Chapter 7. Default security policies


The default security policies in Red Hat Advanced Cluster Security for Kubernetes provide broad coverage to identify security issues and ensure best practices for security in your environment. By configuring those policies, you can automatically prevent high-risk service deployments in your environment and respond to runtime security incidents.

Note

The severity levels for policies in Red Hat Advanced Cluster Security for Kubernetes are different from the severity levels that Red Hat Product Security assigns.

The Red Hat Advanced Cluster Security for Kubernetes policy severity levels are Critical, High, Medium, and Low. Red Hat Product Security rates vulnerability severity levels as Critical, Important, Moderate, and Low.

While a policy’s severity level and the Red Hat Product Security severity levels can interact, it is important to distinguish between them. For more information about the Red Hat Product Security severity levels, see Severity Ratings.

7.1. Critical severity security policies

The following table lists the default security policies in Red Hat Advanced Cluster Security for Kubernetes that are of critical severity. The policies are organized by life cycle stage.

Table 7.1. Critical severity security policies
Life cycle stageNameDescriptionStatus

Build or Deploy

Apache Struts: CVE-2017-5638

Alerts when deployments have images that contain the CVE-2017-5638 Apache Struts vulnerability.

Enabled

Build or Deploy

Log4Shell: log4j Remote Code Execution vulnerability

Alerts when deployments include images that contain the CVE-2021-44228 and CVE-2021-45046 Log4Shell vulnerabilities. Flaws exist in the Apache Log4j Java logging library in versions 2.0-beta9 - 2.15.0, excluding version 2.12.2.

Enabled

Build or Deploy

Spring4Shell (Spring Framework Remote Code Execution) and Spring Cloud Function vulnerabilities

Alerts when deployments include images that contain either the CVE-2022-22965 vulnerability, which affects Spring MVC, and the CVE-2022-22963 vulnerability, which affects Spring Cloud. In versions 3.16, 3.2.2, and older unsupported versions, Spring Cloud contains flaws. Flaws exist in Spring Framework in versions 5.3.0 - 5.3.17, versions 5.2.0 - 5.2.19, and in older unsupported versions.

Enabled

Runtime

Iptables Executed in Privileged Container

Alerts when privileged pods run iptables.

Enabled

7.2. High severity security policies

The following table lists the default security policies in Red Hat Advanced Cluster Security for Kubernetes that are of high severity. The policies are organized by life cycle stage.

Table 7.2. High severity security policies
Life cycle stageNameDescriptionStatus

Build or Deploy

Fixable Common Vulnerability Scoring System (CVSS) >= 7

Alerts when deployments with fixable vulnerabilities have a CVSS of at least 7. However, Red Hat recommends that you create policies using Common Vulnerabilities and Exposures (CVE) severity instead of CVSS score.

Disabled

Build or Deploy

Fixable Severity at least Important

Alerts when deployments with fixable vulnerabilities have a severity rating of at least Important.

Enabled

Build or Deploy

Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol

Alerts on deployments with images containing components that are susceptible to a Denial of Service (DoS) vulnerability for HTTP/2 servers. This addresses a flaw in the handling of multiplexed streams in HTTP/2. A client can rapidly create a request and immediately reset them, which creates extra work for the server while avoiding hitting any server-side limits, resulting in a denial of service attack. To use this policy, consider cloning the policy and adding the Fixable policy criteria before enabling it.

Disabled

Build or Deploy

Secure Shell (ssh) Port Exposed in Image

Alerts when deployments expose port 22, which is commonly reserved for SSH access.

Enabled

Deploy

Emergency Deployment Annotation

Alerts when deployments use the emergency annotation, such as "admission.stackrox.io/break-glass":"ticket-1234" to circumvent StackRox Admission controller checks.

Enabled

Deploy

Environment Variable Contains Secret

Alerts when deployments have environment variables that contain 'SECRET'.

