Tenable.cs Policies

Search

IDNameCSPDomainSeverity
AC_K8S_0001Configure Image Provenance using ImagePolicyWebhook admission controllerKubernetesIdentity and Access Management
MEDIUM
AC_K8S_0002Ensure HTTPS is enabled on Kubernetes Ingress resourceKubernetesInfrastructure Security
MEDIUM
AC_K8S_0003Ensure that the --make-iptables-util-chains argument is set to trueKubernetesInfrastructure Security
LOW
AC_K8S_0004Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event captureKubernetesLogging and Monitoring
LOW
AC_K8S_0005Ensure that the --anonymous-auth argument is set to falseKubernetesIdentity and Access Management
MEDIUM
AC_K8S_0006Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriateKubernetesInfrastructure Security
MEDIUM
AC_K8S_0007Ensure that the --authorization-mode argument is not set to AlwaysAllowKubernetesIdentity and Access Management
HIGH
AC_K8S_0008Ensure that the --client-ca-file argument is set as appropriateKubernetesIdentity and Access Management
HIGH
AC_K8S_0009Ensure that the --rotate-certificates argument is not set to falseKubernetesData Protection
MEDIUM
AC_K8S_0010Ensure that the --read-only-port is securedKubernetesIdentity and Access Management
LOW
AC_K8S_0011Ensure that the --streaming-connection-idle-timeout argument is not set to 0KubernetesCompliance Validation
LOW
AC_K8S_0012Ensure that the --protect-kernel-defaults argument is set to trueKubernetesIdentity and Access Management
LOW
AC_K8S_0013Ensure an owner key with proper label is set for Kubernetes namespaceKubernetesSecurity Best Practices
LOW
AC_K8S_0014Ensure Kubernetes Network policy does not allow ingress from public IPs to query DNSKubernetesInfrastructure Security
HIGH
AC_K8S_0015Ensure Kubernetes Network policy does not allow ingress from public IPs to SSHKubernetesInfrastructure Security
HIGH
AC_K8S_0016Ensure Kubernetes Network policy does not allow ingress from public IPs to access sql serversKubernetesInfrastructure Security
HIGH
AC_K8S_0017Ensure Kubernetes Network policy does not allow ingress from public IPs to access Redis serversKubernetesInfrastructure Security
HIGH
AC_K8S_0018Ensure that the --authorization-mode argument includes RBACKubernetesIdentity and Access Management
MEDIUM
AC_K8S_0019Ensure that the admission control plugin EventRateLimit is setKubernetesCompliance Validation
MEDIUM
AC_K8S_0020Ensure kube-controller-manager (affected versions of kube-controller-manager: v1.18.0, v1.17.0 - v1.17.4, v1.16.0 - v1.16.8, and v1.15.11) are not vulnerable to CVE-2020-8555KubernetesData Protection
MEDIUM
AC_K8S_0021Ensure that the admission control plugin AlwaysPullImages is setKubernetesCompliance Validation
MEDIUM
AC_K8S_0022Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not usedKubernetesIdentity and Access Management
HIGH
AC_K8S_0023Ensure that the admission control plugin ServiceAccount is setKubernetesIdentity and Access Management
MEDIUM
AC_K8S_0024Ensure that the admission control plugin NamespaceLifecycle is setKubernetesCompliance Validation
MEDIUM
AC_K8S_0025Ensure default name space is not in use in Kubernetes NamespaceKubernetesSecurity Best Practices
LOW
AC_K8S_0026Ensure that the admission control plugin NodeRestriction is setKubernetesIdentity and Access Management
MEDIUM
AC_K8S_0027Ensure that the --insecure-bind-address argument is not setKubernetesInfrastructure Security
HIGH
AC_K8S_0028Ensure that the --insecure-port argument is set to 0KubernetesInfrastructure Security
HIGH
AC_K8S_0029Ensure that the --secure-port argument is not set to 0KubernetesInfrastructure Security
HIGH
AC_K8S_0030Ensure that the --profiling argument is set to falseKubernetesLogging and Monitoring
MEDIUM
AC_K8S_0031Ensure that the --audit-log-path argument is setKubernetesLogging and Monitoring
MEDIUM
AC_K8S_0032Ensure that the --audit-log-maxage argument is set to 30 or as appropriateKubernetesLogging and Monitoring
MEDIUM
AC_K8S_0033Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriateKubernetesLogging and Monitoring
MEDIUM
AC_K8S_0034Ensure that the --audit-log-maxsize argument is set to 100 or as appropriateKubernetesLogging and Monitoring
MEDIUM
AC_K8S_0035Ensure that the --request-timeout argument is set as appropriateKubernetesLogging and Monitoring
MEDIUM
AC_K8S_0036Ensure that the --service-account-lookup argument is set to trueKubernetesIdentity and Access Management
MEDIUM
AC_K8S_0037Ensure that the --service-account-key-file argument is set as appropriateKubernetesData Protection
MEDIUM
AC_K8S_0038Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriateKubernetesData Protection
MEDIUM
AC_K8S_0039Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriateKubernetesData Protection
MEDIUM
AC_K8S_0040Ensure that the --client-ca-file argument is set as appropriateKubernetesData Protection
MEDIUM
AC_K8S_0041Ensure that the --etcd-cafile argument is set as appropriateKubernetesData Protection
MEDIUM
AC_K8S_0042Ensure that the --encryption-provider-config argument is set as appropriateKubernetesData Protection
MEDIUM
AC_K8S_0043Ensure that the API Server only makes use of Strong Cryptographic CiphersKubernetesData Protection
MEDIUM
AC_K8S_0044Ensure that the --terminated-pod-gc-threshold argument is set as appropriateKubernetesData Protection
MEDIUM
AC_K8S_0045Ensure that Service Account Tokens are only mounted where necessaryKubernetesIdentity and Access Management
MEDIUM
AC_K8S_0046Minimize the admission of privileged containersKubernetesIdentity and Access Management
HIGH
AC_K8S_0047Ensure that the admission control plugin AlwaysAdmit is not setKubernetesCompliance Validation
MEDIUM
AC_K8S_0048Ensure default routes are set for Istio servicesKubernetesSecurity Best Practices
LOW
AC_K8S_0049Ensure ALLOW-with-positive-matching exist for Istio Authorization ObjectKubernetesInfrastructure Security
MEDIUM
AC_K8S_0050Ensure custom snippets annotations is not set to true for Ingress-nginx controller deployment's Kubernetes Config MapKubernetesSecurity Best Practices
HIGH