Container Security - Essential
Skyhigh CASB provides Essential and Advanced preconfigured templates for Container Security.
On the Policy > Policy Templates page, select the Recommendation/Benchmark filters for the Container Security - Essential and Container Security - Advanced policy templates.
- Container Security - Essential. These are 18 policy templates with the minimum requirements for container security resource discovery and On-Demand Scans.
- Container Security - Advanced. This is the list of all available container security policy templates.
The Container Security - Essential policy templates are listed in the following table.
You can also download an XLSX file.
Policy Name | Resource | Benchmark | PCI DSS | HIPAA | NIST 800-53 | Policy Description |
---|---|---|---|---|---|---|
ACR: Repositories should not be exposed to everyone/publicly for push actions | ACR | Yes | | | SI-7, Software, Firmware, and Information Integrity | Repository policy push actions should be avoided. |
AKS: Argument anonymous-auth should be set to false for Kubelet Server | AKS | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.8, 7.2 | 164.312(a)(1), 164.308(a)(3)(i), 164.308(b)(1), 164.312(c)(1), 164.312(e)(1) | CM-3 | When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests. |
AKS: Argument basic-auth-file should not be set for API Server | AKS | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.3 | | CM-3 | Basic authentication uses plaintext credentials. Currently, basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. Basic authentication is supported only for convenience, so it should not be used. |
ECS Fargate: Default seccomp profile should not be disabled in ECS Fargate cluster | ECS FARGATE | CIS Level 1 | | | CM-3 | Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows 311 system calls, blocking all others. It should not be disabled unless it hinders your container application. |
ECR: Repositories should not be exposed to everyone/publicly for push actions | ECR | Yes | | | SI-7, Software, Firmware, and Information Integrity | Repository policy push actions should be avoided. |
ECS Docker Host: Docker Default seccomp profile should not be disabled | ECS | CIS Level 1 | | 164.308(a)(3)(i), 164.308(b)(1), 164.312(a)(1), 164.312(c)(1), 164.312(e)(1) | CM-3, SC-39 | Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows a large number of common system calls while blocking all others. This filtering should not be disabled unless it causes a problem with your container application. |
ECS Docker Host: Docker's default bridge docker0 should not be used | ECS | CIS Level 1 | | 164.308(a)(3)(i), 164.308(b)(1), 164.312(a)(1), 164.312(c)(1), 164.312(e)(1) | CM-3, SC-39 | You should not use Docker's default bridge docker0. Instead, use Docker's user-defined networks for container networking. |
ECS: Default seccomp profile should not be disabled | ECS | CIS Level 1 | | | CM-3 | Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows 311 system calls, blocking all others. It should not be disabled unless it hinders your container application. |
ECS: Docker's default bridge networking mode should not be used | ECS | CIS Level 1 | | | CM-3 | Do not use Docker's default bridge docker0. Use Docker's user-defined networks for container networking. |
EKS Docker Host: Docker Default seccomp profile should not be disabled in AWS EKS cluster hosts | EKS | | | 164.308(a)(3)(i), 164.308(b)(1), 164.312(a)(1), 164.312(c)(1), 164.312(e)(1) | CM-3, SC-39 | Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows a large number of common system calls while blocking all others. This filtering should not be disabled unless it causes a problem with your container application. |
EKS Docker Host: Docker's default bridge docker0 should not be used in AWS EKS cluster hosts | EKS | | | 164.308(a)(3)(i), 164.308(b)(1), 164.312(a)(1), 164.312(c)(1), 164.312(e)(1) | CM-3, SC-39 | You should not use Docker's default bridge docker0. Instead, use Docker's user-defined networks for container networking. |
EKS FARGATE: Argument anonymous-auth should be set to false for Kubelet Server | EKS | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.8, 7.2 | 164.312(a)(1), 164.308(a)(3)(i), 164.308(b)(1), 164.312(c)(1), 164.312(e)(1) | CM-3 | When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests. |
EKS: Argument anonymous-auth should be set to false for Kubelet Server | EKS | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.8, 7.2 | 164.312(a)(1), 164.308(a)(3)(i), 164.308(b)(1), 164.312(c)(1), 164.312(e)(1) | CM-3 | When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests. |
EKS: Argument basic-auth-file should not be set for API Server | EKS | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.3 | | CM-3 | Basic authentication uses plaintext credentials. Currently, basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. Basic authentication is supported only for convenience, so it should not be used. |
EKS: Enable control plane logging during EKS cluster creation | EKS | | 10.1, 10.2.2, 10.2.4, 10.2.5, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6 | | CM-3 | |
GCR: Registries should not be exposed to everyone/publicly for push actions | | | | | | Registry push actions should not be allowed to everyone. |
GKE: Argument anonymous-auth should be set to false for Kubelet Server | GKE | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.8, 7.2 | 164.312(a)(1), 164.308(a)(3)(i), 164.308(b)(1), 164.312(c)(1), 164.312(e)(1) | CM-3 | When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests. |
GKE: Argument basic-auth-file should not be set for API Server | GKE | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.3 | | CM-3 | Basic authentication uses plaintext credentials. Currently, basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. Basic authentication is supported only for convenience, so it should not be used. |