frameworks/allcontrols.json

{
    "name": "AllControls",
    "description": "Contains all the controls from all the frameworks",
    "attributes": {
        "armoBuiltin": true
    },
    "activeControls": [
        {
            "controlID": "C-0001",
            "patch": {
                "name": "Forbidden Container Registries"
            }
        },
        {
            "controlID": "C-0002",
            "patch": {
                "name": "Exec into container"
            }
        },
        {
            "controlID": "C-0004",
            "patch": {
                "name": "Resources memory limit and request"
            }
        },
        {
            "controlID": "C-0005",
            "patch": {
                "name": "API server insecure port is enabled"
            }
        },
        {
            "controlID": "C-0007",
            "patch": {
                "name": "Data Destruction"
            }
        },
        {
            "controlID": "C-0009",
            "patch": {
                "name": "Resource limits"
            }
        },
        {
            "controlID": "C-0012",
            "patch": {
                "name": "Applications credentials in configuration files"
            }
        },
        {
            "controlID": "C-0013",
            "patch": {
                "name": "Non-root containers"
            }
        },
        {
            "controlID": "C-0014",
            "patch": {
                "name": "Access Kubernetes dashboard"
            }
        },
        {
            "controlID": "C-0015",
            "patch": {
                "name": "List Kubernetes secrets"
            }
        },
        {
            "controlID": "C-0016",
            "patch": {
                "name": "Allow privilege escalation"
            }
        },
        {
            "controlID": "C-0017",
            "patch": {
                "name": "Immutable container filesystem"
            }
        },
        {
            "controlID": "C-0018",
            "patch": {
                "name": "Configured readiness probe"
            }
        },
        {
            "controlID": "C-0020",
            "patch": {
                "name": "Mount service principal"
            }
        },
        {
            "controlID": "C-0021",
            "patch": {
                "name": "Exposed sensitive interfaces"
            }
        },
        {
            "controlID": "C-0026",
            "patch": {
                "name": "Kubernetes CronJob"
            }
        },
        {
            "controlID": "C-0030",
            "patch": {
                "name": "Ingress and Egress blocked"
            }
        },
        {
            "controlID": "C-0031",
            "patch": {
                "name": "Delete Kubernetes events"
            }
        },
        {
            "controlID": "C-0034",
            "patch": {
                "name": "Automatic mapping of service account"
            }
        },
        {
            "controlID": "C-0035",
            "patch": {
                "name": "Cluster-admin binding"
            }
        },
        {
            "controlID": "C-0036",
            "patch": {
                "name": "Malicious admission controller (validating)"
            }
        },
        {
            "controlID": "C-0038",
            "patch": {
                "name": "Host PID/IPC privileges"
            }
        },
        {
            "controlID": "C-0039",
            "patch": {
                "name": "Malicious admission controller (mutating)"
            }
        },
        {
            "controlID": "C-0041",
            "patch": {
                "name": "HostNetwork access"
            }
        },
        {
            "controlID": "C-0042",
            "patch": {
                "name": "SSH server running inside container"
            }
        },
        {
            "controlID": "C-0044",
            "patch": {
                "name": "Container hostPort"
            }
        },
        {
            "controlID": "C-0045",
            "patch": {
                "name": "Writable hostPath mount"
            }
        },
        {
            "controlID": "C-0046",
            "patch": {
                "name": "Insecure capabilities"
            }
        },
        {
            "controlID": "C-0048",
            "patch": {
                "name": "HostPath mount"
            }
        },
        {
            "controlID": "C-0049",
            "patch": {
                "name": "Network mapping"
            }
        },
        {
            "controlID": "C-0050",
            "patch": {
                "name": "Resources CPU limit and request"
            }
        },
        {
            "controlID": "C-0052",
            "patch": {
                "name": "Instance Metadata API"
            }
        },
        {
            "controlID": "C-0053",
            "patch": {
                "name": "Access container service account"
            }
        },
        {
            "controlID": "C-0054",
            "patch": {
                "name": "Cluster internal networking"
            }
        },
        {
            "controlID": "C-0055",
            "patch": {
                "name": "Linux hardening"
            }
        },
        {
            "controlID": "C-0056",
            "patch": {
                "name": "Configured liveness probe"
            }
        },
        {
            "controlID": "C-0057",
            "patch": {
                "name": "Privileged container"
            }
        },
        {
            "controlID": "C-0058",
            "patch": {
                "name": "CVE-2021-25741 - Using symlink for arbitrary host file system access."
