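---
# Compliance spec: NSA/CISA Kubernetes Hardening Guidance v1.0.
# Each control maps one guidance item to an AVD check id. `severity` is a
# control-level key (a sibling of `checks`), not a per-check attribute.
# Controls tagged "(Manual)" have no automated check: they carry
# `defaultStatus: 'FAIL'` and a bare `checks:` key, which YAML parses as null.
# NOTE(review): presumably the loader treats a null `checks` as "manual control,
# reported as FAIL until reviewed by hand" — confirm before changing it to `[]`.
spec:
  id: k8s-nsa
  title: National Security Agency - Kubernetes Hardening Guidance v1.0
  description: National Security Agency - Kubernetes Hardening Guidance
  # No whitespace before ':' — `relatedResources :` is accepted by most parsers
  # but is non-idiomatic and flagged by yamllint.
  relatedResources:
    - https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
  version: "1.0"
  controls:
    # --- Section 1: Pod security ---
    - name: Non-root containers
      description: 'Check that container is not running as root'
      id: '1.0'
      checks:
        - id: AVD-KSV-0012
      severity: 'MEDIUM'
    - name: Immutable container file systems
      description: 'Check that container root file system is immutable'
      id: '1.1'
      checks:
        - id: AVD-KSV-0014
      severity: 'LOW'
    - name: Preventing privileged containers
      description: 'Controls whether Pods can run privileged containers'
      id: '1.2'
      checks:
        - id: AVD-KSV-0017
      severity: 'HIGH'
    - name: Share containers process namespaces
      description: 'Controls whether containers can share process namespaces'
      id: '1.3'
      checks:
        - id: AVD-KSV-0008
      severity: 'HIGH'
    - name: Share host process namespaces
      description: 'Controls whether containers can share host process namespaces'
      id: '1.4'
      checks:
        - id: AVD-KSV-0009
      severity: 'HIGH'
    - name: Use the host network
      description: 'Controls whether containers can use the host network'
      id: '1.5'
      checks:
        - id: AVD-KSV-0010
      severity: 'HIGH'
    - name: Run with root privileges or with root group membership
      description: 'Controls whether container applications can run with root privileges or with root group membership'
      id: '1.6'
      checks:
        - id: AVD-KSV-0029
      severity: 'LOW'
    - name: Restricts escalation to root privileges
      description: 'Control checks restrictions on escalation to root privileges'
      id: '1.7'
      checks:
        - id: AVD-KSV-0001
      severity: 'MEDIUM'
    - name: Sets the SELinux context of the container
      description: 'Control checks if pod sets the SELinux context of the container'
      id: '1.8'
      checks:
        # NOTE(review): verify this id against the check catalogue — the same
        # check family covers AppArmor and seccomp too (see 1.9 / 1.10), and a
        # mis-mapped id silently reports the wrong control as passing.
        - id: AVD-KSV-0002
      severity: 'MEDIUM'
    - name: Restrict a container's access to resources with AppArmor
      description: 'Control checks the restriction of containers access to resources with AppArmor'
      id: '1.9'
      checks:
        # NOTE(review): AVD-KSV-0030 is also the check used by 1.10 (seccomp).
        # Two controls sharing one check means AppArmor is never actually
        # evaluated on its own — confirm the intended AppArmor check id.
        - id: AVD-KSV-0030
      severity: 'MEDIUM'
    - name: Sets the seccomp profile used to sandbox containers
      description: 'Control checks that the seccomp profile used to sandbox containers is set'
      id: '1.10'
      checks:
        - id: AVD-KSV-0030
      severity: 'LOW'
    - name: Protecting Pod service account tokens
      description: 'Control checks whether service account token automounting is disabled (automountServiceAccountToken: false)'
      id: '1.11'
      checks:
        - id: AVD-KSV-0036
      severity: 'MEDIUM'
    - name: Namespace kube-system should not be used by users
      description: 'Control checks that namespace kube-system is not used by users'
      id: '1.12'
      defaultStatus: 'FAIL'
      checks:
        - id: AVD-KSV-0037
      severity: 'MEDIUM'
    # --- Section 2: Network policies ---
    - name: Pod and/or namespace Selectors usage
      description: 'Control checks the pod and/or namespace Selectors usage'
      id: '2.0'
      defaultStatus: 'FAIL'
      checks:
        - id: AVD-KSV-0038
      severity: 'MEDIUM'
    # --- Section 3: CNI (manual) ---
    - name: Use CNI plugin that supports NetworkPolicy API (Manual)
      description: 'Control checks whether a CNI plugin supporting NetworkPolicy is installed'
      id: '3.0'
      defaultStatus: 'FAIL'
      checks:
      severity: 'CRITICAL'
    # --- Section 4: Resource policies ---
    - name: Use ResourceQuota policies to limit resources
      description: 'Control checks the use of ResourceQuota policy to limit aggregate resource usage within namespace'
      id: '4.0'
      defaultStatus: 'FAIL'
      checks:
        - id: AVD-KSV-0040
      severity: 'MEDIUM'
    - name: Use LimitRange policies to limit resources
      description: 'Control checks the use of LimitRange policy to limit resource usage for namespaces or nodes'
      id: '4.1'
      defaultStatus: 'FAIL'
      checks:
        - id: AVD-KSV-0039
      severity: 'MEDIUM'
    # --- Section 5: Control plane hardening ---
    - name: Control plane disables insecure port (Manual)
      description: 'Control checks whether the control plane has the insecure port disabled'
      id: '5.0'
      defaultStatus: 'FAIL'
      checks:
      severity: 'CRITICAL'
    - name: Encrypt etcd communication
      description: 'Control checks whether etcd communication is encrypted'
      id: '5.1'
      checks:
        - id: AVD-KCV-0030
      severity: 'CRITICAL'
    # --- Section 6: Secrets and encryption at rest ---
    - name: Ensure kube config file permission (Manual)
      description: 'Control checks kube config file permissions'
      id: '6.0'
      defaultStatus: 'FAIL'
      checks:
      severity: 'CRITICAL'
    - name: Check that encryption resource has been set
      description: 'Control checks whether encryption resource has been set'
      id: '6.1'
      checks:
        - id: AVD-KCV-0029
      severity: 'CRITICAL'
    - name: Check encryption provider
      description: 'Control checks whether encryption provider has been set'
      id: '6.2'
      checks:
        - id: AVD-KCV-0004
      severity: 'CRITICAL'
    # --- Section 7: Authentication and authorization ---
    - name: Make sure anonymous-auth is unset
      description: 'Control checks whether anonymous-auth is unset'
      id: '7.0'
      checks:
        - id: AVD-KCV-0001
      severity: 'CRITICAL'
    - name: Make sure --authorization-mode=RBAC
      description: 'Control checks whether RBAC authorization is in use'
      id: '7.1'
      checks:
        - id: AVD-KCV-0008
      severity: 'CRITICAL'
    # --- Section 8: Audit logging ---
    - name: Audit policy is configured (Manual)
      description: 'Control checks whether an audit policy is configured'
      id: '8.0'
      defaultStatus: 'FAIL'
      checks:
      severity: 'HIGH'
    - name: Audit log path is configured
      description: 'Control checks whether the audit log path is configured'
      id: '8.1'
      checks:
        - id: AVD-KCV-0019
      severity: 'MEDIUM'
    - name: Audit log aging
      description: 'Control checks whether audit log aging is configured'
      id: '8.2'
      checks:
        - id: AVD-KCV-0020
      severity: 'MEDIUM'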