Enabled

Deploy

Fixable CVSS >= 6 and Privileged

Alerts when deployments run in privileged mode with fixable vulnerabilities that have a CVSS of at least 6. However, Red Hat recommends that you create policies using CVE severity instead of CVSS score.

Disabled by default in version 3.72.0 and later

Deploy

Privileged Containers with Important and Critical Fixable CVEs

Alerts when containers that run in privileged mode have important or critical fixable vulnerabilities.

Enabled

Deploy

Secret Mounted as Environment Variable

Alerts when a deployment has a Kubernetes secret that is mounted as an environment variable.

Disabled

Deploy

Secure Shell (ssh) Port Exposed

Alerts when deployments expose port 22, which is commonly reserved for SSH access.

Enabled

Runtime

Cryptocurrency Mining Process Execution

Spawns the crypto-currency mining process.

Enabled

Runtime

iptables Execution

Detects when someone runs iptables, which is a deprecated way of managing network states in containers.

Enabled

Runtime

Kubernetes Actions: Exec into Pod

Alerts when the Kubernetes API receives a request to run a command in a container.

Enabled

Runtime

Linux Group Add Execution

Detects when someone runs the addgroup or groupadd binary to add a Linux group.

Enabled

Runtime

Linux User Add Execution

Detects when someone runs the useradd or adduser binary to add a Linux user.

Enabled

Runtime

Login Binaries

Indicates when someone tries to log in.

Disabled

Runtime

Network Management Execution

Detects when someone runs binary files that can manipulate network configuration and management.

Enabled

Runtime

nmap Execution

Alerts when someone starts the nmap process in a container during run time.

Enabled

Runtime

OpenShift: Kubeadmin Secret Accessed

Alerts when someone accesses the kubeadmin secret.

Enabled

Runtime

Password Binaries

Indicates when someone attempts to change a password.

Disabled

Runtime

Process Targeting Cluster Kubelet Endpoint

Detects the misuse of the healthz, kubelet API, or heapster endpoint.

Enabled

Runtime

Process Targeting Cluster Kubernetes Docker Stats Endpoint

Detects the misuse of the Kubernetes docker stats endpoint.

Enabled

Runtime

Process Targeting Kubernetes Service Endpoint

Detects the misuse of the Kubernetes Service API endpoint.

Enabled

Runtime

Process with UID 0

Alerts when deployments contain processes that run with UID 0.

Disabled

Runtime

Secure Shell Server (sshd) Execution

Detects containers that run the SSH daemon.

Enabled

Runtime

SetUID Processes

Use setuid binary files, which permit people to run certain programs with escalated privileges.

Disabled

Runtime

Shadow File Modification

Indicates when someone tries to modify shadow files.

Disabled

Runtime

Shell Spawned by Java Application

Detects when a shell, such as bash, csh, sh, or zsh, is run as a subprocess of a Java application.

Enabled

Runtime

Unauthorized Network Flow

Generates a violation for any network flows that fall outside of the baselines of the "alert on anomalous violations" setting.

Enabled

Runtime

Unauthorized Processed Execution

Generates a violation for any process execution that is not explicitly allowed by a locked process baseline for a container specification in a Kubernetes deployment.

Enabled

7.3. Medium severity security policies

The following table lists the default security policies in Red Hat Advanced Cluster Security for Kubernetes that are of medium severity. The policies are organized by life cycle stage.

Table 7.3. Medium severity security policies
Life cycle stageNameDescriptionStatus

Build

Docker CIS 4.4: Ensure images are scanned and rebuilt to include security patches

Alerts when images are not scanned and rebuilt to include security patches. It is important to scan images often to find vulnerabilities, rebuild the images to include security patches, and then instantiate containers for the images.

Disabled

Deploy

30-Day Scan Age

Alerts when a deployment has not been scanned in 30 days.

Enabled

Deploy

CAP_SYS_ADMIN capability added

Alerts when a deployment includes containers that are escalating with CAP_SYS_ADMIN.

Enabled

Deploy

Container using read-write root filesystem

Alerts when a deployment includes containers that have read-write root file systems.

