fix: change capitalisation of "pod" and "etcd" throughout

FWName_CID_CName.csv

@@ -42,12 +42,12 @@ AllControls,C-0061,Pods in default namespace
 AllControls,C-0062,Sudo in container entrypoint
 AllControls,C-0063,Portforwarding privileges
 AllControls,C-0065,No impersonation
-AllControls,C-0066,Secret/ETCD encryption enabled
+AllControls,C-0066,Secret/etcd encryption enabled
 AllControls,C-0067,Audit logs enabled
 AllControls,C-0068,PSP enabled
 AllControls,C-0069,Disable anonymous access to Kubelet service
 AllControls,C-0070,Enforce Kubelet client TLS authentication
-AllControls,C-0073,Naked PODs
+AllControls,C-0073,Naked pods
 AllControls,C-0074,Containers mounting Docker socket
 AllControls,C-0075,Image pull policy on latest tag
 AllControls,C-0076,Label usage for resources
@@ -88,7 +88,7 @@ ArmoBest,C-0061,Pods in default namespace
 ArmoBest,C-0062,Sudo in container entrypoint
 ArmoBest,C-0063,Portforwarding privileges
 ArmoBest,C-0065,No impersonation
-ArmoBest,C-0066,Secret/ETCD encryption enabled
+ArmoBest,C-0066,Secret/etcd encryption enabled
 ArmoBest,C-0067,Audit logs enabled
 ArmoBest,C-0068,PSP enabled
 ArmoBest,C-0069,Disable anonymous access to Kubelet service
@@ -109,7 +109,7 @@ DevOpsBest,C-0044,Container hostPort
 DevOpsBest,C-0050,Resources CPU limit and request
 DevOpsBest,C-0056,Configured liveness probe
 DevOpsBest,C-0061,Pods in default namespace
-DevOpsBest,C-0073,Naked PODs
+DevOpsBest,C-0073,Naked pods
 DevOpsBest,C-0074,Containers mounting Docker socket
 DevOpsBest,C-0075,Image pull policy on latest tag
 DevOpsBest,C-0076,Label usage for resources
@@ -136,7 +136,7 @@ MITRE,C-0054,Cluster internal networking
 MITRE,C-0057,Privileged container
 MITRE,C-0058,CVE-2021-25741 - Using symlink for arbitrary host file system access.
 MITRE,C-0059,CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability
-MITRE,C-0066,Secret/ETCD encryption enabled
+MITRE,C-0066,Secret/etcd encryption enabled
 MITRE,C-0067,Audit logs enabled
 MITRE,C-0068,PSP enabled
 MITRE,C-0069,Disable anonymous access to Kubelet service
@@ -160,7 +160,7 @@ NSA,C-0055,Linux hardening
 NSA,C-0057,Privileged container
 NSA,C-0058,CVE-2021-25741 - Using symlink for arbitrary host file system access.
 NSA,C-0059,CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability
-NSA,C-0066,Secret/ETCD encryption enabled
+NSA,C-0066,Secret/etcd encryption enabled
 NSA,C-0067,Audit logs enabled
 NSA,C-0068,PSP enabled
 NSA,C-0069,Disable anonymous access to Kubelet service

README.md

@@ -33,7 +33,7 @@ Example of a framework:
       "armoBuiltin": true
     },
     "controlsNames": [
-        "Naked PODs",
+        "Naked pods",
         "Containers mounting Docker socket",
         "Image pull policy on latest tag",
         "Label usage for resources",
@@ -61,12 +61,12 @@ Example of a control:
     "attributes": {
         "armoBuiltin": true
     },
-    "description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This control identifies all the PODs running in the default namespace.",
-    "remediation": "Create necessary namespaces and move all the PODs from default namespace there.",
+    "description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This control identifies all the pods running in the default namespace.",
+    "remediation": "Create necessary namespaces and move all the pods from default namespace there.",
     "rulesNames": [
         "pods-in-default-namespace"
     ],
-    "long_description": "It is recommended to avoid running PODs in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the PODs running in the default namespace.",
+    "long_description": "It is recommended to avoid running pods in cluster without explicit namespace assignment. This may lead to wrong capabilities and permissions assignment and potential compromises. This control identifies all the pods running in the default namespace.",
     "test": "Check that there are no pods in the 'default' namespace",
     "id": "C-0061",
     "controlID": "C-0061",

