CSCv7|5.2

Title

Maintain Secure Images

Description

Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

Reference Item Details

Category: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Audit Items

Name | Plugin | Audit Name
2.1.4 Ensure Config-state is saved | CheckPoint | CIS Check Point Firewall L1 v1.1.0
2.4.1 Ensure 'System Backup' is set. | CheckPoint | CIS Check Point Firewall L1 v1.1.0
3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive | Unix | CIS Google Kubernetes Engine (GKE) v1.5.0 L1 Node
3.1.2 Ensure that the proxy kubeconfig file ownership is set to root:root | Unix | CIS Google Kubernetes Engine (GKE) v1.5.0 L1 Node
3.1.3 Ensure that the kubelet configuration file has permissions set to 600 | Unix | CIS Google Kubernetes Engine (GKE) v1.5.0 L1 Node
3.1.4 Ensure that the kubelet configuration file ownership is set to root:root | Unix | CIS Google Kubernetes Engine (GKE) v1.5.0 L1 Node
4.1.2 Minimize access to secrets | GCP | CIS Google Kubernetes Engine (GKE) v1.5.0 L1
4.1.5 Ensure that default service accounts are not actively used | GCP | CIS Google Kubernetes Engine (GKE) v1.5.0 L1
4.1.9 Ensure that the kubelet --config configuration file has permissions set to 600 or more restrictive | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
4.2 Ensure that containers use only trusted base images | Unix | CIS Docker v1.6.0 L1 Docker Linux
4.2.1 Ensure that the cluster enforces Pod Security Standard Baseline profile or stricter for all namespaces. | GCP | CIS Google Kubernetes Engine (GKE) v1.5.0 L1
4.2.6 Ensure that the --protect-kernel-defaults argument is set to true | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Worker
4.2.6 Ensure that the --protect-kernel-defaults argument is set to true | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Worker
4.2.6 Ensure that the --protect-kernel-defaults argument is set to true | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Worker
4.3 Ensure that unnecessary packages are not installed in the container | Unix | CIS Docker v1.6.0 L1 Docker Linux
4.6 Ensure that HEALTHCHECK instructions have been added to container images | Unix | CIS Docker v1.6.0 L1 Docker Linux
4.6.2 Ensure that the seccomp profile is set to RuntimeDefault in the pod definitions | GCP | CIS Google Kubernetes Engine (GKE) v1.5.0 L2
4.7 Ensure update instructions are not used alone in Dockerfiles | Unix | CIS Docker v1.6.0 L1 Docker Linux
4.8 Ensure Compute Instances Are Launched With Shielded VM Enabled | GCP | CIS Google Cloud Platform v2.0.0 L2
4.9 Ensure that COPY is used instead of ADD in Dockerfiles | Unix | CIS Docker v1.6.0 L1 Docker Linux
5.1.4 Minimize access to create pods | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
5.1.4 Minimize Container Registries to only those approved | GCP | CIS Google Kubernetes Engine (GKE) v1.5.0 L1
5.2 Ensure that, if applicable, an AppArmor Profile is enabled | Unix | CIS Docker v1.6.0 L1 Docker Linux
5.2.2 Minimize the admission of containers wishing to share the host process ID namespace | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
5.2.7 Minimize the admission of containers with the NET_RAW capability | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
5.2.7 Minimize the admission of containers with the NET_RAW capability | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
5.2.8 Minimize the admission of containers with added capabilities | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
5.2.8 Minimize the admission of containers with added capabilities - allowedCapabilities | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
5.2.8 Minimize the admission of containers with added capabilities - defaultAddCapabilities | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
5.2.8 Minimize the admission of containers with the NET_RAW capability | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.2.8 Minimize the admission of containers with the NET_RAW capability | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master
5.2.8 Minimize the admission of containers with the NET_RAW capability | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.2.9 Minimize the admission of containers with added capabilities | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.2.9 Minimize the admission of containers with added capabilities | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.2.9 Minimize the admission of containers with added capabilities | Unix | CIS Kubernetes Benchmark v1.8.0 L1 Master
5.2.9 Minimize the admission of containers with capabilities assigned | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L2 Master
5.2.9 Minimize the admission of containers with capabilities assigned | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.5.0 L2
5.2.10 Minimize the admission of containers with capabilities assigned | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L2 Master
5.2.10 Minimize the admission of containers with capabilities assigned | Unix | CIS Kubernetes Benchmark v1.8.0 L2 Master
5.2.10 Minimize the admission of containers with capabilities assigned | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L2 Master
5.2.11 Minimize the admission of Windows HostProcess Containers | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.2.11 Minimize the admission of Windows HostProcess Containers | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.2.12 Minimize the admission of HostPath volumes | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.2.12 Minimize the admission of HostPath volumes | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.2.13 Minimize the admission of containers which use HostPorts | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
5.2.13 Minimize the admission of containers which use HostPorts | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
5.10.4 Ensure use of Binary Authorization | GCP | CIS Google Kubernetes Engine (GKE) v1.5.0 L2
5.15 Ensure that the 'on-failure' container restart policy is set to '5' | Unix | CIS Docker v1.6.0 L1 Docker Linux
5.19 Ensure that the default ulimit is overwritten at runtime if needed | Unix | CIS Docker v1.6.0 L1 Docker Linux
5.28 Ensure that Docker commands always make use of the latest version of their image | Unix | CIS Docker v1.6.0 L1 Docker Linux