kubescape · dwertent · Jul 30, 2023 · Jul 11, 2023 · Jul 11, 2023 · Jul 11, 2023
diff --git a/README.md b/README.md
@@ -34,7 +34,7 @@ Example of a framework:
     },
     "controlsNames": [
         "Naked PODs",
-        "Containers mounting Docker socket",
+        "Container runtime socket mounted",
         "Image pull policy on latest tag",
         "Label usage for resources",
         "K8s common labels usage",
@@ -76,12 +76,20 @@ Example of a control:
             "cluster",
             "file"
         ]
-    }
+    },
+     "category": {
+        "name" : "Workload",
+        "subCategory": {
+            "name": "Resource management"
+        }
+   }
 }
 ```
 * Attribute `"armoBuiltin": true` - mandatory for armo rules. Only ARMO team members are authorized to create builtin objects.
 * `rulesNames` -  List of rules to run, must be exact name. Use copy-paste to be sure.
 * `scanningScope` - this control will run just if kubescape scan process match to the scope in the list.(for example the control above will run if the running kubescape scan is for scanning cluster or file) - list of allowed scanning scope ``` [["cluster", "file"], ["cluster"], ["cloud"], ["GKE"], ["EKS"], ["AKS"]] ```
+* `category` - The category the control belongs to. Some controls may also define a `subCategory`. The available categories/sub categories are listed under the `mapCategoryNameToID.json` file, mapped to their respective IDs
+* `subCategory` - A sub category for a `category` (optional). Must be listed under the  `mapCategoryNameToID.json` file
 
 
 * `long_description`, `test` and other control fields are used mainly in the [documentation](https://hub.armosec.io/docs)

diff --git a/categories/mapCategoryNameToID.json b/categories/mapCategoryNameToID.json
@@ -0,0 +1,11 @@
+{
+    "Control plane": "Cat-1",
+    "Access control": "Cat-2",
+    "Secrets": "Cat-3",
+    "Network": "Cat-4",
+    "Workload": "Cat-5",
+    "Supply chain": "Cat-6",
+    "Resource management": "Cat-7",
+    "Storage": "Cat-8",
+    "Node escape": "Cat-9"
+}
diff --git a/controls/C-0001-forbiddencontainerregistries.json b/controls/C-0001-forbiddencontainerregistries.json
@@ -21,6 +21,9 @@
     "controlID": "C-0001",
     "baseScore": 7.0,
     "example": "@controls/examples/c001.yaml",
+    "category": {
+        "name" : "Workload"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0002-execintocontainer.json b/controls/C-0002-execintocontainer.json
@@ -22,6 +22,9 @@
     "controlID": "C-0002",
     "baseScore": 5.0,
     "example": "@controls/examples/c002.yaml",
+    "category": {
+        "name" : "Access control"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0004-resourcesmemorylimitandrequest.json b/controls/C-0004-resourcesmemorylimitandrequest.json
@@ -16,6 +16,12 @@
     "controlID": "C-0004",
     "example": "@controls/examples/c004.yaml",
     "baseScore": 8.0,
+    "category": {
+        "name" : "Workload",
+        "subCategory": {
+            "name": "Resource management"
+        }
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0005-apiserverinsecureportisenabled.json b/controls/C-0005-apiserverinsecureportisenabled.json
@@ -15,6 +15,9 @@
     "long_description": "The control plane is the core of Kubernetes and gives users the ability to view containers, schedule new Pods, read Secrets, and execute commands in the cluster. Therefore, it should be protected. It is recommended to avoid control plane exposure to the Internet or to an untrusted network. The API server runs on ports 6443 and 8080. We recommend to block them in the firewall. Note also that port 8080, when accessed through the local machine, does not require TLS encryption, and the requests bypass authentication and authorization modules.",
     "test": "Check if the insecure-port flag is set (in case of cloud vendor hosted Kubernetes service this verification will not be effective).",
     "controlID": "C-0005",
+    "category": {
+        "name" : "Control plane"
+   },
     "baseScore": 9,
     "scanningScope": {
         "matches": [

diff --git a/controls/C-0007-datadestruction.json b/controls/C-0007-datadestruction.json
@@ -19,6 +19,9 @@
     "long_description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.",
     "test": "Check which subjects have delete/deletecollection RBAC permissions on workloads.",
     "controlID": "C-0007",
+    "category": {
+        "name" : "Access control"
+   },
     "baseScore": 5,
     "example": "@controls/examples/c007.yaml",
     "scanningScope": {

diff --git a/controls/C-0009-resourcelimits.json b/controls/C-0009-resourcelimits.json
@@ -24,6 +24,9 @@
     "controlID": "C-0009",
     "baseScore": 7.0,
     "example": "@controls/examples/c009.yaml",
+    "category": {