Disabled

Deploy

Container with privilege escalation allowed

Alerts when a container might be running with unintended privileges, creating a security risk. This situation can happen when a container process that has more privileges than its parent process allows the container to run with unintended privileges.

Enabled

Deploy

Deployments should have at least one Ingress Network Policy

Alerts if deployments are missing an Ingress Network Policy.

Disabled

Deploy

Deployments with externally exposed endpoints

Detects if a deployment has any service that is externally exposed through any methods. Deployments with services exposed outside of the cluster are at a higher risk of attempted intrusions because they are reachable outside of the cluster. This policy provides an alert so that you can verify that service exposure outside of the cluster is required. If the service is only needed for intra-cluster communication, use service type ClusterIP.

Disabled

Deploy

Docker CIS 5.1: Ensure that, if applicable, an AppArmor profile is enabled

Uses AppArmor to protect the Linux operating system and applications by enforcing a security policy that is known as an AppArmor profile. AppArmor is a Linux application security system that is available on some Linux distributions by default, such as Debian and Ubuntu.

Enabled

Deploy

Docker CIS 5.15: Ensure that the host’s process namespace is not shared

Creates process-level isolation between the containers and the host. The Process ID (PID) namespace isolates the process ID space, which means that processes in different PID namespaces can have the same PID.

Enabled

Deploy

Docker CIS 5.16: Ensure that the host’s IPC namespace is not shared

Alerts when the IPC namespace on the host is shared with containers. The IPC (POSIX/SysV IPC) namespace separates named shared memory segments, semaphores, and message queues.

Enabled

Deploy

Docker CIS 5.19: Ensure mount propagation mode is not enabled

Alerts when mount propagation mode is enabled. When mount propagation mode is enabled, you can mount container volumes in Bidirectional, Host to Container, and None modes. Do not use Bidirectional mount propagation mode unless it is explicitly needed.

Enabled

Deploy

Docker CIS 5.21: Ensure the default seccomp profile is not disabled

Alerts when the seccomp profile is disabled. The seccomp profile uses an allowlist to permit common system calls and blocks all others.

Disabled

Deploy

Docker CIS 5.7: Ensure privileged ports are not mapped within containers

Alerts when privileged ports are mapped within containers. The TCP/IP port numbers that are lower than 1024 are privileged ports. Normal users and processes can not use them for security reasons, but containers might map their ports to privileged ports.

Enabled

Deploy

Docker CIS 5.9 and 5.20: Ensure that the host’s network namespace is not shared

Alerts when the host’s network namespace is shared. When HostNetwork is enabled, the container is not placed inside a separate network stack, and the container’s networking is not containerized. As a result, the container has full access to the host’s network interfaces, and a shared UTS namespace is enabled. The UTS namespace provides isolation between the hostname and the NIS domain name, and it sets the hostname and the domain, which are visible to running processes in that namespace. Processes that run within containers do not typically require to know the hostname or the domain name, so the UTS namespace should not be shared with the host.

Enabled

Deploy

Images with no scans

Alerts when a deployment includes images that were not scanned.

Disabled

Runtime

Kubernetes Actions: Port Forward to Pod

Alerts when the Kubernetes API receives a port forward request.

Enabled

Deploy

Mount Container Runtime Socket

Alerts when a deployment has a volume mount on the container runtime socket.

Enabled

Deploy

Mounting Sensitive Host Directories

Alerts when a deployment mounts sensitive host directories.

Enabled

Deploy

No resource requests or limits specified

Alerts when a deployment includes containers that do not have resource requests and limits.

Enabled

Deploy

Pod Service Account Token Automatically Mounted

Protects pod default service account tokens from being compromised by minimizing the mounting of the default service account token to only those pods whose applications require interaction with the Kubernetes API.

Enabled

Deploy

Privileged Container

Alerts when a deployment includes containers that run in privileged mode.

Enabled

Runtime

crontab Execution

Detects the usage of the crontab scheduled jobs editor.

