Control: Containerized applications should use security services such as SELinux or AppArmor or Seccomp
Description
The underlying host OS needs to be hardened so that a process that escapes its container has limited reach on the host. Linux provides several such mechanisms out of the box: SELinux and AppArmor are Linux Security Modules that confine a container's processes with a mandatory access control profile, and Seccomp filters the system calls a process is allowed to make. This control checks each PodSecurityPolicy for an SELinux rule of MustRunAs, or for a default AppArmor or Seccomp profile of runtime/default set through the policy's annotations; a policy that sets none of these is reported as an alarm. Note that PodSecurityPolicy was removed in Kubernetes 1.25, so on newer clusters this table is empty and the equivalent settings are expressed per pod in securityContext (seccompProfile, and appArmorProfile from 1.30) and enforced by Pod Security Admission.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.pod_security_policy_security_services_hardening
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run kubernetes_compliance.control.pod_security_policy_security_services_hardening --share
SQL
This control uses a named query:
select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when se_linux -> 'rule' = '"MustRunAs"' then 'ok'
    when annotations -> 'apparmor.security.beta.kubernetes.io/defaultProfileName' = '"runtime/default"' then 'ok'
    when annotations -> 'seccomp.security.alpha.kubernetes.io/defaultProfileName' = '"runtime/default"' then 'ok'
    else 'alarm'
  end as status,
  case
    when se_linux -> 'rule' = '"MustRunAs"' then 'Pod security policy ' || name || ' using SELinux security service.'
    when annotations -> 'apparmor.security.beta.kubernetes.io/defaultProfileName' = '"runtime/default"' then 'Pod security policy ' || name || ' using AppArmor security service.'
    when annotations -> 'seccomp.security.alpha.kubernetes.io/defaultProfileName' = '"runtime/default"' then 'Pod security policy ' || name || ' using Seccomp security service.'
    else 'Pod security policy ' || name || ' not using security services.'
  end as reason,
  coalesce(context_name, '') as context_name,
  source_type,
  coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_pod_security_policy;
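The same case logic run over constructed PodSecurityPolicy rows, as an added example that is not part of the Powerpipe mod. It needs only plain PostgreSQL, not a Steampipe connection: the CTE sample_pod_security_policy stands in for the kubernetes_pod_security_policy table with the same jsonb column types, and the four sample policies are made up to exercise each branch. It also shows two details the query above does not spell out: the -> operator returns jsonb, so the right-hand literals are JSON strings with embedded double quotes, and the annotation checks only accept exactly runtime/default, so a policy that pins a localhost/ profile (stricter than the runtime default) is still reported as an alarm.

```sql
-- Added example, not part of the Powerpipe mod: the control's status logic
-- evaluated against constructed PodSecurityPolicy rows on plain PostgreSQL.
with sample_pod_security_policy(name, se_linux, annotations) as (
  values
    -- constructed sample rows; jsonb columns mirror the Steampipe table
    ('psp-selinux',
     '{"rule": "MustRunAs", "seLinuxOptions": {"level": "s0:c123,c456"}}'::jsonb,
     '{}'::jsonb),
    ('psp-apparmor',
     '{"rule": "RunAsAny"}'::jsonb,
     '{"apparmor.security.beta.kubernetes.io/defaultProfileName": "runtime/default"}'::jsonb),
    ('psp-seccomp-localhost',
     '{"rule": "RunAsAny"}'::jsonb,
     '{"seccomp.security.alpha.kubernetes.io/defaultProfileName": "localhost/audit.json"}'::jsonb),
    ('psp-none',
     '{"rule": "RunAsAny"}'::jsonb,
     '{}'::jsonb)
)
select
  name,
  case
    -- '->' yields jsonb, so the literal on the right is the JSON string "MustRunAs"
    -- including its double quotes; '->>' would yield text and compare to 'MustRunAs'
    when se_linux -> 'rule' = '"MustRunAs"' then 'ok'
    -- only the exact value runtime/default matches; a missing annotation yields
    -- NULL, NULL = ... is NULL, and the row falls through to 'alarm'
    when annotations -> 'apparmor.security.beta.kubernetes.io/defaultProfileName' = '"runtime/default"' then 'ok'
    when annotations -> 'seccomp.security.alpha.kubernetes.io/defaultProfileName' = '"runtime/default"' then 'ok'
    else 'alarm'
  end as status,
  -- expose which branch matched, useful when tuning the control for a cluster
  coalesce(se_linux ->> 'rule', '') as selinux_rule,
  coalesce(annotations ->> 'apparmor.security.beta.kubernetes.io/defaultProfileName', '') as apparmor_profile,
  coalesce(annotations ->> 'seccomp.security.alpha.kubernetes.io/defaultProfileName', '') as seccomp_profile
from
  sample_pod_security_policy
order by
  name;
```

Running it returns ok for psp-apparmor and psp-selinux and alarm for psp-none and psp-seccomp-localhost. If a cluster legitimately ships custom localhost/ profiles, extend the annotation conditions to accept the `localhost/` prefix (for example with `annotations ->> '...' like 'localhost/%'`) rather than relaxing the control to any non-empty value, since `unconfined` is also a valid profile name and must stay an alarm.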