isolated through a network policy that applies to the Pod or the Pod\u2019s namespace. Once a Pod is selected in a network policy, it rejects any connections that are not specifically allowed by any applicable policy object.Administrators should use a default policy selecting all Pods to deny all ingress and egress traffic and ensure any unselected Pods are isolated. Additional policies could then relax these restrictions for permissible connections.", "test": "Check for each Pod whether there is an ingress and egress policy defined (whether using Pod or Namespace). ", @@ -800,8 +800,8 @@ } ] }, - "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", - "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.", + "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.", "long_description": "We have it in Armo best (Automatic mapping of service account token).", "test": "Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount ", "controlID": "C-0034", @@ -976,9 +976,9 @@ } ] }, - "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", - "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "controlID": "C-0038", "baseScore": 7.0, "example": "@controls/examples/c038.yaml", @@ -1055,8 +1055,8 @@ } ] }, - "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", - "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.", + "description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.", + "remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.", "long_description": "We have it in ArmoBest", "test": "", "controlID": "C-0041", @@ -1213,7 +1213,7 @@ } ] }, - "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).", "remediation": "Remove all insecure capabilities which are not necessary for the container.", "long_description": "Giving insecure and unnecessary capabilities for a container can increase the impact of a container compromise.", "test": "Check capabilities given against a configurable blacklist of insecure capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html). ", @@ -1520,7 +1520,7 @@ "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: privileged\nspec:\n containers:\n - name: pause\n image: k8s.gcr.io/pause\n securityContext:\n privileged: true # This field triggers failure!\n", "remediation": "Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.", "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in Pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0, "rules": [ @@ -1720,9 +1720,9 @@ "devops" ] }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "controlID": "C-0061", "baseScore": 3, @@ -1796,9 +1796,9 @@ } ] }, - "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "remediation": "Remove sudo from the command line and use Kubernetes native root and capabilities controls to provide necessary privileges where they are required.", - "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "test": "Check that there is no 'sudo' in the container entrypoint", "controlID": "C-0062", "baseScore": 5.0, @@ -1877,7 +1877,7 @@ } ] }, - "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with PODs from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", + "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with pods from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", "remediation": "It is recommended to prohibit \u201ckubectl portforward\u201d command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.", "long_description": "Attackers who have relevant RBAC permissions, can run open a backdoor communication channel directly to the sockets inside target container using exec command \u201ckubectl portforward\u201d command. Using this method, attackers can bypass network security restrictions and communicate directly with software in the containers.", "test": "Check which subjects have RBAC permissions to portforward into pods\u2013 if they have the \u201cpods/portforward\u201d resource.", @@ -2244,7 +2244,7 @@ }, "description": "PSP enable fine-grained authorization of pod creation and it is important to enable it", "remediation": "Turn Pod Security Policies on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans", - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, @@ -2670,7 +2670,7 @@ ] }, "description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service is assigned to them.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", "long_description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service assigned to them.", "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort services and checks image vulnerability information to see if the image has critical vulnerabilities.", "controlID": "C-0083", @@ -2739,9 +2739,9 @@ } ] }, - "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", - "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", + "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort service and checks the image vulnerability information for the RCE vulnerability.", "controlID": "C-0084", "baseScore": 8.0, @@ -2979,7 +2979,7 @@ } ] }, - "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using aspecially-crafted POD configuration yamls", + "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using a specially-crafted Pod configuration", "remediation": "Patch containerd to 1.6.1, 1.5.10, 1.4.12 or above", "long_description": "Containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.4.12 where containers launched through containerd\u2019s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. This bug was fixed in containerd versions 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.", "test": "Checking containerd version to see if it is a vulnerable version (where the container runtime is containerd)", diff --git a/releaseDev/controls.json b/releaseDev/controls.json index 750797b46..2b97028f5 100644 --- a/releaseDev/controls.json +++ b/releaseDev/controls.json @@ -164,12 +164,12 @@ } ] }, - "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", "rulesNames": [ "exposed-rce-pods" ], - "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", + "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort service and checks the image vulnerability information for the RCE vulnerability.", "controlID": "C-0084", "baseScore": 8.0, @@ -193,7 +193,7 @@ ] }, "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", - "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", "rulesNames": [ "resource-policies" ], @@ -286,7 +286,7 @@ "compliance" ] }, - "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.", "remediation": "Define a network policy that restricts ingress and egress connections.", "rulesNames": [ "ingress-and-egress-blocked" @@ -306,12 +306,12 @@ "devops" ] }, - "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "remediation": "Remove docker socket mount request or define an exception.", "rulesNames": [ "containers-mounting-docker-socket" ], - "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "test": "Check hostpath. If the path is set to /var/run/docker.sock or /var/lib/docker , the container has access to Docker internals - fail.", "controlID": "C-0074", "baseScore": 5, @@ -655,7 +655,7 @@ "psp-enabled-cloud", "psp-enabled-native" ], - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, @@ -702,8 +702,8 @@ } ] }, - "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", - "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.", + "description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.", + "remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.", "rulesNames": [ "host-network-access" ], @@ -881,12 +881,12 @@ } ] }, - "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "remediation": "Remove sudo from the command line and use Kubernetes native root and capabilities controls to provide necessary privileges where they are required.", "rulesNames": [ "sudo-in-container-entrypoint" ], - "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "test": "Check that there is no 'sudo' in the container entrypoint", "controlID": "C-0062", "baseScore": 5.0, @@ -1121,7 +1121,7 @@ } ] }, - "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with PODs from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", + "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with pods from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", "remediation": "It is recommended to prohibit \u201ckubectl portforward\u201d command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.", "rulesNames": [ "rule-can-portforward", @@ -1383,7 +1383,7 @@ "alert-rw-hostpath" ], "long_description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", - "test": "Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", + "test": "Checking in Pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", "controlID": "C-0045", "baseScore": 8.0, "example": "@controls/examples/c045.yaml", @@ -1568,7 +1568,7 @@ } ] }, - "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.", + "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.", "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: test-pd\nspec:\n containers:\n - image: k8s.gcr.io/test-webserver\n name: test-container\n volumeMounts:\n - mountPath: /test-pd\n name: test-volume\n volumes:\n - name: test-volume\n hostPath: # This field triggers failure!\n path: /data\n type: Directory\n", "remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.", "rulesNames": [ @@ -1617,7 +1617,7 @@ } ] }, - "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).", "remediation": "Remove all insecure capabilities which are not necessary for the container.", "rulesNames": [ "insecure-capabilities" @@ -1739,12 +1739,12 @@ "devops" ] }, - "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "remediation": "Ensure Liveness probes are configured wherever possible.", "rulesNames": [ "configured-liveness-probe" ], - "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "controlID": "C-0056", "baseScore": 4, "rules": [] @@ -1788,7 +1788,7 @@ ] }, "description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service is assigned to them.