controls/C-0009-resourcelimits.json

@@ -14,12 +14,12 @@
             }
         ]
     },
-    "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.",
-    "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/POD yamls.",
+    "description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.",
+    "remediation": "Define LimitRange and Resource Limits in the namespace or in the deployment/pod yamls.",
     "rulesNames": [
         "resource-policies"
     ],
-    "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.",
+    "long_description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.",
     "test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory",
     "controlID": "C-0009",
     "baseScore": 7.0,

controls/C-0013-nonrootcontainers.json

@@ -15,7 +15,7 @@
             }
         ]
     },
-    "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.",
+    "description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the pods running as root or can escalate to root.",
     "remediation": "If your application does not need root privileges, make sure to define the runAsUser or runAsGroup under the PodSecurityContext and use user ID 1000 or higher. Do not turn on allowPrivlegeEscalation bit and make sure runAsNonRoot is true.",
     "rulesNames": [
         "non-root-containers"

controls/C-0017-immutablecontainerfilesystem.json

@@ -17,7 +17,7 @@
         ]
     },
     "description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.",
-    "remediation": "Set the filesystem of the container to read-only when possible (POD securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.",
+    "remediation": "Set the filesystem of the container to read-only when possible (pod securityContext, readOnlyRootFilesystem: true). If containers application needs to write into the filesystem, it is recommended to mount secondary filesystems for specific directories where application require write access.",
     "rulesNames": [
         "immutable-container-filesystem"
     ],

controls/C-0018-configuredreadinessprobe.json

@@ -6,12 +6,12 @@
             "devops"
         ]
     },
-    "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.",
+    "description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.",
     "remediation": "Ensure Readiness probes are configured wherever possible.",
     "rulesNames": [
         "configured-readiness-probe"
     ],
-    "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.",
+    "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the pods where the readiness probe is not configured.",
     "controlID": "C-0018",
     "example": "@controls/examples/c018.yaml",
     "baseScore": 3

controls/C-0026-kubernetescronjob.json

@@ -9,7 +9,7 @@
             "compliance"
         ]
     },
-    "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a POD in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.",
+    "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a pod in the cluster. This control lists all the CronJobs that exist in the cluster for the user to approve.",
     "remediation": "Watch Kubernetes CronJobs and make sure they are legitimate.",
     "rulesNames": [
         "rule-deny-cronjobs"

controls/C-0030-ingressandegressblocked.json

@@ -6,7 +6,7 @@
             "compliance"
         ]
     },
-    "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new PODs, and then enable sources/destinations that this POD must communicate with.",
+    "description": "Disable Ingress and Egress traffic on all pods wherever possible. It is recommended to define restrictive network policy on all new pods, and then enable sources/destinations that this pod must communicate with.",
     "remediation": "Define a network policy that restricts ingress and egress connections.",
     "rulesNames": [
         "ingress-and-egress-blocked"

controls/C-0034-automaticmappingofserviceaccount.json

@@ -16,8 +16,8 @@
             }
         ]
     },
-    "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.",
-    "remediation": "Disable automatic mounting of service account tokens to PODs either at the service account level or at the individual POD level, by specifying the automountServiceAccountToken: false. Note that POD level takes precedence.",
+    "description": "Potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for pods that need to use them.",
+    "remediation": "Disable automatic mounting of service account tokens to pods either at the service account level or at the individual pod level, by specifying the automountServiceAccountToken: false. Note that pod level takes precedence.",
     "rulesNames": [
         "automount-service-account"
     ],

