tenable · Avanti19 · Jun 1, 2021 · May 25, 2021 · Jun 1, 2021
@@ -8,9 +8,10 @@
         "prefix": "",
         "suffix": ""
     },
-    "severity": "HIGH",
+    "severity": "MEDIUM",
     "description": "TLS disabled can affect the confidentiality of the data in transit",
     "reference_id": "AC-K8-NS-IN-H-0020",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0002"
 }
@@ -12,5 +12,6 @@
     "description": "No owner for namespace affects the operations",
     "reference_id": "AC-K8-OE-NS-L-0128",
     "category": "Security Best Practices",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0013"
 }
@@ -19,5 +19,6 @@
     "description": "Containers Should Not Run with AllowPrivilegeEscalation",
     "reference_id": "AC-K8-CA-PO-H-0165",
     "category": "Compliance Validation",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0085"
 }
@@ -12,5 +12,6 @@
     "description": "Ensure Kubernetes Dashboard Is Not Deployed",
     "reference_id": "AC-K8-DS-PO-M-0176",
     "category": "Data Protection",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0067"
 }
@@ -12,5 +12,6 @@
     "description": "Ensure That Tiller (Helm V2) Is Not Deployed",
     "reference_id": "AC-K8-DS-PO-M-0177",
     "category": "Data Protection",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0071"
 }
@@ -12,5 +12,6 @@
     "description": "Minimize the admission of privileged containers",
     "reference_id": "AC-K8-IA-PO-H-0106",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0046"
 }
@@ -8,9 +8,10 @@
         "prefix": "",
         "suffix": ""
     },
-    "severity": "HIGH",
+    "severity": "MEDIUM",
     "description": "Allowing the pod to make system level calls provide access to host/node sensitive information",
     "reference_id": "AC-K8-IA-PO-H-0137",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0074"
 }
@@ -12,5 +12,6 @@
     "description": "Allowing hostPaths to mount to Pod arise the probability of getting access to the node's filesystem",
     "reference_id": "AC-K8-IA-PO-H-0138",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0076"
 }
@@ -19,5 +19,6 @@
     "description": "Minimize Admission of Root Containers",
     "reference_id": "AC-K8-IA-PO-H-0168",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0087"
 }
@@ -12,5 +12,6 @@
     "description": "Ensure that Service Account Tokens are only mounted where necessary",
     "reference_id": "AC-K8-IA-PO-M-0105",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0045"
 }
@@ -12,5 +12,6 @@
     "description": "AppArmor profile not set to default or custom profile will make the container vulnerable to kernel level threats",
     "reference_id": "AC-K8-IA-PO-M-0135",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0073"
 }
@@ -12,5 +12,6 @@
     "description": "Unmasking the procMount will allow more information than is necessary to the program running in the containers spawned by k8s",
     "reference_id": "AC-K8-IA-PO-M-0139",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0077"
 }
@@ -19,5 +19,6 @@
     "description": "Container images with readOnlyRootFileSystem set as false mounts the container root file system with write permissions",
     "reference_id": "AC-K8-IA-PO-M-0140",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0078"
 }
@@ -12,5 +12,6 @@
     "description": "Default seccomp profile not enabled will make the container to make non-essential system calls",
     "reference_id": "AC-K8-IA-PO-M-0141",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0080"
 }
@@ -20,5 +20,6 @@
     "description": "Some volume types mount the host file system paths to the pod or container, thus increasing the chance of escaping the container to access the host",
     "reference_id": "AC-K8-IA-PO-M-0143",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0081"
 }
@@ -14,5 +14,6 @@
     "description": "Containers Should Not Share Host Process ID Namespace",
     "reference_id": "AC-K8-IA-PO-M-0162",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0082"
 }
@@ -13,5 +13,6 @@
     "description": "Minimize the admission of containers with the NET_RAW capability",
     "reference_id": "AC-K8-IA-PS-M-0112",
     "category": "Identity and Access Management",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0048"
 }
@@ -12,5 +12,6 @@
     "description": "Prefer using secrets as files over secrets as environment variables",
     "reference_id": "AC-K8-NS-PO-H-0117",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0051"