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", "rulesNames": [ "exposed-critical-pods" ], @@ -2077,8 +2077,8 @@ } ] }, - "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", - "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.", + "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.", "rulesNames": [ "automount-service-account" ], @@ -2286,20 +2286,20 @@ "rules": [] }, { - "name": "Naked PODs", + "name": "Naked pods", "attributes": { "armoBuiltin": true, "controlTypeTags": [ "devops" ] }, - "description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "remediation": "Create necessary Deployment object for every POD making any POD a first class citizen in your IaC architecture.", + "description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "remediation": "Create necessary Deployment object for every pod making any pod a first class citizen in your IaC architecture.", "rulesNames": [ "naked-pods" ], - "long_description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "test": "Test if PODs are not associated with Deployment, ReplicaSet etc. If not, fail.", + "long_description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "test": "Test if pods are not associated with Deployment, ReplicaSet etc. If not, fail.", "controlID": "C-0073", "baseScore": 3, "rules": [] @@ -2698,12 +2698,12 @@ "devops" ] }, - "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always.", - "remediation": "Set ImagePullPolicy to Always in all PODs found by this control.", + "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always.", + "remediation": "Set ImagePullPolicy to Always in all pods found by this control.", "rulesNames": [ "image-pull-policy-is-not-set-to-always" ], - "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", + "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", "test": "If imagePullPolicy = always pass, else fail.", "controlID": "C-0075", "baseScore": 2, @@ -2902,7 +2902,7 @@ "compliance" ] }, - "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a POD in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", + "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a pod in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", "remediation": "Watch Kubernetes CronJobs and make sure they are legitimate.", "rulesNames": [ "rule-deny-cronjobs" @@ -3181,7 +3181,7 @@ "rule-privilege-escalation" ], "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in Pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0, "rules": [] @@ -3491,7 +3491,7 @@ } ] }, - "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using aspecially-crafted POD configuration yamls", + "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using a specially-crafted Pod configuration", "remediation": "Patch containerd to 1.6.1, 1.5.10, 1.4.12 or above", "rulesNames": [ "CVE-2022-23648" @@ -3685,7 +3685,7 @@ ] }, "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.", - "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", + "remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", "rulesNames": [ "immutable-container-filesystem" ], @@ -3924,12 +3924,12 @@ "devops" ] }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", "rulesNames": [ "pods-in-default-namespace" ], - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "controlID": "C-0061", "baseScore": 3, @@ -4053,12 +4053,12 @@ "devops" ] }, - "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "remediation": "Ensure Readiness probes are configured wherever possible.", "rulesNames": [ "configured-readiness-probe" ], - "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "controlID": "C-0018", "example": "@controls/examples/c018.yaml", "baseScore": 3, @@ -4408,8 +4408,8 @@ } ] }, - "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", - "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.", + "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", + "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.", "rulesNames": [ "access-container-service-account", "access-container-service-account-v1" @@ -4500,12 +4500,12 @@ } ] }, - "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", "rulesNames": [ "host-pid-ipc-privileges" ], - "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "controlID": "C-0038", "baseScore": 7.0, "example": "@controls/examples/c038.yaml", diff --git a/releaseDev/devopsbest.json b/releaseDev/devopsbest.json index 285ef4a1d..28546ba04 100644 --- a/releaseDev/devopsbest.json +++ b/releaseDev/devopsbest.json @@ -99,9 +99,9 @@ "devops" ] }, - "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "remediation": "Ensure Readiness probes are configured wherever possible.", - "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "controlID": "C-0018", "example": "@controls/examples/c018.yaml", "baseScore": 3, @@ -342,9 +342,9 @@ "devops" ] }, - "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "remediation": "Ensure Liveness probes are configured wherever possible.", - "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "controlID": "C-0056", "baseScore": 4, "rules": [ @@ -410,9 +410,9 @@ "devops" ] }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "controlID": "C-0061", "baseScore": 3, @@ -471,17 +471,17 @@ ] }, { - "name": "Naked PODs", + "name": "Naked pods", "attributes": { "armoBuiltin": true, "controlTypeTags": [ "devops" ] }, - "description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "remediation": "Create necessary Deployment object for every POD making any POD a first class citizen in your IaC architecture.", - "long_description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "test": "Test if PODs are not associated with Deployment, ReplicaSet etc. If not, fail.", + "description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "remediation": "Create necessary Deployment object for every pod making any pod a first class citizen in your IaC architecture.", + "long_description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "test": "Test if pods are not associated with Deployment, ReplicaSet etc. If not, fail.", "controlID": "C-0073", "baseScore": 3, "rules": [ @@ -520,9 +520,9 @@ "devops" ] }, - "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "remediation": "Remove docker socket mount request or define an exception.", - "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "test": "Check hostpath. If the path is set to /var/run/docker.sock or /var/lib/docker , the container has access to Docker internals - fail.", "controlID": "C-0074", "baseScore": 5, @@ -588,9 +588,9 @@ "devops" ] }, - "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always.", - "remediation": "Set ImagePullPolicy to Always in all PODs found by this control.", - "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", + "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always.", + "remediation": "Set ImagePullPolicy to Always in all pods found by this control.", + "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", "test": "If imagePullPolicy = always pass, else fail.", "controlID": "C-0075", "baseScore": 2, diff --git a/releaseDev/frameworks.json b/releaseDev/frameworks.json index 42a2ed37e..ea54d68e1 100644 --- a/releaseDev/frameworks.json +++ b/releaseDev/frameworks.json @@ -101,7 +101,7 @@ ] }, "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", - "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", @@ -216,7 +216,7 @@ ] }, "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.", - "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", + "remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", "long_description": "By default, containers are permitted mostly unrestricted execution within their own context. An attacker who has access to a container, can create files and download scripts as he wishes, and modify the underlying application running on the container. ", "test": "Check whether the readOnlyRootFilesystem field in the SecurityContext is set to true. ", "controlID": "C-0017", @@ -232,7 +232,7 @@ "compliance" ] }, - "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.", "remediation": "Define a network policy that restricts ingress and egress connections.", "long_description": "Network policies control traffic flow between Pods, namespaces, and external IP addresses. By default, no network policies are applied to Pods or namespaces, resulting in unrestricted ingress and egress traffic within the Pod network. Pods become isolated through a network policy that applies to the Pod or the Pod\u2019s namespace. Once a Pod is selected in a network policy, it rejects any connections that are not specifically allowed by any applicable policy object.Administrators should use a default policy selecting all Pods to deny all ingress and egress traffic and ensure any unselected Pods are isolated. Additional policies could then relax these restrictions for permissible connections.", "test": "Check for each Pod whether there is an ingress and egress policy defined (whether using Pod or Namespace). ", @@ -259,8 +259,8 @@ } ] }, - "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", - "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.", + "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.", "long_description": "We have it in Armo best (Automatic mapping of service account token).", "test": "Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount ", "controlID": "C-0034", @@ -315,9 +315,9 @@ } ] }, - "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", - "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "controlID": "C-0038", "baseScore": 7.0, "example": "@controls/examples/c038.yaml", @@ -342,8 +342,8 @@ } ] }, - "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", - "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.", + "description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.", + "remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.", "long_description": "We have it in ArmoBest", "test": "", "controlID": "C-0041", @@ -396,7 +396,7 @@ } ] }, - "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).", "remediation": "Remove all insecure capabilities which are not necessary for the container.", "long_description": "Giving insecure and unnecessary capabilities for a container can increase the impact of a container compromise.", "test": "Check capabilities given against a configurable blacklist of insecure capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html). ", @@ -511,7 +511,7 @@ "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: privileged\nspec:\n containers:\n - name: pause\n image: k8s.gcr.io/pause\n securityContext:\n privileged: true # This field triggers failure!\n", "remediation": "Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.", "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in Pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0, "rules": [] @@ -574,9 +574,9 @@ "devops" ] }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "controlID": "C-0061", "baseScore": 3, @@ -598,9 +598,9 @@ } ] }, - "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "remediation": "Remove sudo from the command line and use Kubernetes native root and capabilities controls to provide necessary privileges where they are required.", - "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "test": "Check that there is no 'sudo' in the container entrypoint", "controlID": "C-0062", "baseScore": 5.0, @@ -627,7 +627,7 @@ } ] }, - "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with PODs from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", + "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with pods from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", "remediation": "It is recommended to prohibit \u201ckubectl portforward\u201d command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.", "long_description": "Attackers who have relevant RBAC permissions, can run open a backdoor communication channel directly to the sockets inside target container using exec command \u201ckubectl portforward\u201d command. Using this method, attackers can bypass network security restrictions and communicate directly with software in the containers.", "test": "Check which subjects have RBAC permissions to portforward into pods\u2013 if they have the \u201cpods/portforward\u201d resource.", @@ -732,7 +732,7 @@ }, "description": "PSP enable fine-grained authorization of pod creation and it is important to enable it", "remediation": "Turn Pod Security Policies on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans", - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, @@ -887,7 +887,7 @@ ] }, "description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service is assigned to them.