forked from kubescape/regolibrary
commit dab452f
Showing 184 changed files with 7,966 additions and 0 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -0,0 +1,55 @@ | ||
name: export | ||
|
||
on: | ||
push: | ||
branches: [ master ] | ||
pull_request: | ||
branches: [ master ] | ||
types: [ closed ] | ||
|
||
jobs: | ||
once: | ||
name: Create release | ||
runs-on: ubuntu-latest | ||
outputs: | ||
upload_url: ${{ steps.create_release.outputs.upload_url }} | ||
steps: | ||
- name: Create a release | ||
id: create_release | ||
uses: actions/create-release@v1 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
with: | ||
tag_name: v1.0.${{ github.run_number }} | ||
release_name: Release v1.0.${{ github.run_number }} | ||
draft: false | ||
prerelease: false | ||
build: | ||
name: Create cross-platform release build, tag and upload binaries | ||
needs: once | ||
runs-on: ubuntu-latest | ||
strategy: | ||
matrix: | ||
framework: [ mitre, nsa, developer_framework ] | ||
steps: | ||
- uses: actions/checkout@v2 | ||
name: checkout repo content | ||
|
||
- name: setup python | ||
uses: actions/setup-python@v2 | ||
with: | ||
python-version: 3.8 #install the python needed | ||
- name: execute py script # run the run.py to get the latest data | ||
run: | | ||
python export.py | ||
- name: Upload Release Asset | ||
id: upload-release-asset | ||
uses: actions/upload-release-asset@v1 | ||
env: | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
with: | ||
upload_url: ${{ needs.once.outputs.upload_url }} | ||
asset_path: release/${{ matrix.framework }}.json | ||
asset_name: release-${{ matrix.framework }} | ||
asset_content_type: application/octet-stream |
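Review bot: the `pull_request` trigger with `types: [ closed ]` also fires for pull requests that were closed without being merged, so the `once` job publishes a non-draft release (`draft: false`) for changes that never landed; gate the jobs with `if: github.event.pull_request.merged == true`, or drop the `pull_request` trigger since `push` to `master` already covers merged PRs. Related: the release is created before `python export.py` runs, so a failed export leaves a published release with no assets; create it as a draft and publish it only after the upload step, or create it after the build. Smaller points: the comment `# run the run.py to get the latest data` does not match the `python export.py` it annotates, `actions/create-release@v1` and `actions/upload-release-asset@v1` are archived actions, and `asset_content_type: application/octet-stream` for a `.json` file would more naturally be `application/json`.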
@@ -0,0 +1,16 @@ | ||
# Binaries for programs and plugins | ||
*.exe | ||
*.exe~ | ||
*.dll | ||
*.so | ||
*.dylib | ||
|
||
# Test binary, built with `go test -c` | ||
*.test | ||
|
||
# Output of the go coverage tool, specifically when used with LiteIDE | ||
*.out | ||
|
||
# Dependency directories (remove the comment below to include it) | ||
# vendor/ | ||
.vscode/* |
@@ -0,0 +1,18 @@ | ||
# Regostore | ||
Here we store regos | ||
|
||
### [MITRE Framework](https://www.microsoft.com/security/blog/wp-content/uploads/2021/03/Matrix-1536x926.png) | ||
|
||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access| Discovery | Lateral Movement | Collection | Impact | | ||
| :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | :---: | | ||
|Using Cloud credentials|[Exec into container](/controls/execintocontainer.json)|[Backdoor container](/controls/backdoorcontainer.json)|[Privileged container](/controls/privilegedcontainer.json)|[Clear container logs](/controls/clearcontainerlogs.json)|[List k8s secrets](/controls/ListKubernetessecrets.json)|[Access the K8S API server](/controls/accessthek8sAPIserver.json)|Access cloud resources|[Image from private registery](/controls/imagefromPrivateRegistry.json)|[Data Destruction](/controls/datadestruction.json) || | ||
|[Compromised Image in registery](/controls/compromisedimagesinregistry.json)| [bash/cmd inside container](/controls/bash-cmdinsidecontainer.json)|[Writable hostPath mount](/controls/writablehostPathmount.json)|[Cluster-admin binding](/controls/cluster-adminbinding.json)|[Delete K8S events](/controls/deleteKubernetesevents.json)|[Mount service principal](/controls/mountserviceprincipal.json)|[Access Kubelet API](/controls/accesskubeletAPI.json)|[Container service account](/controls/accesscontainerserviceaccount.json)||[Resources Hijacking](/controls/resourcehijacking.json)|| | ||
|kubeconfig file|[New container](/controls/newcontainer.json)|[kubernetes CronJob](/controls/kubernetescronJob.json)|[hostPath mount](/controls/hostPathmount.json)|[Pod/Container name similarity](/controls/namesimilarity.json)|[Access container service account](/controls/accesscontainerserviceaccount.json)|[Network mapping](/controls/networkmapping.json)|[Cluster internal networking](/controls/clusterInternalnetworking.json)||Denial of service|| | ||
|[Application vulnerability](/controls/vulnerableapplication.json)|[Application Exploit (RCE)](/controls/applicationexploitRCE.json)|[Malicious admission controller](/controls/maliciousadmissioncontroller-mutating.json)|Access cloud resources| Connect from Proxy server| [Application credentials in configuration files](/controls/Applicationscredentialsinconfigurationfiles.json)|[Access kubernetes dashboard](/controls/accessk8sdashboard.json)|[Application credentials in configuration](/controls/Applicationscredentialsinconfigurationfiles.json)||||| | ||
|[Exposed Dashboard](/controls/exposeddashboard.json)|[SSH server running insider container](/controls/SSHserverrunninginsidecontainer.json)||||Access managed identity credentials|[instance Metadata API](/controls/instancemetadataAPI..json)|[Writable volume mounts on the host](/controls/writablehostPathmount.json)|||| | ||
|[Exposed sensitive interface](/controls/exposedsensitiveinterfaces.json)|[Sidecar injection](/controls/sidecarinjection.json)||||[Malicious admission controller](/controls/maliciousadmissioncontroller-validating.json)||[Access kubernetes dashboard](/controls/accessk8sdashboard.json)|||| | ||
||||||||[access tiller endpoint](/controls/accesstillerendpoint.json)||||| | ||
||||||||[CoreDNS poisoning](/controls/coreDNSpoisoning.json)||||| | ||
||||||||ARP and IP spoofing||||| | ||
|
||
### [NSA Framework](https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/) |
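Review bot: several link texts and paths in the MITRE table have typos that either show in the rendered page or break the link: "registery" (twice) for "registry", "SSH server running insider container" for "inside", and `/controls/instancemetadataAPI..json` with a doubled dot, which will 404 unless the file really is named that way. The `### [NSA Framework](...)` heading ends the file with nothing under it; either add the NSA table or leave the heading out until it exists. The header row defines ten tactic columns while the data rows carry an extra trailing cell (`||`), so the rows should be trimmed to match the header.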
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Applications credentials in configuration files", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Credential access","Lateral Movement"] | ||
}, | ||
"description": "Attackers who have access to configuration files can steal the stored secrets and use them. Checks if ConfigMaps or pods have sensitive information in configuration.", | ||
"remediation": "Use Kubernetes secrets to store credentials. Use ARMO secret protection solution to improve your security even more.", | ||
"rulesNames": ["rule-credentials-in-env-var", "rule-credentials-configmap" | ||
] | ||
} |
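Review bot: the `microsoftMitreColumns` values are cased inconsistently across the controls in this commit ("Credential access" and "Lateral Movement" here, "Lateral movement", "Privilege escalation" and "Defense Evasion" elsewhere); anything that groups or filters by these strings, such as the README matrix columns, will split one tactic into two. Pick one spelling per tactic, ideally the README column headers, and use it in every control.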
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "List Kubernetes secrets", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Credential access"] | ||
}, | ||
"description": "Attackers who have permissions to access secrets can access sensitive information that might include credentials to various services. Determines which subjects can list/get secrets.", | ||
"remediation": "Monitor and approve users and service accounts that can access secrets. You can also protect these secrets using ARMO runtime protection.", | ||
"rulesNames": [ "rule-can-list-get-secrets" | ||
] | ||
} |
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "SSH server running inside container", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Execution"] | ||
}, | ||
"description": "An SSH server that is running inside a container may be used by attackers to get remote access to the container. Checks if pods have an open SSH port (22/2222).", | ||
"remediation": "Remove SSH from the container image or limit the access to the SSH server using network policy (Native or ARMO runtime protection).", | ||
"rulesNames": [ "rule-can-ssh-to-pod" | ||
] | ||
} |
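Review bot: the description "Checks if pods have an open SSH port (22/2222)" and the rule name `rule-can-ssh-to-pod` mean the check is port-based, so a pod exposing 22 for a non-SSH service is flagged while an SSH daemon on any other port is missed; state that limitation in the description so users know what the control actually detects, and consider pairing it with an image-level check for `sshd`.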
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Access container service account", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Credential access"] | ||
}, | ||
"description": "Attackers who get access to a pod can access the SA and perform actions in the cluster, according to the SA permissions. Determines which service accounts can be used to access other resources in the cluster.", | ||
"remediation": "If RBAC is not enabled, you should enable RBAC (refer to the API server documentation). If RBAC is enabled, make sure that you apply least privilege. Monitor and approve privileges of workloads which use kube-api.", | ||
"rulesNames": [ "access-container-service-account" | ||
] | ||
} |
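Review bot: the rule name `access-container-service-account` lacks the `rule-` prefix most other controls use (`rule-can-list-get-secrets`, `rule-access-dashboard`, `rule-can-ssh-to-pod`); since `rulesNames` has to match the rego rule names exactly, confirm the rule exists under this name and settle on one naming convention. "SA" in the description should be spelled out as "service account" on first use.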
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Access Kubernetes dashboard", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Discovery","Lateral Movement"] | ||
}, | ||
"description": "Attackers who gain access to the dashboard service account or have its RBAC permissions can use its network access to retrieve information about resources in the cluster or change them. Checks if subject that is not dashboard service account is bound to dashboard role/clusterrole, or - if anyone that is not dashboard pod is associated with its service account.", | ||
"remediation": "Make sure that the “Kubernetes Dashboard” service account is only bound to the Kubernetes dashboard following the least privilege principle.", | ||
"rulesNames": ["rule-access-dashboard" | ||
] | ||
} |
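Review bot: the second sentence of `description` is hard to parse ("Checks if subject that is not dashboard service account is bound to dashboard role/clusterrole, or - if anyone that is not dashboard pod is associated with its service account"); state the two checks plainly, e.g. "Checks whether any subject other than the dashboard service account is bound to the dashboard Role/ClusterRole, and whether any pod other than the dashboard pod uses that service account." The curly quotes around “Kubernetes Dashboard” in `remediation` are valid JSON but inconsistent with the other files.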
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Access Kubelet API", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Discovery"] | ||
}, | ||
"description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.", | ||
"remediation": "Define network policy (native kubernetes or using ARMO runtime protection). Use ARMO runtime protection capabilities to monitor network traffic.", | ||
"rulesNames": [ | ||
] | ||
} |
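Review bot: `rulesNames` is empty, so this control can never produce a finding and will silently pass; either add the rule that checks for the kubelet read-only port or mark the control as not yet implemented so it is not reported as compliant. Two corrections to the text: the read-only port 10255 serves plain HTTP, so the example URLs should be `http://`, not `https://`; and the remediation should mention disabling the port itself on the kubelet (`--read-only-port=0`) in addition to network policy.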
@@ -0,0 +1,10 @@ | ||
{ | ||
"name": "Access tiller endpoint", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Lateral movement"] | ||
}, | ||
"description":" Attackers may run code on any container that is accessible to the tiller’s service and perform actions in the cluster, using the tiller’s service account, which often has high privileges. Checks if Tiller exists in cluster.", | ||
"remediation": "Use version higher than 2 of Helm which doesn’t use Tiller", | ||
"rulesNames": ["access-tiller-endpoint"] | ||
} |
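Review bot: `"description":" Attackers..."` has a leading space inside the string value and drops the space after the colon that every other file uses. "Use version higher than 2 of Helm which doesn’t use Tiller" should read "Use Helm 3 or later, which has no Tiller", and the remediation is missing its period. `"Lateral movement"` here is cased differently from `"Lateral Movement"` in other controls.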
@@ -0,0 +1,10 @@ | ||
{ | ||
"name": "Allowed hostPath", | ||
"attributes": { | ||
"armoBuiltin": true | ||
}, | ||
"description": "Mounting host directory to the container can be abused to get access to sensitive data and gain persistence on the host machine.", | ||
"remediation": "Refrain from using host path mount.", | ||
"rulesNames": [ "alert-rw-hostpath" | ||
] | ||
} |
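Review bot: the control name and description cover any hostPath mount, but the only rule is `alert-rw-hostpath`, which by its name covers read-write mounts only; either rename the control to say read-write hostPath, or add a rule for read-only mounts, since a read-only mount of a host directory still gives the "access to sensitive data" the description warns about.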
@@ -0,0 +1,10 @@ | ||
{ | ||
"name": "Allow privilege escalation", | ||
"attributes": { | ||
"armoBuiltin": true | ||
}, | ||
"description": "Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.", | ||
"remediation": "If your application does not need it, make sure the allowPrivilegeEscalation field of the securityContext is set to false.", | ||
"rulesNames": [ "rule-allow-privilege-escalation" | ||
] | ||
} |
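Review bot: `allowPrivilegeEscalation` defaults to true when the field is omitted, and is always true for privileged containers and containers with `CAP_SYS_ADMIN`, so the remediation should say to set it explicitly to `false`, and the rule behind `rule-allow-privilege-escalation` must treat an absent field as failing rather than compliant. The description also reads oddly: "uplift its privilege to enable excessive capabilities" would be clearer as "gain additional privileges, for example through setuid binaries".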
@@ -0,0 +1,11 @@ | ||
|
||
{ | ||
"name": "Anonymous requests", | ||
"attributes": { | ||
"armoBuiltin": true | ||
}, | ||
"description": "In Kubernetes 1.6 and newer, anonymous requests are allowed by default. If there is no RBAC enabled, this type of requests will have authorization to do everything.", | ||
"remediation": "Anonymous requests should be disabled by passing the --anonymous-auth=false option to the API server. Leaving anonymous requests enabled could allow a cyber actor to access cluster resources without authentication.", | ||
"rulesNames": [ "anonymous-requests" | ||
] | ||
} |
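Review bot: the file starts with an empty line before the opening `{`; harmless to JSON parsers but inconsistent with the other control files. In the description, "this type of requests will have authorization to do everything" should be "these requests will be authorized to do anything", and it is worth saying that this holds for the `AlwaysAllow` authorization mode: with RBAC, anonymous requests map to `system:anonymous` / `system:unauthenticated` and receive only what is bound to those subjects.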
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Application exploit (RCE)", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Execution"] | ||
}, | ||
"description": "Applications that are vulnerable to a remote code execution vulnerability, enables attackers to run malicious code in the cluster. Determines if pods have vulnerable image with remote code execution using ARMO vulnerability scan (must run vulnerability scan before running posture scan).", | ||
"remediation": "Patch your container with a version that does not have this vulnerability or use ARMO runtime protection (sign the workload).", | ||
"rulesNames": [ "deny-RCE-vuln-image-pods" | ||
] | ||
} |
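Review bot: "Applications that are vulnerable ... enables attackers" should be "enable". The hard prerequisite "must run vulnerability scan before running posture scan" is buried in the description; capture it in a structured attribute, otherwise a user cannot tell whether zero findings means no vulnerable images or no scan data. The remediation's "use ARMO runtime protection (sign the workload)" should make clear that signing does not remove the RCE; it only limits what a compromised workload can run.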
@@ -0,0 +1,10 @@ | ||
{ | ||
"name": "Automatic mapping of service account", | ||
"attributes": { | ||
"armoBuiltin": true | ||
}, | ||
"description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.", | ||
"remediation": "Only map token to PODs that are really using them. We suggest disabling the automatic mounting of service account tokens to PODs at the service account level, by specifying the securityContext.readOnlyRootFilesystem field to true, and explicitly enabling the map for the PODs which are using it at the POD spec level.", | ||
"rulesNames": [ "automount-service-account" | ||
] | ||
} |
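Review bot: the remediation names the wrong field: `securityContext.readOnlyRootFilesystem` controls the container's root filesystem and has nothing to do with token mounting. Automatic token mounting is disabled with `automountServiceAccountToken: false` on the ServiceAccount and re-enabled for the pods that need it with `automountServiceAccountToken: true` in the pod spec, which is presumably what `automount-service-account` checks. Also, "POD" is not an acronym; use "pod" throughout.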
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Backdoor container", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Persistence"] | ||
}, | ||
"description": "Attackers run their malicious code in a container in the cluster. By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster." , | ||
"remediation": "You should apply least privilege principle (we can point to our audit/least privilege screen). Approve the users who can create new containers.", | ||
"rulesNames": [ "rule-can-create-modify-pod" | ||
] | ||
} |
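Review bot: the remediation contains an internal note, "(we can point to our audit/least privilege screen)", that leaked into user-facing text; remove it. The stray space before the comma in `"..." ,` is valid JSON but inconsistent with the other files.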
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Bash/cmd inside container", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Execution"] | ||
}, | ||
"description": "Attackers who can run new processes inside a container might use cmd/bash script inside a container can use it to execute malicious code. Determines which containers have bash/cmd inside it." , | ||
"remediation": "Remove cmd/bash from the containers you are using.", | ||
"rulesNames": [ "rule-can-bash-cmd-inside-container" | ||
] | ||
} |
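Review bot: the description is garbled: "Attackers who can run new processes inside a container might use cmd/bash script inside a container can use it to execute malicious code" should read "Attackers who can run new processes inside a container can use a shell (bash/cmd) present in the image to execute malicious code." The remediation "Remove cmd/bash from the containers" is abrupt; pointing at shell-less (distroless) base images makes it actionable, and the description should note that the check looks at the image contents, not at running processes.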
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Clear container logs", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Defense Evasion"] | ||
}, | ||
"description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity." , | ||
"remediation": "You should apply least privilege principle. Approve the users who can delete logs inside containers.", | ||
"rulesNames": [ "rule-can-delete-logs" | ||
] | ||
} |
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Cluster-admin binding", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Privilege escalation"] | ||
}, | ||
"description": "Attackers who have Cluster-admin permissions (can perform any action on any resource), can take advantage of their high privileges for malicious intentions. Determines which subjects have cluster admin permissions.", | ||
"remediation": "You should apply least privilege principle. Monitor and approve cluster admins and make sure users that do not require cluster-admin are not assigned with this role.", | ||
"rulesNames": [ "rule-list-all-cluster-admins" | ||
] | ||
} |
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Cluster internal networking", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Lateral movement"] | ||
}, | ||
"description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. Lists namespaces in which no network policies are defined.", | ||
"remediation": "Define network policy (native K8s or using ARMO runtime protection).", | ||
"rulesNames": [ "internal-networking" | ||
] | ||
} |
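Review bot: "Lists namespaces in which no network policies are defined" is a necessary but not sufficient check: a namespace can contain a NetworkPolicy whose `podSelector` matches only some pods, leaving the rest unrestricted. Either state that limitation in the description or have `internal-networking` check that every pod is selected by at least one policy.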
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Compromised images in registry", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Initial Access"] | ||
}, | ||
"description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster’s management layer.", | ||
"remediation": "Limit the registries from which you pull container images. ", | ||
"rulesNames": ["rule-identify-blacklisted-image-registries" | ||
] | ||
} |
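Review bot: the description does not match the control: it describes compromised cloud credentials and cluster takeover (the "Using cloud credentials" technique), while the name, the remediation and the rule `rule-identify-blacklisted-image-registries` are about pulling images from untrusted registries. Replace it with the registry risk, e.g. that images pulled from registries outside an approved list may have been tampered with, and document where the registry list is configured and whether it is an allow-list or a block-list. The trailing space in `"Limit the registries from which you pull container images. "` should go.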
@@ -0,0 +1,10 @@ | ||
{ | ||
"name": "Configured liveness probe", | ||
"attributes": { | ||
"armoBuiltin": true | ||
}, | ||
"description": "Liveness probe is not configured.", | ||
"remediation": "Ensure Liveness probe is configured", | ||
"rulesNames": [ "configured-liveness-probe" | ||
] | ||
} |
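Review bot: `description` states the finding ("Liveness probe is not configured.") rather than the risk, unlike the other controls; say why it matters (a hung container is never restarted, which also applies to the readiness-probe control) so the report is self-explanatory, and end the remediation with a period like the rest.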
@@ -0,0 +1,10 @@ | ||
{ | ||
"name": "Configured readiness probe", | ||
"attributes": { | ||
"armoBuiltin": true | ||
}, | ||
"description": "Readiness probe is not configured.", | ||
"remediation": "Ensure Readiness probe is configured.", | ||
"rulesNames": [ "configured-readiness-probe" | ||
] | ||
} |
@@ -0,0 +1,10 @@ | ||
{ | ||
"name": "Container hostPort", | ||
"attributes": { | ||
"armoBuiltin": true | ||
}, | ||
"description": "Configuring hostPort limits you to a particular port, and if any two workloads that specify the same HostPort cannot be deployed to the same node. And if the scale of your workload is larger than the number of nodes in your Kubernetes cluster, the deployment fails.", | ||
"remediation": "Make sure you do not configure hostPort for the container, if necessary use NodePort / ClusterIP", | ||
"rulesNames": [ "container-hostPort" | ||
] | ||
} |
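Review bot: the first sentence of the description is ungrammatical ("and if any two workloads that specify the same HostPort cannot be deployed to the same node"; drop the "if"), and the remediation suggests "NodePort / ClusterIP", which are Service types rather than container settings; say "expose the container through a Service (ClusterIP or NodePort) instead". The description also omits the security reason for the control: a `hostPort` binds the container directly on the node's IP, outside the normal Service path.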
@@ -0,0 +1,10 @@ | ||
{ | ||
"name": "Control plane hardening", | ||
"attributes": { | ||
"armoBuiltin": true | ||
}, | ||
"description": "Kubernetes control plane API is running with non-secure port enabled which allows attackers to gain unprotected access to the cluster.", | ||
"remediation": "Set the insecure-port flag of the API server to zero.", | ||
"rulesNames": ["insecure-port-flag" | ||
] | ||
} |
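Review bot: the remediation should give the actual flag syntax (`--insecure-port=0`). `--insecure-port` has been deprecated for a long time and newer API servers no longer accept it, so `insecure-port-flag` has to be explicit about what an absent flag means: compliant on versions where the port has been removed, default behaviour on older ones; document which the rule implements.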
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "CoreDNS poisoning", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Lateral Movement"] | ||
}, | ||
"description": "If attackers have permissions to modify the coredns ConfigMap, they can change the behavior of the cluster’s DNS, poison it, and take the network identity of other services. Determines which users can update/patch the 'coredns' configmap.", | ||
"remediation": "You should apply least privilege principle. Monitor and approve the users who can modify the 'coredns' configmap.", | ||
"rulesNames": [ "rule-can-update-configmap" | ||
] | ||
} |
@@ -0,0 +1,10 @@ | ||
{ | ||
"name": "Dangerous capabilities", | ||
"attributes": { | ||
"armoBuiltin": true | ||
}, | ||
"description": "Giving dangerous and unnecessary capabilities for a container can increase the impact of a container compromise.", | ||
"remediation": "Remove all dangerous capabilities which aren’t necessary for the container.", | ||
"rulesNames": [ "dangerous-capabilities" | ||
] | ||
} |
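Review bot: neither the description nor the remediation says which capabilities count as "dangerous"; the rule `dangerous-capabilities` presumably carries a fixed list, so name it or link to it here so users can see why a container was flagged and whether the list can be tuned.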
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "Data Destruction", | ||
"attributes": { | ||
"armoBuiltin": true, | ||
"microsoftMitreColumns": ["Impact"] | ||
}, | ||
"description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources. Determines which subjects can delete resources.", | ||
"remediation": "You should apply least privilege principle. Monitor and approve the users who can delete resources.", | ||
"rulesNames": [ "rule-excessive-delete-rights" | ||
] | ||
} |