Scanning scope #470

Merged
merged 8 commits into from
Jul 20, 2023
10 changes: 9 additions & 1 deletion README.md
Expand Up @@ -70,11 +70,19 @@ Example of a control:
"test": "Check that there are no pods in the 'default' namespace",
"id": "C-0061",
"controlID": "C-0061",
"baseScore": 3
"baseScore": 3,
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
```
* Attribute `"armoBuiltin": true` - mandatory for armo rules. Only ARMO team members are authorized to create builtin objects.
* `rulesNames` - List of rules to run, must be exact name. Use copy-paste to be sure.
* `scanningScope` - this control will run just if kubescape scan process match to the scope in the list.(for example the control above will run if the running kubescape scan is for scanning cluster or file) - list of allowed scanning scope ``` [["cluster", "file"], ["cluster"], ["cloud"], ["GKE"], ["EKS"], ["AKS"]] ```


* `long_description`, `test` and other control fields are used mainly in the [documentation](https://hub.armosec.io/docs)

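Review bot: the new `scanningScope` bullet does not say what happens when a control omits the field, and the sentence is hard to parse. Suggest stating whether the field is mandatory (every control touched in this PR gets one, which implies it is) and what the default is when it is absent, and rewording along the lines of: `scanningScope` - the control runs only when the current kubescape scan type is one of the values in `matches` (the control above runs for cluster and file scans). The allowed-combination list `[["cluster", "file"], ["cluster"], ["cloud"], ["GKE"], ["EKS"], ["AKS"]]` would also read better as a bullet list, matching the style of the surrounding bullets.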
8 changes: 7 additions & 1 deletion controls/C-0001-forbiddencontainerregistries.json
Expand Up @@ -28,5 +28,11 @@
"test": "Checking image from pod spec, if the registry of the image is from the list of blocked registries we raise an alert.",
"controlID": "C-0001",
"baseScore": 7.0,
"example": "@controls/examples/c001.yaml"
"example": "@controls/examples/c001.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
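Review bot: since `scanningScope` is being added by hand to every control file, consider adding a schema check or unit test that verifies each `controls/*.json` has a `scanningScope.matches` array whose contents are one of the combinations listed in the README, so a typo in a scope name or a missing field is caught in CI rather than silently changing when a control runs.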
8 changes: 7 additions & 1 deletion controls/C-0002-execintocontainer.json
Expand Up @@ -21,5 +21,11 @@
"test": "Check which subjects have RBAC permissions to exec into pods\u2013 if they have the \u201cpods/exec\u201d verb.",
"controlID": "C-0002",
"baseScore": 5.0,
"example": "@controls/examples/c002.yaml"
"example": "@controls/examples/c002.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0004-resourcesmemorylimitandrequest.json
Expand Up @@ -23,5 +23,11 @@
],
"controlID": "C-0004",
"example": "@controls/examples/c004.yaml",
"baseScore": 8.0
"baseScore": 8.0,
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
7 changes: 6 additions & 1 deletion controls/C-0005-apiserverinsecureportisenabled.json
Expand Up @@ -23,5 +23,10 @@
"long_description": "The control plane is the core of Kubernetes and gives users the ability to view containers, schedule new Pods, read Secrets, and execute commands in the cluster. Therefore, it should be protected. It is recommended to avoid control plane exposure to the Internet or to an untrusted network. The API server runs on ports 6443 and 8080. We recommend to block them in the firewall. Note also that port 8080, when accessed through the local machine, does not require TLS encryption, and the requests bypass authentication and authorization modules.",
"test": "Check if the insecure-port flag is set (in case of cloud vendor hosted Kubernetes service this verification will not be effective).",
"controlID": "C-0005",
"baseScore": 9.0
"baseScore": 9,
"scanningScope": {
"matches": [
"cluster"
]
}
}
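Review bot: `"baseScore": 9.0` becoming `"baseScore": 9` is an unrelated change bundled into this hunk. It is harmless for JSON parsers, but it makes the numeric format inconsistent across the repository (C-0018 in this same PR goes the other way, from `3` to `3.0`); suggest keeping `9.0` here or normalising all files in a separate commit.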
10 changes: 8 additions & 2 deletions controls/C-0007-datadestruction.json
Expand Up @@ -19,6 +19,12 @@
"long_description": "Attackers may attempt to destroy data and resources in the cluster. This includes deleting deployments, configurations, storage, and compute resources.",
"test": "Check which subjects have delete/deletecollection RBAC permissions on workloads.",
"controlID": "C-0007",
"baseScore": 5.0,
"example": "@controls/examples/c007.yaml"
"baseScore": 5,
"example": "@controls/examples/c007.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
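Review bot: same unrelated `5.0` to `5` change to `baseScore` as in C-0005; suggest reverting it so this PR only adds `scanningScope`.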
8 changes: 7 additions & 1 deletion controls/C-0009-resourcelimits.json
Expand Up @@ -23,5 +23,11 @@
"test": " Check for each container if there is a \u2018limits\u2019 field defined for both cpu and memory",
"controlID": "C-0009",
"baseScore": 7.0,
"example": "@controls/examples/c009.yaml"
"example": "@controls/examples/c009.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
Expand Up @@ -36,5 +36,11 @@
"long_description": "Developers store secrets in the Kubernetes configuration files, such as environment variables in the pod configuration. Such behavior is commonly seen in clusters that are monitored by Azure Security Center. Attackers who have access to those configurations, by querying the API server or by accessing those files on the developer\u2019s endpoint, can steal the stored secrets and use them.",
"test": "Check if the pod has sensitive information in environment variables, by using list of known sensitive key names. Check if there are configmaps with sensitive information.",
"controlID": "C-0012",
"baseScore": 8.0
"baseScore": 8.0,
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0013-nonrootcontainers.json
Expand Up @@ -24,5 +24,11 @@
"test": "Verify if runAsUser and runAsGroup are set to a user id greater than 999. Check that the allowPrivilegeEscalation field is set to false. Check all the combinations with PodSecurityContext and SecurityContext (for containers).",
"controlID": "C-0013",
"baseScore": 6.0,
"example": "@controls/examples/c013.yaml"
"example": "@controls/examples/c013.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0014-accesskubernetesdashboard.json
Expand Up @@ -21,5 +21,11 @@
"long_description": "The Kubernetes dashboard is a web-based UI that is used for monitoring and managing the Kubernetes cluster. The dashboard allows users to perform actions in the cluster using its service account (Kubernetes-dashboard) with the permissions that are determined by the binding or cluster-binding for this service account. Attackers who gain access to a container in the cluster, can use its network access to the dashboard pod. Consequently, attackers may retrieve information about the various resources in the cluster using the dashboard\u2019s identity.",
"test": "Check who is associated with the dashboard service account or bound to dashboard role/clusterrole.",
"controlID": "C-0014",
"baseScore": 2.0
"baseScore": 2.0,
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0015-listkubernetessecrets.json
Expand Up @@ -29,5 +29,11 @@
"test": "Alerting on users which have get/list/watch RBAC permissions on secrets. ",
"controlID": "C-0015",
"baseScore": 7.0,
"example": "@controls/examples/c015.yaml"
"example": "@controls/examples/c015.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0016-allowprivilegeescalation.json
Expand Up @@ -23,5 +23,11 @@
"test": " Check that the allowPrivilegeEscalation field in securityContext of container is set to false. ",
"controlID": "C-0016",
"baseScore": 6.0,
"example": "@controls/examples/allowprivilegeescalation.yaml"
"example": "@controls/examples/allowprivilegeescalation.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0017-immutablecontainerfilesystem.json
Expand Up @@ -25,5 +25,11 @@
"test": "Check whether the readOnlyRootFilesystem field in the SecurityContext is set to true. ",
"controlID": "C-0017",
"baseScore": 3.0,
"example": "@controls/examples/c017.yaml"
"example": "@controls/examples/c017.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0018-configuredreadinessprobe.json
Expand Up @@ -14,5 +14,11 @@
"long_description": "Readiness probe is intended to ensure that workload is ready to process network traffic. It is highly recommended to define readiness probe for every worker container. This control finds all the PODs where the readiness probe is not configured.",
"controlID": "C-0018",
"example": "@controls/examples/c018.yaml",
"baseScore": 3
"baseScore": 3.0,
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
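Review bot: `baseScore` changes from `3` to `3.0` here while C-0005 and C-0007 change in the opposite direction in this PR; pick one numeric format for all controls rather than mixing both in one change set.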
8 changes: 7 additions & 1 deletion controls/C-0020-mountserviceprincipal.json
Expand Up @@ -18,5 +18,11 @@
"long_description": "When the cluster is deployed in the cloud, in some cases attackers can leverage their access to a container in the cluster to gain cloud credentials. For example, in AKS each node contains service principal credential.",
"test": "Check which workloads have volumes with potential access to known cloud credentials folders or files in node, like \u201c/etc/kubernetes/azure.json\u201d for Azure.",
"controlID": "C-0020",
"baseScore": 4.0
"baseScore": 4.0,
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
7 changes: 6 additions & 1 deletion controls/C-0021-exposedsensitiveinterfaces.json
Expand Up @@ -19,5 +19,10 @@
"long_description": "Exposing a sensitive interface to the internet poses a security risk. Some popular frameworks were not intended to be exposed to the internet, and therefore don\u2019t require authentication by default. Thus, exposing them to the internet allows unauthenticated access to a sensitive interface which might enable running code or deploying containers in the cluster by a malicious actor. Examples of such interfaces that were seen exploited include Apache NiFi, Kubeflow, Argo Workflows, Weave Scope, and the Kubernetes dashboard.",
"test": "Checking if a service of type nodeport/loadbalancer to one of the known exploited interfaces (Apache NiFi, Kubeflow, Argo Workflows, Weave Scope Kubernetes dashboard) exists. Needs to add user config",
"controlID": "C-0021",
"baseScore": 6.0
"baseScore": 6.0,
"scanningScope": {
"matches": [
"cluster"
]
}
}
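Review bot: the scope here is `cluster` only, but the control looks for Service objects of type nodeport/loadbalancer, which also appear in manifest files; C-0042 in this PR, also a Service-based check, gets `["cluster", "file"]`. If the restriction is deliberate (for example because the check depends on the user config mentioned in `test`), a README note explaining it would help; otherwise `file` should probably be included as well.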
7 changes: 6 additions & 1 deletion controls/C-0026-kubernetescronjob.json
Expand Up @@ -17,5 +17,10 @@
"long_description": "Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.",
"test": "We list all CronJobs that exist in cluster for the user to approve.",
"controlID": "C-0026",
"baseScore": 1.0
"baseScore": 1.0,
"scanningScope": {
"matches": [
"cluster"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0030-ingressandegressblocked.json
Expand Up @@ -15,5 +15,11 @@
"test": "Check for each Pod whether there is an ingress and egress policy defined (whether using Pod or Namespace). ",
"controlID": "C-0030",
"baseScore": 6.0,
"example": "@controls/examples/c030.yaml"
"example": "@controls/examples/c030.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0031-deletekubernetesevents.json
Expand Up @@ -29,5 +29,11 @@
"test": "List who has delete/deletecollection RBAC permissions on events.",
"controlID": "C-0031",
"baseScore": 4.0,
"example": "@controls/examples/c031.yaml"
"example": "@controls/examples/c031.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0034-automaticmappingofserviceaccount.json
Expand Up @@ -25,5 +25,11 @@
"test": "Check all service accounts on which automount is not disabled. Check all workloads on which they and their service account don't disable automount ",
"controlID": "C-0034",
"baseScore": 6.0,
"example": "@controls/examples/c034.yaml"
"example": "@controls/examples/c034.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0035-clusteradminbinding.json
Expand Up @@ -29,5 +29,11 @@
"long_description": "Role-based access control (RBAC) is a key security feature in Kubernetes. RBAC can restrict the allowed actions of the various identities in the cluster. Cluster-admin is a built-in high privileged role in Kubernetes. Attackers who have permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.",
"test": "Check which subjects have cluster-admin RBAC permissions \u2013 either by being bound to the cluster-admin clusterrole, or by having equivalent high privileges. ",
"controlID": "C-0035",
"baseScore": 6.0
"baseScore": 6.0,
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
7 changes: 6 additions & 1 deletion controls/C-0036-maliciousadmissioncontrollervalidating.json
Expand Up @@ -25,5 +25,10 @@
"list-all-validating-webhooks"
],
"controlID": "C-0036",
"baseScore": 3.0
"baseScore": 3.0,
"scanningScope": {
"matches": [
"cluster"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0037-corednspoisoning.json
Expand Up @@ -26,5 +26,11 @@
"long_description": "CoreDNS is a modular Domain Name System (DNS) server written in Go, hosted by Cloud Native Computing Foundation (CNCF). CoreDNS is the main DNS service that is being used in Kubernetes. The configuration of CoreDNS can be modified by a file named corefile. In Kubernetes, this file is stored in a ConfigMap object, located at the kube-system namespace. If attackers have permissions to modify the ConfigMap, for example by using the container\u2019s service account, they can change the behavior of the cluster\u2019s DNS, poison it, and take the network identity of other services.",
"test": "Check who has update/patch RBAC permissions on \u2018coredns\u2019 configmaps, or to all configmaps.",
"controlID": "C-0037",
"baseScore": 4.0
"baseScore": 4.0,
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0038-hostpidipcprivileges.json
Expand Up @@ -23,5 +23,11 @@
"long_description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.",
"controlID": "C-0038",
"baseScore": 7.0,
"example": "@controls/examples/c038.yaml"
"example": "@controls/examples/c038.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
7 changes: 6 additions & 1 deletion controls/C-0039-maliciousadmissioncontrollermutating.json
Expand Up @@ -24,5 +24,10 @@
"list-all-mutating-webhooks"
],
"controlID": "C-0039",
"baseScore": 4.0
"baseScore": 4.0,
"scanningScope": {
"matches": [
"cluster"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0041-hostnetworkaccess.json
Expand Up @@ -26,5 +26,11 @@
"test": "",
"controlID": "C-0041",
"baseScore": 7.0,
"example": "@controls/examples/c041.yaml"
"example": "@controls/examples/c041.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
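Review bot: the `"test": ""` context line shows this control has an empty test description; since the file is being edited anyway, filling it in would be a cheap improvement, given that the README says `test` and the other control fields feed the documentation.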
8 changes: 7 additions & 1 deletion controls/C-0042-sshserverrunninginsidecontainer.json
Expand Up @@ -18,5 +18,11 @@
"long_description": "SSH server that is running inside a container may be used by attackers. If attackers gain valid credentials to a container, whether by brute force attempts or by other methods (such as phishing), they can use it to get remote access to the container by SSH.",
"test": "Check if service connected to some workload has an SSH port (22/2222). If so we raise an alert. ",
"controlID": "C-0042",
"baseScore": 3.0
"baseScore": 3.0,
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
8 changes: 7 additions & 1 deletion controls/C-0044-containerhostport.json
Expand Up @@ -25,5 +25,11 @@
"test": "Check for each workload (with container) if it exists inside the container hostPort.\u00a0\u00a0",
"controlID": "C-0044",
"baseScore": 4.0,
"example": "@controls/examples/c044.yaml"
"example": "@controls/examples/c044.yaml",
"scanningScope": {
"matches": [
"cluster",
"file"
]
}
}
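Review bot: the `test` string in this file ends in two escaped non-breaking spaces (`\u00a0\u00a0`); worth trimming while the file is being touched, as they show up as stray whitespace in the rendered documentation.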