Container Rulesets Compliance Matrix

Threat Stack now includes CIS Docker and Kubernetes rulesets to increase configuration visibility. The CIS Docker ruleset assists with safe and secure configuration of Docker containers by alerting on known configuration issues and misconfigurations. The Kubernetes ruleset assists with file integrity monitoring (FIM) by alerting on changes to configuration files associated with the Kubernetes API server, Scheduler, etcd, Controller Manager, Cluster Administration, and Kubelet Service.

Threat Stack also uses rules in the base ruleset to mitigate risky activity recognized by the MITRE ATT&CK Matrices.

Important

File Integrity Monitoring (FIM) rules for containers provide visibility to files that are accessible from the host file system. For containers, this includes container volumes mounted by the host, but no other files.
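The scope described in the note above can be checked per container from `docker inspect` output: only bind mounts and named volumes have a backing path on the host, so only changes under those paths can produce a host-side FIM event. The following is an added example, not Threat Stack's code; it assumes the standard `Mounts` array (fields `Type`, `Source`, `Destination`, `RW`) that `docker inspect` emits, and the sample data is constructed.

```python
"""
Added example, not Threat Stack's code: given `docker inspect` output, list
the container paths a host-side file integrity monitor can actually see.
Assumes the standard `Mounts` array that `docker inspect <container>` emits
(fields Type, Source, Destination, RW). The sample data below is constructed.
"""
import json
from typing import Dict, List, Tuple

# Constructed `docker inspect` excerpt for two containers (not real output).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "Mounts": [
            {"Type": "bind", "Source": "/srv/web/conf",
             "Destination": "/etc/nginx", "RW": False},
            {"Type": "volume", "Name": "weblogs",
             "Source": "/var/lib/docker/volumes/weblogs/_data",
             "Destination": "/var/log/nginx", "RW": True},
            {"Type": "tmpfs", "Source": "", "Destination": "/run", "RW": True},
        ],
    },
    {"Name": "/worker", "Mounts": []},
])

# Mount types whose backing store is a path on the host filesystem.
HOST_BACKED = {"bind", "volume"}


def fim_visible_paths(inspect_json: str) -> Dict[str, List[Tuple[str, str, bool]]]:
    """Map container name -> [(host_path, container_path, writable)] for
    every mount a host FIM agent can observe. tmpfs mounts have no host
    path, and files in the container's own layer are outside the scope
    the note describes, so neither is listed."""
    visible: Dict[str, List[Tuple[str, str, bool]]] = {}
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        rows: List[Tuple[str, str, bool]] = []
        for m in container.get("Mounts", []):
            if m.get("Type") in HOST_BACKED and m.get("Source"):
                rows.append((m["Source"], m["Destination"], bool(m.get("RW", True))))
        visible[name] = rows
    return visible


def fim_blind_spots(inspect_json: str) -> List[str]:
    """Containers with no host-backed mount at all: a file change inside
    them produces no FIM event, so they rely on the process- and
    network-based Docker rules for coverage instead."""
    return [name for name, rows in fim_visible_paths(inspect_json).items() if not rows]


if __name__ == "__main__":
    for name, rows in fim_visible_paths(SAMPLE_INSPECT).items():
        print(f"{name}:")
        for host, cont, rw in rows:
            print(f"  {cont} <- {host} ({'rw' if rw else 'ro'})")
    print("no FIM coverage:", fim_blind_spots(SAMPLE_INSPECT))
```

On a real host, pass the output of `docker inspect $(docker ps -q)` to `fim_visible_paths` instead of the constructed sample; containers returned by `fim_blind_spots` are the ones where a file change will never surface as a FIM alert.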

If these rulesets provide value for your organization, then please reach out to your customer success manager to add them to your environment.

Docker ruleset

| Docker rule | MITRE criteria |
|---|---|
| Docker: kinsing malware | T1496, T1610 |
| Docker: Container File Change | T1485 |
| Docker: Data Encoding Observed | T1560, T1140, T1132, T1048 |
| Docker: Data Encryption Observed | T1486, T1140 |
| Docker: EC2 Instance Metadata Communication | T1552 |
| Docker: Exploit: Process Activity from /tmp | T1203 |
| Docker: File: Docker Configuration Change | T1485 |
| Docker: Kubectl Commands | T1610, T1609 |
| Docker: Network: Outbound Connection (Connects) | N/A |
| Docker: Possible Data Download | T1204 |
| Docker: Possible Data Exfiltration | T1567, T1074, T1048, T1041, T1020 |
| Docker: Privileged Commands | T1609 |
| Docker: Suspicious User Commands | T1609 |
| Docker: System Time Change Attempt | N/A |
| Docker: User Commands | T1609 |
| Docker: User: Push or Pull Commands | T1610 |