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", "long_description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service assigned to them.", "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort services and checks image vulnerability information to see if the image has critical vulnerabilities.", "controlID": "C-0083", @@ -913,9 +913,9 @@ } ] }, - "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", - "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", + "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort service and checks the image vulnerability information for the RCE vulnerability.", "controlID": "C-0084", "baseScore": 8.0, @@ -993,7 +993,7 @@ } ] }, - "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using aspecially-crafted POD configuration yamls", + "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using a specially-crafted Pod configuration", "remediation": "Patch containerd to 1.6.1, 1.5.10, 1.4.12 or above", "long_description": "Containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.4.12 where containers launched through containerd\u2019s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. This bug was fixed in containerd versions 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.", "test": "Checking containerd version to see if it is a vulnerable version (where the container runtime is containerd)", @@ -3717,9 +3717,9 @@ "devops" ] }, - "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "remediation": "Ensure Readiness probes are configured wherever possible.", - "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "controlID": "C-0018", "example": "@controls/examples/c018.yaml", "baseScore": 3, @@ -3776,9 +3776,9 @@ "devops" ] }, - "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "remediation": "Ensure Liveness probes are configured wherever possible.", - "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "controlID": "C-0056", "baseScore": 4, "rules": [] @@ -3792,26 +3792,26 @@ "devops" ] }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "controlID": "C-0061", "baseScore": 3, "rules": [] }, { - "name": "Naked PODs", + "name": "Naked pods", "attributes": { "armoBuiltin": true, "controlTypeTags": [ "devops" ] }, - "description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "remediation": "Create necessary Deployment object for every POD making any POD a first class citizen in your IaC architecture.", - "long_description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "test": "Test if PODs are not associated with Deployment, ReplicaSet etc. If not, fail.", + "description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "remediation": "Create necessary Deployment object for every pod making any pod a first class citizen in your IaC architecture.", + "long_description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "test": "Test if pods are not associated with Deployment, ReplicaSet etc. If not, fail.", "controlID": "C-0073", "baseScore": 3, "rules": [] @@ -3824,9 +3824,9 @@ "devops" ] }, - "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "remediation": "Remove docker socket mount request or define an exception.", - "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "test": "Check hostpath. If the path is set to /var/run/docker.sock or /var/lib/docker , the container has access to Docker internals - fail.", "controlID": "C-0074", "baseScore": 5, @@ -3840,9 +3840,9 @@ "devops" ] }, - "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always.", - "remediation": "Set ImagePullPolicy to Always in all PODs found by this control.", - "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", + "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always.", + "remediation": "Set ImagePullPolicy to Always in all pods found by this control.", + "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", "test": "If imagePullPolicy = always pass, else fail.", "controlID": "C-0075", "baseScore": 2, @@ -4045,7 +4045,7 @@ ] }, "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", - "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", @@ -4211,7 +4211,7 @@ ] }, "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.", - "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", + "remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", "long_description": "By default, containers are permitted mostly unrestricted execution within their own context. An attacker who has access to a container, can create files and download scripts as he wishes, and modify the underlying application running on the container. ", "test": "Check whether the readOnlyRootFilesystem field in the SecurityContext is set to true. ", "controlID": "C-0017", @@ -4227,9 +4227,9 @@ "devops" ] }, - "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "remediation": "Ensure Readiness probes are configured wherever possible.", - "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "controlID": "C-0018", "example": "@controls/examples/c018.yaml", "baseScore": 3, @@ -4286,7 +4286,7 @@ "compliance" ] }, - "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a POD in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", + "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a pod in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", "remediation": "Watch Kubernetes CronJobs and make sure they are legitimate.", "long_description": "Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.", "test": "We list all CronJobs that exist in cluster for the user to approve.", @@ -4302,7 +4302,7 @@ "compliance" ] }, - "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.", "remediation": "Define a network policy that restricts ingress and egress connections.", "long_description": "Network policies control traffic flow between Pods, namespaces, and external IP addresses. By default, no network policies are applied to Pods or namespaces, resulting in unrestricted ingress and egress traffic within the Pod network. Pods become isolated through a network policy that applies to the Pod or the Pod\u2019s namespace. Once a Pod is selected in a network policy, it rejects any connections that are not specifically allowed by any applicable policy object.Administrators should use a default policy selecting all Pods to deny all ingress and egress traffic and ensure any unselected Pods are isolated. Additional policies could then relax these restrictions for permissible connections.", "test": "Check for each Pod whether there is an ingress and egress policy defined (whether using Pod or Namespace). ", @@ -4359,8 +4359,8 @@ } ] }, - "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", - "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.", + "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.", "long_description": "We have it in Armo best (Automatic mapping of service account token).", "test": "Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount ", "controlID": "C-0034", @@ -4442,9 +4442,9 @@ } ] }, - "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", - "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "controlID": "C-0038", "baseScore": 7.0, "example": "@controls/examples/c038.yaml", @@ -4495,8 +4495,8 @@ } ] }, - "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", - "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.", + "description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.", + "remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.", "long_description": "We have it in ArmoBest", "test": "", "controlID": "C-0041", @@ -4577,7 +4577,7 @@ "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host and gain persistence.", "remediation": "Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.", "long_description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", - "test": "Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", + "test": "Checking in Pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", "controlID": "C-0045", "baseScore": 8.0, "example": "@controls/examples/c045.yaml", @@ -4601,7 +4601,7 @@ } ] }, - "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).", "remediation": "Remove all insecure capabilities which are not necessary for the container.", "long_description": "Giving insecure and unnecessary capabilities for a container can increase the impact of a container compromise.", "test": "Check capabilities given against a configurable blacklist of insecure capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html). ", @@ -4630,7 +4630,7 @@ } ] }, - "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.", + "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.", "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: test-pd\nspec:\n containers:\n - image: k8s.gcr.io/test-webserver\n name: test-container\n volumeMounts:\n - mountPath: /test-pd\n name: test-volume\n volumes:\n - name: test-volume\n hostPath: # This field triggers failure!\n path: /data\n type: Directory\n", "remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.", "controlID": "C-0048", @@ -4734,8 +4734,8 @@ } ] }, - "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", - "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.", + "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", + "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.", "long_description": "Service account (SA) represents an application identity in Kubernetes. By default, an SA is mounted to every created pod in the cluster. Using the SA, containers in the pod can send requests to the Kubernetes API server. Attackers who get access to a pod can access the SA token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the SA permissions. If RBAC is not enabled, the SA has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings\\\\ClusterRoleBindings that are associated with it.", "test": "Check if RBAC is enabled. If is not, the sa has unlimited permissions.If RBAC enabled, list which workloads have bound service accounts and all the sas permissionsScore-", "controlID": "C-0053", @@ -4804,9 +4804,9 @@ "devops" ] }, - "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "remediation": "Ensure Liveness probes are configured wherever possible.", - "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "controlID": "C-0056", "baseScore": 4, "rules": [] @@ -4834,7 +4834,7 @@ "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: privileged\nspec:\n containers:\n - name: pause\n image: k8s.gcr.io/pause\n securityContext:\n privileged: true # This field triggers failure!\n", "remediation": "Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.", "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in Pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0, "rules": [] @@ -4897,9 +4897,9 @@ "devops" ] }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "controlID": "C-0061", "baseScore": 3, @@ -4921,9 +4921,9 @@ } ] }, - "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "remediation": "Remove sudo from the command line and use Kubernetes native root and capabilities controls to provide necessary privileges where they are required.", - "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "test": "Check that there is no 'sudo' in the container entrypoint", "controlID": "C-0062", "baseScore": 5.0, @@ -4950,7 +4950,7 @@ } ] }, - "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with PODs from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", + "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with pods from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", "remediation": "It is recommended to prohibit \u201ckubectl portforward\u201d command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.", "long_description": "Attackers who have relevant RBAC permissions, can run open a backdoor communication channel directly to the sockets inside target container using exec command \u201ckubectl portforward\u201d command. Using this method, attackers can bypass network security restrictions and communicate directly with software in the containers.", "test": "Check which subjects have RBAC permissions to portforward into pods\u2013 if they have the \u201cpods/portforward\u201d resource.", @@ -5055,7 +5055,7 @@ }, "description": "PSP enable fine-grained authorization of pod creation and it is important to enable it", "remediation": "Turn Pod Security Policies