
Control implementations for CIS 1.10 implementation #658

Merged (4 commits), Feb 12, 2025

Conversation

@slashben (Contributor) commented Feb 9, 2025

This pull request introduces new security controls and updates to implement the CIS 1.10 compliance framework. The changes include adding new JSON files for various security controls, as well as corresponding Rego rules and metadata files to enforce these controls.

This closes #651 and #647

New Security Controls:

  1. Ensure Strong Cryptographic Ciphers for API Server:

    • Added a new control to ensure that the API server only uses strong cryptographic ciphers. This includes a detailed description, remediation steps, and a manual test procedure.
    • Introduced Rego rules to check and enforce the use of strong cryptographic ciphers in the API server configuration.
    • Added metadata for the new rule to describe its purpose and remediation.
  2. Minimize Access to Create Persistent Volumes:

    • Added a new control to restrict access to creating persistent volumes, which can help prevent privilege escalation through hostPath volumes.
  3. Minimize Access to Node Proxy Sub-Resource:

    • Introduced a control to limit access to the proxy sub-resource of node objects to prevent unauthorized use of the Kubelet API.
  4. Minimize Access to Certificate Signing Requests:

    • Added a control to restrict access to the approval sub-resource of certificate signing requests to prevent unauthorized creation of high-privileged user accounts.
  5. Minimize Access to Webhook Configuration Objects:

    • Introduced a control to minimize access to creating, modifying, or deleting webhook configuration objects to prevent privilege escalation or cluster disruption.
  6. Minimize Access to Service Account Token Creation:

    • Added a control to restrict access to creating service account tokens to prevent long-lived privileged credentials and potential privilege escalation.

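As an added example (not code from this PR or from the regolibrary rules), a constructed Rego policy that reports Role or ClusterRole rules granting sensitive verbs on the resources named in controls 2 to 6 above; the package name, the exact verb list and the single-object input shape are assumptions for illustration.

```rego
package cis_1_10.minimize_access

import rego.v1

# Constructed, illustrative policy, not the regolibrary rule. The input is assumed
# to be one Role or ClusterRole object. The (group, resource, verb) triples below
# follow the controls in the PR description; the verb choices are an assumption.
sensitive := {
	{"group": "", "resource": "persistentvolumes", "verb": "create"},
	{"group": "", "resource": "nodes/proxy", "verb": "get"},
	{"group": "", "resource": "nodes/proxy", "verb": "create"},
	{"group": "certificates.k8s.io", "resource": "certificatesigningrequests/approval", "verb": "update"},
	{"group": "admissionregistration.k8s.io", "resource": "mutatingwebhookconfigurations", "verb": "create"},
	{"group": "admissionregistration.k8s.io", "resource": "mutatingwebhookconfigurations", "verb": "update"},
	{"group": "admissionregistration.k8s.io", "resource": "validatingwebhookconfigurations", "verb": "create"},
	{"group": "admissionregistration.k8s.io", "resource": "validatingwebhookconfigurations", "verb": "update"},
	{"group": "", "resource": "serviceaccounts/token", "verb": "create"},
}

# RBAC lists match literally, and "*" is a wildcard for the whole list.
covers(list, _) if "*" in list
covers(list, value) if value in list

# A subresource such as "nodes/proxy" is also granted by the "*/proxy" form,
# which Kubernetes RBAC accepts; a check that only compares exact strings misses it.
resource_covered(list, res) if covers(list, res)
resource_covered(list, res) if {
	parts := split(res, "/")
	count(parts) == 2
	concat("/", ["*", parts[1]]) in list
}

violations contains msg if {
	some i
	rule := input.rules[i]
	some s in sensitive
	covers(rule.apiGroups, s.group)
	resource_covered(rule.resources, s.resource)
	covers(rule.verbs, s.verb)
	msg := sprintf("%s %q: rules[%d] grants %q on %q (apiGroup %q)", [input.kind, input.metadata.name, i, s.verb, s.resource, s.group])
}

# The object passes the control only when no sensitive grant is present.
compliant if count(violations) == 0
```

Evaluating `data.cis_1_10.minimize_access.violations` against a ClusterRole whose rules include `resources: ["*/proxy"]` with `verbs: ["get"]` reports the nodes/proxy grant, while a role limited to `pods` and `configmaps` yields an empty set.
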
github-actions bot commented Feb 9, 2025

Summary:

  • License scan: failure
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: success

Signed-off-by: Ben <[email protected]>
…tographicciphers-new.json


fix link

Signed-off-by: YiscahLevySilas1 <[email protected]>

@YiscahLevySilas1 YiscahLevySilas1 merged commit 90243de into master Feb 12, 2025
25 checks passed
Successfully merging this pull request may close these issues.

Implement 5.1.9-5.1.13