+        "name" : "Workload"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0012-applicationscredentialsinconfigurationfiles.json b/controls/C-0012-applicationscredentialsinconfigurationfiles.json
@@ -23,6 +23,9 @@
     "test": "Check if the pod has sensitive information in environment variables, by using list of known sensitive key names. Check if there are configmaps with sensitive information.",
     "controlID": "C-0012",
     "baseScore": 8.0,
+    "category": {
+        "name" : "Secrets"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0013-nonrootcontainers.json b/controls/C-0013-nonrootcontainers.json
@@ -17,6 +17,12 @@
     "controlID": "C-0013",
     "baseScore": 6.0,
     "example": "@controls/examples/c013.yaml",
+    "category": {
+        "name": "Workload",
+        "subCategory": {
+            "name": "Node escape"
+        }
+    },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0014-accesskubernetesdashboard.json b/controls/C-0014-accesskubernetesdashboard.json
@@ -22,6 +22,9 @@
     "test": "Check who is associated with the dashboard service account or bound to dashboard role/clusterrole.",
     "controlID": "C-0014",
     "baseScore": 2.0,
+    "category": {
+        "name" : "Access control"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0015-listkubernetessecrets.json b/controls/C-0015-listkubernetessecrets.json
@@ -22,6 +22,9 @@
     "controlID": "C-0015",
     "baseScore": 7.0,
     "example": "@controls/examples/c015.yaml",
+    "category": {
+        "name" : "Access control"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0016-allowprivilegeescalation.json b/controls/C-0016-allowprivilegeescalation.json
@@ -16,6 +16,12 @@
     "controlID": "C-0016",
     "baseScore": 6.0,
     "example": "@controls/examples/allowprivilegeescalation.yaml",
+    "category": {
+        "name": "Workload",
+        "subCategory": {
+            "name": "Node escape"
+        }
+    },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0017-immutablecontainerfilesystem.json b/controls/C-0017-immutablecontainerfilesystem.json
@@ -25,6 +25,12 @@
     "controlID": "C-0017",
     "baseScore": 3.0,
     "example": "@controls/examples/c017.yaml",
+    "category": {
+        "name": "Workload",
+        "subCategory": {
+            "name": "Node escape"
+        }
+    },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0018-configuredreadinessprobe.json b/controls/C-0018-configuredreadinessprobe.json
@@ -14,6 +14,9 @@
     "long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.",
     "controlID": "C-0018",
     "example": "@controls/examples/c018.yaml",
+    "category": {
+        "name" : "Workload"
+   },
     "baseScore": 3.0,
     "scanningScope": {
         "matches": [

diff --git a/controls/C-0020-mountserviceprincipal.json b/controls/C-0020-mountserviceprincipal.json
@@ -19,6 +19,9 @@
     "test": "Check which workloads have volumes with potential access to known cloud credentials folders or files in node, like \u201c/etc/kubernetes/azure.json\u201d for Azure.",
     "controlID": "C-0020",
     "baseScore": 4.0,
+    "category": {
+        "name" : "Workload"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0021-exposedsensitiveinterfaces.json b/controls/C-0021-exposedsensitiveinterfaces.json
@@ -20,6 +20,9 @@
     "test": "Checking if a service of type nodeport/loadbalancer to one of the known exploited interfaces (Apache NiFi, Kubeflow, Argo Workflows, Weave Scope Kubernetes dashboard) exists. Needs to add user config",
     "controlID": "C-0021",
     "baseScore": 6.0,
+    "category": {
+        "name" : "Workload"
+   },
     "scanningScope": {
         "matches": [
             "cluster"

diff --git a/controls/C-0026-kubernetescronjob.json b/controls/C-0026-kubernetescronjob.json
@@ -18,6 +18,9 @@
     "test": "We list all CronJobs that exist in cluster for the user to approve.",
     "controlID": "C-0026",
     "baseScore": 1.0,
+    "category": {
+        "name" : "Workload"
+   },
     "scanningScope": {
         "matches": [
             "cluster"

diff --git a/controls/C-0030-ingressandegressblocked.json b/controls/C-0030-ingressandegressblocked.json
@@ -16,6 +16,9 @@
     "controlID": "C-0030",
     "baseScore": 6.0,
     "example": "@controls/examples/c030.yaml",
+    "category": {
+        "name" : "Network"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0031-deletekubernetesevents.json b/controls/C-0031-deletekubernetesevents.json
@@ -22,6 +22,9 @@
     "controlID": "C-0031",
     "baseScore": 4.0,
     "example": "@controls/examples/c031.yaml",
+    "category": {
+        "name" : "Access control"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0034-automaticmappingofserviceaccount.json b/controls/C-0034-automaticmappingofserviceaccount.json
@@ -17,6 +17,9 @@
     "controlID": "C-0034",
     "baseScore": 6.0,
     "example": "@controls/examples/c034.yaml",
