Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Terrascan K8s New categories and ruleRef ID changes #583

Merged
merged 9 commits into from
Mar 9, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,9 @@
"prefix": "",
"suffix": ""
},
"severity": "HIGH",
"severity": "MEDIUM",
"description": "TLS disabled can affect the confidentiality of the data in transit",
"reference_id": "AC-K8-NS-IN-H-0020",
"category": "Network Security",
"reference_id": "AC-K8-IS-IN-M-0002",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "LOW",
"description": "No owner for namespace affects the operations",
"reference_id": "AC-K8-OE-NS-L-0128",
"category": "Operational Efficiency",
"reference_id": "AC-K8-SP-NS-L-0013",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
},
"severity": "LOW",
"description": "The default namespace should not be used",
"reference_id": "accurics.kubernetes.OPS.460",
"category": "Operational Efficiency",
"reference_id": "AC-K8-SP-NS-L-0259",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
},
"severity": "LOW",
"description": "The default namespace should not be used",
"reference_id": "accurics.kubernetes.OPS.461",
"category": "Operational Efficiency",
"reference_id": "AC-K8-SP-NS-L-0461",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
},
"severity": "LOW",
"description": "The default namespace should not be used",
"reference_id": "accurics.kubernetes.OPS.462",
"category": "Operational Efficiency",
"reference_id": "AC-K8-SP-NS-L-0462",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
},
"severity": "MEDIUM",
"description": "AlwaysPullImages plugin is not set",
"reference_id": "AC-K8-OE-PK-M-0034",
"category": "Operational Efficiency",
"reference_id": "AC-K8-CV-PK-M-0021",
"category": "Compliance Validation",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
},
"severity": "HIGH",
"description": "Containers Should Not Run with AllowPrivilegeEscalation",
"reference_id": "AC-K8-CA-PO-H-0165",
"category": "Cloud Assets Management",
"reference_id": "AC-K8-CV-PO-H-0085",
"category": "Compliance Validation",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "MEDIUM",
"description": "Ensure Kubernetes Dashboard Is Not Deployed",
"reference_id": "AC-K8-DS-PO-M-0176",
"category": "Data Security",
"reference_id": "AC-K8-DP-PO-M-0067",
"category": "Data Protection",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "MEDIUM",
"description": "Ensure That Tiller (Helm V2) Is Not Deployed",
"reference_id": "AC-K8-DS-PO-M-0177",
"category": "Data Security",
"reference_id": "AC-K8-DP-PO-M-0071",
"category": "Data Protection",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "MEDIUM",
"description": "Ensure that Service Account Tokens are only mounted where necessary",
"reference_id": "AC-K8-IA-PO-M-0105",
"reference_id": "AC-K8-IA-PK-M-0045",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "HIGH",
"description": "Minimize the admission of privileged containers",
"reference_id": "AC-K8-IA-PO-H-0106",
"reference_id": "AC-K8-IA-PO-H-0046",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "HIGH",
"description": "Allowing hostPaths to mount to Pod arise the probability of getting access to the node's filesystem",
"reference_id": "AC-K8-IA-PO-H-0138",
"reference_id": "AC-K8-IA-PO-H-0076",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
},
"severity": "HIGH",
"description": "Minimize Admission of Root Containers",
"reference_id": "AC-K8-IA-PO-H-0168",
"reference_id": "AC-K8-IA-PO-H-0087",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "MEDIUM",
"description": "AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats",
"reference_id": "AC-K8-IA-PO-M-0135",
"reference_id": "AC-K8-IA-PO-M-0073",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "HIGH",
"description": "Allowing the pod to make system level calls provide access to host/node sensitive information",
"reference_id": "AC-K8-IA-PO-H-0137",
"reference_id": "AC-K8-IA-PO-M-0074",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "MEDIUM",
"description": "Unmasking the procMount will allow more information than is necessary to the program running in the containers spawned by k8s",
"reference_id": "AC-K8-IA-PO-M-0139",
"reference_id": "AC-K8-IA-PO-M-0077",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
},
"severity": "MEDIUM",
"description": "Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions",
"reference_id": "AC-K8-IA-PO-M-0140",
"reference_id": "AC-K8-IA-PO-M-0078",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "MEDIUM",
"description": "Default seccomp profile not enabled will make the container to make non-essential system calls",
"reference_id": "AC-K8-IA-PO-M-0141",
"reference_id": "AC-K8-IA-PO-M-0080",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
},
"severity": "MEDIUM",
