Base Rule Set Compliance Matrix


Rule Sets Overview

Threat Stack provides several base rule sets to help you get started: the Base Rule Set (host), the CloudTrail Base Rule Set, and the container rule sets. Because a base rule set may not meet your organization's specific needs, Threat Stack also provides alternate compliance rule sets based on:

  • HIPAA
  • ISO 27001
  • MPAA
  • PCI
  • SOC2

Base Rule Set and Matching Compliance Rule Sets

To help clarify how these other compliance rule sets compare to the host's Base Rule Set, we created comparison charts for each compliance rule set.

HIPAA comparison chart (the ISO 27001, MPAA, PCI and SOC2 charts are separate tabs on the original page and are not reproduced here). Where the severity cell is empty, no severity was listed on the page.

| Base Rule Set | HIPAA Rule Set | Supports Criteria | Severity |
| --- | --- | --- | --- |
| Database: Connection from Command Line | N/A | N/A | 2 |
| Exploit: Kernel Module Activity | HIPAA: Exploit: Kernel Module Activity | HIPAA 164.308(a)(5)(ii)(B) | 1 |
| Exploit: Process Activity from /tmp | HIPAA: Exploit: Process Activity From /tmp | HIPAA 164.308(a)(5)(ii)(B) | 1 |
| Exploit: Service Running Shell | N/A | N/A | 1 |
| Exploit: Service Running as Root | HIPAA: Exploit: Service Running As Root | HIPAA 164.308(a)(5)(ii)(B) | 1 |
| File: Canary File Opens | HIPAA: File: Patient File Opens | HIPAA 164.312(b) | 2 |
| File: Secret File Opens | HIPAA: File: Secret File Opens | HIPAA 164.312(b) | 3 |
| File: System Configuration File Changes | HIPAA: File: System Configuration File Changes | HIPAA 164.312(b) Integrity | 2 |
| File: System File Changes | HIPAA: File: System File Changes | HIPAA 164.312(b) | 2 |
| File: System Logs Deleted | HIPAA: File: System Logs Deleted | HIPAA 164.312(b) | 2 |
| Host: Excessive Root Login Failures from LAN | HIPAA: Host: Excessive Login Failures | HIPAA 164.308(a)(5)(ii)(C) | 2 |
| Host: Excessive User Login Failures from LAN | HIPAA: Host: Excessive Login Failures | HIPAA 164.308(a)(5)(ii)(C) | 2 |
| Host: New User Added | HIPAA: Host: New User Added | HIPAA 164.308(a)(3)(ii)(A) | 2 |
| Network: Inbound Connection (Accepts) from LAN | HIPAA: Network: Inbound Connection (Accepts) | HIPAA 164.312(b) | 3 |
| Network: Inbound Connection (Accepts) from WAN | HIPAA: Network: Inbound Connection (Accepts) | HIPAA 164.312(b) | 3 |
| Network: Outbound Connection (Connects) to LAN | HIPAA: Network: Outbound Connection (Connects) | HIPAA 164.312(b) | 3 |
| Network: Outbound Connection (Connects) to WAN | HIPAA: Network: Outbound Connection (Connects) | HIPAA 164.312(b) | 3 |
| Threat Intelligence: Inbound Connection (Accepts) from WAN | N/A | N/A | 3 |
| Threat Intelligence: Outbound Connection (Connects) to WAN | HIPAA: Threat Intelligence: Outbound Connection (Connects) | HIPAA 164.312(b) | 1 |
| User: Data Movement inside the LAN | N/A | N/A | |
| User: Possible Data Exfiltration | HIPAA: User: Possible Data Exfiltration | HIPAA 164.312(b) | |
| User: Root Login from LAN | HIPAA: User: Logins | HIPAA 164.308(a)(5)(ii)(C) | 3 |
| User: Root Login from WAN | HIPAA: User: Logins | HIPAA 164.308(a)(5)(ii)(C) | 3 |
| User: User Login from LAN | HIPAA: User: Logins | HIPAA 164.308(a)(5)(ii)(C) | 3 |
| User: User Login from WAN | HIPAA: User: Logins | HIPAA 164.308(a)(5)(ii)(C) | 3 |
| User: Possible Data Download | HIPAA: User: Possible Data Download | HIPAA 164.312(b) | 2 |
| User: Potentially Suspicious Command Usage | HIPAA: User: Potentially Suspicious Command Usage | HIPAA 164.308(a)(5)(ii)(B) | 2 |
| User: Privilege Escalations | HIPAA: User: Privilege Escalation | HIPAA 164.308(a)(4)(i) | 2 |
| User: System Time Changes | N/A | N/A | |
| User: Terminated Employee Activity | N/A | N/A | |
| N/A | HIPAA: User: Root Login | N/A | 1 |

