Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Control implementations for CIS 1.10 implementation #658

Merged
merged 4 commits into from
Feb 12, 2025
Merged

Control implementations for CIS 1.10 implementation #658

merged 4 commits into from
Feb 12, 2025

Conversation

slashben
Copy link
Contributor

@slashben slashben commented Feb 9, 2025

This pull request introduces new security controls and updates to implement CIS 1.10 compliance framework. The changes include adding new JSON files for various security controls, as well as corresponding Rego rules and metadata files to enforce these controls.

This closes #651 and #647

New Security Controls:

  1. Ensure Strong Cryptographic Ciphers for API Server:

    • Added a new control to ensure that the API server only uses strong cryptographic ciphers. This includes a detailed description, remediation steps, and a manual test procedure.
    • Introduced Rego rules to check and enforce the use of strong cryptographic ciphers in the API server configuration. [1] [2]
    • Added metadata for the new rule to describe its purpose and remediation.

  2. Minimize Access to Create Persistent Volumes:

    • Added a new control to restrict access to creating persistent volumes, which can help prevent privilege escalation through hostPath volumes.

  3. Minimize Access to Node Proxy Sub-Resource:

    • Introduced a control to limit access to the proxy sub-resource of node objects to prevent unauthorized use of the Kubelet API.

  4. Minimize Access to Certificate Signing Requests:

    • Added a control to restrict access to the approval sub-resource of certificate signing requests to prevent unauthorized creation of high-privileged user accounts.

  5. Minimize Access to Webhook Configuration Objects:

    • Introduced a control to minimize access to creating, modifying, or deleting webhook configuration objects to prevent privilege escalation or cluster disruption.

  6. Minimize Access to Service Account Token Creation:

    • Added a control to restrict access to creating service account tokens to prevent long-lived privileged credentials and potential privilege escalation.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Feb 9, 2025

Summary:

  • License scan: failure
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: success

@slashben
Fix rule name
85fb53c 
Signed-off-by: Ben <[email protected]>
@github-actions GitHub Actions
Copy link
Contributor

Summary:

  • License scan: failure
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: success

1 similar comment
@github-actions GitHub Actions
Copy link
Contributor

Summary:

  • License scan: failure
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: success

@YiscahLevySilas1
Update controls/C-0277-ensurethattheapiserveronlymakesuseofstrongcryp…
a402212 
…tographicciphers-new.json


fix link

Signed-off-by: YiscahLevySilas1 <[email protected]>
@github-actions GitHub Actions
Copy link
Contributor

Summary:

  • License scan: failure
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: success

@YiscahLevySilas1 YiscahLevySilas1 merged commit 90243de into master Feb 12, 2025
25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@YiscahLevySilas1 YiscahLevySilas1 YiscahLevySilas1 approved these changes

Assignees

@YiscahLevySilas1 YiscahLevySilas1

Labels
None yet
Projects
KS PRs tracking
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement 5.1.9-5.1.13
2 participants
@slashben @YiscahLevySilas1