Enabled

Runtime

Netcat Execution Detected

Detects when netcat runs in a container.

Enabled

Runtime

OpenShift: Advanced Cluster Security Central Admin Secret Accessed

Alerts when someone accesses the Red Hat Advanced Cluster Security Central secret.

Enabled

Runtime

OpenShift: Kubernetes Secret Accessed by an Impersonated User

Alerts when someone impersonates a user to access a secret in the cluster.

Enabled

Runtime

Remote File Copy Binary Execution

Alerts when a deployment runs a remote file copy tool.

Enabled

7.4. Low severity security policies

The following table lists the default security policies in Red Hat Advanced Cluster Security for Kubernetes that are of low severity. The policies are organized by life cycle stage.

Table 7.4. Low severity security policies
Life cycle stageNameDescriptionStatus

Build or Deploy

90-Day Image Age

Alerts when a deployment has not been updated in 90 days.

Enabled

Build or Deploy

ADD Command used instead of COPY

Alerts when a deployment uses an ADD command.

Disabled

Build or Deploy

Alpine Linux Package Manager (apk) in Image

Alerts when a deployment includes the Alpine Linux package manager (apk).

Enabled

Build or Deploy

Curl in Image

Alerts when a deployment includes curl.

Disabled

Build or Deploy

Docker CIS 4.1: Ensure That a User for the Container Has Been Created

Ensures that containers are running as non-root users.

Enabled

Build or Deploy

Docker CIS 4.7: Alert on Update Instruction

Ensures that update instructions are not used alone in the Dockerfile.

Enabled

Build or Deploy

Insecure specified in CMD

Alerts when a deployment uses 'insecure' in the command.

Enabled

Build or Deploy

Latest tag

Alerts when a deployment includes images that use the 'latest' tag.

Enabled

Build or Deploy

Red Hat Package Manager in Image

Alerts when a deployment includes components of the Red Hat, Fedora, or CentOS package management system.

Enabled

Build or Deploy

Required Image Label

Alerts when a deployment includes images that are missing the specified label.

Disabled

Build or Deploy

Ubuntu Package Manager Execution

Detects the usage of the Ubuntu package management system.

Enabled

Build or Deploy

Ubuntu Package Manager in Image

Alerts when a deployment includes components of the Debian or Ubuntu package management system in the image.

Enabled

Build or Deploy

Wget in Image

Alerts when a deployment includes wget.

Disabled

Deploy

Drop All Capabilities

Alerts when a deployment does not drop all capabilities.

Disabled

Deploy

Improper Usage of Orchestrator Secrets Volume

Alerts when a deployment uses a Dockerfile with 'VOLUME /run/secrets'.

Enabled

Deploy

Kubernetes Dashboard Deployed

Alerts when a Kubernetes dashboard service is detected.

Enabled

Deploy

Required Annotation: Email

Alerts when a deployment is missing the 'email' annotation.

Disabled

Deploy

Required Annotation: Owner/Team

Alerts when a deployment is missing the 'owner' or 'team' annotation.

Disabled

Deploy

Required Label: Owner/Team

Alerts when a deployment is missing the 'owner' or 'team' label.

Disabled

Runtime

Alpine Linux Package Manager Execution

Alerts when the Alpine Linux package manager (apk) is run at run time.

Enabled

Runtime

chkconfig Execution

Detects the usage of the ckconfig service manager, which is typically not used in a container.

Enabled

Runtime

Compiler Tool Execution

Alerts when binary files that compile software are run at run time.

Enabled

Runtime

Red Hat Package Manager Execution

Alerts when Red Hat, Fedora, or CentOS package manager programs are run at run time.

Enabled

Runtime

Shell Management

Alerts when commands are run to add or remove a shell.

Disabled

Runtime

systemctl Execution

Detects the usage of the systemctl service manager.

Enabled

Runtime

systemd Execution

Detects the usage of the systemd service manager.

Enabled

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.