OOTB Rules

This page is not yet available in English. Translation is in progress.
If you have questions or feedback about the current translation project, please feel free to contact us.

Datadog provides out-of-the-box (OOTB) detection rules to flag attacker techniques and potential misconfigurations so you can immediately take steps to remediate. Datadog continuously develops new default rules, which are automatically imported into your account, your App and API Protection library, and the Agent, depending on your configuration.

Datadog's Security Research team continuously adds new OOTB security detection rules. While the aim is to deliver high-quality detections with the release of integrations or other new features, the performance of these detections at scale often needs to be observed before making the rule generally available. These rules contain a Beta tag. This gives Datadog's Security Research team time to either refine or deprecate detection opportunities that do not meet Datadog's standards.

Use the category filters on this page to narrow the list of detection rules. Security detection rules are available for the following categories:

API Findings
api-findings Admin endpoint without authentication
api-findings Authenticated route returns sensitive data
api-findings Authenticated route returns sensitive data using predictable IDs
api-findings Authenticated route use expensive APIs without rate limiting
api-findings Authentication route is not protected by AAP's ATO Detection
api-findings Authentication route use Basic Auth
api-findings Authentication route without HTTPS
api-findings Endpoint exposes stack trace errors
api-findings Improper collection of metadata on login requests
api-findings Missing Access-Control-Allow-Origin HTTP header
api-findings Missing Content Type HTTP header
api-findings Missing Content-Security-Policy HTTP header
api-findings Missing Referrer-Policy Security HTTP header
api-findings Missing Strict Transport Security HTTP header
api-findings Missing X-Frame-Options HTTP header
api-findings Private endpoint lacks assigned owner
api-findings Public endpoint exposes stack trace errors
api-findings Public endpoint has no defined schema
api-findings Public endpoint lacks assigned owner
api-findings Read operation on route use predictable IDs
api-findings Route processes payments without HTTPS
api-findings Route returns non-sensitive PII data without HTTPS
api-findings Route returns non-sensitive PII data without rate limit
api-findings Route returns non-sensitive PII without setting Cache-Control HTTP header
api-findings Route returns PCI regulated data without HTTPS
api-findings Route returns PCI regulated data without setting Cache-Control HTTP header
api-findings Route returns sensitive PII data without HTTPS
api-findings Route returns sensitive PII data without rate limit
api-findings Route returns sensitive PII without setting Cache-Control HTTP header
api-findings Route uses expensive APIs without rate limiting
api-findings Route uses HTTP to connect to external APIs
api-findings Route vulnerable to Server-Side Request Forgery (SSRF)
api-findings Service exposes publicly debugging endpoints
api-findings Unauthenticated route is used to invite users
api-findings Unauthenticated route processes payments
api-findings Unauthenticated route returns non-sensitive PII data
api-findings Unauthenticated route returns PCI regulated data
api-findings Unauthenticated route returns sensitive data using predictable IDs
api-findings Unauthenticated route returns sensitive PII
api-findings Unauthenticated route use expensive APIs
api-findings Unauthenticated route use predictable IDs
api-findings Unauthenticated route with SQL injection vulnerability
api-findings Unauthenticated route without rate limit
api-findings Unauthenticated route write using predictable IDs
api-findings Unwanted HTTP header in response
api-findings User preferences endpoint without HTTPS
api-findings User signup endpoint without HTTPS
api-findings Write operation on route use predictable IDs

Application Threats
application-threats API scan detected on service
application-threats Attack Tool
application-threats Bruteforce attack
application-threats Cassandra injection vulnerability triggered
application-threats Command injection attempt detected
application-threats Command injection exploited
application-threats Commercial vulnerability scanner
application-threats CQL injections attempts
application-threats Credential Stuffing attack
application-threats Distributed Credential Stuffing campaign (attacker fingerprint)
application-threats Distributed Credential Stuffing campaign (attempt count)
application-threats Distributed Credential Stuffing campaign (user count)
application-threats Excessive account deletion from an IP
application-threats Excessive payment failures from IP
application-threats Excessive resource consumption of third-party API
application-threats Excessive sensitive activity from an IP (SDK instrumented)
application-threats Excessive sensitive activity from an IP (WAF instrumented)
application-threats Feature returning private information abused by IP
application-threats Impossible travel observed from business logic event
application-threats Java code injections attempts
application-threats JWT authentication bypass attempt
application-threats Local File Inclusion (LFI) attack attempts
application-threats Local file inclusion exploited
application-threats Log4shell RCE attempts - CVE-2021-44228
application-threats Log4shell vulnerability triggered (RCE) - CVE-2021-44228
application-threats Mongo injections attempts
application-threats OGNL injection attack attempts on routes parsing OGNL
application-threats Password reset token bruteforce
application-threats Reflected XSS attempts on routes returning HTML
application-threats Resource enumeration detected
application-threats Security scanner detected
application-threats Spring4shell RCE attempts - CVE-2022-22963
application-threats SQL injection exploited
application-threats SQL injections attempts
application-threats SSRF attempts on routes executing network queries
application-threats SSRF exploited
application-threats Unauthenticated activity detected
application-threats Unauthorized activity detected
application-threats Unusual account creations from an IP
application-threats Unusual password reset rate activity
application-threats User activity detected from outside authorized countries
application-threats User activity detected from unauthorized countries
application-threats User activity from Tor
application-threats User enumeration through password reset
application-threats User has changed country
application-threats User has used a disposable email address

Azure
azure Azure Active Directory risky sign-in
azure Azure AD brute force login
azure Azure AD escalation from Global Administrator to User Access Administrator
azure Azure AD Identity Protection risky user
azure Azure AD member assigned built-in Administrator role
azure Azure AD member assigned Global Administrator role
azure Azure AD MFA disabled
azure Azure AD new verified domain added to tenant
azure Azure AD possible MFA fatigue attack
azure Azure AD possible MFA fatigue attack followed by successful login
azure Azure AD Privileged Identity Management member assigned
azure Azure AD sign in from AADinternals default user agent
azure Azure AD sign in from AzureHound default user agent
azure BETA Azure administrative unit created
azure BETA Azure administrative unit modified
azure BETA Azure AI API keys listed from previously unseen application
azure BETA Azure AI API keys listed outside of known AI web portals
azure BETA Azure AI models listed directly through API
azure BETA Azure AI service high volume of chat requests
azure BETA Azure Bastion shareable link created
azure Azure Datadog Log Forwarder Deleted
azure Azure diagnostic setting deleted or disabled
azure Azure disk export URI created
azure Azure Firewall Threat Intelligence Alert
azure Azure Frontdoor WAF Blocked a Request
azure Azure Frontdoor WAF Logged a Request
azure Azure Function has administrative privileges over resources
azure Azure group has access to a large number of resources
azure Azure group has administrative privileges over resources
azure Azure group has dangerous key vault role
azure Azure Login Explicitly Denied MFA
azure Azure managed identity has a large permissions gap
azure Azure managed identity has access to a large number of resources
azure Azure managed identity has administrative privileges over resources
azure Azure managed identity has dangerous key vault role
azure Azure Network Security Group Open to the World
azure Azure Network Security Groups or Rules Created, Modified, or Deleted
azure Azure new owner added for service principal
azure Azure New Owner added to Azure Active Directory application
azure Azure New Service Principal created
azure Azure Policy Assignment Created
azure BETA Azure restricted management administrative unit created
azure Azure Service Principal was assigned a role
azure Azure snapshot export URI created
azure Azure SQL Server Firewall Rules Created or Modified
azure BETA Azure user added to restricted management administrative unit
azure BETA Azure user granted scoped role assignment over administrative unit
azure Azure user has a large permissions gap
azure Azure user has access to a large number of resources
azure Azure user has administrative privileges over resources
azure Azure user has dangerous key vault role
azure Azure user invited an external user
azure Azure user ran command on container instance
azure BETA Azure user removed from restricted administrative unit
azure Azure user viewed CosmosDB access keys
azure Azure user viewed CosmosDB connection string
azure Azure Virtual Machine instance has administrative privileges over resources
azure Brute-forced user has assigned a role
azure Credential added to Azure AD application
azure Credential added to rarely used Azure AD application
azure Credential Stuffing Attack on Azure
azure Ensure that Azure Databricks is deployed in a customer-managed virtual network (VNet)
azure Ensure that data at rest and in transit is encrypted in Azure Databricks using customer managed keys (CMK)
azure Microsoft 365 - Modification of Trusted Domain
azure Potential Illicit Consent Grant attack via Azure registered application
azure Tor client IP address identified within Azure environment
azure User ran a command on Azure Compute

Azure Activity Log
azure.activity_log 'Create or Update Network Security Group' activity log alert should be configured
azure.activity_log 'Create or Update Public Ip Address' activity log alert should be configured
azure.activity_log 'Create or Update Security Solutions' activity log alert should be configured
azure.activity_log 'Create or Update SQL Server Firewall Rule' activity log alert should be configured
azure.activity_log 'Create Policy Assignment' activity log alert should be configured
azure.activity_log 'Delete Network Security Group' activity log alert should be configured
azure.activity_log 'Delete Policy Assignment' activity log alert should be configured
azure.activity_log 'Delete Public Ip Address Rule' activity log alert should be configured
azure.activity_log 'Delete Security Solution' activity log alert should be configured
azure.activity_log 'Delete SQL Server Firewall Rule' activity log alert should be configured
azure.activity_log 'Service Health' activity log alert should be configured
azure.activity_log Account should have a activity log alert configured for 'Create or Update Network Security Group'
azure.activity_log Account should have a activity log alert configured for 'Delete Load Balancer'
azure.activity_log Account should have a activity log alert configured for 'Delete Storage Accounts'
azure.activity_log Account should have a activity log alert configured for creating or updating storage accounts
azure.activity_log Account should have a activity log alert configured for creating or updating virtual machines
azure.activity_log Account should have a activity log alert configured for deallocating virtual machines
azure.activity_log Account should have a configured activity log alert for 'Delete Key Vault'
azure.activity_log Account should have a configured activity log alert for 'Delete MySQL Database'
azure.activity_log Account should have a configured activity log alert for 'Delete PostgreSQL Database'
azure.activity_log Account should have a configured activity log alert for 'Rename Azure SQL Database'
azure.activity_log Account should have a configured activity log alert for 'Update Key Vault'
azure.activity_log Account should have a configured activity log alert for 'Update Security Policy'
azure.activity_log Account should have a configured activity log alert for deleting Network Security Group
azure.activity_log Account should have a configured activity log alert for deleting policy assignments
azure.activity_log Account should have a configured activity log alert for deleting the SQL Server firewall rule
azure.activity_log Account should have a configured activity log alert for deleting VMs
azure.activity_log Account should have a configured activity log alert for load balancer updates
azure.activity_log Account should have a configured activity log alert for mysql database updates
azure.activity_log Account should have a configured activity log alert for PostgreSQL database updates
azure.activity_log Account should have a configured activity log alert for power off events
azure.activity_log Account should have a configured activity log alert for security solutions creation or updates
azure.activity_log Account should have a configured activity log alert for sql database updates
azure.activity_log The account should have a configured activity log alert for firewall rule creation or update
azure.activity_log The user should configure an activity log alert for SQL Database deletion

CloudTrail
cloudtrail A user received an anomalous number of AccessDenied errors
cloudtrail Additional AWS regions enabled
cloudtrail Amazon Bedrock activity InvokeModel multiple regions
cloudtrail Amazon Bedrock console activity
cloudtrail Amazon Bedrock discovery attempt by long term access key
cloudtrail Amazon EC2 AMI exfiltration attempt by IAM user
cloudtrail Amazon S3 bucket policy modified
cloudtrail Amazon SES enumeration attempt by previously unseen user
cloudtrail Amazon SES modification attempt
cloudtrail Amazon SNS enumeration attempt by previously unseen user
cloudtrail Amazon SNS enumeration in multiple regions using a long-term access key
cloudtrail An AWS account attempted to leave the AWS Organization
cloudtrail An AWS S3 bucket lifecycle expiration policy was set to disabled
cloudtrail An AWS S3 bucket lifecycle policy expiration is set to < 90 days
cloudtrail An AWS S3 bucket mfaDelete is disabled
cloudtrail An EC2 instance attempted to enumerate S3 bucket
cloudtrail Anomalous amount of access denied events for AWS EC2 Instance
cloudtrail Anomalous amount of Autoscaling Group events
cloudtrail Anomalous API Gateway API key reads by user
cloudtrail Anomalous number of assumed roles from user
cloudtrail Anomalous number of AWS Lambda functions deleted
cloudtrail Anomalous number of S3 buckets accessed
cloudtrail Anomalous number of secrets retrieved from AWS Secrets Manager
cloudtrail Anomalous S3 bucket activity from user ARN
cloudtrail Attempt to create Xlarge EC2 instances in multiple AWS regions
cloudtrail AWS access key creation by previously unseen identity
cloudtrail AWS AMI Made Public
cloudtrail AWS CloudTrail configuration modified
cloudtrail AWS Cloudtrail possible secret enumeration in multiple regions and secret retrieval
cloudtrail AWS CloudTrail trail should have global service events enabled
cloudtrail AWS CloudWatch log group deleted
cloudtrail AWS CloudWatch rule disabled or deleted
cloudtrail AWS Config modified
cloudtrail AWS console login without MFA
cloudtrail AWS ConsoleLogin with MFA triggered Impossible Travel scenario
cloudtrail AWS ConsoleLogin without MFA triggered Impossible Travel scenario
cloudtrail AWS consoler detected
cloudtrail BETA AWS CreateIndex by long term access key
cloudtrail BETA AWS CreateIndex followed by ListResources via long term access key
cloudtrail AWS Detective Graph deleted
cloudtrail AWS Disable Cloudtrail with event selectors
cloudtrail AWS EBS default encryption disabled
cloudtrail AWS EBS Snapshot Made Public
cloudtrail AWS EBS Snapshot possible exfiltration
cloudtrail AWS EC2 key pair creation attempt with known suspicious naming convention
cloudtrail AWS EC2 new event for application
cloudtrail AWS EC2 new event for EKS Node Group
cloudtrail AWS EC2 security group events observed with a suspicious naming convention
cloudtrail AWS EC2 subnet deleted
cloudtrail AWS ECS cluster deleted
cloudtrail AWS ECS CreateCluster API calls in multiple regions
cloudtrail AWS EventBridge rule disabled or deleted
cloudtrail AWS GuardDuty detector deleted
cloudtrail AWS GuardDuty publishing destination deleted
cloudtrail AWS GuardDuty threat intel set deleted
cloudtrail AWS IAM activity by S3 browser utility
cloudtrail AWS IAM activity from EC2 instance
cloudtrail AWS IAM AdministratorAccess policy was applied to a group
cloudtrail AWS IAM AdministratorAccess policy was applied to a role
cloudtrail AWS IAM AdministratorAccess policy was applied to a user
cloudtrail AWS IAM AmazonSESFullAccess policy was applied to a group
cloudtrail AWS IAM AmazonSESFullAccess policy was applied to a role
cloudtrail AWS IAM AmazonSESFullAccess policy was applied to a user
cloudtrail AWS IAM Identity Center SSO configuration updated
cloudtrail AWS IAM policy modified
cloudtrail AWS IAM Roles Anywhere trust anchor created
cloudtrail AWS IAM Roles Anywhere User Profile Creation
cloudtrail AWS IAM User created with AdministratorAccess policy attached
cloudtrail AWS Java_Ghost security group creation attempt
cloudtrail AWS Kinesis Firehose stream destination modified
cloudtrail AWS KMS key deleted or scheduled for deletion
cloudtrail AWS Lambda function modified by IAM user
cloudtrail AWS Lambda function resource-based policy modified by IAM user
cloudtrail BETA AWS ListResources by long term access key
cloudtrail BETA AWS ListResources executed by new principal identity
cloudtrail AWS Network Access Control List created or modified
cloudtrail AWS Network Gateway created or modified
cloudtrail AWS principal added to multiple EKS clusters
cloudtrail AWS principal assigned administrative privileges in an EKS cluster
cloudtrail AWS principal granted access to a EKS cluster then removed
cloudtrail AWS RDS Cluster deleted
cloudtrail AWS root account activity
cloudtrail AWS Route 53 DNS query logging disabled
cloudtrail AWS Route 53 VPC disassociated from query logging configuration
cloudtrail AWS Route Table created or modified
cloudtrail AWS S3 Bucket ACL made public
cloudtrail AWS S3 Object encryption with SSE-C
cloudtrail AWS S3 Public Access Block removed
cloudtrail AWS security group created, modified or deleted
cloudtrail AWS Security Hub disabled
cloudtrail AWS SES add verified identity followed by the deletion of the identity
cloudtrail AWS SES discovery attempt by long term access key
cloudtrail AWS SES email sending enabled in current AWS region
cloudtrail AWS VPC created or modified
cloudtrail AWS VPC Flow Log deleted
cloudtrail AWS WAF traffic blocked by specific rule
cloudtrail AWS WAF traffic blocked by specific rule on multiple IPs
cloudtrail AWS WAF web access control list deleted
cloudtrail AWS WAF web access control list modified
cloudtrail CloudTrail log file validation should be enabled
cloudtrail CloudTrail logs S3 bucket should not be public accessible
cloudtrail CloudTrail logs should be encrypted at rest using KMS CMKs
cloudtrail Cloudtrail SecretsManager secret retrieved from AWS CloudShell environment
cloudtrail CloudTrail trails should be integrated with CloudWatch Logs
cloudtrail Compromised AWS EC2 Instance
cloudtrail Creation of new AWS Bedrock long term access key with no expiration date
cloudtrail EC2 instance created using risky AMI search pattern
cloudtrail Encrypted administrator password retrieved for Windows EC2 instance
cloudtrail Impossible travel observed on IAM User access key
cloudtrail Indications of malicious key pair creation by long term access key
cloudtrail Indications of malicious trust anchor creation
cloudtrail Invitation sent to account to join AWS organization
cloudtrail New Amazon EC2 Instance type
cloudtrail New AWS account seen assuming a role into AWS account
cloudtrail New Private Repository Container Image detected in AWS ECR
cloudtrail New Public Repository Container Image detected in AWS ECR
cloudtrail New user seen executing a command in an ECS task
cloudtrail Object-level logging should be enabled for S3 bucket read events
cloudtrail Object-level logging should be enabled for S3 bucket write events
cloudtrail Password recovery request completed
cloudtrail Possible AWS backup resource enumeration by long term access key
cloudtrail Possible AWS EC2 privilege escalation via the modification of user data
cloudtrail Possible privilege escalation via AWS login profile manipulation
cloudtrail Possible RDS Snapshot exfiltration
cloudtrail Potential administrative port open to the world via AWS security group
cloudtrail Potential brute force attack on AWS ConsoleLogin
cloudtrail Potential database port open to the world via AWS security group
cloudtrail Primary email update request
cloudtrail S3 bucket access logging should be enabled on the CloudTrail S3 bucket
cloudtrail Security group open to the world
cloudtrail Temporary AWS security credentials generated for user
cloudtrail The AWS managed policy AWSCompromisedKeyQuarantine has been attached
cloudtrail There should be at least one multi-region CloudTrail trail per AWS account
cloudtrail Tor client IP address identified within AWS environment
cloudtrail TruffleHog user agent observed in AWS
cloudtrail Unfamiliar IAM user retrieved a decrypted AWS Systems Manager parameter
cloudtrail Unfamiliar IAM user retrieved secret from AWS Secrets Manager
cloudtrail Unfamiliar IAM user retrieved SSM parameter
cloudtrail Unusual AWS enumeration event from EC2 instance
cloudtrail Unusual AWS identity requesting limit increase
cloudtrail User enumerated AWS Secrets Manager - Anomaly
cloudtrail User enumerated AWS Systems Manager parameters - Anomaly

CrowdStrike

Docker
docker /usr/bin/containerd should be audited if applicable
docker /var/lib/docker should be audited
docker Container images should include HEALTHCHECK instructions
docker Container runtime should include the --pids-limit flag for cgroup limit parameter
docker Containers on the default network bridge should restrict network traffic
docker Containers should have an enabled AppArmor profile
docker Containers should have memory usage limits configured on Docker hosts
docker Containers should not mount the Docker socket docker.sock inside them
docker Containers should not run in privileged mode
docker Containers should not share the host's user namespaces
docker Containers should run as a non-root user
docker Containers should use the cgroup configured in Docker
docker Docker daemon activities should be audited
docker Docker-related files should be audited in /etc/docker
docker Incoming system calls should be filtered using enabled Seccomp profiles
docker Kernel capabilities in Linux should only be granted when necessary
docker Private registry should use TLS encryption for a secure Docker environment
docker Privileged port mapping for containers should be restricted to increase security
docker Processes in containers should have isolated Process ID (PID) namespaces
docker SELinux security options should be properly configured for effective application security
docker Sensitive host system directories should not be mounted on containers
docker The /etc/default/docker file ownership should be set to root
docker The /etc/default/docker file permissions should be set to 644 or stricter
docker The /etc/docker directory permissions should be set to 755 or stricter
docker The /etc/docker directory should be owned by root account
docker The /etc/sysconfig/docker file permissions should be set to 644 or stricter
docker The /etc/sysconfig/docker file should be owned by the root account and group
docker The /usr/sbin/runc executable should be audited, if applicable
docker The container should have a restart policy limited to 5 attempts
docker The container should restrict acquiring additional privileges via suid or sgid bits
docker The container's health should be constantly monitored
docker The container's root filesystem should be set to read-only
docker The critical containers should be configured to remain responsive
docker The daemon.json file should have permissions set to 644 or stricter
docker The daemon.json file should have user and group ownership set to root
docker The default Docker configuration file should be audited on RHEL
docker The default Docker configuration file should be audited, if applicable
docker The Docker daemon configuration file should be audited if applicable
docker The Docker daemon log level should be set to 'info'
docker The Docker daemon should be allowed to configure the firewall rules
docker The Docker daemon should only be controlled by root and Docker group
docker The Docker instance should not use AUFS as its storage driver
docker The Docker local storage partition should be separate from other partitions
docker The Docker server certificate file should be owned by root
docker The Docker server certificate file should have read-only or more restrictive permissions
docker The Docker server certificate key file needs to have permissions of 400
docker The Docker server certificate key file should be owned by root
docker The Docker socket file should be owned by root and Docker group
docker The Docker socket file should have permissions of 660 or stricter
docker The docker.service file ownership and group should be set to root
docker The docker.service file permissions should be set to 644
docker The docker.service file should have auditing configured if applicable
docker The docker.socket file should be audited, if applicable
docker The docker.socket file should be owned by root
docker The file permissions on docker.socket should be set to 644 or stricter
docker The host's network namespace should be hidden from containers
docker The IPC namespace on the host should remain isolated from containers
docker The registry certificate files should be individually and group owned by root
docker The registry certificate files should have read-only or stricter permissions
docker The TLS CA certificate file should be owned by root account
docker The TLS CA certificate file should have read-only or more restrictive permissions
docker The UTS namespace should not be shared with the host
docker TLS authentication should be enabled for Docker daemon to restrict remote access

EC2
ec2 Amazon Machine Image (AMI) should not be publicly shared
ec2 Amazon Machine Image (AMI) should not be shared with external accounts or organizations
ec2 Default VPC security group should restrict all traffic
ec2 EC2 Client VPN endpoints should have client connection logging enabled
ec2 EC2 instance should not have a highly-privileged IAM role attached to it
ec2 EC2 instances and autoscaling groups should enforce IMDSv2
ec2 EC2 instances should not be publicly accessible
ec2 EC2 instances should not use multiple ENIs
ec2 EC2 paravirtual instance types should not be used
ec2 EC2 setting 'Allowed AMIs' should be enabled and enforced by declarative policy
ec2 EC2 setting 'Block public access for AMIs' should be enabled and enforced by declarative policy
ec2 EC2 setting 'Block public access for EBS snapshots' should be enabled and enforced by declarative policy
ec2 EC2 setting 'EBS encryption by default' should be enabled
ec2 EC2 setting 'EC2 Serial Console access' should be disabled and be enforced by declarative policy
ec2 EC2 setting 'IMDS Defaults' should enforce IMDSv2 by default and be enforced by declarative policy
ec2 EC2 setting 'VPC Block Public Access' should be enabled and be enforced by declarative policy
ec2 EC2 should be configured to use AWS VPC endpoints created for the Amazon EC2 service
ec2 EC2 subnets should not automatically assign public IP addresses
ec2 EC2 Transit Gateways should not automatically accept VPC attachment requests
ec2 Inbound CIFS access should be restricted to trusted networks
ec2 Inbound DNS access should be restricted
ec2 Inbound FTP access should be restricted
ec2 Inbound HTTP access should be restricted
ec2 Inbound HTTPS access should be restricted
ec2 Inbound ICMP access to the host should be restricted
ec2 Inbound MongoDB access should be restricted
ec2 Inbound MSSQL access should be restricted
ec2 Inbound MySQL access should be restricted
ec2 Inbound OpenSearch access should be restricted
ec2 Inbound Oracle access should be restricted
ec2 Inbound PostgreSQL access should be restricted
ec2 Inbound RPC access should be restricted
ec2 Inbound SMTP access should be restricted
ec2 Inbound TCP NetBIOS access should be restricted
ec2 Inbound Telnet access should be restricted
ec2 Inbound UDP NetBIOS access should be restricted
ec2 Instance roles should be used for AWS resource access from instances
ec2 Outbound access on all ports should be restricted
ec2 Publicly accessible AWS EC2 instance is vulnerable to CUPS remote code execution attack chain
ec2 Publicly accessible EC2 contains critical vulnerabilities found in CISA KEV with greater than 15 days exposure time
ec2 Publicly accessible EC2 contains critical vulnerabilities which have exploits available with greater than 30 days exposure time
ec2 Publicly accessible EC2 contains critical vulnerabilities with greater than 30 days exposure time
ec2 Publicly accessible EC2 contains high vulnerabilities with greater than 60 days exposure time
ec2 Publicly accessible EC2 host is running IMDSv1 and has an SSRF vulnerability
ec2 Publicly accessible EC2 instance contains critical vulnerability CVE-2024-3094 (RCE in liblzma and xz versions 5.6.0 and 5.6.1)
ec2 Publicly Accessible EC2 instance has a critical vulnerability
ec2 Publicly Accessible EC2 instance has a critical vulnerability has access to Redis ElasticCache with no AUTH
ec2 Publicly accessible EC2 instance has access to an S3 bucket with sensitive data
ec2 Publicly Accessible EC2 instance has privileged role and a critical vulnerability
ec2 Publicly accessible EC2 instance should not have open administrative ports
ec2 Publicly accessible EC2 instance uses IMDSv1
ec2 Publicly accessible EC2 instances should not have highly-privileged IAM roles
ec2 Publicly accessible EC2 with privileged IAM role contains critical vulnerabilities with greater than 30 days exposure time
ec2 Publicly accessible Lambda function has a critical vulnerability
ec2 Security groups should not allow unrestricted access to ports with high risk
ec2 Security groups should restrict traffic to trusted IPv4 addresses
ec2 Security groups should restrict traffic to trusted IPv6 addresses
ec2 Unused Network Access Control Lists should be removed

GCP
gcp Access denied for Google Cloud Service Account
gcp Anomalous number of Google Cloud Compute GPU virtual machines created
gcp Anomalous number of Google Cloud Storage Buckets Accessed
gcp Anomalous number of Google Cloud Storage Objects Accessed
gcp Anomalous number of Google Compute Engine instances created in multiple zones by user
gcp Attempt to add SSH key to Google Compute Engine project metadata by a previously unseen user
gcp GCP App Engine Default Service Account has overly permissive access to resources in the project
gcp GCP Compute Engine Default Service Account has overly permissive access to resources in the project
gcp GCP Group Account has overly permissive access to resources in the project
gcp GCP User Account has overly permissive access to resources in the project
gcp GCP User managed Service Account has overly permissive access to resources in the project
gcp Google App Engine service account used outside of Google Cloud
gcp Google Cloud BigQuery - query results saved to cloud storage
gcp Google Cloud BigQuery - query results saved to new table
gcp Google Cloud BigQuery results saved to cloud storage by a previously unseen user
gcp Google Cloud Compute Engine GPU virtual machine instance created
gcp Google Cloud exposed service account key
gcp Google Cloud GCE instance startup script added or modified
gcp Google Cloud IAM policy modified
gcp Google Cloud IAM role created
gcp Google Cloud IAM Role updated
gcp Google Cloud Logging Bucket deleted
gcp Google Cloud logging sink modified
gcp Google Cloud Project external principal added as project owner
gcp Google Cloud Pub/Sub Subscriber modified
gcp Google Cloud Pub/Sub topic deleted
gcp Google Cloud Service Account accessing anomalous number of Google Cloud APIs
gcp Google Cloud Service Account created
gcp Google Cloud Service Account Impersonation activity using access token generation
gcp Google Cloud Service Account Impersonation using GCPloit Exploitation Framework
gcp Google Cloud Service Account key created
gcp Google Cloud SQL database modified
gcp Google Cloud SQL instance data exported to cloud storage
gcp Google Cloud SQL instance data exported to cloud storage by a previously unseen user
gcp Google Cloud Storage Bucket contents downloaded without authentication
gcp Google Cloud Storage Bucket enumerated
gcp Google Cloud Storage Bucket modified
gcp Google Cloud Storage Bucket permissions modified
gcp Google Cloud unauthorized service account activity
gcp Google Cloud unauthorized user activity
gcp Google Compute Engine firewall egress rule opened to the world
gcp Google Compute Engine firewall rule modified
gcp Google Compute Engine image created
gcp Google Compute Engine instance metadata SSH key added or modified
gcp Google Compute Engine instances created in multiple zones by user
gcp Google Compute Engine network created
gcp Google Compute Engine network route created or modified
gcp Google Compute Engine project metadata SSH key added or modified
gcp Google Compute Engine service account used outside of Google Cloud
gcp Potential Google Cloud cryptomining attack from Tor IP
gcp Tor client IP address identified within Google Cloud environment
GitHub Telemetry
github-telemetry GitHub a branch protection requirement was overridden by a repository administrator
github-telemetry GitHub activity from automated scraping tool
github-telemetry GitHub Advanced Security modification
github-telemetry GitHub anomalous bot git activity
github-telemetry GitHub anomalous bot org activity
github-telemetry GitHub anomalous number of repositories cloned by user
github-telemetry GitHub audit log streaming endpoint was deleted
github-telemetry GitHub audit log streaming endpoint was modified
github-telemetry GitHub branch protection disabled on branch
github-telemetry GitHub critical resource enumeration activity via API
github-telemetry GitHub Dependabot configuration changed
github-telemetry GitHub enterprise or organization recovery codes activity
github-telemetry GitHub enterprise owner added
github-telemetry GitHub IP allow list
github-telemetry GitHub large amount of classic personal access token use via suspicious VPN
github-telemetry GitHub mass deletion of repositories
github-telemetry GitHub mass exfiltration via cloning of repositories using a personal access token
github-telemetry GitHub mass zip file exfiltration of repositories using a personal access token
github-telemetry GitHub mass zip file exfiltration of repositories using an OAuth access token
github-telemetry GitHub MFA requirement disabled
github-telemetry GitHub OAuth access token compromise
github-telemetry GitHub OAuth application access restrictions disabled
github-telemetry GitHub organization was removed from enterprise
github-telemetry GitHub organization was transferred between enterprise accounts
github-telemetry GitHub payment method removed
github-telemetry GitHub personal access token (PAT) auto approve policy modified
github-telemetry GitHub Personal Access Token created by suspicious IP
github-telemetry GitHub personal access token granted and used to clone large amount of repositories
github-telemetry GitHub personal access token impossible travel detected from suspicious IP
github-telemetry GitHub personal access token used by previously unseen user agent
github-telemetry GitHub personal access token used to add collaborator
github-telemetry GitHub PR review enforcement removed for main
github-telemetry BETA GitHub private repository changed to public visibility
github-telemetry GitHub repository activity from suspicious IP
github-telemetry GitHub repository created with suspicious naming convention
github-telemetry GitHub repository transfer
github-telemetry GitHub review settings altered to skip review after PR push
github-telemetry GitHub SAML/OIDC has been disabled
github-telemetry BETA GitHub secret scanning alert generated
github-telemetry GitHub secret scanning disabled or bypassed
github-telemetry GitHub setting changed to fork private repository
github-telemetry GitHub SSH certificate authority deleted
github-telemetry GitHub SSH certificate requirement disabled
github-telemetry GitHub SSH key added by suspicious IP
github-telemetry GitHub Trufflehog user agent activity observed
github-telemetry BETA GitHub unknown user cloned private repository
github-telemetry BETA GitHub user anomalously downloaded data as a ZIP file
github-telemetry GitHub user blocked from accessing organization repositories
Google Cloud Asset Inventory
Google Compute Instance
google_compute_instance Compute instances should be launched with Shielded VM enabled
google_compute_instance Compute instances should have confidential computing enabled
google_compute_instance Compute instances should only have internal IP addresses
google_compute_instance Instances should be configured to use a non-default service account with restricted API access
google_compute_instance Instances should have IP forwarding disabled
google_compute_instance Instances should use a non-default service account
google_compute_instance Instances should use instance-specific SSH keys instead of project-wide keys
google_compute_instance Projects should have OS Login enabled for SSH authentication
google_compute_instance Publicly accessible Google Compute instance has a critical severity vulnerability
google_compute_instance Publicly accessible Google Compute instance has a privileged service account and a critical severity vulnerability
google_compute_instance Publicly accessible Google Compute instance uses a privileged service account
google_compute_instance Publicly accessible Google VM instance contains critical vulnerabilities found in CISA KEV with greater than 15 days exposure time
google_compute_instance Publicly accessible Google VM instance contains critical vulnerabilities which have exploits available with greater than 30 days exposure time
google_compute_instance Publicly accessible Google VM instance contains critical vulnerabilities with greater than 30 days exposure time
google_compute_instance Publicly accessible Google VM instance contains critical vulnerability CVE-2024-3094 (RCE in liblzma and xz versions 5.6.0 and 5.6.1)
google_compute_instance Publicly accessible Google VM instance contains high vulnerabilities with greater than 60 days exposure time
google_compute_instance Publicly accessible Google VM instance with a privileged service account contains critical vulnerabilities with greater than 30 days exposure time
google_compute_instance Serial port connection for VM instances should be disabled
Google SQL Database Instance
google_sql_database_instance MySQL instance should have the 'skip_show_database' flag set to 'on'
google_sql_database_instance MySQL instances should have the 'local_infile' database flag set to 'off'
google_sql_database_instance PostgreSQL instance should have the 'log_disconnections' database flag enabled
google_sql_database_instance PostgreSQL instances should have the 'log_connections' database flag set to 'on'
google_sql_database_instance PostgreSQL instances should have the 'log_error_verbosity' flag set to 'DEFAULT' or stricter
google_sql_database_instance PostgreSQL instances should have the 'log_hostname' database flag set to 'on'
google_sql_database_instance PostgreSQL instances should have the 'log_min_messages' database flag set to at least 'WARNING'
google_sql_database_instance PostgreSQL instances should have the 'log_statement' database flag set appropriately
google_sql_database_instance PostgreSQL instances should have the `log_min_duration_statement` flag set to '-1' (disabled)
google_sql_database_instance PostgreSQL instances should have the `log_min_error_statement` flag set to 'ERROR' or stricter
google_sql_database_instance SQL database instances should enforce SSL for all incoming connections
google_sql_database_instance SQL database instances should have automated backups enabled
google_sql_database_instance SQL Database instances should only allow ingress traffic from specific IP addresses
google_sql_database_instance SQL Server instances should have the 'contained database authentication' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'cross db ownership chaining' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'external scripts enabled' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'remote access' database flag set to 'off'
google_sql_database_instance SQL Server instances should have the 'user connections' database flag set to a non-limiting value
google_sql_database_instance SQL Server instances should have the `3625 (trace flag)` database flag set to 'on'
google_sql_database_instance SQL Server instances should have the `user options` database flag disabled
Google Workspace Alert Center
Host Benchmarks
host-benchmarks A remote time server for Chrony is configured
host-benchmarks Add nodev Option to /dev/shm
host-benchmarks Add nodev Option to /home
host-benchmarks Add nodev Option to /tmp
host-benchmarks Add nodev Option to /var
host-benchmarks Add nodev Option to /var/log
host-benchmarks Add nodev Option to /var/log/audit
host-benchmarks Add nodev Option to /var/tmp
host-benchmarks Add noexec Option to /dev/shm
host-benchmarks Add noexec Option to /tmp
host-benchmarks Add noexec Option to /var/log
host-benchmarks Add noexec Option to /var/log/audit
host-benchmarks Add noexec Option to /var/tmp
host-benchmarks Add nosuid Option to /dev/shm
host-benchmarks Add nosuid Option to /home
host-benchmarks Add nosuid Option to /tmp
host-benchmarks Add nosuid Option to /var
host-benchmarks Add nosuid Option to /var/log
host-benchmarks Add nosuid Option to /var/log/audit
host-benchmarks Add nosuid Option to /var/tmp
host-benchmarks All AppArmor Profiles are in enforce or complain mode
host-benchmarks All GIDs referenced in /etc/passwd must be defined in /etc/group
host-benchmarks All Interactive User Home Directories Must Be Group-Owned By The Primary Group
host-benchmarks All Interactive User Home Directories Must Be Owned By The Primary User
host-benchmarks All Interactive User Home Directories Must Have mode 0750 Or Less Permissive
host-benchmarks All Interactive Users Home Directories Must Exist
host-benchmarks Audit Configuration Files Must Be Owned By Group root
host-benchmarks Audit Configuration Files Must Be Owned By Root
host-benchmarks Avoid using remember in pam_unix module
host-benchmarks Build and Test AIDE Database
host-benchmarks Chrony Configure Pool and Server
host-benchmarks Configure Accepting Router Advertisements on All IPv6 Interfaces
host-benchmarks Configure AIDE to Verify the Audit Tools
host-benchmarks Configure Firewalld to Restrict Loopback Traffic
host-benchmarks Configure Firewalld to Trust Loopback Traffic
host-benchmarks Configure GNOME3 DConf User Profile
host-benchmarks Configure Kernel Parameter for Accepting Secure Redirects By Default
host-benchmarks Configure ntpd To Run As ntp User
host-benchmarks Configure Periodic Execution of AIDE
host-benchmarks Configure SELinux Policy
host-benchmarks Configure server restrictions for ntpd
host-benchmarks Configure SSH to use System Crypto Policy
host-benchmarks Configure System Cryptography Policy
host-benchmarks Configure Systemd Timer Execution of AIDE
host-benchmarks Configure Systemd Timesyncd Servers
host-benchmarks Configure systemd-journal-upload TLS parameters: ServerKeyFile, ServerCertificateFile and TrustedCertificateFile
host-benchmarks Configure systemd-journal-upload URL
host-benchmarks Configure the Use of the pam_faillock.so Module in the /etc/pam.d/password-auth File.
host-benchmarks Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.
host-benchmarks Deactivate Wireless Network Interfaces
host-benchmarks Disable Accepting ICMP Redirects for All IPv4 Interfaces
host-benchmarks Disable Accepting ICMP Redirects for All IPv6 Interfaces
host-benchmarks Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
host-benchmarks Disable apache2 Service
host-benchmarks Disable Apport Service
host-benchmarks Disable Avahi Server Software
host-benchmarks Disable Bluetooth Service
host-benchmarks Disable core dump backtraces
host-benchmarks Disable Core Dumps for All Users
host-benchmarks Disable Core Dumps for SUID programs
host-benchmarks Disable DHCP Service
host-benchmarks Disable DHCPD6 Service
host-benchmarks Disable dnsmasq Service
host-benchmarks Disable Dovecot Service
host-benchmarks Disable GNOME3 Automount Opening
host-benchmarks Disable GNOME3 Automount running
host-benchmarks Disable GNOME3 Automounting
host-benchmarks Disable Host-Based Authentication
host-benchmarks Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
host-benchmarks Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
host-benchmarks Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
host-benchmarks Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
host-benchmarks Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
host-benchmarks Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
host-benchmarks Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
host-benchmarks Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
host-benchmarks Disable Kernel Parameter for IPv6 Forwarding
host-benchmarks Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
host-benchmarks Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
host-benchmarks Disable LDAP Server (slapd)
host-benchmarks Disable Modprobe Loading of USB Storage Driver
host-benchmarks Disable Mounting of cramfs
host-benchmarks Disable Mounting of freevxfs
host-benchmarks Disable Mounting of hfs
host-benchmarks Disable Mounting of hfsplus
host-benchmarks Disable Mounting of jffs2
host-benchmarks Disable Mounting of udf
host-benchmarks Disable named Service
host-benchmarks Disable Network File System (nfs)
host-benchmarks Disable nginx Service
host-benchmarks Disable Postfix Network Listening
host-benchmarks Disable rpcbind Service
host-benchmarks Disable Samba
host-benchmarks Disable snmpd Service
host-benchmarks Disable Squid
host-benchmarks Disable SSH Access via Empty Passwords
host-benchmarks Disable SSH Root Login
host-benchmarks Disable SSH Support for .rhosts Files
host-benchmarks Disable storing core dump
host-benchmarks Disable systemd_timesyncd Service
host-benchmarks Disable systemd-journal-remote Socket
host-benchmarks Disable tftpd-hpa Service
host-benchmarks Disable the Automounter
host-benchmarks Disable the CUPS Service
host-benchmarks Disable the GNOME3 Login User List
host-benchmarks Disable vsftpd Service
host-benchmarks Disable XDMCP in GDM
host-benchmarks Disable xinetd Service
host-benchmarks Disable ypserv Service
host-benchmarks Do Not Allow SSH Environment Options
host-benchmarks Enable authselect
host-benchmarks Enable cron Daemon
host-benchmarks Enable cron Service
host-benchmarks Enable GNOME3 Login Warning Banner
host-benchmarks Enable GNOME3 Screensaver Lock After Idle Period
host-benchmarks Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
host-benchmarks Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
host-benchmarks Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
host-benchmarks Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
host-benchmarks Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
host-benchmarks Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces
host-benchmarks Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces by Default
host-benchmarks Enable PAM
host-benchmarks Enable Randomized Layout of Virtual Address Space
host-benchmarks Enable rsyslog Service
host-benchmarks Enable SSH Warning Banner
host-benchmarks Enable systemd_timesyncd Service
host-benchmarks Enable systemd-journal-upload Service
host-benchmarks Enable systemd-journald Service
host-benchmarks Enable the NTP Service
host-benchmarks Enforce Password History with use_authtok
host-benchmarks Enforce Usage of pam_wheel with Group Parameter for su Authentication
host-benchmarks Ensure /dev/shm is configured
host-benchmarks Ensure /tmp Located On Separate Partition
host-benchmarks Ensure a Single Time Synchronization Service is in Use
host-benchmarks Ensure a Table Exists for Nftables
host-benchmarks Ensure All Accounts on the System Have Unique Names
host-benchmarks Ensure All Accounts on the System Have Unique User IDs
host-benchmarks Ensure All Files Are Owned by a Group
host-benchmarks Ensure All Files Are Owned by a User
host-benchmarks Ensure All Groups on the System Have Unique Group ID
host-benchmarks Ensure All Groups on the System Have Unique Group Names
host-benchmarks Ensure All User Initialization Files Have Mode 0740 Or Less Permissive
host-benchmarks Ensure all users last password change date is in the past
host-benchmarks Ensure AppArmor is enabled in the bootloader configuration
host-benchmarks Ensure AppArmor is installed
host-benchmarks Ensure AppArmor Utils is installed
host-benchmarks Ensure Authentication Required for Single User Mode
host-benchmarks Ensure Base Chains Exist for Nftables
host-benchmarks Ensure gpgcheck Enabled for All yum Package Repositories
host-benchmarks Ensure gpgcheck Enabled In Main yum Configuration
host-benchmarks Ensure ip6tables Firewall Rules Exist for All Open Ports
host-benchmarks Ensure iptables Firewall Rules Exist for All Open Ports
host-benchmarks Ensure journald ForwardToSyslog is disabled
host-benchmarks Ensure journald is configured to compress large log files
host-benchmarks Ensure journald is configured to send logs to rsyslog
host-benchmarks Ensure journald is configured to write log files to persistent disk
host-benchmarks Ensure LDAP client is not installed
host-benchmarks Ensure Local Login Warning Banner Is Configured Properly
host-benchmarks Ensure Log Files Are Owned By Appropriate Group
host-benchmarks Ensure Log Files Are Owned By Appropriate User
host-benchmarks Ensure Logs Sent To Remote Host
host-benchmarks Ensure Mail Transfer Agent is not Listening on any non-loopback Address
host-benchmarks Ensure Message Of The Day Is Configured Properly
host-benchmarks Ensure network interfaces are assigned to appropriate zone
host-benchmarks Ensure nftables Default Deny Firewall Policy
host-benchmarks Ensure nftables Rules are Permanent
host-benchmarks Ensure No Daemons are Unconfined by SELinux
host-benchmarks Ensure No World-Writable Files Exist
host-benchmarks Ensure One Logging Service Is In Use
host-benchmarks Ensure Only One Firewall Service is Active
host-benchmarks Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
host-benchmarks Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
host-benchmarks Ensure PAM Enforces Password Requirements - Enforce for root User
host-benchmarks Ensure PAM Enforces Password Requirements - Enforcing
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Different Categories
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Different Characters
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Digit Characters
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Length
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Special Characters
host-benchmarks Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
host-benchmarks Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
host-benchmarks Ensure pam_faillock module is enabled
host-benchmarks Ensure Remote Login Warning Banner Is Configured Properly
host-benchmarks Ensure root account access is controlled
host-benchmarks Ensure rsyncd service is disabled
host-benchmarks Ensure rsyslog Default File Permissions Configured
host-benchmarks Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
host-benchmarks Ensure rsyslog is Installed
host-benchmarks Ensure SELinux is Not Disabled
host-benchmarks Ensure SELinux Not Disabled in /etc/default/grub
host-benchmarks Ensure shadow Group is Empty
host-benchmarks Ensure SSH LoginGraceTime is configured
host-benchmarks Ensure SSH MaxStartups is configured
host-benchmarks Ensure Sudo Logfile Exists - sudo logfile
host-benchmarks Ensure System Log Files Have Correct Permissions
host-benchmarks Ensure that /etc/at.allow exists
host-benchmarks Ensure that /etc/at.deny does not exist
host-benchmarks Ensure that /etc/cron.allow exists
host-benchmarks Ensure that /etc/cron.deny does not exist
host-benchmarks Ensure that All Entries in The Path of Root Are Directories
host-benchmarks Ensure that All Root's Path Directories Are Owned by Root
host-benchmarks Ensure that chronyd is running under chrony user account
host-benchmarks Ensure that Root's Path Does Not Include Relative Paths or Null Directories
host-benchmarks Ensure that Root's Path Does Not Include World or Group-Writable Directories
host-benchmarks Ensure that System Accounts Are Locked
host-benchmarks Ensure that System Accounts Do Not Run a Shell Upon Login
host-benchmarks Ensure the Default Bash Umask is Set Correctly
host-benchmarks Ensure the Default C Shell Umask is Set Correctly
host-benchmarks Ensure the Default Umask is Set Correctly For Interactive Users
host-benchmarks Ensure the Default Umask is Set Correctly in /etc/profile
host-benchmarks Ensure the Default Umask is Set Correctly in login.defs
host-benchmarks Ensure the Group Used by pam_wheel.so Module Exists on System and is Empty
host-benchmarks Ensure the Root Bash Umask is Set Correctly
host-benchmarks Ensure There Are No Accounts With Blank or Null Passwords
host-benchmarks Ensure ufw Default Deny Firewall Policy
host-benchmarks Ensure ufw Firewall Rules Exist for All Open Ports
host-benchmarks Ensure User Bash History File Has Correct Permissions
host-benchmarks Ensure Users Cannot Change GNOME3 Screensaver Settings
host-benchmarks Ensure Users Cannot Change GNOME3 Session Idle Settings
host-benchmarks Ensure Users Re-Authenticate for Privilege Escalation - sudo
host-benchmarks Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
host-benchmarks Ensure users' .netrc Files are not group or world accessible
host-benchmarks Install AIDE
host-benchmarks Install firewalld Package
host-benchmarks Install iptables Package
host-benchmarks Install iptables-persistent Package
host-benchmarks Install libselinux Package
host-benchmarks Install nftables Package
host-benchmarks Install pam_pwquality Package
host-benchmarks Install pam-modules Package
host-benchmarks Install pam-runtime Package
host-benchmarks Install sudo Package
host-benchmarks Install systemd-journal-remote Package
host-benchmarks Install the cron service
host-benchmarks Install the systemd_timesyncd Service
host-benchmarks Install ufw Package
host-benchmarks Limit Password Reuse
host-benchmarks Limit Password Reuse (STIGs - ubuntu2004)
host-benchmarks Limit Password Reuse (ubuntu2404)
host-benchmarks Limit Password Reuse: password-auth
host-benchmarks Limit Password Reuse: system-auth
host-benchmarks Limit the maximum number of sequential characters in passwords
host-benchmarks Limit Users' SSH Access
host-benchmarks Lock Accounts After Failed Password Attempts
host-benchmarks Make sure that the dconf databases are up-to-date with regards to respective keyfiles
host-benchmarks Modify the System Login Banner
host-benchmarks Modify the System Login Banner for Remote Connections
host-benchmarks Modify the System Message of the Day Banner
host-benchmarks Package "prelink" Must not be Installed
host-benchmarks Prevent Login to Accounts With Empty Password (ubuntu2404)
host-benchmarks Prevent Login to Accounts With Empty Password
host-benchmarks Remove autofs Package
host-benchmarks Remove ftp Package
host-benchmarks Remove iptables-persistent Package
host-benchmarks Remove NIS Client
host-benchmarks Remove Rsh Trust Files
host-benchmarks Remove telnet Clients
host-benchmarks Remove telnet Clients (ubuntu2404)
host-benchmarks Remove tftp Daemon
host-benchmarks Remove the GDM Package Group
host-benchmarks Remove the X Windows Package Group
host-benchmarks Remove tnftp Package
host-benchmarks Remove ufw Package
host-benchmarks Require Authentication for Emergency Systemd Target
host-benchmarks Require Authentication for Single User Mode
host-benchmarks Require Re-Authentication When Using the sudo Command
host-benchmarks Require use_authtok for pam_unix.so
host-benchmarks Restrict usage of ptrace to descendant processes
host-benchmarks Set Account Expiration Following Inactivity
host-benchmarks Set configuration for IPv6 loopback traffic
host-benchmarks Set configuration for loopback traffic
host-benchmarks Set Default ip6tables Policy for Incoming Packets
host-benchmarks Set Default iptables Policy for Incoming Packets
host-benchmarks Set Deny For Failed Password Attempts
host-benchmarks Set existing passwords a period of inactivity before they are locked
host-benchmarks Set Existing Passwords Maximum Age
host-benchmarks Set Existing Passwords Minimum Age
host-benchmarks Set Existing Passwords Warning Age
host-benchmarks Set GNOME3 Screensaver Inactivity Timeout
host-benchmarks Set GNOME3 Screensaver Lock Delay After Activation Period
host-benchmarks Set Interactive Session Timeout
host-benchmarks Set Interval For Counting Failed Password Attempts
host-benchmarks Set Lockout Time for Failed Password Attempts
host-benchmarks Set LogLevel to INFO
host-benchmarks Set nftables Configuration for Loopback Traffic
host-benchmarks Set PAM's Password Hashing Algorithm
host-benchmarks Set PAM's Password Hashing Algorithm - password-auth
host-benchmarks Set Password Hashing Algorithm in /etc/libuser.conf
host-benchmarks Set Password Hashing Algorithm in /etc/login.defs
host-benchmarks Set Password Maximum Age
host-benchmarks Set Password Maximum Consecutive Repeating Characters
host-benchmarks Set Password Minimum Age
host-benchmarks Set Password Warning Age
host-benchmarks Set SSH authentication attempt limit
host-benchmarks Set SSH Client Alive Count Max
host-benchmarks Set SSH Client Alive Interval
host-benchmarks Set SSH Daemon LogLevel to VERBOSE
host-benchmarks Set SSH MaxSessions limit
host-benchmarks Set the GNOME3 Login Warning Banner Text
host-benchmarks Set UFW Loopback Traffic
host-benchmarks System Audit Logs Must Be Group Owned By Root
host-benchmarks System Audit Logs Must Be Owned By Root
host-benchmarks System Audit Logs Must Have Mode 0640 or Less Permissive
host-benchmarks System Audit Logs Must Have Mode 0750 or Less Permissive
host-benchmarks The Chrony package is installed
host-benchmarks The Chronyd service is disabled
host-benchmarks The Chronyd service is enabled
host-benchmarks Uninstall apache2 Package
host-benchmarks Uninstall avahi Server Package
host-benchmarks Uninstall bind Package
host-benchmarks Uninstall CUPS Package
host-benchmarks Uninstall cyrus-imapd Package
host-benchmarks Uninstall DHCP Server Package
host-benchmarks Uninstall dnsmasq Package
host-benchmarks Uninstall dovecot Package
host-benchmarks Uninstall mcstrans Package
host-benchmarks Uninstall net-snmp Package
host-benchmarks Uninstall nfs-kernel-server Package
host-benchmarks Uninstall nftables package
host-benchmarks Uninstall nginx Package
host-benchmarks Uninstall openldap-servers Package
host-benchmarks Uninstall rpcbind Package
host-benchmarks Uninstall rsh Package
host-benchmarks Uninstall rsync Package
host-benchmarks Uninstall Samba Package
host-benchmarks Uninstall setroubleshoot Package
host-benchmarks Uninstall squid Package
host-benchmarks Uninstall talk Package
host-benchmarks Uninstall telnet-server Package
host-benchmarks Uninstall tftpd-hpa Package
host-benchmarks Uninstall the nis package
host-benchmarks Uninstall vsftpd Package
host-benchmarks Uninstall xinetd Package
host-benchmarks Uninstall ypserv Package
host-benchmarks Use Only FIPS 140-2 Validated Ciphers
host-benchmarks Use Only FIPS 140-2 Validated MACs
host-benchmarks Use Only Strong Ciphers
host-benchmarks Use Only Strong Key Exchange algorithms
host-benchmarks Use Only Strong MACs
host-benchmarks User Initialization Files Must Be Group-Owned By The Primary Group
host-benchmarks User Initialization Files Must Be Owned By the Primary User
host-benchmarks User Initialization Files Must Not Run World-Writable Programs
host-benchmarks Verify /boot/efi/EFI/redhat/user.cfg Group Ownership
host-benchmarks Verify /boot/efi/EFI/redhat/user.cfg Permissions
host-benchmarks Verify /boot/efi/EFI/redhat/user.cfg User Ownership
host-benchmarks Verify /boot/grub/grub.cfg Permissions
host-benchmarks Verify /boot/grub/grub.cfg User Ownership
host-benchmarks Verify /boot/grub2/grub.cfg Group Ownership
host-benchmarks Verify /boot/grub2/user.cfg Group Ownership
host-benchmarks Verify /boot/grub2/user.cfg Permissions
host-benchmarks Verify /boot/grub2/user.cfg User Ownership
host-benchmarks Verify All Account Password Hashes are Shadowed
host-benchmarks Verify All Account Password Hashes are Shadowed with SHA512
host-benchmarks Verify firewalld Enabled
host-benchmarks Verify Group Ownership of Message of the Day Banner
host-benchmarks Verify Group Ownership of System Login Banner
host-benchmarks Verify Group Ownership of System Login Banner for Remote Connections
host-benchmarks Verify Group Ownership on SSH Server Private *_key Key Files
host-benchmarks Verify Group Ownership on SSH Server Public *.pub Key Files
host-benchmarks Verify Group Who Owns /etc/at.allow file
host-benchmarks Verify Group Who Owns /etc/at.deny file
host-benchmarks Verify Group Who Owns /etc/cron.allow file
host-benchmarks Verify Group Who Owns /etc/security/opasswd File
host-benchmarks Verify Group Who Owns /etc/security/opasswd.old File
host-benchmarks Verify Group Who Owns /etc/shells File
host-benchmarks Verify Group Who Owns /var/log/(b|w)tmp(.*|-*) File
host-benchmarks Verify Group Who Owns /var/log/*.journal(~) File
host-benchmarks Verify Group Who Owns /var/log/auth.log File
host-benchmarks Verify Group Who Owns /var/log/cloud-init.log* File
host-benchmarks Verify Group Who Owns /var/log/lastlog File
host-benchmarks Verify Group Who Owns /var/log/localmessages* File
host-benchmarks Verify Group Who Owns /var/log/messages File
host-benchmarks Verify Group Who Owns /var/log/secure File
host-benchmarks Verify Group Who Owns /var/log/syslog File
host-benchmarks Verify Group Who Owns /var/log/waagent.log File
host-benchmarks Verify Group Who Owns Backup group File
host-benchmarks Verify Group Who Owns Backup gshadow File
host-benchmarks Verify Group Who Owns Backup passwd File
host-benchmarks Verify Group Who Owns Backup shadow File
host-benchmarks Verify Group Who Owns cron.d
host-benchmarks Verify Group Who Owns cron.daily
host-benchmarks Verify Group Who Owns cron.hourly
host-benchmarks Verify Group Who Owns cron.monthly
host-benchmarks Verify Group Who Owns cron.weekly
host-benchmarks Verify Group Who Owns Crontab
host-benchmarks Verify Group Who Owns group File
host-benchmarks Verify Group Who Owns gshadow File
host-benchmarks Verify Group Who Owns passwd File
host-benchmarks Verify Group Who Owns shadow File
host-benchmarks Verify Group Who Owns SSH Server config file
host-benchmarks Verify Group Ownership of Files in /var/log/sssd
host-benchmarks Verify Group Ownership of Files in /var/log/apt
host-benchmarks Verify Group Ownership of Files in /var/log/gdm
host-benchmarks Verify Group Ownership of Files in /var/log/gdm3
host-benchmarks Verify nftables Service is Disabled
host-benchmarks Verify nftables Service is Enabled
host-benchmarks Verify No .forward Files Exist
host-benchmarks Verify No netrc Files Exist
host-benchmarks Verify Non-Interactive Accounts Are Locked
host-benchmarks Verify Only Group Root Has GID 0
host-benchmarks Verify Only Root Has UID 0
host-benchmarks Verify Owner on cron.d
host-benchmarks Verify Owner on cron.daily
host-benchmarks Verify Owner on cron.hourly
host-benchmarks Verify Owner on cron.monthly
host-benchmarks Verify Owner on cron.weekly
host-benchmarks Verify Owner on crontab
host-benchmarks Verify Owner on SSH Server config file
host-benchmarks Verify Ownership of Files in /var/log/apt
host-benchmarks Verify Ownership of Files in /var/log/gdm
host-benchmarks Verify Ownership of Files in /var/log/gdm3
host-benchmarks Verify Ownership of Files in /var/log/sssd
host-benchmarks Verify ownership of log files
host-benchmarks Verify ownership of log files (ubuntu2404)
host-benchmarks Verify ownership of Message of the Day Banner
host-benchmarks Verify ownership of System Login Banner
host-benchmarks Verify ownership of System Login Banner for Remote Connections
host-benchmarks Verify Ownership on SSH Server Private *_key Key Files
host-benchmarks Verify Ownership on SSH Server Public *.pub Key Files
host-benchmarks Verify pam_pwhistory module is activated
host-benchmarks Verify pam_pwquality module is activated
host-benchmarks Verify pam_unix module is activated
host-benchmarks Verify Permissions and Ownership of Old Passwords File
host-benchmarks Verify Permissions of Files in /var/log/gdm
host-benchmarks Verify Permissions of Files in /var/log/gdm3
host-benchmarks Verify Permissions of Files in /var/log/sssd
host-benchmarks Verify permissions of log files
host-benchmarks Verify Permissions on /etc/at.allow file
host-benchmarks Verify Permissions on /etc/at.deny file
host-benchmarks Verify Permissions on /etc/audit/auditd.conf
host-benchmarks Verify Permissions on /etc/audit/rules.d/*.rules
host-benchmarks Verify Permissions on /etc/cron.allow file
host-benchmarks Verify Permissions on /etc/security/opasswd File
host-benchmarks Verify Permissions on /etc/security/opasswd.old File
host-benchmarks Verify Permissions on /etc/shells File
host-benchmarks Verify Permissions on /var/log/auth.log File
host-benchmarks Verify Permissions on /var/log/cloud-init.log(.*) Files
host-benchmarks Verify Permissions on /var/log/lastlog(.*) Files
host-benchmarks Verify Permissions on /var/log/localmessages(.*) Files
host-benchmarks Verify Permissions on /var/log/messages File
host-benchmarks Verify Permissions on /var/log/secure File
host-benchmarks Verify Permissions on /var/log/syslog File
host-benchmarks Verify Permissions on /var/log/waagent.log(.*) Files
host-benchmarks Verify Permissions on /var/log/wtmp(.*) Files
host-benchmarks Verify Permissions on Backup group File
host-benchmarks Verify Permissions on Backup gshadow File
host-benchmarks Verify Permissions on Backup passwd File
host-benchmarks Verify Permissions on Backup shadow File
host-benchmarks Verify Permissions on cron.d
host-benchmarks Verify Permissions on cron.daily
host-benchmarks Verify Permissions on cron.hourly
host-benchmarks Verify Permissions on cron.monthly
host-benchmarks Verify Permissions on cron.weekly
host-benchmarks Verify Permissions on crontab
host-benchmarks Verify Permissions on files in the /var/log/apt/.* directory
host-benchmarks Verify Permissions on group File
host-benchmarks Verify Permissions on gshadow File
host-benchmarks Verify permissions on Message of the Day Banner
host-benchmarks Verify Permissions on passwd File
host-benchmarks Verify Permissions on shadow File
host-benchmarks Verify Permissions on SSH Server config file
host-benchmarks Verify Permissions on SSH Server Private *_key Key Files
host-benchmarks Verify Permissions on SSH Server Public *.pub Key Files
host-benchmarks Verify permissions on System Login Banner
host-benchmarks Verify permissions on System Login Banner for Remote Connections
host-benchmarks Verify Root Has A Primary GID 0
host-benchmarks Verify that All World-Writable Directories Have Sticky Bits Set
host-benchmarks Verify that audit tools are owned by group root
host-benchmarks Verify that audit tools are owned by root
host-benchmarks Verify that audit tools Have Mode 0755 or less
host-benchmarks Verify the UEFI Boot Loader grub.cfg Group Ownership
host-benchmarks Verify the UEFI Boot Loader grub.cfg Permissions
host-benchmarks Verify the UEFI Boot Loader grub.cfg User Ownership
host-benchmarks Verify ufw Active
host-benchmarks Verify ufw Enabled
host-benchmarks Verify User Who Owns /etc/at.allow file
host-benchmarks Verify User Who Owns /etc/at.deny file
host-benchmarks Verify User Who Owns /etc/cron.allow file
host-benchmarks Verify User Who Owns /etc/security/opasswd File
host-benchmarks Verify User Who Owns /etc/security/opasswd.old File
host-benchmarks Verify User Who Owns /var/log/(b|w)tmp(.*|-*) File
host-benchmarks Verify User Who Owns /var/log/*.journal(~) Files
host-benchmarks Verify User Who Owns /var/log/auth.log File
host-benchmarks Verify User Who Owns /var/log/cloud-init.log File
host-benchmarks Verify User Who Owns /var/log/lastlog File
host-benchmarks Verify User Who Owns /var/log/localmessages File
host-benchmarks Verify User Who Owns /var/log/messages File
host-benchmarks Verify User Who Owns /var/log/secure File
host-benchmarks Verify User Who Owns /var/log/syslog File
host-benchmarks Verify User Who Owns /var/log/waagent.log File
host-benchmarks Verify User Who Owns Backup group File
host-benchmarks Verify User Who Owns Backup gshadow File
host-benchmarks Verify User Who Owns Backup passwd File
host-benchmarks Verify User Who Owns Backup shadow File
host-benchmarks Verify User Who Owns group File
host-benchmarks Verify User Who Owns gshadow File
host-benchmarks Verify User Who Owns passwd File
host-benchmarks Verify User Who Owns shadow File
host-benchmarks Verify Who Owns /etc/shells File
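Several of the host-benchmarks rules above (Verify Only Root Has UID 0, Verify Root Has A Primary GID 0, Verify All Account Password Hashes are Shadowed, Verify All Account Password Hashes are Shadowed with SHA512, Verify Non-Interactive Accounts Are Locked) reduce to reading /etc/passwd and /etc/shadow. The Python below is an added illustration of what such checks evaluate; it is not Datadog's rule logic or Agent code, and the passwd and shadow contents it runs on are constructed sample data with placeholder salts and hashes.

```python
"""Added example: account-hygiene checks over constructed /etc/passwd and /etc/shadow
contents. Illustrative only; not Datadog's rule implementation."""

# Constructed sample files. Salts and hashes are placeholders, not real credentials.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
legacy:$1$saltsalt$placeholderhashvalue:1001:1001::/home/legacy:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhashvalue:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
backup:$6$saltsalt$placeholderhashvalue:19700:0:99999:7:::
alice:$y$j9T$saltsalt$placeholderhashvalue:19700:0:99999:7:::
toor:$6$saltsalt$placeholderhashvalue:19700:0:99999:7:::
legacy:!:19700:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_colon_file(text):
    """Map account name -> field list for passwd/shadow-style files, skipping blanks and comments."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def is_locked(hash_field):
    """A '!' prefix ('!', '!!', '!*', '!$6$...') or a bare '*' means password login is impossible."""
    return hash_field.startswith("!") or hash_field == "*"


def uid0_accounts_other_than_root(passwd_text):
    """Verify Only Root Has UID 0: every extra UID-0 account is a second superuser."""
    return sorted(name for name, f in parse_colon_file(passwd_text).items()
                  if f[2] == "0" and name != "root")


def root_primary_gid_is_0(passwd_text):
    """Verify Root Has A Primary GID 0 (passwd field 4)."""
    root = parse_colon_file(passwd_text).get("root")
    return root is not None and root[3] == "0"


def unshadowed_accounts(passwd_text):
    """Verify All Account Password Hashes are Shadowed: passwd field 2 must be 'x'.
    A hash (or an empty string, meaning no password) here sits in a world-readable file."""
    return sorted(name for name, f in parse_colon_file(passwd_text).items() if f[1] != "x")


def non_sha512_hashes(shadow_text):
    """Verify ... Shadowed with SHA512: usable hashes must carry the $6$ (SHA-512 crypt) prefix.
    Locked entries are skipped. Caveat: yescrypt ($y$), the default on recent Debian and
    Ubuntu, is at least as strong as SHA-512 crypt yet fails a literal SHA-512 check;
    tune the rule rather than downgrading the hash."""
    return sorted(name for name, f in parse_colon_file(shadow_text).items()
                  if not is_locked(f[1]) and not f[1].startswith("$6$"))


def unlocked_non_interactive_accounts(passwd_text, shadow_text):
    """Verify Non-Interactive Accounts Are Locked: a nologin shell only stops a shell from
    starting; anything that verifies the password through PAM still accepts it unless the
    shadow entry is locked as well."""
    shadow = parse_colon_file(shadow_text)
    return sorted(name for name, f in parse_colon_file(passwd_text).items()
                  if f[6] in NOLOGIN_SHELLS and name in shadow and not is_locked(shadow[name][1]))


def run_all(passwd_text=SAMPLE_PASSWD, shadow_text=SAMPLE_SHADOW):
    """Return {check_name: offending accounts} for the checks that fail."""
    results = {
        "uid0_not_root": uid0_accounts_other_than_root(passwd_text),
        "root_gid_not_0": [] if root_primary_gid_is_0(passwd_text) else ["root"],
        "unshadowed": unshadowed_accounts(passwd_text),
        "not_sha512": non_sha512_hashes(shadow_text),
        "non_interactive_unlocked": unlocked_non_interactive_accounts(passwd_text, shadow_text),
    }
    return {check: accounts for check, accounts in results.items() if accounts}


if __name__ == "__main__":
    for check, accounts in run_all().items():
        print(f"FAIL {check}: {', '.join(accounts)}")
```

Run as a script it prints the failing checks for the sample data (toor, legacy, alice and backup); on a real host pass the contents of the actual files, which for /etc/shadow requires root. The SHA-512 check deliberately reports the yescrypt entry, which is the trade-off a literal reading of that benchmark imposes.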
IAM
iam Access keys granting 'root' should be removed
iam Access keys should be rotated every 90 days or less
iam AWS Cognito identity pool has guest access configured for a role with administrative privileges
iam AWS EC2 instance can assume a role with administrative privileges
iam AWS EC2 instance can assume a role with administrative privileges cross-account
iam AWS EC2 instance can assume multiple roles with administrative privileges cross-account
iam AWS EC2 instance can create a login profile for an IAM user with administrative privileges
iam AWS EC2 instance can create access keys for an IAM user with administrative privileges
iam AWS EC2 instance can update a login profile for an IAM user with administrative privileges
iam AWS EC2 instance can update the trust policy for a role with administrative privileges
iam AWS EC2 instance has administrative privileges
iam AWS IAM group can assume a role with administrative privileges
iam AWS IAM group can create a login profile for an IAM user with administrative privileges
iam AWS IAM group can create access keys for an IAM user with administrative privileges
iam AWS IAM group can update a login profile for an IAM user with administrative privileges
iam AWS IAM group can update the trust policy for a role with administrative privileges
iam AWS IAM group has access to a large number of resources
iam AWS IAM group has administrative privileges
iam AWS IAM policy with administrative privileges is not attached to any principal
iam AWS IAM role can assume a role with administrative privileges
iam AWS IAM role can assume a role with administrative privileges cross-account
iam AWS IAM role can assume multiple roles with administrative privileges cross-account
iam AWS IAM role can create a login profile for an IAM user with administrative privileges
iam AWS IAM role can create access keys for an IAM user with administrative privileges
iam AWS IAM role can update a login profile for an IAM user with administrative privileges
iam AWS IAM role can update the trust policy for a role with administrative privileges
iam AWS IAM role has a large permissions gap
iam AWS IAM role has a trust relationship with a wildcard principal
iam AWS IAM role has access to a large number of resources
iam AWS IAM role has administrative privileges
iam AWS IAM role has administrative privileges and is inactive
iam AWS IAM role with administrative privileges has a trust relationship with a wildcard principal
iam AWS IAM role with external cross-account trust relationship does not use an external ID
iam AWS IAM user can assume a role with administrative privileges
iam AWS IAM user can assume a role with administrative privileges cross-account
iam AWS IAM user can assume multiple roles with administrative privileges cross-account
iam AWS IAM user can create a login profile for an IAM user with administrative privileges
iam AWS IAM user can create access keys for an IAM user with administrative privileges
iam AWS IAM user can update a login profile for an IAM user with administrative privileges
iam AWS IAM user can update the trust policy for a role with administrative privileges
iam AWS IAM user has a large permissions gap
iam AWS IAM user has access to a large number of resources
iam AWS IAM user has administrative privileges
iam AWS IAM user has administrative privileges and is inactive
iam AWS Lambda function has administrative privileges
iam AWS Organizations centralized root credentials management feature should be enabled
iam AWS Organizations member accounts should not have root user credentials when centralized access is enabled
iam AWS Organizations root sessions feature should be enabled
iam Bedrock Knowledge Base write access should be condition-scoped in IAM Customer-Managed policies
iam Bedrock Knowledge Base write access should be condition-scoped in IAM group inline policies
iam Bedrock Knowledge Base write access should be condition-scoped in IAM role inline policies
iam Bedrock Knowledge Base write access should be condition-scoped in IAM user inline policies
iam Expired SSL/TLS certificates should be removed from AWS IAM
iam IAM Access Analyzer should be enabled in all active regions
iam IAM access keys that are inactive and older than 1 year should be removed
iam IAM customer managed policies should not allow decryption actions on all KMS keys
iam IAM customer managed policies should not allow wildcard actions for services
iam IAM groups should have assigned permissions
iam IAM groups should have at least one user attached
iam IAM groups should not have IAM inline policies that allow decryption actions on all KMS keys
iam IAM groups should not have inline policies attached
iam IAM password policy should require at least one lowercase letter
iam IAM password policy should require at least one number in passwords
iam IAM password policy should require at least one symbol
iam IAM password policy should require uppercase characters
iam IAM password policy should require user passwords to expire within 90 days
iam IAM policies should adhere to least-privilege
iam IAM policies should be attached and managed at the group level
iam IAM policies should not use 'Effect: Allow' with 'NotAction'
iam IAM role has trust policy containing cross-organization principal
iam IAM role has trust policy containing cross-OU principal
iam IAM role has trust policy containing external principal
iam IAM roles should be used within the last 90 days
iam IAM roles should not allow untrusted GitHub Actions to assume them
iam IAM roles should not allow untrusted GitLab runners to assume them
iam IAM roles should not have a trust policy that contains a wildcard principal
iam IAM roles should not have IAM inline policies that allow decryption actions on all KMS keys
iam IAM roles with policies attached should be used within the last 90 days
iam IAM server certificate should be renewed 30 days before expiration
iam IAM User access keys should be created after initial setup
iam IAM users should have assigned permissions
iam IAM users should not have both Console access and Access Keys
iam IAM users should not have IAM inline policies that allow decryption actions on all KMS keys
iam IAM users should not have the 'AdministratorAccess' policy attached
iam Known compromised IAM users should not be present in the account
iam MFA should be enabled for all users with console access
iam MFA should be enabled for the 'root' account
iam Only one active access key should exist per user
iam Password policy should prevent password reuse
iam Password policy should require at least 14 characters
iam Support roles should be created to manage incidents with AWS Support
iam The 'root' account should not be used for daily tasks
iam The 'root' user account should use hardware-based MFA
iam Unused credentials should be deactivated or removed
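Three of the IAM rules above are pure trust-policy inspections: a role whose trust relationship names a wildcard principal, an external cross-account trust that sets no external ID, and a role that untrusted GitHub Actions workflows can assume through the OIDC provider. The Python below is an added illustration of how those conditions can be evaluated against a trust policy document; it is not Datadog's rule logic, and the account IDs, the GitHub organisation allowlist and the four policies are constructed.

```python
"""Added example: static checks on IAM role trust policies. Illustrative only;
not Datadog's rule implementation. Account IDs and policies are constructed."""
import json

OWN_ACCOUNT = "111111111111"           # constructed: account that owns the role
TRUSTED_GITHUB_ORGS = {"example-org"}  # constructed allowlist of GitHub organisations
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"

# Constructed trust policies.
POLICY_WILDCARD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})

POLICY_EXTERNAL_NO_ID = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole"}]})

POLICY_GITHUB_ANY_REPO = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"Federated": f"arn:aws:iam::{OWN_ACCOUNT}:oidc-provider/{GITHUB_OIDC_HOST}"},
     "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {"StringLike": {f"{GITHUB_OIDC_HOST}:sub": "repo:*"}}}]})

POLICY_HARDENED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id-0001"}}},
    {"Effect": "Allow",
     "Principal": {"Federated": f"arn:aws:iam::{OWN_ACCOUNT}:oidc-provider/{GITHUB_OIDC_HOST}"},
     "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {"StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"},
                   "StringLike": {f"{GITHUB_OIDC_HOST}:sub": "repo:example-org/*"}}}]})


def _as_list(value):
    """IAM allows a string or a list almost everywhere; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Yield (kind, value) pairs; a bare "*" principal is reported with kind "*"."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return [("*", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]


def _account_of(arn):
    """Account ID is the fifth colon-separated field of an ARN."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def _condition_values(stmt, key):
    """All values bound to a condition key, whatever the operator (StringEquals, StringLike, ...)."""
    found = []
    for operator_values in stmt.get("Condition", {}).values():
        for k, v in operator_values.items():
            if k.lower() == key.lower():
                found.extend(_as_list(v))
    return found


def analyze_trust_policy(policy_json, own_account=OWN_ACCOUNT, trusted_orgs=TRUSTED_GITHUB_ORGS):
    """Return a list of finding strings for one trust policy document."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for kind, principal in _principals(stmt):
            if kind == "*" or principal == "*":
                findings.append("wildcard principal: any AWS principal may assume this role")
            elif kind == "AWS":
                account = _account_of(principal)
                if account and account != own_account and not _condition_values(stmt, "sts:ExternalId"):
                    findings.append(f"external account {account} trusted without sts:ExternalId "
                                    "(confused-deputy risk)")
            elif kind == "Federated" and principal.endswith(f"oidc-provider/{GITHUB_OIDC_HOST}"):
                if not _condition_values(stmt, f"{GITHUB_OIDC_HOST}:aud"):
                    findings.append("GitHub OIDC trust without an :aud condition")
                subs = _condition_values(stmt, f"{GITHUB_OIDC_HOST}:sub")
                if not subs:
                    findings.append("GitHub OIDC trust without a :sub condition: any workflow "
                                    "presenting a GitHub token can assume this role")
                for sub in subs:
                    # Expected shape: repo:<org>/<repo>:<ref or environment>
                    org = sub.split(":")[1].split("/")[0] if sub.startswith("repo:") else "*"
                    if "*" in org or org not in trusted_orgs:
                        findings.append(f"GitHub OIDC :sub '{sub}' is not restricted to a trusted organisation")
    return findings


if __name__ == "__main__":
    for label, policy in [("wildcard", POLICY_WILDCARD), ("external-no-id", POLICY_EXTERNAL_NO_ID),
                          ("github-any-repo", POLICY_GITHUB_ANY_REPO), ("hardened", POLICY_HARDENED)]:
        print(label, analyze_trust_policy(policy) or "OK")
```

The :sub check keys on the organisation because a wildcard repository or branch inside an allowlisted organisation is a much smaller exposure than `repo:*`, which lets any GitHub account's workflow assume the role; the :aud check is there because without it a token minted for a different audience is accepted. To use it on a live account, feed it the `AssumeRolePolicyDocument` returned by `aws iam get-role` for each role.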
Kubernetes
kubernetes [Deprecated] The /etc/kubernetes/manifests/etcd.yaml file ownership should be root:root
kubernetes A Kubernetes audit policy should exist
kubernetes A Kubernetes user attempted to perform a high number of actions that were denied
kubernetes A Kubernetes user was assigned cluster administrator permissions
kubernetes A new Kubernetes admission controller was created
kubernetes All requests should not be allowed; explicit authorization should be enabled
kubernetes API server audit log files should be retained for at least 10 log file rotations
kubernetes API server audit logs should be enabled
kubernetes API server audit logs should be retained for at least 30 days
kubernetes API server should have the anonymous-auth argument set to false
kubernetes API server should only authorize explicitly authorized requests
kubernetes API server should verify the kubelet's certificate before establishing connection
kubernetes Application with a critical vulnerability in a container with elevated privileges
kubernetes Application with a critical vulnerability in a container with elevated privileges assigned to a privileged Kubernetes node
kubernetes Certificate-based kubelet authentication should be required
kubernetes Container with elevated privileges assigned to a privileged Kubernetes node
kubernetes Containers should not be allowed to share the host network namespace
kubernetes Containers should not be generally permitted to run with hostIPC flag
kubernetes Containers should not be run with allowPrivilegeEscalation flag set to true
kubernetes Containers should not be run with the hostPID flag set to true
kubernetes Controller Manager profiling should be disabled
kubernetes Each controller should use individual service account credentials
kubernetes Each controller should use individual service account credentials
kubernetes Etcd data directory should have permissions of 700 or more restrictive
kubernetes Etcd key-value store should be encrypted at rest
kubernetes Etcd key-value store should be encrypted at rest
kubernetes Etcd pod specification file should have permissions of 600 or more restrictive
kubernetes Etcd server should require API servers to present a client certificate and key when connecting
kubernetes etcd servers should make use of TLS encryption for client connections
kubernetes Etcd service should have client authentication enabled
kubernetes Etcd should be configured for peer authentication
kubernetes Etcd should be configured with TLS encryption
kubernetes Etcd should have client authentication enabled
kubernetes Etcd should have peer authentication configured
kubernetes Etcd should only allow the use of valid client certificates
kubernetes etcd should use TLS encryption for client connections
kubernetes Etcd should use TLS encryption for peer connections
kubernetes Etcd should use TLS encryption for peer connections
kubernetes Ingress NGINX Controller pod is vulnerable to critical remote code execution vulnerability (IngressNightmare)
kubernetes Kube-proxy configuration file ownership should be assigned to root
kubernetes Kube-proxy configuration file should have permissions of 600 or more restrictive
kubernetes Kubelet authentication should require certificate-based authentication
kubernetes Kubelet client certificate rotation should be enabled
kubernetes Kubelet connections should use HTTPS for enhanced security
kubernetes Kubelet default kernel parameter values should be protected from overriding
kubernetes Kubelet nodes should only be authorized to read objects they are associated with
kubernetes Kubelet nodes should only read objects associated with them
kubernetes Kubelet server certificate rotation should be enabled
kubernetes Kubelet should be able to manage changes to iptables
kubernetes Kubelet should enable authentication using certificates for TLS client authentication
kubernetes Kubelet should only allow explicitly authorized requests
kubernetes Kubelet should require HTTPS connections
kubernetes Kubelet should use TLS certificate client authentication
kubernetes Kubelets should be allowed to manage changes to the iptables
kubernetes Kubelets should have HTTPS connections with TLS setup
kubernetes Kubernetes API server profiling should be disabled
kubernetes Kubernetes PKI certificate files should have permissions of 600 or more restrictive
kubernetes Kubernetes PKI certificate files should have permissions of 644 or more restrictive
kubernetes Kubernetes Pod Created in Kube Namespace
kubernetes Kubernetes Pod Created with hostNetwork
kubernetes Kubernetes principal attempted to enumerate their permissions
kubernetes Kubernetes Service Account Created in Kube Namespace
kubernetes Kubernetes Service Created with NodePort
kubernetes Log files for the API server should be rotated at 100 MB
kubernetes Logs for API server audits should be retained for 30 days
kubernetes Network policies should be defined to isolate traffic in cluster network
kubernetes New Kubernetes Namespace Created
kubernetes New Kubernetes privileged pod created
kubernetes Pods should use `root-ca-file` to pass serving certificates to the API server
kubernetes Pods should verify the API server's serving certificate before connecting
kubernetes PodSecurityPolicy should be enabled to reject non-compliant pod creations
kubernetes Profiling for API server should be disabled, if not needed
kubernetes Publicly accessible application in a container with elevated privileges assigned to a privileged Kubernetes node
kubernetes Publicly accessible application in container with elevated privileges
kubernetes Publicly accessible application with a critical vulnerability in a container with elevated privileges
kubernetes Publicly accessible application with a critical vulnerability running on a privileged Kubernetes node
kubernetes RBAC should be enabled for the API server
kubernetes RBAC should be enabled for the Kubernetes API server
kubernetes Resources should be created in a non-default namespace in Kubernetes
kubernetes Scheduler profiling should be disabled
kubernetes Scheduler profiling should be disabled
kubernetes Scheduler.conf file should only be alterable by owners with permissions of 644 or more restrictive
kubernetes Self-signed certificates should not be used for etcd TLS
kubernetes Service accounts management should be automated
kubernetes Service accounts on the controller manager should have a private key file set
kubernetes Streaming connections should have timeouts enabled
kubernetes Streaming connections should have timeouts enabled and not be disabled
kubernetes The --audit-policy-file flag should be set for Kubernetes logging to be enabled
kubernetes The /etc/kubernetes/manifests/etcd.yaml file should have permissions of 644 or stricter
kubernetes The `admin.conf` file should be owned by root
kubernetes The `admin.conf` file should have permissions of 600 or more restrictive
kubernetes The `controller-manager.conf` file should be owned by root
kubernetes The `controller-manager.conf` file should have permissions of 600 or more restrictive
kubernetes The admin.conf file should have permissions of 644 or more restrictive
kubernetes The API server audit log files should be rotated once the file reaches 100 MB or more
kubernetes The API server pod specification file ownership should be assigned to root
kubernetes The API server pod specification file should have permissions of 600 or more restrictive
kubernetes The API server should explicitly set a service account public key file
kubernetes The API server should have a TLS connection setup
kubernetes The API server should not allow anonymous requests to Kubelet
kubernetes The API server should not use basic authentication
kubernetes The API server should only bind to secure, known ports
kubernetes The API Server should require HTTPS connections
kubernetes The API server should set up TLS connection for client authentication
kubernetes The API server should use secure authentication methods without token based authentication
kubernetes The API server should validate the service account token in etcd
kubernetes The API server should verify the kubelet's certificate before connecting
kubernetes The certificate authorities file should be owned by root:root
kubernetes The certificate authorities file should have permissions of 600 or more restrictive
kubernetes The certificate authorities file should have permissions of 644 or stricter
kubernetes The client certificate authorities file should be owned by root
kubernetes The Controller Manager API service should be bound to localhost
kubernetes The Controller Manager API service should only bind to localhost
kubernetes The controller manager pod specification file ownership should be root:root
kubernetes The controller manager pod specification file should be owned by root
kubernetes The controller manager pod specification file should have permissions of 600 or more restrictive
kubernetes The Controller Manager profiling should be disabled
kubernetes The controller manager should have a service account private key file set
kubernetes The controller-manager.conf file should be owned by root:root
kubernetes The controller-manager.conf file should have permissions of 644 or more restrictive
kubernetes The default service account should not be used
kubernetes The etcd data directory should be owned by etcd:etcd
kubernetes The etcd data directory should be owned by the etcd user and group
kubernetes The etcd data directory should have permissions of 700 or more restrictive
kubernetes The etcd pod specification file should be owned by root
kubernetes The etcd server should require API servers to present an SSL CA file when connecting
kubernetes The etcd service should be configured with TLS encryption
kubernetes The global request timeout for API server requests should be set appropriately
kubernetes The insecure API service should not be bound
kubernetes The kube-proxy configuration file should be owned by root:root
kubernetes The kubelet client certificate rotation should be enabled
kubernetes The kubelet configuration file should be owned by root
kubernetes The kubelet configuration file should be owned by root:root
kubernetes The kubelet configuration file should have permissions of 600 or more restrictive
kubernetes The kubelet configuration file should have permissions of 644 or more restrictive
kubernetes The kubelet read-only port should be disabled
kubernetes The kubelet server certificate rotation on controller-manager should be enabled
kubernetes The kubelet server certificate rotation on the controller-manager should be enabled
kubernetes The kubelet server certificate rotation should be enabled
kubernetes The kubelet service file should be owned by root
kubernetes The kubelet service file should be owned by root:root
kubernetes The kubelet service file should have permissions of 600 or more restrictive
kubernetes The kubelet service file should have permissions of 644 or stricter
kubernetes The kubelet.conf file should be owned by root
kubernetes The kubelet.conf file should be owned by root
kubernetes The kubelet.conf file should have permissions of 600 or more restrictive
kubernetes The kubelet.conf file should have permissions of 644 or stricter
kubernetes The Kubernetes admission controller 'AlwaysAdmit' should be disabled
kubernetes The Kubernetes admission controller 'NamespaceLifecycle' should be enabled
kubernetes The Kubernetes admission controller 'NodeRestriction' should be enabled
kubernetes The Kubernetes API server request timeout should not exceed 60 seconds
kubernetes The Kubernetes API server secure port should be enabled
kubernetes The Kubernetes API Server should enable audit logs on its server
kubernetes The Kubernetes API server should only allow explicitly authorized requests
kubernetes The Kubernetes API server should use a service account public key file for service accounts
kubernetes The Kubernetes API server should use secure authentication methods and avoid using token-based authentication
kubernetes The Kubernetes API server should use TLS certificate client authentication
kubernetes The Kubernetes API server should validate that the service account token exists in etcd
kubernetes The Kubernetes PKI directories should be owned by root
kubernetes The Kubernetes PKI directory should be owned by root
kubernetes The misconfigured resource should retain at least 10 log file rotations
kubernetes The ownership of the admin.conf file should be root:root
kubernetes The proxy kubeconfig file should have permissions of 644 or stricter
kubernetes The read-only port should be disabled in Kubelet
kubernetes The scheduler API service should not be bound to non-loopback insecure addresses
kubernetes The scheduler configuration file ownership should be assigned to root
kubernetes The scheduler configuration file should only be alterable by owners
kubernetes The scheduler pod specification file ownership should be assigned to root
kubernetes The scheduler pod specification file ownership should be set to root
kubernetes The scheduler pod specification file should have permissions of 600 or more restrictive
kubernetes The scheduler pod specification file should have permissions of 644 or stricter
kubernetes The scheduler service should only be bound to localhost
kubernetes The scheduler.conf file should be owned by root:root
kubernetes The secure port should not be disabled for the API server
kubernetes TLS connections between etcd peers should not use self-signed certificates
kubernetes TLS connections between etcd peers should not use self-signed certificates that are automatically generated
kubernetes User Attached to a Pod
kubernetes User Exec into a Pod
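The pod-level rules in this list (hostNetwork, hostPID and hostIPC, allowPrivilegeEscalation, privileged pods, pods created in kube-* namespaces, resources in the default namespace, use of the default service account) can all be evaluated from a pod manifest alone. The Python below is an added illustration of that evaluation; it is not Datadog's rule logic or any Kubernetes admission code, and the three manifests are constructed and written as plain dicts (the shape `kubectl get pod -o json` returns, trimmed) so no YAML library is needed.

```python
"""Added example: pod-spec checks for the pod-level rules above. Illustrative only;
not Datadog's rule implementation. Manifests are constructed."""

# Constructed manifests.
POD_DEBUG = {
    "metadata": {"name": "node-debug", "namespace": "kube-system"},
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "containers": [{"name": "shell", "image": "example.invalid/debug:latest",
                        "securityContext": {"privileged": True}}],
    },
}

POD_DEFAULT_NS = {
    "metadata": {"name": "scratch", "namespace": "default"},
    "spec": {"containers": [{"name": "app", "image": "example.invalid/app:1.0"}]},
}

POD_HARDENED = {
    "metadata": {"name": "payments-api", "namespace": "payments"},
    "spec": {
        "serviceAccountName": "payments-api",
        "automountServiceAccountToken": False,
        "containers": [{"name": "api", "image": "example.invalid/payments-api:1.4.2",
                        "securityContext": {"privileged": False,
                                            "allowPrivilegeEscalation": False,
                                            "runAsNonRoot": True}}],
    },
}


def audit_pod(pod):
    """Return a list of finding strings for one pod manifest."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    ns = meta.get("namespace", "default")
    ref = f"{ns}/{meta.get('name', '<unnamed>')}"
    findings = []

    if ns == "default":
        findings.append(f"{ref}: created in the default namespace")
    elif ns.startswith("kube-"):
        findings.append(f"{ref}: created in a kube-* (cluster component) namespace")

    # Each flag shares the corresponding node namespace with the pod.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{ref}: {flag} is true")

    # serviceAccountName defaults to "default" and its token is mounted unless disabled
    # on the pod or on the service account itself.
    if spec.get("serviceAccountName", "default") == "default" and \
            spec.get("automountServiceAccountToken", True):
        findings.append(f"{ref}: runs as the default service account with its token mounted")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        cref = f"{ref} container {c.get('name', '<unnamed>')}"
        if sc.get("privileged"):
            findings.append(f"{cref}: privileged container")
        # Unset is not the same as false: the benchmark wants an explicit false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cref}: allowPrivilegeEscalation is not set to false")
    return findings


def audit_pods(pods):
    """Flatten findings across many pods, e.g. the items of `kubectl get pods -A -o json`."""
    return [finding for pod in pods for finding in audit_pod(pod)]


if __name__ == "__main__":
    for finding in audit_pods([POD_DEBUG, POD_DEFAULT_NS, POD_HARDENED]):
        print(finding)
```

The default-service-account check only looks at the pod; a service account with `automountServiceAccountToken: false` on the account object also suppresses the mount, so a production version should resolve the referenced ServiceAccount before reporting. Init containers are audited with the same rules as regular containers because they run with the same pod-level host settings.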
Microsoft 365
microsoft-365 A Microsoft Teams member was made owner of multiple teams
microsoft-365 A new Microsoft 365 application was installed
microsoft-365 A new Microsoft Teams app or bot was observed
microsoft-365 A potentially malicious file was sent in a Microsoft Teams message
microsoft-365 Abnormal successful Microsoft 365 Exchange login event
microsoft-365 An external Microsoft Teams member was added then removed
microsoft-365 Consent given to application associated with business email compromise attacks in Microsoft 365
microsoft-365 Exchange Online mail forwarding rule enabled
microsoft-365 Microsoft 365 Anomalous Amount of Deleted Emails
microsoft-365 Microsoft 365 Anomalous Amount of Downloaded files
microsoft-365 Microsoft 365 Default or Anonymous user permissions added to mailbox folder
microsoft-365 Microsoft 365 eDiscovery content search started
microsoft-365 Microsoft 365 eDiscovery search export downloaded
microsoft-365 Microsoft 365 Exchange inbox rule name associated with business email compromise attacks
microsoft-365 Microsoft 365 Exchange inbox rule set up to automatically forward email
microsoft-365 Microsoft 365 Exchange inbox rule set up to hide email
microsoft-365 Microsoft 365 Exchange junk email settings modified by a suspicious VPN
microsoft-365 Microsoft 365 Exchange transport rule set up to automatically forward email
microsoft-365 Microsoft 365 Full Access delegate permissions added
microsoft-365 Microsoft 365 Inbound Connector added or modified
microsoft-365 Microsoft 365 mailbox audit logging bypass
microsoft-365 Microsoft 365 OneDrive anonymous link created
microsoft-365 Microsoft 365 Security and Compliance
microsoft-365 Microsoft 365 SendAs permissions added
microsoft-365 Microsoft 365 SharePoint object shared with guest
microsoft-365 Microsoft 365 Unified Audit Logging Disabled
microsoft-365 Multiple Microsoft Teams deleted
microsoft-365 Unusual Authentication by Microsoft 365 Azure AD Service Principal
Microsoft Defender For Cloud
RDS
rds Aurora clusters should have backtracking enabled
rds Aurora MySQL clusters should publish audit logs to CloudWatch Logs
rds Neptune cluster replicates to a publicly accessible Neptune instance
rds Publicly accessible RDS database stores sensitive data
rds Publicly Accessible RDS instance uses a common master database username
rds RDS cluster exports snapshots to publicly accessible S3 bucket
rds RDS cluster replicates to a publicly accessible RDS instance
rds RDS cluster snapshots should be encrypted at rest
rds RDS cluster snapshots should not be publicly shared
rds RDS cluster snapshots should not be shared with external accounts
rds RDS clusters should be configured to copy tags to snapshots
rds RDS clusters should be configured to use a custom administrator name
rds RDS clusters should be configured to use multiple Availability Zones
rds RDS clusters should have Auto Minor Version Upgrade enabled
rds RDS clusters should have deletion protection enabled
rds RDS clusters should have encryption at rest enabled
rds RDS clusters should have IAM authentication enabled
rds RDS clusters should use KMS encryption
rds RDS databases should be encrypted
rds RDS databases should have 'Auto Minor Version Upgrade' enabled
rds RDS databases should not be publicly accessible
rds RDS event subscriptions should be configured to notify for critical database parameter group events
rds RDS event subscriptions should be configured to notify for critical database security group events
rds RDS event subscriptions should be configured to notify for critical events
rds RDS instance snapshots should be encrypted at rest
rds RDS instance snapshots should not be publicly shared
rds RDS instance snapshots should not be shared with external accounts
rds RDS instances should be configured to copy tags to snapshots
rds RDS instances should be configured to use a custom administrator name
rds RDS instances should be configured to use Enhanced Monitoring
rds RDS instances should be configured to use multiple Availability Zones
rds RDS instances should be deployed inside of a VPC
rds RDS instances should have automatic backups enabled
rds RDS instances should have deletion protection enabled
rds RDS instances should have IAM authentication enabled
rds RDS instances should publish logs to CloudWatch Logs
rds RDS instances should use a non-default port
rds RDS logs should be collected and retained for no less than 90 days
Windows
windows Multiple failed login attempts
windows PsExec execution detected
windows Suspicious named pipe created
windows BETA Windows active directory object WriteDAC access
windows BETA Windows active directory privileged users or groups reconnaissance
windows BETA Windows active directory replication from non machine account
windows BETA Windows active directory user assigned right to control user objects
windows BETA Windows active directory user backdoors
windows BETA Windows ANONYMOUS LOGON local account created
windows Windows audit log cleared
windows BETA Windows BITS transfer job download from direct IP
windows BETA Windows BITS transfer job downloaded to suspicious folder
windows BETA Windows CobaltStrike service installations
windows BETA Windows CrackMapExec execution patterns
windows BETA Windows credential dumping tools service execution
windows BETA Windows credential dumping via WER application error
windows BETA Windows critical hive in suspicious location access bits cleared
windows BETA Windows delete volume shadow copies via WMI with PowerShell
windows BETA Windows device installation blocked
windows BETA Windows DHCP server error loaded CallOut DLL
windows BETA Windows DHCP server loaded CallOut DLL
windows BETA Windows DiagTrackEoP default login username
windows BETA Windows DNS query to Tor Onion address
windows Windows Domain Admin group changed
windows BETA Windows eventlog cleared
windows Windows firewall disabled
windows BETA Windows fsutil suspicious invocation
windows BETA Windows hidden local user creation
windows BETA Windows HybridConnectionManager service running
windows BETA Windows Impacket PsExec execution
windows BETA Windows important scheduled task deleted or disabled
windows BETA Windows Kerberoasting RC4 encrypted tickets
windows BETA Windows malware protection engine crash
windows BETA Windows moriya rootkit
windows BETA Windows MSI installation from web
windows BETA Windows MSSQL add sysadmin account
windows BETA Windows MSSQL disable audit settings
windows BETA Windows MSSQL SPProcoption set
windows BETA Windows MSSQL XPCmdshell change
windows Windows MSSQL XPCmdshell suspicious execution
windows Windows Net command executed to enumerate administrators
windows BETA Windows NoFilter tool execution
windows BETA Windows OpenSSH brute force attempt
windows BETA Windows OpenSSH server listening on socket
windows BETA Windows password change on directory service restore account
windows BETA Windows password protected ZIP file opened with suspicious email attachments
windows BETA Windows password protected ZIP file opened with suspicious filenames
windows BETA Windows persistence via sticky key backdoor
windows BETA Windows potential lsass process dump via procdump
windows BETA Windows potential powershell reverseshell connection
windows BETA Windows PowerShell AADInternals cmdlets execution
windows BETA Windows PowerShell create volume shadow copy
windows BETA Windows PowerShell disable command history
windows BETA Windows PowerShell disable ETW trace
windows BETA Windows PowerShell Disable-WindowsOptionalFeature command
windows BETA Windows PowerShell Invoke-Mimikatz script
windows BETA Windows PowerShell PSAsyncShell asynchronous TCP reverse shell
windows BETA Windows PowerShell Rubeus execution
windows BETA Windows PowerShell scripts installed as services
windows Windows PowerShell Set-Acl on folder
windows BETA Windows PowerShell suspicious Get-ADDBAccount usage
windows BETA Windows PowerShell Veeam backup servers credential dumping script execution
windows BETA Windows PowerShell volume shadow copy deletion
windows BETA Windows PowerShell web access installation using PsScript
windows BETA Windows privilege escalation via local kerberos relay over LDAP
windows BETA Windows protected storage service access
windows BETA Windows PurpleSharp execution
windows BETA Windows register new logon process by Rubeus
windows BETA Windows remote access tool ScreenConnect file transfer
windows BETA Windows replay attack detected
windows BETA Windows restricted software access by the Software Restriction Policies
windows BETA Windows RottenPotato like attack pattern
windows BETA Windows SAM registry hive handle request
windows BETA Windows self extraction directive file created
windows BETA Windows service installed by suspicious client
windows BETA Windows shadow copies deletion using operating systems utilities
windows BETA Windows shimcache flush
windows BETA Windows SMB create remote file admin share
windows BETA Windows suspicious computer name containing Samtheadmin
windows BETA Windows suspicious PowerShell mailbox export to share
windows Windows suspicious Teams application related ObjectAccess event
windows BETA Windows syskey registry keys access
windows Windows user added to Domain Admin group
windows BETA Windows VolumeShadowCopy symlink creation via mklink
windows Windows vulnerable spn enumerated
windows BETA Windows WCE wceaux.dll access
windows BETA Windows WinPwn execution patterns
windows BETA Windows WMI backdoor exchange transport agent
Workload Protection
workload protection AppArmor profile modified
workload protection Auditd configuration modified
workload protection Bring your own file system (BYOF) tool executed
workload protection Cloud credentials accessed by network utility
workload protection Compiler executed in container
workload protection Compiler wrote suspicious file
workload protection Container accessed using kubectl in another container
workload protection Container breakout attempt using container management socket
workload protection Container breakout using runc file descriptors
workload protection Container management utility in container
workload protection Crypto miner environment variables observed
workload protection Crypto miner process observed
workload protection Cryptocurrency miner attempted to boost CPU performance
workload protection Database process spawned shell
workload protection DNS lookup for cryptocurrency mining pool
workload protection DNS lookup for IP lookup service
workload protection DNS lookup for paste service
workload protection Dynamic linker hijacking attempt
workload protection Evidence hidden by deleting system log file
workload protection Executable bit added to newly created file
workload protection Exfiltration attempt via network utility
workload protection File created and executed inside container
workload protection Hash of known malware detected
workload protection Interactive shell spawned in container
workload protection Kubernetes DNS enumeration
workload protection Kubernetes service account token created in container
workload protection Local account password modified
workload protection Looney Tunables (CVE-2023-4911) exploited for privilege escalation
workload protection Memfd object created
workload protection Network scanning utility executed
workload protection Network utility executed
workload protection Network utility executed in container
workload protection Network utility executed with suspicious URI
workload protection Offensive Kubernetes tool executed
workload protection Package installed in container
workload protection PAM authentication library hooked using eBPF
workload protection Post compromise shell detected
workload protection Potential rootkit compiled and then loaded
workload protection Process hidden using mount
workload protection Pwnkit privilege escalation attempt
workload protection Python executed with suspicious arguments
workload protection Recently written or modified suid file has been executed
workload protection Redis modified cron job directory to execute commands
workload protection Redis sandbox escape (CVE-2022-0543)
workload protection Redis server wrote suspicious module file
workload protection Resource provisioned using kubectl in container
workload protection Runc binary modified
workload protection SELinux enforcement disabled
workload protection Sensitive namespace modified using kubectl
workload protection Shell process created by Java application
workload protection Unfamiliar kernel module loaded
workload protection Unfamiliar kernel module loaded from memory
workload protection Unfamiliar process accessed AWS EKS service account token
workload protection Unfamiliar process created by web application
workload protection User created interactively