on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans", - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, @@ -5112,17 +5112,17 @@ "rules": [] }, { - "name": "Naked PODs", + "name": "Naked pods", "attributes": { "armoBuiltin": true, "controlTypeTags": [ "devops" ] }, - "description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "remediation": "Create necessary Deployment object for every POD making any POD a first class citizen in your IaC architecture.", - "long_description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "test": "Test if PODs are not associated with Deployment, ReplicaSet etc. If not, fail.", + "description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "remediation": "Create necessary Deployment object for every pod making any pod a first class citizen in your IaC architecture.", + "long_description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "test": "Test if pods are not associated with Deployment, ReplicaSet etc. If not, fail.", "controlID": "C-0073", "baseScore": 3, "rules": [] @@ -5135,9 +5135,9 @@ "devops" ] }, - "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "remediation": "Remove docker socket mount request or define an exception.", - "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "test": "Check hostpath. If the path is set to /var/run/docker.sock or /var/lib/docker , the container has access to Docker internals - fail.", "controlID": "C-0074", "baseScore": 5, @@ -5151,9 +5151,9 @@ "devops" ] }, - "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always.", - "remediation": "Set ImagePullPolicy to Always in all PODs found by this control.", - "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", + "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always.", + "remediation": "Set ImagePullPolicy to Always in all pods found by this control.", + "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", "test": "If imagePullPolicy = always pass, else fail.", "controlID": "C-0075", "baseScore": 2, @@ -5292,7 +5292,7 @@ ] }, "description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service is assigned to them.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", "long_description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service assigned to them.", "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort services and checks image vulnerability information to see if the image has critical vulnerabilities.", "controlID": "C-0083", @@ -5318,9 +5318,9 @@ } ] }, - "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", - "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", + "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort service and checks the image vulnerability information for the RCE vulnerability.", "controlID": "C-0084", "baseScore": 8.0, @@ -5398,7 +5398,7 @@ } ] }, - "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using aspecially-crafted POD configuration yamls", + "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using a specially-crafted Pod configuration", "remediation": "Patch containerd to 1.6.1, 1.5.10, 1.4.12 or above", "long_description": "Containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.4.12 where containers launched through containerd\u2019s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. This bug was fixed in containerd versions 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue.", "test": "Checking containerd version to see if it is a vulnerable version (where the container runtime is containerd)", @@ -5743,7 +5743,7 @@ "compliance" ] }, - "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a POD in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", + "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a pod in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", "remediation": "Watch Kubernetes CronJobs and make sure they are legitimate.", "long_description": "Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.", "test": "We list all CronJobs that exist in cluster for the user to approve.", @@ -5937,7 +5937,7 @@ "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host and gain persistence.", "remediation": "Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.", "long_description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", - "test": "Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", + "test": "Checking in Pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", "controlID": "C-0045", "baseScore": 8.0, "example": "@controls/examples/c045.yaml", @@ -5963,7 +5963,7 @@ } ] }, - "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.", + "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.", "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: test-pd\nspec:\n containers:\n - image: k8s.gcr.io/test-webserver\n name: test-container\n volumeMounts:\n - mountPath: /test-pd\n name: test-volume\n volumes:\n - name: test-volume\n hostPath: # This field triggers failure!\n path: /data\n type: Directory\n", "remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.", "controlID": "C-0048", @@ -6022,8 +6022,8 @@ } ] }, - "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", - "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.", + "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", + "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.", "long_description": "Service account (SA) represents an application identity in Kubernetes. By default, an SA is mounted to every created pod in the cluster. Using the SA, containers in the pod can send requests to the Kubernetes API server. Attackers who get access to a pod can access the SA token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the SA permissions. If RBAC is not enabled, the SA has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings\\\\ClusterRoleBindings that are associated with it.", "test": "Check if RBAC is enabled. If is not, the sa has unlimited permissions.If RBAC enabled, list which workloads have bound service accounts and all the sas permissionsScore-", "controlID": "C-0053", @@ -6082,7 +6082,7 @@ "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: privileged\nspec:\n containers:\n - name: pause\n image: k8s.gcr.io/pause\n securityContext:\n privileged: true # This field triggers failure!\n", "remediation": "Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.", "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in Pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0, "rules": [] @@ -6205,7 +6205,7 @@ }, "description": "PSP enable fine-grained authorization of pod creation and it is important to enable it", "remediation": "Turn Pod Security Policies on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans", - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, @@ -6364,7 +6364,7 @@ ] }, "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", - "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", @@ -6479,7 +6479,7 @@ ] }, "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.", - "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", + "remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", "long_description": "By default, containers are permitted mostly unrestricted execution within their own context. An attacker who has access to a container, can create files and download scripts as he wishes, and modify the underlying application running on the container. ", "test": "Check whether the readOnlyRootFilesystem field in the SecurityContext is set to true. ", "controlID": "C-0017", @@ -6495,7 +6495,7 @@ "compliance" ] }, - "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.", "remediation": "Define a network policy that restricts ingress and egress connections.", "long_description": "Network policies control traffic flow between Pods, namespaces, and external IP addresses. By default, no network policies are applied to Pods or namespaces, resulting in unrestricted ingress and egress traffic within the Pod network. Pods become isolated through a network policy that applies to the Pod or the Pod\u2019s namespace. Once a Pod is selected in a network policy, it rejects any connections that are not specifically allowed by any applicable policy object.Administrators should use a default policy selecting all Pods to deny all ingress and egress traffic and ensure any unselected Pods are isolated. Additional policies could then relax these restrictions for permissible connections.", "test": "Check for each Pod whether there is an ingress and egress policy defined (whether using Pod or Namespace). ", @@ -6522,8 +6522,8 @@ } ] }, - "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", - "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.", + "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.", "long_description": "We have it in Armo best (Automatic mapping of service account token).", "test": "Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount ", "controlID": "C-0034", @@ -6578,9 +6578,9 @@ } ] }, - "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", - "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "controlID": "C-0038", "baseScore": 7.0, "example": "@controls/examples/c038.yaml", @@ -6605,8 +6605,8 @@ } ] }, - "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", - "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.", + "description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.", + "remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.", "long_description": "We have it in ArmoBest", "test": "", "controlID": "C-0041", @@ -6659,7 +6659,7 @@ } ] }, - "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).", "remediation": "Remove all insecure capabilities which are not necessary for the container.", "long_description": "Giving insecure and unnecessary capabilities for a container can increase the impact of a container compromise.", "test": "Check capabilities given against a configurable blacklist of insecure capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html). ", @@ -6745,7 +6745,7 @@ "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: privileged\nspec:\n containers:\n - name: pause\n image: k8s.gcr.io/pause\n securityContext:\n privileged: true # This field triggers failure!\n", "remediation": "Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.", "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in Pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0, "rules": [] @@ -6868,7 +6868,7 @@ }, "description": "PSP enable fine-grained authorization of pod creation and it is important to enable it", "remediation": "Turn Pod Security Policies on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans", - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, diff --git a/releaseDev/mitre.json b/releaseDev/mitre.json index e6020b3fb..5e5eedcf2 100644 --- a/releaseDev/mitre.json +++ b/releaseDev/mitre.json @@ -811,7 +811,7 @@ "compliance" ] }, - "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a POD in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", + "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a pod in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", "remediation": "Watch Kubernetes CronJobs and make sure they are legitimate.", "long_description": "Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.", "test": "We list all CronJobs that exist in cluster for the user to approve.", @@ -1398,7 +1398,7 @@ "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host and gain persistence.", "remediation": "Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.", "long_description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", - "test": "Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", + "test": "Checking in Pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", "controlID": "C-0045", "baseScore": 8.0, "example": "@controls/examples/c045.yaml", @@ -1484,7 +1484,7 @@ } ] }, - "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.", + "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.", "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: test-pd\nspec:\n containers:\n - image: k8s.gcr.io/test-webserver\n name: test-container\n volumeMounts:\n - mountPath: /test-pd\n name: test-volume\n volumes:\n - name: test-volume\n hostPath: # This field triggers failure!