From 2edffd10badde1b34f3724574b9e00dc5c181a52 Mon Sep 17 00:00:00 2001 
From: moshep Date: Sun, 12 Sep 2021 14:56:38 +0300 Subject: [PATCH] add id to controls --- ...ationscredentialsinconfigurationfiles.json | 16 ++++++++---- controls/ListKubernetessecrets.json | 24 ++++++++++-------- controls/SSHserverrunninginsidecontainer.json | 24 ++++++++++-------- controls/accesscontainerserviceaccount.json | 24 ++++++++++-------- controls/accessk8sdashboard.json | 25 +++++++++++-------- controls/accesskubeletAPI.json | 12 +++++---- controls/accesstillerendpoint.json | 17 ++++++++----- controls/allowedhostpath.json | 10 +++++--- controls/allowprivilegeescalation.json | 10 +++++--- controls/anonymousrequests.json | 11 ++++---- controls/applicationexploitRCE.json | 24 ++++++++++-------- controls/automaticmappingserviceaccount.json | 10 +++++--- controls/backdoorcontainer.json | 16 +++++++----- controls/bash-cmdinsidecontainer.json | 16 +++++++----- controls/clearcontainerlogs.json | 16 +++++++----- controls/cluster-adminbinding.json | 24 ++++++++++-------- controls/clusterInternalnetworking.json | 24 ++++++++++-------- controls/compromisedimagesinregistry.json | 22 +++++++++------- controls/configuredlivenessprobe.json | 10 +++++--- controls/configuredreadinessprobe.json | 10 +++++--- controls/containerhostport.json | 10 +++++--- controls/controlplanehardening.json | 10 +++++--- controls/coreDNSpoisoning.json | 16 +++++++----- controls/dangerouscapabilities.json | 12 +++++---- controls/datadestruction.json | 14 +++++++---- controls/deleteKubernetesevents.json | 14 +++++++---- controls/execintocontainer.json | 24 ++++++++++-------- controls/exposeddashboard.json | 24 ++++++++++-------- controls/exposedsensitiveinterfaces.json | 13 +++++++--- controls/hostPathmount.json | 24 ++++++++++-------- controls/hostnetworkaccess.json | 10 +++++--- controls/hostpidipcprivileges.json | 10 +++++--- controls/immutablecontainerfilesystem.json | 10 +++++--- controls/ingressandegressblocked.json | 10 +++++--- controls/insecurecapabilities.json | 12 +++++---- 
controls/instancemetadataAPI..json | 24 ++++++++++-------- controls/kubernetescronJob.json | 24 ++++++++++-------- controls/linuxhardening.json | 10 +++++--- ...maliciousadmissioncontroller-mutating.json | 14 +++++++---- ...liciousadmissioncontroller-validating.json | 14 +++++++---- controls/morethanonereplicas.json | 10 +++++--- controls/mountserviceprincipal.json | 14 +++++++---- controls/namesimilarity.json | 14 +++++++---- controls/networkmapping.json | 24 ++++++++++-------- controls/networkpolicies.json | 11 ++++---- controls/newcontainer.json | 22 +++++++++------- controls/nonrootcontainers.json | 10 +++++--- controls/podspecificversiontag.json | 10 +++++--- controls/privilegedcontainer.json | 24 ++++++++++-------- controls/resourcehijacking.json | 14 +++++++---- controls/resourcepolicies.json | 10 +++++--- controls/resourcescpulimit.json | 10 +++++--- controls/resourcesmemorylimit.json | 10 +++++--- controls/sidecarinjection.json | 16 +++++++----- controls/useridlessthanthousand.json | 10 +++++--- controls/vulnerableapplication.json | 24 ++++++++++-------- controls/writablehostPathmount.json | 25 +++++++++++-------- export.py | 1 + 58 files changed, 544 insertions(+), 359 deletions(-)
diff --git a/controls/Applicationscredentialsinconfigurationfiles.json b/controls/Applicationscredentialsinconfigurationfiles.json
index 61ec20f9d..e41aca7a1 100644
--- a/controls/Applicationscredentialsinconfigurationfiles.json
+++ b/controls/Applicationscredentialsinconfigurationfiles.json
@@ -1,11 +1,17 @@
 {
 "name": "Applications credentials in configuration files",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Credential access","Lateral Movement"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Credential access",
+ "Lateral Movement"
+ ]
 },
 "description": "Attackers who have access to configuration files can steal the stored secrets and use them. Checks if ConfigMaps or pods have sensitive information in configuration.",
 "remediation": "Use Kubernetes secrets to store credentials. Use ARMO secret protection solution to improve your security even more.",
- "rulesNames": ["rule-credentials-in-env-var", "rule-credentials-configmap"
- ]
- }
+ "rulesNames": [
+ "rule-credentials-in-env-var",
+ "rule-credentials-configmap"
+ ],
+ "id": "c_0012"
+}
\ No newline at end of file
diff --git a/controls/ListKubernetessecrets.json b/controls/ListKubernetessecrets.json
index 8e10edf3d..5f7cffefa 100644
--- a/controls/ListKubernetessecrets.json
+++ b/controls/ListKubernetessecrets.json
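Review bot: The new `"id": "c_0012"` is the only semantic addition in this hunk, yet nothing in the patch shown here guards the ids against collision across the 57 control files (the same applies to every controls/*.json hunk in this patch). If export.py is what assigns them, a check there that loads every controls/*.json and asserts `len(ids) == len(set(ids))` would catch two controls reporting under one id before the files are published. The re-serialised files also now escape non-ASCII as `\u201c`/`\u2019` and drop the trailing newline, which looks like a `json.dump` with the default `ensure_ascii=True` and no final newline write; if so, `ensure_ascii=False` plus a trailing `"\n"` keeps the text readable in future diffs and removes the `\ No newline at end of file` marker from every file.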
@@ -1,11 +1,15 @@
 {
- "name": "List Kubernetes secrets",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Credential access"]
- },
- "description": "Attackers who have permissions to access secrets can access sensitive information that might include credentials to various services. Determines which subjects can list/get secrets.",
- "remediation": "Monitor and approve users and service accounts that can access secrets. You can also protect these secrets using ARMO runtime protection.",
- "rulesNames": [ "rule-can-list-get-secrets"
- ]
-}
+ "name": "List Kubernetes secrets",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Credential access"
+ ]
+ },
+ "description": "Attackers who have permissions to access secrets can access sensitive information that might include credentials to various services. Determines which subjects can list/get secrets.",
+ "remediation": "Monitor and approve users and service accounts that can access secrets. You can also protect these secrets using ARMO runtime protection.",
+ "rulesNames": [
+ "rule-can-list-get-secrets"
+ ],
+ "id": "c_0015"
+}
\ No newline at end of file
diff --git a/controls/SSHserverrunninginsidecontainer.json b/controls/SSHserverrunninginsidecontainer.json
index 1a15ff276..8281b2921 100644
--- a/controls/SSHserverrunninginsidecontainer.json
+++ b/controls/SSHserverrunninginsidecontainer.json
@@ -1,11 +1,15 @@
 {
- "name": "SSH server running inside container",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Execution"]
- },
- "description": "An SSH server that is running inside a container may be used by attackers to get remote access to the container. Checks if pods have an open SSH port (22/2222).",
- "remediation": "Remove SSH from the container image or limit the access to the SSH server using network policy (Native or ARMO runtime protection).",
- "rulesNames": [ "rule-can-ssh-to-pod"
- ]
-}
+ "name": "SSH server running inside container",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Execution"
+ ]
+ },
+ "description": "An SSH server that is running inside a container may be used by attackers to get remote access to the container. Checks if pods have an open SSH port (22/2222).",
+ "remediation": "Remove SSH from the container image or limit the access to the SSH server using network policy (Native or ARMO runtime protection).",
+ "rulesNames": [
+ "rule-can-ssh-to-pod"
+ ],
+ "id": "c_0042"
+}
\ No newline at end of file
diff --git a/controls/accesscontainerserviceaccount.json b/controls/accesscontainerserviceaccount.json
index 23d3a5171..7c7522dd4 100644
--- a/controls/accesscontainerserviceaccount.json
+++ b/controls/accesscontainerserviceaccount.json
@@ -1,11 +1,15 @@
 {
- "name": "Access container service account",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Credential access"]
- },
- "description": "Attackers who get access to a pod can access the SA and perform actions in the cluster, according to the SA permissions. Determines which service accounts can be used to access other resources in the cluster.",
- "remediation": "If RBAC is not enabled, you should enable RBAC (refer to the API server documentation). If RBAC is enabled, make sure that you apply least privilege. Monitor and approve privileges of workloads which use kube-api.",
- "rulesNames": [ "access-container-service-account"
- ]
-}
+ "name": "Access container service account",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Credential access"
+ ]
+ },
+ "description": "Attackers who get access to a pod can access the SA and perform actions in the cluster, according to the SA permissions. Determines which service accounts can be used to access other resources in the cluster.",
+ "remediation": "If RBAC is not enabled, you should enable RBAC (refer to the API server documentation). If RBAC is enabled, make sure that you apply least privilege. Monitor and approve privileges of workloads which use kube-api.",
+ "rulesNames": [
+ "access-container-service-account"
+ ],
+ "id": "c_0053"
+}
\ No newline at end of file
diff --git a/controls/accessk8sdashboard.json b/controls/accessk8sdashboard.json
index fbbcedb23..eaca4d2b5 100644
--- a/controls/accessk8sdashboard.json
+++ b/controls/accessk8sdashboard.json
@@ -1,11 +1,16 @@
 {
- "name": "Access Kubernetes dashboard",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Discovery","Lateral Movement"]
- },
- "description": "Attackers who gain access to the dashboard service account or have its RBAC permissions can use its network access to retrieve information about resources in the cluster or change them. Checks if subject that is not dashboard service account is bound to dashboard role/clusterrole, or - if anyone that is not dashboard pod is associated with its service account.",
- "remediation": "Make sure that the “Kubernetes Dashboard” service account is only bound to the Kubernetes dashboard following the least privilege principle.",
- "rulesNames": ["rule-access-dashboard"
- ]
-}
+ "name": "Access Kubernetes dashboard",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Discovery",
+ "Lateral Movement"
+ ]
+ },
+ "description": "Attackers who gain access to the dashboard service account or have its RBAC permissions can use its network access to retrieve information about resources in the cluster or change them. Checks if subject that is not dashboard service account is bound to dashboard role/clusterrole, or - if anyone that is not dashboard pod is associated with its service account.",
+ "remediation": "Make sure that the \u201cKubernetes Dashboard\u201d service account is only bound to the Kubernetes dashboard following the least privilege principle.",
+ "rulesNames": [
+ "rule-access-dashboard"
+ ],
+ "id": "c_0014"
+}
\ No newline at end of file
diff --git a/controls/accesskubeletAPI.json b/controls/accesskubeletAPI.json
index d7dc36dd8..a811aee6a 100644
--- a/controls/accesskubeletAPI.json
+++ b/controls/accesskubeletAPI.json
@@ -1,11 +1,13 @@
 {
 "name": "Access Kubelet API",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Discovery"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Discovery"
+ ]
 },
 "description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.",
 "remediation": "Define network policy (native kubernetes or using ARMO runtime protection). Use ARMO runtime protection capabilities to monitor network traffic.",
- "rulesNames": [
- ]
- }
\ No newline at end of file
+ "rulesNames": [],
+ "id": "c_0003"
+}
\ No newline at end of file
diff --git a/controls/accesstillerendpoint.json b/controls/accesstillerendpoint.json
index 07f635734..399e99235 100644
--- a/controls/accesstillerendpoint.json
+++ b/controls/accesstillerendpoint.json
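Review bot: `"rulesNames": [],` on the new side means control c_0003 now carries an id but still evaluates no rule, so it can never raise a finding for the unauthenticated read-only kubelet port its own description warns about, and a consumer keyed on the id may read the empty result as a pass. If no rule exists yet, it would be better to keep this control out of the exported set until one does, or at least to note in the commit that c_0003 is a placeholder; the id assignment itself does not change that.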
@@ -1,10 +1,15 @@
 {
 "name": "Access tiller endpoint",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Lateral movement"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Lateral movement"
+ ]
 },
- "description":" Attackers may run code on any container that is accessible to the tiller’s service and perform actions in the cluster, using the tiller’s service account, which often has high privileges. Checks if Tiller exists in cluster.",
- "remediation": "Use version higher than 2 of Helm which doesn’t use Tiller",
- "rulesNames": ["access-tiller-endpoint"]
-}
+ "description": " Attackers may run code on any container that is accessible to the tiller\u2019s service and perform actions in the cluster, using the tiller\u2019s service account, which often has high privileges. Checks if Tiller exists in cluster.",
+ "remediation": "Use version higher than 2 of Helm which doesn\u2019t use Tiller",
+ "rulesNames": [
+ "access-tiller-endpoint"
+ ],
+ "id": "c_0033"
+}
\ No newline at end of file
diff --git a/controls/allowedhostpath.json b/controls/allowedhostpath.json
index 5a8c59de3..fe68616f2 100644
--- a/controls/allowedhostpath.json
+++ b/controls/allowedhostpath.json
@@ -1,10 +1,12 @@
 {
 "name": "Allowed hostPath",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Mounting host directory to the container can be abused to get access to sensitive data and gain persistence on the host machine.",
 "remediation": "Refrain from using host path mount.",
- "rulesNames": [ "alert-rw-hostpath"
- ]
- }
+ "rulesNames": [
+ "alert-rw-hostpath"
+ ],
+ "id": "c_0006"
+}
\ No newline at end of file
diff --git a/controls/allowprivilegeescalation.json b/controls/allowprivilegeescalation.json
index e9f5e6858..e720824bf 100644
--- a/controls/allowprivilegeescalation.json
+++ b/controls/allowprivilegeescalation.json
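Review bot: The rewritten description line for the tiller control still starts with a leading space, `" Attackers may run code on any container..."`, so the artefact is carried verbatim into the id-keyed file even though this commit already rewrites that string (the quotes are re-escaped). Trimming it to `"description": "Attackers may run code on any container that is accessible to the tiller\u2019s service ..."` in the same export keeps the text consistent with every other control, which begins without the space.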
@@ -1,10 +1,12 @@
 {
 "name": "Allow privilege escalation",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.",
 "remediation": "If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.",
- "rulesNames": [ "rule-allow-privilege-escalation"
- ]
- }
+ "rulesNames": [
+ "rule-allow-privilege-escalation"
+ ],
+ "id": "c_0016"
+}
\ No newline at end of file
diff --git a/controls/anonymousrequests.json b/controls/anonymousrequests.json
index 4112dd941..523ac050b 100644
--- a/controls/anonymousrequests.json
+++ b/controls/anonymousrequests.json
@@ -1,11 +1,12 @@
-
 {
 "name": "Anonymous requests",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "In Kubernetes 1.6 and newer, anonymous requests are allowed by default. If there is no RBAC enabled, this type of requests will have authorization to do everything.",
 "remediation": "Anonymous requests should be disabled by passing the --anonymous-auth=false option to the API server. Leaving anonymous requests enabled could allow a cyber actor to access cluster resources without authentication.",
- "rulesNames": [ "anonymous-requests"
- ]
- }
+ "rulesNames": [
+ "anonymous-requests"
+ ],
+ "id": "c_0051"
+}
\ No newline at end of file
diff --git a/controls/applicationexploitRCE.json b/controls/applicationexploitRCE.json
index 7178398c1..caa28a7bc 100644
--- a/controls/applicationexploitRCE.json
+++ b/controls/applicationexploitRCE.json
@@ -1,11 +1,15 @@
 {
- "name": "Application exploit (RCE)",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Execution"]
- },
- "description": "Applications that are vulnerable to a remote code execution vulnerability, enables attackers to run malicious code in the cluster. Determines if pods have vulnerable image with remote code execution using ARMO vulnerability scan (must run vulnerability scan before running posture scan).",
- "remediation": "Patch your container with a version that does not have this vulnerability or use ARMO runtime protection (sign the workload).",
- "rulesNames": [ "deny-RCE-vuln-image-pods"
- ]
-}
+ "name": "Application exploit (RCE)",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Execution"
+ ]
+ },
+ "description": "Applications that are vulnerable to a remote code execution vulnerability, enables attackers to run malicious code in the cluster. Determines if pods have vulnerable image with remote code execution using ARMO vulnerability scan (must run vulnerability scan before running posture scan).",
+ "remediation": "Patch your container with a version that does not have this vulnerability or use ARMO runtime protection (sign the workload).",
+ "rulesNames": [
+ "deny-RCE-vuln-image-pods"
+ ],
+ "id": "c_0025"
+}
\ No newline at end of file
diff --git a/controls/automaticmappingserviceaccount.json b/controls/automaticmappingserviceaccount.json
index 9ef13c181..3714f5272 100644
--- a/controls/automaticmappingserviceaccount.json
+++ b/controls/automaticmappingserviceaccount.json
@@ -1,10 +1,12 @@
 {
 "name": "Automatic mapping of service account",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.",
 "remediation": "Only map token to PODs that are really using them. We suggest disabling the automatic mounting of service account tokens to PODs at the service account level, by specifying the securityContext.readOnlyRootFilesystem field to true, and explicitly enabling the map for the PODs which are using it at the POD spec level.",
- "rulesNames": [ "automount-service-account"
- ]
- }
+ "rulesNames": [
+ "automount-service-account"
+ ],
+ "id": "c_0034"
+}
\ No newline at end of file
diff --git a/controls/backdoorcontainer.json b/controls/backdoorcontainer.json
index 3716fe928..454f62f75 100644
--- a/controls/backdoorcontainer.json
+++ b/controls/backdoorcontainer.json
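Review bot: The remediation kept as context in this hunk tells the reader to stop automatic token mounting "by specifying the securityContext.readOnlyRootFilesystem field to true", but that field only makes the container's root filesystem read-only and has no effect on whether the service account token is mounted; the setting that controls it is `automountServiceAccountToken: false` on the ServiceAccount, with the same field on the pod spec for the pods that do need the token. Since this file is being rewritten here under id c_0034, correcting that sentence in the same export would avoid shipping a remediation that does not resolve the finding the rule raises.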
@@ -1,11 +1,15 @@
 {
 "name": "Backdoor container",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Persistence"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Persistence"
+ ]
 },
- "description": "Attackers run their malicious code in a container in the cluster. By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster." ,
+ "description": "Attackers run their malicious code in a container in the cluster. By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.",
 "remediation": "You should apply least privilege principle (we can point to our audit/least privilege screen). Approve the users who can create new containers.",
- "rulesNames": [ "rule-can-create-modify-pod"
- ]
- }
\ No newline at end of file
+ "rulesNames": [
+ "rule-can-create-modify-pod"
+ ],
+ "id": "c_0027"
+}
\ No newline at end of file
diff --git a/controls/bash-cmdinsidecontainer.json b/controls/bash-cmdinsidecontainer.json
index b6ed4b5fd..be06a672d 100644
--- a/controls/bash-cmdinsidecontainer.json
+++ b/controls/bash-cmdinsidecontainer.json
@@ -1,11 +1,15 @@
 {
 "name": "Bash/cmd inside container",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Execution"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Execution"
+ ]
 },
- "description": "Attackers who can run new processes inside a container might use cmd/bash script inside a container can use it to execute malicious code. Determines which containers have bash/cmd inside it." ,
+ "description": "Attackers who can run new processes inside a container might use cmd/bash script inside a container can use it to execute malicious code. Determines which containers have bash/cmd inside it.",
 "remediation": "Remove cmd/bash from the containers you are using.",
- "rulesNames": [ "rule-can-bash-cmd-inside-container"
- ]
- }
+ "rulesNames": [
+ "rule-can-bash-cmd-inside-container"
+ ],
+ "id": "c_0019"
+}
\ No newline at end of file
diff --git a/controls/clearcontainerlogs.json b/controls/clearcontainerlogs.json
index 78900909f..e2d971377 100644
--- a/controls/clearcontainerlogs.json
+++ b/controls/clearcontainerlogs.json
@@ -1,11 +1,15 @@
 {
 "name": "Clear container logs",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Defense Evasion"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Defense Evasion"
+ ]
 },
- "description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity." ,
+ "description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.",
 "remediation": "You should apply least privilege principle. Approve the users who can delete logs inside containers.",
- "rulesNames": [ "rule-can-delete-logs"
- ]
- }
\ No newline at end of file
+ "rulesNames": [
+ "rule-can-delete-logs"
+ ],
+ "id": "c_0029"
+}
\ No newline at end of file
diff --git a/controls/cluster-adminbinding.json b/controls/cluster-adminbinding.json
index b8c374548..ca9cd9087 100644
--- a/controls/cluster-adminbinding.json
+++ b/controls/cluster-adminbinding.json
@@ -1,11 +1,15 @@
 {
- "name": "Cluster-admin binding",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Privilege escalation"]
- },
- "description": "Attackers who have Cluster-admin permissions (can perform any action on any resource), can take advantage of their high privileges for malicious intentions. Determines which subjects have cluster admin permissions.",
- "remediation": "You should apply least privilege principle. Monitor and approve cluster admins and make sure users that do not require cluster-admin are not assigned with this role.",
- "rulesNames": [ "rule-list-all-cluster-admins"
- ]
-}
+ "name": "Cluster-admin binding",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Privilege escalation"
+ ]
+ },
+ "description": "Attackers who have Cluster-admin permissions (can perform any action on any resource), can take advantage of their high privileges for malicious intentions. Determines which subjects have cluster admin permissions.",
+ "remediation": "You should apply least privilege principle. Monitor and approve cluster admins and make sure users that do not require cluster-admin are not assigned with this role.",
+ "rulesNames": [
+ "rule-list-all-cluster-admins"
+ ],
+ "id": "c_0035"
+}
\ No newline at end of file
diff --git a/controls/clusterInternalnetworking.json b/controls/clusterInternalnetworking.json
index 94f0f4f1b..8f70d701c 100644
--- a/controls/clusterInternalnetworking.json
+++ b/controls/clusterInternalnetworking.json
@@ -1,11 +1,15 @@
 {
- "name": "Cluster internal networking",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Lateral movement"]
- },
- "description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. Lists namespaces in which no network policies are defined.",
- "remediation": "Define network policy (native K8s or using ARMO runtime protection).",
- "rulesNames": [ "internal-networking"
- ]
-}
+ "name": "Cluster internal networking",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Lateral movement"
+ ]
+ },
+ "description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. Lists namespaces in which no network policies are defined.",
+ "remediation": "Define network policy (native K8s or using ARMO runtime protection).",
+ "rulesNames": [
+ "internal-networking"
+ ],
+ "id": "c_0054"
+}
\ No newline at end of file
diff --git a/controls/compromisedimagesinregistry.json b/controls/compromisedimagesinregistry.json
index 4d06fabd5..1aa2c3873 100644
--- a/controls/compromisedimagesinregistry.json
+++ b/controls/compromisedimagesinregistry.json
@@ -1,11 +1,15 @@
 {
- "name": "Compromised images in registry",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Initial Access"]
- },
- "description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster’s management layer.",
- "remediation": "Limit the registries from which you pull container images. ",
- "rulesNames": ["rule-identify-blacklisted-image-registries"
- ]
+ "name": "Compromised images in registry",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Initial Access"
+ ]
+ },
+ "description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster\u2019s management layer.",
+ "remediation": "Limit the registries from which you pull container images. ",
+ "rulesNames": [
+ "rule-identify-blacklisted-image-registries"
+ ],
+ "id": "c_0001"
 }
\ No newline at end of file
diff --git a/controls/configuredlivenessprobe.json b/controls/configuredlivenessprobe.json
index 59e2a8422..620b03318 100644
--- a/controls/configuredlivenessprobe.json
+++ b/controls/configuredlivenessprobe.json
@@ -1,10 +1,12 @@
 {
 "name": "Configured liveness probe",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Liveness probe is not configured.",
 "remediation": "Ensure Liveness probe is configured",
- "rulesNames": [ "configured-liveness-probe"
- ]
- }
+ "rulesNames": [
+ "configured-liveness-probe"
+ ],
+ "id": "c_0056"
+}
\ No newline at end of file
diff --git a/controls/configuredreadinessprobe.json b/controls/configuredreadinessprobe.json
index c5cade855..62bcdb870 100644
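Review bot: The rewritten description for control c_0001 ("Compromised images in registry") talks entirely about compromised cloud account credentials and cluster takeover, while the name, remediation and the `rule-identify-blacklisted-image-registries` rule are about pulling images from untrusted registries; the text reads as if it was copied from a cloud-credentials control. Since the string is being re-emitted here anyway, a description that matches the rule, along the lines of `"description": "Attackers who compromise a container registry, or publish images to one the cluster trusts, can get malicious code into the cluster through a normal image pull. Checks if pods pull images from registries outside the allowed list."`, would keep the control's finding and its explanation consistent.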
--- a/controls/configuredreadinessprobe.json
+++ b/controls/configuredreadinessprobe.json
@@ -1,10 +1,12 @@
 {
 "name": "Configured readiness probe",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Readiness probe is not configured.",
 "remediation": "Ensure Readiness probe is configured.",
- "rulesNames": [ "configured-readiness-probe"
- ]
- }
+ "rulesNames": [
+ "configured-readiness-probe"
+ ],
+ "id": "c_0018"
+}
\ No newline at end of file
diff --git a/controls/containerhostport.json b/controls/containerhostport.json
index 1fa5c11f0..c956b88e5 100644
--- a/controls/containerhostport.json
+++ b/controls/containerhostport.json
@@ -1,10 +1,12 @@
 {
 "name": "Container hostPort",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Configuring hostPort limits you to a particular port, and if any two workloads that specify the same HostPort cannot be deployed to the same node. And if the scale of your workload is larger than the number of nodes in your Kubernetes cluster, the deployment fails.",
 "remediation": "Make sure you do not configure hostPort for the container, if necessary use NodePort / ClusterIP",
- "rulesNames": [ "container-hostPort"
- ]
- }
+ "rulesNames": [
+ "container-hostPort"
+ ],
+ "id": "c_0044"
+}
\ No newline at end of file
diff --git a/controls/controlplanehardening.json b/controls/controlplanehardening.json
index 5934b961e..6846274d3 100644
--- a/controls/controlplanehardening.json
+++ b/controls/controlplanehardening.json
@@ -1,10 +1,12 @@
 {
 "name": "Control plane hardening",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Kubernetes control plane API is running with non-secure port enabled which allows attackers to gain unprotected access to the cluster.",
 "remediation": "Set the insecure-port flag of the API server to zero.",
- "rulesNames": ["insecure-port-flag"
- ]
- }
+ "rulesNames": [
+ "insecure-port-flag"
+ ],
+ "id": "c_0005"
+}
\ No newline at end of file
diff --git a/controls/coreDNSpoisoning.json b/controls/coreDNSpoisoning.json
index 62acf32a3..0b7943c11 100644
--- a/controls/coreDNSpoisoning.json
+++ b/controls/coreDNSpoisoning.json
@@ -1,11 +1,15 @@
 {
 "name": "CoreDNS poisoning",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Lateral Movement"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Lateral Movement"
+ ]
 },
- "description": "If attackers have permissions to modify the coredns ConfigMap, they can change the behavior of the cluster’s DNS, poison it, and take the network identity of other services. Determines which users can update/patch the 'coredns' configmap.",
+ "description": "If attackers have permissions to modify the coredns ConfigMap, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services. Determines which users can update/patch the 'coredns' configmap.",
 "remediation": "You should apply least privilege principle. Monitor and approve the users who can modify the 'coredns' configmap.",
- "rulesNames": [ "rule-can-update-configmap"
- ]
- }
+ "rulesNames": [
+ "rule-can-update-configmap"
+ ],
+ "id": "c_0037"
+}
\ No newline at end of file
diff --git a/controls/dangerouscapabilities.json b/controls/dangerouscapabilities.json
index ac898c480..e9ab50765 100644
--- a/controls/dangerouscapabilities.json
+++ b/controls/dangerouscapabilities.json
@@ -1,10 +1,12 @@
 {
 "name": "Dangerous capabilities",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Giving dangerous and unnecessary capabilities for a container can increase the impact of a container compromise.",
- "remediation": "Remove all dangerous capabilities which aren’t necessary for the container.",
- "rulesNames": [ "dangerous-capabilities"
- ]
- }
+ "remediation": "Remove all dangerous capabilities which aren\u2019t necessary for the container.",
+ "rulesNames": [
+ "dangerous-capabilities"
+ ],
+ "id": "c_0028"
+}
\ No newline at end of file
diff --git a/controls/datadestruction.json b/controls/datadestruction.json
index 91590a43e..e0800a7eb 100644
--- a/controls/datadestruction.json
+++ b/controls/datadestruction.json
@@ -1,11 +1,15 @@
 {
 "name": "Data Destruction",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Impact"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Impact"
+ ]
 },
 "description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources. Determines which subjects can delete resources.",
 "remediation": "You should apply least privilege principle. Monitor and approve the users who can delete resources.",
- "rulesNames": [ "rule-excessive-delete-rights"
- ]
- }
+ "rulesNames": [
+ "rule-excessive-delete-rights"
+ ],
+ "id": "c_0007"
+}
\ No newline at end of file
diff --git a/controls/deleteKubernetesevents.json b/controls/deleteKubernetesevents.json
index c885f8cf6..fc67a396b 100644
--- a/controls/deleteKubernetesevents.json
+++ b/controls/deleteKubernetesevents.json
@@ -1,11 +1,15 @@
 {
 "name": "Delete Kubernetes events",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Defense evasion"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Defense evasion"
+ ]
 },
 "description": "Attackers may delete these events to avoid detection of their activity in the cluster. Determines which subjects can delete k8s events.",
 "remediation": "You should apply least privilege principle. Monitor and approve the users who can delete events.",
- "rulesNames": [ "rule-can-delete-k8s-events"
- ]
- }
+ "rulesNames": [
+ "rule-can-delete-k8s-events"
+ ],
+ "id": "c_0031"
+}
\ No newline at end of file
diff --git a/controls/execintocontainer.json b/controls/execintocontainer.json
index 3f1da28f4..529a428c6 100644
--- a/controls/execintocontainer.json
+++ b/controls/execintocontainer.json
@@ -1,11 +1,15 @@
 {
- "name": "Exec into container",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Execution"]
- },
- "description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). Determines which subjects have permissions to exec into containers." ,
- "remediation": "You should apply least privilege principal (we can point to our audit/least privilege screen). You should monitor and approve users who can exec into containers.",
- "rulesNames": [ "exec-into-container"
- ]
-}
+ "name": "Exec into container",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Execution"
+ ]
+ },
+ "description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). Determines which subjects have permissions to exec into containers.",
+ "remediation": "You should apply least privilege principal (we can point to our audit/least privilege screen). You should monitor and approve users who can exec into containers.",
+ "rulesNames": [
+ "exec-into-container"
+ ],
+ "id": "c_0002"
+}
\ No newline at end of file
diff --git a/controls/exposeddashboard.json b/controls/exposeddashboard.json
index 22f9ba30b..1cd76e300 100644
--- a/controls/exposeddashboard.json
+++ b/controls/exposeddashboard.json
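Review bot: The new `remediation` line in execintocontainer.json ships an internal drafting note to end users: `(we can point to our audit/least privilege screen)` is an author-to-author aside, and `least privilege principal` should read `principle`. Suggested line: `"remediation": "You should apply least privilege principle. You should monitor and approve users who can exec into containers.",`. The same parenthetical appears in the new `remediation` line of the newcontainer.json hunk further down and should be dropped there too.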
@@ -1,11 +1,15 @@
 {
- "name": "Exposed dashboard",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Initial Access"]
- },
- "description": "If Kubernetes dashboard is exposed externally in Dashboard versions before 2.01, it will allow unauthenticated remote management of the cluster.",
- "remediation": "Update dashboard version to v2.0.1 or above.",
- "rulesNames": ["rule-exposed-dashboard"
- ]
-}
+ "name": "Exposed dashboard",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Initial Access"
+ ]
+ },
+ "description": "If Kubernetes dashboard is exposed externally in Dashboard versions before 2.01, it will allow unauthenticated remote management of the cluster.",
+ "remediation": "Update dashboard version to v2.0.1 or above.",
+ "rulesNames": [
+ "rule-exposed-dashboard"
+ ],
+ "id": "c_0047"
+}
\ No newline at end of file
diff --git a/controls/exposedsensitiveinterfaces.json b/controls/exposedsensitiveinterfaces.json
index 6043877e2..5385aa7cf 100644
--- a/controls/exposedsensitiveinterfaces.json
+++ b/controls/exposedsensitiveinterfaces.json
@@ -1,10 +1,15 @@
 {
 "name": "Exposed sensitive interfaces",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Initial access"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Initial access"
+ ]
 },
 "description": "Exposing a sensitive interface to the internet poses a security risk. It might enable attacker to run malicious code or deploy containers in the cluster. Checks if known interfaces have externally exposed services.",
 "remediation": "Consider not exposing such interfaces.",
- "rulesNames": ["exposed-sensitive-interfaces"]
-}
+ "rulesNames": [
+ "exposed-sensitive-interfaces"
+ ],
+ "id": "c_0021"
+}
\ No newline at end of file
diff --git a/controls/hostPathmount.json b/controls/hostPathmount.json
index 53f078cc0..5c546e892 100644
--- a/controls/hostPathmount.json
+++ b/controls/hostPathmount.json
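Review bot: The new `description` and `remediation` lines in exposeddashboard.json disagree on the version boundary: the description says `Dashboard versions before 2.01` while the remediation says `v2.0.1 or above`. One of the two is a typo, and since the remediation names the concrete release, the description should probably read `Dashboard versions before v2.0.1`. Whichever is right, the finding text and its fix should name the same version so a reader can tell whether their deployment is affected.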
@@ -1,11 +1,15 @@
 {
- "name": "hostPath mount",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Privilege escalation"]
- },
- "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host.",
- "remediation": "Try to refrain from using host path mount. You can use ARMO runtime protection (encryption capability) to encrypt these files.",
- "rulesNames": [ "alert-any-hostpath"
- ]
-}
+ "name": "hostPath mount",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Privilege escalation"
+ ]
+ },
+ "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host.",
+ "remediation": "Try to refrain from using host path mount. You can use ARMO runtime protection (encryption capability) to encrypt these files.",
+ "rulesNames": [
+ "alert-any-hostpath"
+ ],
+ "id": "c_0048"
+}
\ No newline at end of file
diff --git a/controls/hostnetworkaccess.json b/controls/hostnetworkaccess.json
index ae41c79bd..1cd1363bf 100644
--- a/controls/hostnetworkaccess.json
+++ b/controls/hostnetworkaccess.json
@@ -1,10 +1,12 @@
 {
 "name": "hostNetwork access",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC.",
 "remediation": "Only connect PODs to host network when it is necessary. If not, set the hostNetwork field of the pod spec to false, or erase it (false is the default). Whitelist those PODs that need access to host network by design.",
- "rulesNames": [ "host-network-access"
- ]
- }
+ "rulesNames": [
+ "host-network-access"
+ ],
+ "id": "c_0041"
+}
\ No newline at end of file
diff --git a/controls/hostpidipcprivileges.json b/controls/hostpidipcprivileges.json
index 43b4bdf24..f27935035 100644
--- a/controls/hostpidipcprivileges.json
+++ b/controls/hostpidipcprivileges.json
@@ -1,10 +1,12 @@
 {
 "name": "Host PID/IPC privileges",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Containers should be as isolated as possible from the host machine. The hostPID and hostIPC fields in Kubernetes may excessively expose the host for potentially malicious actions.",
 "remediation": "Apply least privilege principle and disable the hostPID and hostIPC fields unless strictly needed.",
- "rulesNames": ["host-pid-ipc-privileges"
- ]
- }
+ "rulesNames": [
+ "host-pid-ipc-privileges"
+ ],
+ "id": "c_0038"
+}
\ No newline at end of file
diff --git a/controls/immutablecontainerfilesystem.json b/controls/immutablecontainerfilesystem.json
index 637010d7c..e3c9c7d09 100644
--- a/controls/immutablecontainerfilesystem.json
+++ b/controls/immutablecontainerfilesystem.json
@@ -1,10 +1,12 @@
 {
 "name": "Immutable container filesystem",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Mutable container filesystem can be abused to gain malicious code and data injection into containers. Use immutable (read-only) filesystem to limit potential attacks.",
 "remediation": "Set the filesystem of the container to read-only when possible. If the containers application needs to write into the filesystem, it is possible to mount secondary filesystems for specific directories where application require write access. ",
- "rulesNames": [ "immutable-container-filesystem"
- ]
- }
+ "rulesNames": [
+ "immutable-container-filesystem"
+ ],
+ "id": "c_0017"
+}
\ No newline at end of file
diff --git a/controls/ingressandegressblocked.json b/controls/ingressandegressblocked.json
index 206afbec3..b4e94de3c 100644
--- a/controls/ingressandegressblocked.json
+++ b/controls/ingressandegressblocked.json
@@ -1,10 +1,12 @@
 {
 "name": "Ingress and Egress blocked",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "By default, you should disable Ingress and Egress traffic on all pods.",
 "remediation": "Define a network policy that restricts ingress and egress connections. ",
- "rulesNames": [ "ingress-and-egress-blocked"
- ]
- }
+ "rulesNames": [
+ "ingress-and-egress-blocked"
+ ],
+ "id": "c_0030"
+}
\ No newline at end of file
diff --git a/controls/insecurecapabilities.json b/controls/insecurecapabilities.json
index 6e19b1451..a866700b8 100644
--- a/controls/insecurecapabilities.json
+++ b/controls/insecurecapabilities.json
@@ -1,10 +1,12 @@
 {
 "name": "Insecure capabilities",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Giving insecure and unnecessary capabilities for a container can increase the impact of a container compromise.",
- "remediation": "Remove all insecure capabilities which aren’t necessary for the container.",
- "rulesNames": [ "insecure-capabilities"
- ]
- }
+ "remediation": "Remove all insecure capabilities which aren\u2019t necessary for the container.",
+ "rulesNames": [
+ "insecure-capabilities"
+ ],
+ "id": "c_0046"
+}
\ No newline at end of file
diff --git a/controls/instancemetadataAPI..json b/controls/instancemetadataAPI..json
index 8d5469b06..37a3c23bc 100644
--- a/controls/instancemetadataAPI..json
+++ b/controls/instancemetadataAPI..json
@@ -1,11 +1,15 @@
 {
- "name": "Instance Metadata API",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Discovery"]
- },
- "description": "Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. Checks if there is access from the nodes to cloud providers instance metadata services.",
- "remediation": "Disable metadata services for pods in cloud provider settings.",
- "rulesNames": [ "instance-metadata-api-access"
- ]
-}
+ "name": "Instance Metadata API",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Discovery"
+ ]
+ },
+ "description": "Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. Checks if there is access from the nodes to cloud providers instance metadata services.",
+ "remediation": "Disable metadata services for pods in cloud provider settings.",
+ "rulesNames": [
+ "instance-metadata-api-access"
+ ],
+ "id": "c_0052"
+}
\ No newline at end of file
diff --git a/controls/kubernetescronJob.json b/controls/kubernetescronJob.json
index 1f05f7056..0739f170c 100644
--- a/controls/kubernetescronJob.json
+++ b/controls/kubernetescronJob.json
@@ -1,11 +1,15 @@
 {
- "name": "Kubernetes CronJob",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Persistence"]
- },
- "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. Lists all CronJobs that exist in the cluster for the user to approve.",
- "remediation": "Watch Kubernetes CronJobs and make sure there is a reason for creating these CronJobs.",
- "rulesNames": [ "rule-deny-cronjobs"
- ]
-}
+ "name": "Kubernetes CronJob",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Persistence"
+ ]
+ },
+ "description": "Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. Lists all CronJobs that exist in the cluster for the user to approve.",
+ "remediation": "Watch Kubernetes CronJobs and make sure there is a reason for creating these CronJobs.",
+ "rulesNames": [
+ "rule-deny-cronjobs"
+ ],
+ "id": "c_0026"
+}
\ No newline at end of file
diff --git a/controls/linuxhardening.json b/controls/linuxhardening.json
index c590d5ab0..279492c9c 100644
--- a/controls/linuxhardening.json
+++ b/controls/linuxhardening.json
@@ -1,10 +1,12 @@
 {
 "name": "Linux hardening",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Often, containers are given more privileges than actually needed. This behavior can increase the impact of a container compromise.",
 "remediation": "Make sure you define at least one linux security hardening property out of AppArmor, Seccomp, SELinux or Capabilities.",
- "rulesNames": [ "linux-hardening"
- ]
- }
+ "rulesNames": [
+ "linux-hardening"
+ ],
+ "id": "c_0055"
+}
\ No newline at end of file
diff --git a/controls/maliciousadmissioncontroller-mutating.json b/controls/maliciousadmissioncontroller-mutating.json
index fea4aa1b3..0d4fceaf1 100644
--- a/controls/maliciousadmissioncontroller-mutating.json
+++ b/controls/maliciousadmissioncontroller-mutating.json
@@ -1,11 +1,15 @@
 {
 "name": "Malicious admission controller (mutating)",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Persistence"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Persistence"
+ ]
 },
 "description": "Attackers can use mutating webhooks to intercept and modify resources in the cluster. Returns mutating webhook configurations to be verified.",
 "remediation": "Analyze webhook for malicious behavior",
- "rulesNames": [ "list-all-mutating-webhooks"
- ]
- }
+ "rulesNames": [
+ "list-all-mutating-webhooks"
+ ],
+ "id": "c_0039"
+}
\ No newline at end of file
diff --git a/controls/maliciousadmissioncontroller-validating.json b/controls/maliciousadmissioncontroller-validating.json
index bc4f642b2..f6709a079 100644
--- a/controls/maliciousadmissioncontroller-validating.json
+++ b/controls/maliciousadmissioncontroller-validating.json
@@ -1,11 +1,15 @@
 {
 "name": "Malicious admission controller (validating)",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Credential access"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Credential access"
+ ]
 },
 "description": "Attackers can use mutating webhooks to intercept and modify resources in the cluster. Returns mutating webhook configurations to be verified.",
 "remediation": "Analyze webhook for malicious behavior.",
- "rulesNames": [ "list-all-validating-webhooks"
- ]
- }
+ "rulesNames": [
+ "list-all-validating-webhooks"
+ ],
+ "id": "c_0036"
+}
\ No newline at end of file
diff --git a/controls/morethanonereplicas.json b/controls/morethanonereplicas.json
index 1a9a789fc..e4f567653 100644
--- a/controls/morethanonereplicas.json
+++ b/controls/morethanonereplicas.json
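Review bot: The `description` kept in maliciousadmissioncontroller-validating.json is a copy of the mutating control's text: it says attackers use `mutating webhooks to intercept and modify resources` and that the control `Returns mutating webhook configurations`, while the name, the `Credential access` MITRE column and the `list-all-validating-webhooks` rule all concern validating webhooks, which can observe admitted objects but cannot modify them. Suggested line: `"description": "Attackers can use validating webhooks to intercept and read resources sent to the API server. Returns validating webhook configurations to be verified.",`. The line is context in this hunk, so the mismatch predates the commit, but the file is being touched anyway.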
@@ -1,10 +1,12 @@
 {
 "name": "More than one replicas",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Replicas are set to one.",
 "remediation": "Ensure replicas field is set and value is bigger than one.",
- "rulesNames": [ "more-than-one-replicas"
- ]
- }
+ "rulesNames": [
+ "more-than-one-replicas"
+ ],
+ "id": "c_0032"
+}
\ No newline at end of file
diff --git a/controls/mountserviceprincipal.json b/controls/mountserviceprincipal.json
index a394492da..d58949e0b 100644
--- a/controls/mountserviceprincipal.json
+++ b/controls/mountserviceprincipal.json
@@ -1,11 +1,15 @@
 {
 "name": "Mount service principal",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Credential Access"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Credential Access"
+ ]
 },
 "description": "Determines if any workload contains a hostPath volume.",
 "remediation": "Try to refrain from using host path mount. You can use ARMO runtime protection (encryption capability) to encrypt these files.",
- "rulesNames": [ "alert-any-hostpath"
- ]
-}
+ "rulesNames": [
+ "alert-any-hostpath"
+ ],
+ "id": "c_0020"
+}
\ No newline at end of file
diff --git a/controls/namesimilarity.json b/controls/namesimilarity.json
index ace7c4ba3..88c682bc9 100644
--- a/controls/namesimilarity.json
+++ b/controls/namesimilarity.json
@@ -1,11 +1,15 @@
 {
 "name": "Pod / container name similarity",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Defense evasion"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Defense evasion"
+ ]
 },
 "description": "Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.",
 "remediation": "You should look at the reported Pods and make sure they were created and developed by your team. It would be wise to change the Pod names.",
- "rulesNames": [ "rule-name-similarity"
- ]
- }
\ No newline at end of file
+ "rulesNames": [
+ "rule-name-similarity"
+ ],
+ "id": "c_0043"
+}
\ No newline at end of file
diff --git a/controls/networkmapping.json b/controls/networkmapping.json
index 1a0ca9b15..ae41e5ab1 100644
--- a/controls/networkmapping.json
+++ b/controls/networkmapping.json
@@ -1,11 +1,15 @@
 {
- "name": "Network mapping",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Discovery"]
- },
- "description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. Lists namespaces in which no network policies are defined.",
- "remediation": "Define network policy (native Kubernetes or using ARMO runtime protection). Use ARMO runtime protection capabilities to monitor network traffic.",
- "rulesNames": [ "internal-networking"
- ]
-}
+ "name": "Network mapping",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Discovery"
+ ]
+ },
+ "description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. Lists namespaces in which no network policies are defined.",
+ "remediation": "Define network policy (native Kubernetes or using ARMO runtime protection). Use ARMO runtime protection capabilities to monitor network traffic.",
+ "rulesNames": [
+ "internal-networking"
+ ],
+ "id": "c_0049"
+}
\ No newline at end of file
diff --git a/controls/networkpolicies.json b/controls/networkpolicies.json
index b7140a81e..22e143dea 100644
--- a/controls/networkpolicies.json
+++ b/controls/networkpolicies.json
@@ -1,11 +1,12 @@
 {
 "name": "Network policies",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. Lists namespaces in which no network policies are defined.",
 "remediation": "Define network policy.",
- "rulesNames": [ "internal-networking"
- ]
- }
- 
\ No newline at end of file
+ "rulesNames": [
+ "internal-networking"
+ ],
+ "id": "c_0011"
+}
\ No newline at end of file
diff --git a/controls/newcontainer.json b/controls/newcontainer.json
index b9bd52a9b..ab14c48b6 100644
--- a/controls/newcontainer.json
+++ b/controls/newcontainer.json
@@ -1,11 +1,15 @@
 {
- "name": "New container",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Execution"]
- },
- "description": "Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as DaemonSet / ReplicaSet / Deployment) can create a new resource for running their code." ,
- "remediation": "You should apply least privilege principle (we can point to our audit/least privilege screen). Approve the users who can create new containers.",
- "rulesNames": [ "rule-can-create-modify-pod"
- ]
+ "name": "New container",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Execution"
+ ]
+ },
+ "description": "Attackers may attempt to run their code in the cluster by deploying a container. Attackers who have permissions to deploy a pod or a controller in the cluster (such as DaemonSet / ReplicaSet / Deployment) can create a new resource for running their code.",
+ "remediation": "You should apply least privilege principle (we can point to our audit/least privilege screen). Approve the users who can create new containers.",
+ "rulesNames": [
+ "rule-can-create-modify-pod"
+ ],
+ "id": "c_0010"
 }
\ No newline at end of file
diff --git a/controls/nonrootcontainers.json b/controls/nonrootcontainers.json
index fb97db8f6..52d98f57c 100644
--- a/controls/nonrootcontainers.json
+++ b/controls/nonrootcontainers.json
@@ -1,10 +1,12 @@
 {
 "name": "Non-root containers",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Potential attackers may gain access to a container and leverage its privileges to conduct an attack. Hence it is not recommended to deploy containers with root privileges unless it is absolutely necessary.",
 "remediation": "If your application does not need root privileges, make sure to define the runAsUser and runAsGroup under the PodSecurityContext to use user ID 1000 or higher, do not turn on allowPrivlegeEscalation bit and runAsNonRoot is true.",
- "rulesNames": [ "non-root-containers"
- ]
- }
+ "rulesNames": [
+ "non-root-containers"
+ ],
+ "id": "c_0013"
+}
\ No newline at end of file
diff --git a/controls/podspecificversiontag.json b/controls/podspecificversiontag.json
index 5ab5bab2e..b458596b8 100644
--- a/controls/podspecificversiontag.json
+++ b/controls/podspecificversiontag.json
@@ -1,10 +1,12 @@
 {
 "name": "Specific version tag",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "",
 "remediation": "",
- "rulesNames": [ "pod-specific-version-tag"
- ]
- }
+ "rulesNames": [
+ "pod-specific-version-tag"
+ ],
+ "id": "c_0040"
+}
\ No newline at end of file
diff --git a/controls/privilegedcontainer.json b/controls/privilegedcontainer.json
index 064a32f91..fcf875c87 100644
--- a/controls/privilegedcontainer.json
+++ b/controls/privilegedcontainer.json
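Review bot: The `remediation` text in nonrootcontainers.json misspells the Kubernetes securityContext field as `allowPrivlegeEscalation`; the real field is `allowPrivilegeEscalation`, and a user copying the name from the finding into a manifest ends up with a field Kubernetes does not recognise. Suggested fragment: `do not turn on the allowPrivilegeEscalation bit and set runAsNonRoot to true`. The same misspelling appears in the useridlessthanthousand.json hunk further down. Both lines are context here, so the typo predates the commit, but the files are already being rewritten.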
@@ -1,11 +1,15 @@
 {
- "name": "Privileged container",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Privilege escalation"]
- },
- "description": "Potential attackers may gain access to privileged containers and inherit access to the host resources. Therefore, it is not recommended to deploy privileged containers unless it is absolutely necessary.",
- "remediation": "Change the deployment and/or pod definition to unprivileged. The securityContext.privileged should be false.",
- "rulesNames": [ "rule-privilege-escalation"
- ]
-}
+ "name": "Privileged container",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Privilege escalation"
+ ]
+ },
+ "description": "Potential attackers may gain access to privileged containers and inherit access to the host resources. Therefore, it is not recommended to deploy privileged containers unless it is absolutely necessary.",
+ "remediation": "Change the deployment and/or pod definition to unprivileged. The securityContext.privileged should be false.",
+ "rulesNames": [
+ "rule-privilege-escalation"
+ ],
+ "id": "c_0057"
+}
\ No newline at end of file
diff --git a/controls/resourcehijacking.json b/controls/resourcehijacking.json
index 73665c859..276d96087 100644
--- a/controls/resourcehijacking.json
+++ b/controls/resourcehijacking.json
@@ -1,11 +1,15 @@
 {
 "name": "Resource Hijacking",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Impact"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Impact"
+ ]
 },
 "description": "Attackers who have access to a container in the cluster or have permissions to create new containers may abuse them to run compromising tasks, such as running digital currency mining. Determines which subjects have permissions to create/modify pods.",
 "remediation": "You should apply least privilege principle. Approve the users who can create/delete pods.",
- "rulesNames": [ "rule-can-create-modify-pod"
- ]
- }
+ "rulesNames": [
+ "rule-can-create-modify-pod"
+ ],
+ "id": "c_0023"
+}
\ No newline at end of file
diff --git a/controls/resourcepolicies.json b/controls/resourcepolicies.json
index 548a7f769..0575faaf5 100644
--- a/controls/resourcepolicies.json
+++ b/controls/resourcepolicies.json
@@ -1,10 +1,12 @@
 {
 "name": "Resource policies",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "CPU and memory resources should have a limit set for every container to prevent resource exhaustion.",
 "remediation": "Define LimitRange and ResourceQuota policies to limit resource usage for namespaces or nodes.",
- "rulesNames": ["resource-policies"
- ]
- }
+ "rulesNames": [
+ "resource-policies"
+ ],
+ "id": "c_0009"
+}
\ No newline at end of file
diff --git a/controls/resourcescpulimit.json b/controls/resourcescpulimit.json
index 1c08845c9..7458e2006 100644
--- a/controls/resourcescpulimit.json
+++ b/controls/resourcescpulimit.json
@@ -1,10 +1,12 @@
 {
 "name": "Resources CPU limit",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "CPU limits are not set.",
 "remediation": "Ensure CPU limits are set.",
- "rulesNames": [ "resources-cpu-limit"
- ]
- }
+ "rulesNames": [
+ "resources-cpu-limit"
+ ],
+ "id": "c_0050"
+}
\ No newline at end of file
diff --git a/controls/resourcesmemorylimit.json b/controls/resourcesmemorylimit.json
index 4efa5c1f1..f953043f2 100644
--- a/controls/resourcesmemorylimit.json
+++ b/controls/resourcesmemorylimit.json
@@ -1,10 +1,12 @@
 {
 "name": "Resources memory limit",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "memory limits are not set.",
 "remediation": "Ensure memory limits are set.",
- "rulesNames": [ "resources-memory-limit"
- ]
- }
+ "rulesNames": [
+ "resources-memory-limit"
+ ],
+ "id": "c_0004"
+}
\ No newline at end of file
diff --git a/controls/sidecarinjection.json b/controls/sidecarinjection.json
index 716b2d721..d88407c4a 100644
--- a/controls/sidecarinjection.json
+++ b/controls/sidecarinjection.json
@@ -1,11 +1,15 @@
 {
 "name": "Sidecar injection",
 "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Execution"]
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Execution"
+ ]
 },
- "description": "A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar container is a term that is used to describe an additional container that resides alongside the main container. For example, service-mesh proxies are operating as sidecars in the applications’ pods. Attackers can run their code and hide their activity by injecting a sidecar container to a legitimate pod in the cluster instead of running their own separated pod in the cluster.",
+ "description": "A Kubernetes Pod is a group of one or more containers with shared storage and network resources. Sidecar container is a term that is used to describe an additional container that resides alongside the main container. For example, service-mesh proxies are operating as sidecars in the applications\u2019 pods. Attackers can run their code and hide their activity by injecting a sidecar container to a legitimate pod in the cluster instead of running their own separated pod in the cluster.",
 "remediation": "",
- "rulesNames": [ "sidecar-injection"
- ]
- }
\ No newline at end of file
+ "rulesNames": [
+ "sidecar-injection"
+ ],
+ "id": "c_0008"
+}
\ No newline at end of file
diff --git a/controls/useridlessthanthousand.json b/controls/useridlessthanthousand.json
index 9b9cb1e9d..3381b7467 100644
--- a/controls/useridlessthanthousand.json
+++ b/controls/useridlessthanthousand.json
@@ -1,10 +1,12 @@
 {
 "name": "User-id-less-than-thousand",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "description": "Potential attackers may gain access to a container and leverage its privileges to conduct an attack. Hence it is not recommended to deploy containers with user/group id less than 1000, unless it is absolutely necessary.",
 "remediation": "If your application does not need root privileges, make sure to define the runAsUser and runAsGroup under the PodSecurityContext to use user ID 1000 or higher, do not turn on allowPrivlegeEscalation bit and runAsNonRoot is true.",
- "rulesNames": [ "user-id-less-than-thousands"
- ]
- }
+ "rulesNames": [
+ "user-id-less-than-thousands"
+ ],
+ "id": "c_0022"
+}
\ No newline at end of file
diff --git a/controls/vulnerableapplication.json b/controls/vulnerableapplication.json
index 875cb7ee5..e457b0fe1 100644
--- a/controls/vulnerableapplication.json
+++ b/controls/vulnerableapplication.json
@@ -1,11 +1,15 @@
 {
- "name": "Vulnerable application",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Initial Access"]
- },
- "description": "Running a vulnerable application in a cluster can enable an attacker initial access to the cluster. Determines if pods/deployments have vulnerable image using ARMO vulnerability scan (must run vulnerability scan before running posture scan). ",
- "remediation": "Patch your container with a version that does not have this vulnerability or use ARMO runtime protection (sign the workload).",
- "rulesNames": [ "deny-vuln-image-pods"
- ]
-}
+ "name": "Vulnerable application",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Initial Access"
+ ]
+ },
+ "description": "Running a vulnerable application in a cluster can enable an attacker initial access to the cluster. Determines if pods/deployments have vulnerable image using ARMO vulnerability scan (must run vulnerability scan before running posture scan). ",
+ "remediation": "Patch your container with a version that does not have this vulnerability or use ARMO runtime protection (sign the workload).",
+ "rulesNames": [
+ "deny-vuln-image-pods"
+ ],
+ "id": "c_0024"
+}
\ No newline at end of file
diff --git a/controls/writablehostPathmount.json b/controls/writablehostPathmount.json
index b94f73b48..06412f790 100644
--- a/controls/writablehostPathmount.json
+++ b/controls/writablehostPathmount.json
@@ -1,11 +1,16 @@
 {
- "name": "Writable hostPath mount",
- "attributes": {
- "armoBuiltin": true,
- "microsoftMitreColumns": ["Persistence", "Lateral Movement"]
- },
- "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host.",
- "remediation": "Try to refrain from using host path mount. You can use ARMO runtime protection (encryption capability) to encrypt these files.",
- "rulesNames": [ "alert-rw-hostpath"
- ]
-}
+ "name": "Writable hostPath mount",
+ "attributes": {
+ "armoBuiltin": true,
+ "microsoftMitreColumns": [
+ "Persistence",
+ "Lateral Movement"
+ ]
+ },
+ "description": "Mounting host directory to the container can be used by attackers to get access to the underlying host.",
+ "remediation": "Try to refrain from using host path mount. You can use ARMO runtime protection (encryption capability) to encrypt these files.",
+ "rulesNames": [
+ "alert-rw-hostpath"
+ ],
+ "id": "c_0045"
+}
\ No newline at end of file
diff --git a/export.py b/export.py
index b8e454c60..15e2f7485 100644
--- a/export.py
+++ b/export.py
@@ -85,6 +85,7 @@ def export_json(d: dict, output_path: str):
 if __name__ == '__main__':
 rules = load_rules()
 controls = load_controls(loaded_rules=rules)
+ # TODO - validate controls
 frameworks = load_frameworks(loaded_controls=controls)
 export_json(d=frameworks, output_path="release")
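Review bot: The new `# TODO - validate controls` in export.py names exactly the check this commit needs but does not add: the `id` values are hand-typed into several dozen control files, and nothing here stops two controls from sharing an id or one from lacking it, which would silently break any consumer that keys on `id`. The export step is the place to fail fast, e.g. `ids = [c.get("id") for c in controls]` followed by `if None in ids or len(set(ids)) != len(ids): raise ValueError("missing or duplicate control id")` — this assumes `load_controls` returns an iterable of dicts, which is not visible in this hunk. A non-empty `description`/`remediation` check would also catch entries such as podspecificversiontag.json, which ships both fields empty. The `__main__` block appears to end at the `export_json` call in this hunk, though one context line of the hunk seems to have been lost in rendering.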