controls/C-0038-hostpidipcprivileges.json

@@ -15,12 +15,12 @@
             }
         ]
     },
-    "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.",
+    "description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.",
     "remediation": "Remove hostPID and hostIPC from the yaml file(s) privileges unless they are absolutely necessary.",
     "rulesNames": [
         "host-pid-ipc-privileges"
     ],
-    "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.",
+    "long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all pods using hostPID or hostIPC privileges.",
     "controlID": "C-0038",
     "baseScore": 7.0,
     "example": "@controls/examples/c038.yaml"

controls/C-0041-hostnetworkaccess.json

@@ -17,8 +17,8 @@
             }
         ]
     },
-    "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.",
-    "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those PODs that must have access to host network by design.",
+    "description": "Potential attackers may gain access to a pod and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the pods with host network access enabled.",
+    "remediation": "Only connect pods to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or completely remove it (false is the default). Whitelist only those pods that must have access to host network by design.",
     "rulesNames": [
         "host-network-access"
     ],

controls/C-0045-writablehostpathmount.json

@@ -28,7 +28,7 @@
         "alert-rw-hostpath"
     ],
     "long_description": "hostPath volume mounts a directory or a file from the host to the container. Attackers who have permissions to create a new container in the cluster may create one with a writable hostPath volume and gain persistence on the underlying host. For example, the latter can be achieved by creating a cron job on the host.",
-    "test": "Checking in POD spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.",
+    "test": "Checking in pod spec if there is a hostPath volume, if it has the section mount.readOnly == false (or doesn\u2019t exist) we raise an alert.",
     "controlID": "C-0045",
     "baseScore": 8.0,
     "example": "@controls/examples/c045.yaml"

controls/C-0046-insecurecapabilities.json

@@ -16,7 +16,7 @@
             }
         ]
     },
-    "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).",
+    "description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the pods with dangerous capabilities (see documentation pages for details).",
     "remediation": "Remove all insecure capabilities which are not necessary for the container.",
     "rulesNames": [
         "insecure-capabilities"

controls/C-0048-hostpathmount.json

@@ -18,7 +18,7 @@
             }
         ]
     },
-    "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.",
+    "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the pods using hostPath mount.",
     "example": "apiVersion: v1\nkind: Pod\nmetadata:\n  name: test-pd\nspec:\n  containers:\n  - image: k8s.gcr.io/test-webserver\n    name: test-container\n    volumeMounts:\n    - mountPath: /test-pd\n      name: test-volume\n  volumes:\n  - name: test-volume\n    hostPath: # This field triggers failure!\n      path: /data\n      type: Directory\n",
     "remediation": "Remove hostPath mounts unless they are absolutely necessary and use exception mechanism to remove notifications.",
     "rulesNames": [

controls/C-0053-accesscontainerserviceaccount.json

@@ -20,8 +20,8 @@
             }
         ]
     },
-    "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.",
-    "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary PODs have SA token mounted into them.",
+    "description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All pods with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.",
+    "remediation": "Verify that RBAC is enabled. Follow the least privilege principle and ensure that only necessary pods have SA token mounted into them.",
     "rulesNames": [
         "access-container-service-account",
         "access-container-service-account-v1"

controls/C-0056-configuredlivenessprobe.json

@@ -6,12 +6,12 @@
             "devops"
         ]
     },
-    "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.",
+    "description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.",
     "remediation": "Ensure Liveness probes are configured wherever possible.",
     "rulesNames": [
         "configured-liveness-probe"
     ],
-    "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the PODs where the Liveness probe is not configured.",
+    "long_description": "Liveness probe is intended to ensure that workload remains healthy during its entire execution lifecycle, or otherwise restrat the container. It is highly recommended to define liveness probe for every worker container. This control finds all the pods where the Liveness probe is not configured.",
     "controlID": "C-0056",
     "baseScore": 4
 }