 }
@@ -8,9 +8,10 @@
         "prefix": "",
         "suffix": ""
     },
-    "severity": "HIGH",
+    "severity": "MEDIUM",
     "description": "Do Not Use CAP_SYS_ADMIN Linux Capability",
     "reference_id": "AC-K8-NS-PO-H-0170",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0075"
 }
@@ -12,5 +12,6 @@
     "description": "Apply Security Context to Your Pods and Containers",
     "reference_id": "AC-K8-NS-PO-M-0122",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0064"
 }
@@ -12,5 +12,6 @@
     "description": "Image without digest affects the integrity principle of image security",
     "reference_id": "AC-K8-NS-PO-M-0133",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0069"
 }
@@ -14,5 +14,6 @@
     "description": "Containers Should Not Share Host IPC Namespace",
     "reference_id": "AC-K8-NS-PO-M-0163",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0083"
 }
@@ -14,5 +14,6 @@
     "description": "Containers Should Not Share the Host Network Namespace",
     "reference_id": "AC-K8-NS-PO-M-0164",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0084"
 }
@@ -15,5 +15,6 @@
     "description": "Restrict Mounting Docker Socket in a Container",
     "reference_id": "AC-K8-NS-PO-M-0171",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0088"
 }
@@ -12,5 +12,6 @@
     "description": "Containers Should Run as a High UID to Avoid Host Conflict",
     "reference_id": "AC-K8-NS-PO-M-0182",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0079"
 }
@@ -17,5 +17,6 @@
     "description": "AlwaysPullImages plugin is not set",
     "reference_id": "AC-K8-OE-PK-M-0034",
     "category": "Compliance Validation",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0021"
 }
@@ -19,5 +19,6 @@
     "description": "CPU Request Not Set in config file.",
     "reference_id": "AC-K8-OE-PK-M-0155",
     "category": "Security Best Practices",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0097"
 }
@@ -19,5 +19,6 @@
     "description": "CPU Limits Not Set in config file.",
     "reference_id": "AC-K8-OE-PK-M-0156",
     "category": "Security Best Practices",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0098"
 }
@@ -19,5 +19,6 @@
     "description": "Memory Request Not Set in config file.",
     "reference_id": "AC-K8-OE-PK-M-0157",
     "category": "Security Best Practices",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0099"
 }
@@ -19,5 +19,6 @@
     "description": "Memory Limits Not Set in config file.",
     "reference_id": "AC-K8-OE-PK-M-0158",
     "category": "Security Best Practices",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0100"
 }
@@ -14,5 +14,6 @@
     "description": "No liveness probe will ensure there is no recovery in case of unexpected errors",
     "reference_id": "AC-K8-OE-PO-L-0129",
     "category": "Security Best Practices",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0070"
 }
@@ -14,5 +14,6 @@
     "description": "No readiness probe will affect automatic recovery in case of unexpected errors",
     "reference_id": "AC-K8-OE-PO-L-0130",
     "category": "Security Best Practices",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0072"
 }
@@ -12,5 +12,6 @@
     "description": "No tag or container image with :Latest tag makes difficult to rollback and track",
     "reference_id": "AC-K8-OE-PO-L-0134",
     "category": "Security Best Practices",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0068"
 }
@@ -8,9 +8,10 @@
         "prefix": "",
         "suffix": ""
     },
-    "severity": "MEDIUM",
+    "severity": "HIGH",
     "description": "Default Namespace Should Not be Used",
     "reference_id": "AC-K8-OE-PO-M-0166",
     "category": "Security Best Practices",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0086"
 }
@@ -12,5 +12,6 @@
     "description": "Ensure that the Tiller Service (Helm v2) is deleted",
     "reference_id": "AC-K8-NS-SE-M-0185",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0110"
 }
@@ -12,5 +12,6 @@
     "description": "Restrict the use of externalIPs",
     "reference_id": "AC-K8-NS-SE-M-0188",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0112"
 }
@@ -12,5 +12,6 @@
     "description": "Nodeport service can expose the worker nodes as they have public interface",
     "reference_id": "AC-K8-NS-SV-L-0132",
     "category": "Infrastructure Security",
-    "version": 1
+    "version": 1,
+    "id": "AC_K8S_0111"
 }