diff --git a/frameworks/security.json b/frameworks/security.json
index 42010a264..be65ebd70 100644
--- a/frameworks/security.json
+++ b/frameworks/security.json
@@ -2,7 +2,7 @@
 "name": "security",
 "description": "Controls that are used to assess security threats.",
 "attributes": {
- "armoBuiltin": true
+ "armoBuiltin": true
 },
 "typeTags": [
 "security"
@@ -15,57 +15,57 @@
 },
 "activeControls": [
 {
- "controlID": "C-0009",
+ "controlID": "C-0005",
 "patch": {
- "name": "Resource limits"
+ "name": "API server insecure port is enabled"
 }
 },
 {
- "controlID": "C-0017",
+ "controlID": "C-0009",
 "patch": {
- "name": "Immutable container filesystem"
+ "name": "Resource limits"
 }
 },
- {
- "controlID": "C-0256",
+ {
+ "controlID": "C-0012",
 "patch": {
- "name": "Exposure to Internet"
+ "name": "Applications credentials in configuration files"
 }
 },
- {
- "controlID": "C-0259",
+ {
+ "controlID": "C-0013",
 "patch": {
- "name": "Workload with credential access"
+ "name": "Non-root containers"
 }
 },
 {
- "controlID": "C-0258",
+ "controlID": "C-0016",
 "patch": {
- "name": "Workload with configMap access"
+ "name": "Allow privilege escalation"
 }
 },
 {
- "controlID": "C-0257",
+ "controlID": "C-0017",
 "patch": {
- "name": "Workload with PVC access"
+ "name": "Immutable container filesystem"
 }
 },
 {
- "controlID": "C-0260",
+ "controlID": "C-0034",
 "patch": {
- "name": "Missing network policy"
+ "name": "Automatic mapping of service account"
 }
 },
 {
- "controlID": "C-0261",
+ "controlID": "C-0035",
 "patch": {
- "name": "ServiceAccount token mounted"
+ "name": "Administrative Roles"
 }
 },
 {
- "controlID": "C-0255",
+ "controlID": "C-0038",
 "patch": {
- "name": "Workload with secret access"
+ "name": "Host PID/IPC privileges"
 }
 },
 {
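Review bot: Sorting `activeControls` by `controlID` in the same commit that adds entries makes this hunk read as nine unrelated substitutions (C-0009→C-0005, C-0017→C-0009, C-0256→C-0012, …) although the existing controls are all still present further down, so every `controlID`/`patch.name` pair now has to be re-verified by hand instead of by reading the diff; the -105,28 hunk has the same shape. Landing the reorder as a separate ordering-only change, or at least listing in the commit message which IDs appear to be genuinely new here (C-0005, C-0012, C-0013, C-0016, C-0034, C-0035, as far as the visible lines show), would make the review tractable. Because `patch.name` restates the referenced control's own title, a pair copied onto the wrong ID would silently relabel that control in reports; a CI check that each `patch.name` equals the canonical name of its `controlID` in the control library would catch that, and a check that no `controlID` repeats would catch a duplicate introduced by a bad merge of the re-sorted list.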
@@ -98,6 +98,36 @@
 "name": "HostPath mount"
 }
 },
+ {
+ "controlID": "C-0057",
+ "patch": {
+ "name": "Privileged container"
+ }
+ },
+ {
+ "controlID": "C-0066",
+ "patch": {
+ "name": "Secret/etcd encryption enabled"
+ }
+ },
+ {
+ "controlID": "C-0069",
+ "patch": {
+ "name": "Disable anonymous access to Kubelet service"
+ }
+ },
+ {
+ "controlID": "C-0070",
+ "patch": {
+ "name": "Enforce Kubelet client TLS authentication"
+ }
+ },
+ {
+ "controlID": "C-0074",
+ "patch": {
+ "name": "Container runtime socket mounted"
+ }
+ },
 {
 "controlID": "C-0211",
 "patch": {
@@ -105,28 +135,64 @@
 }
 },
 {
- "controlID": "C-0262",
+ "controlID": "C-0255",
 "patch": {
- "name": "Anonymous access enabled"
+ "name": "Workload with secret access"
 }
 },
 {
- "controlID": "C-0265",
+ "controlID": "C-0256",
 "patch": {
- "name": "Authenticated user has sensitive permissions"
+ "name": "Exposure to Internet"
 }
 },
 {
- "controlID": "C-0057",
+ "controlID": "C-0257",
 "patch": {
- "name": "Privileged container"
+ "name": "Workload with PVC access"
 }
 },
 {
- "controlID": "C-0038",
+ "controlID": "C-0258",
 "patch": {
- "name": "Host PID/IPC privileges"
+ "name": "Workload with configMap access"
+ }
+ },
+ {
+ "controlID": "C-0259",
+ "patch": {
+ "name": "Workload with credential access"
+ }
+ },
+ {
+ "controlID": "C-0260",
+ "patch": {
+ "name": "Missing network policy"
+ }
+ },
+ {
+ "controlID": "C-0261",
+ "patch": {
+ "name": "ServiceAccount token mounted"
+ }
+ },
+ {
+ "controlID": "C-0262",
+ "patch": {
+ "name": "Anonymous access enabled"
+ }
+ },
+ {
+ "controlID": "C-0264",
+ "patch": {
+ "name": "PersistentVolume without encyption"
+ }
+ },
+ {
+ "controlID": "C-0265",
+ "patch": {
+ "name": "Authenticated user has sensitive permissions"
 }
 }
 ]
-}
+}
\ No newline at end of file
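Review bot: The new closing `+}` at the end of the -105,28 hunk is flagged `\ No newline at end of file`, whereas the removed `-}` ended with a newline, so the rewrite drops the trailing newline; the file should end with `}` followed by a newline so the next edit does not show a spurious one-line change and line-oriented tools see a complete last line. Separately, the added C-0264 entry spells its title `"PersistentVolume without encyption"`; unless that deliberately mirrors the control's canonical name in the control library (worth confirming before changing, since `patch.name` overrides what is displayed), it should read `"name": "PersistentVolume without encryption"`.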