forked from aquasecurity/trivy-operator
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nsa-1.0.yaml
183 lines (183 loc) · 6.71 KB
/
nsa-1.0.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
---
apiVersion: aquasecurity.github.io/v1alpha1
kind: ClusterComplianceReport
metadata:
name: nsa
labels:
app.kubernetes.io/name: trivy-operator
app.kubernetes.io/instance: trivy-operator
app.kubernetes.io/version: "0.12.1"
app.kubernetes.io/managed-by: kubectl
spec:
cron: "0 */6 * * *"
reportType: "summary" # 'summary' or 'all'
compliance:
id: nsa
title: National Security Agency - Kubernetes Hardening Guidance v1.0
description: National Security Agency - Kubernetes Hardening Guidance
relatedResources :
- https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
version: "1.0"
controls:
- name: Non-root containers
description: 'Check that container is not running as root'
id: '1.0'
checks:
- id: AVD-KSV-0012
severity: 'MEDIUM'
- name: Immutable container file systems
description: 'Check that container root file system is immutable'
id: '1.1'
checks:
- id: AVD-KSV-0014
severity: 'LOW'
- name: Preventing privileged containers
description: 'Controls whether Pods can run privileged containers'
id: '1.2'
checks:
- id: AVD-KSV-0017
severity: 'HIGH'
- name: Share containers process namespaces
description: 'Controls whether containers can share process namespaces'
id: '1.3'
checks:
- id: AVD-KSV-0008
severity: 'HIGH'
- name: Share host process namespaces
description: 'Controls whether share host process namespaces'
id: '1.4'
checks:
- id: AVD-KSV-0009
severity: 'HIGH'
- name: Use the host network
description: 'Controls whether containers can use the host network'
id: '1.5'
checks:
- id: AVD-KSV-0010
severity: 'HIGH'
- name: Run with root privileges or with root group membership
description: 'Controls whether container applications can run with root privileges or with root group membership'
id: '1.6'
checks:
- id: AVD-KSV-0029
severity: 'LOW'
- name: Restricts escalation to root privileges
description: 'Control check restrictions escalation to root privileges'
id: '1.7'
checks:
- id: AVD-KSV-0001
severity: 'MEDIUM'
- name: Sets the SELinux context of the container
description: 'Control checks if pod sets the SELinux context of the container'
id: '1.8'
checks:
- id: AVD-KSV-0002
severity: 'MEDIUM'
- name: Restrict a container's access to resources with AppArmor
description: 'Control checks the restriction of containers access to resources with AppArmor'
id: '1.9'
checks:
- id: AVD-KSV-0030
severity: 'MEDIUM'
- name: Sets the seccomp profile used to sandbox containers.
description: 'Control checks the sets the seccomp profile used to sandbox containers'
id: '1.10'
checks:
- id: AVD-KSV-0030
severity: 'LOW'
- name: Protecting Pod service account tokens
description: 'Control check whether disable secret token been mount ,automountServiceAccountToken: false'
id: '1.11'
checks:
- id: AVD-KSV-0036
severity: 'MEDIUM'
- name: Namespace kube-system should not be used by users
description: 'Control check whether Namespace kube-system is not be used by users'
id: '1.12'
defaultStatus: 'FAIL'
checks:
- id: AVD-KSV-0037
severity: 'MEDIUM'
- name: Pod and/or namespace Selectors usage
description: 'Control check validate the pod and/or namespace Selectors usage'
id: '2.0'
defaultStatus: 'FAIL'
checks:
- id: AVD-KSV-0038
severity: 'MEDIUM'
- name: Use CNI plugin that supports NetworkPolicy API (Manual)
description: 'Control check whether check cni plugin installed'
id: '3.0'
defaultStatus: 'FAIL'
severity: 'CRITICAL'
- name: Use ResourceQuota policies to limit resources
description: 'Control check the use of ResourceQuota policy to limit aggregate resource usage within namespace'
id: '4.0'
defaultStatus: 'FAIL'
checks:
- id: AVD-KSV-0040
severity: 'MEDIUM'
- name: Use LimitRange policies to limit resources
description: 'Control check the use of LimitRange policy limit resource usage for namespaces or nodes'
id: '4.1'
defaultStatus: 'FAIL'
checks:
- id: AVD-KSV-0039
severity: 'MEDIUM'
- name: Control plan disable insecure port (Manual)
description: 'Control check whether control plan disable insecure port'
id: '5.0'
defaultStatus: 'FAIL'
severity: 'CRITICAL'
- name: Encrypt etcd communication
description: 'Control check whether etcd communication is encrypted'
id: '5.1'
checks:
- id: AVD-KCV-0030
severity: 'CRITICAL'
- name: Ensure kube config file permission (Manual)
description: 'Control check whether kube config file permissions'
id: '6.0'
defaultStatus: 'FAIL'
severity: 'CRITICAL'
- name: Check that encryption resource has been set
description: 'Control checks whether encryption resource has been set'
id: '6.1'
checks:
- id: AVD-KCV-0029
severity: 'CRITICAL'
- name: Check encryption provider
description: 'Control checks whether encryption provider has been set'
id: '6.2'
checks:
- id: AVD-KCV-0004
severity: 'CRITICAL'
- name: Make sure anonymous-auth is unset
description: 'Control checks whether anonymous-auth is unset'
id: '7.0'
checks:
- id: AVD-KCV-0001
severity: 'CRITICAL'
- name: Make sure -authorization-mode=RBAC
description: 'Control check whether RBAC permission is in use'
id: '7.1'
checks:
- id: AVD-KCV-0008
severity: 'CRITICAL'
- name: Audit policy is configure (Manual)
description: 'Control check whether audit policy is configure'
id: '8.0'
defaultStatus: 'FAIL'
severity: 'HIGH'
- name: Audit log path is configure
description: 'Control check whether audit log path is configure'
id: '8.1'
checks:
- id: AVD-KCV-0019
severity: 'MEDIUM'
- name: Audit log aging
description: 'Control check whether audit log aging is configure'
id: '8.2'
checks:
- id: AVD-KCV-0020
severity: 'MEDIUM'