+    "category": {
+        "name" : "Secrets"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0035-clusteradminbinding.json b/controls/C-0035-clusteradminbinding.json
@@ -21,6 +21,9 @@
     "test": "Check which subjects have cluster-admin RBAC permissions \u2013 either by being bound to the cluster-admin clusterrole, or by having equivalent high privileges.  ",
     "controlID": "C-0035",
     "baseScore": 6.0,
+    "category": {
+        "name" : "Access control"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0036-maliciousadmissioncontrollervalidating.json b/controls/C-0036-maliciousadmissioncontrollervalidating.json
@@ -1,5 +1,5 @@
 {
-    "name": "Malicious admission controller (validating)",
+    "name": "Validate admission controller (validating)",
     "attributes": {
         "armoBuiltin": true,
         "microsoftMitreColumns": [
@@ -17,6 +17,9 @@
     ],
     "controlID": "C-0036",
     "baseScore": 3.0,
+    "category": {
+        "name" : "Access control"
+   },
     "scanningScope": {
         "matches": [
             "cluster"

diff --git a/controls/C-0037-corednspoisoning.json b/controls/C-0037-corednspoisoning.json
@@ -19,6 +19,9 @@
     "test": "Check who has update/patch RBAC permissions on \u2018coredns\u2019 configmaps, or to all configmaps.",
     "controlID": "C-0037",
     "baseScore": 4.0,
+    "category": {
+        "name" : "Access control"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0038-hostpidipcprivileges.json b/controls/C-0038-hostpidipcprivileges.json
@@ -16,6 +16,12 @@
     "controlID": "C-0038",
     "baseScore": 7.0,
     "example": "@controls/examples/c038.yaml",
+    "category": {
+        "name": "Workload",
+        "subCategory": {
+            "name": "Node escape"
+        }
+    },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0039-maliciousadmissioncontrollermutating.json b/controls/C-0039-maliciousadmissioncontrollermutating.json
@@ -1,5 +1,5 @@
 {
-    "name": "Malicious admission controller (mutating)",
+    "name": "Validate admission controller (mutating)",
     "attributes": {
         "armoBuiltin": true,
         "microsoftMitreColumns": [
@@ -17,6 +17,9 @@
     ],
     "controlID": "C-0039",
     "baseScore": 4.0,
+    "category": {
+        "name" : "Access control"
+   },
     "scanningScope": {
         "matches": [
             "cluster"

diff --git a/controls/C-0041-hostnetworkaccess.json b/controls/C-0041-hostnetworkaccess.json
@@ -25,6 +25,12 @@
     "controlID": "C-0041",
     "baseScore": 7.0,
     "example": "@controls/examples/c041.yaml",
+    "category": {
+        "name" : "Workload",
+        "subCategory": {
+        "name": "Network"
+        }
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0042-sshserverrunninginsidecontainer.json b/controls/C-0042-sshserverrunninginsidecontainer.json
@@ -19,6 +19,9 @@
     "test": "Check if service connected to some workload has an SSH port (22/2222). If so we raise an alert. ",
     "controlID": "C-0042",
     "baseScore": 3.0,
+    "category": {
+        "name" : "Workload"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0044-containerhostport.json b/controls/C-0044-containerhostport.json
@@ -32,6 +32,9 @@
     "controlID": "C-0044",
     "baseScore": 4.0,
     "example": "@controls/examples/c044.yaml",
+    "category": {
+        "name" : "Network"
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0045-writablehostpathmount.json b/controls/C-0045-writablehostpathmount.json
@@ -31,6 +31,12 @@
     "controlID": "C-0045",
     "baseScore": 8.0,
     "example": "@controls/examples/c045.yaml",
+    "category": {
+        "name" : "Workload",
+        "subCategory": {
+        "name": "Storage"
+        }
+   },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0046-insecurecapabilities.json b/controls/C-0046-insecurecapabilities.json
@@ -26,6 +26,12 @@
     "controlID": "C-0046",
     "baseScore": 7.0,
     "example": "@controls/examples/c046.yaml",
+    "category": {
+        "name": "Workload",
+        "subCategory": {
+            "name": "Node escape"
+        }
+    },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0048-hostpathmount.json b/controls/C-0048-hostpathmount.json
@@ -26,6 +26,12 @@
     ],
     "controlID": "C-0048",
     "baseScore": 7.0,
+    "category": {
+        "name": "Workload",
+        "subCategory": {
+            "name": "Storage"
+        }
+    },
     "scanningScope": {
         "matches": [
             "cluster",

diff --git a/controls/C-0049-networkmapping.json b/controls/C-0049-networkmapping.json
@@ -20,6 +20,9 @@
     "controlID": "C-0049",
     "baseScore": 3.0,
     "example": "@controls/examples/c049.yaml",
+    "category": {
+        "name" : "Network"
+   },
     "scanningScope": {
         "matches": [
             "cluster",