Commit

clarify control descriptions and remediations
YiscahLevySilas1 committed Oct 4, 2021
1 parent e089fd7 commit 705b4d6
Showing 30 changed files with 45 additions and 45 deletions.
4 changes: 2 additions & 2 deletions controls/Applicationscredentialsinconfigurationfiles.json
Expand Up @@ -7,8 +7,8 @@
"Lateral Movement"
]
},
"description": "Attackers who have access to configuration files can steal the stored secrets and use them. Checks if ConfigMaps or pods have sensitive information in configuration.",
"remediation": "Use Kubernetes secrets to store credentials. Use ARMO secret protection solution to improve your security even more.",
"description": "Attackers who have access to configuration files can steal the stored secrets and use them. This control checks if ConfigMaps or pods have sensitive information in configuration.",
"remediation": "Use Kubernetes secrets to store credentials.",
"rulesNames": [
"rule-credentials-in-env-var",
"rule-credentials-configmap"
2 changes: 1 addition & 1 deletion controls/ListKubernetessecrets.json
Expand Up @@ -7,7 +7,7 @@
]
},
"description": "Attackers who have permissions to access secrets can access sensitive information that might include credentials to various services. This control determines which subjects can list/get secrets.",
"remediation": "Monitor and approve users and service accounts that can access secrets.",
"remediation": "Monitor and approve subjects and service accounts that can access secrets.",
"rulesNames": [
"rule-can-list-get-secrets"
],
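Review bot: "subjects and service accounts" in the new remediation is redundant, since service accounts are one kind of subject (the description itself says "which subjects can list/get secrets"). Suggest "Monitor and approve the subjects (users, groups and service accounts) that can access secrets." so the wording matches the other controls touched in this commit.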
4 changes: 2 additions & 2 deletions controls/SSHserverrunninginsidecontainer.json
Expand Up @@ -6,8 +6,8 @@
"Execution"
]
},
"description": "An SSH server that is running inside a container may be used by attackers to get remote access to the container. Checks if pods have an open SSH port (22/2222).",
"remediation": "Remove SSH from the container image or limit the access to the SSH server using network policy (Native or ARMO runtime protection).",
"description": "An SSH server that is running inside a container may be used by attackers to get remote access to the container. This control checks if pods have an open SSH port (22/2222).",
"remediation": "Remove SSH from the container image or limit the access to the SSH server using network policies.",
"rulesNames": [
"rule-can-ssh-to-pod"
],
2 changes: 1 addition & 1 deletion controls/accesscontainerserviceaccount.json
Expand Up @@ -6,7 +6,7 @@
"Credential access"
]
},
"description": "Attackers who get access to a pod can access the SA and perform actions in the cluster, according to the SA permissions. Determines which service accounts can be used to access other resources in the cluster.",
"description": "Attackers who get access to a pod can access the SA and perform actions in the cluster, according to the SA permissions. This control determines which service accounts can be used to access other resources in the cluster.",
"remediation": "If RBAC is not enabled, you should enable RBAC (refer to the API server documentation). If RBAC is enabled, make sure that you apply least privilege. Monitor and approve privileges of workloads which use kube-api.",
"rulesNames": [
"access-container-service-account"
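Review bot: the description still uses the unexpanded abbreviation "SA" twice while the second sentence and the remediation spell out "service accounts"; suggest "can access the service account and perform actions in the cluster, according to its permissions." Also "kube-api" in the remediation would read better as "the Kubernetes API" for consistency with the rest of the controls.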
2 changes: 1 addition & 1 deletion controls/accessk8sdashboard.json
Expand Up @@ -7,7 +7,7 @@
"Lateral Movement"
]
},
"description": "Attackers who gain access to the dashboard service account or have its RBAC permissions can use its network access to retrieve information about resources in the cluster or change them. Checks if subject that is not dashboard service account is bound to dashboard role/clusterrole, or - if anyone that is not dashboard pod is associated with its service account.",
"description": "Attackers who gain access to the dashboard service account or have its RBAC permissions can use its network access to retrieve information about resources in the cluster or change them. This control checks if a subject that is not dashboard service account is bound to dashboard role/clusterrole, or - if anyone that is not dashboard pod is associated with its service account.",
"remediation": "Make sure that the \u201cKubernetes Dashboard\u201d service account is only bound to the Kubernetes dashboard following the least privilege principle.",
"rulesNames": [
"rule-access-dashboard"
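Review bot: the new second sentence has a stray " - " and missing articles. Suggest "This control checks if a subject other than the dashboard service account is bound to the dashboard role/clusterrole, or if a pod other than the dashboard pod uses its service account."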
4 changes: 2 additions & 2 deletions controls/accesskubeletAPI.json
Expand Up @@ -6,8 +6,8 @@
"Discovery"
]
},
"description": "Kubelet is the Kubernetes agent that is installed on each node. Kubelet is responsible for the proper execution of pods that are assigned to the node. Kubelet exposes a read-only API service that does not require authentication (TCP port 10255). Attackers with network access to the host (for example, via running code on a compromised container) can send API requests to the Kubelet API. Specifically querying https://[NODE IP]:10255/pods/ retrieves the running pods on the node. https://[NODE IP]:10255/spec/ retrieves information about the node itself, such as CPU and memory consumption.",
"remediation": "Define network policy (native kubernetes or using ARMO runtime protection). Use ARMO runtime protection capabilities to monitor network traffic.",
"description": "Attackers with network access to the host can send API requests to the Kubelet API. This control checks if there is a network policy defined.",
"remediation": "Define network policies.",
"rulesNames": [],
"id": "C-0003"
}
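Review bot: the new description says "This control checks if there is a network policy defined", but "rulesNames" is still an empty list, so nothing is actually evaluated. Either attach the rule used by the other network policy controls in this commit ("internal-networking") or word the description so it does not promise a check. The shortened text also drops the explanation of what is being protected (the read-only kubelet API on TCP port 10255 and the /pods/ and /spec/ endpoints); keeping one sentence of that context would tell the user why a network policy is the remediation.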
2 changes: 1 addition & 1 deletion controls/accesstillerendpoint.json
Expand Up @@ -6,7 +6,7 @@
"Lateral movement"
]
},
"description": "Attackers may run code on any container that is accessible to the tiller\u2019s service and perform actions in the cluster, using the tiller\u2019s service account, which often has high privileges. Checks if Tiller exists in cluster.",
"description": "Attackers may run code on any container that is accessible to the tiller\u2019s service and perform actions in the cluster, using the tiller\u2019s service account, which often has high privileges. This control checks if Tiller exists in cluster.",
"remediation": "Use version higher than 2 of Helm which doesn\u2019t use Tiller",
"rulesNames": [
"access-tiller-endpoint"
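Review bot: the remediation was not touched but is in scope for a "clarify remediations" commit: "Use version higher than 2 of Helm which doesn\u2019t use Tiller" lacks a trailing period and reads awkwardly; suggest "Use Helm 3 or later, which does not use Tiller." Also "Tiller exists in cluster" in the description should be "in the cluster".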
4 changes: 2 additions & 2 deletions controls/backdoorcontainer.json
Expand Up @@ -6,8 +6,8 @@
"Persistence"
]
},
"description": "Attackers run their malicious code in a container in the cluster. By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster.",
"remediation": "You should apply least privilege principle (we can point to our audit/least privilege screen). Approve the users who can create new containers.",
"description": "Attackers run their malicious code in a container in the cluster. By using the Kubernetes controllers such as DaemonSets or Deployments, attackers can ensure that a constant number of containers run in one, or all, the nodes in the cluster. This control determines which subjects have permissions to create/modify pods.",
"remediation": "You should apply least privilege principle. Approve the subjects who can create new containers.",
"rulesNames": [
"rule-can-create-modify-pod"
],
4 changes: 2 additions & 2 deletions controls/bash-cmdinsidecontainer.json
Expand Up @@ -6,8 +6,8 @@
"Execution"
]
},
"description": "Attackers who can run new processes inside a container might use cmd/bash script inside a container can use it to execute malicious code. Determines which containers have bash/cmd inside it.",
"remediation": "Remove cmd/bash from the containers you are using.",
"description": "Attackers who can run new processes inside a container might use cmd/bash script inside a container to execute malicious code. This control determines which containers have bash/cmd inside it.",
"remediation": "Consider removing cmd/bash from your containers.",
"rulesNames": [
"rule-can-bash-cmd-inside-container"
],
4 changes: 2 additions & 2 deletions controls/clearcontainerlogs.json
Expand Up @@ -6,8 +6,8 @@
"Defense Evasion"
]
},
"description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity.",
"remediation": "You should apply least privilege principle. Approve the users who can delete logs inside containers.",
"description": "Attackers may delete the application or OS logs on a compromised container in an attempt to prevent detection of their activity. This control determines which subjects have permissions to delete logs.",
"remediation": "You should apply least privilege principle. Approve the subjects who can delete logs inside containers.",
"rulesNames": [
"rule-can-delete-logs"
],
2 changes: 1 addition & 1 deletion controls/cluster-adminbinding.json
Expand Up @@ -7,7 +7,7 @@
]
},
"description": "Attackers who have Cluster-admin permissions (can perform any action on any resource), can take advantage of their high privileges for malicious intentions. This control determines which subjects have cluster admin permissions.",
"remediation": "You should apply least privilege principle. Monitor and approve cluster admins and make sure users that do not require cluster-admin are not assigned this role.",
"remediation": "You should apply least privilege principle. Monitor and approve cluster admins and make sure subjects that do not require cluster-admin are not assigned this role.",
"rulesNames": [
"rule-list-all-cluster-admins"
],
4 changes: 2 additions & 2 deletions controls/clusterInternalnetworking.json
Expand Up @@ -6,8 +6,8 @@
"Lateral movement"
]
},
"description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. Lists namespaces in which no network policies are defined.",
"remediation": "Define network policy (native K8s or using ARMO runtime protection).",
"description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. This control lists namespaces in which no network policies are defined.",
"remediation": "Define network policies.",
"rulesNames": [
"internal-networking"
],
2 changes: 1 addition & 1 deletion controls/compromisedimagesinregistry.json
Expand Up @@ -7,7 +7,7 @@
]
},
"description": "In cases where the Kubernetes cluster is deployed in a public cloud (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to cluster takeover. Attackers who have access to the cloud account credentials can get access to the cluster\u2019s management layer.",
"remediation": "Limit the registries from which you pull container images. ",
"remediation": "Limit the registries from which you pull container images.",
"rulesNames": [
"rule-identify-blacklisted-image-registries"
],
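Review bot: the description does not match this control. The file is compromisedimagesinregistry.json, the rule is "rule-identify-blacklisted-image-registries" and the remediation is "Limit the registries from which you pull container images", yet the description talks about compromised cloud credentials leading to cluster takeover. Since this commit only strips a trailing space here, the description should be rewritten to describe the actual check (images pulled from untrusted or unapproved registries), or the cloud-credential text moved to the control it belongs to.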
4 changes: 2 additions & 2 deletions controls/coreDNSpoisoning.json
Expand Up @@ -6,8 +6,8 @@
"Lateral Movement"
]
},
"description": "If attackers have permissions to modify the coredns ConfigMap, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services. Determines which users can update/patch the 'coredns' configmap.",
"remediation": "You should apply least privilege principle. Monitor and approve the users who can modify the 'coredns' configmap.",
"description": "If attackers have permissions to modify the coredns ConfigMap they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services. This control determines which subjects can update/patch the 'coredns' configmap.",
"remediation": "You should apply least privilege principle. Monitor and approve the subjects who can modify the 'coredns' configmap.",
"rulesNames": [
"rule-can-update-configmap"
],
4 changes: 2 additions & 2 deletions controls/datadestruction.json
Expand Up @@ -6,8 +6,8 @@
"Impact"
]
},
"description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources. Determines which subjects can delete resources.",
"remediation": "You should apply least privilege principle. Monitor and approve the users who can delete resources.",
"description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources. This control determines which subjects can delete resources.",
"remediation": "You should apply least privilege principle. Monitor and approve the subjects who can delete resources.",
"rulesNames": [
"rule-excessive-delete-rights"
],
4 changes: 2 additions & 2 deletions controls/deleteKubernetesevents.json
Expand Up @@ -6,8 +6,8 @@
"Defense evasion"
]
},
"description": "Attackers may delete these events to avoid detection of their activity in the cluster. Determines which subjects can delete k8s events.",
"remediation": "You should apply least privilege principle. Monitor and approve the users who can delete events.",
"description": "Attackers may delete these events to avoid detection of their activity in the cluster. This control determines which subjects can delete Kubernetes events.",
"remediation": "You should apply least privilege principle. Monitor and approve the subjects who can delete events.",
"rulesNames": [
"rule-can-delete-k8s-events"
],
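Review bot: "Attackers may delete these events" has no antecedent; the description never says what events are meant before referring to "these". Suggest opening with "Kubernetes events record activity in the cluster. Attackers may delete them to avoid detection of their activity." so the sentence stands on its own in the UI.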
4 changes: 2 additions & 2 deletions controls/execintocontainer.json
Expand Up @@ -6,8 +6,8 @@
"Execution"
]
},
"description": "Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (\u201ckubectl exec\u201d). Determines which subjects have permissions to exec into containers.",
"remediation": "You should apply least privilege principal (we can point to our audit/least privilege screen). You should monitor and approve users who can exec into containers.",
"description": "Attackers who have the relevant permissions can run malicious commands in containers in the cluster using the exec command (\u201ckubectl exec\u201d). This control determines which subjects have permissions to exec into containers.",
"remediation": "You should apply least privilege principal. You should monitor and approve subjects who can exec into containers.",
"rulesNames": [
"exec-into-container"
],
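Review bot: "least privilege principal" in the remediation is a typo for "principle" (every other remediation in this commit uses "least privilege principle"); the new line keeps the typo from the old one. Suggest "You should apply the least privilege principle. Monitor and approve subjects who can exec into containers."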
2 changes: 1 addition & 1 deletion controls/exposedsensitiveinterfaces.json
Expand Up @@ -6,7 +6,7 @@
"Initial access"
]
},
"description": "Exposing a sensitive interface to the internet poses a security risk. It might enable attacker to run malicious code or deploy containers in the cluster. Checks if known interfaces have externally exposed services.",
"description": "Exposing a sensitive interface to the internet poses a security risk. It might enable attackers to run malicious code or deploy containers in the cluster. This control checks if known interfaces have externally exposed services.",
"remediation": "Consider not exposing such interfaces.",
"rulesNames": [
"exposed-sensitive-interfaces"
2 changes: 1 addition & 1 deletion controls/hostPathmount.json
Expand Up @@ -7,7 +7,7 @@
]
},
"description": "Mounting host directory to the container can be used by attackers to get access to the underlying host.",
"remediation": "Try to refrain from using host path mount. You can use ARMO runtime protection (encryption capability) to encrypt these files.",
"remediation": "Try to refrain from using host path mount.",
"rulesNames": [
"alert-any-hostpath"
],
2 changes: 1 addition & 1 deletion controls/instancemetadataAPI..json
Expand Up @@ -6,7 +6,7 @@
"Discovery"
]
},
"description": "Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. Checks if there is access from the nodes to cloud providers instance metadata services.",
"description": "Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. This control checks if there is access from the nodes to cloud providers instance metadata services.",
"remediation": "Disable metadata services for pods in cloud provider settings.",
"rulesNames": [
"instance-metadata-api-access"
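Review bot: two small issues in the new description: the comma after "container" splits subject from verb, and "cloud providers instance metadata services" needs a possessive. Suggest "Attackers who gain access to a container may query the metadata API service to get information about the underlying node. This control checks if there is access from the nodes to the cloud provider's instance metadata service." Separately, the file name instancemetadataAPI..json has a doubled dot that looks unintentional.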
2 changes: 1 addition & 1 deletion controls/maliciousadmissioncontroller-mutating.json
Expand Up @@ -6,7 +6,7 @@
"Persistence"
]
},
"description": "Attackers can use mutating webhooks to intercept and modify resources in the cluster. Returns mutating webhook configurations to be verified.",
"description": "Attackers can use mutating webhooks to intercept and modify resources in the cluster. This control lists mutating webhook configurations to be verified.",
"remediation": "Analyze webhook for malicious behavior",
"rulesNames": [
"list-all-mutating-webhooks"
2 changes: 1 addition & 1 deletion controls/maliciousadmissioncontroller-validating.json
Expand Up @@ -6,7 +6,7 @@
"Credential access"
]
},
"description": "Attackers can use mutating webhooks to intercept and modify resources in the cluster. Returns mutating webhook configurations to be verified.",
"description": "Attackers can use mutating webhooks to intercept and modify resources in the cluster. This control lists validating webhook configurations to be verified.",
"remediation": "Analyze webhook for malicious behavior.",
"rulesNames": [
"list-all-validating-webhooks"
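Review bot: only the second sentence was corrected; the first still says "Attackers can use mutating webhooks to intercept and modify resources", which is copied from the mutating control. For this file (rule "list-all-validating-webhooks") it should describe validating webhooks, e.g. "Attackers can use validating webhooks to intercept and reject or monitor resources in the cluster."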
2 changes: 1 addition & 1 deletion controls/mountserviceprincipal.json
Expand Up @@ -7,7 +7,7 @@
]
},
"description": "When a cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. This control determines if any workload contains a hostPath volume.",
"remediation": "Try to refrain from using host path mount. You can use ARMO runtime protection (encryption capability) to encrypt these files.",
"remediation": "Try to refrain from using host path mount.",
"rulesNames": [
"alert-any-hostpath"
],
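Review bot: this control and hostPathmount.json now have the identical remediation and the same rule ("alert-any-hostpath"), and this description's second sentence ("determines if any workload contains a hostPath volume") is the same check. If both controls are meant to exist, the description and remediation here should say what distinguishes the service-principal case (cloud credential files reachable through the host mount); otherwise consider folding one into the other.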
2 changes: 1 addition & 1 deletion controls/namesimilarity.json
Expand Up @@ -6,7 +6,7 @@
"Defense evasion"
]
},
"description": "Pods that are created by controllers such as Deployment or DaemonSet have random suffix in their names. Attackers can use this fact and name their backdoor pods as they were created by the existing controllers. For example, an attacker could create a malicious pod named coredns-{random suffix} which would look related to the CoreDNS Deployment.",
"description": "An attacker could create a malicious pod whose prefix is identical to existing workloads (for example: coredns- {random suffix}, which would look related to the CoreDNS Deployment). This control checks if there are objects with names similar to system pods, or other known deployments.",
"remediation": "You should look at the reported Pods and make sure they were created and developed by your team. It would be wise to change the Pod names.",
"rulesNames": [
"rule-name-similarity"
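Review bot: the rewrite drops the sentence that explained why the attack works (controller-created pods get a random suffix), so the "coredns-{random suffix}" example now appears without context; keep that first sentence. There is also a stray space in "coredns- {random suffix}" in the new text.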
4 changes: 2 additions & 2 deletions controls/networkmapping.json
Expand Up @@ -6,8 +6,8 @@
"Discovery"
]
},
"description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. Lists namespaces in which no network policies are defined.",
"remediation": "Define network policy (native Kubernetes or using ARMO runtime protection). Use ARMO runtime protection capabilities to monitor network traffic.",
"description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. This control lists namespaces in which no network policies are defined.",
"remediation": "Define network policies.",
"rulesNames": [
"internal-networking"
],
4 changes: 2 additions & 2 deletions controls/networkpolicies.json
Expand Up @@ -3,8 +3,8 @@
"attributes": {
"armoBuiltin": true
},
"description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. Lists namespaces in which no network policies are defined.",
"remediation": "Define network policy.",
"description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. This control lists namespaces in which no network policies are defined.",
"remediation": "Define network policies.",
"rulesNames": [
"internal-networking"
],
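Review bot: after this commit networkpolicies.json, networkmapping.json and clusterInternalnetworking.json carry word-for-word the same description and remediation and all reference the single rule "internal-networking", so a user will see three identical findings for one missing policy. Either differentiate the descriptions by the tactic each control maps to (Discovery versus Lateral movement) or keep one control and reference it from the others.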
0 comments on commit 705b4d6