\n path: /data\n type: Directory\n", "remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.", "controlID": "C-0048", @@ -1625,8 +1625,8 @@ } ] }, - "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", - "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.", + "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", + "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.", "long_description": "Service account (SA) represents an application identity in Kubernetes. By default, an SA is mounted to every created pod in the cluster. Using the SA, containers in the pod can send requests to the Kubernetes API server. Attackers who get access to a pod can access the SA token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the SA permissions. If RBAC is not enabled, the SA has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings\\\\ClusterRoleBindings that are associated with it.", "test": "Check if RBAC is enabled. If is not, the sa has unlimited permissions.If RBAC enabled, list which workloads have bound service accounts and all the sas permissionsScore-", "controlID": "C-0053", @@ -1864,7 +1864,7 @@ "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: privileged\nspec:\n containers:\n - name: pause\n image: k8s.gcr.io/pause\n securityContext:\n privileged: true # This field triggers failure!\n", "remediation": "Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.", "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in Pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0, "rules": [ @@ -2254,7 +2254,7 @@ }, "description": "PSP enable fine-grained authorization of pod creation and it is important to enable it", "remediation": "Turn Pod Security Policies on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans", - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, diff --git a/releaseDev/nsa.json b/releaseDev/nsa.json index df60d9424..74ae69297 100644 --- a/releaseDev/nsa.json +++ b/releaseDev/nsa.json @@ -164,7 +164,7 @@ ] }, "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", - "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", @@ -563,7 +563,7 @@ ] }, "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.", - "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", + "remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", "long_description": "By default, containers are permitted mostly unrestricted execution within their own context. An attacker who has access to a container, can create files and download scripts as he wishes, and modify the underlying application running on the container. ", "test": "Check whether the readOnlyRootFilesystem field in the SecurityContext is set to true. ", "controlID": "C-0017", @@ -631,7 +631,7 @@ "compliance" ] }, - "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.", "remediation": "Define a network policy that restricts ingress and egress connections.", "long_description": "Network policies control traffic flow between Pods, namespaces, and external IP addresses. By default, no network policies are applied to Pods or namespaces, resulting in unrestricted ingress and egress traffic within the Pod network. Pods become isolated through a network policy that applies to the Pod or the Pod\u2019s namespace. Once a Pod is selected in a network policy, it rejects any connections that are not specifically allowed by any applicable policy object.Administrators should use a default policy selecting all Pods to deny all ingress and egress traffic and ensure any unselected Pods are isolated. Additional policies could then relax these restrictions for permissible connections.", "test": "Check for each Pod whether there is an ingress and egress policy defined (whether using Pod or Namespace). ", @@ -721,8 +721,8 @@ } ] }, - "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", - "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.", + "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.", "long_description": "We have it in Armo best (Automatic mapping of service account token).", "test": "Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount ", "controlID": "C-0034", @@ -897,9 +897,9 @@ } ] }, - "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", - "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "controlID": "C-0038", "baseScore": 7.0, "example": "@controls/examples/c038.yaml", @@ -976,8 +976,8 @@ } ] }, - "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", - "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.", + "description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.", + "remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.", "long_description": "We have it in ArmoBest", "test": "", "controlID": "C-0041", @@ -1134,7 +1134,7 @@ } ] }, - "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).", "remediation": "Remove all insecure capabilities which are not necessary for the container.", "long_description": "Giving insecure and unnecessary capabilities for a container can increase the impact of a container compromise.", "test": "Check capabilities given against a configurable blacklist of insecure capabilities (https://man7.org/linux/man-pages/man7/capabilities.7.html). ", @@ -1373,7 +1373,7 @@ "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: privileged\nspec:\n containers:\n - name: pause\n image: k8s.gcr.io/pause\n securityContext:\n privileged: true # This field triggers failure!\n", "remediation": "Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.", "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in Pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0, "rules": [ @@ -1763,7 +1763,7 @@ }, "description": "PSP enable fine-grained authorization of pod creation and it is important to enable it", "remediation": "Turn Pod Security Policies on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans", - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, From 04bc69050381f13a5471bab0481fd5f90eabd41d Mon Sep 17 00:00:00 2001 From: Craig Box Date: Tue, 21 Mar 2023 14:03:35 +1300 Subject: [PATCH 2/3] et cetera daemon Signed-off-by: Craig Box --- FWName_CID_CName.csv | 8 ++++---- controls/C-0066-secretetcdencryptionenabled.json | 2 +- frameworks/allcontrols.json | 2 +- frameworks/armobest.json | 2 +- frameworks/mitre.json | 2 +- frameworks/nsaframework.json | 2 +- releaseDev/FWName_CID_CName.csv | 10 +++++----- releaseDev/allcontrols.json | 2 +- releaseDev/armobest.json | 2 +- releaseDev/controls.json | 2 +- releaseDev/frameworks.json | 8 ++++---- releaseDev/mitre.json | 2 +- releaseDev/nsa.json | 2 +- 13 files changed, 23 insertions(+), 23 deletions(-) diff --git a/FWName_CID_CName.csv b/FWName_CID_CName.csv index 86542b678..aa344424a 100644 --- a/FWName_CID_CName.csv +++ b/FWName_CID_CName.csv @@ -42,7 +42,7 @@ AllControls,C-0061,Pods in default namespace AllControls,C-0062,Sudo in container entrypoint AllControls,C-0063,Portforwarding privileges AllControls,C-0065,No impersonation -AllControls,C-0066,Secret/ETCD encryption enabled +AllControls,C-0066,Secret/etcd encryption enabled AllControls,C-0067,Audit logs enabled AllControls,C-0068,PSP enabled AllControls,C-0069,Disable anonymous access to Kubelet service @@ -88,7 +88,7 @@ ArmoBest,C-0061,Pods in default namespace ArmoBest,C-0062,Sudo in container entrypoint ArmoBest,C-0063,Portforwarding privileges ArmoBest,C-0065,No impersonation -ArmoBest,C-0066,Secret/ETCD encryption enabled +ArmoBest,C-0066,Secret/etcd encryption enabled ArmoBest,C-0067,Audit logs enabled ArmoBest,C-0068,PSP enabled ArmoBest,C-0069,Disable anonymous access to Kubelet service @@ -136,7 +136,7 @@ MITRE,C-0054,Cluster internal networking MITRE,C-0057,Privileged container MITRE,C-0058,CVE-2021-25741 - Using symlink for arbitrary host file system access. MITRE,C-0059,CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability -MITRE,C-0066,Secret/ETCD encryption enabled +MITRE,C-0066,Secret/etcd encryption enabled MITRE,C-0067,Audit logs enabled MITRE,C-0068,PSP enabled MITRE,C-0069,Disable anonymous access to Kubelet service @@ -160,7 +160,7 @@ NSA,C-0055,Linux hardening NSA,C-0057,Privileged container NSA,C-0058,CVE-2021-25741 - Using symlink for arbitrary host file system access. NSA,C-0059,CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability -NSA,C-0066,Secret/ETCD encryption enabled +NSA,C-0066,Secret/etcd encryption enabled NSA,C-0067,Audit logs enabled NSA,C-0068,PSP enabled NSA,C-0069,Disable anonymous access to Kubelet service diff --git a/controls/C-0066-secretetcdencryptionenabled.json b/controls/C-0066-secretetcdencryptionenabled.json index 45c4ccbf2..0f22a1d4f 100644 --- a/controls/C-0066-secretetcdencryptionenabled.json +++ b/controls/C-0066-secretetcdencryptionenabled.json @@ -1,5 +1,5 @@ { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ diff --git a/frameworks/allcontrols.json b/frameworks/allcontrols.json index 3e10e6c61..ab8cc6d3a 100644 --- a/frameworks/allcontrols.json +++ b/frameworks/allcontrols.json @@ -266,7 +266,7 @@ { "controlID": "C-0066", "patch": { - "name": "Secret/ETCD encryption enabled" + "name": "Secret/etcd encryption enabled" } }, { diff --git a/frameworks/armobest.json b/frameworks/armobest.json index a87e7b3f9..024be57c0 100644 --- a/frameworks/armobest.json +++ b/frameworks/armobest.json @@ -158,7 +158,7 @@ { "controlID": "C-0066", "patch": { - "name": "Secret/ETCD encryption enabled" + "name": "Secret/etcd encryption enabled" } }, { diff --git a/frameworks/mitre.json b/frameworks/mitre.json index 1f38dd462..a937e3c87 100644 --- a/frameworks/mitre.json +++ b/frameworks/mitre.json @@ -140,7 +140,7 @@ { "controlID": "C-0066", "patch": { - "name": "Secret/ETCD encryption enabled" + "name": "Secret/etcd encryption enabled" } }, { diff --git a/frameworks/nsaframework.json b/frameworks/nsaframework.json index 4e2ff39e7..d08a2bba2 100644 --- a/frameworks/nsaframework.json +++ b/frameworks/nsaframework.json @@ -122,7 +122,7 @@ { "controlID": "C-0066", "patch": { - "name": "Secret/ETCD encryption enabled" + "name": "Secret/etcd encryption enabled" } }, { diff --git a/releaseDev/FWName_CID_CName.csv b/releaseDev/FWName_CID_CName.csv index fc23f63d3..651c5f9fe 100644 --- a/releaseDev/FWName_CID_CName.csv +++ b/releaseDev/FWName_CID_CName.csv @@ -24,7 +24,7 @@ ArmoBest,C-0061,Pods in default namespace ArmoBest,C-0062,Sudo in container entrypoint ArmoBest,C-0063,Portforwarding privileges ArmoBest,C-0065,No impersonation -ArmoBest,C-0066,Secret/ETCD encryption enabled +ArmoBest,C-0066,Secret/etcd encryption enabled ArmoBest,C-0067,Audit logs enabled ArmoBest,C-0068,PSP enabled ArmoBest,C-0069,Disable anonymous access to Kubelet service @@ -216,7 +216,7 @@ AllControls,C-0061,Pods in default namespace AllControls,C-0062,Sudo in container entrypoint AllControls,C-0063,Portforwarding privileges AllControls,C-0065,No impersonation -AllControls,C-0066,Secret/ETCD encryption enabled +AllControls,C-0066,Secret/etcd encryption enabled AllControls,C-0067,Audit logs enabled AllControls,C-0068,PSP enabled AllControls,C-0069,Disable anonymous access to Kubelet service @@ -259,7 +259,7 @@ MITRE,C-0054,Cluster internal networking MITRE,C-0057,Privileged container MITRE,C-0058,CVE-2021-25741 - Using symlink for arbitrary host file system access. MITRE,C-0059,CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability -MITRE,C-0066,Secret/ETCD encryption enabled +MITRE,C-0066,Secret/etcd encryption enabled MITRE,C-0067,Audit logs enabled MITRE,C-0068,PSP enabled MITRE,C-0069,Disable anonymous access to Kubelet service @@ -283,12 +283,12 @@ NSA,C-0055,Linux hardening NSA,C-0057,Privileged container NSA,C-0058,CVE-2021-25741 - Using symlink for arbitrary host file system access. NSA,C-0059,CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability -NSA,C-0066,Secret/ETCD encryption enabled +NSA,C-0066,Secret/etcd encryption enabled NSA,C-0067,Audit logs enabled NSA,C-0068,PSP enabled NSA,C-0069,Disable anonymous access to Kubelet service NSA,C-0070,Enforce Kubelet client TLS authentication -cis-eks-t1.2.0,C-0066,Secret/ETCD encryption enabled +cis-eks-t1.2.0,C-0066,Secret/etcd encryption enabled cis-eks-t1.2.0,C-0067,Audit logs enabled cis-eks-t1.2.0,C-0078,Images from allowed registry cis-eks-t1.2.0,C-0167,Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root diff --git a/releaseDev/allcontrols.json b/releaseDev/allcontrols.json index 7a6583f52..9bdcff6a8 100644 --- a/releaseDev/allcontrols.json +++ b/releaseDev/allcontrols.json @@ -3694,7 +3694,7 @@ ] }, { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ diff --git a/releaseDev/armobest.json b/releaseDev/armobest.json index 47b55dbb9..75a52f605 100644 --- a/releaseDev/armobest.json +++ b/releaseDev/armobest.json @@ -2046,7 +2046,7 @@ ] }, { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ diff --git a/releaseDev/controls.json b/releaseDev/controls.json index 2b97028f5..b91149bf2 100644 --- a/releaseDev/controls.json +++ b/releaseDev/controls.json @@ -480,7 +480,7 @@ "rules": [] }, { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ diff --git a/releaseDev/frameworks.json b/releaseDev/frameworks.json index ea54d68e1..97bb966d9 100644 --- a/releaseDev/frameworks.json +++ b/releaseDev/frameworks.json @@ -664,7 +664,7 @@ "rules": [] }, { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ @@ -4987,7 +4987,7 @@ "rules": [] }, { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ @@ -6137,7 +6137,7 @@ "rules": [] }, { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ @@ -6800,7 +6800,7 @@ "rules": [] }, { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ diff --git a/releaseDev/mitre.json b/releaseDev/mitre.json index 5e5eedcf2..2be27973e 100644 --- a/releaseDev/mitre.json +++ b/releaseDev/mitre.json @@ -2056,7 +2056,7 @@ ] }, { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ diff --git a/releaseDev/nsa.json b/releaseDev/nsa.json index 74ae69297..2419ab5e4 100644 --- a/releaseDev/nsa.json +++ b/releaseDev/nsa.json @@ -1565,7 +1565,7 @@ ] }, { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ From 1c338c6098784052e3293a4c661b0df466d8f888 Mon Sep 17 00:00:00 2001 From: Craig Box Date: Tue, 30 May 2023 15:07:57 +0100 Subject: [PATCH 3/3] post-merge fixes Signed-off-by: Craig Box --- controls/C-0009-resourcelimits.json | 4 +- controls/C-0013-nonrootcontainers.json | 2 +- releaseDev/FWName_CID_CName.csv | 10 +-- releaseDev/allcontrols.json | 6 +- releaseDev/armobest.json | 6 +- releaseDev/controls.json | 92 +++++++++++++------------- releaseDev/frameworks.json | 68 +++++++++---------- releaseDev/nsa.json | 6 +- 8 files changed, 97 insertions(+), 97 deletions(-) diff --git a/controls/C-0009-resourcelimits.json b/controls/C-0009-resourcelimits.json index f747fe448..271fbd270 100644 --- a/controls/C-0009-resourcelimits.json +++ b/controls/C-0009-resourcelimits.json @@ -14,12 +14,12 @@ } ] }, - "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", "rulesNames": [ "resource-policies" ], - "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", "baseScore": 7.0, diff --git a/controls/C-0013-nonrootcontainers.json b/controls/C-0013-nonrootcontainers.json index 29274949c..cca327158 100644 --- a/controls/C-0013-nonrootcontainers.json +++ b/controls/C-0013-nonrootcontainers.json @@ -15,7 +15,7 @@ } ] }, - "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.", + "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.", "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", "rulesNames": [ "non-root-containers" diff --git a/releaseDev/FWName_CID_CName.csv b/releaseDev/FWName_CID_CName.csv index 8bd2bfa42..29d967e57 100644 --- a/releaseDev/FWName_CID_CName.csv +++ b/releaseDev/FWName_CID_CName.csv @@ -84,12 +84,12 @@ AllControls,C-0061,Pods in default namespace AllControls,C-0062,Sudo in container entrypoint AllControls,C-0063,Portforwarding privileges AllControls,C-0065,No impersonation -AllControls,C-0066,Secret/ETCD encryption enabled +AllControls,C-0066,Secret/etcd encryption enabled AllControls,C-0067,Audit logs enabled AllControls,C-0068,PSP enabled AllControls,C-0069,Disable anonymous access to Kubelet service AllControls,C-0070,Enforce Kubelet client TLS authentication -AllControls,C-0073,Naked PODs +AllControls,C-0073,Naked pods AllControls,C-0074,Containers mounting Docker socket AllControls,C-0075,Image pull policy on latest tag AllControls,C-0076,Label usage for resources @@ -176,7 +176,7 @@ NSA,C-0055,Linux hardening NSA,C-0057,Privileged container NSA,C-0058,CVE-2021-25741 - Using symlink for arbitrary host file system access. NSA,C-0059,CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability -NSA,C-0066,Secret/ETCD encryption enabled +NSA,C-0066,Secret/etcd encryption enabled NSA,C-0067,Audit logs enabled NSA,C-0068,PSP enabled NSA,C-0069,Disable anonymous access to Kubelet service @@ -187,13 +187,13 @@ DevOpsBest,C-0044,Container hostPort DevOpsBest,C-0050,Resources CPU limit and request DevOpsBest,C-0056,Configured liveness probe DevOpsBest,C-0061,Pods in default namespace -DevOpsBest,C-0073,Naked PODs +DevOpsBest,C-0073,Naked pods DevOpsBest,C-0074,Containers mounting Docker socket DevOpsBest,C-0075,Image pull policy on latest tag DevOpsBest,C-0076,Label usage for resources DevOpsBest,C-0077,K8s common labels usage DevOpsBest,C-0253,Deprecated Kubernetes image registry -cis-eks-t1.2.0,C-0066,Secret/ETCD encryption enabled +cis-eks-t1.2.0,C-0066,Secret/etcd encryption enabled cis-eks-t1.2.0,C-0067,Audit logs enabled cis-eks-t1.2.0,C-0078,Images from allowed registry cis-eks-t1.2.0,C-0167,Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root diff --git a/releaseDev/allcontrols.json b/releaseDev/allcontrols.json index e2491eb7c..1a7a8981a 100644 --- a/releaseDev/allcontrols.json +++ b/releaseDev/allcontrols.json @@ -411,9 +411,9 @@ } ] }, - "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", - "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", "baseScore": 7.0, @@ -643,7 +643,7 @@ } ] }, - "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.", + "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.", "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", "long_description": "Container engines allow containers to run applications as a non-root user with non-root group membership. Typically, this non-default setting is configured when the container image is built. . Alternatively, Kubernetes can load containers into a Pod with SecurityContext:runAsUser specifying a non-zero user. While the runAsUser directive effectively forces non-root execution at deployment, NSA and CISA encourage developers to build container applications to execute as a non-root user. Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges.", "test": "Verify if runAsUser and runAsGroup are set to a user id greater than 999. Check that the allowPrivilegeEscalation field is set to false. Check all the combinations with PodSecurityContext and SecurityContext (for containers).", diff --git a/releaseDev/armobest.json b/releaseDev/armobest.json index 95187b3f8..1a49d51db 100644 --- a/releaseDev/armobest.json +++ b/releaseDev/armobest.json @@ -242,9 +242,9 @@ } ] }, - "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", - "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", "baseScore": 7.0, @@ -474,7 +474,7 @@ } ] }, - "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.", + "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.", "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", "long_description": "Container engines allow containers to run applications as a non-root user with non-root group membership. Typically, this non-default setting is configured when the container image is built. . Alternatively, Kubernetes can load containers into a Pod with SecurityContext:runAsUser specifying a non-zero user. While the runAsUser directive effectively forces non-root execution at deployment, NSA and CISA encourage developers to build container applications to execute as a non-root user. Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges.", "test": "Verify if runAsUser and runAsGroup are set to a user id greater than 999. Check that the allowPrivilegeEscalation field is set to false. Check all the combinations with PodSecurityContext and SecurityContext (for containers).", diff --git a/releaseDev/controls.json b/releaseDev/controls.json index 718939993..489835a2a 100644 --- a/releaseDev/controls.json +++ b/releaseDev/controls.json @@ -57,12 +57,12 @@ } ] }, - "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "remediation": "Remove sudo from the command line and use Kubernetes native root and capabilities controls to provide necessary privileges where they are required.", "rulesNames": [ "sudo-in-container-entrypoint" ], - "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the POD to find those that have sudo command.", + "long_description": "Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.", "test": "Check that there is no 'sudo' in the container entrypoint", "controlID": "C-0062", "baseScore": 5.0, @@ -566,12 +566,12 @@ } ] }, - "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.", "rulesNames": [ "host-pid-ipc-privileges" ], - "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.", + "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.", "controlID": "C-0038", "baseScore": 7.0, "example": "@controls/examples/c038.yaml", @@ -928,8 +928,8 @@ } ] }, - "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.", - "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.", + "description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.", + "remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.", "rulesNames": [ "host-network-access" ], @@ -1234,12 +1234,12 @@ "devops" ] }, - "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "remediation": "Remove docker socket mount request or define an exception.", "rulesNames": [ "containers-mounting-docker-socket" ], - "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "test": "Check hostpath. If the path is set to /var/run/docker.sock or /var/lib/docker , the container has access to Docker internals - fail.", "controlID": "C-0074", "baseScore": 5, @@ -1427,7 +1427,7 @@ ] }, "description": "Container images with known critical vulnerabilities pose elevated risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if either LoadBalancer or NodePort service is assigned to them.