update manual vs automate label in k8s-eks-1.4 cis benchmarks
Signed-off-by: AnaisUrlichs <[email protected]>
AnaisUrlichs authored and simar7 committed Apr 3, 2024
1 parent 792e6d4 commit 5d531fa
Showing 1 changed file with 24 additions and 24 deletions.
48 changes: 24 additions & 24 deletions specs/compliance/aws-eks-cis-1.4.yaml
Expand Up @@ -7,7 +7,7 @@ spec:
- https://www.cisecurity.org/benchmark/amazon_web_services
controls:
- id: 2.1.1
name: Enable audit Logs (Automated)
name: Enable audit Logs (Manual)
description: |
Control plane logs provide visibility into operation of the EKS Control plane components systems.
The API server audit logs record all accepted and rejected requests in the cluster.
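Review bot: while this line is being touched, the casing of the 2.1.1 name is inconsistent ("Enable audit Logs"), so consider "Enable Audit Logs (Manual)"; the Manual label itself reads as appropriate for a control plane logging control that is documented here rather than backed by a listed check.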
Expand All @@ -26,21 +26,21 @@ spec:
checks: null
severity: HIGH
- id: 3.1.2
name: Ensure that the kubelet service file ownership is set to root:root (Manual)
name: Ensure that the kubelet service file ownership is set to root:root (Automated)
description: Ensure that the kubelet service file ownership is set to root:root
checks:
- id: AVD-KCV-0070
severity: HIGH
- id: 3.1.3
name: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Manual)
name: Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)
description: |
Ensure that if the kubelet refers to a configuration file with the
--config argument, that file has permissions of 600 or more restrictive
checks:
- id: AVD-KCV-0077
severity: HIGH
- id: 3.1.4
name: Ensure that the kubelet configuration file ownership is set to root:root (Manual)
name: Ensure that the kubelet configuration file ownership is set to root:root (Automated)
description: |
Ensure that if the kubelet refers to a configuration file with the
--config argument, that file is owned by root:root
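Review bot: the 3.1.3 name says "permissions set to 644 or more restrictive" while its description two lines later says "permissions of 600 or more restrictive"; now that the control is relabelled Automated and tied to `AVD-KCV-0077`, the two thresholds should agree so readers know which value the check enforces. Suggest aligning the name with the description (or the reverse) in this same commit.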
Expand All @@ -66,7 +66,7 @@ spec:
- id: AVD-KCV-0081
severity: CRITICAL
- id: 3.2.4
name: Ensure that the --read-only-port is disabled (Manual)
name: Ensure that the --read-only-port is disabled (Automated)
description: |
The Kubelet process provides a read-only API in addition to the main Kubelet API.
Unauthenticated access is provided to this read-only API which could possibly retrieve
Expand All @@ -87,7 +87,7 @@ spec:
- id: AVD-KCV-0084
severity: HIGH
- id: 3.2.7
name: Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)
name: Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Manual)
description: |
Security relevant information should be captured. The eventRecordQPS on the Kubelet
configuration can be used to limit the rate at which events are gathered and sets the
Expand All @@ -97,7 +97,7 @@ spec:
checks: null
severity: HIGH
- id: 3.2.8
name: Ensure that the --rotate-certificates argument is not present or is set to true (Manual)
name: Ensure that the --rotate-certificates argument is not present or is set to true (Automated)
description: Enable kubelet client certificate rotation.
checks:
- id: AVD-KCV-0090
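Review bot: the labels and check entries in this hunk agree: 3.2.7 keeps `checks: null` after moving to Manual, and 3.2.8's move to Automated is backed by `- id: AVD-KCV-0090`. Minor documentation point on 3.2.8: the description "Enable kubelet client certificate rotation." does not mention the `--rotate-certificates` argument named in the title; stating that the argument must be absent or set to true would keep the two in step.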
Expand All @@ -118,15 +118,15 @@ spec:
checks: null
severity: HIGH
- id: 4.1.1
name: Ensure that the cluster-admin role is only used where required (Manual)
name: Ensure that the cluster-admin role is only used where required (Automated)
description: |
The RBAC role cluster-admin provides wide-ranging powers over the environment and
should be used only where and when needed.
checks:
- id: AVD-KSV-0111
severity: HIGH
- id: 4.1.2
name: Minimize access to secrets (Manual)
name: Minimize access to secrets (Automated)
description: |
The Kubernetes API stores secrets, which may be service account tokens for the
Kubernetes API or credentials used by workloads in the cluster. Access to these secrets
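Review bot: 4.1.2 "Minimize access to secrets" is relabelled Automated, but the hunk ends inside its description and does not show its `checks:` field, so the diff alone cannot confirm that a check id backs the new label the way `AVD-KSV-0111` backs 4.1.1. Please confirm the `checks:` entry for 4.1.2 is not `null`.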
Expand Down Expand Up @@ -190,31 +190,31 @@ spec:
checks: null
severity: CRITICAL
- id: 4.2.1
name: Minimize the admission of privileged containers (Manual)
name: Minimize the admission of privileged containers (Automated)
description: Do not generally permit containers to be run with the securityContext.privileged flag set to true.
checks:
- id: AVD-KSV-0017
severity: HIGH
- id: 4.2.2
name: Minimize the admission of containers wishing to share the host process ID namespace (Manual)
name: Minimize the admission of containers wishing to share the host process ID namespace (Automated)
description: Do not generally permit containers to be run with the hostPID flag set to true.
checks:
- id: AVD-KSV-0010
severity: HIGH
- id: 4.2.3
name: Minimize the admission of containers wishing to share the host IPC namespace (Manual)
name: Minimize the admission of containers wishing to share the host IPC namespace (Automated)
description: Do not generally permit containers to be run with the hostIPC flag set to true.
checks:
- id: AVD-KSV-0008
severity: HIGH
- id: 4.2.4
name: Minimize the admission of containers wishing to share the host network namespace (Manual)
name: Minimize the admission of containers wishing to share the host network namespace (Automated)
description: Do not generally permit containers to be run with the hostNetwork flag set to true.
checks:
- id: AVD-KSV-0009
severity: HIGH
- id: 4.2.5
name: Minimize the admission of containers with allowPrivilegeEscalation (Manual)
name: Minimize the admission of containers with allowPrivilegeEscalation (Automated)
description: |
Do not generally permit containers to be run with the allowPrivilegeEscalation flag set
to true. Allowing this right can lead to a process running a container getting more rights
Expand All @@ -223,19 +223,19 @@ spec:
- id: AVD-KSV-0001
severity: HIGH
- id: 4.2.6
name: Minimize the admission of root containers (Manual)
name: Minimize the admission of root containers (Automated)
description: Do not generally permit containers to be run as the root user.
checks:
- id: AVD-KSV-0012
severity: MEDIUM
- id: 4.2.7
name: Minimize the admission of containers with added capabilities (Manual)
name: Minimize the admission of containers with added capabilities (Automated)
description: Do not generally permit containers with capabilities assigned beyond the default set.
checks:
- id: AVD-KSV-0004
severity: LOW
- id: 4.2.8
name: Minimize the admission of containers with capabilities assigned (Manual)
name: Minimize the admission of containers with capabilities assigned (Automated)
description: Do not generally permit containers with capabilities
checks:
- id: AVD-KSV-0103
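Review bot: the 4.2.8 description "Do not generally permit containers with capabilities" reads as an unfinished sentence next to 4.2.7's "beyond the default set"; since the control is now Automated and its text will appear in report output, suggest completing it, e.g. "Do not generally permit containers with capabilities assigned."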
Expand All @@ -250,7 +250,7 @@ spec:
checks: null
severity: MEDIUM
- id: 4.3.2
name: Ensure that all Namespaces have Network Policies defined (Manual)
name: Ensure that all Namespaces have Network Policies defined (Automated)
description: Use network policies to isolate traffic in your cluster network.
checks:
- id: AVD-KSV-0038
Expand Down Expand Up @@ -278,7 +278,7 @@ spec:
checks: null
severity: MEDIUM
- id: 4.5.2
name: Apply Security Context to Your Pods and Containers (Manual)
name: Apply Security Context to Your Pods and Containers (Automated)
description: Apply Security Context to Your Pods and Containers
checks:
- id: AVD-KSV-0021
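Review bot: the 4.5.2 description only restates the title "Apply Security Context to Your Pods and Containers"; with the control now Automated and mapped to `AVD-KSV-0021`, a description that says what is being evaluated rather than repeating the name would make report output more useful.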
Expand All @@ -289,7 +289,7 @@ spec:
- id: AVD-KSV-0030
severity: HIGH
- id: 4.5.3
name: The default namespace should not be used (Manual)
name: The default namespace should not be used (Automated)
description: |
Kubernetes provides a default namespace, where objects are placed if no namespace
is specified for them. Placing objects in this namespace makes application of RBAC and
Expand Down Expand Up @@ -334,23 +334,23 @@ spec:
checks: null
severity: MEDIUM
- id: 5.4.1
name: Restrict Access to the Control Plane Endpoint (Automated)
name: Restrict Access to the Control Plane Endpoint (Manual)
description: Enable Endpoint Private Access to restrict access to the cluster's control plane to only an allowlist of authorized IPs
checks: null
severity: MEDIUM
- id: 5.4.2
name: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)
name: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)
description: Disable access to the Kubernetes API from outside the node network if it is not required.
checks: null
severity: MEDIUM
- id: 5.4.3
name: Ensure clusters are created with Private Nodes (Automated)
name: Ensure clusters are created with Private Nodes (Manual)
description: Disable public IP addresses for cluster nodes, so that they only have private IP addresses.
Private Nodes are nodes with no public IP addresses.
checks: null
severity: MEDIUM
- id: 5.4.4
name: Ensure Network Policy is Enabled and set as appropriate (Automated)
name: Ensure Network Policy is Enabled and set as appropriate (Manual)
description: |
Amazon EKS provides two ways to implement network policy. You choose a network
policy option when you create an EKS cluster. The policy option can't be changed after the cluster is created:
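Review bot: the 5.4.3 description is a plain scalar that continues onto a second line ("Private Nodes are nodes with no public IP addresses."), unlike 5.4.4 in the same hunk, which uses the `description: |` block form; for consistency, and so the text does not depend on YAML plain-scalar line folding, use the block form here too. Otherwise the switch of 5.4.1 through 5.4.4 to Manual matches their `checks: null` entries.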