"description": "Some volume types mount the host file system paths to the pod or container, thus increasing the chance of escaping the container to access the host",
"reference_id": "AC-K8-IA-PO-M-0143",
"reference_id": "AC-K8-IA-PO-M-0081",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
},
"severity": "MEDIUM",
"description": "Containers Should Not Share Host Process ID Namespace",
"reference_id": "AC-K8-IA-PO-M-0162",
"reference_id": "AC-K8-IA-PO-M-0082",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@
},
"severity": "MEDIUM",
"description": "Minimize the admission of containers with the NET_RAW capability",
"reference_id": "AC-K8-IA-PS-M-0112",
"reference_id": "AC-K8-IA-PS-M-0048",
"category": "Identity and Access Management",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "HIGH",
"description": "Prefer using secrets as files over secrets as environment variables",
"reference_id": "AC-K8-NS-PO-H-0117",
"category": "Network Security",
"reference_id": "AC-K8-IS-PO-H-0051",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "MEDIUM",
"description": "Apply Security Context to Your Pods and Containers",
"reference_id": "AC-K8-NS-PO-M-0122",
"category": "Network Security",
"reference_id": "AC-K8-IS-PO-M-0064",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "MEDIUM",
"description": "Image without digest affects the integrity principle of image security",
"reference_id": "AC-K8-NS-PO-M-0133",
"category": "Network Security",
"reference_id": "AC-K8-IS-PO-M-0069",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,9 @@
"prefix": "",
"suffix": ""
},
"severity": "HIGH",
"severity": "MEDIUM",
"description": "Do Not Use CAP_SYS_ADMIN Linux Capability",
"reference_id": "AC-K8-NS-PO-H-0170",
"category": "Network Security",
"reference_id": "AC-K8-IS-PO-M-0075",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "MEDIUM",
"description": "Containers Should Run as a High UID to Avoid Host Conflict",
"reference_id": "AC-K8-NS-PO-M-0182",
"category": "Network Security",
"reference_id": "AC-K8-IS-PO-M-0079",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
},
"severity": "MEDIUM",
"description": "Containers Should Not Share Host IPC Namespace",
"reference_id": "AC-K8-NS-PO-M-0163",
"category": "Network Security",
"reference_id": "AC-K8-IS-PO-M-0083",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
},
"severity": "MEDIUM",
"description": "Containers Should Not Share the Host Network Namespace",
"reference_id": "AC-K8-NS-PO-M-0164",
"category": "Network Security",
"reference_id": "AC-K8-IS-PO-M-0084",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
},
"severity": "MEDIUM",
"description": "Restrict Mounting Docker Socket in a Container",
"reference_id": "AC-K8-NS-PO-M-0171",
"category": "Network Security",
"reference_id": "AC-K8-IS-PO-M-0088",
"category": "Infrastructure Security",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
},
"severity": "Medium",
"description": "CPU Request Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0155",
"category": "Operational Efficiency",
"reference_id": "AC-K8-SP-PK-M-0097",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
},
"severity": "Medium",
"description": "CPU Limits Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0156",
"category": "Operational Efficiency",
"reference_id": "AC-K8-SP-PK-M-0098",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
},
"severity": "Medium",
"description": "Memory Request Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0157",
"category": "Operational Efficiency",
"reference_id": "AC-K8-SP-PK-M-0099",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
},
"severity": "Medium",
"description": "Memory Limits Not Set in config file.",
"reference_id": "AC-K8-OE-PK-M-0158",
"category": "Operational Efficiency",
"reference_id": "AC-K8-SP-PK-M-0100",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,9 @@
"prefix": "",
"suffix": ""
},
"severity": "MEDIUM",
"severity": "HIGH",
"description": "Default Namespace Should Not be Used",
"reference_id": "AC-K8-OE-PO-M-0166",
"category": "Operational Efficiency",
"reference_id": "AC-K8-SP-PO-H-0086",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
},
"severity": "LOW",
"description": "No tag or container image with :Latest tag makes difficult to rollback and track",
"reference_id": "AC-K8-OE-PO-L-0134",
"category": "Operational Efficiency",
"reference_id": "AC-K8-SP-PO-L-0068",
"category": "Security Best Practices",
"version": 1
}
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
},
"severity": "LOW",
"description": "No liveness probe will ensure there is no recovery in case of unexpected errors",
"reference_id": "AC-K8-OE-PO-L-0129",
"category": "Operational Efficiency",
"reference_id": "AC-K8-SP-PO-L-0070",
"category": "Security Best Practices",
"version": 1
}
Loading