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", "rulesNames": [ "exposed-critical-pods" ], @@ -1488,7 +1488,7 @@ "compliance" ] }, - "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.", + "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.", "remediation": "Define a network policy that restricts ingress and egress connections.", "rulesNames": [ "ingress-and-egress-blocked" @@ -1601,12 +1601,12 @@ } ] }, - "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", - "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.", + "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", "rulesNames": [ "resource-policies" ], - "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", "baseScore": 7.0, @@ -1690,20 +1690,20 @@ "rules": [] }, { - "name": "Naked PODs", + "name": "Naked pods", "attributes": { "armoBuiltin": true, "controlTypeTags": [ "devops" ] }, - "description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "remediation": "Create necessary Deployment object for every POD making any POD a first class citizen in your IaC architecture.", + "description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "remediation": "Create necessary Deployment object for every pod making any pod a first class citizen in your IaC architecture.", "rulesNames": [ "naked-pods" ], - "long_description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "test": "Test if PODs are not associated with Deployment, ReplicaSet etc. If not, fail.", + "long_description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "test": "Test if pods are not associated with Deployment, ReplicaSet etc. If not, fail.", "controlID": "C-0073", "baseScore": 3, "rules": [] @@ -2017,12 +2017,12 @@ } ] }, - "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", - "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the POD to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", + "description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", + "remediation": "Either update the container image to fix the vulnerabilities (if such fix is available) or reassess if this workload must be exposed to the outseide traffic. If no fix is available, consider periodic restart of the pod to minimize the risk of persistant intrusion. Use exception mechanism if you don't want to see this report again.", "rulesNames": [ "exposed-rce-pods" ], - "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their POD has either LoadBalancer or NodePort service.", + "long_description": "Container images with known Remote Code Execution (RCE) vulnerabilities pose significantly higher risk if they are exposed to the external traffic. This control lists all images with such vulnerabilities if their pod has either LoadBalancer or NodePort service.", "test": "This control enumerates external facing workloads, that have LoadBalancer or NodePort service and checks the image vulnerability information for the RCE vulnerability.", "controlID": "C-0084", "baseScore": 8.0, @@ -2218,7 +2218,7 @@ "alert-rw-hostpath" ], "long_description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", - "test": "Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", + "test": "Checking in pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", "controlID": "C-0045", "baseScore": 8.0, "example": "@controls/examples/c045.yaml", @@ -2268,7 +2268,7 @@ } ] }, - "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.", + "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.", "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", "rulesNames": [ "non-root-containers" @@ -2605,7 +2605,7 @@ } ] }, - "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using aspecially-crafted POD configuration yamls", + "description": "CVE-2022-23648 is a vulnerability of containerd enabling attacker to gain access to read-only copies of arbitrary files from the host using specially-crafted pod configuration yamls", "remediation": "Patch containerd to 1.6.1, 1.5.10, 1.4.12 or above", "rulesNames": [ "CVE-2022-23648" @@ -2764,7 +2764,7 @@ } ] }, - "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.", + "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.", "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: test-pd\nspec:\n containers:\n - image: k8s.gcr.io/test-webserver\n name: test-container\n volumeMounts:\n - mountPath: /test-pd\n name: test-volume\n volumes:\n - name: test-volume\n hostPath: # This field triggers failure!\n path: /data\n type: Directory\n", "remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.", "rulesNames": [ @@ -2867,7 +2867,7 @@ "psp-enabled-cloud", "psp-enabled-native" ], - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, @@ -2903,12 +2903,12 @@ "devops" ] }, - "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "remediation": "Ensure Readiness probes are configured wherever possible.", "rulesNames": [ "configured-readiness-probe" ], - "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "controlID": "C-0018", "example": "@controls/examples/c018.yaml", "baseScore": 3, @@ -2985,12 +2985,12 @@ "devops" ] }, - "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always.", - "remediation": "Set ImagePullPolicy to Always in all PODs found by this control.", + "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always.", + "remediation": "Set ImagePullPolicy to Always in all pods found by this control.", "rulesNames": [ "image-pull-policy-is-not-set-to-always" ], - "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", + "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", "test": "If imagePullPolicy = always pass, else fail.", "controlID": "C-0075", "baseScore": 2, @@ -3602,7 +3602,7 @@ "rules": [] }, { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ @@ -3950,8 +3950,8 @@ } ] }, - "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", - "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.", + "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.", + "remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.", "rulesNames": [ "automount-service-account" ], @@ -4127,8 +4127,8 @@ } ] }, - "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", - "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.", + "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", + "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.", "rulesNames": [ "access-container-service-account", "access-container-service-account-v1" @@ -4587,7 +4587,7 @@ ] }, "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.", - "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", + "remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.", "rulesNames": [ "immutable-container-filesystem" ], @@ -4839,12 +4839,12 @@ "devops" ] }, - "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "remediation": "Ensure Liveness probes are configured wherever possible.", "rulesNames": [ "configured-liveness-probe" ], - "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "controlID": "C-0056", "baseScore": 4, "rules": [] @@ -4888,7 +4888,7 @@ } ] }, - "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).", + "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).", "remediation": "Remove all insecure capabilities which are not necessary for the container.", "rulesNames": [ "insecure-capabilities" @@ -4909,12 +4909,12 @@ "devops" ] }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", "rulesNames": [ "pods-in-default-namespace" ], - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "controlID": "C-0061", "baseScore": 3, @@ -4931,7 +4931,7 @@ "compliance" ] }, - "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a POD in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", + "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a pod in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", "remediation": "Watch Kubernetes CronJobs and make sure they are legitimate.", "rulesNames": [ "rule-deny-cronjobs" @@ -4962,7 +4962,7 @@ } ] }, - "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with PODs from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", + "description": "Attackers with relevant RBAC permission can use \u201ckubectl portforward\u201d command to establish direct communication with pods from within the cluster or even remotely. Such communication will most likely bypass existing security measures in the cluster. This control determines which subjects have permissions to use this command.", "remediation": "It is recommended to prohibit \u201ckubectl portforward\u201d command in production environments. It is also recommended not to use subjects with this permission for daily cluster operations.", "rulesNames": [ "rule-can-portforward", @@ -5180,7 +5180,7 @@ "rule-privilege-escalation" ], "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0, "rules": [] diff --git a/releaseDev/frameworks.json b/releaseDev/frameworks.json index adea1bcf0..5c0a68455 100644 --- a/releaseDev/frameworks.json +++ b/releaseDev/frameworks.json @@ -100,9 +100,9 @@ } ] }, - "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", - "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", "baseScore": 7.0, @@ -163,7 +163,7 @@ } ] }, - "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.", + "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.", "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", "long_description": "Container engines allow containers to run applications as a non-root user with non-root group membership. Typically, this non-default setting is configured when the container image is built. . Alternatively, Kubernetes can load containers into a Pod with SecurityContext:runAsUser specifying a non-zero user. While the runAsUser directive effectively forces non-root execution at deployment, NSA and CISA encourage developers to build container applications to execute as a non-root user. Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges.", "test": "Verify if runAsUser and runAsGroup are set to a user id greater than 999. Check that the allowPrivilegeEscalation field is set to false. Check all the combinations with PodSecurityContext and SecurityContext (for containers).", @@ -1272,9 +1272,9 @@ } ] }, - "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", - "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", "baseScore": 7.0, @@ -1335,7 +1335,7 @@ } ] }, - "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.", + "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.", "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", "long_description": "Container engines allow containers to run applications as a non-root user with non-root group membership. Typically, this non-default setting is configured when the container image is built. . Alternatively, Kubernetes can load containers into a Pod with SecurityContext:runAsUser specifying a non-zero user. While the runAsUser directive effectively forces non-root execution at deployment, NSA and CISA encourage developers to build container applications to execute as a non-root user. Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges.", "test": "Verify if runAsUser and runAsGroup are set to a user id greater than 999. Check that the allowPrivilegeEscalation field is set to false. Check all the combinations with PodSecurityContext and SecurityContext (for containers).", @@ -4065,9 +4065,9 @@ } ] }, - "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", - "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", "baseScore": 7.0, @@ -4128,7 +4128,7 @@ } ] }, - "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.", + "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.", "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", "long_description": "Container engines allow containers to run applications as a non-root user with non-root group membership. Typically, this non-default setting is configured when the container image is built. . Alternatively, Kubernetes can load containers into a Pod with SecurityContext:runAsUser specifying a non-zero user. While the runAsUser directive effectively forces non-root execution at deployment, NSA and CISA encourage developers to build container applications to execute as a non-root user. Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges.", "test": "Verify if runAsUser and runAsGroup are set to a user id greater than 999. Check that the allowPrivilegeEscalation field is set to false. Check all the combinations with PodSecurityContext and SecurityContext (for containers).", @@ -4695,9 +4695,9 @@ "devops" ] }, - "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "remediation": "Ensure Readiness probes are configured wherever possible.", - "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.", + "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.", "controlID": "C-0018", "example": "@controls/examples/c018.yaml", "baseScore": 3, @@ -4754,9 +4754,9 @@ "devops" ] }, - "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "remediation": "Ensure Liveness probes are configured wherever possible.", - "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.", + "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.", "controlID": "C-0056", "baseScore": 4, "rules": [] @@ -4770,26 +4770,26 @@ "devops" ] }, - "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.", - "remediation": "Create necessary namespaces and move all the PODs from default namespace there.", - "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.", + "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.", + "remediation": "Create necessary namespaces and move all the pods from default namespace there.", + "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.", "test": "Check that there are no pods in the 'default' namespace", "controlID": "C-0061", "baseScore": 3, "rules": [] }, { - "name": "Naked PODs", + "name": "Naked pods", "attributes": { "armoBuiltin": true, "controlTypeTags": [ "devops" ] }, - "description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "remediation": "Create necessary Deployment object for every POD making any POD a first class citizen in your IaC architecture.", - "long_description": "It is not recommended to create PODs without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if PODs may lead to a configuration drifts and other untracked changes in the system. Such PODs won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every POD that does not have corresponding parental object.", - "test": "Test if PODs are not associated with Deployment, ReplicaSet etc. If not, fail.", + "description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "remediation": "Create necessary Deployment object for every pod making any pod a first class citizen in your IaC architecture.", + "long_description": "It is not recommended to create pods without parental Deployment, ReplicaSet, StatefulSet etc.Manual creation if pods may lead to a configuration drifts and other untracked changes in the system. Such pods won't be automatically rescheduled by Kubernetes in case of a crash or infrastructure failure. This control identifies every pod that does not have corresponding parental object.", + "test": "Test if pods are not associated with Deployment, ReplicaSet etc. If not, fail.", "controlID": "C-0073", "baseScore": 3, "rules": [] @@ -4802,9 +4802,9 @@ "devops" ] }, - "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "remediation": "Remove docker socket mount request or define an exception.", - "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies PODs that attempt to mount Docker socket for accessing Docker runtime.", + "long_description": "Mounting Docker socket (Unix socket) enables container to access Docker internals, retrieve sensitive information and execute Docker commands, if Docker runtime is available. This control identifies pods that attempt to mount Docker socket for accessing Docker runtime.", "test": "Check hostpath. If the path is set to /var/run/docker.sock or /var/lib/docker , the container has access to Docker internals - fail.", "controlID": "C-0074", "baseScore": 5, @@ -4818,9 +4818,9 @@ "devops" ] }, - "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always.", - "remediation": "Set ImagePullPolicy to Always in all PODs found by this control.", - "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all PODs with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", + "description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always.", + "remediation": "Set ImagePullPolicy to Always in all pods found by this control.", + "long_description": "While usage of the latest tag is not generally recommended, in some cases this is necessary. If it is, the ImagePullPolicy must be set to Always, otherwise Kubernetes may run an older image with the same name that happens to be present in the node cache. Note that using Always will not cause additional image downloads because Kubernetes will check the image hash of the local local against the registry and only pull the image if this hash has changed, which is exactly what users want when use the latest tag. This control will identify all pods with latest tag that have ImagePullSecret not set to Always. Note as well that some vendors don't use the word latest in the tag. Some other word may also behave like the latest. For example, Redis uses redis:alpine to signify the latest. Therefore, this control treats any word that does not contain digits as the latest. If no tag is specified, the image is treated as latests too.", "test": "If imagePullPolicy = always pass, else fail.", "controlID": "C-0075", "baseScore": 2, @@ -8902,7 +8902,7 @@ "compliance" ] }, - "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a POD in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", + "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a pod in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.", "remediation": "Watch Kubernetes CronJobs and make sure they are legitimate.", "long_description": "Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.", "test": "We list all CronJobs that exist in cluster for the user to approve.", @@ -9096,7 +9096,7 @@ "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host and gain persistence.", "remediation": "Refrain from using the hostPath mount or use the exception mechanism to remove unnecessary notifications.", "long_description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.", - "test": "Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", + "test": "Checking in pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.", "controlID": "C-0045", "baseScore": 8.0, "example": "@controls/examples/c045.yaml", @@ -9122,7 +9122,7 @@ } ] }, - "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.", + "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.", "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: test-pd\nspec:\n containers:\n - image: k8s.gcr.io/test-webserver\n name: test-container\n volumeMounts:\n - mountPath: /test-pd\n name: test-volume\n volumes:\n - name: test-volume\n hostPath: # This field triggers failure!\n path: /data\n type: Directory\n", "remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.", "controlID": "C-0048", @@ -9181,8 +9181,8 @@ } ] }, - "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", - "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.", + "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.", + "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.", "long_description": "Service account (SA) represents an application identity in Kubernetes. By default, an SA is mounted to every created pod in the cluster. Using the SA, containers in the pod can send requests to the Kubernetes API server. Attackers who get access to a pod can access the SA token (located in /var/run/secrets/kubernetes.io/serviceaccount/token) and perform actions in the cluster, according to the SA permissions. If RBAC is not enabled, the SA has unlimited permissions in the cluster. If RBAC is enabled, its permissions are determined by the RoleBindings\\\\ClusterRoleBindings that are associated with it.", "test": "Check if RBAC is enabled. If is not, the sa has unlimited permissions.If RBAC enabled, list which workloads have bound service accounts and all the sas permissions", "controlID": "C-0053", @@ -9241,7 +9241,7 @@ "example": "apiVersion: v1\nkind: Pod\nmetadata:\n name: privileged\nspec:\n containers:\n - name: pause\n image: k8s.gcr.io/pause\n securityContext:\n privileged: true # This field triggers failure!\n", "remediation": "Remove privileged capabilities by setting the securityContext.privileged to false. If you must deploy a Pod as privileged, add other restriction to it, such as network policy, Seccomp etc and still remove all unnecessary capabilities. Use the exception mechanism to remove unnecessary notifications.", "long_description": "A privileged container is a container that has all the capabilities of the host machine, which lifts all the limitations regular containers have. Practically, this means that privileged containers can do almost every action that can be performed directly on the host. Attackers who gain access to a privileged container or have permissions to create a new privileged container (by using the compromised pod\u2019s service account, for example), can get access to the host\u2019s resources.", - "test": "Check in POD spec if securityContext.privileged == true, if so raise an alert.", + "test": "Check in pod spec if securityContext.privileged == true, if so raise an alert.", "controlID": "C-0057", "baseScore": 8.0, "rules": [] @@ -9296,7 +9296,7 @@ "rules": [] }, { - "name": "Secret/ETCD encryption enabled", + "name": "Secret/etcd encryption enabled", "attributes": { "armoBuiltin": true, "controlTypeTags": [ @@ -9364,7 +9364,7 @@ }, "description": "PSP enable fine-grained authorization of pod creation and it is important to enable it", "remediation": "Turn Pod Security Policies on in your cluster, if you use other admission controllers to control the behavior that PSP controls, exclude this control from your scans", - "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive PODs in your cluster.", + "long_description": "Pod Security Policies enable fine-grained authorization of pod creation and updates and it extends authorization beyond RBAC. It is an important to use PSP to control the creation of sensitive pods in your cluster.", "test": "Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if PSP is enabled", "controlID": "C-0068", "baseScore": 1.0, diff --git a/releaseDev/nsa.json b/releaseDev/nsa.json index 0e2de8fef..2eb03de04 100644 --- a/releaseDev/nsa.json +++ b/releaseDev/nsa.json @@ -163,9 +163,9 @@ } ] }, - "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.", - "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", + "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.", "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory", "controlID": "C-0009", "baseScore": 7.0, @@ -395,7 +395,7 @@ } ] }, - "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.", + "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.", "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.", "long_description": "Container engines allow containers to run applications as a non-root user with non-root group membership. Typically, this non-default setting is configured when the container image is built. . Alternatively, Kubernetes can load containers into a Pod with SecurityContext:runAsUser specifying a non-zero user. While the runAsUser directive effectively forces non-root execution at deployment, NSA and CISA encourage developers to build container applications to execute as a non-root user. Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges.", "test": "Verify if runAsUser and runAsGroup are set to a user id greater than 999. Check that the allowPrivilegeEscalation field is set to false. Check all the combinations with PodSecurityContext and SecurityContext (for containers).",