Commit
delete controls attributes for deprecated attack tracks
Signed-off-by: YiscahLevySilas1 <[email protected]>
YiscahLevySilas1 committed Jul 23, 2023
1 parent 1dde7a2 commit 927811f
Showing 48 changed files with 0 additions and 413 deletions.
8 changes: 0 additions & 8 deletions controls/C-0001-forbiddencontainerregistries.json
@@ -9,14 +9,6 @@
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Initial access"
]
}
],
"actionRequired": "configuration"
},
"description": "In cases where the Kubernetes cluster is provided by a CSP (e.g., AKS in Azure, GKE in GCP, or EKS in AWS), compromised cloud credential can lead to the cluster takeover. Attackers may abuse cloud account credentials or IAM mechanism to the cluster\u2019s management layer.",
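Review bot: the rendered view hides the deletion markers, so the one thing to confirm in this hunk is that the `],` closing `controlTypeTags` is still followed by `"actionRequired": "configuration"` once the eight `attackTracks` lines are gone; it is, so the object remains valid JSON. A documentation point as well: the commit message says the tracks are deprecated, but neither this file nor the commit body records that `attackTracks` is now optional or where the replacement mapping lives, if there is one; a one-line note in the commit body or the controls schema would save the next reader a search.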
8 changes: 0 additions & 8 deletions controls/C-0004-resourcesmemorylimitandrequest.json
@@ -6,14 +6,6 @@
"compliance",
"devops"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Impact - service destruction"
]
}
],
"actionRequired": "configuration"
},
"description": "This control identifies all Pods for which the memory limit is not set.",
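Review bot: minor inconsistency in the unchanged context line: the file is named `resourcesmemorylimitandrequest`, but the description only says the control "identifies all Pods for which the memory limit is not set" and does not mention requests. If the rule also checks `resources.requests.memory`, the description should say so; if it does not, the file name overstates the check. Unrelated to the `attackTracks` removal, so a follow-up is fine.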
8 changes: 0 additions & 8 deletions controls/C-0005-apiserverinsecureportisenabled.json
@@ -5,14 +5,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "kubeapi",
"categories": [
"Initial access"
]
}
]
},
"description": "Kubernetes control plane API is running with non-secure port enabled which allows attackers to gain unprotected access to the cluster.",
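Review bot: `attackTracks` is the last key of the enclosing object here (no `actionRequired` follows it), so the deletion has to remove the `],` after `"compliance"` and keep the final `]` as the new closer for `controlTypeTags`, not the other way round. With 8 deletions out of 14 lines both splits fit the hunk counts, and the rendered view does not show which one was taken, but only the first leaves valid JSON. Running `jq . controls/C-0005-apiserverinsecureportisenabled.json` (or the repo's JSON lint) before merge settles it.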
8 changes: 0 additions & 8 deletions controls/C-0009-resourcelimits.json
@@ -4,14 +4,6 @@
"armoBuiltin": true,
"controlTypeTags": [
"security"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Impact - service destruction"
]
}
]
},
"description": "CPU and memory resources should have a limit set for every container or a namespace to prevent resource exhaustion. This control identifies all the Pods without resource limit definitions by checking their yaml definition file as well as their namespace LimitRange objects. It is also recommended to use ResourceQuota object to restrict overall namespace resources, but this is not verified by this control.",
14 changes: 0 additions & 14 deletions controls/C-0012-applicationscredentialsinconfigurationfiles.json
@@ -11,20 +11,6 @@
"security",
"compliance",
"security-impact"
],
"attackTracks": [
{
"attackTrack": "kubeapi",
"categories": [
"Credential access"
]
},
{
"attackTrack": "container",
"categories": [
"Credential access"
]
}
]
},
"description": "Attackers who have access to configuration files can steal the stored secrets and use them. This control checks if ConfigMaps or pod specifications have sensitive information in their configuration.",
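Review bot: this hunk drops two track entries at once (`kubeapi` and `container`, both mapped to `Credential access`), which is why it is 14 lines rather than 8, and the same trailing-comma check applies because nothing follows the array inside the object. Since this control carries the `security-impact` tag, also confirm that any consumer which used `attackTracks` to rank credential-access findings tolerates the key being absent altogether rather than present and empty.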
8 changes: 0 additions & 8 deletions controls/C-0013-nonrootcontainers.json
@@ -5,14 +5,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Privilege escalation"
]
}
]
},
"description": "Potential attackers may gain access to a container and leverage its existing privileges to conduct an attack. Therefore, it is not recommended to deploy containers with root privileges unless it is absolutely necessary. This control identifies all the Pods running as root or can escalate to root.",
8 changes: 0 additions & 8 deletions controls/C-0015-listkubernetessecrets.json
@@ -9,14 +9,6 @@
"controlTypeTags": [
"security-impact",
"compliance"
],
"attackTracks": [
{
"attackTrack": "kubeapi",
"categories": [
"Credential access"
]
}
]
},
"description": "Attackers who have permissions to access secrets can access sensitive information that might include credentials to various services. This control determines which user, group or service account can list/get secrets.",
8 changes: 0 additions & 8 deletions controls/C-0016-allowprivilegeescalation.json
@@ -5,14 +5,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Privilege escalation"
]
}
]
},
"description": "Attackers may gain access to a container and uplift its privilege to enable excessive capabilities.",
9 changes: 0 additions & 9 deletions controls/C-0017-immutablecontainerfilesystem.json
@@ -5,15 +5,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Execution",
"Persistence"
]
}
]
},
"description": "Mutable container filesystem can be abused to inject malicious code or data into containers. Use immutable (read-only) filesystem to limit potential attacks.",
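Review bot: the `Execution` and `Persistence` categories removed here were the only place this control's description ("inject malicious code or data into containers") was tied to a technique class. If the replacement track mapping is maintained elsewhere, a pointer to it from the description or the schema would keep that link; if not, this is a pure cleanup and fine as is. The hunk counts (9 deletions, 15 lines down to 6) match the two-category array plus the `],` after `"compliance"` being replaced by the kept closing `]`.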
8 changes: 0 additions & 8 deletions controls/C-0031-deletekubernetesevents.json
@@ -9,14 +9,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "kubeapi",
"categories": [
"Defense evasion"
]
}
]
},
"description": "Attackers may delete Kubernetes events to avoid detection of their activity in the cluster. This control identifies all the subjects that can delete Kubernetes events.",
9 changes: 0 additions & 9 deletions controls/C-0034-automaticmappingofserviceaccount.json
@@ -5,15 +5,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Credential access",
"Impact - K8s API access"
]
}
]
},
"description": "Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.",
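Review bot: a style point on the context line rather than on the change: `POD`/`PODs` is capitalised here and in several sibling controls (C-0038, C-0041, C-0046, C-0048, C-0053), while C-0004 and C-0013 use `Pod`/`Pods`. These description strings are user-facing in scan output, so a follow-up normalising to `Pod` would be cheap. Not a blocker for this commit.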
9 changes: 0 additions & 9 deletions controls/C-0035-clusteradminbinding.json
@@ -9,15 +9,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "kubeapi",
"categories": [
"Impact - data destruction",
"Impact - service injection"
]
}
]
},
"description": "Attackers who have cluster admin permissions (can perform any action on any resource), can take advantage of their privileges for malicious activities. This control determines which subjects have cluster admin permissions.",
9 changes: 0 additions & 9 deletions controls/C-0036-maliciousadmissioncontrollervalidating.json
@@ -8,15 +8,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "kubeapi",
"categories": [
"Impact - data destruction",
"Impact - service injection"
]
}
]
},
"description": "Attackers can use validating webhooks to intercept and discover all the resources in the cluster. This control lists all the validating webhook configurations that must be verified.",
8 changes: 0 additions & 8 deletions controls/C-0037-corednspoisoning.json
@@ -7,14 +7,6 @@
],
"controlTypeTags": [
"compliance"
],
"attackTracks": [
{
"attackTrack": "kubeapi",
"categories": [
"Impact - service injection"
]
}
]
},
"description": "If attackers have permissions to modify the coredns ConfigMap they can change the behavior of the cluster\u2019s DNS, poison it, and override the network identity of other services. This control identifies all subjects allowed to update the 'coredns' configmap.",
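Review bot: `controlTypeTags` for this control is `["compliance"]` only, whereas every neighbouring control that describes an attacker action against the API (C-0031, C-0035, C-0039) carries `"security"` as well. With the `kubeapi` track removed, the tag list is now the only classification left on this control, so it is worth confirming the omission is intentional before the track data disappears.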
8 changes: 0 additions & 8 deletions controls/C-0038-hostpidipcprivileges.json
@@ -5,14 +5,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Privilege escalation"
]
}
]
},
"description": "Containers should be isolated from the host machine as much as possible. The hostPID and hostIPC fields in deployment yaml may allow cross-container influence and may expose the host itself to potentially malicious or destructive actions. This control identifies all PODs using hostPID or hostIPC privileges.",
8 changes: 0 additions & 8 deletions controls/C-0039-maliciousadmissioncontrollermutating.json
@@ -8,14 +8,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "kubeapi",
"categories": [
"Impact - service injection"
]
}
]
},
"description": "Attackers may use mutating webhooks to intercept and modify all the resources in the cluster. This control lists all mutating webhook configurations that must be verified.",
10 changes: 0 additions & 10 deletions controls/C-0041-hostnetworkaccess.json
@@ -5,16 +5,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Discovery",
"Lateral movement",
"Impact - service access"
]
}
]
},
"description": "Potential attackers may gain access to a POD and inherit access to the entire host network. For example, in AWS case, they will have access to the entire VPC. This control identifies all the PODs with host network access enabled.",
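Review bot: this is the hunk with three categories (`Discovery`, `Lateral movement`, `Impact - service access`), hence 10 deletions; the counts line up only if the `],` after `"compliance"` goes with the array and the final `]` is kept, the same check as in the other files. The description line is unchanged and does not depend on the removed mapping, so nothing else to verify here.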
8 changes: 0 additions & 8 deletions controls/C-0044-containerhostport.json
@@ -6,14 +6,6 @@
"security",
"compliance",
"devops"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Initial access"
]
}
]
},
"description": "Configuring hostPort requires a particular port number. If two objects specify the same HostPort, they could not be deployed to the same node. It may prevent the second object from starting, even if Kubernetes will try reschedule it on another node, provided there are available nodes with sufficient amount of resources. Also, if the number of replicas of such workload is higher than the number of nodes, the deployment will consistently fail.",
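Review bot: the description of this control is entirely about scheduling conflicts (two objects with the same hostPort cannot land on the same node) and says nothing about exposure, yet the control is tagged `security` and, until this hunk, was mapped to `Initial access`. With the track gone, a sentence in the description explaining the security angle (hostPort binds the container port directly on the node's IP, outside the Service abstraction) would keep the `security` tag justified; otherwise a reader has only the `devops` tag to go on.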
9 changes: 0 additions & 9 deletions controls/C-0045-writablehostpathmount.json
@@ -11,15 +11,6 @@
"compliance",
"devops",
"security-impact"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Persistence",
"Impact - Data access in container"
]
}
]
},
"description": "Mounting host directory to the container can be used by attackers to get access to the underlying host and gain persistence.",
8 changes: 0 additions & 8 deletions controls/C-0046-insecurecapabilities.json
@@ -6,14 +6,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Privilege escalation"
]
}
]
},
"description": "Giving insecure or excessive capabilities to a container can increase the impact of the container compromise. This control identifies all the PODs with dangerous capabilities (see documentation pages for details).",
8 changes: 0 additions & 8 deletions controls/C-0048-hostpathmount.json
@@ -8,14 +8,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Impact - Data access in container"
]
}
]
},
"description": "Mounting host directory to the container can be used by attackers to get access to the underlying host. This control identifies all the PODs using hostPath mount.",
8 changes: 0 additions & 8 deletions controls/C-0049-networkmapping.json
@@ -8,14 +8,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Discovery"
]
}
]
},
"description": "If no network policy is defined, attackers who gain access to a single container may use it to probe the network. This control lists all namespaces in which no network policies are defined.",
10 changes: 0 additions & 10 deletions controls/C-0052-instancemetadataapi.json
@@ -8,16 +8,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Credential access",
"Discovery",
"Impact - service access"
]
}
]
},
"description": "Attackers who gain access to a container, may query the metadata API service for getting information about the underlying node. This control checks if there is access from the nodes to cloud providers instance metadata services.",
9 changes: 0 additions & 9 deletions controls/C-0053-accesscontainerserviceaccount.json
@@ -9,15 +9,6 @@
"controlTypeTags": [
"compliance",
"security-impact"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Credential access",
"Impact - K8s API access"
]
}
]
},
"description": "Attackers who obtain access to a pod can use its SA token to communicate with KubeAPI server. All PODs with SA token mounted (if such token has a Role or a ClusterRole binding) are considerred potentially dangerous.",
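Review bot: typo in the unchanged context line: `considerred` should be `considered`. It is outside the lines this commit touches, so it does not belong in this hunk, but the string is shown to users and a follow-up should catch it. While there, `KubeAPI server` could be aligned with the `Kubernetes control plane API` wording used in C-0005.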
9 changes: 0 additions & 9 deletions controls/C-0054-clusterinternalnetworking.json
@@ -8,15 +8,6 @@
"controlTypeTags": [
"security",
"compliance"
],
"attackTracks": [
{
"attackTrack": "container",
"categories": [
"Discovery",
"Lateral movement"
]
}
]
},
"description": "If no network policy is defined, attackers who gain access to a container may use it to move laterally in the cluster. This control lists namespaces in which no network policy is defined.",
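Review bot: this control and C-0049 both describe "no network policy defined in a namespace" and previously differed mainly in their track categories (`Discovery` alone versus `Discovery` plus `Lateral movement`). With the tracks removed, the two description strings are the only thing distinguishing them, so confirm their rules actually differ, or consider stating in each description what that control checks that the other does not.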