CloudTrail Base Rule Set and Matching Compliance Rule Sets

To help clarify how these other compliance rule sets compare to CloudTrail's Base Rule Set, we created comparison charts for each compliance rule set.

HIPAA comparison chart (the ISO 27001, MPAA, PCI and SOC2 charts are separate tabs on the original page and are not reproduced here).

| CloudTrail Base Rule Set | HIPAA Rule Set | Supports Criteria | Severity |
| --- | --- | --- | --- |
| CloudTrail: Admin Activity | N/A | N/A | 2 |
| CloudTrail: AWS VPC Changes | N/A | N/A | 2 |
| CloudTrail: DirectConnect Policy Changes | N/A | N/A | 2 |
| CloudTrail: IAM Policy Changes | N/A | N/A | 1 |
| CloudTrail: ELB Changes | N/A | N/A | 2 |
| CloudTrail: Route53 DNS Record Changes | N/A | N/A | 2 |
| CloudTrail: S3 File Tracking | HIPAA: CloudTrail: S3 File Tracking | HIPAA 164.312(c)(1) | 2 |
| CloudTrail: S3 Security Activity | N/A | N/A | 2 |
| CloudTrail: Security Group Changes | HIPAA: CloudTrail: Security Group Changes | HIPAA 164.312(c)(1) | 2 |
| CloudTrail: Wide Open Security Group | HIPAA: CloudTrail: Wide Open Security Group | HIPAA 164.312(c)(1) | 1 |
| CloudTrail: Console Login: MFA Not Used | HIPAA: CloudTrail: Console Login (MFA Not Used) | HIPAA 164.308(a)(5)(ii)(C) | 2 |
| CloudTrail: Non-Standard VPC | N/A | N/A | 3 |
| CloudTrail: AWS Kinesis Service | N/A | N/A | 3 |
| CloudTrail: Access Denied | N/A | N/A | 3 |
| CloudTrail: Admin Activity | N/A | N/A | 1 |
| CloudTrail: Certificate Manager Changes | N/A | N/A | 2 |
| CloudTrail: Console Login by Root | N/A | N/A | 1 |
| CloudTrail: EC2 Service Policy Changes | N/A | N/A | 2 |
| CloudTrail: Glacier Policy and Vault Changes | N/A | N/A | 2 |
| CloudTrail: Instances in non-standard region | N/A | N/A | 3 |
| CloudTrail: Key Activity | N/A | N/A | 2 |
| CloudTrail: Lambda Permission Changes | N/A | N/A | 2 |
| CloudTrail: Non-Standard Image Id | N/A | N/A | 3 |
| CloudTrail: RDS Changes | N/A | N/A | 3 |
| CloudTrail: SES Changes | N/A | N/A | 2 |
| CloudTrail: SNS Changes | N/A | N/A | 2 |
| CloudTrail: SQS Changes | N/A | N/A | 2 |
| CloudTrail: Too many API calls | N/A | N/A | 3 |

Container Rule Sets

Container rule sets have no counterpart in the host Base Rule Set, so there is no comparison chart for them. The list below gives the individual rules and, where one applies, the compliance standard they support.

Docker rule set (the CIS Docker and Kubernetes rule sets are separate tabs on the original page and are not reproduced here):

  • Docker: File: Docker Container File Change
  • Docker: File: Docker Configuration Change
  • Docker: File: Docker Executable Change
  • Docker: Network: Outbound Connection (Connects)
  • Docker: User: Privileged Commands
  • Docker: User: Push or Pull Commands
  • Docker: User: User Commands