            }
        },
        {
            "controlID": "C-0059",
            "patch": {
                "name": "CVE-2021-25742-nginx-ingress-snippet-annotation-vulnerability"
            }
        },
        {
            "controlID": "C-0061",
            "patch": {
                "name": "Pods in default namespace"
            }
        },
        {
            "controlID": "C-0062",
            "patch": {
                "name": "Sudo in container entrypoint"
            }
        },
        {
            "controlID": "C-0063",
            "patch": {
                "name": "Portforwarding privileges"
            }
        },
        {
            "controlID": "C-0065",
            "patch": {
                "name": "No impersonation"
            }
        },
        {
            "controlID": "C-0066",
            "patch": {
                "name": "Secret/ETCD encryption enabled"
            }
        },
        {
            "controlID": "C-0067",
            "patch": {
                "name": "Audit logs enabled"
            }
        },
        {
            "controlID": "C-0068",
            "patch": {
                "name": "PSP enabled"
            }
        },
        {
            "controlID": "C-0069",
            "patch": {
                "name": "Disable anonymous access to Kubelet service"
            }
        },
        {
            "controlID": "C-0070",
            "patch": {
                "name": "Enforce Kubelet client TLS authentication"
            }
        },
        {
            "controlID": "C-0073",
            "patch": {
                "name": "Naked PODs"
            }
        },
        {
            "controlID": "C-0074",
            "patch": {
                "name": "Containers mounting Docker socket"
            }
        },
        {
            "controlID": "C-0075",
            "patch": {
                "name": "Image pull policy on latest tag"
            }
        },
        {
            "controlID": "C-0076",
            "patch": {
                "name": "Label usage for resources"
            }
        },
        {
            "controlID": "C-0077",
            "patch": {
                "name": "K8s common labels usage"
            }
        },
        {
            "controlID": "C-0078",
            "patch": {
                "name": "Images from allowed registry"
            }
        },
        {
            "controlID": "C-0079",
            "patch": {
                "name": "CVE-2022-0185-linux-kernel-container-escape"
            }
        },
        {
            "controlID": "C-0081",
            "patch": {
                "name": "CVE-2022-24348-argocddirtraversal"
            }
        },
        {
            "controlID": "C-0083",
            "patch": {
                "name": "Workloads with Critical vulnerabilities exposed to external traffic"
            }
        },
        {
            "controlID": "C-0084",
            "patch": {
                "name": "Workloads with RCE vulnerabilities exposed to external traffic"
            }
        },
        {
            "controlID": "C-0085",
            "patch": {
                "name": "Workloads with excessive amount of vulnerabilities"
            }
        },
        {
            "controlID": "C-0086",
            "patch": {
                "name": "CVE-2022-0492-cgroups-container-escape"
            }
        },
        {
            "controlID": "C-0087",
            "patch": {
                "name": "CVE-2022-23648-containerd-fs-escape"
            }
        },
        {
            "controlID": "C-0088",
            "patch": {
                "name": "RBAC enabled"
            }
        },
        {
            "controlID": "C-0090",
            "patch": {
                "name": "CVE-2022-39328-grafana-auth-bypass"
            }
        },
        {
            "controlID": "C-0091",
            "patch": {
                "name": "CVE-2022-47633-kyverno-signature-bypass"
            }
        }
    ]
}